How to configure SonicWall VPN Auto Provisioning in SonicOS 6.2.7 and above

03/26/2020 16 15016

DESCRIPTION:

RESOLUTION:

Example Hub and Spoke Specifications

Auto Provisioning Client TZ400W at branch office will connect to an Auto Provisioning Server NSA3600 at the corporate headquarter. Review the specifications in the following table:

Deployment Steps:

Procedure:

To configure the VPN AP, follow the steps below:

Step 1: Creating Address Objects for VPN subnets on NSA3600

 1. Login to the SonicWall Management Interface
 2. Navigate to Network | Address Objects, click on ADD button.

 3. Configure the Address Object as mentioned in the figure above, click OK when finished.

Step 2. Configuring an AP Server policy on SonicWall NSA3600

 1. Navigate to VPN | Settings page. Click Add button. The VPN Policy window is displayed.

 2. Click the General tab

  - Select SonicWall Auto Provisioning Server from the Authentication Method menu.

  - Enter a name for the policy in the Name field. 

  - Select  Preshared Secret next to Authentication Method

  - Enter a name for the VPN AP Client ID  field. And this name should be as same as the one which defined in the NSA3600 corresponding VPN policy.

  - Enter a  Shared Secret password to be used to setup the Security Association the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters. Alternatively, you can check the box Use Default Provisioning Key to establish the initial Security Association and Auto Provisioning. 

 3. Click the Network tab

  - Under Local Networks, select X0 Subnet from Allow Unauthenticated VPN AP Client Access menu.

  - Under Remote Networks, select 400w_branch from Choose destination network from list menu.

 4. Click Advanced button, then Proposals and tabs are displayed.

  - You can leave all the values in Proposals tab as default. In Advanced tab choose the proper interface next to VPN Policy bound to if there are multiple WAN interfaces on the firewall.

  - Click OK to apply the settings.

  Note:  To simplify auto-provisioning, parameter choices for Phase 1 have been limited.  IKE Aggressive Mode is always used, the Phase 1 DH Group is always Group 5, the Phase 1 encryption algorithm is always AES-256, and SHA-1 is always used for the Phase 1 hash algorithm.  Phase 2 does not need to be restricted other than allowing only ESP.  The other parameters are automatically provisioned prior to Phase 2 establishment so there is no chance of configuration discrepancies between the VPN AP Server and Client.

Step 3. Configuring an AP Client policy on SonicWall TZ 400W.

1. Login to the appliance and navigate to VPN | Settings page and Click Add button. The VPN Policy window is displayed.

  - Select SonicWall Auto Provisioning Server from the Authentication Method menu.

  - Enter the name for the policy in the Name field. 

  - Enter the NSA3600's WAN IP address in the IPsec Primary Gateway Name or Address field 

  - Select  Preshared Secret next to Authentication Method

  - Enter a name for the VPN AP Client ID  field. And this name should be as same as the one which defined in the TZ400W corresponding VPN policy.

  - Enter a  Shared Secret password to be used to setup the Security Association the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters. Alternatively, you can check the box Use Default Provisioning Key to establish the initial Security Association and Auto Provisioning. 

  - Click OK to apply the settings.

Step 4. How to test this scenario.

  - From the Lan PC2 which behind AP client TZ400W, ping the Lan PC1 which behind AP server NSA3600. 

Note: Traffic from AP Client to AP Server is a must to trigger the IKE phase 2 negotiation so that the IPSec VPN tunnel can be established whereafter.

  - The IPSec VPN tunnel will be established and the ping result should be successful.