SonicWALL Security Appliances and Cisco VPN 3000 Series Concentrators


VPN Interoperability

Introduction

This Tech Note details how to configure a working VPN tunnel between a SonicWALL security appliance running SonicOS and a Cisco 3000-series VPN Concentrator (3005, 3015, 3020, 3030, 3060). The following deployment scenarios are covered:

1. SonicOS Standard to Cisco, both sides have static WAN IP address
2. SonicOS Enhanced to Cisco, both sides have static WAN IP address
3. SonicOS Standard to Cisco, SonicWALL has dynamically-obtained WAN IP address

For this Tech Note, a Cisco 3005 running 4.1.7 firmware, a SonicWALL TZ 170 running SonicOS Standard 3.1.0.1, a SonicWALL PRO 2040 running SonicOS Enhanced 3.1.0.1, and a SonicWALL TZ 170 running SonicOS Standard were used to validate all settings and configuration documented in this Tech Note. For the first two deployment scenarios, bidirectional negotiation was successful; in the third, negotiation from the SonicWALL to the Cisco was successful. In all cases, the tunnels remained up and passed traffic through multiple SA renegotiations (testing time was 72 hours).

Recommended Versions

- SonicOS Standard 3.1.0.1 or newer
- SonicOS Enhanced 3.1.0.1 or newer
- Cisco 3000-Series 4.1.7 or newer

Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days. Customers with a valid Cisco SmartNET support contract can obtain firmware for the Cisco 3000-series devices from Cisco's support Website.

Caveats

- Cisco and SonicWALL use incompatible methods of NAT Traversal, so this feature must be disabled on both sides.
- Cisco and SonicWALL use incompatible methods of IKE Dead Peer Detection, so this feature must be disabled on both sides.
- The LAN-to-LAN connector on the Cisco 3000-series does not accept fully-qualified domain names (FQDNs), nor does it accept 0.0.0.0 as an entry. This means that you must explicitly enter the static WAN IP address of the remote SonicWALL device, so the DDNS feature in SonicOS cannot be used to specify the remote SonicWALL's WAN address. If the SonicWALL has a dynamically-obtained WAN IP address, you must configure the Cisco 3000-series's Base Group connector; how to do so is covered in Scenario Three of this Tech Note.
- You cannot set the local or peer IKE IDs on the Cisco 3000-series device.
- You cannot specify Aggressive Mode when using the LAN-to-LAN connector on the Cisco 3000-series device.
- You cannot use the NetBIOS Broadcast feature of the SonicWALL security appliance across the VPN tunnel to the Cisco 3000-series device.
- You cannot use digital certificates during IKE negotiation between a Cisco 3000-series and SonicWALL device; only preshared key (PSK) is supported at this time.
- Use the keepalive feature on the SonicWALLs to keep the VPN tunnels permanently negotiated between both sides.

- If you have multiple subnets on your internal network that devices behind the remote SonicWALL security appliances will need to be able to reach, you will need to do two things: (1) make sure the internal network routes the SonicWALL's LAN-side subnets to the LAN interface of the Cisco 3000-series device, as this device is often placed inline or on a DMZ of an existing firewall, and (2) make sure to include these subnets as remote destination networks when configuring the VPN settings of the SonicWALL device. How to do so is covered in Scenarios Two and Three of this document.
- If either side is behind a NAT device, and the SonicWALL is running SonicOS Enhanced, make sure to adjust the appropriate local/peer ID to that of the WAN address.
- SonicWALL security appliances do not support Cisco's Reverse Route Injection and Network AutoDiscovery features for VPN tunnels.

Sample Network Diagram For All Three Deployment Scenarios

Figure 1 - Sample network for Cisco/SonicWALL VPN tunnel showing three deployment methods

Scenario One: SonicOS Standard to Cisco, both sides have static WAN IP address

This deployment method shows how to set up a VPN tunnel between a SonicWALL security appliance running SonicOS Standard 3.1.0.1 or newer and a Cisco VPN 3000 Series Concentrator running firmware 4.1.7 or newer. Both sides have statically-assigned WAN IP addresses and are negotiating multiple subnets across the VPN tunnel. The Cisco has two subnets behind the LAN interface and the SonicWALL has one subnet behind the LAN interface (the OPT port is not active and not configured).

Tasklist

- Enable VPN on SonicWALL (if it is not already)
- Disable NAT Traversal and IKE Dead Peer Detection on SonicWALL
- Create VPN tunnel to Cisco side on SonicWALL
- Create IKE entry to match SonicWALL settings on Cisco
- Create internal networks list on Cisco
- Disable NAT Traversal on Cisco
- Create VPN tunnel to SonicWALL side on Cisco
- Test VPN tunnel negotiation from each side
- Check each side's status screens for successful VPN tunnel negotiation

Before You Begin

As noted in the Recommended Versions section, SonicWALL recommends running SonicOS Standard 3.1.0.1 or newer on the SonicWALL security appliance. On the Cisco VPN 3000 Series concentrator, it is recommended that you run firmware 4.1.7 or newer, as some of the features detailed in this Tech Note were released with this version. For testing purposes, you may wish to place a management station or laptop behind the LAN interfaces of all sites. This will greatly aid successful testing/troubleshooting of the VPN configuration between the central and remote sites.

Setup Steps

SonicWALL Side

1. Log into the SonicWALL's management GUI, go to the VPN > Settings page, and make sure the checkbox next to Enable VPN is checked.

2. On the VPN > Advanced page, uncheck the boxes next to Enable NAT Traversal and Enable IKE Dead Peer Detection. Leave all other settings as-is. For an example, see Figure 2.

Figure 2 - SonicWALL VPN > Advanced settings page

3. On the VPN > Settings page, click on the Add button under the VPN Policies section. A pop-up window will appear. On this window's General tab, select IKE using Preshared Secret from the drop-down next to IPSec Keying Mode:, enter a name for the VPN tunnel in the field next to Name:, enter the Cisco's static WAN IP address or fully-qualified domain name (FQDN), and enter a complex shared secret in the field next to Shared Secret: (remember this, as you will need to enter it on the Cisco as well). Click on the Add button under Destination Networks and create entries for each subnet behind the Cisco. For an example, see Figure 3.

Figure 3 - VPN Settings General tab

4. Now click on the Proposals tab. For this Tech Note, we will be using the default settings of the SonicWALL, and adjusting the Cisco device to match. For an example, see Figure 4.

Figure 4 - VPN Settings Proposals tab

5. Now click on the Advanced tab. Check the boxes next to Enable Keep Alive and Try to bring up all possible Tunnels. Leave all other settings as-is. For an example, see Figure 5.

Figure 5 - VPN Settings Advanced tab

6. When done, click on the OK button to save and activate this VPN tunnel. In the next several steps, we'll configure the Cisco device, and then test VPN tunnel negotiation from both sides to ensure that both devices are configured correctly and traffic can successfully pass in both directions.

Cisco Side

7. Log into the Cisco's management GUI. Go to the Configuration > Tunneling and Security > IPSec > NAT Transparency page and uncheck the boxes next to IPSec over TCP and IPSec over NAT-T. For an example, see Figure 6.

Figure 6 - Cisco NAT Transparency settings

8. Go to the Configuration > Tunneling and Security > IPSec > IKE Proposals page and click on the Add button. Create a proposal named sonicwall, select Preshared Keys from the drop-down next to Authentication Mode, select SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the drop-down next to Encryption Algorithm, select Group 2 (1024-bits) from the drop-down next to Diffie-Hellman Group, select Time from the drop-down next to Lifetime Measurement, and enter 28800 in the field next to Time Lifetime. When done, click on the Apply button to save and activate this entry (NOTE: make sure to move this entry to the Active Proposals side of the IKE Proposals page). For an example, see Figure 7.

Figure 7 - Cisco IKE Proposals page

9. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named internal and populate it with the subnets behind the Cisco's LAN interface that the SonicWALL will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 8.

Figure 8 - Cisco Network Lists page

10. Go to the Configuration > Tunneling and Security > IPSec > LAN-to-LAN page and click on the Add button. On the page that appears, check the box next to Enable and give the entry a unique name in the field next to Name. Choose the Cisco's WAN interface from the drop-down next to Interface. Choose Bi-directional from the drop-down next to Connection Type. In the field next to Peers, enter the static WAN IP address of the SonicWALL security appliance (as noted previously, you can only enter a static IP address and not a FQDN or 0.0.0.0). Choose None (Use Preshared Keys) from the drop-down next to Digital Certificate. Enter the complex preshared key you created in Step 3 in the field next to Preshared Key. Choose ESP/SHA/HMAC-160 from the drop-down next to Authentication. Choose 3DES-168 from the drop-down next to Encryption. Choose sonicwall from the drop-down next to IKE Proposal. Leave the settings for Filter, IPSec NAT-T, Bandwidth Policy, and Routing as-is. For an example, see Figure 9.

Figure 9 - Cisco LAN-to-LAN page

11. On this same page, select internal from the drop-down next to the Local Network's Network List (or whatever you named it when you created it in a previous step). In the field next to IP address under Remote Network, enter the SonicWALL's LAN IP subnet, and enter its subnet mask, in wildcard form, in the field next to Wildcard Mask. When done, click on the Add button to save and activate this VPN tunnel. For an example, see Figure 10 below.

Figure 10 - Cisco LAN-to-LAN page, continued

Testing/Troubleshooting

From the management station on the Cisco side, attempt to ping the management station on the SonicWALL side. If not successful, review all steps above to ensure that the devices have been configured correctly. Once the tunnel is up successfully, log into the management GUIs of both devices. On the SonicWALL, go to the VPN > Settings page; you should see all subnets successfully negotiated under the Currently Active VPN Tunnels section of the page. On the Cisco, go to the Monitoring > Sessions page; you should see the LAN-to-LAN session enabled and active. For examples, see Figures 11 and 12.

Figure 11 - SonicWALL VPN status page showing active tunnels

Figure 12 - Cisco VPN status page showing active tunnels
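Steps 9 and 11 above are where the Cisco side is most often entered wrongly: the Network Lists page and the Remote Network fields of the LAN-to-LAN page take wildcard masks (0.0.0.255), not the subnet masks (255.255.255.0) that the SonicWALL's Destination Networks use, and a mismatched mask means the SonicWALL's proposed subnet never matches a Cisco entry, so Phase 2 fails or only some subnets come up. The following Python script is an added example, not SonicWALL or Cisco code: it converts the subnets the tunnel carries from CIDR into the network/wildcard form the Cisco GUI expects and audits already-typed entries for a subnet mask used in place of a wildcard mask. The sample subnets are constructed for illustration and are not the ones in the Tech Note's figures; the same conversion applies to the Network Lists steps of Scenarios Two and Three.

```python
"""Build Cisco VPN 3000 Network List and LAN-to-LAN Remote Network entries
from the subnets the tunnel carries, and audit typed entries for the common
subnet-mask-instead-of-wildcard mistake.

Added example, not SonicWALL or Cisco code.  Subnets below are constructed."""
import ipaddress

# Constructed sample topology, matching the shape of Scenario One: two subnets
# behind the Cisco LAN interface and one behind the SonicWALL LAN interface.
CISCO_LAN_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]
SONICWALL_LAN_SUBNET = "192.168.168.0/24"


def wildcard_mask(cidr):
    """Wildcard mask is the bitwise inverse of the subnet mask; the ipaddress
    module already exposes it as 'hostmask'."""
    return str(ipaddress.ip_network(cidr, strict=True).hostmask)


def network_list_entries(cidrs):
    """Entries for the Network Lists page (Step 9): one 'network/wildcard' per subnet."""
    return [f"{ipaddress.ip_network(c, strict=True).network_address}/{wildcard_mask(c)}"
            for c in cidrs]


def remote_network_fields(cidr):
    """The two fields under Remote Network on the LAN-to-LAN page (Step 11)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {"IP address": str(net.network_address), "Wildcard Mask": str(net.hostmask)}


def classify_mask(mask):
    """Distinguish a wildcard mask (zeros then ones, e.g. 0.0.0.255) from a
    subnet mask (ones then zeros, e.g. 255.255.255.0).  0.0.0.0 and
    255.255.255.255 are valid in either role and are reported as 'ambiguous';
    anything non-contiguous is 'invalid'."""
    bits = int(ipaddress.IPv4Address(mask))
    inv = bits ^ 0xFFFFFFFF
    is_wild = (bits & (bits + 1)) == 0      # low-order bits are a solid run of ones
    is_subnet = (inv & (inv + 1)) == 0      # high-order bits are a solid run of ones
    if is_wild and is_subnet:
        return "ambiguous"
    if is_wild:
        return "wildcard"
    if is_subnet:
        return "subnet-mask"
    return "invalid"


def audit_entries(entries):
    """Given 'network/mask' strings as typed into the Cisco GUI, return those
    whose mask is a subnet mask or is non-contiguous: these would not match the
    SonicWALL's destination networks during Phase 2."""
    bad = []
    for entry in entries:
        _, mask = entry.split("/")
        if classify_mask(mask) in ("subnet-mask", "invalid"):
            bad.append(entry)
    return bad


if __name__ == "__main__":
    print("internal list :", network_list_entries(CISCO_LAN_SUBNETS))
    print("remote network:", remote_network_fields(SONICWALL_LAN_SUBNET))
    # Constructed typo: first entry was typed with a subnet mask.
    print("typed wrong   :", audit_entries(["10.10.1.0/255.255.255.0",
                                             "10.10.2.0/0.0.0.255"]))
```

Run it before filling in the Cisco pages and paste the printed network/wildcard pairs; if you inherit a concentrator someone else configured, feed its existing list entries to audit_entries to find the ones that will silently fail to match.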

Scenario Two: SonicOS Enhanced to Cisco, both sides have static WAN IP address

This deployment method shows how to set up a VPN tunnel between a SonicWALL security appliance running SonicOS Enhanced 3.1.0.1 or newer and a Cisco VPN 3000 Series Concentrator running firmware 4.1.7 or newer. Both sides have statically-assigned WAN IP addresses and are negotiating multiple subnets across the VPN tunnel. The Cisco has two subnets behind the LAN interface and the SonicWALL has two subnets (one behind the LAN interface and one behind the DMZ interface).

Tasklist

- Enable VPN on SonicWALL (if it's not already)
- Disable NAT Traversal and IKE Dead Peer Detection on SonicWALL
- Create Address Objects for Cisco-side subnets on SonicWALL
- Create Address Group with Cisco-side subnets on SonicWALL
- Create VPN tunnel to Cisco side on SonicWALL
- Create IKE entry to match SonicWALL settings on Cisco
- Create internal/external networks lists on Cisco
- Disable NAT Traversal on Cisco
- Create VPN tunnel to SonicWALL side on Cisco
- Test VPN tunnel negotiation from each side
- Check each side's status screens for successful VPN tunnel negotiation

Before You Begin

As noted in the Recommended Versions section, SonicWALL recommends running SonicOS Enhanced 3.1.0.1 or newer on the SonicWALL security appliance. On the Cisco VPN 3000 Series concentrator, it is recommended that you run firmware 4.1.7 or newer, as some of the features detailed in this document were released with this version. For testing purposes, you may wish to place a management station or laptop behind the LAN interfaces of all sites. This will greatly aid successful testing/troubleshooting of the VPN configuration between the central and remote sites.

Setup Steps

SonicWALL Side

1. Log into the SonicWALL's management GUI, go to the VPN > Settings page, and make sure the checkbox next to Enable VPN is checked.

2. On the VPN > Advanced page, uncheck the boxes next to Enable IKE Dead Peer Detection and Enable NAT Traversal. Leave all other settings as-is. For an example, see Figure 13.

Figure 13 - SonicWALL VPN > Advanced settings

3. On the Network > Address Objects page, go to the bottom of the page and click on the Add button. Create two address objects, one for each subnet behind the Cisco, and name them cisco_subnet_one and cisco_subnet_two. For both objects, select VPN from the drop-down next to Zone Assignment:, and select Network from the drop-down next to Type:. In the fields next to Network: and Mask:, enter the subnet and mask information for the two subnets behind the Cisco. When done, click on the OK button to save and activate the entries. For an example, see Figure 14.

Figure 14 - SonicWALL Network > Address Objects for Cisco subnets

4. On the Network > Address Objects page, go to the top of the page and click on the Add Group button. In the field next to Name:, enter cisco_subnets. From the pane on the left, move cisco_subnet_one and cisco_subnet_two to the right pane. When done, click on the OK button to save and activate the group. For an example, see Figure 15.

Figure 15 - SonicWALL Network > Address Objects group for Cisco subnets

5. On the VPN > Settings page, click on the Add button under the VPN Policies section. A pop-up window will appear. On this window's General tab, select IKE using Preshared Secret from the drop-down next to IPSec Keying Mode:, enter a name for the VPN tunnel in the field next to Name:, enter the Cisco's static WAN IP address or fully-qualified domain name (FQDN), and enter a complex shared secret in the field next to Shared Secret: (remember this, as you will need to enter it on the Cisco as well). Leave all other settings as-is. For an example, see Figure 16.

Figure 16 - SonicWALL VPN General tab

6. Now click on the Network tab. From the drop-down next to Choose local network from list, select Firewalled Subnets. From the drop-down next to Choose destination network from list, select cisco_subnets. For an example, see Figure 17.

Figure 17 - SonicWALL VPN Network tab

7. Now click on the Proposals tab. For this Tech Note, we will be using the default settings of the SonicWALL, and adjusting the Cisco device to match. For an example, see Figure 18.

Figure 18 - SonicWALL VPN Proposals tab

8. Now click on the Advanced tab. Check the box next to Enable Keep Alive. Check the boxes next to HTTP and HTTPS next to Management via this SA. Leave all other settings as-is. For an example, see Figure 19.

Figure 19 - SonicWALL VPN Advanced tab

9. When done, click on the OK button to save and activate this VPN tunnel. In the next several steps, we'll configure the Cisco device, and then test VPN tunnel negotiation from both sides to ensure that both devices are configured correctly and traffic can successfully pass in both directions.

Cisco Side

10. Log into the Cisco's management GUI. Go to the Configuration > Tunneling and Security > IPSec > NAT Transparency page and uncheck the boxes next to IPSec over TCP and IPSec over NAT-T. For an example, see Figure 20.

Figure 20 - Cisco NAT Transparency page

11. Go to the Configuration > Tunneling and Security > IPSec > IKE Proposals page and click on the Add button. Create a proposal named sonicwall, select Preshared Keys from the drop-down next to Authentication Mode, select SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the drop-down next to Encryption Algorithm, select Group 2 (1024-bits) from the drop-down next to Diffie-Hellman Group, select Time from the drop-down next to Lifetime Measurement, and enter 28800 in the field next to Time Lifetime. When done, click on the Apply button to save and activate this entry (NOTE: make sure to move this entry to the Active Proposals side of the IKE Proposals page). For an example, see Figure 21.

Figure 21 - Cisco IKE Proposals page

12. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named internal and populate it with the subnets behind the Cisco's LAN interface that the SonicWALL will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 22.

Figure 22 - Cisco Network Lists page

13. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named pro2040_subnets and populate it with the subnets behind the SonicWALL that the Cisco will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 23.

Figure 23 - Cisco Network Lists page

14. Go to the Configuration > Tunneling and Security > IPSec > LAN-to-LAN page and click on the Add button. On the page that appears, check the box next to Enable and give the entry a unique name in the field next to Name. Choose the Cisco's WAN interface from the drop-down next to Interface. Choose Bi-directional from the drop-down next to Connection Type. In the field next to Peers, enter the static WAN IP address of the SonicWALL security appliance (as noted previously, you can only enter a static IP address and not a FQDN or 0.0.0.0). Choose None (Use Preshared Keys) from the drop-down next to Digital Certificate. Enter the complex preshared key you created in Step 3 in the field next to Preshared Key. Choose ESP/SHA/HMAC-160 from the drop-down next to Authentication. Choose 3DES-168 from the drop-down next to Encryption. Choose sonicwall from the drop-down next to IKE Proposal. Leave the settings for Filter, IPSec NAT-T, Bandwidth Policy, and Routing as-is. For an example, see Figure 24.

Figure 24 - Cisco LAN-to-LAN page

15. On this same page, select internal from the drop-down next to the Local Network's Network List (or whatever you named it when you created it in a previous step). In the field next to IP address under Remote Network, enter the SonicWALL's LAN IP subnet, and enter its subnet mask, in wildcard form, in the field next to Wildcard Mask. When done, click on the Add button to save and activate this VPN tunnel. For an example, see Figure 25.

Figure 25 - Cisco LAN-to-LAN page, continued

Testing/Troubleshooting

From the management station on the Cisco side, attempt to ping the management station on the SonicWALL side. If not successful, review all steps above to ensure that the devices have been configured correctly. Once the tunnel is up successfully, log into the management GUIs of both devices. On the SonicWALL, go to the VPN > Settings page; you should see all subnets successfully negotiated under the Currently Active VPN Tunnels section of the page. On the Cisco, go to the Monitoring > Sessions page; you should see the LAN-to-LAN session enabled and active. For examples, see Figures 26 and 27.

Figure 26 - SonicWALL VPN status page showing active VPN tunnels

Figure 27 - Cisco VPN status page showing active VPN tunnels

Scenario Three: SonicOS Standard to Cisco, SonicWALL has dynamic WAN IP address

This deployment method shows how to set up a VPN tunnel between a SonicWALL security appliance running SonicOS Standard 3.1.0.1 or newer and a Cisco VPN 3000 Series Concentrator running firmware 4.1.7 or newer. In this scenario, the SonicWALL security appliance has a dynamic WAN IP address (via DHCP, PPPoE, L2TP, PPTP). As noted, the LAN-to-LAN connector in the Cisco VPN 3000 Concentrator cannot be configured with a FQDN or with 0.0.0.0; because of this, it is not possible to set up a LAN-to-LAN connection with a remote device whose WAN IP address changes on a frequent basis. It is also not possible to initiate a VPN tunnel from the Cisco device to any remote device whose WAN IP address is obtained dynamically. The Cisco must be configured to accept the remote device's incoming VPN connections through the Base Group connector, which is normally used to accept incoming Cisco VPN Client connections. The following section will detail how to do so. Both sides are negotiating multiple subnets across the VPN tunnel. The Cisco has two subnets behind the LAN interface and the SonicWALL has two subnets (one behind the LAN interface and one behind the OPT interface).

Tasklist

- Enable VPN on SonicWALL (if it's not already)
- Disable NAT Traversal and IKE Dead Peer Detection on SonicWALL
- Create VPN tunnel to Cisco side on SonicWALL
- Create IKE entry to match SonicWALL settings on Cisco
- Create SA entry on Cisco
- Create internal networks list on Cisco
- Disable NAT Traversal on Cisco
- Create VPN tunnel to SonicWALL side on Cisco via Base Group
- Test VPN tunnel negotiation from each side
- Check each side's status screens for successful VPN tunnel negotiation

Before You Begin

As noted in the Recommended Versions section, SonicWALL recommends running SonicOS Standard 3.1.0.1 or newer on the SonicWALL security appliance. On the Cisco VPN 3000 Series concentrator, it is recommended that you run firmware 4.1.7 or newer, as some of the features detailed in this Tech Note were released with this version. For testing purposes, you may wish to place a management station or laptop behind the LAN interfaces of all sites. This will greatly aid successful testing/troubleshooting of the VPN configuration between the central and remote sites.

Setup Steps

SonicWALL Side

1. Log into the SonicWALL's management GUI, go to the VPN > Settings page, and make sure the checkbox next to Enable VPN is checked.

2. On the VPN > Advanced page, uncheck the boxes next to Enable IKE Dead Peer Detection and Enable NAT Traversal. Leave all other settings as-is. For an example, see Figure 28.

Figure 28 - SonicWALL VPN > Advanced settings

3. On the VPN > Settings page, click on the Add button under the VPN Policies section. A pop-up window will appear. On this window's General tab, select IKE using Preshared Secret from the drop-down next to IPSec Keying Mode:, enter a name for the VPN tunnel in the field next to Name:, enter the Cisco's static WAN IP address or fully-qualified domain name (FQDN), and enter a complex shared secret in the field next to Shared Secret: (remember this, as you will need to enter it on the Cisco as well). Click on the Add button under Destination Networks and create entries for each subnet behind the Cisco. For an example, see Figure 29.

Figure 29 - SonicWALL VPN General tab

4. Now click on the Proposals tab. For this Tech Note, we will be using the default settings of the SonicWALL, and adjusting the Cisco device to match. For an example, see Figure 30.

Figure 30 - SonicWALL VPN Proposals tab

5. Now click on the Advanced tab. Check the boxes next to Enable Keep Alive and Try to bring up all possible Tunnels. Select the radio button next to LAN/OPT under the VPN Terminated At: section. Leave all other settings as-is. For an example, see Figure 31.

Figure 31 - SonicWALL Advanced tab

6. When done, click on the OK button to save and activate this VPN tunnel. In the next several steps, we'll configure the Cisco device, and then test VPN tunnel negotiation from both sides to ensure that both devices are configured correctly and traffic can successfully pass in both directions.

Cisco Side

7. Log into the Cisco's management GUI. Go to the Configuration > Tunneling and Security > IPSec > NAT Transparency page and uncheck the boxes next to IPSec over TCP and IPSec over NAT-T. For an example, see Figure 32.

Figure 32 - Cisco NAT Transparency page

8. Go to the Configuration > Tunneling and Security > IPSec > IKE Proposals page and click on the Add button. Create a proposal named sonicwall, select Preshared Keys from the drop-down next to Authentication Mode, select SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the drop-down next to Encryption Algorithm, select Group 2 (1024-bits) from the drop-down next to Diffie-Hellman Group, select Time from the drop-down next to Lifetime Measurement, and enter 28800 in the field next to Time Lifetime. When done, click on the Apply button to save and activate this entry (NOTE: make sure to move this entry to the Active Proposals side of the IKE Proposals page). For an example, see Figure 33.

Figure 33 - Cisco IKE Proposals page

9. Go to the Configuration > Policy Management > Traffic Management > Security Associations page and click on the Add button. Create a SA named sonicwall, select From Rule from the drop-down next to Inheritance, select ESP/SHA/HMAC-160 from the drop-down next to Authentication Algorithm, select 3DES-168 from the drop-down next to Encapsulation Mode, select Disabled from the drop-down next to Perfect Forward Secrecy, select Time from the drop-down next to Lifetime Measurement, enter 28800 in the field next to Time Lifetime, and select sonicwall from the drop-down next to IKE Proposal. Leave all other settings as-is. When you are done, click on the Apply button to save and activate the SA. For an example, see Figure 34.

Figure 34 - Cisco Security Associations page

10. Go to the Configuration > Policy Management > Traffic Management > Network Lists page and click on the Add button. Create a list named internal and populate it with the subnets behind the Cisco's LAN interface that the SonicWALL will need to access. Make sure to use wildcard masks and not subnet masks for all entries. When done, click on the Apply button to save and activate the entry. For an example, see Figure 35.

Figure 35 - Cisco Network Lists page

11. Go to the Configuration > User Management > Base Group page. On the General tab, make sure the box next to IPSec in the Tunnelling Protocols section is checked. Leave all other settings as-is. For an example, see Figure 36.

Figure 36 - Cisco Base Group General tab

12. Click on the IPSec tab. Select sonicwall from the drop-down next to IPSec SA. Select Do not check from the drop-down next to IKE Peer Identity Validation. Uncheck the box next to IKE Keepalive. Select Remote Access from the drop-down next to Tunnel Type. Select None from the drop-down next to Authentication. Select None from the drop-down next to Authorization. Uncheck the box next to Authorization Required. Select None from the drop-down next to IPComp. Enter the complex preshared key you entered on the SonicWALL in the field next to Default Preshared Key. Uncheck the box next to Reauthentication on Rekey. Uncheck the box next to Mode Configuration. Leave all other settings as-is. For an example, see Figure 37.

Figure 37 - Cisco Base Group IPSec tab

13. Click on the Client Config tab. At the bottom of this tab, select the radio button next to Only tunnel networks in this list, and select internal from the drop-down next to Split Tunnelling Network List. Leave all other settings on this tab as-is. When done, click on the Apply button to save and activate the changes. For an example, see Figure 38.

Figure 38 - Cisco Base Group Client Config tab
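Steps 8, 9 and 12 above are hand-copied parameters, and every one of them (hash, cipher, Diffie-Hellman group, PFS, lifetime) must match what the SonicWALL proposes or the negotiation stops at Phase 1 or Phase 2 with nothing more helpful than a timeout; the Caveats section adds two global settings (NAT Traversal and IKE Dead Peer Detection/Keepalive) that must be off on both sides. The following Python script is an added example, not SonicWALL or Cisco code: it records both sides' settings as the Tech Note has you enter them, maps each vendor's GUI label onto a common name, and lists every mismatch. The SonicWALL-side values are an assumption: the Tech Note says the Cisco is adjusted to match the SonicOS defaults, so they are taken to be the same 3DES / SHA1 / Group 2 / 28800-second set entered on the Cisco. The misconfigured variant at the end is constructed to show what the check reports.

```python
"""Consistency check of the hand-entered IKE/IPSec parameters on both sides of
the Cisco/SonicWALL tunnel.

Added example, not SonicWALL or Cisco code.  It models the values the Tech
Note has you type into each GUI and reports every mismatch that would make
Phase 1 (IKE proposal) or Phase 2 (Security Association) fail, plus the two
features the Caveats section says must be disabled on both sides."""

# Each vendor labels the same algorithm differently; map every GUI label onto
# one canonical token so the two sides can be compared field by field.
ALIASES = {
    "ike using preshared secret": "psk", "preshared keys": "psk",
    "sha1": "sha1", "sha/hmac-160": "sha1", "esp/sha/hmac-160": "sha1",
    "md5": "md5", "md5/hmac-128": "md5", "esp/md5/hmac-128": "md5",
    "3des": "3des", "3des-168": "3des",
    "des": "des", "des-56": "des",
    "group 2 (1024-bits)": "dh2", "group 2": "dh2",
    "group 1 (768-bits)": "dh1", "group 1": "dh1",
    "disabled": "none", "none": "none",
}


def canon(value):
    """Normalise a GUI label; numbers and booleans pass through unchanged."""
    if isinstance(value, (bool, int)):
        return value
    label = str(value).strip().lower()
    return ALIASES.get(label, label)


# SonicWALL side.  ASSUMED to be the SonicOS defaults that the Tech Note says
# the Cisco is adjusted to match (Scenario Three, Steps 8 and 9).
SONICWALL = {
    "phase1": {"auth": "IKE using Preshared Secret", "hash": "SHA1",
               "encryption": "3DES", "dh_group": "Group 2", "lifetime": 28800},
    "phase2": {"hash": "SHA1", "encryption": "3DES", "pfs": "Disabled",
               "lifetime": 28800},
    "nat_traversal": False,        # VPN > Advanced: Enable NAT Traversal unchecked
    "dead_peer_detection": False,  # VPN > Advanced: Enable IKE Dead Peer Detection unchecked
}

# Cisco side, as entered in Scenario Three Steps 7, 8, 9 and 12.
CISCO = {
    "phase1": {"auth": "Preshared Keys", "hash": "SHA/HMAC-160",
               "encryption": "3DES-168", "dh_group": "Group 2 (1024-bits)",
               "lifetime": 28800},
    "phase2": {"hash": "ESP/SHA/HMAC-160", "encryption": "3DES-168",
               "pfs": "Disabled", "lifetime": 28800},
    "nat_traversal": False,        # NAT Transparency: IPSec over TCP / NAT-T unchecked
    "dead_peer_detection": False,  # Base Group > IPSec: IKE Keepalive unchecked
}


def find_mismatches(sonicwall, cisco):
    """Return human-readable problems; an empty list means every Phase 1 and
    Phase 2 parameter agrees and neither side has NAT-T or DPD enabled."""
    problems = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(sonicwall[phase]) | set(cisco[phase])):
            sw, cs = sonicwall[phase].get(key), cisco[phase].get(key)
            if canon(sw) != canon(cs):
                problems.append(f"{phase}.{key}: SonicWALL={sw!r} Cisco={cs!r}")
    for feature in ("nat_traversal", "dead_peer_detection"):
        for side, cfg in (("SonicWALL", sonicwall), ("Cisco", cisco)):
            if cfg.get(feature):
                problems.append(f"{feature} is enabled on the {side}; "
                                "the Caveats section requires it off on both sides")
    return problems


def misconfigured_cisco():
    """Constructed failure case: the operator picked MD5 for the IKE proposal
    and left IKE Keepalive checked in the Base Group."""
    bad = {k: (dict(v) if isinstance(v, dict) else v) for k, v in CISCO.items()}
    bad["phase1"]["hash"] = "MD5/HMAC-128"
    bad["dead_peer_detection"] = True
    return bad


if __name__ == "__main__":
    print("documented config:", find_mismatches(SONICWALL, CISCO) or "no mismatches")
    for problem in find_mismatches(SONICWALL, misconfigured_cisco()):
        print("problem:", problem)
```

The documented configuration produces no findings; the constructed variant reports the Phase 1 hash mismatch and the Keepalive left on, which is exactly the pair of symptoms (tunnel never negotiates, or negotiates and then drops after the first keepalive/rekey) that the Testing/Troubleshooting section has you chase by re-reading every step.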

Testing/Troubleshooting

From the management station on the SonicWALL side, attempt to ping the management station on the Cisco side. If not successful, review all steps above to ensure that the devices have been configured correctly. Once the tunnel is up successfully, log into the management GUIs of both devices. On the SonicWALL, go to the VPN > Settings page; you should see all subnets successfully negotiated under the Currently Active VPN Tunnels section of the page. On the Cisco, go to the Monitoring > Sessions page; you should see the Remote Access Session enabled and active. For examples, see Figures 39 and 40.

Figure 39 - SonicWALL VPN status page showing active VPN tunnels

Figure 40 - Cisco VPN status page showing active VPN tunnels

Created: 05/17/2005
Updated: 05/20/2005
Version 1.1