SonicOS/X 7 IPSec VPN

Technical Documentation>  Rules and Settings>  Adding a Tunnel Interface
Table of Contents

Adding a Tunnel Interface

Route-based VPN configuration is a two-step process:

  1. Create a Tunnel Interface. The cryptography suites used to secure the traffic between two end-points are defined in the Tunnel Interface.
  2. Create a static or dynamic route using Tunnel Interface.

The Tunnel Interface is created when a Policy of type Tunnel Interface is added for the remote gateway. The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is used as the source address of the tunneled packet.

To add a Tunnel Interface

  1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
  2. Select IPv4 or IPv6 as the IP Version option.

  3. Click +Add.

  4. On the General screen, select Tunnel Interface as the Policy Type. The options change.

  5. Select one the following for Authentication Method:

    • Manual Key
    • IKE using Preshared Secret (default)
    • IKE using 3rd Party Certificates
    • SonicWall Auto Provisioning Client
    • SonicWall Auto Provisioning Server

    The remaining fields in the General screen change depending on which option you select.

    For more information about the available selections, see:

  6. Click Proposals.

  7. Under IKE (Phase 1) Proposal, choose one of the following options from the Exchange drop-down menu:

    Main Mode Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
    Aggressive Mode Generally used when WAN addressing is dynamically assigned. Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
    IKEv2 Mode

    Causes all negotiation to happen through IKEv2 protocols, rather than using IKEv1 phases.

    If you select IKE v2 Mode, both ends of the VPN tunnel must use IKE v2. When selected, the DH Group, Encryption, and Authentication fields are disabled and cannot be defined.

  8. Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.

    Be sure the Phase 1 values on the opposite side of the tunnel are configured to match.

    1. For the DH Group, when in Main Mode or Aggressive Mode, you can select from several Diffie-Hellman exchanges:

      Diffie-Hellman Groups Included in Suite B Cryptography Other Diffie-Hellman Options
      256-bit Random ECP Group Group 1
      384-bit Random ECP Group Group 2
      521-bit Random ECP Group Group 5
      192-bit Random ECP Group Group 14
      224-bit Random ECP Group  
    2. For the Encryption field, if Main Mode or Aggressive Mode was selected, choose DES, 3DES, AES-128 (default), AES-192, or AES-256 from the drop-down menu.
    3. For the Authentication field, if Main Mode or Aggressive Mode was selected, choose SHA-1 (default), MD5, SHA256, SHA384, or SHA512 for enhanced authentication security.
    4. For all Exchange modes, enter a value for Life Time (seconds). The default setting of 28800 forces the tunnel to renegotiate and exchange keys every eight hours.

  9. Set the options in the IPsec (Phase 2) Proposal section. The default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, and Life Time (seconds) are acceptable for most VPN SA configurations.

    Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.

    1. In the Protocol field, select ESP or AH.

    2. In the Encryption field, if you selected ESP in the Protocol field, you can select from six encryption algorithms that are included in Suite B cryptography:

      Suite B Cryptography Options Other Options
      AESGCM16-128 DES
      AESGCM16-192 3DES
      AESGCM16-256 AES-128
      AESGMAC-128 AES-192
      AESGMAC-192 AES-256
      AESGMAC-256 None

      If you selected AH in the Protocol field, the Encryption field is disabled, and you cannot select any options.

    3. In the Authentication field, select the authentication method from the drop-down menu:

      • MD5
      • SHA1 (default)
      • SHA256
      • SHA384
      • SHA512
      • AES-XCBC

    4. Select Enable Perfect Forward Secrecy if you want added security.

    5. Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

  10. Click Advanced.

  11. The following advanced options can be configured; by default, none are selected:

    Advanced Settings
    Options Main Mode or Aggressive Mode IKEv2 Mode
    Enable Keep Alive Cannot be selected for a route-based interface. Cannot be selected for a route-based interface.
    Disable IPsec Anti-Replay Anti-replay is a form of partial sequence integrity and it detects arrival of duplicate IP datagrams (within a constrained window) Anti-replay is a form of partial sequence integrity and it detects arrival of duplicate IP datagrams (within a constrained window)
    Allow Advanced Routing Adds this Tunnel Interface to the list of interfaces in the Routing Protocols table on the NETWORK | System > Dynamic Routing page. Adds this Tunnel Interface to the list of interfaces in the Routing Protocols table on the NETWORK | System > Dynamic Routing page.
      NOTE: This option must be selected if the Tunnel Interface is to be used for advanced routing (RIP, OSPF). Making this an optional setting avoids adding all Tunnel Interfaces to the Routing Protocols table, which helps streamline the routing configuration.
    Enable Transport Mode This option is used to protect packets that are already encapsulated by another tunneling protocol such as Generic Routing Encapsulation (GRE). It encrypts only the payload and ESP trailer, so the IP header of the original packet is not encrypted. Not available for IKEv2 Mode.
    Enable Windows Networking (NetBIOS) Broadcast Select to allow access to remote network resources by browsing the Windows Network Neighborhood. Select to allow access to remote network resources by browsing the Windows Network Neighborhood.
    Enable Multicast Select to allow multicasting traffic, such as streaming audio (including VoIP) and video application, to pass through the VPN tunnel. Select to allow multicasting traffic, such as streaming audio (including VoIP) and video application, to pass through the VPN tunnel.
    WXA Group Select None (default) or Group One. Select None (default) or Group One.
    Display Suite B Compliant Algorithms Only Select if you want to show only the Suite B compliant algorithms. Select if you want to show only the Suite B compliant algorithms.
    Apply NAT Policies

    Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus.

    Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.

    Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus.

    Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
    Management via this SA Select any of HTTPS, SSH, or SNMP for this option to manage the local SonicWall firewall through the VPN tunnel. Select any of HTTPS, SSH, or SNMP for this option to manage the local SonicWall firewall through the VPN tunnel.
    User login via this SA

    Select HTTP, HTTPS, or both to allow users to login using the SA.

    HTTP user login is not allowed with remote authentication.

    Select HTTP, HTTPS, or both to allow users to login using the SA.

    HTTP user login is not allowed with remote authentication.
    VPN Policy bound to

    Select an interface from the drop-down menu.

    Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.

    Select an interface from the drop-down menu.

    Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.
    IKEv2 Settings
    Options Main Mode or Aggressive Mode IKEv2 Mode
    Do not send trigger packet during IKE SA negotiation Not available Is not selected (default). It should only be selected when required for interoperability if the peer cannot handle trigger packets. The recommended practice is to include trigger packets to help the IKEv2 Responder select the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it might be appropriate to disable the inclusion of trigger packets to some IKE peers.
    Accept Hash & URL Certificate Type Not available Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, sends a message to the peer device saying that HTTP certification look-up is supported.
    Send Hash & URL Certificate Type Not available Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, responds to the message from the peer device and confirms HTTP certification look-up is supported.
  12. Click Save.

  13. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.