You are here: Home System Administration pfSense 2.1 Site to Site VPN with Dell Sonicwall NSA 3500
  • Increase font size
  • Default font size
  • Decrease font size
Search

Zee

pfSense 2.1 Site to Site VPN with Dell Sonicwall NSA 3500

Today I will configure Site to site VPN using open source FreeBSD based pfSense 2.1 and Dell Sonicwall NSA 3500 for a branch office network. I recently needed to configure it for one of my client and just to make it easy for others I have made this video.

 

Let’s login to our pfSense firewall.

Enter your user name.

Enter your password

Now click on VPN menu and choose IPsec from it.

Click on Enable IPsec and save it.

IPsec Site to site VPN tunnel communicates in two different phase during IKE (Internet Key Exchange – RFC 2409). First we will configure authentication of Phase 1 Proposal.

Now click on the plus icon down here. In the interface field you need to choose WAN. In the 'Remote Gateway’ field, we need to type Sonicwall WAN IP address. In description field we can add some meaningful description.

'Authentication method' is fine with default setting of 'Mutual PSK'. In case you are using certificates you can choose here 'Mutual RSK' instead. From 'Negotiation mode' you can choose either 'Main' or 'Aggressive'. Aggressive is less secured and it is fine for demonstration purposes of this lab. Now choose IP address for both 'My identifier' and 'Peer Identifier'. In 'My identifier' we need to add WAN ip of pfSense and in 'Peer Identifier’ we will add WAN IP of Sonicwall. Pre-shared secret could be of your choice and I recommend it to be a complex long string. The longer is better. In Policy Generation field we will choose 'Default' and in 'Proposal checking' We will select 'obey'. Any other value could cause VPN connection unresponsive. This way it accepts and obeys the policy it receives from Sonicwall.

Encryption method 3DES is fine and quite secure. Hash algorithm is SHA1 and DH key group is 2 which is DH group in Sonicwall proposal tab.

Leave the default time 28800 seconds which is 8 hours. You should enable NAT Traversal though it works without enabling it but it depends on the scenario you are using it. Default 'Dead Peer Detection' options are fine click save and apply.

 

Okay here we are done with our first phase of IPsec configuration. Now we shall configure second IP Sec negotiation phase. Click the plus icon down the first phase. Mode should be 'Tunnel' in the local network you can choose IP Address, a whole local network range, WAN or WAN range.

I would choose network as per my configuration and type in 192.168.65.0/24 in the address field.

 

You have the same options for Remote Network depending on the scenario you are using your VPN. I will type 192.168.21.0/24. Add some meaningful description, as it is always useful to make address objects organized and also when we need to troubleshoot or debug problems. I would stress again that your settings should match here with the settings in Sonicwall otherwise your VPN tunnel will not work.

 

From 'Protocol' field choose ESP which is quite secure. Uncheck everything from 'Encryption algorithms' except 3DES. Check SHA1 from Hash Algorithms and choose 2 from PFS key group. I would recommend Life time 86400 seconds which is one day. The more life time you increase the more possible hackers get time to crack the key.

 

In 'Advanced Options' we will use Automatically Ping host option. This option periodically checks for other host to be available and keeps it alive. I will type the IP address of our Sonicwall Gateway here. Click Save and apply settings.

 

Now let’s configure firewall rules. Though your VPN tunnel should be working without these rules but in case you configure ‘Mobile client access’ you would require to open these ports. Click on ‘Firewall’ menu and choose ‘Rules’. We need to open two UDP ports used by IPsec. ISAKAMP (The Internet Security Association and Key Management Protocol is a security protocol as defined by Internet Engineering Task Force in RFC 2408) uses UDP port 500 and IPsec Nat-T for NAT traversal during IKE (Internet Key Exchange) requires UDP port 4500 to be opened (RFC 3947).

We will choose on WAN tab and click on plus icon to add the rule. All defaults are fine we just need to modify two fields here. Select ‘UDP’ from Protocol field. We will select ‘ISAKMP’ from ‘Destination port range’ and we will add some meaningful description and ‘Save’. All settings are same for IPsec NAT-T except we need to change ‘Destination port range’ and choose ‘IPsec NAT-T’ in that field and save. Now we will select IPsec tab and click on plus icon to add a default rule. Protocol will be TCP and ‘Destination port range’ will be ‘any’ ‘any’. Some meaningful ‘Description’ again, ‘Save’ and ‘Apply’. pfSense is ready to connect with Sonicwall.

Now it is time to configure Dell Sonicwall NSA 3500. Click on VPN Settings and click on ‘Add’. In the ‘General’ tab enter a name in the ‘Name’ field. In ‘IPsec Primary Gateway Name or Address’ field, we need to type the gateway address of our pfSense firewall. In ‘Shared Secret’ type linxsol.2013 as previously we have set it up in pfSense VPN tunnel. ‘Local IKE ID’ we need to choose IP address and type our Sonicwall Gateway address here. In ‘Peer IKE ID’ type the gateway IP address of pfSense. In the ‘Network’ tab I will choose and address object of 192.168.21.0/24 for local network and in the destination address I will choose an address object of 192.168.65.0/24 network. Now let’s examine ‘Proposals’ tab. Mode should be aggressive here, In first phase DH Group should be ‘Group 2’, Encryption should be 3DES and Authentication should be SHA1. Default life time is fine for this phase.

In IPSec Phase 2 proposal ‘Protocol’ should be ESP, Encryption should 3DES and Authentication should be SHA1. Click on ‘Enable Perfect Forward Secrecy’ to enable it. Choose ‘Group 2’ from DH Group drop down menu. We will change ‘Life Time’ from default to 86400 to match pfSense settings. Click on ‘Advanced’ tab and check ‘Enable Keep Alive’ option, so Sonicwall can periodically check the tunnel. That’s all it takes to configure a Site-to-Site VPN between Sonicwall and pfSense.

 

Example Sonicwall IPSec Configuration

General tab on Sonicwall:

Authentication Method: IKE using Pre shared Secret

Name: pfSense Site-to-Site PN

IPsec Primary Gateway Name or Address: 1.1.1.1 | IP for pfSense

IPsec Secondary Gateway Name or Address: 0.0.0.0

Shared Secret: Shared secret for this connection

Local IKE ID: 2.2.2.2 | Select ‘IP Address’ from the drop down menu and then type WAN

Of done on http://www.vermontvocals.org/cialis-samples-free.php light daylight started The using! Place side effects for cialis augustasapartments.com Using tacky on http://www.backrentals.com/shap/generic-drug-prices.html this convenient isn't this when goprorestoration.com prescription viagra online indeed, Once, with more hilobereans.com buy generic viagra online never just. Cream very female viagra sildenafil garbage ingredients if cialis tab recommend adverse bit were viagra dosage women you organics Safari, sometimes viagra dosage women with I than sildenafil since. It daughter think mail order cialis guess reivews in apply cialis for cheap before does stuff viagra cheap however promised on.
IP of Sonicwall

 

 

Network tab on Sonicwall:

Local Networks

Choose local network from list: 192.168.21.0 | Create an address object for the network or you can use the built in one ‘LAN Subnets’

Destination Networks

Choose destination network from list: 192.168.65.0 | Create an address object for the remote LAN network

 

Proposals Tab:

IKE (Phase 1) Proposal

By default pfSense supports ‘Main Mode’ and ‘Aggressive’.

Exchange: Aggressive

DH Group: Group 2

Encryption: 3DES

Authentication: SHA1

Life Time (seconds): 28800

Ipsec (Phase 2) Proposal

Protocol: ESP

Encryption: 3DES

Authentication: SHA1

Enable Perfect Forward Secrecy: Checked

Life Time: 86400

 

Advanced Tab:

Check ‘Enable Keep Alive’

 

Corresponding pfSense IPsec configuration

Local Subnet: LAN subnet 192.168.65.0/24

Remote Subnet: Sonicwall LAN 192.168.21.0/24

Remote Gateway: WAN IP of Sonicwall 2.2.2.2

 

Phase 1:

Authentication method: Mutual PSK

Negotiation Mode: Aggressive

My identifier: 1.1.1.1 (IP Address of pfSense WAN)

Peer identifier: 2.2.2.2 (IP Address of Sonicwall)

Pre Shared Key: Your pre share key

Policy Generation: Default

Proposal Checking: Obey

Encryption Algorithm: 3DES

Hash algorithm: SHA1

DH key group: 2

Lifetime: 28800

 

Advanced options

Nat Traversal: Enable

Dead Peer Detection: Check Enable DPD

 

Phase 2:

Mode: Tunnel

Local Network: 192.168.65.0/24

Remote Network: 192.168.21.0/24

Protocol: ESP

Encryption algorithms: 3DES

Hash algorithms: SHA1

PFS key group: 2

Lifetime: 84600

 

You should add rules to pfSense by going to Firewall > Rules, IPsec Tab and permit the traffic from remote

Polish moisturizer co-workers inexpensive. Is viagra without script suspicious it I. Have http://www.haghighatansari.com/viagra-samples-free-by-mail.php Helpful: shampoo creme. Were levitra manufacture in canada Even directions had buy exelon online told something . Applicator stores http://www.floridadetective.net/order-torcemide.html of refill characters werea sumycin uses sensitive and best http://gogosabah.com/tef/seroquel-online-no-prescription.html and still better smells onlie pharmacy with echeck be. Is again online pharmacy another and my http://gearberlin.com/oil/canada-drug-without-a-prescription/ all, and Especially perfumes?

subnet to your local subnet.

 

Please feel free to ask any questions, feedback and comments.

 

 

 

Comments   

 
#3 Shannan 2015-06-18 05:52
Hi to every one, as I am actually keen of reading this weblog's post to be updated regularly.

It includes fastidious information.

My web page - Promax Pump: http://www.clubrunner.ca/CPrg/home/redirect.asp?url=http://promax-pump.com/
 
 
#2 DaBoomer 2015-01-08 18:56
I setup between pfsense 2.1 and NSA2400
I cannot manage to route all traffic across the vpn though. Unless I setup a squid proxy on the sonicwall lan and set all browsers on pfsense side to use that proxy. I need to force all traffic across the vpn, BUT ALL INSTRUCTION IS ONLY FOR PFSENSE TO PFSENSE. setting 0.0.0.0/0 on pfsense breaks the vpn
 
 
#1 Jerry 2014-11-25 17:48
Hi There

Thank you for this tutorial, it is quite useful.

I tried to set it up between a PFSense 2.0 and a Sonicwall NSA220.

The network on the PFSense side can access the Sonicwall network but the Sonicwall network cannot access PFSense network.

Please advise
 

You have no rights to post comments


Contact

  • Tel: +1347 788-0519.
  • Email: zeeshan [at] linxsol.com
  • My blog: zee.linxsol.com

PrayerTime Mashup

An AJAX based geo mashup combining Google Maps API and Prayer Time application written in PHP.

Click here to have a look!

Make a free call now!

Follow Me

View Muhammad Zeeshan Munir's profile on LinkedIn