Note: This guide was created using SonicWall firmware version 6.5. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration.


Prerequisites

Follow the steps in Connecting to a Site VPN - Route-Based Static on the Pureport side to create the VPN. You will need the following information from the Pureport Console to configure the SonicWall device:

  • Phase 1 and Phase 2 security settings for the VPN, as configured on the Pureport side
  • Gateway IP addresses for the primary and secondary gateways
  • Pre-shared Keys for the primary and secondary gateways
  • Customer VTI IP address for the primary and secondary gateways

Additionally, you will need a list of the IP subnets to reach from your site (clouds and other sites) in order to build the static route table on your SonicWall.


Dead Peer Detection

Before you begin, review your global Dead Peer Detection settings on the SonicWall Advanced VPN Settings page.


We recommend using the following settings:

  • Dead Peer Detection Interval: Enter 5 seconds.
  • Failure Trigger Level: Enter 3 missed heartbeats.

Depending on your average network latency to Pureport, you may select more aggressive settings.


Creating the VPN on the SonicWall 

To create the VPN on the SonicWall device, you will:

  1. Log into the SonicWall device.
    Refer to your SonicWall user guide for details.
  2. Create the VPNs.
  3. Create the Tunnel Interfaces.
  4. Create Address Objects.
  5. Set up static routes.
  6. Set up any required firewall rules.


Create the VPNs

Before you begin, record the VPN Settings (from the Pureport console).


To create the VPN:

  1. From the SonicWall device, in the Connectivity menu, select VPN > Base Settings.
    On the VPN Global Settings page, click ADD.

  2. On the General tab, enter the following information in each field:
    • Policy Type: Select Tunnel Interface.
    • Name: Enter a descriptive name for the VPN.
    • IPSec Primary Gateway Address: Enter the Pureport Gateway IP from the Primary Gateway settings in the Pureport console.
    • Shared Secret: Enter the Pre-shared key from the Primary Gateway settings in the Pureport console.

  3. Click the Proposals tab to configure the security proposals.
    You must use the same information you chose when creating the VPN connection in the Pureport console.
    On the Proposals tab, enter the following information in each field:
    • Phase 1
      • Exchange: Select the same IKE version from the Pureport console.
      • DH Group: Select the same IKE DH Group from the Pureport console.
      • Encryption: Select the same IKE encryption from the Pureport console.
      • Authentication: Select the same IKE Integrity from the Pureport console.
      • Life Time: Leave as the default value.
    • Phase 2
      • Protocol: Leave set to ESP.
      • Encryption: Select the same ESP Encryption from the Pureport console.
      • Authentication: Select the same ESP Integrity from the Pureport console.
      • DH Group: Select the Enable Perfect Forward Secrecy option and select the same ESP DH Group from the Pureport console.
      • Life Time: Leave as the default value.

  4. Click the Advanced tab for the final VPN settings:

    Enter the following information in each field, then click OK.
    • Enable Keep Alive: Enable this setting.
    • VPN Policy bound to: Verify that this setting specifies your WAN interface.

      Important: Ensure all other settings are unselected.


Repeat this procedure for the Secondary Gateway from the Pureport console. This will establish both tunnels and ensure high availability.


Create the Tunnel Interfaces

After creating the VPNs, you must create the tunnel interfaces. You will need information from the Pureport console, specifically the Customer VTI IPs (virtual tunnel interface IP addresses) for each VPN.


  1. From the SonicWall device, in the System Setup menu, select Network > Interfaces > Base Settings.

  2. On the Interface Settings page, in the Add Interface field select VPN Tunnel Interface.

  3. On the General tab, set values for the highlighted fields:
    • VPN Policy:
    • Name:
    • IP Address:
    • Subnet Mask:
    • Management:

  4. On the Advanced tab, select the Enable Asymmetric Route Support option, then click OK.


Repeat this procedure for the second tunnel interface.



Create Address Objects

Next, create address objects for each network you will need to reach across the VPN. These include any clouds and/or other sites you need to access from the site you're connecting. These address objects will be used for both the static routes you'll create and for the accompanying firewall rules.


  1. From the SonicWall device, in the Policies menu, select Objects > Address Objects.

  2. Select the Address Objects tab (not the Address Groups tab), and click Add.

  3. In the Add Objects window, enter the following information in each field and click Add:
    • Name: Enter a descriptive name for the object.
    • Zone Assignment: Select the appropriate Zone for your security policy.
    • Type: Select Network.
    • Network: The network number (e.g., 192.168.0.0).
    • Netmask Prefix: The subnet mask for the network (e.g., 255.255.255.0).

Repeat this procedure for each network requiring a static route and firewall rules.


Note: To simplify your configuration, you can add all of the Address Objects to a Group Object.
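
Because the same Address Objects feed both the static routes and the firewall rules, it helps to check the subnet list before typing it in. The following is an added example, not part of the original guide or of any SonicWall or Pureport tooling: it turns a list of CIDR subnets into the Network and Netmask values used in the Add Objects window and flags entries that are not network numbers or that overlap your local LAN or each other. The function name, object names, and all sample subnets are constructed for illustration.

```python
import ipaddress

# Constructed sample input: (object name, subnet to reach across the VPN).
SAMPLE_REMOTE = [
    ("aws-vpc-prod", "10.20.0.0/16"),
    ("azure-vnet", "10.30.4.7/24"),      # host bits set: not a network number
    ("branch-office", "192.168.0.0/24"),  # same range as the local LAN below
    ("aws-vpc-shared", "10.20.8.0/22"),   # already covered by aws-vpc-prod
]
SAMPLE_LOCAL = ["192.168.0.0/24"]         # constructed local LAN subnet


def plan_address_objects(remote_cidrs, local_cidrs):
    """Return (objects, findings) for the subnets to be routed into the tunnels.

    objects  -> dicts holding the Name, Network and Netmask field values
    findings -> messages to resolve before creating routes and firewall rules
    """
    local = [ipaddress.ip_network(c, strict=True) for c in local_cidrs]
    objects, findings, seen = [], [], []
    for name, cidr in remote_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # Host bits are set; strict=False yields the enclosing network.
            # A string that is not an address at all still raises here.
            net = ipaddress.ip_network(cidr, strict=False)
            findings.append(f"{name}: {cidr} is not a network number, use {net}")
        for lan in local:
            if net.overlaps(lan):
                # A route for this object would pull local traffic into the VPN.
                findings.append(f"{name}: {net} overlaps local network {lan}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
        objects.append({"Name": name,
                        "Network": str(net.network_address),
                        "Netmask": str(net.netmask)})
    return objects, findings


if __name__ == "__main__":
    objs, notes = plan_address_objects(SAMPLE_REMOTE, SAMPLE_LOCAL)
    for o in objs:
        print(f'{o["Name"]:<16} {o["Network"]:<14} {o["Netmask"]}')
    for n in notes:
        print("REVIEW:", n)
```
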



Create Static Routes

Next you will create static routes pointing the networks to your two Tunnel interfaces.

  1. From the SonicWall device, in the System Setup menu, select Network > Routings.

  2. Select the Route Policies tab, then click Add.


  3. Select the General tab and enter the following information:
    • Give the rule a Name.
    • Select the Address Object or Address Group created in the previous step.
    • Set the Gateway Number to 2.
    • Select the two Tunnel Interfaces.
    • Set the Metric to 1.

Repeat this procedure for each Address Object (or Address Group) needed.


Firewall Rules

After creating the VPNs, you must add firewall rules to allow traffic between networks in SonicWall. 


Although default rules may be created when adding the static routes, you may need additional rules, based on your internal security policy.