Note: This guide was created using the SonicWall firmware version 6.5. Depending on your specific firmware version, there may be minor differences between this guide and your actual application. Also note that, if you already have more than a simple routing configuration, the BGP configuration may vary greatly from this configuration example.
Prerequisites
Follow the steps in Connecting to a Site VPN - Route-Based Static on the Pureport side to create the VPN.
You will need the following information from the Pureport Console to configure the SonicWall device:
- Phase1 and Phase 2 security settings for the VPN as configured on the Pureport side
- Gateway IP addresses for the primary and secondary gateways
- Pre-shared keys for the primary and secondary gateways (treat these as credentials; they are the only thing authenticating each tunnel)
- Customer VTI IP address for the primary and secondary gateways
Additionally you will need a list of the IP subnets you wish to reach from your site (clouds and other sites) in order to create the address objects and firewall rules on your SonicWall. With BGP, the routes to those subnets are learned from Pureport rather than entered as static routes.
BGP Pre-Requisites
- SonicOS Expanded (for BGP support)
- SSH management enabled (for command line access)
- An SSH client (one is included with Windows 10 and built into macOS)
- A customer-side autonomous system number (see What Autonomous System Number (ASN) should I use?)
Dead Peer Detection
Before you begin, review your global Dead Peer Detection settings on the SonicWall Advanced VPN Settings page.
We recommend the following settings:
- Dead Peer Detection Interval: Enter 5 seconds.
- Failure Trigger Level: Enter 3 missed heartbeats.
With these values a dead peer is declared after roughly 15 seconds (3 missed heartbeats at 5-second intervals). Depending on your average network latency to Pureport, you may choose more or less aggressive values.
Creating the VPN on the SonicWall device
To create the VPN on the SonicWall device, you will:
- Log into the SonicWall device
- Create the VPNs
- Create the Tunnel Interfaces
- Configure BGP via the Command Line
- Create Address Objects
- Set up any required firewall rules
Create the VPNs
Before you begin, record the VPN settings from the Pureport console.
To create the VPN:
- From the SonicWall device, in the Connectivity menu, select VPN > Base Settings.
- On the VPN Global Settings page, click ADD.
- On the General tab, enter the following information in each field:
- Policy Type: Select Tunnel Interface.
- Name: Enter a descriptive name for the VPN.
- IPSec Primary Gateway Address: Enter the Pureport Gateway IP from the Primary Gateway settings in the Pureport console.
- Shared Secret: Enter the Pre-shared key from the Primary Gateway settings in the Pureport console.
- Click the Proposals tab to configure the security proposals.
You must use the same information you chose when creating the VPN connection in the Pureport console; any mismatch in a Phase 1 or Phase 2 setting will prevent the tunnel from establishing.
On the Proposals tab, enter the following information in each field:
- Phase 1
- Exchange: Select the same IKE version as in the Pureport console.
- DH Group: Select the same IKE DH Group as in the Pureport console.
- Encryption: Select the same IKE encryption as in the Pureport console.
- Authentication: Select the same IKE Integrity as in the Pureport console.
- Life Time: Leave as the default value.
- Phase 2
- Protocol: Leave set to ESP.
- Encryption: Select the same ESP Encryption as in the Pureport console.
- Authentication: Select the same ESP Integrity as in the Pureport console.
- DH Group: Select the Enable Perfect Forward Secrecy option and select the same ESP DH Group as in the Pureport console.
- Life Time: Leave as the default value.
- Click the Advanced tab for the final VPN settings, enter the following, then click OK:
- Enable Keep Alive: Enable this setting.
- VPN Policy bound to: Verify that this setting specifies your WAN interface.
Important: Ensure all other settings on the Advanced tab are unselected.
Repeat this procedure for the Secondary Gateway from the Pureport console. This will establish both tunnels and ensure high availability.
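Because a Phase 1 or Phase 2 mismatch is the most common reason a tunnel never comes up, a small check such as the following can be run against the values recorded from the Pureport console and the values entered on the Proposals tab. This is an added example written for this guide, not part of the original page or of any Pureport or SonicWall tooling; the field names, the sample values and the set of algorithms treated as weak are assumptions made for illustration.

```python
"""Compare the SonicWall Proposals tab against the Pureport VPN settings.

Added example for this guide, not Pureport or SonicWall code. Field names,
sample values and the WEAK set are illustrative assumptions; record the real
values from the Pureport console and the SonicWall Proposals tab.
"""

# Algorithms and DH groups that should not be used on a new tunnel.
# Assumption based on general IKE/IPsec guidance, not a Pureport requirement.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

PHASE1_FIELDS = ("exchange", "dh_group", "encryption", "authentication")
PHASE2_FIELDS = ("protocol", "encryption", "authentication", "pfs_dh_group")


def _norm(value):
    """Normalise 'AES-256', 'aes 256' and 'AES256' to one spelling."""
    return str(value).strip().lower().replace(" ", "").replace("-", "")


def compare_proposals(pureport, sonicwall):
    """Return a list of problems (an empty list means the two sides agree)."""
    problems = []
    for phase, fields in (("phase1", PHASE1_FIELDS), ("phase2", PHASE2_FIELDS)):
        for field in fields:
            expected = _norm(pureport[phase][field])
            actual = _norm(sonicwall[phase][field])
            if expected != actual:
                problems.append(f"{phase}.{field}: Pureport={expected} SonicWall={actual}")
            if actual in WEAK:
                problems.append(f"{phase}.{field}: weak algorithm {actual}")
    # The guide requires Perfect Forward Secrecy to be selected for Phase 2.
    if not sonicwall["phase2"].get("pfs_enabled", False):
        problems.append("phase2: Enable Perfect Forward Secrecy is not selected")
    return problems


# Constructed sample values (not real Pureport settings).
PUREPORT = {
    "phase1": {"exchange": "IKEv2", "dh_group": "Group 14",
               "encryption": "AES-256", "authentication": "SHA256"},
    "phase2": {"protocol": "ESP", "encryption": "AES-256",
               "authentication": "SHA256", "pfs_dh_group": "Group 14"},
}
SONICWALL_OK = {
    "phase1": {"exchange": "IKEv2", "dh_group": "Group 14",
               "encryption": "AES-256", "authentication": "SHA256"},
    "phase2": {"protocol": "ESP", "encryption": "AES-256",
               "authentication": "SHA256", "pfs_dh_group": "Group 14",
               "pfs_enabled": True},
}
# Same as above but with the Phase 2 integrity entered wrongly and PFS left off.
SONICWALL_BAD = {
    "phase1": dict(SONICWALL_OK["phase1"]),
    "phase2": {**SONICWALL_OK["phase2"], "authentication": "SHA1", "pfs_enabled": False},
}

if __name__ == "__main__":
    for name, cfg in (("ok", SONICWALL_OK), ("bad", SONICWALL_BAD)):
        print(name, compare_proposals(PUREPORT, cfg) or "proposals match")
```

Run it once for the primary gateway and once for the secondary; the two Pureport gateways may have been created with different settings, so do not assume the second tunnel matches because the first did.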
Create the Tunnel Interfaces
After creating the VPNs, you must create the tunnel interfaces. You will need the Customer VTI IP address (the virtual tunnel interface IP address) for each VPN from the Pureport console.
- From the SonicWall device, in the System Setup menu, select Network > Interfaces > Base Settings.
- On the Interface Settings page, in the Add Interface field, select VPN Tunnel Interface.
- On the General tab, set values for the following fields:
- VPN Policy: Select the VPN policy you created for this gateway.
- Name: Enter a descriptive name for the tunnel interface.
- IP Address: Enter the Customer VTI IP address for this gateway from the Pureport console.
- Subnet Mask: Enter the subnet mask that corresponds to the Customer VTI address.
- Management: Leave management protocols disabled on the tunnel interface unless you specifically need to manage the firewall from the Pureport side.
- On the Advanced tab, select the Enable Asymmetric Route Support option, then click OK.
Repeat this procedure for the second tunnel interface.
Configure BGP
Next you will need to enable Advanced Routing and BGP, and then configure BGP via the command line.
- From the SonicWall device, in the System Setup menu, select Network > Routing.
- Select the Settings tab and confirm the following settings:
- Routing Mode: Select Advanced Routing.
- BGP: Select Enabled.
- Use an SSH client to connect to your firewall. An SSH client is included with both Windows 10 and macOS.
Open a command/terminal window and run the following command: ssh <administrator>@<IP ADDRESS>
Where:
- administrator = Your username
- IP ADDRESS = The management IP address of your firewall
- Run the following commands, replacing the placeholders in braces (YOUR-ASN, LOCAL NETWORK TO ANNOUNCE, PUREPORT VTI 1 and PUREPORT VTI 2) with your ASN, each local network you want to announce, and the Pureport-side VTI IP addresses of the primary and secondary gateways from the Pureport console:
configure
routing
bgp
# The BGP shell has its own configuration mode
configure terminal
router bgp {YOUR-ASN}
network {LOCAL NETWORK TO ANNOUNCE}
# REPEAT FOR EACH LOCAL NETWORK
neighbor {PUREPORT VTI 1} remote-as 394351
neighbor {PUREPORT VTI 1} soft-reconfiguration inbound
neighbor {PUREPORT VTI 2} remote-as 394351
neighbor {PUREPORT VTI 2} soft-reconfiguration inbound
end
# Save the BGP configuration and leave the BGP shell
write
exit
# Commit the SonicOS configuration and log out
commit
end
end
exit
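The command sequence above is easy to get subtly wrong (a prefix with host bits set, an ASN that collides with the Pureport ASN, a tunnel address inside an announced network). The following script renders the same sequence from a few inputs and rejects those mistakes before anything is pasted into the SSH session. It is an added example written for this guide, not SonicWall or Pureport code; the command order and the Pureport ASN 394351 are taken from the page, while the customer ASN, networks and VTI addresses are constructed sample values, and it assumes the SonicOS BGP shell accepts prefixes in a.b.c.d/len form as the guide's network line suggests.

```python
"""Build and sanity-check the SonicOS BGP command sequence from this guide.

Added example for this guide, not SonicWall or Pureport code. The command
order and the Pureport ASN 394351 come from the page; the customer ASN,
networks and VTI addresses used as samples are constructed. Assumes the
SonicOS BGP shell accepts prefixes in a.b.c.d/len form.
"""
import ipaddress

PUREPORT_ASN = 394351  # remote-as used in the guide's neighbor statements


def is_private_asn(asn):
    """RFC 6996 private-use ranges: 64512-65534 and 4200000000-4294967294."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def bgp_input_errors(your_asn, local_networks, pureport_vtis, allow_public_asn=False):
    """Return a list of problems with the inputs; an empty list means OK."""
    errors = []
    if not 1 <= your_asn <= 4294967295:
        errors.append(f"ASN {your_asn} is out of range")
    elif your_asn == PUREPORT_ASN:
        errors.append("customer ASN must differ from the Pureport ASN (this is an eBGP peering)")
    elif not allow_public_asn and not is_private_asn(your_asn):
        errors.append(f"ASN {your_asn} is not private-use; pass allow_public_asn=True if you own it")
    nets = []
    for n in local_networks:
        try:
            nets.append(ipaddress.ip_network(n, strict=True))  # strict: reject host bits set
        except ValueError as exc:
            errors.append(f"bad network {n!r}: {exc}")
    vtis = []
    for v in pureport_vtis:
        try:
            vtis.append(ipaddress.ip_address(v))
        except ValueError as exc:
            errors.append(f"bad VTI address {v!r}: {exc}")
    if len(vtis) != 2:
        errors.append("expected exactly two Pureport VTI addresses (primary and secondary)")
    for v in vtis:
        for n in nets:
            if v in n:
                errors.append(f"VTI {v} overlaps announced network {n}")
    return errors


def build_bgp_commands(your_asn, local_networks, pureport_vtis, allow_public_asn=False):
    """Return the CLI lines to paste into the SonicWall SSH session, in the guide's order."""
    errors = bgp_input_errors(your_asn, local_networks, pureport_vtis, allow_public_asn)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["configure", "routing", "bgp", "configure terminal", f"router bgp {your_asn}"]
    lines += [f"network {ipaddress.ip_network(n).with_prefixlen}" for n in local_networks]
    for vti in pureport_vtis:
        lines.append(f"neighbor {vti} remote-as {PUREPORT_ASN}")
        lines.append(f"neighbor {vti} soft-reconfiguration inbound")
    lines += ["end", "write", "exit", "commit", "end", "end", "exit"]
    return lines


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    print("\n".join(build_bgp_commands(65010, ["10.10.0.0/24", "10.20.0.0/16"],
                                       ["169.254.10.1", "169.254.10.5"])))
```

The private-ASN check enforces the answer to the "What Autonomous System Number (ASN) should I use?" prerequisite for the common case; if you peer with an ASN you actually own, pass allow_public_asn=True.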
Use the SonicWall Web Interface to check the BGP peering status:
- From the SonicWall device, in the System Setup menu, select Network > Routing.
- Select the Settings tab.
- Click BGP Status.
The Up/Down column shows the elapsed time that the peering has been up. If peering is not established, you must troubleshoot the connection: confirm that the IPsec tunnel itself is up first, then check that the neighbor address is the Pureport-side VTI IP and that the ASNs on both sides match what the Pureport console shows.
Create Address Objects
Next, create address objects in order to create the firewall rules necessary to permit desired traffic.
- From the SonicWall device, in the Policies menu, select Objects > Address Objects.
- Select the Address Objects tab (not the Address Groups tab), and click Add.
- In the Add Address Object window, enter the following information in each field and click Add.
- Name: Enter a descriptive name for the object.
- Zone Assignment: Select the appropriate zone for your security policy.
- Type: Select Network.
- Network: Enter the network address of the subnet (one of the cloud or remote-site subnets from your list, or a local subnet).
- Netmask Prefix: Enter the subnet mask or prefix length for that network.
Repeat this procedure for each network that your firewall rules must reference.
Note: To simplify your configuration, you can add all of the Address Objects to a Group Object and reference the group in your rules.
Firewall Rules
After creating the VPNs and confirming BGP peering, you must add firewall rules in SonicWall to allow traffic between your local networks and the remote networks.
Some of this traffic may already be permitted by existing rules between the zones involved, but you will likely need additional rules based on your internal security policy. Scope those rules to the specific address objects and services required rather than permitting all traffic between the zones.
From the SonicWall device, in the Policies menu, select Rules > Access Rules. Refer to the SonicWall documentation for details.