
service/software

Time: 2012-08-09 08:59 Source: 港湾互联网络 Author: 港湾网络编辑

VPN
Site-to-Site VPN Using DHCP over VPN (SonicOS Enhanced at the Central Site)

Introduction:
This document shows an example of how to configure a VPN tunnel between two SonicWall firewalls, one running SonicOS Enhanced at the main site (central site) and the other running SonicOS Standard at the remote site. Remote PCs located behind the SonicWall appliance at the remote site will obtain IP addresses automatically from a DHCP server located on the LAN zone of the Enhanced unit.

Versions used:
SonicWall recommends using the latest firmware version on the units. For this document, the feature was tested on SonicOS Enhanced 3.0.0.4-21e and SonicOS Standard 3.0.0.1-28s. Please note that SonicOS Enhanced runs on TZ170, PRO2040, PRO3060, PRO 4060 and PRO 5060 models. SonicOS Standard only runs on the TZ 150, TZ170, PRO2040, and PRO3060 models. Customers with current service/software support contracts can obtain updated versions of SonicWall firmware from the MySonicWall customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the SonicWall device on MySonicWall for the first 90 days.

Sample diagram: [figure not reproduced]

Task list:
Please note that this setup requires a correctly configured DHCP server on the LAN zone of the central site firewall.
On the SonicWall units:
At the central site:
- Add and configure a VPN policy
- Configure DHCP over VPN
At the remote site:
- Add and configure a VPN policy
- Configure DHCP over VPN

Testing:
- Verify that the VPN tunnel comes up
- Verify that the DHCP client at the remote site obtains an IP address
- Verify that traffic flows correctly between the sites
- Verify that the DHCP client has access to its own network

Before you begin:
First of all, make sure that you have an available Internet connection. If you do not, set one up before completing any further steps. Make sure that you know the IP and MAC addresses of all static devices located on the remote site.

Setup steps:

SonicWall central site configuration
Go to the VPN > Settings page. Click the Add… button to create a new VPN tunnel. A new pop-up screen will appear.

On the General tab:
- From the IPSec Keying Mode drop-down, select IKE using Preshared Secret.
- In the Name: box, enter 'to remote site'.
- In the IPSec Primary Gateway Name or Address box, enter the WAN IP address of the remote SonicWall device.
- Leave the box next to IPSec Secondary Gateway Name or Address untouched.
- In the Shared Secret: box, enter the preshared key you wish to use (you will need to enter this same key on the remote SonicWall device).
- Leave the Local IKE ID and Peer IKE ID options untouched.

On the Network tab:
- Select the address object that you wish to use as the local network, in this example LAN Primary Subnet.
- Under Destination Networks, select the radio button next to Destination network obtains IP addresses using DHCP through this VPN Tunnel.

On the Proposals tab:
- From the Phase 1 Exchange drop-down, select Main Mode.
- From the Phase 1 DH Group drop-down, select Group 2.
- From the Phase 1 Encryption drop-down, select 3DES.
- From the Phase 1 Authentication drop-down, select SHA1.
- In the Phase 1 box next to Life Time (seconds), enter 28800.
- From the Phase 2 Protocol: drop-down, select ESP.
- From the Phase 2 Authentication: drop-down, select SHA1.
- Do not check the box next to Enable Perfect Forward Secrecy.
- In the Phase 2 box next to Life Time (seconds), enter 28800.

On the Advanced tab:
- Select Enable Keep Alive.
- When done, click the OK button at the bottom to save and activate this VPN tunnel.

Your entries should look like this: [screenshot not reproduced]

To finalize the configuration of the SonicWall appliance at the central site, go to the VPN > DHCP over VPN page. Leave the setting as Central Gateway and click the Configure button. Select the checkbox Send DHCP requests to the server addresses listed below and add the IP address of your DHCP server (here: 192.168.168.254). Click OK and then Apply.

SonicWall remote site configuration
Log into the remote SonicWall device's management GUI and go to the VPN > Settings page. Click the Add… button to create a new VPN tunnel. A new pop-up screen will appear.

On the General tab:
- From the IPSec Keying Mode drop-down, select IKE using Preshared Secret.
- In the Name: box, enter 'to central site'.
- In the IPSec Primary Gateway Name or Address box, enter the WAN IP address of the central SonicWall device.
- Leave the box next to IPSec Secondary Gateway Name or Address untouched.
- In the Shared Secret: box, enter the preshared key you wish to use (the same key you specified on the central SonicWall device).
- Select the radio button next to Specify destination networks below.
- Click the Add… button to enter the central SonicWall's LAN IP network(s) and subnet mask.

On the Proposals tab:
- From the Phase 1 Exchange drop-down, select Main Mode.
- From the Phase 1 DH Group drop-down, select Group 2.
- From the Phase 1 Encryption drop-down, select 3DES.
- From the Phase 1 Authentication drop-down, select SHA1.
- In the Phase 1 box next to Life Time (seconds), enter 28800.
- From the Phase 2 Protocol: drop-down, select ESP.
- From the Phase 2 Authentication: drop-down, select SHA1.
- Do not check the box next to Enable Perfect Forward Secrecy.
- In the Phase 2 box next to Life Time (seconds), enter 28800.
- When done, click the OK button at the bottom to save and activate this VPN tunnel.

On the Advanced tab:
- Select Enable Keep Alive.

Your entries should look like this: [screenshot not reproduced]

To finalize the configuration of the SonicWall appliance at the remote site, go to the VPN > DHCP over VPN page. Choose Remote Gateway and click the Configure button. The DHCP over VPN configuration window is displayed.

On the General tab:
- Select the VPN policy to be used for the VPN tunnel from the Relay DHCP through this VPN Tunnel menu. In our case it will be 'to central site'.
- You can enter a static IP address in the Relay IP Address field. This static IP address is from the pool of specific IP addresses on the central gateway. It should not be available in the scope of DHCP addresses. The SonicWall can also be managed through the relay IP address. In this example we will leave it with zeros.
- Enter an IP address in the Remote Management IP Address field. This setting is used to manage the SonicWall remotely through the VPN tunnel from behind the central gateway. Here we use 192.168.168.240.
- Leave the rest of the settings on this tab untouched.

On the Devices tab:
Here you can add the IP addresses of the PCs at the remote site that have a static IP address. Click Add. The Add LAN Device Entry window is displayed. Type the IP address of the device in the IP Address field (192.168.38.190) and then enter the Ethernet address of the device in the Ethernet Address field (00:50:fc:0d:5b:4f). Thanks to this, the remote PCs that obtain an IP address from the central location will be able to communicate with the local PCs, which belong to a different IP range.
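
The address rules from the DHCP over VPN steps above can be checked before anything is typed into the GUI. This is an added example, not part of the original guide: the /24 mask for the central LAN and the DHCP scope 192.168.168.100-199 are assumptions, because the guide states neither.

```python
import ipaddress
import re

# Values taken from the guide.
DHCP_SERVER = "192.168.168.254"
REMOTE_MGMT_IP = "192.168.168.240"
RELAY_IP = "0.0.0.0"  # the guide leaves the relay IP as zeros
STATIC_DEVICES = [("192.168.38.190", "00:50:fc:0d:5b:4f")]

# Assumptions, not stated in the guide: the central LAN mask and the DHCP scope.
CENTRAL_LAN = ipaddress.ip_network("192.168.168.0/24")
SCOPE = (ipaddress.ip_address("192.168.168.100"),
         ipaddress.ip_address("192.168.168.199"))

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def check_plan(server, mgmt_ip, relay_ip, devices, lan=CENTRAL_LAN, scope=SCOPE):
    """Return a list of problems found in a DHCP over VPN address plan."""
    problems = []
    fixed = (("DHCP server", server), ("remote management IP", mgmt_ip),
             ("relay IP", relay_ip))
    for label, ip in fixed:
        addr = ipaddress.ip_address(ip)
        if label == "relay IP" and addr.is_unspecified:
            continue  # zeros: no relay IP configured, nothing to check
        if addr not in lan:
            problems.append(f"{label} {ip} is outside the central LAN {lan}")
        elif scope[0] <= addr <= scope[1]:
            # The guide states this rule for the relay IP; applying it to the
            # other fixed addresses as well is an assumption of this example.
            problems.append(f"{label} {ip} is inside the DHCP scope")
    seen_ips, seen_macs = set(), set()
    for ip, mac in devices:
        addr = ipaddress.ip_address(ip)
        if not MAC_RE.match(mac):
            problems.append(f"static device {ip}: malformed MAC {mac!r}")
        if addr in lan:
            # Static remote hosts must stay in their own range, away from leases.
            problems.append(f"static device {ip} overlaps the central LAN {lan}")
        if addr in seen_ips or mac.lower() in seen_macs:
            problems.append(f"static device {ip} / {mac} is listed twice")
        seen_ips.add(addr)
        seen_macs.add(mac.lower())
    return problems


if __name__ == "__main__":
    for line in check_plan(DHCP_SERVER, REMOTE_MGMT_IP, RELAY_IP, STATIC_DEVICES):
        print("PROBLEM:", line)
```

With the guide's own values the check returns no problems; replace CENTRAL_LAN and SCOPE with the real mask and scope of the central DHCP server.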

Testing
On the remote PC configured to obtain an IP address automatically, open a command prompt and type ipconfig /release and then ipconfig /renew. It should obtain an IP address from the DHCP server at the central site. Then type ping 192.168.168.168 or ping 192.168.168.254. You should get a reply. If not, check the settings on both devices and ensure that both sides were configured correctly. You can also log into either SonicWall's management GUI and verify that the tunnel is active by going to the VPN > Settings page. If the VPN tunnel is active, it will be displayed in the Currently Active VPN Tunnels section. You can also try to manage the remote SonicWall from the central site by opening a web browser and typing https://192.168.168.240.
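
The advice above to check the settings on both devices can be done mechanically by writing down each site's Proposals tab and comparing the two. This is an added example, not part of the original guide: the key names, the note texts and the Group 5 mismatch in the demo are constructed here, and the notes describe what the guide's 3DES, SHA1, Group 2 and no-PFS choices mean so they can be reviewed against what the installed firmware offers.

```python
# Proposal settings as the guide gives them for each site (added example).
GUIDE = {
    "phase1_exchange": "Main Mode",
    "phase1_dh_group": "Group 2",
    "phase1_encryption": "3DES",
    "phase1_authentication": "SHA1",
    "phase1_lifetime": "28800",
    "phase2_protocol": "ESP",
    "phase2_authentication": "SHA1",
    "phase2_pfs": "disabled",
    "phase2_lifetime": "28800",
}

# What each of the guide's choices means cryptographically.
NOTES = {
    ("phase1_dh_group", "group 2"): "1024-bit MODP Diffie-Hellman group",
    ("phase1_encryption", "3des"): "64-bit block cipher",
    ("phase1_authentication", "sha1"): "160-bit hash, superseded by SHA-2",
    ("phase2_authentication", "sha1"): "160-bit hash, superseded by SHA-2",
    ("phase2_pfs", "disabled"): "phase 2 keys derive from phase 1 keying material",
}


def norm(value):
    """Normalise a value as typed from the GUI: case, spacing, stray quotes."""
    return " ".join(str(value).strip().strip("'\"").lower().split())


def compare(central, remote):
    """Return (mismatches, notes) for the two sites' proposal settings."""
    mismatches = []
    for key in sorted(set(central) | set(remote)):
        c, r = central.get(key), remote.get(key)
        if c is None or r is None or norm(c) != norm(r):
            mismatches.append((key, c, r))
    notes = []
    for site, policy in (("central", central), ("remote", remote)):
        for key in sorted(policy):
            reason = NOTES.get((key, norm(policy[key])))
            if reason:
                notes.append((site, key, reason))
    return mismatches, notes


if __name__ == "__main__":
    # Constructed misconfiguration: the remote site was set to Group 5.
    found, notes = compare(GUIDE, dict(GUIDE, phase1_dh_group="Group 5"))
    for key, c, r in found:
        print(f"MISMATCH {key}: central={c!r} remote={r!r}")
    for site, key, reason in notes:
        print(f"NOTE {site} {key}: {reason}")
```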

(Editor in charge: admin)