Configure a site-to-site VPN between two SonicWall TZ-215 UTM

    January 6th, 2021


    This tutorial will walk you through the setup of configuring two remote SonicWall TZ-215 Firewalls as a VPN bridge otherwise known as a site-to-site. A site-to-site VPN is used in instances where there are remote offices and you'd like to consilidate your network to one intranet instead of multiple. It can help mitigate against external threats and encrypt data across networks in a uniform fashion.


    To have this properly setup, between two FWs, you will want one FW to act as the master and one as the initiator. This configuration will work if you have a main intranet or are configuring tunnels between two branch offices.

    Step 1

    (Configuring Master FW)

    On the device you are considering as the "Master", login to the configuration page and head to VPN and then Settings.

    Ensure that Enable VPN is turned on and change the Unique Firewall Identifier to something that you can identify internally. Then click Accept. Make sure to write down the UFI that you named above as you will use it in the coming steps.

    Step 2

    (Configure VPN Policies)

    While logged into the VPN page, click add under VPN policies. For a site-to-site configuration, make sure you fill out as follows:
    Policy type:Site to Site
    Authentication method:IKE using pre-shared secret
    Name: This will be your chosen name of the OTHER firewall (not the master).
    Primary and Secondary Gateways: (Remember, this device is being configured as the "Master" so it will only listen and be passed the GW info from the initiator)
    Shared Secret: Generate a secure password that passes the modern password requirements rigor
    Local IKE ID: Select the UFI that you created for THIS SonicWall's name.
    Peer IKE ID: Select the initiator's UFI that you created.

    Step 3

    (Configure Network settings)

    Select the Network tab and under Choose local networks from the list, select LAN Subnets.

    Under Remote Networks, select Create New Adress Objectand fill in the info for the LAN at the other end of the VPN.

    Step 4

    (Configure IKE proposal)

    Click on Proposals and configure it as follows:

    IKE (Phase 1) Proposal
    Exchange: Aggressive Mode
    DH Group: Group 2
    Encryption: 3DES
    Authentication: SHA1
    Lifetime: 28800

    IPsec (Phase 2) Proposal
    Protocol: ESP
    Encryption: 3DES
    Enable Perfect Forward Secrecy Unchecked
    Life Time (seconds): 28800

    Step 5 

    (Configure Advanced Settings)

    The only thing checked should be Enable Phase2 Dead Peer Detection and it should be filled out with these settings:
    Dead Peer Detection Interval (seconds):180
    Failure Trigger Level (missed heartbeats): 3

    These other settings are needed as well
    Default LAN Gateway:
    VPN Policy bound to: Zone WAN
    Click Ok to save the settings.

    If you've followed this far and not fallen into some archaic error or sheer boredom then AWESOME! You have officially set things up....on one firewall. Next step is the other one with a few differences.

    Step 6

    (Configuring the "Iniatiator" firewall)

    So you're going to want to setup the other SonicWall just like the steps above but with these differences:

    On the VPN Policies page under General, you're going to want to keep the same settings except for the IPsec Primary Gateway Name or Address. You're going to want to enter the WAN IP address or FQDN of the Master firewall. Remember, the 2nd FW needs to know what it's connecting to.

    On the Network tab and under Remote Networks, make sure to choose the Master FW's LAN from the list.

    On the Advanced tab, the only change to make is the Enable Keep Alive

    Click on OK to save and you should be good to go!

    Was this article helpful?

    Send feedback

    Can’t find what you’re looking for?

    Pilot’s local support team is here for you.

    Contact Support