How To: Configure IPSec with Sonicwall

A few months ago, I had the pleasure of installing and configuring a VPN link between an outdated Linux box and a Sonicwall TZ170. Oh, the joys I had in getting this to work...

The Sonicwall device was located in a data center, whilst the Linux machine was located in an office protecting a 192.168.0.0/24 network, and my task was to join the two devices using IPSec. The best way to illustrate this setup is by displaying the configuration files. As an example, the following are the IP addresses used in the config samples.

Sonicwall TZ170 = 111.111.111.111
Linux machine = 222.222.222.222

The Linux IPSec Server

The Linux server is running Debian so a simple “apt-get install ipsec” had IPSec installed in no time.
Initially, I decided to use a simple preshared password for authentication. PLEASE NOTE the order in which the entries in my ipsec.secrets file are displayed: many articles on Google have the left and right sides flipped around.

My /etc/ipsec.secrets file

222.222.222.222 111.111.111.111 : PSK "test"

My /etc/ipsec.conf file

conn sonicwall
    auth=esp
    authby=secret
    auto=add
    esp=3des-sha1
    ike=3des-sha1
    keyexchange=ike
    keyingtries=1
    pfs=no
    type=tunnel
    left=111.111.111.111
    leftsubnet=111.111.111.111/32
    leftnexthop=%defaultroute
    right=222.222.222.222
    rightsubnet=192.168.0.0/24

The Sonicwall TZ170

Please note: even one incorrect setting will render your IPSec connection useless, so triple-check everything. Once logged into the Sonicwall TZ170 device, click the VPN menu, then click the "Add" button.

To get this point-to-point VPN working with a Linux server using IPSec, you MUST use the exact details in the following diagrams. Simply substitute 111.111.111.111 with the public IP of the Sonicwall device and 222.222.222.222 with the public IP of the Linux server.

Where it says "Choose Local network from list", you'll need to create a network object which represents the local network you're protecting. In my example it was 192.168.0.0/24. Where it says "Choose destination network", you'll need to create a network object that represents the Linux server, so for this example it would be a single internet host with an IP of 222.222.222.222.

Once both sides have been configured, switch back to your Linux machine and from the console (be sure you're logged in as root) simply type:

ipsec auto --up sonicwall

Hopefully you see something like the following (the main part to look for is "established"):

Oct 23 20:54:06 localhost pluto[18968]: “sonicwall” #2411: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}

If you run into trouble, look through the logs on the Sonicwall to see why the connection failed. Another good place to look is on the Linux machine under /var/log/secure.
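When reading those logs, the pluto lines are the ones to parse: STATE_MAIN_I4 means the ISAKMP SA (phase 1) came up, and STATE_QUICK_I2 means the IPsec SA (phase 2) followed. The following is an added example, not code from the original post or from Openswan, that pulls the conn name, state and the {key=value} parameters out of pluto log lines and reports whether both phases completed for a given conn; the sample log (first line from the page, the other two constructed) and the conn name "office2" are assumptions for the demo.

```python
import re
from typing import Dict, List, Optional

# Pluto log format as shown on the page (straight or curly quotes around the conn):
#   ... pluto[PID]: "conn" #N: STATE_X: message {key=value ...}
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: [“"](?P<conn>[^”"]+)[”"] #(?P<sn>\d+): '
    r'(?:(?P<state>STATE_[A-Z0-9_]+): )?(?P<msg>[^{]*?)\s*(?:\{(?P<params>[^}]*)\})?\s*$'
)
PHASE1_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3"}    # ISAKMP SA (IKE phase 1) complete
PHASE2_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}  # IPsec SA (IKE phase 2) complete
# IKEv1 notify types that usually point at a proposal/identity mismatch between the peers.
FAILURE_NOTIFIES = ("NO_PROPOSAL_CHOSEN", "INVALID_ID_INFORMATION", "PAYLOAD_MALFORMED")

# Constructed sample: line 1 is the page's output (straight quotes); lines 2-3 are made up.
SAMPLE_LOG = [
    'Oct 23 20:54:06 localhost pluto[18968]: "sonicwall" #2411: STATE_MAIN_I4: ISAKMP SA '
    'established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}',
    'Oct 23 20:54:07 localhost pluto[18968]: "sonicwall" #2412: STATE_QUICK_I2: sent QI2, '
    'IPsec SA established {ESP=>0x0a1b2c3d <0x4e5f6071 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}',
    'Oct 23 21:10:00 localhost pluto[18968]: "office2" #2413: ignoring informational payload, '
    'type NO_PROPOSAL_CHOSEN',
]

def parse_pluto_line(line: str) -> Optional[Dict[str, object]]:
    """Split one pluto line into conn, state, message and {key=value} params; None if not pluto."""
    m = PLUTO_RE.search(line)
    if not m:
        return None
    params = dict(kv.partition("=")[::2] for kv in (m.group("params") or "").split())
    return {"conn": m.group("conn"), "serial": int(m.group("sn")), "state": m.group("state"),
            "msg": m.group("msg").strip(), "params": params}

def tunnel_status(lines: List[str], conn: str) -> Dict[str, object]:
    """Report whether both IKE phases completed for `conn` and collect failure notifies."""
    status = {"isakmp_established": False, "ipsec_established": False, "failures": []}
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None or rec["conn"] != conn:
            continue
        if rec["state"] in PHASE1_DONE:
            status["isakmp_established"] = True
        if rec["state"] in PHASE2_DONE:
            status["ipsec_established"] = True
        if rec["state"] is None and any(n in rec["msg"] for n in FAILURE_NOTIFIES):
            status["failures"].append(rec["msg"])
    return status

if __name__ == "__main__":
    for name in ("sonicwall", "office2"):
        print(name, tunnel_status(SAMPLE_LOG, name))
```

Feed it the pluto lines from your log file (grep for pluto) to see at a glance which phase stopped and whether the peer sent a proposal or identity mismatch notify.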
