Friday, November 15, 2013

Sonicwall to Palo Alto Networks VPN Configuration

Overview:

This document outlines the basic steps for establishing an IPSec site-to-site VPN tunnel between a Palo Alto Networks (PAN) firewall and a Sonicwall. It also assumes the Sonicwall connects from a dynamic (DHCP-assigned) address, as you might have in a home or small office location.
The Sonicwall device used is a TZ 170. The firmware versions used in the document are:

  • PAN-OS version 5.0.8
  • SonicOS Standard 3.1.2.6-97s

On the Palo Alto Device


  1. Navigate to the Network tab > IKE Gateways and click "New".
  2. Enter the remote gateway name and the local interface and IP. Choose the Dynamic peer type, since the peer has a DHCP address (otherwise you could enter a peer address), and enter a pre-shared key that will match the other side. Because we are using a dynamic peer, you will need to enter a peer identification: choose User FQDN (email address) and add an email address.
  3. You can leave the advanced Phase 1 options at their defaults.
  4. Go to the Network > Interface > Tunnel tab and click Add at the bottom of the screen to create a new tunnel.
  5. Add an unused tunnel ID number and assign it to a security zone (in this case the Trust zone) and a virtual router.
  6. Go to the Network > IPSec Tunnels tab and click Add.
  7. On the General tab, assign a tunnel name, choose the tunnel interface you created, and choose the IKE Gateway you created above.
  8. Click on the Proxy IDs tab. Click Add and enter a Proxy ID name, the local IP/netmask, the remote IP/netmask, and Any for the protocol.
  9. Go to the Network > Virtual Routers tab. On the General tab, add the tunnel interface you created and ensure the Ethernet interfaces in use are added.
  10. Click on the Static Routes tab and add a static route for the remote network. Enter the remote network subnet and mask as the destination, choose the tunnel you created as the interface, and choose a Next Hop of None.
  11. Go to Policies > Security and create the policy rules needed to set up the tunnel and then allow traffic through it.
  12. Commit the changes.

On the Sonicwall

  1. Navigate to VPN > Settings.
  2. Check the Enable VPN checkbox and add the Unique Firewall Identifier. Make the Unique Firewall Identifier the User FQDN you used as the peer identifier on the Palo Alto.
  3. Under VPN Policies, click Add to create a new VPN policy.
  4. For the IPSec Keying Mode choose IKE using Preshared Secret, assign a name, set the IPSec Primary Gateway Name or Address to the Palo Alto's interface, and assign the matching shared secret.
  5. For the destination networks, we assign a specific network so that only traffic headed to that subnet will pass over the VPN.
  6. In the Proposals tab, choose Aggressive exchange mode so that this side initiates connections. All the other settings here need to match what you have in the IKE Crypto and IPSec Crypto sections of the Palo Alto. You need to check the Enable Perfect Forward Secrecy box. I believe all the other settings are default matches on both sides.
  7. In the Advanced tab, check the box to Enable Keep Alive and ensure the VPN Terminated option is set to LAN.

You can now verify that the tunnel is up on both the Palo Alto and Sonicwall side. In the Palo Alto, all the lights under Network > IPSec Tunnels will be green. In the Sonicwall, you will see a green circle beside your VPN policy.
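As an added check (example code written for this post, not taken from either vendor), the following Python script compares the Phase 1 and Phase 2 settings the steps above say must agree on both peers, including the PFS choice and the User FQDN that must equal the Sonicwall's Unique Firewall Identifier, and flags legacy algorithm choices. Every value in it is constructed; the field names are a simplified model of the two GUIs, not the devices' own config schema.

```python
# Constructed sample values resembling the setup described above; not taken
# from real devices. Phase 1 / Phase 2 settings that the post says must agree.
WEAK = {"des", "md5", "group1"}    # broken or too short: do not use
LEGACY = {"3des", "group2"}        # common 2013 defaults, replace where possible

def compare(pan, sonicwall, phase):
    """One message per setting that differs between the two peers."""
    return [
        f"{phase} {key}: PAN={pan.get(key)!r} Sonicwall={sonicwall.get(key)!r}"
        for key in sorted(set(pan) | set(sonicwall))
        if pan.get(key) != sonicwall.get(key)
    ]

def check_tunnel(pan, sonicwall):
    """Collect every reason this pair of configs would fail to negotiate."""
    problems = compare(pan["ike"], sonicwall["ike"], "IKE")
    problems += compare(pan["ipsec"], sonicwall["ipsec"], "IPsec")
    # PAN identifies the dynamic peer by User FQDN; SonicOS sends its Unique
    # Firewall Identifier as that ID, so the two strings must be identical.
    if pan["peer_id"] != sonicwall["unique_firewall_identifier"]:
        problems.append("peer ID != Unique Firewall Identifier")
    if pan["psk"] != sonicwall["psk"]:
        problems.append("pre-shared keys differ")
    return problems

def weak_settings(config):
    """Algorithm choices in either phase that a reviewer should replace."""
    found = []
    for phase in ("ike", "ipsec"):
        for key, value in config[phase].items():
            if value in WEAK:
                found.append(f"{phase} {key}={value} is weak")
            elif value in LEGACY:
                found.append(f"{phase} {key}={value} is legacy")
    return found

IKE = {"mode": "aggressive", "encryption": "aes-128-cbc", "auth": "sha1",
       "dh_group": "group2", "lifetime_s": 28800}
PAN = {"peer_id": "branch@example.com", "psk": "constructed-secret", "ike": IKE,
       "ipsec": {"protocol": "esp", "encryption": "aes-128-cbc", "auth": "sha1",
                 "pfs_group": "group2", "lifetime_s": 3600}}
# SonicWall side left PFS unchecked and has a different Phase 2 lifetime.
SONICWALL = {"unique_firewall_identifier": "branch@example.com",
             "psk": "constructed-secret", "ike": IKE,
             "ipsec": {"protocol": "esp", "encryption": "aes-128-cbc", "auth": "sha1",
                       "pfs_group": None, "lifetime_s": 28800}}

if __name__ == "__main__":
    for line in check_tunnel(PAN, SONICWALL) + weak_settings(PAN):
        print(line)
```

Run it after filling in what each GUI actually shows; an empty result from check_tunnel means the proposals agree, which is the first thing to confirm when a tunnel never gets past Phase 1.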

For additional troubleshooting, see the following document on the Palo Alto Networks support site: https://live.paloaltonetworks.com/docs/DOC-1163
