Creating a site-to-site VPN tunnel in the Sonicwall OS
Need: the external IP and the internal IP range of both ends. Note that the external IP range of any tunnel must be different from that of any other tunnel already defined on that firewall.
If you are setting a firewall up behind an ISP router that is NOT in bridge mode (i.e. double-NATing), you must set up an IP reservation for the SonicWall so that it always gets the same IP address. Define the SonicWall’s WAN interface as Static and input this address, using the IP of the ISP router as the gateway. You must forward port 443 to the SonicWall for the VPN tunnel to work. Note also that you must forward port 4886 (or whatever your management port is) to be able to manage the SonicWall over the internet, and port 4433 (or whatever your SSLVPN port is) for SSLVPN clients to connect to the firewall.
In this example, we’re using LOCAL as the local and REMOTE as the remote.
1. Create Address Objects on each firewall for the other end’s LAN, e.g. LOCALLan and REMOTELan
- On the LOCAL firewall, create an address object:
  - Name: REMOTELan
  - Zone: VPN
  - Type: Network
  - Network: e.g. 10.0.0.0 (Remote location’s internal LAN range, using 0 in the last octet)
  - Netmask: 255.255.255.0
- On the REMOTE firewall, create an address object:
  - Name: LOCALLan
  - Zone: VPN
  - Type: Network
  - Network: e.g. 172.15.1.0 (Local location’s internal LAN range, using 0 in the last octet)
  - Netmask: 255.255.255.0
2. In the VPN base settings of each firewall, change the Firewall Identifier to something descriptive (note: minimum of 4 characters)
- Local Identifier = LOCALFirewall
- Remote Identifier = REMOTEFirewall
3. Add a new VPN Policy on each firewall, named the same as the identifier at the other end
- On LOCAL Firewall General Tab
  - Type = Site-to-site
  - Name = Firewall ID from the other end (must match exactly)
  - IKE using preshared secret
  - Primary Gateway = Remote site’s external IP
  - Secondary Gateway = 0.0.0.0 (unless you are setting up an alternate path using a 3rd firewall)
  - Shared Secret = you make this up, but write it down!
  - Local IKE ID = Choose Firewall ID from the drop-down list, set value to the ID from step 2 (LOCALFirewall)
  - Peer IKE ID = Choose Firewall ID from the drop-down list, set value to the ID from step 2 (REMOTEFirewall)
- On LOCAL Firewall Network Tab
  - Choose the local network from the list that represents the IP range of the local network = usually ‘LAN Primary Subnet’. If LAN Primary Subnet is not available, try using the LAN interface, usually "X0" or similar. IMPORTANT: check through the settings to make sure it refers to the same range as in step 1.
  - Choose the destination network from the list = the address object you created in step 1 (REMOTELan)
- On LOCAL Firewall Proposals Tab
  - Exchange = IKEv2 Mode if available on both firewalls; otherwise use “Main Mode” if you have static IP addresses on both ends, or “Aggressive Mode” if you have a dynamic IP on either end.
  - Other fields on this tab = use the defaults
- On LOCAL Firewall Advanced Tab
  - Check “Keep Alive” (note: if BOTH firewalls are on the 6.0+ firmware, then BOTH need Keep Alive enabled; otherwise only the LOCAL firewall should have Keep Alive enabled)
  - Other fields on this tab = use the defaults
- On REMOTE Firewall General Tab
  - Type = Site-to-site
  - Name = Firewall ID from the other end (must match exactly)
  - IKE using preshared secret
  - Primary Gateway = LOCAL location’s external IP
  - Secondary Gateway = 0.0.0.0 (unless you are setting up an alternate path using a 3rd firewall)
  - Shared Secret = same as the shared secret you used on the other firewall
  - Local IKE ID = Firewall ID from step 2 (REMOTEFirewall)
  - Peer IKE ID = Firewall ID from step 2 (LOCALFirewall)
- On REMOTE Firewall Network Tab
  - Choose the local network from the list that represents the IP range of the local network = usually ‘LAN Primary Subnet’. If LAN Primary Subnet is not available, try using the LAN interface, usually "X0". Check through the settings to make sure it refers to the same range as in step 1.
  - Choose the destination network from the list = the address object you created in step 1 (LOCALLan)
- On REMOTE Firewall Proposals Tab
  - Exchange = use the same parameters you selected on the other firewall
  - Other fields on this tab = use the defaults
- On REMOTE Firewall Advanced Tab
  - Check “Keep Alive” if the firewall is on the 6.0+ firmware (note: if BOTH firewalls are on the 6.0+ firmware, then BOTH need Keep Alive enabled; otherwise only the LOCAL firewall should have Keep Alive enabled)
  - Other fields on this tab = use the defaults
4. Once you click OK on the 2nd firewall, you should see the tunnel come up (green dot on the VPN policy listing).
5. Test the tunnel by pinging a computer on the remote LAN from the local LAN.
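Most tunnels that refuse to come up after this procedure fail on a single mistyped field at one end, so a pre-flight check of the two configurations side by side saves a lot of log reading. The script below is an added example and is not SonicWall code or tooling: the two dicts are constructed sample configurations that follow the steps above (the page's example LAN ranges, with TEST-NET addresses standing in for the external IPs), and check_pair() reports every place the two ends disagree with each other or with the procedure: policy name vs. peer identifier, local/peer IKE IDs, primary gateway vs. peer external IP, destination object vs. peer LAN and zone, overlap with a policy already on that firewall, exchange mode, shared secret, identifier length, and the keep-alive rule by firmware version. The dict keys (firmware_major, other_policies, and so on) are this example's own assumptions, not SonicOS setting names.

```python
"""Pre-flight consistency check for a hand-configured site-to-site VPN pair.

Added example, not SonicWall code.  The configs below are constructed to
mirror what was typed into each firewall in the steps above; every key name
is an assumption of this example rather than a SonicOS setting name.
"""
import copy
import ipaddress


def network_of(obj):
    """Address object (network + netmask) -> ip_network, host bits ignored."""
    return ipaddress.ip_network(f"{obj['network']}/{obj['netmask']}", strict=False)


def variant(config, policy=None, **top):
    """Deep-copy a config and override top-level and/or VPN-policy fields (what-if checks)."""
    new = copy.deepcopy(config)
    new.update(top)
    new["policy"].update(policy or {})
    return new


def check_pair(local, remote):
    """Return a list of human-readable problems; empty means both ends agree."""
    problems = []
    # Checks that apply symmetrically to each end against its peer.
    for side, peer in ((local, remote), (remote, local)):
        tag, pol = side["firewall_id"], side["policy"]
        if len(side["firewall_id"]) < 4:
            problems.append(f"{tag}: firewall identifier needs at least 4 characters")
        if pol["name"] != peer["firewall_id"]:
            problems.append(f"{tag}: policy name {pol['name']!r} must equal peer identifier {peer['firewall_id']!r}")
        if pol["local_ike_id"] != side["firewall_id"] or pol["peer_ike_id"] != peer["firewall_id"]:
            problems.append(f"{tag}: local/peer IKE IDs must be {side['firewall_id']!r}/{peer['firewall_id']!r}")
        if pol["primary_gateway"] != peer["external_ip"]:
            problems.append(f"{tag}: primary gateway {pol['primary_gateway']} is not the peer's external IP {peer['external_ip']}")
        dest_obj = side["address_objects"][pol["destination"]]
        if dest_obj["zone"] != "VPN":
            problems.append(f"{tag}: address object {pol['destination']} must be in zone VPN")
        dest = network_of(dest_obj)
        if dest != network_of(peer["lan"]):
            problems.append(f"{tag}: destination {dest} does not match peer LAN {network_of(peer['lan'])}")
        # A new policy's network must not overlap one already defined on this firewall.
        for other_name, other_net in side["other_policies"].items():
            if dest.overlaps(ipaddress.ip_network(other_net)):
                problems.append(f"{tag}: destination {dest} overlaps existing policy {other_name} ({other_net})")
    # Checks on values that must simply be equal at both ends.
    if local["policy"]["shared_secret"] != remote["policy"]["shared_secret"]:
        problems.append("shared secret differs between the two ends")
    if local["policy"]["exchange"] != remote["policy"]["exchange"]:
        problems.append("exchange mode differs between the two ends")
    # Keep Alive: both ends on 6.0+ -> both on; otherwise only LOCAL on.
    both_new = local["firmware_major"] >= 6 and remote["firmware_major"] >= 6
    expected = {"LOCAL": True, "REMOTE": both_new}
    for role, side in (("LOCAL", local), ("REMOTE", remote)):
        if side["policy"]["keep_alive"] != expected[role]:
            problems.append(f"{role} ({side['firewall_id']}): keep alive should be {'on' if expected[role] else 'off'}")
    return problems


# Constructed sample configs (TEST-NET external IPs, page's example LAN ranges).
LOCAL_FW = {
    "firewall_id": "LOCALFirewall", "external_ip": "203.0.113.10", "firmware_major": 6,
    "lan": {"network": "172.15.1.0", "netmask": "255.255.255.0"},
    "address_objects": {"REMOTELan": {"zone": "VPN", "network": "10.0.0.0", "netmask": "255.255.255.0"}},
    "other_policies": {"BRANCHFirewall": "10.1.0.0/24"},   # a tunnel that already exists here
    "policy": {"name": "REMOTEFirewall", "primary_gateway": "198.51.100.20",
               "shared_secret": "example-secret-change-me", "local_ike_id": "LOCALFirewall",
               "peer_ike_id": "REMOTEFirewall", "destination": "REMOTELan",
               "exchange": "IKEv2", "keep_alive": True},
}
REMOTE_FW = {
    "firewall_id": "REMOTEFirewall", "external_ip": "198.51.100.20", "firmware_major": 6,
    "lan": {"network": "10.0.0.0", "netmask": "255.255.255.0"},
    "address_objects": {"LOCALLan": {"zone": "VPN", "network": "172.15.1.0", "netmask": "255.255.255.0"}},
    "other_policies": {},
    "policy": {"name": "LOCALFirewall", "primary_gateway": "203.0.113.10",
               "shared_secret": "example-secret-change-me", "local_ike_id": "REMOTEFirewall",
               "peer_ike_id": "LOCALFirewall", "destination": "LOCALLan",
               "exchange": "IKEv2", "keep_alive": True},
}

if __name__ == "__main__":
    for label, pair in (("as configured", (LOCAL_FW, REMOTE_FW)),
                        ("remote secret mistyped", (LOCAL_FW, variant(REMOTE_FW, policy={"shared_secret": "typo"})))):
        print(label, "->", check_pair(*pair) or "OK")
```

Running the block prints "OK" for the matching pair and one line for the mistyped secret; variant() lets you try the other single-field mistakes (a 5.x remote firmware, an overlapping existing policy) and see exactly which step to revisit.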