How to configure SonicWall VPN Auto Provisioning in SonicOS 6.2.7 and above

03/26/2020


    Description

    Starting with SonicOS release 6.2.7.0, SonicWall firewalls include the VPN Auto Provisioning feature (a.k.a. EasyVPN). This feature provides automatic VPN provisioning for box-to-box hub-and-spoke configurations. The user experience is similar to that seen when using SonicWall Global VPN Client to connect from a client machine to a firewall, in which none of the complexity is visible to the user.

    Resolution

    Example Hub and Spoke Specifications

    The Auto Provisioning Client, a TZ400W at the branch office, will connect to an Auto Provisioning Server, an NSA3600 at the corporate headquarters. Review the specifications in the following table:

    Device                       Parameter             Value
    NSA3600 (AP Server, Hub)     LAN Subnet            192.168.136.0/24
                                 WAN IP Address        10.103.193.116
                                 LAN PC1 IP Address    192.168.136.1
    TZ400W (AP Client, Spoke)    LAN Subnet            192.168.41.0/24
                                 LAN PC2 IP Address    192.168.41.65

    Deployment Steps:

    Step 1. Creating Address Objects for VPN subnets on NSA3600.
    Step 2. Configuring an AP Server policy on SonicWall NSA3600.
    Step 3. Configuring an AP Client policy on SonicWall TZ 400W.
    Step 4. How to test this scenario.

    Procedure:

    To configure the VPN AP, follow the steps below:

    Step 1: Creating Address Objects for VPN subnets on NSA3600

     1. Log in to the SonicWall Management Interface.
     2. Navigate to Network | Address Objects and click the ADD button.

    Image

     3. Configure the Address Object as mentioned in the figure above, click OK when finished.

    Step 2. Configuring an AP Server policy on SonicWall NSA3600

     1. Navigate to the VPN | Settings page and click the Add button. The VPN Policy window is displayed.

    Image

     2. Click the General tab

      - Select SonicWall Auto Provisioning Server from the Authentication Method menu.

      - Enter a name for the policy in the Name field. 

      - Select Preshared Secret next to Authentication Method.

      - Enter a name in the VPN AP Client ID field. This name must be the same as the one defined in the corresponding NSA3600 VPN policy.

      - Enter a Shared Secret password, used to set up the Security Association, in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters. Alternatively, you can check the box Use Default Provisioning Key to establish the initial Security Association and Auto Provisioning.

     3. Click the Network tab

    Image

      - Under Local Networks, select X0 Subnet from Allow Unauthenticated VPN AP Client Access menu.

      - Under Remote Networks, select 400w_branch from Choose destination network from list menu.

     4. Click the Advanced button; the Proposals and Advanced tabs are displayed.

    Image

     

      - You can leave all the values in the Proposals tab at their defaults. In the Advanced tab, choose the proper interface next to VPN Policy bound to if there are multiple WAN interfaces on the firewall.

      - Click OK to apply the settings.

      Note:  To simplify auto-provisioning, parameter choices for Phase 1 have been limited.  IKE Aggressive Mode is always used, the Phase 1 DH Group is always Group 5, the Phase 1 encryption algorithm is always AES-256, and SHA-1 is always used for the Phase 1 hash algorithm.  Phase 2 does not need to be restricted other than allowing only ESP.  The other parameters are automatically provisioned prior to Phase 2 establishment so there is no chance of configuration discrepancies between the VPN AP Server and Client.

     

    Step 3. Configuring an AP Client policy on SonicWall TZ 400W.

     

    1. Log in to the appliance, navigate to the VPN | Settings page and click the Add button. The VPN Policy window is displayed.

    Image

     

      - Select SonicWall Auto Provisioning Server from the Authentication Method menu.

      - Enter the name for the policy in the Name field. 

      - Enter the NSA3600's WAN IP address in the IPsec Primary Gateway Name or Address field.

      - Select Preshared Secret next to Authentication Method.

      - Enter a name in the VPN AP Client ID field. This name must be the same as the one defined in the corresponding TZ400W VPN policy.

      - Enter a Shared Secret password, used to set up the Security Association, in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters. Alternatively, you can check the box Use Default Provisioning Key to establish the initial Security Association and Auto Provisioning.

      - Click OK to apply the settings.

    Step 4. How to test this scenario.

      - From LAN PC2, which is behind the AP client TZ400W, ping LAN PC1, which is behind the AP server NSA3600.

    Note: Traffic from the AP Client to the AP Server is required to trigger the IKE phase 2 negotiation, after which the IPSec VPN tunnel can be established.

      - The IPSec VPN tunnel will be established and the ping should succeed.

    Image

    Image
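
A pre-flight consistency check for the values entered in Steps 1 to 3, as an added example that is not SonicWall code. It runs on a constructed plan built from the example table; the dictionary layout, the client ID and the shared secret values are assumptions made for illustration.

```python
import ipaddress

# Constructed plan based on the example table on this page. The client ID
# and shared secrets are made-up sample values, not values from the article.
PLAN = {
    "server": {"lan": "192.168.136.0/24", "wan_ip": "10.103.193.116",
               "test_host": "192.168.136.1", "client_id": "tz400w-branch",
               "shared_secret": "Br4nch-Office-41"},
    "client": {"lan": "192.168.41.0/24", "gateway": "10.103.193.116",
               "test_host": "192.168.41.65", "client_id": "tz400w-branch",
               "shared_secret": "Br4nch-Office-41"},
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    srv, cli = plan["server"], plan["client"]
    hub = ipaddress.ip_network(srv["lan"])
    spoke = ipaddress.ip_network(cli["lan"])
    # Overlapping LANs cannot be routed across the tunnel.
    if hub.overlaps(spoke):
        problems.append("hub and spoke LAN subnets overlap")
    # The Step 4 ping only proves something if each PC sits in its own LAN.
    for side, net, cfg in (("server", hub, srv), ("client", spoke, cli)):
        if ipaddress.ip_address(cfg["test_host"]) not in net:
            problems.append(f"{side} test host is outside its LAN subnet")
    # The client policy must point at the server's WAN address.
    if ipaddress.ip_address(cli["gateway"]) != ipaddress.ip_address(srv["wan_ip"]):
        problems.append("client gateway does not match server WAN IP")
    # Client ID and shared secret have to be identical on both firewalls.
    if cli["client_id"] != srv["client_id"]:
        problems.append("VPN AP Client ID differs between server and client")
    if cli["shared_secret"] != srv["shared_secret"]:
        problems.append("shared secrets differ")
    # Minimum stated in the article: at least 4 characters, letters and numbers.
    for side, cfg in (("server", srv), ("client", cli)):
        s = cfg["shared_secret"]
        if len(s) < 4 or not any(c.isdigit() for c in s) or not any(c.isalpha() for c in s):
            problems.append(f"{side} shared secret fails the stated minimum")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```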
