How can I setup Site to Site VPN with IKE2 Dynamic client Proposal?

Description

SonicOS provides IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes globally rather than configure these IKE Proposal settings on an individual policy basis. This scenario could be used while one site has dynamic WAN IP address.
On the other site, "IPSec Primary Gateway Name or Address" in the VPN policy General tab will be filled in "0.0.0.0" or left blank.

Resolution

Configuration on the Central Office  (Static WAN IP address)

  • Central location network configuration 
    LAN Subnet: 192.168.136.0
    Subnet Mask: 255.255.255.0
    WAN IP: 10.103.193.114
    Local IKE ID SonicWall Identifier: Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier)
     

Creating Address Object for remote Site

  1. Login to the central location SonicWall appliance.
  2. Navigate to Manage | Policies |Objects | Address Objects page.
  3. At the top of the page and click Add button, enter the following settings. 

    • Name – Remote_Lan
    • Zone – VPN
    • Type – Network
    • Network – 192.168.126.0
    • Netmask – 255.255.255.0
  4. Click OK .
    Image

 

Configuring a VPN Policy 

  1. Navigate to  Manage | Connectivity | VPN Base Settings.
  2. Check the box Enable VPN under Global VPN Settings.
  3. Click  Add button under VPN Policies section. The VPN Policy window pops up.

 

General tab 

  • Select the Authentication method as IKE Using Preshared Secret.
  • Name: To_Branch_Office.
  • IPSec Primary Gateway Name or Address: 0.0.0.0.

    NOTE: Since the Remote WAN IP address changes frequently, it is recommended to use the 0.0.0.0 IP address as the Primary Gateway.

  • IPSec Secondary Gateway Name or Address: 0.0.0.0.
  • Shared Secret: SonicWall (The Shared Secret would be the same at both SonicWall’s).
  • Local IKE ID: SonicWall Identifier - Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier).
  • Peer IKE ID: SonicWall Identifier - San Jose (This could be any string except it has to match the remote location VPN's Local IKE ID SonicWall Identifier). Image



Network
 tab 

  • Select Choose local network from list, and select the Address Object – X0 Subnet (LAN subnet).
  • Select Choose destination network from list, and select the Address Object –Remote_Lan.
    Image

 


Proposals
 tab 

  • IKE (Phase 1) Proposal
  • Exchange:  IKEv2 Mode
  • DH Group: Group 5
  • Encryption: AES-256
  • Authentication: SHA-512
  • Life Time (seconds): 28800  

    NOTE:The menu "DH Group", "Encryption" and "Authentication" will be gray-out since "IPSec Primary Gateway Name or Address" in General tab is filled in "0.0.0.0" or leaved blank. And they will be configured in step (Configuring the IKEv2 Dynamic Client Proposal, below).

  • IPSec (Phase 2) Proposal
  • Protocol:  ESP
  • Encryption: 3DES 
  • Authentication: SHA1
  • Enable Perfect Forward Secrecy(not checked)
    Image

 

 

Advanced tab 

  • Ensure that the VPN Policy bound to: Zone WAN.
  • Click OK .
    Image



Configuring the IKEv2 Dynamic Client Proposal:


  1. Navigate to Manage | Connectivity | VPN | Advanced Settings.
  2. Check the Cconfiguration under IKEv2 Settings. The configuration window pops up.

    •  DH Group: Group 5
    • Encryption: AES-256 
    • Authentication: SHA-512
  3. Click OK .

    Image




Configuration on the remote location (Dynamic WAN IP address)
 
Network Configuration 

  • LAN Subnet: 192.168.126.0.
  • Subnet Mask: 255.255.255.0.
  • WAN IP: DHCP (As this is a Dynamic IP Address).
  • Local IKE ID SonicWall Identifier: San Jose (This has to match the central location VPN'sPeer IKE ID SonicWall Identifier).

     

Creating Address Object for remote site

  1. Login to the Remote location SonicWall appliance.
  2. Navigate to Manage | Policies |Objects | Address Objects page.
  3. Scroll down to the bottom of the page and click on Add button, enter the following settings.

    • Name – Central_Lan.
    • Zone – VPN.
    • Type – Network.
    • Network – 192.168.136.0.
    • Netmask – 255.255.255.0.
  4. Click OK 
    Image

 

Configuration VPN Policy
 

  1. Navigate to Manage | Connectivity | VPN | Base Settings.
  2. Check the box Enable VPN under Global VPN Settings.
  3. Click on the  Add  button under the VPN Policies section. The VPN Policy window pops up.
     

General tab 

  • Select the Authentication method as  IKE Using Preshared Secret.
  • Name: To_Central_Office.
  • IPSec Primary Gateway Name or Address: 10.103.193.114.
  • IPSec Secondary Gateway Name or Address: 0.0.0.0.
  • Shared Secret: SonicWall.
  • Local IKE ID: SonicWall Identifier - San Jose (This has to match the central location VPN's Peer IKE ID SonicWall Identifier).
  • Peer IKE ID: SonicWall Identifier – Shanghai (This has to match the central location VPN's Local IKE ID SonicWall Identifier).
    Image
     


Network
 tab 

  • Select Choose local network from list, and select the Address Object – LAN Primary Subnet.
  • Select Choose destination network from list, and select the Address Object – Central_Lan.
    Image

 

Proposals
 tab
 

  • IKE (Phase 1) Proposal..
  • Exchange: IKEv2Mode.
  • DH Group:  Group 5.
  • Encryption: AES-256.
  • Authentication: SHA-512.
  • Life Time (seconds): 28800 .
  • IPSec (Phase 2) Proposal.
  • Protocol:  ESP.
  • Encryption: 3DES .
  • Authentication: SHA1.
  • Enable Perfect Forward Secrecy (not checked).
    Image

 

Advanced
 tab 

  • Enable Keep Alive box should be checked.
  • VPN Policy bound to: Zone WAN.
  • Click OK .
    Image

How to Test: From the remote location try to ping an IP address on the central location

NOTE: Before receiving successful replies, you might see couple of “Request Timed Out“ messages while the VPN tunnel is still establishing.

Related Articles

  • How to export and import connection profiles in NetExtender
    Read More
  • Unable access High availability idle device using monitoring IP address
    Read More
  • SSL Control enabled with "Detect Certificate signed by an Untrusted CA" causes Windows Update to fail.
    Read More
not finding your answers?
was this article helpful?