When setting up a non-Meraki Site-to-Site VPN between an MX Security Appliance and a Sonicwall, the following settings should be used on the Sonicwall to get the tunnel up and running.
General Tab
The settings configured on the General tab on the Sonicwall interface should follow the configuration below:
- Policy Type: Site to Site
- Authentication Method: IKE using Preshared Secret
- Name: Enter a name the security policy will be displayed as on the Sonicwall
- IPsec Primary Gateway Name or Address: Enter the public IP address of the MX.
- IPsec Secondary Gateway Name or Address: Use the address "0.0.0.0"
- Shared Secret: This should match the Preshared secret configured for this peer on the Security & SD-WAN > Configure > Site-to-site VPN page in Dashboard
- Local IKE ID: Select "IP Address" and enter the public IP address of the Sonicwall.
- Peer IKE ID: Select "IP Address" and enter the IP address configured on the MX's primary uplink. If the MX is relying on a cellular connection, use the IP address of the cellular modem.
- Local IKE and Peer IKE ID can be left blank.
Proposals Tab
The configuration of this page should match the phase 1 and 2 parameters as configured on the MX, if the MX is utilizing custom IPsec policies. If the MX is using the default parameters, then the settings configured on the Proposals tab should follow the configuration below, and match the screenshot provided:
- Exchange: Main Mode
- DH Group: Group 2
- Encryption: 3DES
- Authentication: SHA1
- Life Time (seconds): 28800
- Protocol: ESP
- Encryption: 3DES
- Authentication: SHA1
- Enable Perfect Forward Secrecy: False, the box should be unchecked
- Life Time (seconds): 28800
Additional Notes
- On the Advanced tab, ensure the box for Enable Keepalive is checked.
- Make sure that the remote subnets configured on Sonicwall exactly match the VPN subnets configured on the MX.