
VPN Interoperability between SonicWALL TELE3 SP and NetScreen ScreenOS 4.x/5.x

Introduction
This technote provides all the steps necessary to create a working IKE IPSec VPN tunnel between a
SonicWALL TELE3 SP and a NetScreen 25. Each site will have multiple subnets and the SonicWALL TELE3
SP will be configured for automated fail-over with its integrated analog modem, which ensures continuous
uptime for IPSec VPN tunnels whenever the broadband connection fails.
Recommended Versions
SonicWALL TELE3 SP device running firmware 6.6.0.1
NetScreen device running ScreenOS 5
Caveats
This only works with pre-shared keys as the VPN tunnel setup authentication mechanism.
SonicWALL devices use the SA Lifetime field for both phase 1 and phase 2 negotiations, so use the same time for both the ISAKMP and IPSec lifetime fields on the NetScreen device.

Do not use the group feature to combine multiple LAN IP subnet address book entries on the NetScreen device when creating a VPN policy. Create a separate policy for each LAN IP subnet of the NetScreen.

NetScreen has a feature that allows you to specify an address book group for the policy setup, but instead of breaking out each subnet in the group into a separate phase 2 exchange, it attempts to send all subnets in the group in a single phase 2 exchange. Most other vendors, including SonicWALL, do not support this. Therefore, it is necessary to write a policy for each subnet pair on the NetScreen, so that it negotiates each subnet pair as a separate phase 2 exchange. On the SonicWALL side, you do not have to do this and can still set up a single SA with all the networks behind the NetScreen device. For example, the validation platform had four subnets behind the NetScreen and two behind the SonicWALL. The NetScreen required eight policies so that each subnet on each side could communicate with one another.

NetScreen policies also offer a Multiple option for address objects, but it does not work when the tunnel is dynamic.

When a NetScreen is acting as an IKE responder for dynamic VPN tunnels, it is necessary to specify a remote peer IKE identity (Peer ID), since the remote peer's WAN IP cannot be known in advance. The NetScreen appears to accept three types of IKE identity for remote peers: ID_USER_FQDN, ID_FQDN, and IPV4_ADDR. While there is no explicit control to define exactly which identity type should be used, the NetScreen appears to parse incoming IKE identity values to determine whether the remote peer is sending the correct value. What can potentially make this difficult is that any SonicWALL running 6.x firmware sends its UFI as the ID_USER_FQDN IKE identity when negotiating a tunnel in Aggressive Mode (used when a WAN address is dynamically obtained). Simply specifying the SonicWALL's UFI on the NetScreen does not work; it appears that the NetScreen rejects it because it is looking for an @ in the value, since the SonicWALL tells the NetScreen during the ISAKMP exchange that the identity is ID_USER_FQDN. To avoid this, set the SonicWALL's UFI to an email address (for example, snwl@notreal.com) and specify this same email address as the remote peer ID in the NetScreen. Also, specify the NetScreen's local ID and use this value as the name of the SA in the SonicWALL.

Use Aggressive Mode on both sides, since the TELE3 SP will fail over to a dynamic IP address. Because of this, the IP address is unknown, and dynamic setup must be used in this scenario.

Sample Diagram

Tasklist
On the SonicWALL:
Configure additional LAN subnet.
Create new IPSEC Security Association to the NetScreen device.
Edit SA properties.
Add new VPN destination networks.
Edit network properties.
Set up Modem Failover.
On the NetScreen:
Create local LAN IP subnet object in the Address Book Trusted section (may exist already).
Create remote LAN IP subnet object in the Address Book Untrusted section.
Create a custom phase 1 policy in the VPN section.
Create a custom phase 2 policy in the VPN section.
Create a Gateway object in the VPN section.
Create an AutoKey IKE object in the VPN section.

Create an outgoing access rule in the Policy section.
Create an incoming access rule in the Policy section.
Before You Begin
If you have not already done so, set up a management system connecting to the SonicWALL's internal LAN
interface. The SonicWALL should already be configured for Internet access; if not, do this before completing
any further steps. The NetScreen should also be similarly configured for Internet access.
Setup Steps
SonicWALL Setup: Configure a second LAN Subnet interface
1. Log into the SonicWALL's management interface using a current web browser.


2. Click on the General button on the left side menu to add the second LAN subnet. Then click the
Network tab along the top.


3. Under LAN Settings, next to Add LAN Subnet, enter a network gateway address in the Network
Gateway field and a subnet mask in the Subnet Mask field.
4. Click Update.

SonicWALL Setup: Create new IPSEC Security Association to the NetScreen Device
1. Next, click the VPN button on the left side, and then click on the Configure tab along the top.


2. Go to Add/Modify IPSec Security Associations section. From the Security Association drop-down
box, select -Add New SA-.


3. From the IPSec Keying Mode drop-down box, select IKE using Preshared Secret.


4. In the Name field, enter a unique name for your tunnel to the NetScreen device.



5. In the IPSec Gateway Address field, enter the static IP address of the Public interface of the
NetScreen device.

SonicWALL Setup: Edit SA Properties
1. Go to the Security Policy section on the same page. From the Exchange drop-down box, choose
Aggressive Mode.


2. From the Phase 1 DH Group drop-down box, choose Group 2.



3. In the SA Life time (secs) field, enter 28800.


4. From the Phase 1 Encryption/Authentication drop-down box, choose 3DES & MD5.


5. From the Phase 2 Encryption/Authentication drop-down box, choose Strong Encrypt and
Authenticate (ESP 3DES HMAC MD5).



6. In the Shared Secret field, enter in the shared secret you wish to use for the VPN tunnel to the
NetScreen device.


SonicWALL Setup: Add New VPN Destination Networks
1. Go to Destination Networks section on the same page. Choose the Specify destination networks
below radio button.


2. Click the Add New Network button.




3. In the pop-up screen that appears, enter in the subnet and mask that are behind the Private
interface of the NetScreen device (you need to use the Add New Network... button multiple times to
add multiple subnets).
4. Click on the Update button when you are done.


5. Click on the Advanced Settings button.



6. In the pop-up screen that appears, check the Enable Keep Alive box and the Try to bring up all
possible SAs box.
7. Click OK when you are done.



8. Click on the Update button in the lower right hand of the screen to save all changes.

SonicWALL Setup: Set up Modem Failover
1. For the modem and failover setup, click on the Modem button on the left side menu.
2. Click on the Profiles tab along the top.


3. On the Profiles page go to the Current Profile drop-down box and select Add New Profile to
configure a new profile.
4. Enter a name for the new profile in the Name field.

5. Under the ISP Settings section, enter in the primary phone number for your ISP in the Primary
Phone Number field. (You may optionally enter a secondary number in the Secondary Phone
Number field).
6. Enter the user account in the User field and the password in the Password field. Confirm the password by
entering it again in the Confirm field.
7. Select the Dial Retries per Phone Number radio button and enter the value 1. Leave the other
settings at default.
8. Click the Update button on the bottom of the page to save the profile.


9. Next, click on the Configure tab to select a profile and set up failover options.
10. From the Primary Profile drop-down box, select the profile created in the previous step.
11. In the Failover Settings section, select the Enable WAN Failover radio button and the Preempt
Mode radio button.
12. Select the Enable Probing radio button and select Ethernet Only from the Probe through drop-down box.
13. Click the Update button on the bottom of the page to save the settings.

NetScreen Setup: Create a Local LAN IP Subnet Object in Address Book-Trusted
1. Log into the NetScreen device management interface using a current web browser.



2. From the menu on the left, navigate to Objects > Addresses > List. From the Zone drop-down box on top,
select Trust. There should be an object labeled NetScreen_lan_subnet containing the LAN IP subnet.

3. If this object does not appear, click on the New button on the top.
4. In the Address Name field, enter in NetScreen_lan_subnet.
5. In the IP Address/Domain Name field, enter in the NetScreen device's LAN IP subnet.
6. In the Netmask field, enter in the subnet mask for the NetScreen device's LAN IP subnet.
7. From the Zone drop-down box, select Trust.
8. Click on the OK button to save. Repeat this section three times for a total of four trusted network objects.


NetScreen Setup: Create a Remote LAN IP Subnet Object in Address Book - Untrusted
1. From the menu on the left, navigate to Objects > Addresses > List.
2. From the Zone drop-down box on top, select Untrust. Click on the New button on the top.
3. In the Address Name field, enter in sonicwall_lan. In the IP Address/Domain Name field, enter in
the SonicWALL device's LAN IP subnet.
4. In the Netmask field, enter in the subnet mask for the SonicWALL device's LAN IP subnet.
5. From the Zone drop-down box, select Untrust.
6. Click on the OK button to save. Repeat this section for the second SonicWALL LAN subnet.

NetScreen Setup: Create a Custom Phase One Policy in the VPN Section
1. From the menu on the left, navigate to VPNs > Autokey Advanced > P1 Proposal.
2. Click on the New button on the top. In the Name field, enter in sonicwall.
3. From the Authentication Method drop-down box, select Preshare.
4. From the DH Group drop-down box, select Group 2.
5. From the Encryption Algorithm drop-down box, select 3DES-CBC.
6. In the Lifetime field, enter in 28800 and then select the Sec radio button directly under the field.
7. Click OK.


NetScreen Setup: Create a Custom Phase Two Policy in the VPN Section
1. From the menu on the left, navigate to VPNs > Autokey Advanced > P2 Proposal tab.
2. Click the New button on the top.
3. In the Name field, enter in sonicwall.
4. From the Perfect Forward Secrecy drop-down box, select NO-PFS.
5. Under Encapsulation, select the Encryption (ESP) radio button.
6. From the Encryption Algorithm drop-down box, select 3DES-CBC.
7. From the Authentication Algorithm drop-down box directly under that, select MD-5.
8. In the Lifetime In Time field, enter in 28800. Select the Sec radio button directly under the dialog
box.
9. Click OK.



NetScreen Setup: Create a Gateway Object in the VPN Section
1. From the menu on the left, navigate to VPNs > Autokey Advanced > Gateway.
2. Click on the New button on the top.
3. In the Gateway Name field, enter in sonicwall. Under Security Level select the Custom radio
button.
4. For Remote Gateway Type choose the Dynamic IP Address radio button.
5. For the Peer ID field enter sonicwall@yourcompany.com.
6. In the Preshared Key field, enter in the shared secret you wish to use for the VPN tunnel to the
SonicWALL device.
7. For the Local ID field enter NetScreen.yourcompany.com.
8. Then click on the Advanced button on the bottom.
9. Under Security Level subsection User Defined choose the Custom radio button.
10. From the Phase 1 drop-down box, select the phase one proposal created earlier, named sonicwall.
11. Click on the Return button and then the OK button to save.



NetScreen Setup: Create an Autokey IKE Object in the VPN Section
1. From the menu on the left, navigate to VPNs > Autokey IKE.
2. Click on the New button on the top. In the VPN Name field, enter to_sonicwall.
3. For Security Level click the Custom radio button. Under the Remote Gateway section, choose
sonicwall from the drop-down box.
4. Click on the Advanced button on the bottom.
5. Under Security Level subsection User Defined choose the Custom radio button.
6. From the Phase 2 Proposal drop-down box, select the phase two proposal created earlier, named sonicwall.
7. Click on the Return button and then the OK button to save.


NetScreen Setup: Create Outgoing and Incoming Access Rules
1. From the menu on the left, navigate to Policies.
2. On the top, select Trust in the From drop-down box and Untrust in the To drop-down box.
3. Click on the New button on the top.

4. The four LAN subnets behind the NetScreen will need separate policies for both SonicWALL LAN
subnets, so eight policies will be needed. In the Name (optional) field, enter in a name if desired.
5. In the Source Address section, select the Address Book Entry radio button and from the drop-down
box select NetScreen_lan_subnet.
6. In the Destination Address section, select the Address Book Entry radio button and from the
drop-down box select sonicwall_lan.
7. Select Tunnel from the Action drop-down box.
8. Under the Tunnel section, select to_sonicwall from the VPN drop-down box. Select the radio button
next to Modify matching bidirectional VPN policy to create a matching policy for inbound traffic.
Select the Logging radio button to enable logging.

9. Click the OK button to save. Repeat this section until all eight policies have been created.

NetScreen to Sonicwall_lan policies
Testing
From the management consoles of both the SonicWALL and NetScreen, verify the active VPN
tunnels.
Pass traffic between all subnets to verify tunnel operation.
Disconnect the WAN connection on the SonicWALL to verify the automated fail-over. When the
modem takes over the WAN connection, verify that traffic is again flowing.
Reconnect the WAN connection. Verify that the modem disconnects and that the WAN connection
becomes active; verify that traffic is again flowing.
If the environment allows downtime, reboot both the SonicWALL and NetScreen appliance and verify
that the tunnels re-establish; verify that traffic is flowing.
Troubleshooting
Create a diagram of the network. Include all network information and security association parameters.
Include desired traffic flows. Be as specific as possible. When the diagram is complete, compare it
with the configuration of each device. Verify that the configuration of each device is consistent with
the diagram. This exercise should rule out most common configuration errors. The diagram is also
good documentation.
Verify that Aggressive Mode is used on both sides of the tunnel. The SonicWALL has an unknown
IP address due to the modem fail-over capability. For the configuration to fully function, the
SonicWALL must be considered to have a dynamic IP address even if the normal WAN IP address is
static.
Verify that each subnet pair has the correct policies. Due to the separate Phase 2 exchanges for
each subnet pair, a large number of policies can be required and each must be correct to properly
function.
Verify that all IPSec Security Association parameters match. Verify that the Security Policy parameters match.
Verify that the VPN destination network parameters match. Verify the modem parameters. Verify that the
objects created match. This may sound repetitive, but one error can cause the configuration not to
work.
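As an added example (not part of this technote, and not SonicWALL or NetScreen code), the Python below encodes the interoperability rules from the Caveats section and the "verify everything matches" advice of the Troubleshooting section: it compares two constructed sets of peer settings, flags an ID_USER_FQDN peer ID with no "@", checks that both NetScreen proposal lifetimes equal the single SonicWALL SA Lifetime, and expands the subnet pairs into the per-pair NetScreen policies (four local by two remote gives eight). The subnet values and the dictionary key names are constructed for illustration only.

```python
import re
from itertools import product

# Constructed sample settings for the two peers, mirroring the values this technote
# uses: aggressive mode, DH group 2, 3DES/MD5 in both phases, no PFS, 28800 s lifetime.
SONICWALL = {
    "exchange": "aggressive", "dh_group": 2, "pfs": False,
    "p1": ("3des", "md5"), "p2": ("3des", "md5"),
    "lifetime": 28800,                       # one SA Lifetime field covers both phases
    "ufi": "snwl@notreal.com",               # sent as ID_USER_FQDN in aggressive mode
    "sa_name": "NetScreen.yourcompany.com",  # must equal the NetScreen Local ID
    "subnets": ["10.1.0.0/24", "10.2.0.0/24"],          # constructed
}
NETSCREEN = {
    "exchange": "aggressive", "dh_group": 2, "pfs": False,
    "p1": ("3des", "md5"), "p2": ("3des", "md5"),
    "p1_lifetime": 28800, "p2_lifetime": 28800,
    "peer_id": "snwl@notreal.com", "local_id": "NetScreen.yourcompany.com",
    "subnets": ["10.3.0.0/24", "10.4.0.0/24", "10.5.0.0/24", "10.6.0.0/24"],  # constructed
}

def user_fqdn_ok(value):
    """NetScreen expects an '@' in an ID_USER_FQDN peer ID; a bare UFI is rejected."""
    return re.fullmatch(r"[^@\s]+@[^@\s]+", value) is not None

def check_interop(sw, ns):
    """Return the mismatches the Troubleshooting section tells you to look for."""
    problems = []
    for key in ("exchange", "dh_group", "pfs", "p1", "p2"):
        if sw[key] != ns[key]:
            problems.append(f"{key}: SonicWALL={sw[key]} NetScreen={ns[key]}")
    if sw["exchange"] != "aggressive":
        problems.append("exchange: Aggressive Mode is required, the WAN IP is dynamic on failover")
    if not (sw["lifetime"] == ns["p1_lifetime"] == ns["p2_lifetime"]):
        problems.append("lifetime: NetScreen P1 and P2 lifetimes must equal the SonicWALL SA Lifetime")
    if not user_fqdn_ok(sw["ufi"]):
        problems.append(f"peer id: UFI {sw['ufi']!r} has no '@', use an email-style value")
    if sw["ufi"] != ns["peer_id"]:
        problems.append("peer id: NetScreen Peer ID must equal the SonicWALL UFI")
    if ns["local_id"] != sw["sa_name"]:
        problems.append("local id: SonicWALL SA name must equal the NetScreen Local ID")
    return problems

def netscreen_policies(ns, sw, vpn="to_sonicwall"):
    """One Trust->Untrust tunnel policy per (local, remote) subnet pair, because the
    NetScreen negotiates each pair as its own phase 2; the SonicWALL needs a single SA."""
    return [(local, remote, vpn) for local, remote in product(ns["subnets"], sw["subnets"])]
```

Running check_interop on the constructed settings returns an empty list, and netscreen_policies lists the eight policies the validation platform needed.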
Created: March 4, 2004
Updated: June 12, 2004
Version 1.1
