Step 2: Configuring a SonicWall IPSec Tunnel

Jamf Connect Documentation


Important:

As with any router changes, Jamf strongly recommends that you configure these settings with care and possibly in a pre-production environment to avoid unintended service interruptions.

  1. Configure a Jamf Security Cloud VPN policy:
    1. Log in to your SonicWall router with administrator credentials.
    2. Navigate to VPN > Settings.
    3. Under the VPN Policies section, click Add.
    4. In the General tab, for Authentication Method, select "IKE using Preshared Secret".
    5. For Name enter an easily identified name.
    6. Set IPsec Primary Gateway Name or Address and IPsec Secondary Gateway Name or Address to 0.0.0.0. With a 0.0.0.0 gateway the firewall does not initiate the tunnel; it waits for Jamf Security Cloud to connect and accepts the negotiation from any source address, so the peer is identified only by the shared secret and the Peer IKE ID configured below.
    7. Under IKE Authentication in Shared Secret and Confirm Shared Secret, paste in the Pre-Shared Key created when configuring the IPSec interconnect in Jamf Security Cloud.
    8. For Local IKE ID, select Domain Name then enter the Customer IKE Domain ID value specified when setting up the IPSec interconnect in Jamf Security Cloud.
    9. For Peer IKE ID, select Domain Name then enter wpa.wandera.com.
    10. Click the Network tab at the top of the window.
    11. Under Local Networks select the address object or address group that defines the subnets that your servers, applications, or workloads reside on.
      Important:

      If you set the Customer Subnet in the IPSec interconnect wizard in Jamf Security Cloud to 0.0.0.0/0, you can select any address object or address group.

      Otherwise, the networks selected in Local Networks must match all Customer Subnets defined in Jamf Security Cloud.

    12. For Destination Networks, select Create new address object.
    13. In the window that appears, configure the following:
      • Name: A name for the Jamf-side network; for example, JamfClientIPs.
      • Zone Assignment: Typically VPN, but you may need to specify a different zone based on your router configuration.
      • Type: Select Network.
      • Network: The network address defined in the Jamf Subnet configuration in Jamf Security Cloud. The example Jamf recommends is 192.168.233.0/24, but you can get the actual value from the IPSec interconnect's View infographic.
      • Netmask: The subnet mask for the above network as submitted in Jamf Security Cloud. A /24 subnet is represented as 255.255.255.0.
    14. Save the network object and select it as the Destination Network in the VPN policy window.
    15. Click the Proposals tab at the top of the window.
    16. Under IKE (Phase 1), configure the fields as follows:
      • Exchange: IKEv2 Mode
      • DH Group: Group 14
      • Encryption: AES-256
      • Authentication: SHA512
      • Lifetime (Seconds): 28800
    17. Under IPSec (Phase 2), configure the fields as follows:
      • Protocol: ESP
      • Encryption: AES-256
      • Enable Perfect Forward Secrecy: Yes (checked)
      • DH Group: Group 14
      • Lifetime (Seconds): 28800

      Every proposal value must match the IPSec interconnect in Jamf Security Cloud exactly; a difference in any one field is the most common reason a tunnel never becomes active.
    18. Select the Advanced tab at the top of the screen.
    19. Check Enable Keep Alive.
    20. Ensure VPN Policy Bound To is set to Zone WAN (or to whichever zone carries your Internet-facing connections, per your firewall configuration).
    21. Click OK to create the VPN policy.
    22. Check the Enabled box for the VPN policy that appears.

      If your configuration is successful, an entry for the VPN policy will appear in the Currently Active VPN Tunnels section.

  2. If you set the IPsec Primary Gateway Name or Address field to 0.0.0.0, you must also configure the Incoming IKEv2 ciphers, because these global settings govern IKEv2 tunnels that SonicOS accepts from any address:
    Important:

    Changing this configuration may impact existing IKEv2 tunnels that connect from any IP address. Fixed IP tunnels are not affected. Review your other VPN connections before making this change.

    1. Navigate to VPN > Advanced Settings.
    2. Under IKEv2 Settings, click Configure.
    3. In the window that appears, configure the following settings to match the equivalent settings in Jamf Security Cloud:
      • DH Group: Group 14
      • Encryption: AES-256
      • Authentication: SHA512
    4. Click OK to save the configuration.
  3. Create and configure an Access Rule:
    Note:
    • SonicOS normally creates access rules for a VPN policy automatically. If none appears (for example, because Suppress automatic Access Rules creation for VPN Policy is checked on the policy's Advanced tab), you must define a rule that allows traffic from the Jamf Security Cloud network to your servers and applications before traffic will flow through the tunnel.

    • These settings assume you are using typical zone configurations. Modify your access rule details as required.

    1. Navigate to Firewall > Access Rules.
    2. Click Add.
    3. In the window that appears, configure the access rule as follows:
      • Action: Allow
      • From Zone: VPN
      • To Zone: LAN
      • Service: Any (the broadest setting; once the tunnel is working, narrow this to the services your applications actually use)
      • Source: The Jamf address object you created earlier; for example, JamfClientIPs.
      • Destination: The network address object or group selected as Local Networks in the VPN policy above.
      • Users Allowed: All
      • Schedule: Always on
    4. Click OK to save the access rule.

The secure connection is created. It can take up to 10 minutes for connectivity to be established.

If the VPN does not appear in the Active VPN tunnels section, check the logs in the SonicWall interface and filter by VPN.

Common errors include:

  • A mismatch in cipher selection between Jamf Security Cloud and SonicOS for the IPSec/IKEv2 tunnel. Compare the Proposals tab and the Incoming IKEv2 settings field by field against the interconnect in Jamf Security Cloud.

  • If the Country Restriction feature is enabled, Jamf IPs may be classified as Unknown and therefore denied. Add the Jamf IP address object(s) to the Country and Botnet Exclusions address group to resolve this.
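The two mistakes that most often keep this tunnel from coming up are a proposal that differs from the Jamf side and a Local Networks selection that does not match the Customer Subnets. The following Python script is an added example, not Jamf's or SonicWall's code: it does not talk to the firewall, it checks the values you are about to enter against the rules stated in the procedure. The expected-proposal table simply transcribes the values from the Proposals step; the subnets, the SHA256 slip and the forgotten subnet in the sample run are constructed placeholders.

```python
"""Pre-flight checks for the SonicOS side of a Jamf Security Cloud IPsec tunnel.

Added example, not Jamf's or SonicWall's code. All sample values are
constructed placeholders; take the real ones from the IPSec interconnect
wizard in Jamf Security Cloud and from your SonicOS VPN policy.
"""
import ipaddress

# The proposal the procedure configures under Proposals (Phase 1 / Phase 2).
# The DH group, encryption and authentication values are also what the
# Incoming IKEv2 settings under VPN > Advanced Settings must carry when the
# gateway is 0.0.0.0.
EXPECTED_PROPOSAL = {
    "ike": {"exchange": "IKEv2 Mode", "dh_group": "Group 14",
            "encryption": "AES-256", "authentication": "SHA512",
            "lifetime": 28800},
    "ipsec": {"protocol": "ESP", "encryption": "AES-256", "pfs": True,
              "dh_group": "Group 14", "lifetime": 28800},
}


def proposal_mismatches(configured):
    """Diff a {phase: {field: value}} dict against EXPECTED_PROPOSAL.

    Returns one 'phase.field: got X, expected Y' line per difference; an
    empty list means the SonicOS side agrees with what Jamf expects.
    """
    problems = []
    for phase, fields in EXPECTED_PROPOSAL.items():
        for field, want in fields.items():
            got = configured.get(phase, {}).get(field)
            if got != want:
                problems.append(f"{phase}.{field}: got {got!r}, expected {want!r}")
    return problems


def _order(net):
    # Sort key that keeps IPv4 and IPv6 networks from being compared directly.
    return (net.version, net)


def local_network_mismatches(customer_subnets, local_networks):
    """Apply the Local Networks rule from the Network tab.

    customer_subnets: the Customer Subnets entered in the Jamf wizard.
    local_networks:   the subnets of the address object/group selected
                      under Local Networks in SonicOS.
    If any Customer Subnet is 0.0.0.0/0 the selection is unconstrained;
    otherwise the two sets must be identical.
    """
    customer = {ipaddress.ip_network(s, strict=True) for s in customer_subnets}
    if ipaddress.ip_network("0.0.0.0/0") in customer:
        return []
    local = {ipaddress.ip_network(s, strict=True) for s in local_networks}
    problems = [f"Customer Subnet {n} is missing from Local Networks"
                for n in sorted(customer - local, key=_order)]
    problems += [f"Local Networks includes {n}, which is not a Customer Subnet"
                 for n in sorted(local - customer, key=_order)]
    return problems


def sonicos_network_object(cidr):
    """Split a CIDR into the (Network, Netmask) pair the address-object form
    asks for, e.g. 192.168.233.0/24 -> ('192.168.233.0', '255.255.255.0')."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


if __name__ == "__main__":
    # Constructed sample: Phase 1 authentication left at SHA256 by mistake,
    # and one Customer Subnet forgotten in the SonicOS address group.
    sonicos_policy = {
        "ike": {"exchange": "IKEv2 Mode", "dh_group": "Group 14",
                "encryption": "AES-256", "authentication": "SHA256",
                "lifetime": 28800},
        "ipsec": {"protocol": "ESP", "encryption": "AES-256", "pfs": True,
                  "dh_group": "Group 14", "lifetime": 28800},
    }
    customer_subnets = ["10.10.0.0/16", "192.168.50.0/24"]  # from the Jamf wizard
    local_networks = ["10.10.0.0/16"]                       # selected in SonicOS
    for line in (proposal_mismatches(sonicos_policy)
                 + local_network_mismatches(customer_subnets, local_networks)):
        print("MISMATCH:", line)
    print("Jamf-side address object:", sonicos_network_object("192.168.233.0/24"))
```

Run it before clicking OK on the policy; an empty mismatch list for both checks means the proposal and the Local Networks selection satisfy the rules above, and the Network/Netmask pair it prints is what goes into the JamfClientIPs address object.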