Configuration

In this example, a site-to-site VPN is configured between two TZ 200 appliance, with the following settings:

Local TZ 200 (home):
WAN IP: 10.50.31.150
LAN subnet: 192.168.61.0
Mask 255.255.255.0

Remote TZ 200 (office):
WAN IP: 10.50.31.104
LAN subnet: 192.168.15.0
Mask: 255.255.255.0

Authentication Method: IKE using a Pre-Shared Key
Phase 1 Exchange: Main Mode
Phase 1 Encryption: 3DES
Phase 1 Authentication SHA1
Phase 1 DH group: 2
Phase 1 Lifetime: 28800
Phase 2 Protocol: ESP
Phase 2 Encryption: 3DES
Phase 2 Authentication: SHA1
Phase 2 Lifetime: 28800
No PFS

1
In configure mode, create an address object for the remote network, specifying the name, zone assignment, type, and address. In this example, we use the name OfficeLAN:

(config[TZ200]> address-object Office LAN
(config-address-object[OfficeLAN])>

* 
NOTE: The prompt has changed to indicate the configuration mode for the address object.

(config-address-object[OfficeLAN])> zone VPN
(config-address-object[OfficeLAN])> network 192.168.15.0 255.255.255.0
(config-address-object[OfficeLAN])> finished

2
To display the address object, type the command show address-object [name]:

TZ200 > show address-object OfficeLAN

The output will be similar to the following:

address-object OfficeLAN
network 192.168.15.0 255.255.255.0
zone VPN

3
To create the VPN policy, type the command vpn policy [name] [authentication method]:

(config[TZ200])> vpn policy OfficeVPN pre-shared
(config-vpn[OfficeVPN])>

* 
NOTE: The prompt has changed to indicate the configuration mode for the VPN policy. All the settings regarding this VPN will be entered here.
4
Configure the Pre-Shared Key. In this example, the Pre-Shared Key is SonicWALL:

(config-vpn[OfficeVPN])> pre-shared-secret SonicWALL

5
Configure the IPsec gateway:

(config-vpn[OfficeVPN])> gw ip-address 10.50.31.104

6
Define the local and the remote networks:

(config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
(config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"

7
Configure the IKE and IPsec proposals:

(config-vpn[OfficeVPN])> proposal ike main encr triple-des auth sha1 dh 2 lifetime 28800
(config-vpn[OfficeVPN])> proposal ipsec esp encr triple-des auth sha1 dh no lifetime 28800

8
In the Advanced tab in the UI configuration, enable keepalive on the VPN policy:

(config-vpn[OfficeVPN])> advanced keepalive

9
To enable the VPN policy, use the command vpn enable “name” :

(config[TZ200])> vpn enable "OfficeVPN"

10
Use the finished command to save the VPN policy and exit from the VPN configure mode:

(config-vpn[OfficeVPN])> finished
(config[TZ200])>

The configuration is complete.

* 
NOTE: The command prompt goes back to the configure mode prompt.