Setup Sonicwall VPN

Configuring Aggressive Mode Site to Site VPN between SonicOS and SonicOS Enhanced (Dynamic WAN IP on one side)

This article will detail all the steps necessary to create a working IKE IPSec VPN tunnel between a SonicWALL security appliance running SonicOS and a SonicWALL security appliance running SonicOS Enhanced, using Aggressive Mode.

The SonicWALL, when negotiating Aggressive Mode VPN tunnels, uses the ‘Unique Firewall Identifier’ or serial number as its identity. The side that has dynamic IP will be identified by the other side through its UFI. In SonicOS Enhanced it’s controlled by setting the Local and Peer IKE ID’s in the VPN policy’s ‘General’ tab. For an example, see screenshot below. Unique Firewall Identifier

Make sure the Local IKE ID is the UFI of the local SonicWALL and the Remote IKE ID is the UFI of the remote SonicWALL.

Remote Site LAN Address ObjectConfigure SonicOS Enhanced VPN settings (central site)

  • Log into the SonicWALL Management interface of the central site Sonicwall.
  • Navigate to the Network > Address Objects page.
  • Create a new Address Object named "Remote Site LAN" with details as per the screenshot: 


  • Navigate to the VPN > Settings page.
  • Create a VPN policy with details as per the following screenshots.




    Alert: The Proposals on Site A and Site B must be the same for establishing a successful VPN connection





Configure SonicOS Enhanced VPN settings (remote site)

  • Log into the SonicWALL Management interface of the remote site Sonicwall.
  • Navigate to the VPN > Settings page.
  • Click on the Add button under the VPN Policies section.
  • Create a VPN policy with details as per the following screenshots.
  • When done click on the OK button to save the settings.






How to Test:

From a system behind the remote site SonicWALL, attempt to connect to a network resource behind the central site, or ping the central site SonicWALL’s LAN interface IP address.

Once you’ve done this, log into the remote site SonicWALL’s management GUI and check the ‘VPN > Settings’ page. You should see the active VPN tunnel listed. On the remote site, you should see that the tunnel has negotiated with the Primary IPSec gateway.

If the tunnel does not negotiate successfully, check the SonicWALL’s log on the ‘Log > View’ page to see if there are any error messages for VPN negotiation. If the tunnel is not negotiating and there are error messages displayed, go over the settings on both side to make sure that they match and attempt to bring the tunnel up again.