How can I setup Site to Site VPN with IKE2 Dynamic client Proposal?

10/12/2022 879 People found this article helpful 486,398 Views

Description

SonicOS provides IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes globally rather than configure these IKE Proposal settings on an individual policy basis. This scenario could be used while one site has dynamic WAN IP address.
On the other site, "IPSec Primary Gateway Name or Address" in the VPN policy General tab will be filled in "0.0.0.0" or left blank.

Resolution

Configuration on the Central Office (Static WAN IP address)

Central location network configuration
LAN Subnet: 192.168.136.0
Subnet Mask: 255.255.255.0
WAN IP: 10.103.193.114
Local IKE ID SonicWall Identifier: Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier)

Creating Address Object for remote Site

Login to the central location SonicWall appliance.
Navigate to Manage | Policies |Objects | Address Objects page.
At the top of the page and click Add button, enter the following settings.
- Name – Remote_Lan
- Zone – VPN
- Type – Network
- Network – 192.168.126.0
- Netmask – 255.255.255.0
Click OK .

Configuring a VPN Policy

Navigate to Manage | Connectivity | VPN | Base Settings.
Check the box Enable VPN under Global VPN Settings.
Click Add button under VPN Policies section. The VPN Policy window pops up.

General tab

Select the Authentication method as IKE Using Preshared Secret.
Name: To_Branch_Office.
IPSec Primary Gateway Name or Address: 0.0.0.0.

NOTE: Since the Remote WAN IP address changes frequently, it is recommended to use the 0.0.0.0 IP address as the Primary Gateway.
IPSec Secondary Gateway Name or Address: 0.0.0.0.
Shared Secret: SonicWall (The Shared Secret would be the same at both SonicWall’s).
Local IKE ID: SonicWall Identifier - Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier).
Peer IKE ID: SonicWall Identifier - San Jose (This could be any string except it has to match the remote location VPN's Local IKE ID SonicWall Identifier).

Network tab

Select Choose local network from list, and select the Address Object – X0 Subnet (LAN subnet).
Select Choose destination network from list, and select the Address Object –Remote_Lan.

Proposals tab

IKE (Phase 1) Proposal
Exchange: IKEv2 Mode
DH Group: Group 5
Encryption: AES-256
Authentication: SHA-512
Life Time (seconds): 28800

NOTE:The menu "DH Group", "Encryption" and "Authentication" will be gray-out since "IPSec Primary Gateway Name or Address" in General tab is filled in "0.0.0.0" or leaved blank. And they will be configured in step (Configuring the IKEv2 Dynamic Client Proposal, below).
IPSec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Secrecy(not checked)

Advanced tab

Ensure that the VPN Policy bound to: Zone WAN.
Click OK .

Configuring the IKEv2 Dynamic Client Proposal:

Navigate to Manage | Connectivity | VPN | Advanced Settings.
Check the Cconfiguration under IKEv2 Settings. The configuration window pops up.
- DH Group: Group 5
- Encryption: AES-256
- Authentication: SHA-512
Click OK .

Configuration on the remote location (Dynamic WAN IP address)

Network Configuration

LAN Subnet: 192.168.126.0.
Subnet Mask: 255.255.255.0.
WAN IP: DHCP (As this is a Dynamic IP Address).
Local IKE ID SonicWall Identifier: San Jose (This has to match the central location VPN'sPeer IKE ID SonicWall Identifier).

Creating Address Object for remote site

Login to the Remote location SonicWall appliance.
Navigate to Manage | Policies |Objects | Address Objects page.
Scroll down to the bottom of the page and click on Add button, enter the following settings.
- Name – Central_Lan.
- Zone – VPN.
- Type – Network.
- Network – 192.168.136.0.
- Netmask – 255.255.255.0.
Click OK

Configuration VPN Policy

Navigate to Manage | Connectivity | VPN | Base Settings.
Check the box Enable VPN under Global VPN Settings.
Click on the Add button under the VPN Policies section. The VPN Policy window pops up.

General tab

Select the Authentication method as IKE Using Preshared Secret.
Name: To_Central_Office.
IPSec Primary Gateway Name or Address: 10.103.193.114.
IPSec Secondary Gateway Name or Address: 0.0.0.0.
Shared Secret: SonicWall.
Local IKE ID: SonicWall Identifier - San Jose (This has to match the central location VPN's Peer IKE ID SonicWall Identifier).
Peer IKE ID: SonicWall Identifier – Shanghai (This has to match the central location VPN's Local IKE ID SonicWall Identifier).

Network tab

Select Choose local network from list, and select the Address Object – LAN Primary Subnet.
Select Choose destination network from list, and select the Address Object – Central_Lan.