Site to Site VPN between a SonicWall firewall and a Cisco IOS device
10/14/2021 1,307 People found this article helpful 500,722 Views
Description
This technote describes a Site-to-site vpn setup between a SonicWall UTM device and a Cisco device running Cisco IOS using IKE.
SonicWall has tested VPN interoperability with Cisco IOS SonicOS Standard and Enhanced using the following VPN Security Association information.
- Keying Mode: IKE
- IKE Mode: Main Mode with No PFS (perfect forward secrecy)
- SA Authentication Method: Pre-Shared key
- Keying Group: DH (Diffie Hellman) – Group 1
- ID_Type: IP
- Encryption and Data Integrity: ESP DES with MD5
- ESP 3DES with MD5
- ESP DES with SHA1
- ESP 3DES with SHA1
EXAMPLE: The network configuration shown below is used in the example VPN configuration. The example will configure a VPN using 3DES encryption with MD5 and without PFS.
SonicWall
WAN: IP 10.0.31.102
LAN: 192.168.170.1/24
Cisco IOS
WAN: 10.0.31.132
LAN: IP 192.168.132.1/24
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
SonicWall Configuration
First, on the SonicWall, you must create an address object for the remote network.
- Log into the SonicWall.
- Navigate to Manage | Objects | Address Objects.
- Create a new Address Object for the network on the Cisco end you wish to reach (Cisco LAN).
Next, on the SonicWall you must create an SA.
- Navigate to Manage |VPN | Base Settings.
- Ensure that Enable VPN is selected.
- Click Add.
- Select authentication method to IKE using pre-shared secret.
- Name the SA, in this example CiscoIOS.
- Enter the WAN IP of the Cisco for IPSec Primary Gateway Name or Address.
- Enter your shared secret, EXAMPLE:password.
- Select the Network tab.
- Select Lan Subnets for local networks from the drop down box.
- Select the address object previously created for the destination network (CiscoNetwork).
- Select the Proposals tab.
- Change DH group under IKE Phase 1 to Group 1.
- Change authentication for IKE Phase 1 to MD5.
- Change the authentication for IPSec Phase 2 to MD5.
- Do not enable Perfect Forward Secrecy.
- Select Advanced tab.
- Ensure that keep alive is enabled on only one end of the tunnel.
- Select Enable Windows Networking (NetBIOS) Broadcast if you would like to pass NetBIOS across the VPN.
COMMANDS FOR CISCO IOS
Do not forget to issue the command “write memory” or “copy running-config startup-config” when configuration is complete.
Task: Set ACCESS LIST
Command:Access-list 101 permit ip 192.168.132.0 0.0.0.255 192.168.170.0 0.0.0.255
Description: Specify the inside and destination networks. This permits the IP network traffic you want to protect to pass through the router.
Task: Define IKE parameters
Command:crypto isakmp policy 15
Description: Identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) (This command puts you into the config-isakmp command mode).
Command:encryption 3des
Description: To specify the encryption algorithm.
Command:hash md5
Description: To specify the hash algorithm.
Command:authentication pre-share
Description: To specify the authentication.
Command:group 1
Description: To specify the Diffe-Hellman group identifier.
Command:lifetime 28800
Description: Specify the security association’s lifetime.
Command:exit
Description: To exit the config-isakmp command mode.
Command:crypto isakmp key password address 10.0.31.102
Description: To configure a pre-shared authentication key. In this case the pre-shared secret is password.
Task: Define IPSEC parameters
Command:crypto ipsec transform-set strong esp-3des esp-md5-hmac
Description: Configure a transform-set. This identifies the encryption and authentication methods you want to use.
Command:crypto map to SonicWall 15 ipsec-isakmp
Description: Create a crypto map that binds together elements of the IPSec configuration. (This command puts you into the crypto map command mode).
Command:match address 101
Description: To specify an extended access list for a crypto map entry.
Command:set transform-set strong
Description: To specify which transform sets can be used with the crypto map entry.
Command:set peer 10.0.31.102
Description: To specify an IPSec peer in a crypto map entry.
Command:exit
Description: To exit the crypto map command mode.
Task: Apply Crypto Map to an Interface
Command:interface fastethernet0/1
Description: Specify an interface on which to apply the crypto map. (This command puts you into the interface command mode).
NOTE: You need to specify the interface that you have defined as external (your WAN interface).
Command:crypto map to SonicWall
Description: Apply the previously defined crypto map set to an interface.
Command:exit
Description: Exit the interface command mode.
Command:exit
Description: Exit the global configuration mode.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
SonicWall Configuration
First, on the SonicWall, you must create an address object for the remote network.
- Log into the SonicWall.
- Navigate to Network|Address Objects.
- Create a new Address Object for the network on the Cisco end you wish to reach (Cisco LAN).
Next, on the SonicWall you must create an SA.
- Navigate to VPN|Settings (default view for VPN).
- Ensure that Enable VPN is selected.
- Click Add.
- Change the Authentication Method to IKE using pre-shared secret.
- Name the SA, in this example CiscoIOS.
- Enter the WAN IP of the Cisco for IPSec Primary Gateway Name or Address.
- Enter your shared secret, EXAMPLE: password.
- Select the Network tab.
- Select Lan Subnets for local networks from the drop down box.
- Select the address object previously created for the destination network.
- Select the Proposals tab.
- Change DH group under IKE Phase 1 to Group 1.
- Change authentication for IKE Phase 1 to MD5.
- Change the authentication for IPSec Phase 2 to MD5.
- Do not enable Perfect Forward Secrecy.
- Select Advanced tab.
- Ensure that keep alive is enabled on only one end of the tunnel.
- Select Enable Windows Networking (NetBIOS) Broadcast if you would like to pass NetBIOS across the VPN.
COMMANDS FOR CISCO IOS
Do not forget to issue the command write memory or copy running-config startup-config when configuration is complete.
Task: Set ACCESS LIST
Command: Access-list 101 permit ip 192.168.132.0 0.0.0.255 192.168.170.0 0.0.0.255
Description: Specify the inside and destination networks. This permits the IP network traffic you want to protect to pass through the router.
Task: Define IKE parameters
Command:crypto isakmp policy 15
Description: Identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) (This command puts you into the config-isakmp command mode).
Command:encryption 3des
Description: To specify the encryption algorithm.
Command:hash md5
Description: To specify the hash algorithm.
Command:authentication pre-share
Description: To specify the authentication.
Command:group 1
Description: To specify the Diffe-Hellman group identifier.
Command:lifetime 28800
Description: Specify the security association’s lifetime.
Command:exit
Description: To exit the config-isakmp command mode.
Command:crypto isakmp key password address 10.0.31.102
Description: To configure a pre-shared authentication key. In this case the pre-shared secret is password.
Task: Define IPSEC parameters
Command:crypto ipsec transform-set strong esp-3des esp-md5-hmac
Description: Configure a transform-set. This identifies the encryption and authentication methods you want to use.
Command: crypto map to SonicWall 15 ipsec-isakmp
Description: Create a crypto map that binds together elements of the IPSec configuration. (This command puts you into the crypto map command mode.)
Command:match address 101
Description: To specify an extended access list for a crypto map entry.
Command:set transform-set strong
Description: To specify which transform sets can be used with the crypto map entry.
Command:set peer 10.0.31.102
Description: To specify an IPSec peer in a crypto map entry.
Command:exit
Description: To exit the crypto map command mode.
Task: Apply Crypto Map to an Interface
Command:interface fastethernet0/1
Description: Specify an interface on which to apply the crypto map. (This command puts you into the interface command mode).
NOTE: You need to specify the interface that you have defined as external (your WAN interface).
Command:crypto map to SonicWall
Description: Apply the previously defined crypto map set to an interface.
Command:exit
Description: Exit the interface command mode.
Command:exit
Description: Exit the global configuration mode.
Related Articles
Categories