Dell SonicWALL TZ400 and Firebox Branch Office VPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Dell SonicWALL® TZ400.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.8.2.B668649
  • Dell SonicWALL TZ400
    • SonicOS Enhanced Version 6.5.4.11-97n

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a SonicWALL TZ400.

Screen shot of the topology diagram

Configure the Firebox

To configure a Branch Office VPN (BOVPN) connection on the Firebox:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.

Screenshot of the General Settings tab

  1. In the Gateway Name text box, type a name to identify this BOVPN gateway.
  2. From the Address Family drop-down list, select IPv4 Addresses.
  3. In the Credential Method section, select Use Pre-Shared Key.
  4. In the adjacent text box, type the pre-shared key.
  5. From the drop-down list, select String-Based.
  6. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

Screen shot of the Local Gateway settings

  1. From the External Interface drop-down list, select External.
  2. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  3. Select By IP Address.
  4. In the adjacent text box, type the primary IP address of the External Firebox interface.
  5. Select the Remote Gateway tab.

Screen shot of the Remote Gateway settings

  1. Select Static IP Address.
  2. In the adjacent text box, type the IP address of your SonicWALL WAN connection.
  3. Select By IP Address.
  4. In the adjacent text box, type the IP address of your SonicWALL WAN connection.
  5. Keep the default settings for all other options.
  6. Click OK.

Screen shot of the completed Gateway Endpoint configuration

  1. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.
  2. Select the Phase 1 Settings tab.

Screen shot of the Phase 1 settings

  1. From the Version drop-down list, select IKEv2.
  2. Keep all other Phase 1 settings as the default values.
  3. Click Save.

Screen shot of the Gateways and Tunnels lists

  1. In the Tunnels section, click Add.

Screen shot of the Advanced settings

  1. From the Gateway drop-down list, select the gateway that you configured.
  2. In the Addresses section, click Add.

Screen shot of the Addresses tab

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This is the local network protected by the Dell SonicWALL device.
  5. Click OK.

Screen shot of the Phase 2 settings

  1. Keep the default Phase 2 Settings.
  2. Click Save.

Configure the Dell SonicWALL TZ400

Zone and Interface Settings

  1. Log in to the Dell SonicWALL TZ400 Web UI at https://<IP address of TZ400>. The default IP address is 192.168.168.168.
  2. Configure interfaces and zones. For information about how to configure interfaces and zones, see the Dell SonicWALL TZ400 documentation.

Screen shot of the SonicWALL network interface settings

Screen shot of the SonicWALL zone settings

IPSec VPN Settings

To configure IPSec VPN settings:

  1. Select Manage > Policies > Objects > Address Objects.
  2. To add a new object, click Add.

Screen shot of the SonicWALL address object settings

  1. In the Name text box, type the object name. In our example, the name is WGINT.
  2. From the Zone Assignment drop-down list, select VPN.
  3. From the Type drop-down list, select Network.
  4. In the Network text box, type the network address.
  5. In the Netmask/Prefix Length text box, type the netmask.
  6. Click Add.
  7. Click Close.

Screen shot of the SonicWALL Address Objects page

  1. Select Manage > Connectivity > VPN > Base Settings.
  2. In the VPN Policies section, click Add.

Screen shot of the SonicWALL VPN policy General settings

  1. From the Policy Type drop-down list, select Site to Site.
  2. From the Authentication Method drop-down list, select IKE using Preshared Secret.
  3. In the Name text box, type a descriptive name for this VPN. In our example, the name is VPN with WG.
  4. In the IPsec Primary Gateway Name or Address text box, type the peer IP address.
  5. Select Mask Shared Secret.
  6. In the Shared Secret and Confirm Shared Secret text boxes, type the pre-shared secret key.
  7. From the Local IKE ID drop-down list, select IPv4 Address. In the adjacent text box, type the SonicWALL outgoing public IP address.
  8. From the Peer IKE ID drop-down list, select IPv4 Address. In the adjacent text box, type the WatchGuard Firebox public IP address.
  9. For all other settings, keep the default values.
  10. Select the Network tab.

Screen shot of the SonicWALL VPN policy Network settings

  1. In the Local Networks section, select Choose local network from list. From the adjacent drop-down list, select X2 Subnet.
  2. In the Remote Networks section, select Choose destination network from list. From the adjacent drop-down list, select WGINT.
  3. Select the Proposals tab.

Screen shot of the SonicWALL VPN policy Proposals settings

  1. In the IKE (Phase 1) Proposal section, from the Exchange drop-down list, select IKEv2 Mode.
  2. From the DH Group drop-down list, select Group 14.
  3. From the Encryption drop-down list, select AES-256.
  4. From the Authentication drop-down list, select SHA256.
  5. In the IPsec (Phase 2) Proposal section, from the Protocol drop-down list, select ESP.
  6. From the Encryption drop-down list, select AES-256.
  7. From the Authentication drop-down list, select SHA256.
  8. Select the Enable Perfect Forward Secrecy check box.
  9. From the DH Group drop-down list, select Group 14.
  10. For all other settings, keep the default values.
  11. Select the Advanced tab.

Screen shot of the SonicWALL VPN policy Advanced settings

  1. In the Advanced Settings section, select the Enable Keep Alive check box.
  2. For VPN Policy bound to, from the adjacent drop-down list, select Interface X1.
  3. For all other settings, keep the default values.
  4. Click OK.

Screen shot of the SonicWALL VPN Base Settings page with the currently active VPN tunnels

  1. Keep all default settings in Advanced VPN Settings.


Test the Integration

  1. Log in to the Firebox Web UI.
  2. Select System Status > VPN Statistics.
  3. Verify the VPN tunnel is active.
  4. Log in to the Dell SonicWALL TZ400 Web UI.
  5. Verify the VPN tunnel is active.
  6. Verify the hosts behind the Firebox and behind the SonicWALL can successfully ping each other.
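
The two procedures above only produce a working tunnel when each device mirrors the other: gateway IDs and networks are swapped between the two sides, and the IKE version and Phase 1 and Phase 2 proposals are identical. The following check is an added example, not part of the WatchGuard guide. The dictionary keys, the addresses and the networks are constructed sample values, and the Firebox proposal values are assumptions, because the guide keeps the Firebox defaults without listing them. Copy the real values from each device's UI.

```python
import ipaddress

# Constructed sample values (documentation address ranges). The Firebox
# proposal values are assumed; read the real ones from its Phase 1 and
# Phase 2 settings. The pre-shared key is deliberately not stored here.
FIREBOX = {
    "ike_version": "IKEv2",
    "local_id": "203.0.113.10", "remote_id": "198.51.100.20",
    "local_net": "10.0.1.0/24", "remote_net": "192.168.2.0/24",
    "p1": {"dh": 14, "enc": "AES-256", "auth": "SHA256"},
    "p2": {"proto": "ESP", "enc": "AES-256", "auth": "SHA256", "pfs_dh": 14},
}
# SonicWALL proposals as selected on the Proposals tab in this guide.
# Networks are written with a netmask, as in the address object dialog.
SONICWALL = {
    "ike_version": "IKEv2",
    "local_id": "198.51.100.20", "remote_id": "203.0.113.10",
    "local_net": "192.168.2.0/255.255.255.0",
    "remote_net": "10.0.1.0/255.255.255.0",
    "p1": {"dh": 14, "enc": "AES-256", "auth": "SHA256"},
    "p2": {"proto": "ESP", "enc": "AES-256", "auth": "SHA256", "pfs_dh": 14},
}

def find_mismatches(a, b):
    """Return a list of settings on device a that device b does not mirror."""
    problems = []
    if a["ike_version"] != b["ike_version"]:
        problems.append(f"ike_version: {a['ike_version']} vs {b['ike_version']}")
    # Local values on one side must equal the remote values on the other.
    checks = (("local_id", "remote_id", ipaddress.ip_address),
              ("remote_id", "local_id", ipaddress.ip_address),
              ("local_net", "remote_net", ipaddress.ip_network),
              ("remote_net", "local_net", ipaddress.ip_network))
    for mine, theirs, parse in checks:
        try:
            # ip_network is strict: a host address such as 10.0.1.1/24 raises.
            if parse(a[mine]) != parse(b[theirs]):
                problems.append(f"{mine} {a[mine]} is not mirrored by peer {theirs} {b[theirs]}")
        except ValueError as exc:
            problems.append(f"{mine}/{theirs}: invalid value ({exc})")
    # Proposals must be identical on both sides.
    for phase in ("p1", "p2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase}.{key}: {a[phase].get(key)} vs {b[phase].get(key)}")
    return problems

if __name__ == "__main__":
    for line in find_mismatches(FIREBOX, SONICWALL) or ["all settings are mirrored"]:
        print(line)
```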