Setting up site-to-site on SonicWall


Note: If you are unsure whether site-to-site is the best solution for you, please read our Remote Access article first. If your device or service supports SHA256 and DH group 14, use those settings instead of the SHA1 and DH group 2 values shown below.

Creating objects in SonicWall

1. Go to Objects in SonicWall

2. Go to Address Object

3. Select Add

4. Add the IP address of your NordLayer dedicated server as a Host object

[Screenshot 01]

  • Name: "NordLayer-Gateway"
  • Zone Assignment: VPN
  • Type: Host
  • IP Address: the IP address of your NordLayer dedicated server

5. Add the NordLayer subnet (10.6.0.0) as a Network object

[Screenshot 02]

  • Name: "NordLayer-Network"
  • Zone Assignment: VPN
  • Type: Network
  • Network: 10.6.0.0
  • Netmask/Prefix Length: 255.255.240.0 (/20)

Access Rule

1. Go to Policy -> Rules

2. Select Add

3. First rule: VPN to WAN

[Screenshot 03]

  • Policy Name: NordLayer-WAN
  • Action: Allow
  • From: VPN
  • To: WAN
  • Source Port: Any
  • Service: Any
  • Source: NordLayer-Gateway object
  • Destination: your external (WAN) interface object
  • Select Add.

Second rule: VPN to LAN

[Screenshot 04]

  • Policy Name: NordLayer-LAN
  • Action: Allow
  • From: VPN
  • To: LAN
  • Source Port: Any
  • Service: Any
  • Source: NordLayer-Network object
  • Destination: your internal subnet object
  • Select Add.


Site-to-Site creation

1. Go to VPN

2. Under Base Settings, select Add to create a new VPN Policy

General Tab

[Screenshot 05]

Security Policy

  • Policy Type: Site to Site
  • Authentication Method: IKE using Preshared Secret
  • Name: give the policy a name, e.g. "NordLayer-Office"
  • IPsec Primary Gateway Name or Address: the IP address of your NordLayer dedicated server
  • IPsec Secondary Gateway Name or Address: leave blank

IKE Authentication

  • Shared Secret: generate a strong pre-shared key (we will also need this value to configure our end)
  • Confirm Secret: enter the same secret again
  • Local IKE ID: "IPv4 Address:" your public office IP address
  • Peer IKE ID: "IPv4 Address:" the IP address of your NordLayer dedicated server

Network Tab

[Screenshot 06]

Local Networks

  • Select a local network from the list: choose your local network object

Remote Networks

  • Select the destination network from the list: choose NordLayer-Network object

Proposals Tab

[Screenshot 07]

IKE (Phase 1) Proposal

  • Exchange: Main Mode
  • DH Group: Group 2 (Group 14 recommended if your device supports it)
  • Encryption: AES-256
  • Authentication: SHA1 (SHA256 recommended if your device supports it)
  • Life Time (seconds): 28800

IPsec (Phase 2) Proposal

  • Protocol: ESP
  • Encryption: AES-256
  • Authentication: SHA1 (SHA256 recommended if your device supports it)
  • Tick "Enable Perfect Forward Secrecy"
  • DH Group: Group 2 (Group 14 recommended if your device supports it)
  • Life Time (seconds): 3600

Advanced Tab

[Screenshot 08]

Advanced Setting

1. Tick Enable Keep Alive.

2. Select OK to create the new VPN Policy.

[Screenshot 09]

Make sure the new policy you created is enabled.
Select the play button to the right of Currently Active VPN Tunnels; your new tunnel should now be listed as up.
If the tunnel does not come up, go to Event Logs and look for errors referring to the VPN policy you created.
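Two things in the steps above are easy to get wrong before the tunnel is ever negotiated: the address objects (the NordLayer network must not overlap your local subnet, and a netmask typo leaves host bits set) and the proposals (SHA1 and DH group 2 are accepted but SHA256 and group 14 are recommended, PFS must be on). The script below is an added pre-flight check written for this article; it is not SonicWall or NordLayer code. The gateway IP and office LAN are constructed placeholders, the 10.6.0.0/255.255.240.0 network and the proposal values are the ones from the guide, and the Phase 2 lifetime rule is the script's own sanity check based on the guide's 3600 s vs 28800 s figures.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values that mirror the objects created in the SonicWall steps.
# The gateway IP and the office LAN are placeholders (RFC 5737 / RFC 1918),
# not real NordLayer or customer addresses; the NordLayer network is the
# address + netmask pair given in the guide, stored the way the UI stores it.
NORDLAYER_GATEWAY = "203.0.113.10"                 # placeholder dedicated-server IP
NORDLAYER_NETWORK = ("10.6.0.0", "255.255.240.0")  # from the guide
OFFICE_LAN = ("192.168.10.0", "255.255.255.0")     # assumed local subnet object

# Recommended settings from the guide, and the weaker ones it still accepts.
RECOMMENDED = {"encryption": "AES-256", "auth": "SHA256", "dh_group": 14}
ACCEPTED_AUTH = {"SHA1", "SHA256"}
ACCEPTED_DH = {2, 14}


@dataclass
class Proposal:
    """One IKE (phase 1) or IPsec (phase 2) proposal as entered on the Proposals tab."""
    phase: int
    encryption: str
    auth: str
    dh_group: int
    lifetime: int      # seconds
    pfs: bool = True   # "Enable Perfect Forward Secrecy"; only meaningful in phase 2


def to_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Convert SonicWall's Network + Netmask pair into a CIDR network.
    strict=True rejects a host-bit typo such as 10.6.1.0/255.255.240.0."""
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=True)


def is_well_formed(address: str, netmask: str) -> bool:
    """True if the pair describes an aligned network (no host bits set)."""
    try:
        to_network(address, netmask)
        return True
    except ValueError:
        return False


def check_address_objects(gateway: str, remote: tuple, local: tuple) -> list:
    """Findings for the Host/Network objects; an empty list means they are usable."""
    findings = []
    gw = ipaddress.IPv4Address(gateway)
    remote_net = to_network(*remote)
    local_net = to_network(*local)
    if remote_net.overlaps(local_net):
        findings.append(("error", f"remote {remote_net} overlaps local {local_net}; "
                                  "overlapping networks cannot be routed through the tunnel"))
    if gw in remote_net or gw in local_net:
        findings.append(("error", f"peer gateway {gw} lies inside a tunnel network; "
                                  "the IKE peer must be reachable outside the tunnel"))
    return findings


def audit_proposals(p1: Proposal, p2: Proposal) -> list:
    """Compare both proposals with the guide's accepted and recommended values."""
    findings = []
    for p in (p1, p2):
        tag = f"Phase {p.phase}"
        if p.encryption != RECOMMENDED["encryption"]:
            findings.append(("error", f"{tag}: encryption must be {RECOMMENDED['encryption']}"))
        if p.auth not in ACCEPTED_AUTH:
            findings.append(("error", f"{tag}: authentication {p.auth} is not accepted"))
        elif p.auth != RECOMMENDED["auth"]:
            findings.append(("warn", f"{tag}: {p.auth} works, but SHA256 is recommended"))
        if p.dh_group not in ACCEPTED_DH:
            findings.append(("error", f"{tag}: DH group {p.dh_group} is not accepted"))
        elif p.dh_group != RECOMMENDED["dh_group"]:
            findings.append(("warn", f"{tag}: DH group {p.dh_group} works, but group 14 is recommended"))
    if not p2.pfs:
        findings.append(("error", "Phase 2: 'Enable Perfect Forward Secrecy' must be ticked"))
    if p2.lifetime > p1.lifetime:
        findings.append(("warn", "Phase 2 lifetime exceeds Phase 1 lifetime; the guide uses 3600 s vs 28800 s"))
    return findings


def preflight(gateway=NORDLAYER_GATEWAY, remote=NORDLAYER_NETWORK, local=OFFICE_LAN,
              p1=None, p2=None) -> list:
    """Run both checks on one configuration and return every (severity, message) finding."""
    p1 = p1 or Proposal(1, "AES-256", "SHA1", 2, 28800)   # values from the guide
    p2 = p2 or Proposal(2, "AES-256", "SHA1", 2, 3600)
    return check_address_objects(gateway, remote, local) + audit_proposals(p1, p2)


if __name__ == "__main__":
    for severity, message in preflight():
        print(f"[{severity}] {message}")
```

Run as-is, it reports four warnings for the guide's SHA1/group 2 proposals and nothing else; swap in your own office subnet and the SHA256/group 14 values and it should come back empty before you request the tunnel on the NordLayer side.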


Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (the device must also support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet used in your local network)

Lastly, let us know which device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.).

You can provide all of these values to us securely via privnote.com.

If you are seeing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.
