Configuring a VPN Policy with IKE using Preshared Secret

To configure a VPN Policy using Internet Key Exchange (IKE):

Go to the VPN > Settings page.

Click the Add button. The VPN Policy dialog appears.

Under the General tab, from the Policy Type menu, select Site to Site.

Select IKE using Preshared Secret from the Authentication Method menu.

Enter a name for the policy in the Name field.

Enter the host name or IP address of the remote connection in the IPsec Primary Gateway Name or Address field.

If the Remote VPN device supports more than one endpoint, you may optionally enter a second host name or IP address of the remote connection in the IPsec Secondary Gateway Name or Address field.

Enter a Shared Secret password to be used to setup the Security Association in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters.

Optionally, specify a Local IKE ID (optional) and Peer IKE ID (optional) for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWall Identifier (ID_USER_FQDN) is used for Aggressive Mode.

Click the Network tab.

Under Local Networks, select one of these:

•

If a specific local network can access the VPN tunnel, select a local network from the Choose local network from list drop-down menu. This is the default.

•

If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto added rules will be created between Trusted Zones and this VPN Zone.

NOTE: DHCP over VPN is not supported with IKEv2.

Under Remote Networks, select one of these;

•

If traffic from any local user cannot leave the SonicWall security appliance unless it is encrypted Use this VPN Tunnel as default route for all Internet traffic . You can only configure one SA to use this setting.

•

Select an address object or group from the Choose Destination network from list drop-down menu. You can create a new address object or address object group for the destination network. This is the default.

•

If IKEv2 Mode is selected for the Exchange method on the Proposals tab, a third option is available: the use IKEv2 IP Pool drop-down menu to assign remote clients with an IP address from the selected IP address pool. Select this option to support IKEv2 Config Payload. You can create a new address object for the IKEv2 IP address pool.

Click the Proposals tab.

in the IKE (Phase 1) Proposal section, from the Exchange drop-down menu, select one of these:

•

Main Mode

•

Aggressive Mode – Generally used when WAN addressing is dynamically assigned.

•

IKEv2 Mode– Causes all the negotiation to happen via IKEv2 protocols rather than using IKE Phase 1 and Phase 2. If you use IKEv2, both ends of the VPN tunnel must use IKEv2 Mode.

For the rest of the options in the IKE (Phase 1) Proposal section, the default values are acceptable for most VPN configurations:

•

DH Group – Default is Group 5. You can also choose Group 1, Group 2, or Group 14.

NOTE: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.

•

Encryption – Default is 3DES. You can also choose AES-128, AES-192, or AES-256 from the Authentication menu instead of 3DES for enhanced authentication security.

•

Authentication – Default is SHA1. You can also choose SHA256, SHA384, or SHA512 for enhanced authentication security.

•

Life Time – Default is 28800.

NOTE: Be sure the IKE (Phase 1) Proposal values on the opposite side of the tunnel are configured to match.

Under IPsec (Phase 2) Proposal, the default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, DH Group, and Lifetime are acceptable for most VPN SA configurations. Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.

Click the Advanced tab. The options displayed on the Advanced tab depend on the mode selected for Exchange on the Proposals tab. Most Advanced Settings options, however, appear on for all modes. The IKEv2 Settings options appear only if IKEv2 Mode is selected for Exchange.

Advanced Settings section

Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using KeepAlive will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.

NOTE: The KeepAlive option will be disabled when the VPN policy is configured as Central Gateway for DHCP over VPN or with a Primary Gateway Name or Address of 0.0.0.0.

The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default to allow the VPN traffic to traverse the appropriate zones. Select Suppress automatic Access Rules creation for VPN Policy to turn off the automatic access rules created between the LAN and VPN zones for this VPN policy.

IPsec Anti-Replay is a form of partial sequence integrity that detects arrival of duplicate IP datagrams (within a constrained window). To disable this feature, select Disable IPsec Anti-Replay. This option is not selected by default.

For Main Mode and Aggressive Mode only: To require XAUTH authentication by users prior to allowing traffic to traverse this tunnel, select Require authentication of VPN client by XAUTH. The User group for XAUTH users drop-down menu appears:

•

Select a User group to specify allowed users from the User group for XAUTH drop-down menu. You can create a new user group, also.

Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.

Select Enable Multicast to allow IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.

Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.

Select Apply NAT Policies if you want the SonicWall to translate the Local, Remote or both networks communicating via this VPN tunnel. When this option is selected, two drop-down menus appear:

•

To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down menu.

•

To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down menu.

NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.

For Main Mode and Aggressive Mode only: To enable SonicPointN Layer 3 Management, select Allow SonicPointN Layer 3 Management. This option is not selected by default.

For Main Mode and Aggressive Mode only: To enable Phase 2 Dead Peer Detection, select Phase 2 Dead Peer Detection. This option is not selected by default.

To manage the local SonicWall through the VPN tunnel, select one or more of the following from Management via this SA: None are selected by default.

•

HTTP

•

HTTPS

•

SSH

•

SNMP

Select HTTP, HTTPS, or both for User login via this SA to allow users to login using the SA.

If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic or if you have more than one gateway and you want this one always to be used first, you should enter the IP address of your router into the Default LAN Gateway (optional) field.

Select an interface or zone from the VPN Policy bound to drop-down menu. A Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface. Zone WAN is the default.

NOTE: Two different WAN interfaces cannot be bound to the same VPN Gateway IP address. To use multiple VPN tunnels to the same VPN peer, use a tunnel interface.

If you selected Main Mode or Aggressive Mode for Exchange in the Proposals tab, go to Step 35.

IKEv2 Settings section: IKEv2 Mode only

The Do not send trigger packet during IKE SA negotiation checkbox is not selected by default and should only be selected when required for interoperability if the peer cannot handle trigger packets.

The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers.

Select one or both of the following two options for the IKEv2 VPN policy:

•

Accept Hash & URL Certificate Type – When this option is selected, the firewall sends an HTTP_CERT_LOOKUP_SUPPORTED message to the peer device. If the peer device replies by sending a “Hash and URL of X.509c” certificate, the firewall can authenticate and establish a tunnel between the two devices.

•

Send Hash & URL Certificate Type – When this option is selected, the firewall, upon receiving an HTTP_CERT_LOOKUP_SUPPORTED message, sends a "Hash and URL of X.509c” certificate to the requestor.

NOTE: In a VPN, two peer firewalls (FW1 and FW2) negotiate a tunnel. From the perspective of FW1, FW2 is the remote gateway and vice versa.

Select these options if your devices can send and process hash and certificate URLs instead of the certificates themselves. Using these options reduces the size of the messages exchanged.

Click OK.