This article guides you through configuring a Site-to-Site VPN between two SonicWall firewalls using Main Mode.
1. Create Address Objects for VPN subnet
– On the SonicWall interface, select Object at the top of the page.
– Go to Match Objects | Addresses and select Add.
– On TZ 670 (Site B)
– On TZ 570P (Site A)
2. Configure VPN policy on Site A
– Select Network at the top of the page.
– Go to IPSec VPN | Rules and Settings and select Add.
– In the VPN policy window, select General tab.
– Select IKE using Preshared Secret at the menu Authentication Method.
– Name the policy in section Name.
– Enter the WAN IP address of the remote site (in this example, the WAN address of the TZ 670) in IPSec Primary Gateway Name or Address.
– Enter the Shared Secret password in Shared Secret and Confirm Shared Secret. The Shared Secret must have at least 4 characters and include letters and numbers.
– Optionally, specify a Local IKE ID and Peer IKE ID for the policy. By default, the IP address is used for Main Mode and the SonicWall Identifier is used for Aggressive Mode.
– Move to Network tab.
– Under Local Networks, select the address object you want (e.g. LAN Subnet) from Choose local network from list.
– Under Remote Networks, select the address object (for example, TZ 670 VPN Network) from Choose destination network from list.
– Select Proposals tab.
– Under IKE (Phase 1) Proposal, select Main Mode from the Exchange menu.
– The default values for DH Group, Encryption, Authentication and Life Time are acceptable for most VPN configurations. Make sure the Phase 1 values on the other end of the tunnel are configured identically. You can also select AES-128, AES-192 or AES-256 from the Encryption menu instead of 3DES for stronger encryption.
– Under IPSec (Phase 2) Proposal, the default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, DH Group and Lifetime are acceptable for most VPN configurations. Make sure the Phase 2 values on both ends of the tunnel match.
– Select Advanced tab.
– Select Enable Keep Alive to use heartbeat messages between the peers on the VPN tunnel. If one end of the tunnel fails, Keep Alive allows the tunnel to be renegotiated automatically when both sides are reachable again.
– Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources through Windows Network Neighborhood.
– If you want to use the router on the LAN for traffic entering this tunnel that is destined for an unknown subnet (for example, if the other side is configured to use this VPN tunnel as its default path for all Internet traffic), enter your router's IP address in Default LAN Gateway (optional).
– Select an interface or zone from the VPN Policy bound to menu. The WAN zone is the preferred choice if you use WAN Load Balancing and want the VPN to be able to use either of the two WAN interfaces.
– Finally choose Save.
3. Configure VPN policy on Site B
– Select Network at the top of the page.
– Go to IPSec VPN | Rules and Settings and select Add.
– In the VPN policy window, select General tab.
– Select IKE using Preshared Secret at the menu Authentication Method.
– Name the policy in section Name.
– Enter the WAN IP address of the remote site (in this example, the WAN address of the TZ 570) in IPSec Primary Gateway Name or Address.
– Enter the Shared Secret password in Shared Secret and Confirm Shared Secret. The Shared Secret must have at least 4 characters and include letters and numbers.
– Move to Network tab.
– Under Local Networks, select the address object you want (e.g. LAN Subnet) from Choose local network from list.
– Under Remote Networks, select the address object (for example, TZ 570 VPN Network) from Choose destination network from list.
– Select Proposals tab.
– The Phase 1 and Phase 2 settings must be identical to those on Site A.
– Select Advanced tab.
– Select Enable Keep Alive to use heartbeat messages between the peers on the VPN tunnel. If one end of the tunnel fails, Keep Alive allows the tunnel to be renegotiated automatically when both sides are reachable again.
– Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources through Windows Network Neighborhood.
– If you want to use the router on the LAN for traffic entering this tunnel that is destined for an unknown subnet (for example, if the other side is configured to use this VPN tunnel as its default path for all Internet traffic), enter your router's IP address in Default LAN Gateway (optional).
– Select an interface or zone from the VPN Policy bound to menu. The WAN zone is the preferred choice if you use WAN Load Balancing and want the VPN to be able to use either of the two WAN interfaces.
– Finally choose Save.
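Both halves of the procedure above repeat the same rule: the Primary Gateway, local/remote networks, Shared Secret and the Phase 1 / Phase 2 proposals on the two firewalls must mirror each other, or the tunnel will not negotiate. The following added example (not SonicWall's own tooling) checks a pair of hand-written policy records for exactly those mismatches before you click Save; the WAN addresses, subnets and secret are constructed placeholders, and Site B carries two deliberate mistakes so the check has something to report.

```python
import re

# Constructed sample policies (placeholder addresses), as entered on each firewall.
SITE_A = {  # TZ 570P
    "wan_ip": "203.0.113.10", "primary_gateway": "198.51.100.20",
    "local_network": "10.10.0.0/24", "remote_network": "10.20.0.0/24",
    "phase1": {"exchange": "Main Mode", "dh_group": 14, "encryption": "AES-256",
               "authentication": "SHA256", "lifetime": 28800},
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "authentication": "SHA256",
               "pfs": True, "dh_group": 14, "lifetime": 28800},
    "shared_secret": "Tunnel2024Key",
}
SITE_B = {  # TZ 670; two deliberate mistakes: wrong remote subnet, PFS switched off
    "wan_ip": "198.51.100.20", "primary_gateway": "203.0.113.10",
    "local_network": "10.20.0.0/24", "remote_network": "10.10.1.0/24",
    "phase1": dict(SITE_A["phase1"]),
    "phase2": dict(SITE_A["phase2"], pfs=False),
    "shared_secret": "Tunnel2024Key",
}


def secret_ok(secret):
    """The guide's rule: at least 4 characters, containing both letters and digits."""
    return len(secret) >= 4 and bool(re.search(r"[A-Za-z]", secret)) and bool(re.search(r"\d", secret))


def check_pair(a, b):
    """Return a list of mismatches between the two ends of the tunnel (empty = consistent)."""
    problems = []
    for x, y, xn, yn in ((a, b, "A", "B"), (b, a, "B", "A")):
        # Each side's IPSec Primary Gateway must be the other side's WAN address.
        if x["primary_gateway"] != y["wan_ip"]:
            problems.append(f"Site {xn} primary gateway != Site {yn} WAN IP")
        # What one side calls its remote network must be the other side's local network.
        if x["remote_network"] != y["local_network"]:
            problems.append(f"Site {xn} remote network != Site {yn} local network")
        if not secret_ok(x["shared_secret"]):
            problems.append(f"Site {xn} shared secret fails the length/letters/digits rule")
    if a["shared_secret"] != b["shared_secret"]:
        problems.append("shared secrets differ")
    if a["phase1"].get("exchange") != "Main Mode":
        problems.append("Phase 1 exchange is not Main Mode")
    # Phase 1 and Phase 2 proposals must be identical on both ends, field by field.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    return problems
```

Running `check_pair(SITE_A, SITE_B)` reports the mismatched remote subnet on Site B and the PFS difference in Phase 2; once those two fields are corrected it returns an empty list.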
!!! Thank you for following the article!!!