Sep 29, 2020


Managed I.T., Security, Cloud & Infrastructure


Envision Technology Advisors

Recently the GUI was updated to handle IPsec VPN configurations beyond the USG to USG configuration that was present in earlier revisions. Below is an outline of a configuration for a USG to SonicWALL IPsec VPN.

The SonicWALL side was straightforward - configure the primary gateway, shared secrets, and ID’s on the General configuration tab:

SonicWALL General Configuration

Configure the Local and Remote networks on the Network tab. Leave the proposals at their defaults and finally check “Enable Keep Alive” on the Advanced tab.

The USG side required a bit more customization away from its defaults to match up with the SonicWALL default proposal.

Under Settings -> Network I chose the Site-to-Site VPN radio button option along with the IPsec VPN Type below. This opened all the familiar options that are necessary to get this functional. Plug in your Peer and Local information, along with your Remote Subnets and Pre-Shared Key. Change your Key Exchange Version to IKEv2 with 3DES Encryption SHA1 Hash and Diffie-Hellman Group 2. Disable perfect forwarding secrecy and dynamic routing, then save your configuration.

USG Settings > Network

Unfortunately, from the USG GUI there is no indication that the VPN is established. From the SonicWALL side, you will however see the familiar green circle indicating the VPN is live and you will be able to pass traffic over the tunnel. If you want to see the status from the USG, you can log into the CLI and type the command “show vpn ipsec status” which will indicate if the IPsec tunnel is active.

Another small issue I’ve noticed is the check box to disable the VPN connection on the USG side doesn’t seem to work. Disabling the Site-to-Site and saving the configuration results in no change to the tunnel status and upon inspecting the configuration the Enabled checkbox doesn’t toggle to disabled. I’ve looked through the CLI at the configuration specifically for the VPN and don’t see a reference to disabling/enabling the VPN configuration so perhaps the development is in the works.