How to configure a Site-to-Site VPN between two Appliances using DDNS
07/15/2022
Description
This article details how to configure a Site-to-Site VPN between two SonicWall appliances where both are located behind DSL connections with dynamic IP addresses.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that differ from the SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
How To Configure Dynamic DNS
- Log in to the SonicWall management interface.
- Click Manage in the top navigation menu.
- Navigate to Network | Dynamic DNS.
- Click Add.
- The Add DDNS Profile window is displayed.
- Make the following configuration in this window:
- Enable this DDNS profile: Checked
- Use Online settings: Checked
- Profile Name: Give any name
- Provider: Select the DDNS Provider from the list
- User Name: Username to login to the Provider site
- Domain name: Domain Name that is created for the IP
- Bound to: Select the Interface to which the IP is bounded
- Service type: select one of the following:
- Dynamic: a free Dynamic DNS service
- Custom: supports both dynamic and static IP addresses
- Static: a free DNS service for static IP addresses
Navigate to the Advanced tab and select one of the following settings:
- Let the server detect IP Address: the dynamic DNS provider determines the IP address based upon the source address of the connection. This is the most common setting.
- Automatically set IP Address to the Primary WAN Interface IP Address: this causes the SonicWall device to assert its WAN IP address as the registered IP address, overriding auto-detection by the dynamic DNS server.
- Specify IP Address manually: allows the IP address to be registered to be manually specified and asserted.
The Off-line Settings section controls what IP address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWall. The options are:
- Do nothing: the default setting. This allows the previously registered address to remain current with the dynamic DNS provider. This is the most common setting.
- Use the Off-Line IP address previously configured at Provider's site: if your provider supports manual configuration of Off-Line Settings, you can select this option to use those settings when this profile is taken administratively offline.
- Click OK, then check that the profile is Enabled, the Status shows On-line, and the correct IP address is displayed.
Creating Address Objects for VPN subnets
- Log in to the SonicWall management interface.
- Click Object in the top navigation menu.
- Navigate to Match Objects | Addresses and click Add.
ON TZ 670
ON site TZ 570P
Configuring a VPN policy on Site A (Location 1) SonicWall
- Click Network in the top navigation menu.
- Navigate to IPsec VPN | Rules and Settings and click Add. The VPN Policy window is displayed.
- Click the General tab.
- Select IKE using Preshared Secret from the Authentication Method menu.
- Enter a name for the policy in the Name field.
- Enter the Dynamic DNS hostname of the remote connection in the IPsec Primary Gateway Name or Address field (enter the TZ 670 Dynamic DNS name).
- Enter a Shared Secret password to be used to set up the Security Association in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long and should comprise both numbers and letters.
- Optionally, specify a Local IKE ID and Peer IKE ID for this policy. By default, the IP address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWall Identifier (ID_USER_FQDN) is used for Aggressive Mode.
- Click the Network tab.
- Under Local Networks, select Choose local network from list and select the address object (LAN Subnet).
- Under Destination Networks, select Choose destination network from list and select the address object (TZ 670).
- Click the Proposals tab.
- Under IKE (Phase 1) Proposal, select Main Mode from the Exchange menu.
- Under IKE (Phase 1) Proposal, the default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations. Be sure the Phase 1 values on the opposite side of the tunnel are configured to match. You can also choose AES-128, AES-192, or AES-256 from the Authentication menu instead of 3DES for enhanced authentication security.
- Under IPsec (Phase 2) Proposal, the default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, DH Group, and Lifetime are acceptable for most VPN SA configurations. Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.
- Click the Advanced tab.
- Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, Keep Alive allows the tunnel to be renegotiated automatically once both sides become available again, without having to wait for the proposed Life Time to expire.
- Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
- To manage the local SonicWall through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both under User login via this SA to allow users to log in using the SA.
- If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, enter the IP address of your router in the Default LAN Gateway (optional) field.
- Select an interface or zone from the VPN Policy bound to menu. Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
- Click Save.
Configuring a VPN policy on Site B (Location 2) SonicWall
- Click Network in the top navigation menu.
- Navigate to IPsec VPN | Rules and Settings and click Add. The VPN Policy window is displayed.
- Click the General tab.
- Select IKE using Preshared Secret from the Authentication Method menu.
- Enter a name for the policy in the Name field.
- Enter the Dynamic DNS hostname of the remote connection in the IPsec Primary Gateway Name or Address field (enter the TZ 570P Dynamic DNS name).
- Enter a Shared Secret password to be used to set up the Security Association in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long and should comprise both numbers and letters.
- Optionally, specify a Local IKE ID and Peer IKE ID for this policy. By default, the IP address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWall Identifier (ID_USER_FQDN) is used for Aggressive Mode.
- Click the Network tab.
- Under Local Networks, select Choose local network from list and select the address object (LAN Subnet).
- Under Destination Networks, select Choose destination network from list and select the address object (TZ 570P).
- Click the Proposals tab.
NOTE: Settings must be the same as on Site A.
- Click the Advanced tab.
- Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, Keep Alive allows the tunnel to be renegotiated automatically once both sides become available again, without having to wait for the proposed Life Time to expire.
- Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
- To manage the local SonicWall through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both under User login via this SA to allow users to log in using the SA.
- If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, enter the IP address of your router in the Default LAN Gateway (optional) field.
- Select an interface or zone from the VPN Policy bound to menu. Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
- Click Save.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that differ from the SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.
Refer to the KB article on how to configure DDNS.
Creating Address Objects for VPN subnets
- Log in to the SonicWall management interface.
- Click Object in the top navigation menu.
- Navigate to Match Objects | Addresses and click Add.
ON TZ 670
ON site TZ 570P
Configuring a VPN policy on Site A (Location 1) SonicWall
- Click Network in the top navigation menu.
- Navigate to IPsec VPN | Rules and Settings and click Add. The VPN Policy window is displayed.
- Click the General tab.
- Select IKE using Preshared Secret from the Authentication Method menu.
- Enter a name for the policy in the Name field.
- Enter the Dynamic DNS hostname of the remote connection in the IPsec Primary Gateway Name or Address field (enter the TZ 670 Dynamic DNS name).
- Enter a Shared Secret password to be used to set up the Security Association in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long and should comprise both numbers and letters.
- Optionally, specify a Local IKE ID and Peer IKE ID for this policy. By default, the IP address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWall Identifier (ID_USER_FQDN) is used for Aggressive Mode.
- Click the Network tab.
- Under Local Networks, select Choose local network from list and select the address object (LAN Subnet).
- Under Destination Networks, select Choose destination network from list and select the address object (TZ 670).
- Click the Proposals tab.
- Under IKE (Phase 1) Proposal, select Main Mode from the Exchange menu.
- Under IKE (Phase 1) Proposal, the default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations. Be sure the Phase 1 values on the opposite side of the tunnel are configured to match. You can also choose AES-128, AES-192, or AES-256 from the Authentication menu instead of 3DES for enhanced authentication security.
- Under IPsec (Phase 2) Proposal, the default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, DH Group, and Lifetime are acceptable for most VPN SA configurations. Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.
- Click the Advanced tab.
- Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, Keep Alive allows the tunnel to be renegotiated automatically once both sides become available again, without having to wait for the proposed Life Time to expire.
- Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
- To manage the local SonicWall through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both under User login via this SA to allow users to log in using the SA.
- If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, enter the IP address of your router in the Default LAN Gateway (optional) field.
- Select an interface or zone from the VPN Policy bound to menu. Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
- Click Save.
Configuring a VPN policy on Site B (Location 2) SonicWall
- Click Network in the top navigation menu.
- Navigate to IPsec VPN | Rules and Settings and click Add. The VPN Policy window is displayed.
- Click the General tab.
- Select IKE using Preshared Secret from the Authentication Method menu.
- Enter a name for the policy in the Name field.
- Enter the Dynamic DNS hostname of the remote connection in the IPsec Primary Gateway Name or Address field (enter the TZ 570P Dynamic DNS name).
- Enter a Shared Secret password to be used to set up the Security Association in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long and should comprise both numbers and letters.
- Optionally, specify a Local IKE ID and Peer IKE ID for this policy. By default, the IP address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWall Identifier (ID_USER_FQDN) is used for Aggressive Mode.
- Click the Network tab.
- Under Local Networks, select Choose local network from list and select the address object (LAN Subnet).
- Under Destination Networks, select Choose destination network from list and select the address object (TZ 570P).
- Click the Proposals tab.
NOTE: Settings must be the same as on Site A.
- Click the Advanced tab.
- Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, Keep Alive allows the tunnel to be renegotiated automatically once both sides become available again, without having to wait for the proposed Life Time to expire.
- Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
- To manage the local SonicWall through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both under User login via this SA to allow users to log in using the SA.
- If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, enter the IP address of your router in the Default LAN Gateway (optional) field.
- Select an interface or zone from the VPN Policy bound to menu. Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
- Click Save.
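In both the SonicOS 7.X and the SonicOS 6.5 procedures the two policies must mirror each other: each side's IPsec Primary Gateway is the other side's Dynamic DNS name, the local and destination address objects are swapped, the Shared Secret is identical and meets the stated minimum, and the Phase 1 and Phase 2 proposals match. The following Python checker is an added example, not SonicWall's code, that encodes those conditions so a mismatch is caught before the tunnel is tested; the hostnames, subnets and proposal values are constructed samples.

```python
# Added example (not SonicWall code): checks that two site-to-site policies built
# by the steps above mirror each other. Hostnames, subnets, proposals are samples.
from dataclasses import dataclass, field

@dataclass
class VpnPolicy:
    site: str
    ddns_name: str            # this firewall's own DDNS profile hostname
    peer_gateway: str         # IPsec Primary Gateway Name or Address field
    shared_secret: str
    local_network: str        # Local Networks address object
    destination_network: str  # Destination Networks address object
    phase1: dict = field(default_factory=dict)  # IKE (Phase 1) Proposal
    phase2: dict = field(default_factory=dict)  # IPsec (Phase 2) Proposal

def check_shared_secret(secret):
    """Apply the article's stated minimum: 4+ characters, letters and digits."""
    problems = []
    if len(secret) < 4:
        problems.append("shared secret is shorter than 4 characters")
    if not (any(c.isalpha() for c in secret) and any(c.isdigit() for c in secret)):
        problems.append("shared secret should contain both letters and digits")
    return problems

def check_pair(a, b):
    """Return every mismatch found; an empty list means the policies mirror."""
    problems = check_shared_secret(a.shared_secret)
    if a.shared_secret != b.shared_secret:
        problems.append("shared secrets differ")
    for me, peer in ((a, b), (b, a)):
        # Each side's Primary Gateway must be the other side's DDNS hostname.
        if me.peer_gateway.lower() != peer.ddns_name.lower():
            problems.append(f"{me.site}: gateway {me.peer_gateway} is not {peer.site}'s DDNS name")
        # The local network of one side is the destination network of the other.
        if me.local_network != peer.destination_network:
            problems.append(f"{me.site}: local network {me.local_network} is not {peer.site}'s destination")
    # Phase 1 and Phase 2 proposals must be identical on both peers.
    for phase, pa, pb in (("Phase 1", a.phase1, b.phase1), ("Phase 2", a.phase2, b.phase2)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase} {key}: {a.site}={pa.get(key)!r}, {b.site}={pb.get(key)!r}")
    return problems

PHASE1 = {"exchange": "Main Mode", "dh_group": 14, "encryption": "AES-256",
          "authentication": "SHA256", "lifetime": 28800}
PHASE2 = {"protocol": "ESP", "encryption": "AES-256", "authentication": "SHA256",
          "pfs": True, "dh_group": 14, "lifetime": 28800}
SITE_A = VpnPolicy("Site A (TZ 570P)", "sitea.ddns.example", "siteb.ddns.example",
                   "vpn2022key", "192.168.10.0/24", "192.168.20.0/24", PHASE1, PHASE2)
SITE_B = VpnPolicy("Site B (TZ 670)", "siteb.ddns.example", "sitea.ddns.example",
                   "vpn2022key", "192.168.20.0/24", "192.168.10.0/24",
                   dict(PHASE1), {**PHASE2, "pfs": False})  # deliberate Phase 2 mismatch
```

Running `check_pair(SITE_A, SITE_B)` reports only the Perfect Forward Secrecy mismatch, which is exactly the kind of setting the NOTE under Site B says must be the same on both sides.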