Configuring Aggressive Mode Site to Site VPN between SonicOS and SonicOS Enhanced (Dynamic WAN IP on one side)
This article will detail all the steps necessary to create a working IKE IPSec VPN tunnel between a SonicWALL security appliance running SonicOS and a SonicWALL security appliance running SonicOS Enhanced, using Aggressive Mode.
The SonicWALL, when negotiating Aggressive Mode VPN tunnels, uses the ‘Unique Firewall Identifier’ (UFI), which is its serial number, as its identity. The side with the dynamic WAN IP is identified by the other side through its UFI rather than through an IP address. In SonicOS Enhanced this is controlled by setting the Local and Peer IKE IDs in the VPN policy’s ‘General’ tab. For an example, see the screenshot below.
Make sure the Local IKE ID is the UFI of the local SonicWALL and the Remote IKE ID is the UFI of the remote SonicWALL.
Configure SonicOS Enhanced VPN settings (central site)
How to Test:
From a system behind the remote site SonicWALL, attempt to connect to a network resource behind the central site, or ping the central site SonicWALL’s LAN interface IP address.
Once you’ve done this, log into the remote site SonicWALL’s management GUI and check the ‘VPN > Settings’ page. You should see the active VPN tunnel listed. On the remote site, you should see that the tunnel has negotiated with the Primary IPSec gateway.
If the tunnel does not negotiate successfully, check the SonicWALL’s log on the ‘Log > View’ page to see if there are any error messages for VPN negotiation. If the tunnel is not negotiating and there are error messages displayed, go over the settings on both sides to make sure that they match (in particular, each side’s Local IKE ID must equal the other side’s Peer/Remote IKE ID, and the shared secret and proposals must be identical), then attempt to bring the tunnel up again.
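The identity-mirroring rule from the IKE ID section and the “go over the settings on both sides” troubleshooting step above can both be expressed as a mechanical cross-check of the two policy definitions. The following Python script is an added example for this article, not SonicWALL code and not output of any SonicOS page: the two policy records are constructed for illustration, the UFI values are placeholders, and the field names (shared_secret, phase1, wan_ip) are assumptions about what a site-to-site policy contains, chosen to match the settings the article tells you to compare.

```python
"""Cross-check both ends of a SonicWALL Aggressive Mode site-to-site VPN policy.

Added example: the records below are constructed for illustration. The UFI
strings are placeholders, not real serial numbers, and the field layout is an
assumption about what each VPN policy holds.
"""

# Central site: static WAN IP, identifies itself by its own UFI and expects the
# remote SonicWALL's UFI as the peer identity.
CENTRAL_SITE = {
    "name": "central-site",
    "local_ike_id": "UFI-CENTRAL-PLACEHOLDER",   # UFI / serial of the central unit
    "peer_ike_id": "UFI-REMOTE-PLACEHOLDER",     # UFI / serial of the remote unit
    "exchange_mode": "aggressive",
    "shared_secret": "placeholder-psk",          # constructed value
    "phase1": {"encryption": "AES-256", "authentication": "SHA1", "dh_group": 2},
    "wan_ip": "203.0.113.10",                    # documentation address (RFC 5737)
}

# Remote site: dynamic WAN IP, so there is no fixed address to enter on the
# central side; the UFI is what the central site recognises it by.
REMOTE_SITE = {
    "name": "remote-site",
    "local_ike_id": "UFI-REMOTE-PLACEHOLDER",
    "peer_ike_id": "UFI-CENTRAL-PLACEHOLDER",
    "exchange_mode": "aggressive",
    "shared_secret": "placeholder-psk",
    "phase1": {"encryption": "AES-256", "authentication": "SHA1", "dh_group": 2},
    "wan_ip": None,
}


def check_policy_pair(a, b):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    problems = []

    # Identity must be mirrored: what A calls itself is what B expects as its peer,
    # and vice versa. A one-character difference here stops negotiation.
    if a["local_ike_id"] != b["peer_ike_id"]:
        problems.append(
            f"{b['name']} peer IKE ID {b['peer_ike_id']!r} does not match "
            f"{a['name']} local IKE ID {a['local_ike_id']!r}"
        )
    if b["local_ike_id"] != a["peer_ike_id"]:
        problems.append(
            f"{a['name']} peer IKE ID {a['peer_ike_id']!r} does not match "
            f"{b['name']} local IKE ID {b['local_ike_id']!r}"
        )

    # Both ends must use the same exchange mode and the same pre-shared secret.
    if a["exchange_mode"] != b["exchange_mode"]:
        problems.append("exchange mode differs between the two sides")
    if a["shared_secret"] != b["shared_secret"]:
        problems.append("shared secret differs between the two sides")

    # Phase 1 proposals must agree field by field; report every differing field.
    for key in sorted(set(a["phase1"]) | set(b["phase1"])):
        if a["phase1"].get(key) != b["phase1"].get(key):
            problems.append(
                f"phase 1 {key}: {a['name']}={a['phase1'].get(key)!r} "
                f"{b['name']}={b['phase1'].get(key)!r}"
            )

    # At least one side needs a static WAN IP, otherwise neither gateway can be
    # entered as the peer address and the dynamic side has nowhere to initiate to.
    if a["wan_ip"] is None and b["wan_ip"] is None:
        problems.append("neither side has a static WAN IP to use as the peer gateway")

    return problems


if __name__ == "__main__":
    for line in check_policy_pair(CENTRAL_SITE, REMOTE_SITE) or ["both sides agree"]:
        print(line)
```

Run it after copying the values from both ‘General’ tabs into the two records; every line it prints is a setting to correct before trying to bring the tunnel up again. Because the remote side has no static address, the check only insists that one of the two sides has one, which is exactly the situation this article configures.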