
How Do I... Configure SonicWALL VPN Connections?

Whether you are talking security or user experience, properly configuring any VPN connection is essential. Here are the basic configuration steps you need to take when configuring the SonicWALL PRO 1260 series router for VPN tunneling.

This article is also available as a TechRepublic download.

Hundreds of thousands of organizations turn to SonicWALL hardware to fulfill their firewall and network switching needs. SonicWALL firewalls also power effective VPN connections, providing secure remote access for everyone from mobile employees to executive staff.

Here are the most common steps required for configuring SonicWALL VPN connections. While this article describes administering SonicWALL VPN tunnels using the manufacturer's popular PRO 1260 series router, the steps are quite similar for other SonicWALL models, too.

Essentially, there are three steps to the process: configuring the SonicWALL firewall, creating VPN user accounts, and installing and configuring the SonicWALL Global VPN Client.

Configuring the router

SonicWALL’s GroupVPN service simplifies configuring secure remote connections. Enable SonicWALL GroupVPN using the SonicWALL VPN Wizard by following these steps:

  1. Log in to the SonicWALL device.
  2. Click on the VPN button.
  3. Click the VPN Policy Wizard button; the Welcome To The SonicWALL VPN Wizard screen will appear.
  4. Click Next.
  5. Specify whether you wish to create a Site-to-Site VPN (such as you might wish to do when connecting a SonicWALL wireless router to another SonicWALL device) or a WAN GroupVPN (to enable incoming VPN connections to the SonicWALL firewall). In this example we’re creating VPN connections to enable remote employee access, so we need to select the WAN GroupVPN radio button and click the Next button. (Figure A)

Figure A

Administrators must specify whether a site-to-site or WAN GroupVPN policy is to be created.
  6. The IKE Phase 1 Key Method screen appears. Specify whether you wish to use a default key or use a preshared key. Make a note of the preshared key if you select that option, then click Next.
  7. The Security Settings menu appears. In addition to specifying the encryption and authentication methods, drop-down boxes appear for specifying the DH (Diffie-Hellman) key group (SonicWALL devices support groups 1, 2 and 5) and Life Time. Typically SonicWALL’s default settings work well for most organizations.
  8. After clicking Next, the User Authentication menu appears. Administrators must specify whether user authentication should be implemented. Ensure the Enable User Authentication box is checked and select Trusted Users to ensure only the trusted users you specify later can connect to the organization’s network using the SonicWALL VPN. Then, click Next.
  9. The Configure Virtual IP Adapter menu appears next. The Virtual IP Adapter is used to obtain special IP addresses when connecting to the SonicWALL device, enabling the client to appear to be on the internal LAN. Check the box if you wish to enable the Virtual IP Adapter and click Next.
  10. The WAN GroupVPN Configuration Summary menu appears. The confirmation screen reviews the settings that will be implemented upon clicking the Apply button. Click the Apply button to finish enabling the VPN settings.
  11. The SonicWALL device will store the SonicWALL configuration, then display a congratulatory message stating the SonicWALL VPN Wizard completed successfully.
  12. While the SonicWALL creates the VPN, it doesn’t enable it by default. Log back in to the SonicWALL device and click the SonicWALL’s VPN button, and then check the Enable box to activate the VPN. (Figure B)

Figure B

Don’t forget to enable VPN policies from the VPN | Settings screen on the SonicWALL device.

You can edit a VPN’s settings and configuration at any time by logging in to the SonicWALL router, clicking VPN and clicking the Configure icon (the pencil and paper symbol) associated with each VPN entry.
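
The Security Settings menu described above sets the values the firewall and client exchange as IKE phase 1 attributes. The following is an added example, not code from this article or from SonicWALL: it decodes those attributes using the numbering in RFC 2409 Appendix A and flags weak choices. The sample byte strings are constructed for illustration, and the `min_dh_bits` threshold is an assumed local policy value.

```python
import struct

# IKEv1 phase 1 attribute values from RFC 2409 Appendix A
# (DH group 5 is defined in RFC 3526).
ENCRYPTION = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}   # attribute type 1
HASH = {1: "MD5", 2: "SHA-1"}                              # attribute type 2
DH_BITS = {1: 768, 2: 1024, 5: 1536}                       # type 4: MODP modulus size

def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (TV and TLV forms) into {type: int}."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header")
        atype, field = struct.unpack_from("!HH", data, pos)
        pos += 4
        if atype & 0x8000:                 # AF bit set: value sits in the header
            attrs[atype & 0x7FFF] = field
        else:                              # AF bit clear: field is a length
            if pos + field > len(data):
                raise ValueError("attribute value runs past end of payload")
            attrs[atype] = int.from_bytes(data[pos:pos + field], "big")
            pos += field
    return attrs

def review(attrs: dict, min_dh_bits: int = 1536) -> list:
    """Return findings for a phase 1 proposal; min_dh_bits is an assumed policy."""
    findings = []
    if ENCRYPTION.get(attrs.get(1)) == "DES-CBC":
        findings.append("encryption: single DES")
    if HASH.get(attrs.get(2)) == "MD5":
        findings.append("hash: MD5")
    group = attrs.get(4)
    if group not in DH_BITS:
        findings.append("DH group missing or unrecognised")
    elif DH_BITS[group] < min_dh_bits:
        findings.append(f"DH group {group}: {DH_BITS[group]}-bit modulus")
    return findings

# Constructed samples (not captured from a SonicWALL device):
# A = 3DES / SHA-1 / preshared key / group 2 / 28800 s lifetime (TLV form)
# B = DES / MD5 / preshared key / group 1
SAMPLE_A = bytes.fromhex("80010005" "80020002" "80030001" "80040002"
                         "800b0001" "000c0004" "00007080")
SAMPLE_B = bytes.fromhex("80010001" "80020001" "80030001" "80040001")

if __name__ == "__main__":
    for name, raw in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, review(parse_attributes(raw)))
```
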

Specifying authorized VPN users

The next step is to specify those users authorized to access the VPN. To do so:

  1. Log in to the SonicWALL device.
  2. Click the Users button.
  3. Click the Local Users button.
  4. Click the Add button.
  5. Within the Settings tab, enter the user’s name, a password and any comments to help identify the user account. (Figure C)

Figure C

Supply user information on the Settings tab.
  6. From the Groups tab, specify group memberships for the user.
  7. From the VPN Access tab, specify the networks you wish the user to access. (Figure D)

Figure D

A wide variety of network options exist; make your selections by highlighting entries and clicking the corresponding arrow buttons.
  8. Click OK to complete the user configuration.

Figure E

Once a user account is created, the entry will appear within the SonicWALL’s Users | Local Users screen, as shown here.

You can make edits to the user’s account (Figure E) at any time by clicking the Configure icon (the pencil and paper symbol) associated with each user’s account within the SonicWALL’s Users | Local Users menu.

Installing the SonicWALL Global VPN Client

Now you’re ready to install the SonicWALL Global VPN Client software on the end user’s system. Follow these steps to configure the end user client:

  1. Download (from www.mysonicwall.com or the CD-ROM supplied with the SonicWALL device) the SonicWALL Global VPN Client executable. Once you’ve downloaded the file, double-click it to begin installing the VPN client.
  2. The Preparing Setup window will appear. When it completes, the Welcome To The SonicWALL InstallShield Wizard menu will display. Click Next.
  3. Next you’ll see a warning message indicating that antivirus and firewall programs must be disabled to install the SonicWALL Global VPN Client. Disable any such programs and click Next.
  4. Read the license agreement, then select the I Accept The Terms Of The License Agreement radio button and click Next.
  5. Specify the location of the SonicWALL Global VPN Client. By default, SonicWALL’s InstallShield will place the files in the C:\Program Files\SonicWALL Global VPN Client directory. Click Next to proceed (or click the Browse button, specify the directory you wish to use, and then click Next).
  6. Click Install to install the SonicWALL Global VPN Client in the directory you specified in the last step.
  7. The Setup program will install the VPN client, tracking its progress as it completes. When it finishes, it will display the SonicWALL Global VPN Client Setup Complete screen, which will include two checkboxes (Figure F). Check the respective boxes if you wish to start the VPN client automatically when users log in and launch the program immediately upon completing the wizard. Then, click Finish.

Figure F

Check the supplied boxes to automatically start the VPN connection when users log in and to launch the program immediately upon completing setup.
  8. Windows Firewall may block the SonicWALL Global VPN Client. If Windows Firewall presents a warning message, click Unblock.
  9. The New Connection Wizard will appear. Click Next.
  10. The Choose Scenario menu displays next. Specify whether you wish to implement Remote Access or an Office Gateway. Choose Office Gateway if you’re connecting two SonicWALL devices. Choose Remote Access if you wish to enable secure connectivity for remote staff. As we’re enabling remote access, we’ll choose that option and click Next. (Figure G)

Figure G

Specify whether the VPN connection is being used to provide remote access or to connect two SonicWALL devices (Office Gateway).
  11. Specify the SonicWALL’s IP address or domain name, provide a connection name and click Next.
  12. The Completing The New Connection Wizard menu appears next. Check the appropriate boxes to create a desktop shortcut for the new connection and automatically enable the connection whenever the end user launches the SonicWALL Global VPN Client. Then, click Finish.

The SonicWALL Global VPN Client is then created. To connect to the VPN, end users need only double-click the SonicWALL Global VPN Client and enter any required credentials. As with configuring VPNs and end users, the end user can edit a VPN connection’s settings and configuration at any time by right-clicking it from within the SonicWALL Global VPN Client window and selecting Properties.

26 comments
rdewolff

How can I remote connect via Mac OS X Mavericks (10.9)?

yoelco9

You did the best job, really saved me time. Thank you.

f_bernal

I have a TZ100 firewall with ssl-vpn enabled. I'm using netextender to establish the vpn connection to our firewall from remote offices. Windows 7 computers connect with no problems. Windows xp stations connect but disconnect after 2 to 3 minutes. Any ideas on how to fix this issue?

jorran

I was having issues with my SonicWALLs and am still not sure of the issue. I had to delete the VPN tunnel on both ends and then add each back. For some reason, I have no idea why, I don't get an active VPN tunnel anymore. I am almost positive everything is configured correctly but I am afraid that it might be something very simple and I am just overlooking it. Anyone want to help me out? Our store is completely down from some of our main programs that need VPN access to the other store. We do have internet.

yingwaing146

short to the point. needed just enough for interview

dima1

How do I test my VPN after creating it? What is the SonicWALL's IP address?

Shaij

Hi Mr. Erik, thanks for your help to us. But unfortunately I couldn't find the first step as you said (Figure A), and I am getting the options Typical or Custom, then policy name and IPsec gateway name or address, then remote network and network mask. I don't know how to get your options. If you don't mind, can you explain how to do it your way, please? I do have a VPN license and am using the 1260 PRO. Shaji

Darwood

Why do you need to install the Sonicwall VPN client? Can't you just create a VPN in Windows instead?

dnyaneshwarnidavanche

I want to access at a same time two client so how do i configure clientside vpn setup

ssommer

I am trying to configure a site-to-site VPN between a SonicWALL and a Cisco router. The tunnel is configured but I need policy NAT on the SonicWALL for specific translation when traffic is traversing the tunnel. I read that this is possible if both ends are SonicWALL devices, but I cannot find documentation for my specific issue. I wonder why it would make a difference what was on the remote end. Can someone please help me?

rizvi_dna

I need a help about vpn why always it will change the ip of wan and when i am going to change dynamic to static it will not change so always i am going to change the peer of client computer so how can i fix the wan ip one time fix it will not change.

garnet.steen

How do you connect clients that do not support the Sonicwall Global VPN software? I'm speaking specifically of mobile devices like smartphones or the iphone.

skit1973

I'm using a D-Link wireless router DI-524. Each time I get connected, it disconnects again. Are there any settings I should make on the router?

andyrob.davis

Very helpful I have a TZ170 that I inherited it, it doesn't use the local users it authenticates against the domain but I don't know how this works

admin

Step 6 made mention of remembering the key. I didn't see any directions about configuring the client software with a key that was referenced in step 6.

probinson

About five years ago, we deployed SonicWall Pro 200 units at our main data center. Deploying the VPN client was a consummate pain and the tech support available at the time was awful! (Overseas outsource) A year ago, we replaced the SonicWall units with FireBox X700 units from WatchGuard. As the network engineer who is primarily responsible for the firewall/VPN systems, I found the FireBox to be light years ahead of the SonicWall units we had. I don't believe that was solely due to the three years newer technology that the FireBox used. It's good to see that it appears SonicWall has responded to their user base and made the VPN deployment a lot less cryptic.

Mark W. Kaelin

Telecommuting employees and a mobile workforce have made the reliable VPN connection an absolute must for many organizations. How important has VPN become for your organization? Are you currently looking to upgrade or make other changes to your VPN system?

seanferd

That's covered in the latter two thirds of the article. Other than that, have them both connected to the router. At the same time.

mkrom

VPN clients are connected to SonicWALL using the Global VPN Client application downloaded from SonicWALL. I would guess that you will have to get a version of GVC that runs on your mobile device.

techrepublic

Upon first attempt at connection the Sonicwall VPN client will prompt you for the key...

ianr

I have over 100 users that access my systems remotely. I have a Juniper-Netscreen Firewall/VPN infrastructure (yeah, I have used SonicWALL and Firebox in the past, we can argue them later) and it became a mess handling that many users. About two years ago, we migrated to Neoteris' (then purchased by Netscreen and then Juniper) SSL VPN box. It was an awful tool at first. Now, it's my lifeline. With ADS integration and AES128 VPN tunnels I am in love. I have a lot more functionality than any firewall-based VPN solution can provide.

cweaver

We have been setting VPN up more and more for employees over the recent months. It is nice I must say. As a matter of fact, I work at our satellite office, but using my VPN connection from home is much faster. I'm not an engineering genius or anything, but I do know there are issues not resolved, but since I'm the rookie, they just ignore me...that's another story. Anyway, I am a fan of the SonicWALL VPN. I like the ease of use, reliability, and the services that it provides. Definitely a single device solution for many SMBs.

tim

I do not receive a request to enter the key. My connection hangs in connecting... Is there another place / way to specify the key?

steball

My knowledge of firewalls and VPN connections is limited, so I'm doing the best I can with what information I can find. I am the only IT guy for a small hospital, and I've only been here a few short months. I'm trying to create a VPN connection from my laptop so that I can remote in, instead of having to drive in 45 minutes from home whenever I get a call at 2:00 on Sunday morning (which has happened a couple of times already). I followed all of the above steps for setting up this connection, and I'm getting this same problem (a couple posts above) with the GVC hanging in the "Connecting" state. In the log I'm getting the following messages: Failed to find MAC address 00:60:73:xx:xx:xx:xx in the system interfaces table. Starting ISAKMP phase 1 negotiation. An error occurred The peer is not responding to phase 1 ISAKMP requests. Every several seconds, the messages will repeat. Any ideas? Just for fun, I tried pinging both the WAN IP and the domain name from outside the network. The IP timed out, and the domain name could not be resolved. Correct me if I'm wrong, when the connection wizard in the GVC requests an IP Address, is it not referring to the WAN IP Address located under the Network tab of the SonicWall web interface? The fact that I cannot ping it might explain the messages in the log, why I can't connect. But the question is then, why would I not be able to ping that IP? Is there something in my firewall configuration that needs to be changed? Any help that I can get here would be greatly appreciated.

bjtill

The need for the IKE preshared secret is overridden by "Simple Client Provisioning", which means the firewall and the VPN clients use a default preshared key. See VPN Policies > WAN GroupVPN > click the view settings icon. In that popup, see the Client tab > Client Initial Provisioning where you can turn this setting off. Presumably when it is off, you get prompted to enter the shared secret (defined in the General tab) when you try to connect via your VPN client. I can't test that theory without messing with my production firewall, though...

dima1

why did people stop talking about it .. i'm still not able to find the answers for question that were asked more than a week ago ... can anyone please help
