Note: This guide was created using the SonicWall firmware version 6.5. Depending on your specific firmware version, there may be minor differences between this guide and your actual application. Also note that, if you already have more than a simple routing configuration, the BGP configuration may vary greatly from this configuration example.



Prerequisites

Follow the steps in Connecting to a Site VPN - Route-Based Static on the Pureport side to create the VPN. 


You will need the following information from the Pureport Console to configure the SonicWall device:

  • Phase 1 and Phase 2 security settings for the VPN as configured on the Pureport side
  • Gateway IP addresses for the primary and secondary gateways
  • Pre-shared keys for the primary and secondary gateways
  • Customer VTI IP address for the primary and secondary gateways

Additionally you will need a list of the IP subnets you wish to reach from your site (clouds and other sites) in order to build the static route table on your SonicWall.


BGP Pre-Requisites

  • SonicOS Expanded (for BGP support)
  • SSH management enabled (for command line access)
  • An SSH client (one is available as part of Windows 10 and is built into Mac OS)
  • A customer-side autonomous system number (see What Autonomous System Number (ASN) should I use?)


Dead Peer Detection

Before you begin, review your global Dead Peer Detection settings on the SonicWall Advanced VPN Settings page:


We recommend using the following settings:

  • Dead Peer Detection Interval: Enter 5 seconds.
  • Failure Trigger Level: Enter 3 missed heartbeats.

With these values a peer is declared dead after 15 seconds (5 seconds × 3 missed heartbeats). Depending on your average network latency to Pureport, you may select more aggressive settings.

 

Creating the VPN on the SonicWall device

To create the VPN on the SonicWall device, you will:

  1. Log into the SonicWall device
  2. Create the VPNs
  3. Create the Tunnel Interfaces
  4. Configure BGP via the Command Line
  5. Create Address Objects
  6. Set up any required firewall rules


Create the VPNs

Before you begin, record the VPN Settings (from the Pureport console): 


To create the VPN:

  1. From the SonicWall device, in the Connectivity menu, select VPN > Base Settings.
    On the VPN Global Settings page, click ADD.
  2. On the General tab, enter the following information in each field:
    • Policy Type: Select Tunnel Interface.
    • Name: Enter a descriptive name for the VPN.
    • IPSec Primary Gateway Address: Enter the Pureport Gateway IP from the Primary Gateway settings in the Pureport console.
    • Shared Secret: Enter the Pre-shared key from the Primary Gateway settings in the Pureport console.

  3. Click the Proposals tab to configure the security proposals.
    You must use the same information you chose when creating the VPN connection in the Pureport console.
    On the Proposals tab, enter the following information in each field:
    • Phase 1
      • Exchange: Select the same IKE version from the Pureport console.
      • DH Group: Select the same IKE DH Group from the Pureport console.
      • Encryption: Select the same IKE encryption from the Pureport console.
      • Authentication: Select the same IKE Integrity from the Pureport console.
      • Life Time: Leave as the default value.
    • Phase 2
      • Protocol: Leave set to ESP.
      • Encryption: Select the same ESP Encryption from the Pureport console.
      • Authentication: Select the same ESP Integrity from the Pureport console.
      • DH Group: Select the Enable Perfect Forward Secrecy option and select the same ESP DH Group from the Pureport console.
      • Life Time: Leave as the default value.

  4. Click the Advanced tab for the final VPN settings, enter the following information in each field, then click OK:
    • Enable Keep Alive: Enable this setting.
    • VPN Policy bound to: Verify that this setting specifies your WAN interface.

      Important: Ensure all other settings are unselected.

Repeat this procedure for the Secondary Gateway from the Pureport console. This will establish both tunnels and ensure high availability.


Create the Tunnel Interfaces

After creating the VPNs, you must create the tunnel interfaces. You will need information from the Pureport console, specifically the Customer VTI IPs (virtual tunnel interface IP addresses) for each VPN.


  1. From the SonicWall device, in the System Setup menu, select Network > Interfaces > Base Settings.

  2. On the Interface Settings page, in the Add Interface field select VPN Tunnel Interface.


  3. On the General tab, set values for the following fields:
    • VPN Policy: Select the VPN policy you created in the previous procedure.
    • Name: Enter a descriptive name for the tunnel interface.
    • IP Address: Enter the Customer VTI IP address for this VPN from the Pureport console.
    • Subnet Mask: Enter the subnet mask that goes with the Customer VTI IP address.
    • Management:

  4. On the Advanced tab, select the Enable Asymmetric Route Support option, then click OK.


Repeat this procedure for the second tunnel interface.



Configure BGP

Next you will need to enable Advanced Routing and BGP and then configure BGP via the command line. 

  1. From the SonicWall device, in the System Setup menu, select Network > Routing.
  2. Select the Settings tab.

    Confirm the following settings:
    • Routing Mode: Select Advanced Routing.
    • BGP: Select Enabled.

  3. Use an SSH client to connect to your firewall. An SSH client is included with both Windows 10 and Mac OS.

    Open a command/terminal window and run the following command:
    ssh <administrator>@<IP ADDRESS>


    Where:

    • administrator = Your username
    • IP ADDRESS = The IP address of your router

  4. Run the following commands, replacing the placeholder fields in braces (YOUR-ASN, LOCAL NETWORK TO ANNOUNCE, and the PUREPORT VTI 1 and PUREPORT VTI 2 peer addresses) with your specific information from the Pureport console:

    configure
    routing
    bgp
    configure terminal
    router bgp {YOUR-ASN}
    network {LOCAL NETWORK TO ANNOUNCE}
    # REPEAT FOR EACH LOCAL NETWORK
    neighbor {PUREPORT VTI 1} remote-as 394351
    neighbor {PUREPORT VTI 1} soft-reconfiguration inbound
    neighbor {PUREPORT VTI 2} remote-as 394351
    neighbor {PUREPORT VTI 2} soft-reconfiguration inbound
    end
    write
    exit
    commit
    end
    end
    exit
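The command block above has to be repeated once per local network, and a mistyped ASN or prefix only shows up later as a peering that never comes up. As an added example (not part of this guide and not SonicWall or Pureport code), the following Python function builds that exact command sequence from a list of local prefixes and Pureport VTI peer addresses and rejects malformed input before anything is pasted into the CLI. The customer ASN and addresses used are constructed placeholders, and the function assumes the `network` statement accepts CIDR notation.

```python
import ipaddress

# Pureport's ASN as given in the guide; everything customer-side is supplied by the caller.
PUREPORT_ASN = 394351
MAX_ASN = 4294967295  # 4-byte ASN range


def sonicos_bgp_commands(local_asn, networks, vti_peers):
    """Return the SonicOS CLI lines from the guide as a list of strings.

    One `network` line is emitted per local prefix and one remote-as /
    soft-reconfiguration pair per Pureport VTI peer address.  Raises
    ValueError for an out-of-range ASN, a prefix with host bits set,
    a peer that is not a plain IP address, or a duplicate peer.
    """
    if not (1 <= local_asn <= MAX_ASN) or local_asn == PUREPORT_ASN:
        raise ValueError(f"invalid or reserved customer ASN: {local_asn}")
    if not networks or not vti_peers:
        raise ValueError("need at least one local network and one VTI peer")

    lines = ["configure", "routing", "bgp", "configure terminal",
             f"router bgp {local_asn}"]

    for net in networks:
        # strict=True (the default) rejects e.g. 10.1.0.5/24: host bits set
        prefix = ipaddress.ip_network(net)
        if prefix.version != 4:
            raise ValueError(f"guide covers IPv4 prefixes only: {net}")
        lines.append(f"network {prefix}")  # CIDR form, assumed accepted by SonicOS

    seen = set()
    for peer in vti_peers:
        addr = ipaddress.ip_address(peer)  # rejects '169.254.10.0/30' style input
        if addr in seen:
            raise ValueError(f"duplicate Pureport VTI peer: {peer}")
        seen.add(addr)
        lines.append(f"neighbor {addr} remote-as {PUREPORT_ASN}")
        lines.append(f"neighbor {addr} soft-reconfiguration inbound")

    # Same exit sequence as the guide: leave bgpd, save, commit the SonicOS config.
    lines += ["end", "write", "exit", "commit", "end", "end", "exit"]
    return lines


if __name__ == "__main__":
    # Constructed sample values: a private customer ASN, two LAN prefixes, two VTI peers.
    print("\n".join(sonicos_bgp_commands(
        65000, ["10.1.0.0/24", "10.2.0.0/24"], ["169.254.10.1", "169.254.10.5"])))
```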


Use the SonicWall Web Interface to check the BGP peering status:

  1. From the SonicWall device, in the System Setup menu, select Network > Routing.

  2. Select the Settings tab.

  3. Click BGP Status.

The Up/Down column shows the elapsed time that the peering has been up. If peering is not established, you must troubleshoot the connection.




Create Address Objects

Next, create address objects in order to create the firewall rules necessary to permit desired traffic.


  1. From the SonicWall device, in the Policies menu, select Objects > Address Objects.

  2. Select the Address Objects tab (not the Address Groups tab), and click Add.

  3. In the Add Objects window, enter the following information in each field and click Add.


    • Name: Enter a descriptive name for the object
    • Zone Assignment: Select the appropriate Zone for your security policy.
    • Type: Select Network.
    • Network
    • Netmask Prefix:

Repeat this procedure for each network requiring a static route and firewall rules.


Note: To simplify your configuration, you can add all of the Address Objects to a Group Object.



Firewall Rules

After creating the VPNs, you must add firewall rules to allow traffic between networks in SonicWall. 


Although default rules may be created when adding the static routes, you may need additional rules, based on your internal security policy.


From the SonicWall device, in the Policies menu, select Rules > Access Rules. Refer to the SonicWall documentation for details.