VPN Access with IPSec tunnels
Skill level: Expert (requires knowledge of IPSec tunnel setup)
Goal
To build an IPSec tunnel through the 63xx device's WAN internet connection, and use that IPSec tunnel to access endpoints inside a VPN.
Setup
For this setup, the 63xx series device will need an active WAN internet connection (cellular for the 6300-series, cellular or Ethernet for the 635x-SR series).
You will also need to know the IPSec credentials and settings needed to build a tunnel to the IPSec endpoint.
NOTE: the 63xx series of devices supports building IPSec tunnels to the following endpoints:
- SonicWall routers
- strongSwan IPSec servers
- OpenVPN IPSec servers
- other 63xx series devices. See the site-to-site tunnel article for an example.
Sample
The sample configuration below shows a 6350-SR building a tunnel to a VPN server at 12.13.14.15 through its cellular modem. The client laptop connected to the LAN Ethernet port of the 6350-SR can then use that IPSec tunnel to access any IP address in the 10.255.0.0/16 range behind the IPSec server. Any traffic not destined for 10.255.0.0/16 will instead go through the cellular modem straight to the Internet.
Sample Configuration
Open the configuration profile for the 6350-SR. Under IPSec, create a new entry titled Tunnel, and add your IPSec settings to the new entry. The following settings reflect the sample setup in the diagram above.
- Enter the PSK in the Pre-shared key field.
- (optional) Under XAUTH client, check the Enable box and enter the account, username, and password.
- Check the Enable MODECFG client box.
- Change Local endpoint -> ID -> ID type to KeyID
- Set the local ID in Local endpoint -> ID -> KEYID ID Value
- (optional) Set Local endpoint -> type to Interface, and set Local endpoint -> Interface to Modem. This configures the 63xx-series device to build the tunnel only through the cellular modem WAN interface. Leaving Local endpoint -> type at its default of Default route allows the tunnel to be built through any available WAN interface.
- Change Remote endpoint -> ID -> ID type to IPv4
- Set the IP address of the IPSec server in Remote endpoint -> Hostname and Remote endpoint -> ID -> IPv4 ID Value. In the example, this is 12.13.14.15.
- Set IKE -> Mode to Aggressive mode.
- Set IKE -> Phase 1 Proposals and IKE -> Phase 2 Proposals to match the IKE settings required by the IPSec server. In this example, both proposals are set to AES128, SHA1, MOD768.
Under Policies, click Add to create a new policy, and enter the following settings:
- Set Policy -> Local network -> Type to Request a network.
- Set Policy -> Remote network to the IPv4 network you wish to access through the tunnel. In the sample, this is 10.255.0.0/16.
(alternative) If you would instead like to have all outbound traffic go through this tunnel, set Policy -> Remote network to 0.0.0.0/0
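As an added example (not part of the original article or Digi's own documentation), the following is the gateway side of the sample tunnel written for strongSwan, one of the endpoint types listed above: an ipsec.conf connection plus the matching ipsec.secrets entries, mirroring each 63xx setting step by step. It assumes a strongSwan 5.x gateway at 12.13.14.15 fronting 10.255.0.0/16, a constructed KeyID of `tunnel-client` for the 6350-SR, a constructed MODECFG pool of 10.255.250.0/24, and placeholder secrets.

```ini
# /etc/ipsec.conf on the strongSwan gateway (12.13.14.15); assumes strongSwan 5.x
conn tunnel-6350sr
    keyexchange = ikev1
    # The article's sample uses Aggressive mode. With a PSK, aggressive mode
    # sends the identity in the clear and exposes a PSK-derived hash on the
    # wire, so set aggressive = no (main mode) whenever the client allows it.
    aggressive = yes
    # Phase 1: AES128 / SHA1 / DH group 1 (MOD768), exactly as in the sample.
    # SHA1 and modp768 are legacy; prefer e.g. aes256-sha256-modp2048 if the
    # 63xx device supports it. The trailing "!" makes the proposal strict.
    ike = aes128-sha1-modp768!
    # Phase 2: AES128 / SHA1 with PFS group MOD768, matching the sample.
    esp = aes128-sha1-modp768!
    # Gateway ("left") identifies itself by IPv4 address, which is what the
    # article sets under Remote endpoint -> ID -> ID type = IPv4.
    left = 12.13.14.15
    leftid = 12.13.14.15
    # Network the 6350-SR's LAN clients reach through the tunnel
    # (Policy -> Remote network). Use 0.0.0.0/0 for the full-tunnel variant.
    leftsubnet = 10.255.0.0/16
    # PSK on both sides, plus XAUTH as a second client authentication round
    # (the article's optional XAUTH client step). Drop rightauth2 if XAUTH
    # is not enabled on the 63xx device.
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth
    # The 63xx device ("right") sits on a changing cellular address, so accept
    # any peer address and match on its KeyID (Local endpoint -> ID type =
    # KeyID on the device). "@@" denotes an ASCII KEY_ID in strongSwan's
    # identity syntax (assumed; verify against your version). Constructed value.
    right = %any
    rightid = @@tunnel-client
    # MODECFG: hand the client a virtual address from this pool, matching
    # "Enable MODECFG client" and "Local network -> Type = Request a network".
    rightsourceip = 10.255.250.0/24
    auto = add

# /etc/ipsec.secrets (placeholders; replace with real values, chmod 600)
# PSK selected by the IDs of both peers: gateway IP and the client's KeyID.
12.13.14.15 @@tunnel-client : PSK "REPLACE_WITH_PSK"
# XAUTH account for the 6350-SR, only needed when XAUTH is enabled.
xauth-user : XAUTH "REPLACE_WITH_XAUTH_PASSWORD"
```

After loading the connection (`ipsec reload` and `ipsec rereadsecrets`), `ipsec statusall` should list an established IKEv1 SA for `tunnel-6350sr` whose CHILD_SA selector is the assigned virtual IP on one side and 10.255.0.0/16 on the other.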