How to configure SonicWall VPN Auto Provisioning in SonicOS 6.2.7 and above
03/26/2020 18 People found this article helpful 487,915 Views
Description
From SonicOS release 6.2.7.0, SonicWall firewall introduces the VPN Auto Provisioning feature(a.k.a EasyVPN). This feature provides automatic VPN provisioning for box?to?box hub?and?spoke configurations. The user experience is similar to that seen when using SonicWall Global VPN Client to connect from a client machine to a firewall, in which none of the complexity is visible to the user
Resolution
Example Hub and Spoke Specifications
Auto Provisioning Client TZ400W at branch office will connect to an Auto Provisioning Server NSA3600 at the corporate headquarter. Review the specifications in the following table:
NSA3600 (AP Server, Hub) |
LAN Subnet |
192.168.136.0/24 |
|
WAN IP Address |
10.103.193.116 |
|
LAN PC1 IP Address |
192.168.136.1 |
|
|
|
TZ400w (AP Client, Spoke) |
LAN Subnet |
192.168.41.0/24 |
|
LAN PC2 IP Address |
192.168.41.65 |
Deployment Steps:
Step 1. Creating Address Objects for VPN subnets on NSA3600.
Step 2. Configuring an AP Server policy on SonicWall NSA3600.
Step 3. Configuring an AP Client policy on SonicWall TZ 400W.
Step 4. How to test this scenario.
Procedure:
To configure the VPN AP, follow the steps below:
Step 1: Creating Address Objects for VPN subnets on NSA3600
1. Login to the SonicWall Management Interface
2. Navigate to Network | Address Objects, click on ADD button.
3. Configure the Address Object as mentioned in the figure above, click OK when finished.
Step 2. Configuring an AP Server policy on SonicWall NSA3600
1. Navigate to VPN | Settings page. Click Add button. The VPN Policy window is displayed.
2. Click the General tab
- Select SonicWall Auto Provisioning Server from the Authentication Method menu.
- Enter a name for the policy in the Name field.
- Select Preshared Secret next to Authentication Method
- Enter a name for the VPN AP Client ID field. And this name should be as same as the one which defined in the NSA3600 corresponding VPN policy.
- Enter a Shared Secret password to be used to setup the Security Association the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters. Alternatively, you can check the box Use Default Provisioning Key to establish the initial Security Association and Auto Provisioning.
3. Click the Network tab
- Under Local Networks, select X0 Subnet from Allow Unauthenticated VPN AP Client Access menu.
- Under Remote Networks, select 400w_branch from Choose destination network from list menu.
4. Click Advanced button, then Proposals and tabs are displayed.
- You can leave all the values in Proposals tab as default. In Advanced tab choose the proper interface next to VPN Policy bound to if there are multiple WAN interfaces on the firewall.
- Click OK to apply the settings.
Note: To simplify auto-provisioning, parameter choices for Phase 1 have been limited. IKE Aggressive Mode is always used, the Phase 1 DH Group is always Group 5, the Phase 1 encryption algorithm is always AES-256, and SHA-1 is always used for the Phase 1 hash algorithm. Phase 2 does not need to be restricted other than allowing only ESP. The other parameters are automatically provisioned prior to Phase 2 establishment so there is no chance of configuration discrepancies between the VPN AP Server and Client.
Step 3. Configuring an AP Client policy on SonicWall TZ 400W.
1. Login to the appliance and navigate to VPN | Settings page and Click Add button. The VPN Policy window is displayed.
- Select SonicWall Auto Provisioning Server from the Authentication Method menu.
- Enter the name for the policy in the Name field.
- Enter the NSA3600's WAN IP address in the IPsec Primary Gateway Name or Address field
- Select Preshared Secret next to Authentication Method
- Enter a name for the VPN AP Client ID field. And this name should be as same as the one which defined in the TZ400W corresponding VPN policy.
- Enter a Shared Secret password to be used to setup the Security Association the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters. Alternatively, you can check the box Use Default Provisioning Key to establish the initial Security Association and Auto Provisioning.
- Click OK to apply the settings.
Step 4. How to test this scenario.
- From the Lan PC2 which behind AP client TZ400W, ping the Lan PC1 which behind AP server NSA3600.
Note: Traffic from AP Client to AP Server is a must to trigger the IKE phase 2 negotiation so that the IPSec VPN tunnel can be established whereafter.
- The IPSec VPN tunnel will be established and the ping result should be successful.
Related Articles
Categories