The purpose of this document is to provide configuration steps for establishing a Site-to-Site tunnel between a Versa SD-WAN device and any third-party device using Versa Director. In this scenario, the customer intends to route all intranet traffic through the Site-to-Site tunnel (policy-based) towards the central firewall at their premises, while internet traffic will break out locally via the available DIA/BB link.


This deployment is designed for customers utilizing Versa Secure SD-WAN services for their branch offices while continuing to manage security requirements through their on-premises firewall. The design primarily targets SMB and mid-market segments, where Versa can be deployed either as a Secure SD-WAN solution or as a standalone NGFW/UTM platform for local breakout security.


This document focuses on policy-based IPSEC tunnel configuration between Versa and third-party firewall vendors. Many vendors also support route-based IPSEC, but in some cases it requires extensive changes to add tunnel interfaces and bind the IPSEC configuration to them. For large-scale deployments with many routes, policy-based IPSEC is not recommended: each traffic selector builds its own SA, and maintaining and managing those SAs across the deployment becomes difficult. Route-based IPSEC is the preferred approach there.


A key observation is that when one firewall is configured with policy-based IPSEC and the other with route-based IPSEC, the tunnel may fail to establish because of SA parameter mismatches in Phase 2. The traffic selectors are the usual culprit: a route-based peer typically proposes 0.0.0.0/0 on both sides, while the policy-based peer proposes its specific prefixes. In some cases the tunnel still comes up with the third-party firewall, but this leads to instability, as observed in customer deployments. Always configure the same type of IPSEC on both sides for operational stability.
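The following is an added example (not from the original page and not Versa or SonicWall product code) that checks the two sides of a tunnel for exactly the mismatches described above before the tunnel is brought up: IKE version, IKE IDs, Phase-1/Phase-2 proposals, tunnel type and mirrored traffic selectors. All addresses, prefixes and proposal values are constructed sample data.

```python
"""Added example, not part of the original page or Versa/SonicWall product code.

Compares the IKE/IPsec parameters of two peers before the tunnel is brought up
and reports mismatches. All peer values below are constructed sample data, not
an exported configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256"
    integrity: str    # e.g. "sha256"
    dh_group: int     # Phase 1: IKE DH group; Phase 2: PFS group (0 = no PFS)
    lifetime_s: int


@dataclass
class PeerConfig:
    name: str
    ike_version: int
    local_id: str
    remote_id: str
    phase1: Proposal
    phase2: Proposal
    mode: str                    # "policy" or "route"
    local_selectors: List[str]   # prefixes this side protects
    remote_selectors: List[str]  # prefixes it expects behind the peer


def _nets(prefixes):
    return {ipaddress.ip_network(p, strict=False) for p in prefixes}


def _covers(outer, inner):
    """True if every network in `inner` lies inside some network in `outer`."""
    return all(any(n.subnet_of(m) for m in outer) for n in inner)


def _selector_issues(local, remote, label, ike_version):
    a, b = _nets(local), _nets(remote)
    if a == b:
        return []
    shown = f"{sorted(map(str, a))} vs {sorted(map(str, b))}"
    # A route-based peer usually proposes 0.0.0.0/0. An IKEv2 responder may narrow
    # that to the policy-based side's prefixes, so the tunnel can come up, but the
    # resulting SA set depends on who initiates; IKEv1 has no narrowing at all.
    if ike_version == 2 and (_covers(a, b) or _covers(b, a)):
        return [f"WARN {label}: selectors differ ({shown}); IKEv2 narrowing may "
                "bring the tunnel up but the SA set will be unstable"]
    return [f"ERROR {label}: traffic selectors do not mirror each other ({shown})"]


def check_pair(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return human-readable mismatches; an empty list means the pair should negotiate."""
    issues = []
    if a.ike_version != b.ike_version:
        issues.append(f"ERROR IKE version: {a.name}=v{a.ike_version}, {b.name}=v{b.ike_version}")
    if a.local_id != b.remote_id or b.local_id != a.remote_id:
        issues.append("ERROR IKE IDs: each side's local ID must equal the peer's remote ID")
    for phase in ("phase1", "phase2"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for fld in ("encryption", "integrity", "dh_group"):
            if getattr(pa, fld) != getattr(pb, fld):
                issues.append(f"ERROR {phase} {fld}: {a.name}={getattr(pa, fld)}, "
                              f"{b.name}={getattr(pb, fld)}")
        if pa.lifetime_s != pb.lifetime_s:
            issues.append(f"WARN {phase} lifetime: {pa.lifetime_s}s vs {pb.lifetime_s}s; "
                          "the shorter side will drive rekeys")
    if a.mode != b.mode:
        issues.append(f"ERROR tunnel type: {a.name} is {a.mode}-based, {b.name} is "
                      f"{b.mode}-based; configure the same type on both ends")
    ikev = min(a.ike_version, b.ike_version)
    issues += _selector_issues(a.local_selectors, b.remote_selectors,
                               f"{a.name} local / {b.name} remote", ikev)
    issues += _selector_issues(b.local_selectors, a.remote_selectors,
                               f"{b.name} local / {a.name} remote", ikev)
    return issues


# Constructed sample peers (hypothetical addresses and prefixes).
P1 = Proposal("aes256", "sha256", 14, 28800)
P2 = Proposal("aes256", "sha256", 14, 3600)
BRANCH = PeerConfig("branch-versa", 2, "198.51.100.10", "203.0.113.5", P1, P2, "policy",
                    ["10.10.0.0/24", "10.10.1.0/24"], ["10.0.0.0/16"])
HQ = PeerConfig("hq-sonicwall", 2, "203.0.113.5", "198.51.100.10", P1, P2, "policy",
                ["10.0.0.0/16"], ["10.10.0.0/24", "10.10.1.0/24"])
# The same HQ box re-done as a route-based tunnel: it offers 0.0.0.0/0 as its selectors.
HQ_ROUTE = PeerConfig("hq-sonicwall", 2, "203.0.113.5", "198.51.100.10", P1, P2, "route",
                      ["0.0.0.0/0"], ["0.0.0.0/0"])

if __name__ == "__main__":
    for label, peer in (("policy/policy", HQ), ("policy/route", HQ_ROUTE)):
        print(label, check_pair(BRANCH, peer) or ["OK"])
```

The policy/policy pair produces no findings. The policy/route pair produces the tunnel-type error plus two selector warnings: with IKEv2 the 0.0.0.0/0 selectors can be narrowed and the tunnel may still come up, which is the "comes up but unstable" case; with IKEv1 the same pair would be reported as a hard selector error.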


High level design 

Step-by-step guide

  1. Configure the Sonicwall firewall with the phase-1 and phase-2 parameters and the firewall policies that allow the traffic (Sonicwall can automatically add the access rules when the IPSEC policy is created)
  2. Configure the Versa S2S IPSEC VPN profile with the phase-1 and phase-2 parameters
  3. Select the tunnel type as policy-based and configure the interesting traffic (traffic selectors) from the branch to the HQ/DC application routes
  4. No static routes pointing into the tunnel are needed when using policy-based IPSEC; the traffic selectors decide what is encrypted
  5. Adjust the CGNAT rules so that only the DIA traffic for local breakout is NATed
  6. Lastly, configure the URLF/IPS/AV policies for the local-breakout traffic towards the Internet


Sonicwall Firewall configurations 

  • Configure the Sonicwall firewall with the phase-1 parameters. The "IPsec primary gateway address" is the remote peer, i.e. the public IP of the Versa device; the local IKE ID is the public IP of the Sonicwall firewall's WAN interface and the remote IKE ID is the public IP of the Versa device. If the Versa side is on a broadband link, where the address seen by the peer may be NATed or dynamic, change the IKE ID type so that the identity is not tied to the IP address.


  • Configure the phase-1 and phase-2 negotiation parameters. Create address objects in Sonicwall for the networks on each side and use them in the traffic selector: the destination network list must contain the branch prefixes (Versa LAN), and the selectors must mirror the ones configured on the Versa side.



Versa configurations 

1. Configure the IPSEC VPN S2S profile as policy-based IPSEC and configure the traffic-selector routes between the branch and HQ


2. Configure the local and peer IP addresses


3. Configure the phase-1 and phase-2 encryption parameters and the IKE IDs


In the IKE security-associations brief output you should see 2 SAs, or, if more traffic selectors are configured, one SA for each route prefix, built in the


>show orgs org-services ACREED_INDUSTRIES ipsec vpn-profile HO_IPSEC security-associations brief
Remote Gateway  Transform  Inbound SPI  Bytes/sec  Outbound SPI  Bytes/sec  Up Time   Next Rekey Time
--------------  ---------  -----------  ---------  ------------  ---------  --------  ---------------
103.7.4.5       aes-cbc    0x200031e    56         0xf0803862    0          23:17:53  04:56:41
103.7.4.5       aes-cbc    0x2002de9    0          0xc0405d7e    0          23:17:53  05:31:23
103.7.4.5       aes-cbc    0x2007495    28         0x2db810e6    0          23:17:53  05:20:49
103.7.4.5       aes-cbc    0x2007193    0          0xfac023d1    0          23:17:53  05:37:42
[ok][2025-01-31 03:15:04]
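As an added example (not from the original page and not Versa product code), the script below parses the brief output shown above and audits it the way you would by eye on the CLI: every SA must be with the expected peer, the number of child SAs must match the number of traffic selectors, and an SA that carries bytes in only one direction or none at all is called out. The sample text is the page's own output re-typed inline so the script runs offline; the severity labels and the audit thresholds are this example's own choices.

```python
"""Added example, not part of the original page or Versa product code.

Parses the `security-associations brief` output shown above and audits it:
one child SA per traffic selector, all to the expected peer, and no selector
that is idle in both directions.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the brief output from the page above, re-typed so the
# parser can run offline. One row per child SA (inbound/outbound SPI pair).
SAMPLE = """\
Remote Gateway  Transform  Inbound SPI  Bytes/sec  Outbound SPI  Bytes/sec  Up Time   Next Rekey Time
--------------  ---------  -----------  ---------  ------------  ---------  --------  ---------------
103.7.4.5       aes-cbc    0x200031e    56         0xf0803862    0          23:17:53  04:56:41
103.7.4.5       aes-cbc    0x2002de9    0          0xc0405d7e    0          23:17:53  05:31:23
103.7.4.5       aes-cbc    0x2007495    28         0x2db810e6    0          23:17:53  05:20:49
103.7.4.5       aes-cbc    0x2007193    0          0xfac023d1    0          23:17:53  05:37:42
[ok][2025-01-31 03:15:04]
"""

# gateway, transform, inbound SPI, in B/s, outbound SPI, out B/s, uptime, next rekey
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(\d+)"
    r"\s+(\d+:\d+:\d+)\s+(\d+:\d+:\d+)\s*$", re.IGNORECASE)


@dataclass
class ChildSA:
    peer: str
    transform: str
    spi_in: int
    bps_in: int
    spi_out: int
    bps_out: int
    uptime_s: int
    rekey_s: int


def _hms(text: str) -> int:
    """'23:17:53' -> seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_sa_brief(text: str) -> List[ChildSA]:
    """Keep only the data rows; header, separator and the [ok] prompt line are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sas.append(ChildSA(m[1], m[2], int(m[3], 16), int(m[4]), int(m[5], 16),
                               int(m[6]), _hms(m[7]), _hms(m[8])))
    return sas


def audit(sas: List[ChildSA], expected_peer: str, selector_count: int) -> List[str]:
    findings = []
    if not sas:
        return ["CRIT no child SAs: Phase 2 never completed (check proposals, PFS and "
                "traffic selectors on both sides)"]
    stray = sorted({s.peer for s in sas} - {expected_peer})
    if stray:
        findings.append(f"CRIT SAs negotiated with unexpected gateway(s) {stray}")
    if len(sas) != selector_count:
        findings.append(f"WARN {len(sas)} child SAs but {selector_count} traffic selectors "
                        "configured; a policy-based tunnel builds one SA per selector, so "
                        "compare the selector lists on both sides")
    for s in sas:
        if s.bps_in == 0 and s.bps_out == 0:
            findings.append(f"INFO SA 0x{s.spi_in:x}/0x{s.spi_out:x} idle in both directions "
                            "(no interesting traffic, or the peer's policy does not mirror it)")
        elif s.bps_out == 0:
            findings.append(f"INFO SA 0x{s.spi_in:x} receives {s.bps_in} B/s but sends nothing; "
                            "replies may be leaving by another path (for example still NATed "
                            "out of the DIA link by the CGNAT rule)")
    soonest = min(sas, key=lambda s: s.rekey_s)
    findings.append(f"INFO next rekey in {soonest.rekey_s}s (SA 0x{soonest.spi_in:x})")
    return findings


if __name__ == "__main__":
    for f in audit(parse_sa_brief(SAMPLE), "103.7.4.5", 4):
        print(f)
```

Run against the sample with four configured selectors it reports two SAs that receive but never send and two that are idle in both directions; with the wrong selector count it adds the SA-count warning, which is the first thing to check when a prefix is missing from one side's policy.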



The CGNAT rules by default NAT all traffic from the LAN because the rule's source zone is (L-ST). That would also NAT the intranet traffic that should enter the tunnel, so change the source zone to "W-ST" so that only the DIA/local-breakout traffic is NATed.


  • By default, we don't install the LAN routes in the transport-VR, so you need to add a static route in the transport-VR, or edit the communities in the LAN-VR peer-group policies to announce the LAN routes via BGP towards the transport-VR.


Firewall policies for Versa CPE for the LBO NGFW