Technical Tips and Tricks

Monday, March 31, 2014

Juniper BGP Over IPSec Multipoint

In my lab, I wanted to utilize a dynamic routing protocol for my hub and spoke VPN topology. I decided to try it with BGP. The requirements were to utilize only one tunnel interface on the hub device for all IPSec tunnels, as well as deny all traffic between spoke sites. Below is the configuration, and it is based on the topology below:

SRX 1 (Hub Device):

Interface configuration (please note that the tunnel interface is configured as multipoint, which allows for the termination of multiple IPSec tunnels to a single logical interface.):
interfaces {
ge-0/0/0 {
unit 0 {
description "*** TRUST ***";
family inet {
address 10.1.1.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
description "*** UNTRUST ***";
family inet {
address 172.16.1.1/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 1.1.1.1/32;
}
}
}
st0 {
unit 0 {
description "*** VPN ***";
multipoint;
family inet {
address 192.168.1.1/24;
}
}
}
}

Default route configuration:

routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.1.2;
}
router-id 1.1.1.1;
autonomous-system 65001;
}

BGP configuration:

protocols {
bgp {
group 1 {
type external;
neighbor 192.168.1.3 {
hold-time 30;
export 1;
peer-as 65003;
local-as 65001;
}
neighbor 192.168.1.4 {
hold-time 30;
export 1;
peer-as 65004;
local-as 65001;
}
}
}
}

Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.1.1.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}

}

VPN configuration:
security {
ike {
policy 1-3 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$rV4KWXVwgUjq7-jqmfn6revW7-"; ## SECRET-DATA
}
policy 1-4 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$ZCDH.QF/0BEP5BEcyW8ZUjHP5"; ## SECRET-DATA
}
gateway 3 {
ike-policy 1-3;
address 172.16.3.1;
external-interface ge-0/0/1.0;
}
gateway 4 {
ike-policy 1-4;
address 172.16.4.1;
external-interface ge-0/0/1.0;
}
}
ipsec {
policy 1-3 {
proposal-set standard;
}
policy 1-4 {
proposal-set standard;
}
vpn 1-3 {
bind-interface st0.0;
ike {
gateway 3;
ipsec-policy 1-3;
}
establish-tunnels immediately;
}
vpn 1-4 {
bind-interface st0.0;
ike {
gateway 4;
ipsec-policy 1-4;
}
establish-tunnels immediately;
}
}

}

Security zone configuration (please note that for my lab testing, I am allowing almost everything. In a production environment it is required to enable the necessary services and protocols at the zone level in order for things to function properly (i.e. BGP, IKE, etc.)):

zones {

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

lo0.0;

ge-0/0/0.0;

}

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

interfaces {

ge-0/0/1.0;

}

security-zone vpn {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

st0.0;

}

Security policy configuration (please note that there is a policy which denies traffic from spoke to spoke):

policies {

from-zone trust to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone untrust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone untrust to-zone trust {

policy default-deny {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone vpn to-zone vpn {

policy deny-intra-spoke-traffic {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone vpn to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

SRX 3 (Spoke Device):

Interface configuration:

interfaces {

ge-0/0/0 {

unit 0 {

description "*** TRUST ***";

family inet {

address 10.3.3.1/24;

}

ge-0/0/1 {

unit 0 {

description "*** UNTRUST ***";

family inet {

address 172.16.3.1/30;

}

lo0 {

unit 0 {

family inet {

address 3.3.3.3/32;

}

st0 {

unit 0 {

description "*** VPN ***";

family inet {

address 192.168.1.3/24;

}

Default route configuration:

routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.3.2;
}
router-id 3.3.3.3;
autonomous-system 65003;
}

BGP configuration:

protocols {
bgp {
group 1 {
type external;
neighbor 192.168.1.1 {
hold-time 30;
export 1;
peer-as 65001;
local-as 65003;
}
}
}
}

Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.3.3.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}

}

VPN configuration:

security {

ike {

policy 3-1 {

mode main;

proposal-set standard;

pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA

}

gateway 3-1 {

ike-policy 3-1;

address 172.16.1.1;

external-interface ge-0/0/1.0;

}

ipsec {

policy 3-1 {

proposal-set standard;

}

vpn 3-1 {

bind-interface st0.0;

ike {

gateway 3-1;

ipsec-policy 3-1;

}

establish-tunnels immediately;

}

Security zone configuration:

zones {

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

interfaces {

ge-0/0/1.0;

}

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

lo0.0;

ge-0/0/0.0;

}

security-zone vpn {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

st0.0;

}

Security policy configuration:

policies {

from-zone trust to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone untrust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone untrust to-zone trust {

policy default-deny {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone trust to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

SRX 4 (Spoke Device):

Interface configuration:

interfaces {

ge-0/0/0 {

unit 0 {

description "*** TRUST ***";

family inet {

address 10.4.4.1/24;

}

ge-0/0/1 {

unit 0 {

description "*** UNTRUST ***";

family inet {

address 172.16.4.1/30;

}

lo0 {

unit 0 {

family inet {

address 4.4.4.4/32;

}

st0 {

unit 0 {

description "*** VPN ***";

family inet {

address 192.168.1.4/24;

}

Default route configuration:

routing-options {
static {
route 0.0.0.0/0 next-hop 172.16.4.2;
}
router-id 4.4.4.4;
autonomous-system 65004;
}

BGP configuration:

protocols {
bgp {
group 1 {
type external;
neighbor 192.168.1.1 {
hold-time 30;
export 1;
peer-as 65001;
local-as 65004;
}
}
}
}

Routing policy configuration:
policy-options {
policy-statement 1 {
term 1 {
from {
route-filter 10.4.4.0/24 exact;
}
then accept;
}
term 2 {
from {
route-filter 192.168.1.0/24 exact;
}
then accept;
}
term 3 {
then reject;
}
}

}

VPN configuration:

security {

ike {

policy 4-1 {

mode main;

proposal-set standard;

pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA

}

gateway 4-1 {

ike-policy 4-1;

address 172.16.1.1;

external-interface ge-0/0/1.0;

}

ipsec {

policy 4-1 {

proposal-set standard;

}

vpn 4-1 {

bind-interface st0.0;

ike {

gateway 4-1;

ipsec-policy 4-1;

}

establish-tunnels immediately;

}

Security zone configuration:

zones {

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

interfaces {

ge-0/0/1.0;

}

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

lo0.0;

ge-0/0/0.0;

}

security-zone vpn {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

st0.0;

}

Security policy configuration:

policies {

from-zone trust to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone untrust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone untrust to-zone trust {

policy default-deny {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone trust to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

Verification:

Here are some commands that can be run from operational mode for verification purposes:
show security ike security-associations
show security ipsec security-associations
show bgp neighbor
show bgp summary
show route

Tuesday, March 4, 2014

MAG-CM060 SSO with a Self-Signed Certificate

I am posting this because although Juniper Networks does provide very detailed instructions on how to configure SSO with a valid certificate issued from a certificate authority, a customer recently wanted me to configure SSO without a valid certificate. Here is how I did it:

From operational mode in the MAG-CM060, enter the following commands:

request security pki generate-key-pair certificate-id MY-CERT size 1024 type rsa
request security pki local-certificate generate-self-signed certificate-id MY-CERT domain-name domain.com email test@domain.com ip-address 10.1.1.10 subject CN=10.1.1.10,O=Test

From configuration mode in the MAG-CM060, enter the following commands:

set system services ftp
set system services web-management http port 80 interface em0.0
set system services web-management https port 443 interface em0.0 pki-local-certificate MY-CERT
commit

Using your favorite FTP program, connect to the MAG-CM060 and copy the certificate you created, which is located in /var/db/certs/common/local/MY-CERT.cert, to the location of your choice on your computer.
From within the administrator GUI of the MAG Service Module (i.e. MAG-SM60), perform the following steps:

Navigate to Authentication->Auth. Servers->Chassis Auth Server
Select Choose File under Upload Certificate, and upload the certificate you copied off of the MAG-CM060.
Click Save

Lastly, ensure that the date/time settings are the same on both the MAG-CM060 and the Service Module:

From operational mode on the MAG-CM060, enter the following command:

set date...

From the Dashboard in the GUI of the Service Module:

Click Edit next to System Date & Time

Enjoy!

Tuesday, January 7, 2014

Juniper OSPF Over IPSec Multipoint

In my lab, I wanted to utilize a dynamic routing protocol for my hub and spoke VPN topology. I decided to first try it with OSPF (BGP configuration here). The requirements were to utilize only one tunnel interface on the hub device for all IPSec tunnels, as well as deny all traffic between spoke sites. Below is the configuration, and it is based on the topology below:

Default route configuration:

routing-options {

static {

route 0.0.0.0/0 next-hop 172.16.1.2;

}

OSPF configuration:

protocols {

ospf {

area 0.0.0.0 {

interface ge-0/0/0.0;

interface lo0.0 {

passive;

}

interface st0.0;

}

zones {

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

lo0.0;

ge-0/0/0.0;

}

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

interfaces {

ge-0/0/1.0;

}

security-zone vpn {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

st0.0;

}

Security policy configuration (please note that there is a policy which denies traffic from spoke to spoke):

policies {

from-zone trust to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone untrust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone untrust to-zone trust {

policy default-deny {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone vpn to-zone vpn {

policy deny-intra-spoke-traffic {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone vpn to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

SRX 3 (Spoke Device):

Interface configuration:

interfaces {

ge-0/0/0 {

unit 0 {

description "*** TRUST ***";

family inet {

address 10.3.3.1/24;

}

ge-0/0/1 {

unit 0 {

description "*** UNTRUST ***";

family inet {

address 172.16.3.1/30;

}

lo0 {

unit 0 {

family inet {

address 3.3.3.3/32;

}

st0 {

unit 0 {

description "*** VPN ***";

family inet {

address 192.168.1.3/24;

}

Default route configuration:

routing-options {

static {

route 0.0.0.0/0 next-hop 172.16.3.2;

}

OSPF configuration:

protocols {

ospf {

area 0.0.0.0 {

interface st0.0;

interface ge-0/0/0.0;

interface lo0.0 {

passive;

}

VPN configuration:

security {

ike {

policy 3-1 {

mode main;

proposal-set standard;

pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA

}

gateway 3-1 {

ike-policy 3-1;

address 172.16.1.1;

external-interface ge-0/0/1.0;

}

ipsec {

policy 3-1 {

proposal-set standard;

}

vpn 3-1 {

bind-interface st0.0;

ike {

gateway 3-1;

ipsec-policy 3-1;

}

establish-tunnels immediately;

}

Security zone configuration:

zones {

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

interfaces {

ge-0/0/1.0;

}

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

lo0.0;

ge-0/0/0.0;

}

security-zone vpn {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

st0.0;

}

Security policy configuration:

policies {

from-zone trust to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone untrust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone untrust to-zone trust {

policy default-deny {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone trust to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

SRX 4 (Spoke Device):

Interface configuration:

interfaces {

ge-0/0/0 {

unit 0 {

description "*** TRUST ***";

family inet {

address 10.4.4.1/24;

}

ge-0/0/1 {

unit 0 {

description "*** UNTRUST ***";

family inet {

address 172.16.4.1/30;

}

lo0 {

unit 0 {

family inet {

address 4.4.4.4/32;

}

st0 {

unit 0 {

description "*** VPN ***";

family inet {

address 192.168.1.4/24;

}

Default route configuration:

routing-options {

static {

route 0.0.0.0/0 next-hop 172.16.4.2;

}

OSPF configuration:

protocols {

ospf {

area 0.0.0.0 {

interface st0.0;

interface ge-0/0/0.0;

interface lo0.0 {

passive;

}

VPN configuration:

security {

ike {

policy 4-1 {

mode main;

proposal-set standard;

pre-shared-key ascii-text "$9$QATV3/ABIcvWxp0WxNdg4QFn/p0"; ## SECRET-DATA

}

gateway 4-1 {

ike-policy 4-1;

address 172.16.1.1;

external-interface ge-0/0/1.0;

}

ipsec {

policy 4-1 {

proposal-set standard;

}

vpn 4-1 {

bind-interface st0.0;

ike {

gateway 4-1;

ipsec-policy 4-1;

}

establish-tunnels immediately;

}

Security zone configuration:

zones {

security-zone untrust {

screen untrust-screen;

host-inbound-traffic {

system-services {

ike;

}

interfaces {

ge-0/0/1.0;

}

security-zone trust {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

lo0.0;

ge-0/0/0.0;

}

security-zone vpn {

host-inbound-traffic {

system-services {

all;

}

protocols {

all;

}

interfaces {

st0.0;

}

Security policy configuration:

policies {

from-zone trust to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone trust to-zone untrust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone untrust to-zone trust {

policy default-deny {

match {

source-address any;

destination-address any;

application any;

}

then {

deny;

}

from-zone trust to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone trust {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

from-zone vpn to-zone vpn {

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

Monday, October 14, 2013

SonicWALL - Forward Packets to Remote VPNs

Older versions of the SonicWALL operating system used to include a feature called, "Forward packets to remote VPNs." This feature, when enabled in a hub and spoke VPN topology, allowed for spoke sites to communicate with each other via a hub site. This is advantageous for a few reasons:

SonicWALL does not support Group VPN (GDOI) or other mesh VPN technologies, leaving manual configuration as the only option.
Configuring site to site VPNs for each and every site in your organization is time consuming, and depending on your SonicWALL model you may be limited by the number of IPSec tunnels allowed on your device (i.e. The TZ-105 only allows 5 IPSec tunnels).

I recently ran into this very situation. I was deploying a phone system at multiple sites for a customer, which required LAN-like communication between all sites. Rather than building tunnels at each site to every other site, I remembered the 'Forward packets to remote VPNs," feature. It would be great because it would save me time, as all traffic would just route through the hub site. However, in newer versions of the software this option is no longer present, so I had to do some research on how to make it work. I thought I would share what I did, since there is really no information out there (none that I could find anyway...) that walks you through the process.

For simplicity's sake, let's assume that we have 3 sites:

Los Angeles - This is our main office (AKA the hub site). The LAN subnet for this site is 10.0.0.0/24.
Austin - This is a branch office (AKA our first spoke site). The LAN subnet for this site is 192.168.0.0/24.
Atlanta - This is a branch office (AKA our second spoke site). The LAN subnet for this site is 172.16.0.0/24.

Here are the general configuration steps:

On Los Angeles (the hub site):

Define address objects for each site under Network -> Address Objects:

Los Angeles:

Name: Los Angeles LAN
Zone Assignment: VPN
Type: Network
Network: 10.0.0.0
Netmask: 255.255.255.0

Austin:

Name: Austin LAN
Zone Assignment: VPN
Type: Network
Network: 192.168.0.0
Netmask: 255.255.255.0

Atlanta:

Name: Atlanta LAN
Zone Assignment: VPN
Type: Network
Network: 172.16.0.0
Netmask: 255.255.255.0

Create an address group for each site under Network -> Address Objects:

Create a group called Austin:

Add Atlanta LAN
Add Los Angeles LAN

Note that we are calling this group "Austin" even though we are not adding Austin LAN to the group. This group will be referenced in a VPN policy that will allow both the Los Angeles LAN and Atlanta LAN subnets to communicate with Austin. More information to follow...

Create a group called Atlanta:

Add Austin LAN
Add Los Angeles LAN

Same thing applicable here as above. We are calling the group Atlanta because it will be applied to the Atlanta VPN, but these address objects we are referencing do not include the Atlanta LAN address object.

Create VPNs to each remote site under VPN -> Settings:

Create a VPN called Austin:

Under the General tab:

Policy Type: Site to Site
Authentication Method: IKE using Preshared Secret
Name: Austin
IPSec Primary Gateway Name or Address: (public IP of Austin site)
Shared Secret: (enter whatever password you want here, just remember that it has to match on both ends)

Under the Network tab:

Local Networks: (choose Austin from the list)
Remote Networks: (choose Ausitn LAN from the list)

Under the Proposals tab:

This varies, but I usually choose IKEv2 mode, and AES-256 for encryption at the very least.

Under the Advanced tab:

Check the Enable Keep Alive check box

Create a VPN called Atlanta:

Under the General tab:

Policy Type: Site to Site
Authentication Method: IKE using Preshared Secret
Name: Atlanta
IPSec Primary Gateway Name or Address: (public IP of Atlanta site)
Shared Secret: (enter whatever password you want here, just remember that it has to match on both ends)

Under the Network tab:

Local Networks: (choose Atlanta from the list)
Remote Networks: (choose Atlanta LAN from the list)

Under the Proposals tab:

This varies, but I usually choose IKEv2 mode, and AES-256 for encryption at the very least.

Under the Advanced tab:

Check the Enable Keep Alive check box

On Austin (the spoke site):

Define address objects for each site under Network -> Address Objects:

Los Angeles:

Name: Los Angeles LAN
Zone Assignment: VPN
Type: Network
Network: 10.0.0.0
Netmask: 255.255.255.0

Austin:

Name: Austin LAN
Zone Assignment: VPN
Type: Network
Network: 192.168.0.0
Netmask: 255.255.255.0

Atlanta:

Name: Atlanta LAN
Zone Assignment: VPN
Type: Network
Network: 172.16.0.0
Netmask: 255.255.255.0

Create an address group for the other sites under Network -> Address Objects:

Create a group called Other Sites:

Add Atlanta LAN
Add Los Angeles LAN

Create a VPN to the Los Angeles site under VPN -> Settings:

Under the General tab:

Policy Type: Site to Site
Authentication Method: IKE using Preshared Secret
Name: Los Angeles
IPSec Primary Gateway Name or Address: (public IP of Los Angeles site)
Shared Secret: (enter the same password you entered when you created the Austin VPN on the Los Angeles SonicWALL)

Under the Network tab:

Local Networks: (choose Austin LAN from the list)
Remote Networks: (choose Other Sites from the list)

Under the Proposals tab:

Enter the same information you entered on the Los Angeles SonicWALL

Under the Advanced tab:

Leave everything as is

On Atlanta (the other spoke site):

Define address objects for each site under Network -> Address Objects:

Los Angeles:

Name: Los Angeles LAN
Zone Assignment: VPN
Type: Network
Network: 10.0.0.0
Netmask: 255.255.255.0

Austin:

Name: Austin LAN
Zone Assignment: VPN
Type: Network
Network: 192.168.0.0
Netmask: 255.255.255.0

Atlanta:

Name: Atlanta LAN
Zone Assignment: VPN
Type: Network
Network: 172.16.0.0
Netmask: 255.255.255.0

Create an address group for the other sites under Network -> Address Objects:

Create a group called Other Sites:

Add Austin LAN
Add Los Angeles LAN

Create a VPN to the Los Angeles site under VPN -> Settings:

Under the General tab:

Policy Type: Site to Site
Authentication Method: IKE using Preshared Secret
Name: Los Angeles
IPSec Primary Gateway Name or Address: (public IP of Los Angeles site)
Shared Secret: (enter the same password you entered when you created the Atlanta VPN on the Los Angeles SonicWALL)

Under the Network tab:

Local Networks: (choose Atlanta LAN from the list)
Remote Networks: (choose Other Sites from the list)

Under the Proposals tab:

Enter the same information you entered on the Los Angeles SonicWALL

Under the Advanced tab:

Leave everything as is

Upon completion, you will see a green light on the VPN -> Settings page, which indicates that the VPN is up. On the remote sites, you will see 2 green lights, indicating connectivity to both the hub and spoke sites.