SonicWall firewalls that terminate site-to-site VPNs are a riskier place to be in 2026 than they were two years ago. Two factors drove this. CVE-2024-40766 (improper access control) and CVE-2024-53704 (SSL-VPN authentication bypass) were both exploited in the wild, and the Akira ransomware group used SonicWall SSL-VPN access at scale through 2025. Gen 6 firewalls reach end of support on April 16, 2026, with no further firmware updates. Many shops migrated Gen 6 configurations to Gen 7 without rotating credentials, and Akira walked through the front door with the local user accounts that came along for the ride.
If you run SonicWall for site-to-site VPN in 2026, three things matter: you are on SonicOS 7.3 or 8.x with current patches, you rotated every credential when you migrated configs, and you replaced Gen 6 hardware before April 2026. Below is the current setup, the IKEv2 best practices, the vulnerabilities to know, and the common config mistakes.
Quick reference: SonicWall site-to-site VPN in 2026
| Item | Detail |
|---|---|
| Latest SonicOS | 8.x on Gen 7+, 7.3+ minimum hardened baseline |
| Gen 6 EOS | April 16, 2026 (no more firmware) |
| IKE version | IKEv2 only (IKEv1 deprecated, disabled by default on SonicOS 8) |
| Encryption | AES-256-GCM preferred, AES-256-CBC + SHA-256/384 acceptable |
| DH groups | 19, 20, 21 (ECP) preferred. 14+ for legacy peers. Avoid 1, 2, 5 |
| Phase 1 lifetime | 28800 seconds (8 hours) |
| Phase 2 lifetime | 3600 seconds (1 hour) |
| PFS | Required |
| DPD | Enabled (Dead Peer Detection tears down SAs to a peer that stops answering) |
Recent vulnerabilities that matter
Two CVEs from 2024-2025 that fed the 2025 Akira ransomware campaign:
CVE-2024-40766: Improper access control in SonicOS management access and SSL-VPN, leading to unauthorized resource access and, under specific conditions, a firewall crash. Affected Gen 5, Gen 6 and Gen 7 (SonicOS 7.0.1-5035 and older); fixed in 7.0.1-5072, 6.5.4.15-116n and 5.9.2.14-13o. Actively exploited, including by Akira affiliates.
CVE-2024-53704: Improper authentication in the SSL-VPN that lets an unauthenticated attacker hijack an active session. Affects SonicOS 7.1.x (7.1.1-7058 and older), 7.1.2-7019 and 8.0.0-8035; fixed in 7.1.3-7015 and 8.0.0-8037. A public PoC appeared in February 2025 and in-the-wild exploitation followed within days.
The 2025 Akira campaign hit Gen 7 SSL-VPNs at scale. The pattern: organizations migrated Gen 6 configurations to Gen 7 firewalls and kept the local user accounts and passwords. SonicWall's August 2025 advisory found no zero-day but a strong correlation with CVE-2024-40766: credentials harvested from unpatched Gen 6 units survived the migration, and Akira logged in through the SSL-VPN with them and pivoted.
The fix: SonicOS 7.3 added brute-force protection and stronger MFA controls. If you upgraded from Gen 6 to Gen 7 without rotating local user passwords and VPN PSKs, you are exposed regardless of patch level.
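As an added check that is not from SonicWall or from this page's author, the following Python snippet compares a fleet's SonicOS version strings against the first fixed builds for these two CVEs. The fixed builds are the ones SonicWall's advisories list; the inventory is constructed sample data, and the version grammar (release numbers, a dash, a build number, optional letter suffix) is an assumption based on how SonicWall prints versions. It treats anything in an affected branch below the fixed build as unpatched, which is the conservative reading of the advisories:

```python
import re

# Assumed version grammar: release numbers, '-', build number, optional
# letter suffix, e.g. '7.1.3-7015' or '6.5.4.15-116n'.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)([a-z]?)$")

# First fixed build per affected branch, from SonicWall's advisories for
# the two CVEs. Anything in the branch below the fixed build is unpatched.
FIXED_BUILDS = [
    ("CVE-2024-40766", (5, 9, 2), "5.9.2.14-13o"),
    ("CVE-2024-40766", (6, 5, 4), "6.5.4.15-116n"),
    ("CVE-2024-40766", (7, 0), "7.0.1-5072"),
    ("CVE-2024-53704", (7, 1), "7.1.3-7015"),
    ("CVE-2024-53704", (8, 0), "8.0.0-8037"),
]

GEN6_EOS = "2026-04-16"  # Gen 6 end of support; no firmware after this


def parse_version(text):
    """Return (release_tuple, build, suffix) for a SonicOS version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, int(m.group(2)), m.group(3)


def is_below(version, fixed):
    """True if `version` is older than `fixed` (same release branch)."""
    rel, build, suf = parse_version(version)
    frel, fbuild, fsuf = parse_version(fixed)
    # Release tuples differ in length across branches (7.0.1 vs 6.5.4.15);
    # zero-pad so an int is never compared with a str.
    n = max(len(rel), len(frel))
    rel += (0,) * (n - len(rel))
    frel += (0,) * (n - len(frel))
    return rel + (build, suf) < frel + (fbuild, fsuf)


def unpatched_cves(version):
    """CVEs from FIXED_BUILDS that `version` is still exposed to."""
    rel, _, _ = parse_version(version)
    return [cve for cve, branch, fixed in FIXED_BUILDS
            if rel[:len(branch)] == branch and is_below(version, fixed)]


def audit(inventory):
    """inventory: {firewall_name: version}. Returns {name: [findings]}."""
    report = {}
    for name, version in inventory.items():
        findings = unpatched_cves(version)
        if parse_version(version)[0][0] == 6:
            findings.append("Gen 6 firmware (6.5.x): no updates after " + GEN6_EOS)
        report[name] = findings
    return report


# Constructed sample inventory (not real devices).
INVENTORY = {
    "hq-nsa4700": "7.3.0-7012",
    "branch-tz470": "7.1.1-7058",
    "dc-nsa6700": "8.0.0-8035",
    "legacy-tz400": "6.5.4.14-109n",
}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed it the version column from your asset inventory; anything it flags is either below a fixed build or on hardware that stops receiving firmware.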
Site-to-site VPN setup (SonicOS 8 standard)
The basic IKEv2 site-to-site config:
Phase 1 (IKE_SA):
- IKE version: IKEv2
- Authentication: Pre-shared key or certificate (cert preferred for new deployments)
- Encryption: AES-256
- Hash: SHA-256 or SHA-384
- DH group: 19 (ECP-256) or 20 (ECP-384)
- Lifetime: 28800 seconds (8 hours)
Phase 2 (Child SA):
- Encryption: AES-256-GCM (preferred) or AES-256-CBC
- Hash: SHA-256 (with CBC) or none (with GCM, since GCM is authenticated)
- DH group: same as Phase 1, with PFS enabled
- Lifetime: 3600 seconds (1 hour)
Networks:
- Local network: Define an address object (Object > Match Objects > Addresses on SonicOS 7/8) and select it as the local network
- Remote network: Define matching object on the peer device
- Both peers must have identical Phase 1 and Phase 2 proposals
Firewall rules:
- By default SonicOS auto-adds the access rules between the VPN zone and the zone of your local network when the policy is saved
- If "Suppress automatic Access Rules creation for VPN Policy" is checked on the policy's Advanced tab, you must add both directions yourself: VPN > LAN (incoming) and LAN > VPN (outgoing)
- Check Policy > Rules and Policies > Access Rules after any change to the local or remote networks; a tunnel that comes up but passes nothing is usually a missing rule
IKEv2 vs IKEv1 in 2026
Use IKEv2. IKEv1 main mode and aggressive mode are deprecated and disabled by default on new SonicOS 8 deployments. Aggressive mode in particular is unsafe with pre-shared keys: the responder sends a hash derived from the PSK before any encryption is in place, so anyone who captures the handshake can run an offline dictionary attack against it (ike-scan and psk-crack do exactly this).
If a peer device only supports IKEv1 (older Cisco, legacy firewalls), the right move is to replace the peer device, not enable IKEv1 on SonicWall. The risk of running IKEv1 in 2026 is greater than the migration cost.
Gen 6 EOS migration (April 16, 2026)
If you are still running Gen 6 hardware after April 16, 2026, you are running without security updates. Migration is overdue.
Replacement model mapping:
- TZ300/400/500/600 → TZ270/370/470/570/670
- NSA 2600/3600/4600 → NSA 2700/3700/4700
- NSA 5600/6600 → NSA 5700/6700
SonicWall's Secure Upgrade Plus program offers discounted Gen 7 swaps for existing customers. Use it.
Critical migration step: do not just import Gen 6 configurations. Reset all local user passwords. Rotate VPN pre-shared keys. Enforce MFA on SSL-VPN. The 2025 Akira campaign exploited exactly this scenario: Gen 7 hardware with imported Gen 6 credentials.
Common config mistakes that break tunnels or expose risk
Six mistakes I see most often:
Mismatched Phase 1 or Phase 2 proposals: Both peers must agree on encryption, hash, DH group, and lifetime. A mismatch causes negotiation failure.
Identical PSKs across multiple tunnels: If one PSK leaks, every tunnel using it is compromised. Rotate per tunnel.
Aggressive mode IKEv1 enabled: The PSK-derived hash crosses the wire in the clear and can be cracked offline from a captured handshake. Disable it.
Overlapping local/remote subnets: Without NAT-over-VPN, traffic does not route. Common when both sides use 192.168.1.0/24.
Missing firewall access rules: SonicOS auto-adds VPN-to-LAN rules for a policy unless automatic rule creation is suppressed on the Advanced tab; if it is, or if you changed the local or remote networks afterwards, add the rules explicitly. Without them the tunnel comes up but no traffic flows.
LAN-to-VPN traffic logging disabled: No audit trail. When a tunnel is misused, you have nothing to forensically reconstruct.
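The following Python linter is an added example (not SonicWall's tooling or configuration export format) that encodes the setup baseline above and the six mistakes in this list. It models each peer's policy as a plain dict, an assumption for illustration; the sample tunnels and PSKs are constructed. `check_policy` audits one side, `check_pair` compares the two peers, and `check_fleet` catches a PSK reused across a firewall's tunnels:

```python
import ipaddress
from collections import defaultdict

# Hardened baseline from the quick-reference table above.
OK_CIPHERS = {"AES-256", "AES-256-GCM"}
OK_HASHES = {"SHA-256", "SHA-384"}
DH_PREFERRED, DH_LEGACY = {19, 20, 21}, {14}
MAX_LIFETIME = {"phase1": 28800, "phase2": 3600}


def policy(name, exchange, phase1, phase2, psk, local, remote,
           suppress_auto_rules=False, access_rules=("VPN->LAN", "LAN->VPN"),
           log_lan_to_vpn=True):
    """One side's site-to-site policy as a plain dict (constructed model)."""
    return dict(name=name, exchange=exchange, phase1=phase1, phase2=phase2,
                psk=psk, local=list(local), remote=list(remote),
                suppress_auto_rules=suppress_auto_rules,
                access_rules=list(access_rules), log_lan_to_vpn=log_lan_to_vpn)


def check_policy(p):
    """Lint one peer's policy against the baseline. Returns finding strings."""
    f, n = [], p["name"]
    if p["exchange"] == "aggressive":
        f.append(f"{n}: IKEv1 aggressive mode; PSK hash is crackable offline")
    elif p["exchange"] != "ikev2":
        f.append(f"{n}: IKEv1 {p['exchange']} mode; move to IKEv2")
    for phase in ("phase1", "phase2"):
        prop = p[phase]
        gcm = prop["encryption"].endswith("GCM")
        if prop["encryption"] not in OK_CIPHERS:
            f.append(f"{n} {phase}: weak cipher {prop['encryption']}")
        if gcm and prop["hash"] is not None:
            f.append(f"{n} {phase}: GCM is authenticated; set hash to None")
        if not gcm and prop["hash"] not in OK_HASHES:
            f.append(f"{n} {phase}: weak hash {prop['hash']}")
        dh = prop["dh_group"]
        if dh in DH_LEGACY:
            f.append(f"{n} {phase}: DH group {dh} only for legacy peers")
        elif dh not in DH_PREFERRED:
            f.append(f"{n} {phase}: DH group {dh} too weak")
        if prop["lifetime"] > MAX_LIFETIME[phase]:
            f.append(f"{n} {phase}: lifetime {prop['lifetime']}s exceeds "
                     f"{MAX_LIFETIME[phase]}s")
    if not p["phase2"]["pfs"]:
        f.append(f"{n} phase2: PFS disabled")
    # Overlapping subnets route nowhere without NAT over VPN.
    for l in p["local"]:
        for r in p["remote"]:
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r)):
                f.append(f"{n}: local {l} overlaps remote {r}; needs NAT over VPN")
    if p["suppress_auto_rules"] and not p["access_rules"]:
        f.append(f"{n}: auto-added rules suppressed and no explicit VPN<->LAN "
                 "rules; tunnel will come up but pass no traffic")
    if not p["log_lan_to_vpn"]:
        f.append(f"{n}: LAN->VPN logging disabled; no audit trail")
    return f


def check_pair(a, b):
    """Two peers must agree on proposals and mirror each other's networks."""
    f = []
    for phase in ("phase1", "phase2"):
        for k in ("encryption", "hash", "dh_group", "lifetime"):
            if a[phase][k] != b[phase][k]:
                f.append(f"{phase} {k} mismatch: {a[phase][k]} vs {b[phase][k]}")
    if a["phase2"]["pfs"] != b["phase2"]["pfs"]:
        f.append("phase2 PFS mismatch")
    if sorted(a["local"]) != sorted(b["remote"]) or sorted(a["remote"]) != sorted(b["local"]):
        f.append("local/remote networks are not mirrored")
    if a["psk"] != b["psk"]:
        f.append("PSK differs between peers")
    return f


def check_fleet(policies):
    """One firewall's tunnels: a reused PSK means one leak compromises all."""
    by_psk = defaultdict(list)
    for p in policies:
        by_psk[p["psk"]].append(p["name"])
    return [f"PSK shared by {', '.join(v)}" for v in by_psk.values() if len(v) > 1]


# Constructed sample policies (not from any real deployment).
P1_GOOD = dict(encryption="AES-256", hash="SHA-256", dh_group=19, lifetime=28800)
P2_GOOD = dict(encryption="AES-256-GCM", hash=None, dh_group=19, pfs=True, lifetime=3600)
P1_BAD = dict(encryption="AES-256", hash="SHA-1", dh_group=2, lifetime=28800)
P2_BAD = dict(encryption="AES-256", hash="SHA-256", dh_group=2, pfs=False, lifetime=28800)
P2_BAD_PEER = dict(P2_BAD, hash="SHA-384")  # far side configured differently

HQ_TO_A = policy("hq-to-branch-a", "ikev2", P1_GOOD, P2_GOOD, "psk-A",
                 ["10.10.0.0/16"], ["10.20.0.0/16"])
A_TO_HQ = policy("branch-a-to-hq", "ikev2", P1_GOOD, P2_GOOD, "psk-A",
                 ["10.20.0.0/16"], ["10.10.0.0/16"])
HQ_TO_B = policy("hq-to-branch-b", "aggressive", P1_BAD, P2_BAD, "psk-A",
                 ["192.168.1.0/24"], ["192.168.1.0/24"],
                 suppress_auto_rules=True, access_rules=(), log_lan_to_vpn=False)
B_TO_HQ = policy("branch-b-to-hq", "aggressive", P1_BAD, P2_BAD_PEER, "psk-A",
                 ["192.168.1.0/24"], ["192.168.1.0/24"])

if __name__ == "__main__":
    for line in check_policy(HQ_TO_B) + check_pair(HQ_TO_B, B_TO_HQ) + check_fleet([HQ_TO_A, HQ_TO_B]):
        print(line)
```

Run it on both sides of every tunnel before you save the policy: `check_pair` catches the negotiation failures, `check_policy` the silent risk (weak DH, no PFS, no logging), and `check_fleet` the PSK that is quietly shared by half your sites.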
What changed in 2025-2026
Three real shifts:
Akira ransomware campaign at scale (2025): Pushed organizations toward mandatory MFA on SSL-VPN and accelerated replacement of legacy SSL-VPN with ZTNA. SonicWall published a dedicated advisory in August 2025.
Gen 6 EOS (April 16, 2026): No more firmware updates. The hardware refresh cycle is forced by support deadlines.
SonicOS 7.3 hardening: Brute-force and MFA controls added. The recommended baseline after a Gen 6 to Gen 7 migration, but it does not substitute for rotating the credentials that came across.
FAQ
What is the latest SonicOS version in 2026?
SonicOS 8.x ships on Gen 7+ hardware. SonicOS 7.3+ is the minimum hardened baseline. Gen 6 firewalls run 6.5.4.x and reach end of support April 16, 2026 with no further firmware updates.
Should I use IKEv2 or IKEv1 for SonicWall site-to-site VPN?
IKEv2 only. IKEv1 is deprecated and disabled by default on SonicOS 8. Aggressive mode IKEv1 in particular exposes a PSK-derived hash to offline cracking from a captured handshake. Replace any peer device that only supports IKEv1.
What are the recent SonicWall vulnerabilities I should know about?
CVE-2024-40766 (improper access control in management access and SSL-VPN, exploited by Akira; fixed in 7.0.1-5072 and 6.5.4.15-116n) and CVE-2024-53704 (SSL-VPN authentication bypass and session hijack, public PoC, exploited in the wild; fixed in 7.1.3-7015 and 8.0.0-8037). Run SonicOS 7.3 or 8.x with current patches and rotate credentials.
What happens to Gen 6 SonicWall firewalls after April 2026?
End of support. No more firmware updates, no security patches. Replace before April 16, 2026 using the Secure Upgrade Plus program. Migrate configs but reset all credentials.
How do I prevent the 2025 Akira ransomware attack pattern?
Enforce MFA on all SSL-VPN access. Rotate all credentials after any firmware migration. Apply SonicOS 7.3 or 8.x. Disable SSL-VPN entirely for users who do not need it. Consider replacing SSL-VPN with a ZTNA solution.
Sources and further reading
- VPN Tracker’s write-up on the SonicWall backup leak
- SonicWall’s site-to-site Main Mode KB
- Spiceworks discussion on slow one-direction SMB over SonicWall VPN