# SonicWall

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration:**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of your SonicWall
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 14 - modp2048
* **Diffie-Hellman Groups (Phase 2)** - 14 - modp2048
{% endhint %}

## Step 2 - Creating new address objects

Log in to your SonicWall device, and go to **Object** > **Match Objects** > **Addresses** > **Address Objects**. Click **+ Add**.

{% hint style="info" %}
You have to create **two** objects - **gateway** and **subnet**.
{% endhint %}

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F9RWnNrZVffTuacAqsGfl%2FBranch_Connector_SonicWall_01.png?alt=media&#x26;token=94998003-945b-4d48-b819-2152cc55e533" alt="Router&#x27;s graphical user interface (GUI) highlighting key steps to creating a new address object."><figcaption><p>Creating a new address object</p></figcaption></figure>

### Gateway

* **Name** - Give the object a name
* **Zone Assignment** - VPN
* **Type** - Host
* **IP Address** - IP of your GoodAccess Gateway

Click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FkKmvo30O0lYhH04pyTz0%2FBranch_Connector_SonicWall_02.png?alt=media&#x26;token=4a5caa2c-b1fa-4a9d-b1a2-31254073cf5c" alt="Router&#x27;s graphical user interface (GUI) highlighting key steps to configuring the Gateway address object."><figcaption><p>Setting up the Gateway address object</p></figcaption></figure>

### Subnet

* **Name** - Give the object a name
* **Zone Assignment** - VPN
* **Type** - Network
* **Network** - Subnet of your GoodAccess Gateway
* **Netmask / Prefix Length** - Subnet Mask of your GoodAccess Gateway

Click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FIfKZzlB80I0sZmilto2l%2FBranch_Connector_SonicWall_03.PNG?alt=media&#x26;token=1253122e-1240-4e8e-911e-9ac11ad341d2" alt="Router&#x27;s graphical user interface (GUI) highlighting key steps to configuring the Subnet address object."><figcaption><p>Setting up the Subnet address object</p></figcaption></figure>

## Step 3 - Creating a new site-to-site connection

Go to **Network** > **IPSec VPN** > **Rules and Settings** > **Policies** > **IPv4**, and click **+ Add**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FtIDK4poaBzbdgJbN0FUv%2FBranch_Connector_SonicWall_04.png?alt=media&#x26;token=e83be73e-b5fb-47a1-8f45-1a4e4cbdc65c" alt="Router&#x27;s graphical user interface (GUI) highlighting key steps to creating a new site-to-site connection."><figcaption><p>Creating a new site-to-site connection</p></figcaption></figure>

### General

#### Security Policy

* **Policy Type** - Site to Site
* **Authentication Method** - IKE Using Preshared Secret
* **Name** - Give the connection a name
* **IPsec Primary Gateway Name or Address** - IP of your GoodAccess Gateway

#### IKE Authentication

* **Shared Secret / Confirm Shared Secret** - Shared Secret [(Step 1)](#step-1-creating-a-new-branch-connection)
* **Local IKE ID** - IPv4 Address + IP of your SonicWall
* **Peer IKE ID** - IPv4 Address + IP of your GoodAccess Gateway

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F7Gs4NR8iZWbOiQrn9X5G%2FBranch_Connector_SonicWall_05.png?alt=media&#x26;token=3bb24b31-165b-454b-8ea9-a8681c59f7a1" alt="Router&#x27;s graphical user interface (GUI) showing the configuration of the General section of a VPN policy."><figcaption><p>Setting up the General section</p></figcaption></figure>

### Network

#### Local Networks

* **Choose local network from list** - Select the local network you want to access with GoodAccess

#### Remote Networks

* **Choose destination network from list** - Select your [Subnet address object](#subnet)

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F5NWoeSoB8rfKlka0ipdl%2FBranch_Connector_SonicWall_06.png?alt=media&#x26;token=e6f7d39e-4b16-433f-b31a-f6d99b2c4843" alt="Router&#x27;s graphical user interface (GUI) showing the configuration of the Network section of a VPN policy."><figcaption><p>Setting up the Network section</p></figcaption></figure>

### Proposals

{% hint style="info" %}
These settings must match the configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection).
{% endhint %}

#### IKE (Phase 1) Proposal

* **Exchange** - IKEv2 Mode
* **DH Group** - Group 14
* **Encryption** - AES-256
* **Authentication** - SHA256
* **Life Time (seconds)** - IKE Lifetime (Phase 1)

#### IPSec (Phase 2) Proposal

* **Protocol** - ESP
* **Encryption** - AES-256
* **Authentication** - SHA256
* **Enable Perfect Forward Secrecy**
* **DH Group** - Group 14
* **Life Time (seconds)** - Tunnel Lifetime (Phase 2)

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FUlmdB66wCNtxRzpjLZ6I%2FBranch_Connector_SonicWall_07.png?alt=media&#x26;token=59ce8ed1-e441-4e28-9469-0547dc587d60" alt="Router&#x27;s graphical user interface (GUI) showing the configuration of the Proposals section of a VPN policy."><figcaption><p>Setting up the Proposals section</p></figcaption></figure>
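
The two interfaces write the same proposal values differently (`aes256` vs. `AES-256`, `14 - modp2048` vs. `Group 14`, a lifetime in hours vs. seconds), so a mismatch is easy to overlook. The following added example (not part of the GoodAccess or SonicWall products or documentation) normalizes both notations and lists every parameter that differs; the dictionary keys and the SonicWall sample values are constructed for illustration.

```python
import re

# GoodAccess side: values as written in the Step 1 example on this page.
GOODACCESS = {
    "ike_lifetime": "8 hours (28800 seconds)",
    "tunnel_lifetime": "1 hour (3600 seconds)",
    "p1_encryption": "aes256", "p2_encryption": "aes256",
    "p1_integrity": "sha256", "p2_integrity": "sha256",
    "p1_dh": "14 - modp2048", "p2_dh": "14 - modp2048",
}

# SonicWall side: constructed sample with one deliberate mistake
# (the Phase 1 lifetime was typed into the Phase 2 field).
SONICWALL = {
    "ike_lifetime": "28800", "tunnel_lifetime": "28800",
    "p1_encryption": "AES-256", "p2_encryption": "AES-256",
    "p1_integrity": "SHA256", "p2_integrity": "SHA256",
    "p1_dh": "Group 14", "p2_dh": "Group 14",
}

def normalize(field, value):
    """Reduce either UI's spelling of a parameter to one comparable form."""
    v = value.strip().lower()
    if field.endswith("lifetime"):
        # Accept "8 hours (28800 seconds)" or a bare number of seconds.
        m = re.search(r"(\d+)\s*seconds", v) or re.fullmatch(r"(\d+)", v)
        if not m:
            raise ValueError(f"cannot read lifetime from {value!r}")
        return int(m.group(1))
    if field.endswith("dh"):
        # The first number is the group: "14 - modp2048", "group 14".
        m = re.search(r"\d+", v)
        if not m:
            raise ValueError(f"cannot read DH group from {value!r}")
        return int(m.group())
    return re.sub(r"[^a-z0-9]", "", v)  # "AES-256" -> "aes256"

def mismatches(a, b):
    """Return {field: (a_value, b_value)} for parameters that differ or are missing."""
    out = {}
    for field in sorted(set(a) | set(b)):
        if field not in a or field not in b:
            out[field] = (a.get(field), b.get(field))
        elif normalize(field, a[field]) != normalize(field, b[field]):
            out[field] = (a[field], b[field])
    return out

if __name__ == "__main__":
    for field, (ga, sw) in mismatches(GOODACCESS, SONICWALL).items():
        print(f"MISMATCH {field}: GoodAccess={ga!r} SonicWall={sw!r}")
```
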

### Advanced

* **Enable Keep Alive**

Click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F2oUHd1HhrDl3vBVuNnwI%2FBranch_Connector_SonicWall_08.png?alt=media&#x26;token=c52a91a6-c94b-4245-901b-c0888a1fc7ea" alt="Router&#x27;s graphical user interface (GUI) showing the configuration of the Advanced section of a VPN policy."><figcaption><p>Setting up the Advanced section</p></figcaption></figure>

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **SonicWall:** Go to **Network > IPSec VPN > Rules and Settings > Active Tunnels**.
{% endhint %}
