AppNote: Configuring SonicWALL for S2S VPN

Novell Cool Solutions: AppNote
By John Fuge


Posted: 4 Jan 2005

Configuring SonicWALL for Site-to-Site VPN with a BorderManager 3.8 SP1 Master Server

This article explains how to configure the SonicWALL TZ 170 SP Wireless security appliance for a site-to-site VPN with a Novell BorderManager 3.8 Master Server. Instructions are given for network setup, BorderManager setup, and SonicWALL setup.

About the SonicWALL TZ 170

SonicWALL Internet firewall/VPN security appliances are built on stateful inspection firewall technology, and a dedicated security processor designed to ensure maximum performance for VPN-enabled applications. The SonicWALL TZ 170 SP Wireless security appliance is a total security platform that delivers enterprise-class wireless and wired security to small networks, and ensures continuous network uptime for critical, secure data connectivity through integrated and automated fail-over and failback.

Network Setup

There are four basic parts to the required network setup:

1. BM Public IP

The BorderManager public IP is 192.168.0.100/24 with dynamic NAT enabled; its gateway is 192.168.0.254/24 (the DLink wireless router's private IP); and the BorderManager private IP is 172.17.0.1.

2. DLink to Cisco Router

The DLink router has a static route for 172.16.0.0/16 via the Cisco router at 192.168.0.160/24. Its private IP is 192.168.0.254; its public IP is x.x.x.x (whatever connects to the Internet; it is only used to test the routes).

3. Cisco Router IPs

The Cisco router's IP addresses are 192.168.0.160/24 and 172.16.0.254/16. There is no NAT on any interface. Its only static route is the default route (0.0.0.0 0.0.0.0) via the DLink at 192.168.0.254.

4. SonicWALL TZ 170

The appliance runs SonicOS Standard 2.2.1. The public (WAN) interface is 172.16.0.1/16 with NAT enabled; the private (LAN) interface is 10.10.0.1/16; and the gateway is 172.16.0.254 (the Cisco interface).
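The four parts above only matter because the two IKE peers (the SonicWALL WAN address 172.16.0.1 and the BorderManager public address 192.168.0.100) must be able to reach each other in both directions before any tunnel can be negotiated. The following script is an added example, not part of the original AppNote: it models the lab's routing tables with the article's addresses (interface names and the /16 mask on the BorderManager private side are assumptions), walks a packet hop by hop with longest-prefix matching, and shows which route each direction depends on. It also shows that the private networks themselves are not reachable across the underlay at all, which is what the tunnel is for.

```python
import copy
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[str], str]  # (prefix, next hop or None if connected, interface)
Device = Tuple[Set[str], List[Route]]                      # (addresses the device owns, routing table)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed model of the lab underlay from "Network Setup". Addresses are the
# article's; interface names and the BM private-side /16 are assumptions.
LAB: Dict[str, Device] = {
    "bm": ({"192.168.0.100", "172.17.0.1"}, [
        (net("192.168.0.0/24"), None, "public"),
        (net("172.17.0.0/16"), None, "private"),
        (net("0.0.0.0/0"), "192.168.0.254", "public"),      # GW = DLink private IP
    ]),
    "dlink": ({"192.168.0.254"}, [
        (net("192.168.0.0/24"), None, "lan"),
        (net("172.16.0.0/16"), "192.168.0.160", "lan"),     # the route to the Cisco router
        (net("0.0.0.0/0"), None, "internet"),               # the x.x.x.x uplink
    ]),
    "cisco": ({"192.168.0.160", "172.16.0.254"}, [
        (net("192.168.0.0/24"), None, "eth0"),
        (net("172.16.0.0/16"), None, "eth1"),
        (net("0.0.0.0/0"), "192.168.0.254", "eth0"),        # 0.0.0.0 0.0.0.0 192.168.0.254
    ]),
    "sonicwall": ({"172.16.0.1", "10.10.0.1"}, [
        (net("172.16.0.0/16"), None, "wan"),
        (net("10.10.0.0/16"), None, "lan"),
        (net("0.0.0.0/0"), "172.16.0.254", "wan"),          # GW = Cisco interface
    ]),
}


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, the way a forwarding table selects a route."""
    best: Optional[Route] = None
    for route in table:
        if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def owner(lab: Dict[str, Device], ip: str) -> Optional[str]:
    """Which modelled device owns an address, if any."""
    return next((name for name, (addrs, _) in lab.items() if ip in addrs), None)


def trace(lab: Dict[str, Device], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet to dst device by device. The last element is the device
    that owns dst, or INTERNET (left the lab through the DLink uplink), ONLINK
    (delivered on a connected subnet to a host that is not modelled),
    BLACKHOLE (no route, or a next hop nobody owns) or LOOP."""
    dst_ip = ipaddress.ip_address(dst)
    path, cur = [start], start
    for _ in range(max_hops):
        addrs, table = lab[cur]
        if dst in addrs:
            return path
        route = lookup(table, dst_ip)
        if route is None:
            return path + ["BLACKHOLE"]
        _, next_hop, iface = route
        if next_hop is None:                      # directly connected prefix
            if iface == "internet":
                return path + ["INTERNET"]
            nxt = owner(lab, dst)
            if nxt is None:
                return path + ["ONLINK"]
        else:
            nxt = owner(lab, next_hop)
            if nxt is None:
                return path + ["BLACKHOLE"]
        path.append(nxt)
        cur = nxt
    return path + ["LOOP"]


def without_route(lab: Dict[str, Device], device: str, cidr: str) -> Dict[str, Device]:
    """Copy of the lab with one route removed, to show what that route is for."""
    lab = copy.deepcopy(lab)
    addrs, table = lab[device]
    lab[device] = (addrs, [r for r in table if r[0] != net(cidr)])
    return lab


if __name__ == "__main__":
    print(trace(LAB, "sonicwall", "192.168.0.100"))   # SonicWALL -> Cisco -> BM
    print(trace(LAB, "bm", "172.16.0.1"))              # BM -> DLink -> Cisco -> SonicWALL
    print(trace(without_route(LAB, "dlink", "172.16.0.0/16"), "bm", "172.16.0.1"))  # ends at INTERNET
    print(trace(LAB, "sonicwall", "172.17.0.1"))       # private net is not routed on the underlay
```

The third trace is the failure a practitioner actually sees when the DLink route for 172.16.0.0/16 is missing: IKE packets from the SonicWALL arrive at the master, but the master's replies follow the DLink default route out to the Internet, so the exchange times out in one direction only.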

BorderManager Configuration

Note: The Master site-to-site configuration must already be in place. Craig Johnson's book (see http://nscsysop.hypermart.net/) and Novell's documentation (see http://www.novell.com/documentation/nbm38/index.html?page=/documentation/nbm38/inst_admin/data/amljjt7.html) will help you set up a VPN Master server.


Figure 1: Modifying the site-to-site service in iManager

First, you need to set up the slave (see Figure 2). Note: The Slave server name must be identical to the name you enter in the VPN Settings "Unique Firewall Identifier" field on the SonicWALL appliance.

  1. Create the slave server by going to https://<BM SERVER PRIVATE IP>/nps/iManager.
  2. Log in as the admin user.
  3. Click NBM VPN Configuration.
  4. Select VPN Site-to-Site Configuration.
  5. Click Add.
  6. Enter the Slave Server's Name at the top.


Figure 2: Master Server, certificate setup


Figure 3: Server setup, PSS key

Note: The IP Server address must be the public IP bound to the SonicWALL (or to the router in front of it, if the SonicWALL is statically NATed behind one). The Tunnel IP must be an IP within the same subnet as the master's tunnel address. For example, if the master is 5.0.0.1/8, the slave could be 5.0.0.2 or any other IP in that range. This IP is never used by the SonicWALL; it exists only so that BorderManager has a tunnel address for the slave in its configuration.

  1. Check the Non-BorderManager VPN box.
  2. For the Authentication Method, choose PSS (pre-shared secret).
  3. Type the PSS Key. Use a long, random value: it is the only thing that authenticates the peer.
  4. Under Protected IP Networks and Hosts, add the slave's LAN subnet (10.10.0.0/16 in my test lab) to the list at the bottom. Do not enable RIP.
  5. Click Apply.

Now set up the third-party traffic rules (see Figure 4 for details):

  1. Click the 3rd Party Traffic Rules tab.
  2. Click New.
  3. Type the name of the rule (such as <SLAVE SERVER NAME>_rules).
  4. Check the Enable Rule box.
  5. For the 3rd-party server gateway address, select the public IP of the slave server/device you are configuring.
  6. Next to "Rule applies to:" (on the next line down), select Only Use IP List.
  7. Click Add (at the right) and add your slave LAN (10.10.0.0/16) to the list.
  8. Under NBM Server Protected Network, next to "Rule Applies To:", select All Hosts.
  9. Leave Define Action as it is; these are the settings the SonicWALL side must match.
  10. Click Apply at the bottom of the screen.
  11. Click OK until you return to the first screen.


Figure 4: Third-party traffic rules setup

SonicWALL Configuration

Note: Set up the SonicWALL according to the manufacturer's instructions so that the device has the public IP and private IP you want. No other changes are necessary at this point; just complete the steps below. If additional security settings are needed to harden the device, make them after the VPN tunnel is up, one change at a time with a reboot after each, so that any problem can be traced to the change that caused it.

  1. Open the VPN Global Settings page (see Figure 5).
  2. For the VPN Settings Unique Firewall Identifier, type the same name you chose for the Slave Server on the NBM server.
  3. Go to the VPN Settings tab on the SonicWALL.
  4. Click Add under VPN Policies.


Figure 5: SonicWALL VPN Global Settings

Setting Security Policies

The Security Policy window opens (see Figure 6).


Figure 6: SonicWALL Security Policy settings, General tab

  1. For the Name, type the name you gave the Master VPN server. For my tests I gave it the name "Master."
  2. For the IPSec Primary Gateway Name or Address, type the public IP of the NBM server.
  3. Check "Use This VPN as default route for all Internet traffic." This setting forces all traffic from the LAN out to the Internet through this gateway, so no additional firewall rules are necessary and none need to be deleted. Bear in mind that the slave LAN's Internet traffic then passes through the BorderManager server's filters rather than the SonicWALL's.

Setting Security Proposals

Click the Proposals tab. First, set up IKE (Phase 1):

  1. Select Main Mode for the exchange if your SonicWALL has a public IP address bound to it; if it does not, select Aggressive Mode. Prefer Main Mode wherever you can: Aggressive Mode sends the identity unencrypted and exposes a hash derived from the pre-shared key to anyone who can capture the exchange, which allows offline guessing of the PSS key.
  2. Select Group 2 as the DH Group.
  3. Select 3DES for the Encryption setting.
  4. Select SHA as the Authentication protocol.

Next, set up IPsec (Phase 2):

  1. Select ESP as the protocol.
  2. Select 3DES for the Encryption setting.
  3. Select MD5 as the Authentication protocol.
  4. Enable PFS.
  5. Select Group 2 as the DH Group.
  6. Set the Life Time to 7200 seconds (120 minutes).

Both sides must agree on every Phase 1 and Phase 2 value; a mismatch in any one of them (a common slip is SHA on one side and MD5 on the other for Phase 2) stops the tunnel from coming up. The algorithms above are the ones the BorderManager side is configured for; 3DES, MD5 and 1024-bit DH Group 2 are weak by current standards, so choose stronger ones on both ends where both peers support them.
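The proposal steps above are really a matching exercise: the initiator offers a list of transform sets and the responder takes the first one it also has configured, so a single differing attribute leaves the tunnel down. The script below is an added example, not SonicWALL or BorderManager code: it models that responder-side selection for both phases, shows the "MD5 on one side, SHA on the other" failure, and audits the chosen set against current algorithm strength. The Proposal class, the WEAK_* tables and the Phase 1 lifetime of 28800 seconds (the article gives none) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    """One IKE Phase 1 or IPsec Phase 2 transform set (constructed model)."""
    encryption: str           # "3DES", "AES-128", ...
    integrity: str            # "SHA1", "MD5", ...
    dh_group: Optional[int]   # Phase 1 DH group, or the PFS group in Phase 2 (None = PFS off)
    lifetime: int             # seconds


def select_proposal(offered: Sequence[Proposal], accepted: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder-side selection as IKEv1 does it: walk the initiator's list in
    order and take the first set whose algorithms and group we also have
    configured. Lifetime is not part of the match; the shorter value is used.
    None corresponds to NO_PROPOSAL_CHOSEN, and the tunnel never comes up."""
    for p in offered:
        for q in accepted:
            if (p.encryption, p.integrity, p.dh_group) == (q.encryption, q.integrity, q.dh_group):
                return Proposal(p.encryption, p.integrity, p.dh_group, min(p.lifetime, q.lifetime))
    return None


# Strength assessment by current standards (assumed tables, not from the article).
WEAK_CIPHERS = {"DES": "56-bit key, brute-forceable", "3DES": "64-bit block (Sweet32), deprecated"}
WEAK_HASHES = {"MD5": "broken hash, HMAC-MD5 deprecated"}
WEAK_GROUPS = {1: "768-bit MODP", 2: "1024-bit MODP, exposed to well-funded precomputation", 5: "1536-bit MODP, marginal"}


def audit(p: Proposal, phase: int) -> List[str]:
    """Findings for one negotiated transform set."""
    findings = []
    if p.encryption in WEAK_CIPHERS:
        findings.append(f"phase {phase}: {p.encryption}: {WEAK_CIPHERS[p.encryption]}")
    if p.integrity in WEAK_HASHES:
        findings.append(f"phase {phase}: {p.integrity}: {WEAK_HASHES[p.integrity]}")
    if phase == 2 and p.dh_group is None:
        findings.append("phase 2: PFS off, one compromised IKE SA exposes every IPsec SA keyed from it")
    elif p.dh_group in WEAK_GROUPS:
        findings.append(f"phase {phase}: DH group {p.dh_group}: {WEAK_GROUPS[p.dh_group]}")
    return findings


def negotiate(master_p1: Sequence[Proposal], master_p2: Sequence[Proposal],
              slave_p1: Sequence[Proposal], slave_p2: Sequence[Proposal]) -> Dict[str, object]:
    """Run both phases with the master as initiator; Phase 2 is only attempted
    once Phase 1 has agreed, as in the real protocol."""
    result: Dict[str, object] = {"phase1": select_proposal(master_p1, slave_p1), "phase2": None, "findings": []}
    if result["phase1"] is not None:
        result["phase2"] = select_proposal(master_p2, slave_p2)
    findings: List[str] = []
    for phase, chosen in ((1, result["phase1"]), (2, result["phase2"])):
        if chosen is not None:
            findings += audit(chosen, phase)
    result["findings"] = findings
    return result


# The article's settings. The Phase 1 lifetime is not stated; 28800 s is assumed.
ARTICLE_P1 = Proposal("3DES", "SHA1", 2, 28800)
ARTICLE_P2 = Proposal("3DES", "MD5", 2, 7200)

if __name__ == "__main__":
    ok = negotiate([ARTICLE_P1], [ARTICLE_P2], [ARTICLE_P1], [ARTICLE_P2])
    print("matching config:", ok["phase1"], ok["phase2"])
    for f in ok["findings"]:
        print("  ", f)
    slip = negotiate([ARTICLE_P1], [ARTICLE_P2], [ARTICLE_P1], [Proposal("3DES", "SHA1", 2, 7200)])
    print("SHA instead of MD5 in Phase 2:", slip["phase1"] is not None, slip["phase2"])
```

The second run is the case to recognise in the logs: Phase 1 completes, so the PSS key and peer addresses are fine, but Phase 2 returns nothing because one side offers HMAC-MD5 and the other only accepts HMAC-SHA1.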

Using Advanced Settings

  1. Click the Advanced tab (see Figure 7).
  2. Check the box for Enable Keep Alive.
  3. For "VPN Terminated at" select LAN.


Figure 7: SonicWALL Advanced VPN settings

Defining Static Routes

  1. Open the Network Routing (Static Routes) page (see Figure 8).
  2. Add a route statement for the Master server's private network, so that the slave LAN knows to route through the NBM tunnel to the BorderManager private infrastructure.
  3. Add 172.17.0.0/26 via 192.168.0.100 on the WAN interface.


Figure 8: SonicWALL Network Routing: Static Routes

Note: You may need to reboot both the SonicWALL and the NBM server for the tunnels to come up correctly. (I recommend powering the appliance off and on; I found it worked better that way.) No additional changes to the appliance are necessary at this time.

Additional SonicWALL Configuration Screens


Figure 9: SonicWALL IP Configuration


Figure 10: SonicWALL Advanced VPN Settings


Figure 11: Firewall Access Rules


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell