# Setup a Site to Site IPsec VPN with TZ-470 and OPNsense

###### tags: `TZ-470 IPsec VPN`

Today we will set up a site-to-site IPsec VPN between a SonicWall TZ-470 and OPNsense, using IKEv2 with pre-shared key authentication. Once the tunnel is established, the private clients behind each firewall will be able to reach each other through it.

## Network Diagram

Addresses used throughout: OPNsense WAN 192.168.0.215, TZ-470 WAN 192.168.0.15, TZ-470 LAN 192.168.168.0/24, and the OPNsense LAN 192.168.123.0/24 (the network the TZ-470 side lists as its remote network).

## Configure OPNsense

We will set up the IPsec VPN through the OPNsense GUI.

### IPsec VPN Tunnel Settings

We will use the following settings for **Phase 1** and **Phase 2**:

**Phase 1**

**General Information**

| Option | Value |
| -------- | -------- |
| Connection method | default |
| Key Exchange version | V2 |
| Internet Protocol | IPv4 |
| Interface | WAN |
| Remote gateway | 192.168.0.15 |
| Dynamic gateway | Unchecked |
| Description | Connect to TZ470 |

**Phase 1 proposal (Authentication)**

| Option | Value |
| -------- | -------- |
| Authentication method | Mutual PSK |
| My identifier | My IP address |
| Peer identifier | Peer IP address |
| Pre-Shared Key | 12345678 |

`12345678` is only a placeholder for this walkthrough. Use a long random secret (32 characters or more) and enter the same value on both sides; a short numeric PSK can be brute-forced offline by an attacker who impersonates the peer during IKE_AUTH.

**Phase 1 proposal (Algorithms)**

| Option | Value |
| -------- | -------- |
| Encryption algorithm | 3DES |
| Hash algorithm | SHA1 |
| DH key group | 2 (1024 bits) |
| Lifetime | 28800 sec |

3DES, SHA1 and DH group 2 (1024-bit MODP) are deprecated and are kept here only because the Phase 1 proposal must match what the TZ-470 side is configured with. For a new deployment set AES256 / SHA256 / DH group 14 (2048 bits) on both the OPNsense and the TZ-470 Phase 1 proposals; a Phase 1 proposal that differs in any attribute will fail the IKE_SA_INIT exchange.

**Advanced Options**

| Option | Value | Note |
| -------- | -------- |------|
| Install policy | Checked | |
| Disable Rekey | Unchecked | Renegotiate when the connection is about to expire |
| Disable Reauth | Unchecked | IKEv2 only: re-authenticate the peer on rekeying |
| Tunnel Isolation | Unchecked | |
| NAT Traversal | Disabled | For IKEv2, NAT traversal is always enabled |
| Disable MOBIKE | Unchecked | |
| Dead Peer Detection | Unchecked | |
| Inactivity timeout | | Leave empty |
| Margintime | | Leave empty |
| Rekeyfuzz | | Leave empty |

**Phase 2**

**General information**

| Option | Value |
| -------- | -------- |
| Mode | Tunnel IPv4 |
| Description | Connect to TZ-470 |

**Local Network**

| Option | Value | Note |
| -------- | -------- |------|
| Local Network | LAN subnet | Route the local LAN subnet |

**Remote Network**

| Option | Value |
| -------- | -------- |
| Type | Network |
| Address | 192.168.168.0/24 |

**Phase 2 proposal (SA/Key Exchange)**

| Option | Value |
| -------- | -------- |
| Protocol | ESP |
| Encryption algorithms | AES256 |
| Hash algorithms | SHA256 |
| PFS Key group | off |
| Lifetime | 3600 sec |

**Advanced Options**

| Option | Value | Note |
| -------- | -------- |------|
| Automatically ping host | | Leave empty |
| Manual SPD entries | | Leave empty |

Finally, enable IPsec and apply the changes. Now you should see the following screen:

### Firewall Rules

**WAN**

To allow the IPsec tunnel to be negotiated, the following must be allowed inbound on WAN at both sites:

* Protocol ESP
* UDP traffic on port 500 (ISAKMP/IKE)
* UDP traffic on port 4500 (NAT-T)

Scope these rules to the peer's WAN address (192.168.0.15 when seen from OPNsense) rather than to any source; the firewall only ever needs to accept IKE and ESP from that one peer.

**IPsec**

To allow traffic arriving through the tunnel to reach your LAN subnet you need to add a rule on the IPsec interface. Restrict it to source 192.168.168.0/24 (the TZ-470 LAN) and destination LAN net rather than allowing any-to-any.

## Configure TZ-470

We will set up the IPsec VPN through the SonicWall GUI.
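Before walking through the SonicWall GUI, the following added example (my code, not from the original page, OPNsense or SonicWall) cross-checks the two ends of the tunnel the way a practitioner would before committing: the OPNsense values come from the tables above and the TZ-470 values from the tables in the next section. It assumes the OPNsense "LAN subnet" is 192.168.123.0/24 (the network the TZ-470 lists as remote) and writes the TZ-470 "Any address" local network as 0.0.0.0/0; the deprecation thresholds are local policy, not vendor defaults. Proposal mismatches and non-overlapping traffic selectors are reported as errors, lifetime differences and weak algorithms as warnings, and a hardened Phase 1 proposal is checked alongside the page's own settings.

```python
"""Cross-check both ends of the site-to-site IKEv2 tunnel on this page.

Added example; not code from the original page, OPNsense or SonicWall.
Assumptions: OPNsense "LAN subnet" = 192.168.123.0/24, TZ-470 "Any
address" = 0.0.0.0/0, thresholds below are local policy.
"""
import ipaddress
import re
import secrets

DEPRECATED_ENC = {"des", "3des"}
DEPRECATED_HASH = {"md5", "sha1"}
MIN_DH_GROUP = 14   # 2048-bit MODP
MIN_PSK_LEN = 20

OPNSENSE = {  # copied from the OPNsense Phase 1 / Phase 2 tables
    "name": "OPNsense", "local_gw": "192.168.0.215", "remote_gw": "192.168.0.15",
    "ike_version": 2, "psk": "12345678",
    "ike_enc": "3DES", "ike_hash": "SHA1", "ike_dh": "2 (1024 bits)", "ike_lifetime": 28800,
    "esp_enc": "AES256", "esp_hash": "SHA256", "pfs": None, "esp_lifetime": 3600,
    "local_net": "192.168.123.0/24", "remote_net": "192.168.168.0/24",
}
TZ470 = {  # copied from the TZ-470 Network / Proposals tables
    "name": "TZ-470", "local_gw": "192.168.0.15", "remote_gw": "192.168.0.215",
    "ike_version": 2, "psk": "12345678",
    "ike_enc": "3DES", "ike_hash": "SHA1", "ike_dh": "Group 2", "ike_lifetime": 28800,
    "esp_enc": "AES256", "esp_hash": "SHA256", "pfs": None, "esp_lifetime": 28800,
    "local_net": "0.0.0.0/0", "remote_net": "192.168.123.0/24",
}
# Hardened Phase 1 proposal to enter identically on both sides.
HARDENED_PHASE1 = {"ike_enc": "AES256", "ike_hash": "SHA256", "ike_dh": "14 (2048 bits)"}


def norm_alg(name):
    """'AES256', 'aes-256' -> 'aes256'; '3DES' -> '3des'."""
    return re.sub(r"[\s_\-]", "", str(name)).lower()


def norm_dh(value):
    """'2 (1024 bits)', 'Group 2', 14 -> 2, 2, 14; None (PFS off) stays None."""
    if value is None:
        return None
    m = re.search(r"\d+", str(value))
    return int(m.group()) if m else None


def check_tunnel(a, b):
    """Return (errors, warnings): errors stop IKE_SA/CHILD_SA negotiation,
    warnings are weaknesses or oddities the tunnel survives."""
    errors, warnings = [], []
    if a["remote_gw"] != b["local_gw"] or b["remote_gw"] != a["local_gw"]:
        errors.append("gateway addresses do not cross-match")
    if a["ike_version"] != b["ike_version"]:
        errors.append("IKE version mismatch")
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ")
    elif len(a["psk"]) < MIN_PSK_LEN or a["psk"].isdigit():
        warnings.append("psk is shorter than %d chars or all digits" % MIN_PSK_LEN)
    # Phase 1 and Phase 2 proposals must match attribute for attribute.
    for key in ("ike_enc", "ike_hash", "esp_enc", "esp_hash"):
        if norm_alg(a[key]) != norm_alg(b[key]):
            errors.append("%s mismatch: %s vs %s" % (key, a[key], b[key]))
    for key in ("ike_dh", "pfs"):
        if norm_dh(a[key]) != norm_dh(b[key]):
            errors.append("%s mismatch: %s vs %s" % (key, a[key], b[key]))
    # IKEv2 does not negotiate lifetimes: each side rekeys on its own timer,
    # so a difference only decides which side initiates the rekey.
    for key in ("ike_lifetime", "esp_lifetime"):
        if a[key] != b[key]:
            warnings.append("%s differs: %s vs %s" % (key, a[key], b[key]))
    # Traffic selectors: each local net must overlap the peer's remote net;
    # the IKEv2 responder narrows to the intersection.
    for x, y in ((a, b), (b, a)):
        local = ipaddress.ip_network(x["local_net"])
        remote = ipaddress.ip_network(y["remote_net"])
        if not local.overlaps(remote):
            errors.append("selectors do not overlap: %s local %s vs %s remote %s"
                          % (x["name"], local, y["name"], remote))
        elif local != remote:
            warnings.append("%s local %s differs from %s remote %s; IKEv2 narrows "
                            "to the intersection, set both explicitly"
                            % (x["name"], local, y["name"], remote))
    for side in (a, b):
        for key in ("ike_enc", "esp_enc"):
            if norm_alg(side[key]) in DEPRECATED_ENC:
                warnings.append("%s %s: %s is deprecated" % (side["name"], key, side[key]))
        for key in ("ike_hash", "esp_hash"):
            if norm_alg(side[key]) in DEPRECATED_HASH:
                warnings.append("%s %s: %s is deprecated" % (side["name"], key, side[key]))
        for key in ("ike_dh", "pfs"):
            group = norm_dh(side[key])
            if group is not None and group < MIN_DH_GROUP:
                warnings.append("%s %s: group %d is deprecated, use >= %d"
                                % (side["name"], key, group, MIN_DH_GROUP))
    return errors, warnings


def harden(cfg, psk):
    """Copy of cfg with the hardened Phase 1 proposal and a fresh PSK."""
    new = dict(cfg)
    new.update(HARDENED_PHASE1)
    new["psk"] = psk
    return new


if __name__ == "__main__":
    psk = secrets.token_urlsafe(32)   # one secret, entered on both firewalls
    for label, pair in (("page settings", (OPNSENSE, TZ470)),
                        ("hardened", (harden(OPNSENSE, psk), harden(TZ470, psk)))):
        errors, warnings = check_tunnel(*pair)
        print("== %s: %d errors, %d warnings" % (label, len(errors), len(warnings)))
        for msg in errors:
            print("ERROR", msg)
        for msg in warnings:
            print("WARN ", msg)
```

With the page's settings the checker reports no errors (the tunnel comes up) but nine warnings: the short numeric PSK, the Phase 2 lifetime gap, the 0.0.0.0/0 local selector on the TZ-470, and 3DES/SHA1/DH group 2 on each side. After `harden()` only the lifetime and selector warnings remain.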
### IPsec VPN Tunnel Settings

We will use the following settings for **Phase 1** and **Phase 2**:

**General**

**SECURITY POLICY**

| Option | Value |
| -------- | -------- |
| Policy Type | Site to Site |
| Authentication Method | IKE Using Preshared Secret |
| Name | Connect to OPNsense |
| IPsec Primary Gateway Name or Address | 192.168.0.215 |
| IPsec Secondary Gateway Name or Address | 0.0.0.0 |

**IKE AUTHENTICATION**

| Option | Value | Note |
| -------- | -------- |------|
| Shared Secret | 12345678 | Must be identical to the OPNsense Pre-Shared Key; replace this placeholder with a long random secret on both sides |
| Mask Shared Secret | Enable | |
| Confirm Shared Secret | 12345678 | |
| Local IKE ID | IPv4 Address | 192.168.0.15 |
| Peer IKE ID | IPv4 Address | 192.168.0.215 |

**Network**

**LOCAL NETWORKS**

Either use Any address:

| Option | Value | Note |
| -------- | -------- |------|
| Choose local network from list | Unchecked | A new network object cannot be created from this list, so Any address is used instead |
| Any address | Checked | |

or, preferably, pick the LAN subnet from the list, which limits the tunnel's local selector to the addresses that actually need it:

| Option | Value | Note |
| -------- | -------- |------|
| Choose local network from list | Checked | LAN Subnets |
| Any address | Unchecked | |

With Any address the TZ-470 offers 0.0.0.0/0 as its local traffic selector; IKEv2 narrows it to the intersection with the OPNsense remote network (192.168.168.0/24), which is why the tunnel still works, but an explicit LAN Subnets selector is the safer choice.

**REMOTE NETWORKS**

| Option | Value | Note |
| -------- | -------- |------|
| Use this VPN Tunnel as default route for all Internet traffic | Unchecked | |
| Choose destination network from list | Checked | remote-net_192.168.123.0/24 |
| Use IKEv2 IP Pool | Unchecked | |

PS: When selecting Choose destination network from list, click **Create new Address Object** to create remote-net_192.168.123.0/24.

**Address Object Profile: remote-net_192.168.123.0/24**

| Option | Value |
| -------- | -------- |
| Name | remote-net_192.168.123.0/24 |
| Zone Assignment | WAN or VPN (VPN is the conventional zone for a network reached through a tunnel) |
| Type | Network |
| Network | 192.168.123.0 |
| Netmask/Prefix Length | 255.255.255.0 |

**Proposals**

**IKE (PHASE 1) PROPOSAL**

| Option | Value |
| -------- | -------- |
| Exchange | IKEv2 Mode |
| DH Group | Group 2 |
| Encryption | 3DES |
| Authentication | SHA1 |
| Life Time (seconds) | 28800 |

This proposal must match the OPNsense Phase 1 proposal attribute for attribute. 3DES, SHA1 and Group 2 are deprecated; if you upgrade to AES256 / SHA256 / Group 14, change both sides at the same time.

**IPSEC (PHASE 2) PROPOSAL**

| Option | Value |
| -------- | -------- |
| Protocol | ESP |
| Encryption | AES256 |
| Authentication | SHA256 |
| Enable Perfect Forward Secrecy | Unchecked |
| Life Time (seconds) | 28800 |

The Phase 2 lifetime differs from the OPNsense side (3600 seconds). IKEv2 does not negotiate lifetimes, so each side rekeys on its own timer and the tunnel still works; in practice the OPNsense side will initiate most Phase 2 rekeys. PFS is off on both sides, which is consistent; enabling it on only one side would make Phase 2 rekeying fail.

**Advanced**

**ADVANCED SETTINGS**

| Option | Value |
| -------- | -------- |
| Enable Keep Alive | Checked |
| Suppress automatic Access Rules creation for VPN Policy | Unchecked |
| Disable IPsec Anti-Replay | Unchecked |
| Enable Windows Networking (NetBIOS) Broadcast | Unchecked |
| Enable Multicast | Unchecked |
| Permit Acceleration | Unchecked |
| Display Suite B Compliant Algorithms Only | Unchecked |
| Apply NAT Policies | Unchecked |
| Allow SonicPointN Layer 3 Management | Unchecked |

**MANAGEMENT VIA THIS SA**

| Option | Value |
| -------- | -------- |
| HTTPS | Unchecked |
| SSH | Unchecked |
| SNMP | Unchecked |

**USER LOGIN VIA THIS SA**

| Option | Value |
| -------- | -------- |
| HTTP | Unchecked |
| HTTPS | Unchecked |

| Option | Value |
| -------- | -------- |
| Default LAN Gateway (optional) | 192.168.0.4 |
| VPN Policy bound to | Zone WAN |

**IKEv2 SETTINGS**

| Option | Value |
| -------- | -------- |
| Do not send trigger packet during IKE SA negotiation | Unchecked |
| Accept Hash & URL Certificate Type | Unchecked |
| Send Hash & URL Certificate Type | Unchecked |

Now you should see the following screen:

**General**

**Network**

**Proposals**

**Advanced**

### Firewall Rules

The TZ-470 generates the access rules for the VPN policy automatically, as long as "Suppress automatic Access Rules creation for VPN Policy" stays unchecked.

### IPsec VPN Connection

We can use the IPsec status page on each side to check the VPN connection status.

**OPNsense Connection status**

**TZ-470 Connection status**

## Reference

1. [How can I configure a site-to-site VPN between a SonicWall and Linux Openswan?](https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-site-to-site-vpn-between-a-sonicwall-and-linux-openswan/170504906528100/)
2. [VPN between strongSwan and SonicWall](https://koo.fi/blog/2015/04/04/vpn-between-strongswan-and-sonicwall/)