Configuring GroupVPN Policies

GroupVPN policies facilitate the set up and deployment of multiple Global VPN Clients by the firewall administrator. GroupVPN is only available for Global VPN Clients and it is recommended you use XAUTH/RADIUS or third party certificates in conjunction with the Group VPN for added security.

From the Network > Zones page, you can create GroupVPN policies for any zones. SonicOS provides two default GroupVPN policies for the WAN and WLAN zones, as these are generally the less trusted zones. These two default GroupVPN policies are listed in the VPN Policies panel on the VPN > Settings page:

In the VPN Policy dialog, from the Authentication Method menu, you can choose either the IKE using Preshared Secret option or the IKE using 3rd Party Certificates option for your IPsec Keying Mode.

SonicOS supports the creation and management of IPsec VPNs.

Topics:

Configuring GroupVPN with IKE using Preshared Secret on the WAN Zone

To configure the WAN GroupVPN, follow these steps:

1
Click the Edit icon for the WAN GroupVPN entry. The VPN Policy dialog is displayed.

In the General tab, IKE using Preshared Secret is the default setting for Authentication Method.

2
A Shared Secret is automatically generated by the firewall in the Shared Secret field. You can generate your own shared secret. Shared Secrets must be a minimum of four characters.

You cannot change the name of any GroupVPN policy.

3
Click the Proposals tab to continue the configuration process.

4
In the IKE (Phase 1) Proposal section, use the following settings:
Select the DH Group from the DH Group drop-down menu:
Group 1, Group 2 (default), Group 5, or Group 14 – Select Group 2 from the DH Group drop-down menu.
Select DES, 3DES (default), AES-128, AES-192, or AES-256 from the Encryption drop-down menu.
Select the desired authentication method from the Authentication drop-down menu: MD5, SHA1 (default), SHA256, SHA384, or SHA512.
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
5
In the IPsec (Phase 2) Proposal section, select the following settings:
Select the desired protocol from the Protocol drop-down menu. Currently, ESP is the only option.
Select 3DES (default), AES-128, AES-192, or AES-256 from the Encryption drop-down menu.
Select the desired authentication method from the Authentication drop-down menu: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBX, or None.
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
6
Click the Advanced tab.

7
Advanced Settings
Disable IPsec Anti-Replay - Stops packets with duplicate sequence numbers from being dropped.
Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows® Network Neighborhood.
Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
Accept Multiple Proposals for Clients - Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal or the IKE (Phase 2) Proposal, to be accepted.
Management via this SA: - If using the VPN policy to manage the firewall, select the management method, either HTTP, SSH, or HTTPS.
Default Gateway - Allows you to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the firewall and compared to static routes configured in the firewall.

As packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the firewall looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

Client Authentication
Require Authentication of VPN Clients via XAUTH - Requires that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted users group is selected by default. You can select another user group or Everyone from User Group for XAUTH users from the User group for XAUTH users menu.
Allow Unauthenticated VPN Client Access - Allows you to enable unauthenticated VPN client access. If you clear Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from menu of predefined options, or select Create new address object or Create new address group to create a new one.
8
Click the Client tab, select any of the following settings you want to apply to your GroupVPN policy.

User Name and Password Caching
Cache XAUTH User Name and Password on Client - Allows the Global VPN Client to cache the user name and password.
Never - Global VPN Client is not allowed to cache the username and password. The user will be prompted for a username and password when the connection is enabled, and also every time there is an IKE Phase 1 rekey.
Single Session - Global VPN Client user prompted for username and password each time the connection is enabled and will be valid until the connection is disabled. The username and password is used through IKE Phase 1 rekey.
Always - Global VPN Client user prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password.
Client Connections
Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS or a specified external DHCP server, to allocate addresses to the Virtual Adapter.

In instances where predictable addressing was a requirement, it is necessary to obtain the MAC address of the Virtual Adapter, and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, you can configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration.

None - A Virtual Adapter will not be used by this GroupVPN connection.
DHCP Lease - The Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configure in the VPN > DHCP over VPN page.
DHCP Lease or Manual Configuration - When the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, there are currently no limitations on IP address assignments for the Virtual Adapter. Only duplicate static addresses are not permitted.
Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, then the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
Split Tunnels - Allows the VPN user to have both local Internet connectivity and VPN connectivity.
Set Default Route as this Gateway - Enable this check box if all remote VPN connections access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting.
Client Initial Provisioning
Use Default Key for Simple Client Provisioning - Uses Aggressive mode for the initial exchange with the gateway and VPN clients uses a default Preshared Key for authentication.
9

Configuring GroupVPN with IKE using 3rd Party Certificates

To configure GroupVPN with IKE using 3rd Party Certificates, follow these steps:
1
In the VPN > Settings page click the Edit icon under Configure. The VPN Policy window is displayed.
2
In the Security Policy section, select IKE using 3rd Party Certificates from the Authentication Method drop-down menu.

 
3
4
Distinguished Name - This is based on the certificate’s Subject Distinguished Name field, which is contained in all certificates by default.

The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), Locality (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWALL, Inc./OU=TechPubs/CN=Joe Pub.

Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, for example, c=us.

Email ID and Domain Name (default) - Both the Email ID and Domain Name types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter does not work.

The Email ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wild card characters * (for more than 1 character) and ? (for a single character). For example, the string *@sonicwall.com when Email ID is selected allows anyone with an email address that ended in sonicwall.com to have access; the string *sv.us.sonicwall.com when Domain Name is selected allows anyone with a domain name that ended in sv.us.sonicwall.com to have access.

5
6
Check Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu.
7
Click on the Proposals tab.

8
In the IKE (Phase 1) Proposal section, select the following settings:
Group 1, Group 2, Group 5, or Group 14
Select 3DES (default), AES-128, AES-192, or AES-256 from the Encryption menu.
Select the desired authentication method from the Authentication menu: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBX, or None.
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
9
In the IPsec (Phase 2) Proposal section, select the following settings:
Select the desired protocol from the Protocol menu. Currently, ESP is the only option.
Select 3DES (default), AES-128, AES-192, or AES-256 from the Encryption drop-down menu.
Select the desired authentication method from the Authentication drop-down menu: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBX, or None.
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
10
Click on the Advanced tab and select any of the following optional settings that you want to apply to your GroupVPN Policy:

Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows Network Neighborhood.
Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
Management via this SA - If using the VPN policy to manage the firewall, select the management method, either HTTP, SSH, or HTTPS.
Default Gateway - Used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA check box. Default LAN Gateway allows you to specify the IP address of the default LAN route for incoming IPsec packets for this SA.

Incoming packets are decoded by the firewall and compared to static routes configured in the firewall. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the firewall looks up a route for the LAN. If no route is found, the firewall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status. See Using OCSP with Dell SonicWALL Network Security Appliances .
Require Authentication of VPN Clients via XAUTH - Requires that all inbound traffic on this VPN policy is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
User group for XAUTH users - Allows you to select a defined user group for authentication.
Allow Unauthenticated VPN Client Access - Allows you to specify network segments for unauthenticated Global VPN Client access.
11
Click on the Client tab and select any of the following boxes that you want to apply to Global VPN Client provisioning:

Cache XAUTH User Name and Password - Allows the Global VPN Client to cache the user name and password. Select from:
Never - Global VPN Client is not allowed to cache username and password. The user will be prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey.
Single Session - The user will be prompted for username and password each time the connection is enabled and will be valid until the connection is disabled. This username and password is used through IKE phase 1 rekey.
Always - The user will be prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password.
Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS or a specified external DHCP server, to allocate addresses to the Virtual Adapter.

In instances where predictable addressing was a requirement, it is necessary to obtain the MAC address of the Virtual Adapter, and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, you can configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration. This feature requires the use of SonicWALL GVC.

None - A Virtual Adapter will not be used by this GroupVPN connection.
DHCP Lease - The Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configure in the VPN > DHCP over VPN page.
DHCP Lease or Manual Configuration - When the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, there are currently no limitations on IP address assignments for the Virtual Adapter. Only duplicate static addresses are not permitted.
Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway.

If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, then the Internet traffic is blocked.

NOTE: Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
Split Tunnels - Allows the VPN user to have both local Internet connectivity and VPN connectivity.
Set Default Route as this Gateway - Enable this check box if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
Use Default Key for Simple Client Provisioning - Uses Aggressive mode for the initial exchange with the gateway and VPN clients uses a default Preshared Key for authentication.
12

Exporting a VPN Client Policy

If you want to export the Global VPN Client configuration settings to a file for users to import into their Global VPN Clients, follow these instructions:

1
Click the Export icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy window appears.

2
rcf format is required for SonicWALL Global VPN Clients is selected by default. Files saved in the rcf format can be password encrypted. The firewall provides a default file name for the configuration file, which you can change.
3
Click Yes. The VPN Policy Export window appears.

4
Select a VPN Access Networks from the Select the client Access Network(s) you wish to export drop-down menu.
5
Type a password in the Password field and reenter it in the Confirm Password field, if you want to encrypt the exported file. If you choose not to enter a password, the exported file is not encrypted.
6
Click Submit. If you did not enter a password, a message appears confirming your choice.
7
Click OK. You can change the configuration file before saving.
8
9
Click Close.

The file can be saved or sent electronically to remote users to configure their Global VPN Clients.