How Can I Setup Site To Site VPN With IKE2 In SonicOS?

10/22/2020


    Description

    Introduction, Deployment Scenario, and IKEv2 vs. IKEv1 Discussion

    The IKEv2 IKE Proposal type is the most modern, reliable way to build a Site to Site VPN between two firewalls, and it has been our default for almost a decade. All Gen5, Gen6 and Gen6.5 SonicWall firewall models can be configured for Site to Site VPNs with IKEv2, from the lower TZ models up through all higher models in the NSA, NSa, SuperMassive and NSsp product lines. It is also supported on almost any IKE VPN appliance from other major vendors. IKEv2 is specified in IETF RFC 7296 and is an adopted standard. It also brings many improvements in areas such as security, NAT-Traversal, EAP and VoIP. See this SonicWall KB article about IKEv2 advantages, and this Wikipedia article on IKE / IKEv2.

    This article covers the scenario in which both firewalls have static, public IP addresses on their WANs. For many years, SonicWall customers have chosen the older IKEv1 Main Mode for this deployment scenario, but IKEv2 is far superior and switching to it is very easy.

    See the related article below for the scenario in which one firewall has a dynamic or RFC 1918 private IP address on its WAN, so that the other (static) site cannot point to it using the IPSec Gateway field. That other IKEv2 method can handle any scenario for which IKEv1 Aggressive Mode is often used.

    Here are some general points about the example VPN detailed below. It is a very simple split-tunnel VPN, which uses only the two X0 LANs configured on the firewalls as network objects. By contrast, SonicOS also supports many other forms of VPN, including ones that route all Internet traffic through the tunnel to the other side, as well as other Types (Tunnel Interface) and Authentication Methods (IKE Using 3rd Party Certificates; SonicWall Auto-Provisioning Client; SonicWall Auto-Provisioning Server; Manual Key).

    IKEv2 is the default IKE Proposal type when a new VPN Policy is added, and it has been our default for almost a decade, going back to very old versions of SonicOS 5.x.x.x. Compared to the Main and Aggressive Modes of IKEv1, IKEv2 is more efficient and more reliable in general. It is just as easy to use, especially when both firewalls have static, public IP addresses on their WANs so that both sides can specify an IPSec Gateway.

    I've included images of a new, blank IKEv2 VPN Policy window from a Gen6.5 model on the newly released SonicOS 6.5.4.6, and from an old Gen5 model on SonicOS 5.8.1.13, web-posted in July 2013, almost 7 years ago. NOTE: In these example images, I first specified an IP address in the IPSec Gateway field, so that all of the configurable options under IKEv2 are shown. When no IPSec Gateway is specified, the options for the IKE Proposal [DH Group; Encryption; Authentication; Life Time (seconds)] are not configurable except in the VPN > Advanced setting called "IKEv2 Dynamic Client Proposal," which applies to all VPN Policies lacking an IPSec Gateway. Although that setting is not used in the method for this article, it is important for understanding this behavior of the UI.

    [Images: blank IKEv2 VPN Policy windows on SonicOS 6.5.4.6 and SonicOS 5.8.1.13]

    Cause

    Two sites with Firewalls have static, public IP addresses on their WANs, and there is a need for the internal networks behind them to have a secure connection.

    Resolution

    Step-By-Step Instructions:

    • Basics about the two firewalls involved in the VPN

      NSA-5600 on SonicOS 6.5.4.5: X1 WAN Interface IP address: 10.61.34.65 /28 ;
      X0 LAN Interface IP address: 192.168.56.56 /24 ; X0 Subnet 192.168.56.0 /24

      NSa-5650 on SonicOS 6.5.4.5: X1 WAN Interface IP address: 10.61.134.10 /28 ;
      X0 LAN Interface IP address: 192.168.156.50 /22 ; X0 Subnet 192.168.156.0 /22

    • Identify which objects, on both sides (internal networks or hosts / ranges, or groups of these), are going to participate in the VPN.

      EXAMPLE: Two network objects are used, cross-matched on the two firewalls:
      NSA-5600: Local - X0 Subnet 192.168.56.0 /24 ; Remote - NSa-5650 X0 Subnet 192.168.156.0 /22
      NSa-5650: Local - X0 Subnet 192.168.156.0 /22 ; Remote - NSA-5600 X0 Subnet 192.168.56.0 /24

    • Create, on each firewall, new network address objects, in zone VPN, for the remote internal networks or hosts / ranges, or groups on the other side.

      A local network address object (X0 Subnet) was auto-created by SonicOS when the X0 LAN interfaces on both firewalls were configured. See the four images below.
      [Four images: the X0 Subnet and remote network address objects on both firewalls]

    • Create VPN Policies on both firewalls, including the below settings.

      To start, navigate to Manage | VPN | Base Settings, Add (Contemporary Mode), or VPN | Settings, Add (Classic Mode).

    • General Tab:
      Type: "Site to Site";
      Authentication Method: "IKE Using Preshared Key"
      Specify Name,
      IPSec Gateway,
      Shared Secret (all other fields are optional for this scenario).

      TIP: You can copy / paste the Shared Secret between the two VPN Policy windows. It accepts all ASCII characters. You can toggle the "Mask Shared Secret" checkbox and it will auto-fill the "Confirm Shared Secret" field.


    • Two VPN Policy windows appear when the Add button is clicked in the two firewalls' web management sessions; the General settings can be typed or copied in on each.
      [Images: General tab of the new VPN Policy window on both firewalls]

    • Network Tab:
      Choose an object for both of these on each firewall:
      (Choose local network from list;
      Choose destination network from list).

      [Images: Network tab on both firewalls]

    • Proposals Tab:
      Use Exchange: IKEv2 and choose items for IKE Proposal [DH Group; Encryption; Authentication; Life Time (seconds)] and for IPSec IKE Proposal [Encryption; Authentication; Life Time (seconds)]. In this case I've chosen stronger types of DH Group, Encryption, and Authentication and shorter lifetimes than default. Perfect Forward Secrecy is optional. When enabled, a "DH Group" option is available there. See the below two images.
      [Images: Proposals tab on both firewalls]


    • Advanced Tab:
      At least one side should have the "Enable Keep Alive" checkbox turned on. In this example, the NSA-5600 (Sitka) side has it on. Enabling it on both sides can lead to issues if one of the firewalls has a lot of VPN Policies. Other commonly used features are "Enable Windows Networking (NetBIOS) Broadcast" and Management via this SA: (HTTPS). The VPN is bound to Zone WAN by default, but it can be bound to specific network interfaces if needed (usually WAN interfaces). See the below two images.
      [Images: Advanced tab on both firewalls]

    • If the above steps are done without error, and without enabling other advanced features, both firewalls will have an active VPN Policy (with a green dot indicator) and traffic can flow between the two LANs.
      [Images: active VPN Policies with the green status indicator on both firewalls]


    • Traffic can flow because SonicOS automatically creates bidirectional access rules between the LAN and VPN zones. Hovering over these rules shows a comment saying they were auto-created for (VPN Policy Name). The rules look the same whether the policy uses IKEv2 or IKEv1.
      [Images: auto-created LAN <-> VPN access rules on both firewalls]


    • The two VM hosts behind the two firewalls involved in the VPN are able to send traffic to each other over ICMP, TCP and UDP, and to the opposite firewall's X0 interface, for ping, HTTPS management and other management services such as SSH if enabled on the VPN Policy.
    • The VM on the NSA-5600 X0 Subnet, 192.168.56.200, is pinging 192.168.158.243 and is able to manage the other firewall over HTTPS on its X0 IP of 192.168.156.50.
      [Image: ping and HTTPS management from 192.168.56.200]

    • The VM on the NSa-5650 X0 Subnet, 192.168.158.243, is pinging 192.168.56.200 and is able to manage the other firewall over HTTPS on its X0 IP of 192.168.56.56.
      [Image: ping and HTTPS management from 192.168.158.243]

    • The VM on the NSA-5600 X0 Subnet, 192.168.56.200, is able to use an RDP client to reach the other VM, 192.168.158.243, and the reverse also works. The pings in both directions continue at a rate of over 1 MBps.
      [Image: RDP session between the two VMs with pings still running]
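As an added example that is not part of the original article, here is a small Python checker that applies the cross-matching rules from the steps above to the two policies before they are saved: the IPSec Gateways must point at each other's WAN IP, the Shared Secret and both Proposals must match, the Network tab objects must be swapped between the sides, and at least one side (but not both) should have Keep Alive enabled. The VpnPolicy field names, the proposal values and the shared secret are assumptions for illustration, not SonicOS identifiers; the addresses are the ones used in this article.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VpnPolicy:
    """One firewall's Site to Site policy, as typed into the SonicOS VPN Policy window (field names assumed)."""
    name: str
    wan_ip: str            # this firewall's X1 WAN address
    ipsec_gateway: str     # General tab: the peer's WAN address
    shared_secret: str     # General tab
    local_network: str     # Network tab: local network object
    remote_network: str    # Network tab: destination network object
    exchange: str          # Proposals tab: "IKEv2" for this scenario
    ike_proposal: tuple    # Proposals tab: (DH group, encryption, authentication, lifetime s)
    ipsec_proposal: tuple  # Proposals tab: (encryption, authentication, lifetime s)
    keep_alive: bool       # Advanced tab: Enable Keep Alive

def check_pair(a: VpnPolicy, b: VpnPolicy) -> list:
    """Return the mismatches that would stop a and b forming one tunnel (empty list means consistent)."""
    net = lambda s: ipaddress.ip_network(s, strict=False)
    problems = []
    for p in (a, b):
        if p.exchange != "IKEv2":
            problems.append(f"{p.name}: Exchange is {p.exchange!r}, expected 'IKEv2'")
        if net(p.local_network).overlaps(net(p.remote_network)):
            problems.append(f"{p.name}: local and remote networks overlap")
    if (a.ipsec_gateway, b.ipsec_gateway) != (b.wan_ip, a.wan_ip):
        problems.append("IPSec Gateway fields do not point at each other's WAN IP")
    if a.shared_secret != b.shared_secret:
        problems.append("Shared Secret differs between the two policies")
    # Network objects must be cross-matched: one side's local is the other's destination.
    if net(a.local_network) != net(b.remote_network) or net(b.local_network) != net(a.remote_network):
        problems.append("Network tab objects are not cross-matched")
    if a.ike_proposal != b.ike_proposal or a.ipsec_proposal != b.ipsec_proposal:
        problems.append("IKE or IPSec proposals differ (DH group / encryption / authentication / lifetime)")
    if not (a.keep_alive or b.keep_alive):
        problems.append("Neither side has Enable Keep Alive turned on")
    if a.keep_alive and b.keep_alive:
        problems.append("Both sides have Enable Keep Alive on; one side is enough")
    return problems

def page_example() -> tuple:
    """The two policies from this article; proposal values and secret are constructed placeholders."""
    ike = ("Group 14", "AES-256", "SHA256", 14400)
    ipsec = ("AES-256", "SHA256", 3600)
    nsa5600 = VpnPolicy("NSA-5600 to NSa-5650", "10.61.34.65", "10.61.134.10", "example-secret",
                        "192.168.56.0/24", "192.168.156.0/22", "IKEv2", ike, ipsec, True)
    nsa5650 = VpnPolicy("NSa-5650 to NSA-5600", "10.61.134.10", "10.61.34.65", "example-secret",
                        "192.168.156.0/22", "192.168.56.0/24", "IKEv2", ike, ipsec, False)
    return nsa5600, nsa5650
```

Running `check_pair(*page_example())` on the article's two policies returns an empty list; any entry it returns names the tab whose setting has to be corrected on one side.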


    Categories

    • Firewalls > SonicWall NSA Series > VPN
    • Firewalls > NSa Series > VPN
    • Firewalls > TZ Series > VPN
    • Firewalls > SonicWall SuperMassive 9000 Series > VPN
    • Firewalls > NSv Series > VPN
