IPsec VPN Configuration Example: SonicWall TZ 100


This example illustrates how to configure two IPsec VPN tunnels from a SonicWALL TZ 100 firewall to two ZENs in the Zscaler cloud.

As shown in the figure below, the corporate office sends its internal traffic to LAN port X0 in the internal network. It sends the outbound traffic to the WAN interface X1.

A network diagram showing the primary and secondary IPSec tunnels from a SonicWALL TZ 100 firewall to two Zscaler ZENs

Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.

Dead Peer Detection (DPD) must be enabled so the firewall can detect if a VPN is offline. If this occurs, it routes the Internet-bound traffic through the backup VPN.

The SonicWALL TZ 100 firewall doesn't support VPN monitoring; it relies on DPD to fail over.

Prerequisites

Ensure you have the IP addresses of the ZENs.

Configure the Zscaler Service

In this example, the peers authenticate with a pre-shared key and identify themselves by FQDN. Log in to the admin portal and add the VPN credentials, and then link them to the location as described below.

Adding VPN Credentials

  1. In the admin portal, go to Administration > Resources > VPN Credentials.
  2. Click Add and do the following:
    • Choose FQDN and enter the FQDN abc@test.net. This is the FQDN that was given to Zscaler beforehand.
    • Enter the pre-shared key abc in the text box and confirmation box.
  3. Click Save and activate the change.

Linking VPN Credentials to the Location

  1. In the admin portal, go to Administration > Resources > Locations.
  2. Click Add.
  3. In the Add Location page, do the following:
    • Enter the location name NW Branch.
    • Click the down arrow beside VPN Credentials and choose the credentials you created.
  4. Click Save and activate the change.

Configure the SonicWALL TZ 100 Firewall

This section describes how to log in to the user interface of the SonicWALL TZ 100 firewall running version 5.6.0.11-61 and configure two IPsec VPN tunnel interfaces. Refer to the SonicWALL documentation for additional information about the user interface.

Log in to the SonicWALL TZ 100 and complete the following tasks:

Configure the Interfaces

Configure the following interfaces:

  • Port X0 in the Trusted zone LAN
  • Port X1 in the Untrusted zone WAN

  1. Navigate to Network > Interfaces and click Configure beside the X0 interface.
  2. Complete the following and click OK:
    • IP Assignment: Static
    • IP Address and Subnet Mask: 192.168.168.168, 255.255.255.0
    • Management: Select HTTP, HTTPS, Ping, and SSH
  3. Click Configure beside the X1 interface.
  4. In the General tab, complete the following:
    • IP Assignment: DHCP
    • Management: Select HTTP and HTTPS
    • Select Add rule to enable redirect from HTTP to HTTPS
  5. In the Advanced tab, complete the following:
    • Interface MTU: 1400
  6. Click OK.

Configure the DNS Server and a Default Route on X1

Configure the DNS server.

  1. Navigate to Network > DNS.
  2. Click Specify DNS Server Manually and enter the DNS server IP address. In this example, the IP address is 10.10.104.23. (See Prerequisites above to learn how to locate ZEN IP addresses for your organization.)
  3. Click Apply.

Configure the default route on the WAN port X1:

  1. Navigate to Network > Routing.
  2. Under Route Policies, click Add and complete the following:
    • Source: Any
    • Destination: 0.0.0.0
    • Service: Any
    • Gateway: 0.0.0.0
    • Interface: X1
    • Metric: 255
  3. Click OK.

Define the VPN Policy and Specify the IKE Settings

  1. Navigate to VPN > Settings.
  2. Click Add to create a new VPN policy.
  3. In the General tab, complete the following:
    • Security Policy
      • Policy Type: Site to Site
      • Authentication Method: IKE using Preshared Secret
      • Name: vpn-test
      • IPsec Primary Gateway Name or Address: 10.10.104.71 (See Prerequisites above to learn how to locate ZEN IP addresses for your organization.)
      • IPsec Secondary Gateway Name or Address: 10.10.104.235 (See Prerequisites above to learn how to locate ZEN IP addresses for your organization.)
    • IKE Authentication
      • Enter the shared secret abc.
      • Local IKE ID: Select Email Address and enter abc@test.net.
      • Peer IKE ID: Select IP Address.
  4. In the Network tab, select the local and remote networks whose traffic will be sent through the IPsec tunnel:
    • Local Networks: Click Choose local network from list and select LAN Subnets.
    • Remote Networks: Select Use this VPN Tunnel as default route for all Internet traffic.
  5. In the Proposals tab, specify the parameters for the IKE Phase 1 and Phase 2 proposals:
    • IKE (Phase 1) Proposal
      • Exchange: Aggressive Mode
      • DH Group: Group 2
      • Encryption: AES-128
      • Authentication: SHA1
      • Lifetime (seconds): 86400
    • IKE (Phase 2) Proposal
      • Protocol: ESP
      • Encryption: NONE (ESP with null encryption: the payload is authenticated by the Phase 2 hash but not encrypted)
      • Authentication: MD5
      • DH Group: Group 2
      • Life Time (seconds): 28800
  6. In the Advanced tab, complete the following:
    • Select Enable Keep Alive.
    • VPN Policy bound to: Select Zone WAN.
    • Select Preempt Secondary Gateway.
    • Primary Gateway Detection Interval (seconds): Enter 28800.
  7. Click OK.

Enable DPD, Packet Fragmenting, and NAT Traversal

Navigate to VPN > Advanced, and do the following:

  1. Select Enable IKE Dead Peer Detection and set the following:
    • Dead Peer Detection Interval: 60 seconds
    • Failure Trigger Level: 3 missed heartbeats
  2. Select Enable Fragmented Packet Handling and Ignore DF (Don’t Fragment) Bit.
  3. Select Enable NAT Traversal.
  4. Select Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP address.
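As an added illustration that is not part of the Zscaler or SonicWall documentation, the following Python model replays the DPD, Preempt Secondary Gateway and Primary Gateway Detection Interval values from the steps above against a constructed primary-gateway outage, so you can see how long traffic stays on the backup ZEN. The assumption that heartbeats and primary probes fire on fixed ticks is a simplification of the firewall's real scheduler.

```python
from dataclasses import dataclass

# Values taken from the configuration steps above.
DPD_INTERVAL_S = 60            # Dead Peer Detection Interval
FAILURE_TRIGGER = 3            # Failure Trigger Level (missed heartbeats)
PRIMARY_DETECT_S = 28800       # Primary Gateway Detection Interval
PRIMARY = "10.10.104.71"       # IPsec Primary Gateway
SECONDARY = "10.10.104.235"    # IPsec Secondary Gateway


@dataclass
class Outage:
    """Constructed outage window [start, end) in seconds for one gateway."""
    gateway: str
    start: int
    end: int

    def covers(self, t: int) -> bool:
        return self.start <= t < self.end


def peer_alive(gateway: str, t: int, outages: list) -> bool:
    """True if no outage window covers gateway at time t."""
    return not any(o.gateway == gateway and o.covers(t) for o in outages)


def worst_case_detection_s() -> int:
    """Longest time a dead primary can go unnoticed with these settings."""
    return DPD_INTERVAL_S * FAILURE_TRIGGER


def simulate(outages: list, duration_s: int, preempt: bool = True) -> list:
    """Return (time, event, gateway) transitions over duration_s seconds.

    One DPD heartbeat goes to the active peer every DPD_INTERVAL_S
    (assumed fixed ticks); FAILURE_TRIGGER consecutive misses flips the
    policy to the other gateway. While on the secondary, the primary is
    probed every PRIMARY_DETECT_S and, with preempt set, traffic moves
    back on the first successful probe.
    """
    active, missed, events, last_probe = PRIMARY, 0, [], 0
    for t in range(DPD_INTERVAL_S, duration_s + 1, DPD_INTERVAL_S):
        missed = 0 if peer_alive(active, t, outages) else missed + 1
        if missed >= FAILURE_TRIGGER:
            active = SECONDARY if active == PRIMARY else PRIMARY
            missed, last_probe = 0, t
            events.append((t, "failover", active))
        elif preempt and active == SECONDARY and t - last_probe >= PRIMARY_DETECT_S:
            last_probe = t
            if peer_alive(PRIMARY, t, outages):
                active, missed = PRIMARY, 0
                events.append((t, "preempt", active))
    return events
```

With the constructed outage below, the primary is back at 40000 s but traffic only returns at the next 28800 s probe, which is the behaviour the Primary Gateway Detection Interval setting controls.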

After you complete the configuration, you can monitor the status of the tunnel and view packet-level statistics by navigating to VPN > Settings.

Screenshot of the VPN settings in the SonicWall UI.

Troubleshooting

To troubleshoot your configuration:

  • Verify that the default route is configured properly so traffic can reach the Zscaler ZENs.
  • If the tunnel goes down, click Renegotiate as shown in the following figure:

Screenshot of the Renegotiate button in the VPN settings page.