How can I setup Site to Site VPN with IKE2 Dynamic client Proposal?
10/12/2022 879 People found this article helpful 497,722 Views
Description
SonicOS provides IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes globally rather than configure these IKE Proposal settings on an individual policy basis. This scenario could be used while one site has dynamic WAN IP address.
On the other site, "IPSec Primary Gateway Name or Address" in the VPN policy General tab will be filled in "0.0.0.0" or left blank.
Resolution
Configuration on the Central Office (Static WAN IP address)
- Central location network configuration
LAN Subnet: 192.168.136.0
Subnet Mask: 255.255.255.0
WAN IP: 10.103.193.114
Local IKE ID SonicWall Identifier: Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier)
Creating Address Object for remote Site
- Login to the central location SonicWall appliance.
- Navigate to Manage | Policies |Objects | Address Objects page.
- At the top of the page and click Add button, enter the following settings.
- Name – Remote_Lan
- Zone – VPN
- Type – Network
- Network – 192.168.126.0
- Netmask – 255.255.255.0
- Click OK .
Configuring a VPN Policy
- Navigate to Manage | Connectivity | VPN | Base Settings.
- Check the box Enable VPN under Global VPN Settings.
- Click Add button under VPN Policies section. The VPN Policy window pops up.
General tab
Network tab
- Select Choose local network from list, and select the Address Object – X0 Subnet (LAN subnet).
- Select Choose destination network from list, and select the Address Object –Remote_Lan.
Proposals tab
- IKE (Phase 1) Proposal
- Exchange: IKEv2 Mode
- DH Group: Group 5
- Encryption: AES-256
- Authentication: SHA-512
- Life Time (seconds): 28800
NOTE:The menu "DH Group", "Encryption" and "Authentication" will be gray-out since "IPSec Primary Gateway Name or Address" in General tab is filled in "0.0.0.0" or leaved blank. And they will be configured in step (Configuring the IKEv2 Dynamic Client Proposal, below).
- IPSec (Phase 2) Proposal
- Protocol: ESP
- Encryption: 3DES
- Authentication: SHA1
- Enable Perfect Forward Secrecy(not checked)
Advanced tab
- Ensure that the VPN Policy bound to: Zone WAN.
- Click OK .
Configuring the IKEv2 Dynamic Client Proposal:
- Navigate to Manage | Connectivity | VPN | Advanced Settings.
- Check the Cconfiguration under IKEv2 Settings. The configuration window pops up.
- DH Group: Group 5
- Encryption: AES-256
- Authentication: SHA-512
- Click OK .
Configuration on the remote location (Dynamic WAN IP address)
Network Configuration
- LAN Subnet: 192.168.126.0.
- Subnet Mask: 255.255.255.0.
- WAN IP: DHCP (As this is a Dynamic IP Address).
- Local IKE ID SonicWall Identifier: San Jose (This has to match the central location VPN'sPeer IKE ID SonicWall Identifier).
Creating Address Object for remote site
- Login to the Remote location SonicWall appliance.
- Navigate to Manage | Policies |Objects | Address Objects page.
- Scroll down to the bottom of the page and click on Add button, enter the following settings.
- Name – Central_Lan.
- Zone – VPN.
- Type – Network.
- Network – 192.168.136.0.
- Netmask – 255.255.255.0.
- Click OK
Configuration VPN Policy
- Navigate to Manage | Connectivity | VPN | Base Settings.
- Check the box Enable VPN under Global VPN Settings.
- Click on the Add button under the VPN Policies section. The VPN Policy window pops up.
General tab
- Select the Authentication method as IKE Using Preshared Secret.
- Name: To_Central_Office.
- IPSec Primary Gateway Name or Address: 10.103.193.114.
- IPSec Secondary Gateway Name or Address: 0.0.0.0.
- Shared Secret: SonicWall.
- Local IKE ID: SonicWall Identifier - San Jose (This has to match the central location VPN's Peer IKE ID SonicWall Identifier).
- Peer IKE ID: SonicWall Identifier – Shanghai (This has to match the central location VPN's Local IKE ID SonicWall Identifier).
Network tab
- Select Choose local network from list, and select the Address Object – LAN Primary Subnet.
- Select Choose destination network from list, and select the Address Object – Central_Lan.
Proposals tab
- IKE (Phase 1) Proposal..
- Exchange: IKEv2Mode.
- DH Group: Group 5.
- Encryption: AES-256.
- Authentication: SHA-512.
- Life Time (seconds): 28800 .
- IPSec (Phase 2) Proposal.
- Protocol: ESP.
- Encryption: 3DES .
- Authentication: SHA1.
- Enable Perfect Forward Secrecy (not checked).
Advanced tab
- Enable Keep Alive box should be checked.
- VPN Policy bound to: Zone WAN.
- Click OK .
How to Test: From the remote location try to ping an IP address on the central location
NOTE: Before receiving successful replies, you might see couple of “Request Timed Out“ messages while the VPN tunnel is still establishing.
Related Articles
Categories
Was This Article Helpful?
YESNO