VNS3 IPsec Configuration - Cohesive Networks · 2018-01-08

VNS3 IPsec Configuration - VNS3 to Sonicwall NSA 240


© 2018

Site-to-Site IPsec Tunnel


The IPsec protocol allows you to securely connect two sites over the public internet using cryptographically secured services. IPsec ensures private and secure communication between two devices. This type of VPN has many use cases. We will focus on the Site-to-Site (LAN-to-LAN) setup most often used with VNS3 to build hybrid clouds.

Many network hardware devices support IPsec tunneling. Check your device's data sheet to see if it is compatible with VNS3. The requirements are:

• IKEv1 or IKEv2
• AES256, AES128 or 3DES
• SHA1 or MD5
• NAT-Traversal capability (some clouds require NAT-Traversal encapsulation - AWS Generic EC2, Microsoft Azure, etc.)

3DES and MD5 are listed only for compatibility with older devices; where the device supports them, use AES-256 and SHA1 (the VNS3 defaults used later in this guide).

A diagram of the typical secure hybrid cloud setup using VNS3 is provided below. The IPsec tunnel provides secure and encrypted connectivity between the office subnet (192.168.3.0/24) and the VNS3 Overlay Network (172.31.1.0/24).

This guide provides the steps to set up the Sonicwall side of the IPsec configuration.

The most important thing in any IPsec configuration is to make sure all settings match on both devices that will connect to each other. Mismatches are the primary cause of tunnel failure or instability.

Diagram: typical secure hybrid cloud setup

Public Cloud
• Overlay Network subnet: 172.31.1.0/24
• Cloud Server overlay IP: 172.31.1.1
• VNS3 Controller: public IP 184.73.174.250, overlay IP 172.31.1.250

Customer Remote Office
• Remote subnet: 192.168.3.0/24, behind the Sonicwall firewall / IPsec endpoint
• Server A LAN IP: 192.168.3.50
• Server B LAN IP: 192.168.3.100

Active IPsec tunnel: 192.168.3.0/24 - 172.31.1.0/24


VPN Advanced Settings Page


Before configuring an IPsec tunnel on a Sonicwall device, it is recommended that you review the VPN global device settings.

Click VPN>Advanced from the left column menu.

The resulting page will display the default settings for your device.

Recommended settings (these are defaults on the Sonicwall):

• DPD Enabled - Interval is the number of seconds between heartbeats (R_U_THERE messages) and Trigger Level is how many missed heartbeats are tolerated before the connection is automatically reset.

• Enable Fragmented Packet Handling and Ignore DF Bit - when not enabled, fragmented IPsec traffic is dropped. Sonicwall enables this by default so that traffic still passes over the tunnel; IPsec traffic can become fragmented in transit for a number of reasons (the ESP and NAT-Traversal headers alone add to the packet size).

• Enable NAT-Traversal - encapsulation is required if your VNS3 has NAT-Traversal enabled. Many public clouds require NAT-Traversal to pass IPsec traffic across their edge (e.g. AWS EC2, Azure, HP Helion).

• Clean up Active tunnels... - this option applies when DNS names are used to identify the other end of an IPsec connection. If the name resolves to a different IP (as is the case with dynamic addressing), the old tunnel is torn down. This option does not apply to tunnels negotiated with VNS3, as the addresses are static.

Click Accept.


VPN Settings Page


To add an IPsec VPN Policy (configuration), navigate to the VPN Settings page.

Click VPN>Settings from the left column menu.

Click Add... under the VPN Policies section.


Add VPN: General


On the resulting VPN wizard, click the General tab. This page sets up VNS3 as the gateway the Sonicwall communicates with to build the IPsec tunnel.

Under the Security Policy section:

• Select IKE using Preshared Secret from the Authentication Method drop down.
• Enter a Name for the IPsec tunnel configuration in the Name field.
• Enter the VNS3 Controller Public IP in the IPsec Primary Gateway Name or Address field.

Under the IKE Authentication section:

• Enter the Preshared Secret in the Shared Secret and Confirm Shared Secret fields (this example uses test; for a production tunnel use a long, randomly generated secret, since the preshared key is the only thing authenticating the two peers to each other).
• Enter the Sonicwall Private IP Address in the Local IKE ID field with IP Address selected from the drop down*.
• Enter the VNS3 Local Private IP Address (default is 192.0.2.254) in the Peer IKE ID field with IP Address selected from the drop down**.

Click on the Network tab.

* Required if the Sonicwall is not on the network edge. If the Sonicwall is sitting on the network edge, leave Local IKE ID blank.

** Required if using NAT-Traversal encapsulation for the tunnel negotiation. If using native IPsec, leave Peer IKE ID blank.
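Why NAT-Traversal changes the Peer IKE ID (this also explains the Enable NAT-Traversal setting on the VPN Advanced page): during Phase 1 each peer sends NAT-D payloads, a hash of the two IKE cookies plus the address and port it sees on its own interface (RFC 3947). If the hash a peer sent does not match the hash computed over the source address the packet actually arrived from, there is a NAT in the path and both sides move to UDP 4500 encapsulation. A cloud-hosted VNS3 only sees its private interface address, so that is what it hashes and what it presents as its IKE identity; the Sonicwall's Peer IKE ID must therefore be that private address, not the public IP the Sonicwall sends to. The following Python is an added example written for this guide, not Cohesive or SonicWall code: the IKE cookies and the Sonicwall public address 203.0.113.10 are constructed values, while the VNS3 addresses are the ones used on this page.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), all in network byte order.

    The hash function is the one negotiated in Phase 1 (SHA1 in this guide's proposal).
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets for IPv4, 16 for IPv6
    return hashlib.new(hash_name, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def peer_behind_nat(cky_i: bytes, cky_r: bytes, peer_claimed: tuple, packet_source: tuple,
                    hash_name: str = "sha1") -> bool:
    """Return True when a NAT sits between us and the peer.

    peer_claimed  - (ip, port) the peer hashed, i.e. the address on its own interface
    packet_source - (ip, port) we actually received the peer's IKE packet from
    A mismatch between the two NAT-D hashes means the address was rewritten in transit.
    """
    claimed = nat_d_hash(cky_i, cky_r, *peer_claimed, hash_name=hash_name)
    observed = nat_d_hash(cky_i, cky_r, *packet_source, hash_name=hash_name)
    return claimed != observed


# Addresses from this guide's topology, plus constructed values where the page gives none.
VNS3_PRIVATE_IP = "192.0.2.254"       # VNS3 local private IP (page default)
VNS3_PUBLIC_IP = "184.73.174.250"     # VNS3 public IP from the diagram (cloud-side NAT)
SONICWALL_PUBLIC_IP = "203.0.113.10"  # constructed: the page does not give the Sonicwall WAN IP
CKY_I = bytes.fromhex("0011223344556677")  # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie


def detect_nat_for_example() -> dict:
    """Run NAT detection from each peer's point of view for the guide's topology."""
    # The Sonicwall is on the network edge: the address it hashes is the one VNS3 receives from.
    sonicwall_natted = peer_behind_nat(CKY_I, CKY_R,
                                       (SONICWALL_PUBLIC_IP, 500), (SONICWALL_PUBLIC_IP, 500))
    # VNS3 hashes its private interface address, but the Sonicwall sees the cloud's public IP.
    vns3_natted = peer_behind_nat(CKY_I, CKY_R,
                                  (VNS3_PRIVATE_IP, 500), (VNS3_PUBLIC_IP, 500))
    return {
        "sonicwall_behind_nat": sonicwall_natted,
        "vns3_behind_nat": vns3_natted,
        # Either side behind NAT: IKE moves to UDP 4500 and ESP is UDP-encapsulated.
        "use_nat_traversal": sonicwall_natted or vns3_natted,
        # VNS3 identifies itself by the address it hashed, so that is the Sonicwall's Peer IKE ID;
        # with no NAT in front of VNS3 the field can stay blank, as the footnote above says.
        "sonicwall_peer_ike_id": VNS3_PRIVATE_IP if vns3_natted else "",
    }


if __name__ == "__main__":
    for key, value in detect_nat_for_example().items():
        print(f"{key}: {value}")
```

The same check works in the other direction: if the Sonicwall itself sits behind another edge device, its own NAT-D hash will not match what VNS3 observes, which is why the Local IKE ID then has to be set explicitly.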


Add VPN: Network


The Network tab lets you define the local and remote networks that will communicate with one another via the IPsec tunnel.

Under the Local Networks section, click the Choose local network from list radio button; under the Destination Networks section, click the Choose destination network from list radio button.

In each drop down, select Create new address object...

On the resulting popup enter/select the following:

• Enter a Name in the Name field.
• Select LAN from the Zone Assignment drop down.
• Select Network from the Type drop down.
• Enter the appropriate Network and Netmask in the Network and Netmask fields respectively.
  • For Local Networks, use the subnet available "behind" the Sonicwall device (192.168.3.0/24 in this guide's example).
  • For Destination Networks, use the VNS3 Overlay Subnet (172.31.1.0/24).

Click on the Proposals tab.


Add VPN: Proposals


The Proposals tab lets you define the tunnel parameters for both Phase 1 and Phase 2 of the IPsec negotiation. These settings must match the configured settings on the VNS3 Controller. The settings entered below are the VNS3 defaults.

Under the IKE (Phase 1) Proposal section:

• Select Main Mode from the Exchange drop down.
• Select Group 5 from the DH Group drop down.
• Select AES-256 from the Encryption drop down.
• Select SHA1 from the Authentication drop down.
• Enter 3600 in the Life Time (seconds) field.

Under the IPsec (Phase 2) Proposal section:

• Select ESP from the Protocol drop down.
• Select AES-256 from the Encryption drop down.
• Select SHA1 from the Authentication drop down.
• Click the Enable Perfect Forward Secrecy check box.
• Select Group 5 from the DH Group drop down.
• Enter 28800 in the Life Time (seconds) field.

Click on the Advanced tab.
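A pre-flight check for the matching rule, as an added example written for this guide rather than code from Cohesive or SonicWall: it normalises the two vendors' spellings (AES-256 versus aes256, Group 5 versus dh5) before comparing the Phase 1 and Phase 2 settings, reports anything that differs, and flags legacy choices (3DES, MD5, DH Group 2, Aggressive Mode). The short-form spellings used for the VNS3 side are an assumed notation, not VNS3's actual display strings; the Sonicwall values are the ones entered above.

```python
# Canonical spellings for values as the two UIs display them. The Sonicwall spellings are the
# ones in this guide; the short forms (aes256, dh5, ...) are an assumed notation for the VNS3
# side, not VNS3's actual display strings.
_ALIASES = {
    "aes-256": "aes256", "aes256": "aes256",
    "aes-128": "aes128", "aes128": "aes128",
    "3des": "3des",
    "sha1": "sha1", "sha-1": "sha1", "md5": "md5",
    "group 5": "dh5", "group5": "dh5", "dh5": "dh5", "modp1536": "dh5",
    "group 2": "dh2", "group2": "dh2", "dh2": "dh2", "modp1024": "dh2",
    "main mode": "main", "main": "main",
    "aggressive mode": "aggressive", "aggressive": "aggressive",
    "esp": "esp",
}

# Settings that still appear in compatibility lists but should not be chosen when the peer
# supports AES-256 / SHA1 / Group 5 (the VNS3 defaults shown in this guide).
WEAK = {"3des", "md5", "dh2", "aggressive"}


def canon(value):
    """Normalise one UI value so 'AES-256', 'aes256' and 'AES256' compare equal."""
    if isinstance(value, (bool, int)):
        return value
    key = str(value).strip().lower()
    return _ALIASES.get(key, key)


def compare_proposals(side_a: dict, side_b: dict, name_a="sonicwall", name_b="vns3"):
    """Compare Phase 1 and Phase 2 settings of two peers.

    Returns (mismatches, warnings): mismatches is a list of (phase, setting, a_value, b_value)
    that would make negotiation fail; warnings lists legacy settings on either side.
    """
    mismatches, warnings = [], []
    for phase in ("phase1", "phase2"):
        a, b = side_a.get(phase, {}), side_b.get(phase, {})
        for setting in sorted(set(a) | set(b)):
            va, vb = canon(a.get(setting)), canon(b.get(setting))
            if va != vb:
                mismatches.append((phase, setting, a.get(setting), b.get(setting)))
            for name, v in ((name_a, va), (name_b, vb)):
                if v in WEAK:
                    warnings.append(f"{name} {phase} {setting}={v}: legacy setting, prefer AES/SHA1/Group 5")
    return mismatches, warnings


def page_example_configs():
    """The values this guide enters on the Proposals tab, as one dict per side."""
    sonicwall = {
        "phase1": {"exchange": "Main Mode", "dh_group": "Group 5", "encryption": "AES-256",
                   "authentication": "SHA1", "lifetime": 3600},
        "phase2": {"protocol": "ESP", "encryption": "AES-256", "authentication": "SHA1",
                   "pfs": True, "dh_group": "Group 5", "lifetime": 28800},
    }
    # The same parameters in the assumed short notation, as an operator might copy them from
    # the VNS3 side; the guide states these are the VNS3 defaults.
    vns3 = {
        "phase1": {"exchange": "main", "dh_group": "dh5", "encryption": "aes256",
                   "authentication": "sha1", "lifetime": 3600},
        "phase2": {"protocol": "esp", "encryption": "aes256", "authentication": "sha1",
                   "pfs": True, "dh_group": "dh5", "lifetime": 28800},
    }
    return sonicwall, vns3


if __name__ == "__main__":
    sw, vns3 = page_example_configs()
    print("matching config:", compare_proposals(sw, vns3))
    # A typical slip: the wrong DH Group and a Phase 2 lifetime typed into Phase 1.
    sw["phase1"]["dh_group"] = "Group 2"
    sw["phase2"]["lifetime"] = 3600
    print("mismatched config:", compare_proposals(sw, vns3))
```

Run it against both devices' screens before bringing the tunnel up; an empty mismatch list is the condition this guide calls the most important one in any IPsec configuration.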


Add VPN: Advanced


The Advanced tab allows you to set extra configuration parameters for the IPsec tunnel. Which parameters you enable depends on your use case.

Make sure the VPN Policy bound to drop down is set to the Zone on the Sonicwall that has access to the public Internet (either directly out the edge or via an intermediate edge device). In our example this is Zone WAN.


IPsec Review


Once the configuration is added, the IPsec VPN Policy will be listed under the VPN Policies section.

When the tunnel is up, the tunnel will be listed in the Currently Active VPN Tunnels section.


Troubleshooting



Tunnel Traffic


Depending on your network architecture, traffic may need to be sent from the Sonicwall side of the connection to trigger the initial IPsec negotiation. To generate it, ping the VNS3 Controller instance's Overlay IP address (listed on the Runtime Status page) from a device on the Sonicwall local subnet.


Peer ID


If VNS3 has NAT-Traversal enabled (the VNS3 default), you must enter the Peer IKE ID on the General tab of the Add VPN wizard. Without it, the VNS3 IPsec logs will show INVALID_ID errors and the tunnel will not negotiate.

If VNS3 has NAT-Traversal disabled, leave the Peer IKE ID blank.
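The INVALID_ID symptom above, and the proposal mismatch the Site-to-Site page warns about, are easy to miss in a scrolling log. The following Python is an added example for this guide, not VNS3 or SonicWall tooling: it classifies constructed sample log lines by standard IKE notification name and maps each to the check this guide recommends. The line format, the connection name and the Sonicwall address 203.0.113.10 are constructed; real VNS3 log lines will differ, so adapt the LINE pattern to the actual format before use.

```python
import re
from collections import defaultdict

# Constructed sample in a generic "timestamp connection: message" shape. These are not real
# VNS3 or Sonicwall log lines; only the notify names (INVALID_ID_INFORMATION,
# NO_PROPOSAL_CHOSEN) are standard IKE notifications.
SAMPLE_LOG = """\
2018-01-08T10:00:01Z office-tunnel: initiating Main Mode with 203.0.113.10
2018-01-08T10:00:02Z office-tunnel: received INVALID_ID_INFORMATION from 203.0.113.10
2018-01-08T10:00:32Z office-tunnel: received INVALID_ID_INFORMATION from 203.0.113.10
2018-01-08T10:05:10Z office-tunnel: received NO_PROPOSAL_CHOSEN from 203.0.113.10
2018-01-08T10:07:00Z office-tunnel: retransmitting Main Mode message 1, no response from 203.0.113.10
2018-01-08T10:12:00Z office-tunnel: IPsec SA established 192.168.3.0/24 <-> 172.31.1.0/24
"""

# (label, pattern, what to check). The first matching rule wins for a line.
RULES = [
    ("INVALID_ID", re.compile(r"INVALID_ID", re.I),
     "Peer IKE ID mismatch: with NAT-Traversal enabled on VNS3, set the Sonicwall Peer IKE ID to "
     "the VNS3 local private IP (default 192.0.2.254); with NAT-Traversal disabled, leave it blank."),
    ("NO_PROPOSAL_CHOSEN", re.compile(r"NO_PROPOSAL_CHOSEN", re.I),
     "Proposal mismatch: compare Exchange, DH Group, Encryption, Authentication, PFS and Life Time "
     "for Phase 1 and Phase 2 on both devices."),
    ("NO_RESPONSE", re.compile(r"retransmit|no response", re.I),
     "Peer not answering: confirm UDP 500 and 4500 reach the VNS3 public IP and that the VPN "
     "policy is bound to the WAN zone."),
    ("SA_ESTABLISHED", re.compile(r"SA established", re.I), None),
]

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>[^:]+):\s+(?P<msg>.*)$")


def triage(log_text: str) -> dict:
    """Count findings per connection and collect the remedies to check, in first-seen order."""
    counts = defaultdict(lambda: defaultdict(int))
    remedies, unmatched = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        for label, pattern, advice in RULES:
            if pattern.search(m["msg"]):
                counts[m["conn"]][label] += 1
                if advice and advice not in remedies:
                    remedies.append(advice)
                break
        else:
            unmatched.append(m["msg"])
    return {
        "counts": {conn: dict(c) for conn, c in counts.items()},
        "remedies": remedies,
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for conn, c in report["counts"].items():
        print(conn, c)
    for advice in report["remedies"]:
        print("-", advice)
```

If the log shows nothing at all for the connection, negotiation has not been triggered yet; send interesting traffic as described under Tunnel Traffic before looking for errors.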


VNS3 Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions (Free & Lite Editions | BYOL) - Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document - Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided on the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Troubleshooting - Troubleshooting document that explains the issues most commonly experienced with VNS3.