Jeff
Jeff Cloud Systems Architect
1 min read / TL;DR

Configure Ubuquiti Edge Router VPN with SonicWall

Configure Ubuquiti Edge Router VPN with SonicWall

How to Setup a VPN between Ubiquiti Edge Router and SonicWall Devices


I just spent all day trying to setup a new VPN connection between a Ubiquiti Edge Router Light (ERL) and a SonicWALL TZ210. While there are several articles and blogs out there which pointed me in the right direction, I still encountered issues. I wanted to jot down my notes before I forget them.

I started off by following a now deleted wiki article from Ubiquiti’s wiki site. In this example, I will use the following IP Address

Local Site Public IP: 1.1.1.1
Local Site Private IP: 192.168.1.0/24
Remote Site Public IP: 2.2.2.2
Remote Site Private IP: 10.10.1.0/24

Ubiquiti ERL Configuration – Local Site

ubnt@ubnt:~$ configure
[edit]
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN compression disabled
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN lifetime 3600
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN mode tunnel
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN pfs disable
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN proposal 1
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN proposal 1 encryption aes128
ubnt@ubnt# set vpn ipsec esp-group ESPSonicWallVPN proposal 1 hash sha1
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN lifetime 28800
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1 dh-group 2
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1 encryption aes128
ubnt@ubnt# set vpn ipsec ike-group IKESonicWallVPN proposal 1 hash sha1
ubnt@ubnt# set vpn ipsec ipsec-interfaces interface eth0
ubnt@ubnt# set vpn ipsec logging log-modes all
ubnt@ubnt# set vpn ipsec logging log-modes control
ubnt@ubnt# set vpn ipsec nat-traversal enable
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 local-address 1.1.1.1
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret mysecretvpnkey1010
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 connection-type initiate
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group ESPSonicWallVPN
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 ike-group IKESonicWallVPN
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 allow-nat-networks disable
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 allow-public-networks disable
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 esp-group ESPSonicWallVPN
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 192.168.1.0/24
ubnt@ubnt# set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 10.10.1.0/24
ubnt@ubnt# commit
ubnt@ubnt# save
ubnt@ubnt# quit

SonicWall Configuration Log into the web management of your SonicWall device and click VPN, then click “Add…”

General

Policy Type: Site to Site
Authentication Method: IKE using Preshared Secret
Name: Any name you want
IPsec Primary Gateway Name or Address: Public IP of your Ubiquiti
IPsec Secondary Gateway Name or Address: Blank
Shared Secret: mysecretvpnkey1010
Confirm Shared Secret: mysecretvpnkey1010
Local IKE ID: IP Address – Public IP Of your SonicWall
Peer IKE ID: IP Address – Public IP Of your Ubiquiti

Network

Choose local network form list: Firewalled Subnets
Choose destination network from list: Ubiquity LAN Network

Proposals

Ike (Phase 1) Proposal

Exchange: Main Mode
DH Group: Group 2
Encryption: AES-128
Authentication: SHA1
Lime Time (seconds): 28800
Ike (Phase 2) Proposal

Protocol: ESP
Encryption: AES-128
Authentication: SHA1
Uncheck Perfect Forward Secrecy
Life Time (seconds): 3600

Advanced Leave everything unchecked and set the VPN Policy Bound to dropdown to your WAN interface name

Troubleshooting After configuring both devices, I saw that the tunnel came online but was not passing any traffic. After hours of playing around, I finally found the setting in the Ubiquiti device.

Log into the Ubiquiti through the web portal (default username is ubnt, default password is ubnt) Click the “Config Tree” menu item in the top right In the left menu tree, expand “vpn->ipsec” The “auto-update” field was blank on my device. After entering 3600 in the field and saving the config, data started to flow.