SonicWALL VPN, based on the industry-standard IPsec VPN implementation, provides a easy-to-setup, secure solution for connecting mobile users, telecommuters, remote offices and partners via the Internet. Mobile users, telecommuters, and other remote users with broadband (DSL or cable) or dialup Internet access can securely and easily access your network resources with the Dell SonicWALL Global VPN Client and GroupVPN on your firewall. Remote office networks can securely connect to your network using site-to-site VPN connections that enable network-to- network VPN connections.
The GroupVPN feature provides automatic VPN policy provisioning for Global VPN Clients. The GroupVPN feature on the Dell SonicWALL network security appliance and the Global VPN Client dramatically streamlines VPN deployment and management. Using the Client Policy Provisioning technology, you define the VPN policies for Global VPN Client users. This policy information downloads automatically from the firewall (VPN Gateway) to Global VPN Clients, saving remote users the burden of provisioning VPN connections.
You can configure GroupVPN or site-to-site VPN tunnels on the VPN > Settings page. You can define up to four GroupVPN policies, one for each zone. You can also create multiple site-to-site VPN. The maximum number of policies you can add depends on your SonicWALL model.
|
|
NOTE: Remote users must be explicitly granted access to network resources on the Users > Local Users or Users > Local Groups page. When configuring local users or local groups, the VPN Access tab affects the ability of remote clients using GVC to connect to GroupVPN; it also affects remote users using NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the allow list on the VPN Access tab.
|
GroupVPN policies facilitate the set up and deployment of multiple Global VPN Clients by the firewall administrator. GroupVPN is only available for Global VPN Clients and it is recommended you use XAUTH/RADIUS or third party certificates in conjunction with the Group VPN for added security.
From the Network > Zones page, you can create GroupVPN policies for any zones. SonicOS provides two default GroupVPN policies for the WAN and WLAN zones, as these are generally the less trusted zones. These two default GroupVPN policies are listed in the VPN Policies panel on the VPN > Settings page:
In the VPN Policy dialog, from the Authentication Method menu, you can choose either the IKE using Preshared Secret option or the IKE using 3rd Party Certificates option for your IPsec Keying Mode.
SonicOS supports the creation and management of IPsec VPNs.
|
1
|
Click the Edit icon for the WAN GroupVPN entry. The VPN Policy dialog displays.
|
In the General tab, IKE using Preshared Secret is the default setting for Authentication Method.
You cannot change the name of any GroupVPN policy.
|
3
|
Click the Proposals tab to continue the configuration process.
|
|
4
|
In the IKE (Phase 1) Proposal section, use the following settings:
|
|
•
|
Group 1, Group 2 (default), Group 5, or Group 14 – Select Group 2 from the DH Group drop-down menu.
|
|
•
|
Select DES, 3DES (default), AES-128, AES-192, or AES-256 from the Encryption drop-down menu.
|
|
•
|
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
|
|
5
|
In the IPsec (Phase 2) Proposal section, select the following settings:
|
|
•
|
Select 3DES (default), AES-128, AES-192, or AES-256 from the Encryption drop-down menu.
|
|
•
|
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
|
|
•
|
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
|
|
•
|
Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
|
|
•
|
Management via this SA: - If using the VPN policy to manage the firewall, select the management method, either HTTP, SSH, or HTTPS.
|
|
•
|
Default Gateway - Allows you to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the firewall and compared to static routes configured in the firewall.
|
As packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the firewall looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
|
•
|
Require Authentication of VPN Clients via XAUTH - Requires that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted users group is selected by default. You can select another user group or Everyone from User Group for XAUTH users from the User group for XAUTH users menu.
|
|
•
|
Allow Unauthenticated VPN Client Access - Allows you to enable unauthenticated VPN client access. If you clear Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from menu of predefined options, or select Create new address object or Create new address group to create a new one.
|
|
8
|
Click the Client tab, select any of the following settings you want to apply to your GroupVPN policy.
|
|
•
|
Never - Global VPN Client is not allowed to cache the username and password. The user will be prompted for a username and password when the connection is enabled, and also every time there is an IKE Phase 1 rekey.
|
|
•
|
Single Session - Global VPN Client user prompted for username and password each time the connection is enabled and will be valid until the connection is disabled. The username and password is used through IKE Phase 1 rekey.
|
|
•
|
Always - Global VPN Client user prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password.
|
|
•
|
Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS or a specified external DHCP server, to allocate addresses to the Virtual Adapter.
|
In instances where predictable addressing was a requirement, it is necessary to obtain the MAC address of the Virtual Adapter, and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, you can configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration.
|
•
|
None - A Virtual Adapter is not used by this GroupVPN connection.
|
|
•
|
DHCP Lease - The Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configure in the VPN > DHCP over VPN page.
|
|
•
|
DHCP Lease or Manual Configuration - When the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, there are currently no limitations on IP address assignments for the Virtual Adapter. Only duplicate static addresses are not permitted.
|
|
•
|
Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
|
|
•
|
This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
|
|
•
|
All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, then the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
|
|
•
|
Split Tunnels - Allows the VPN user to have both local Internet connectivity and VPN connectivity.
|
|
•
|
Set Default Route as this Gateway - Enable this check box if all remote VPN connections access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting.
|
|
1
|
In the VPN > Settings page, click the Edit icon under Configure. The VPN Policy dialog is displayed.
|
|
2
|
In the Security Policy section, select IKE using 3rd Party Certificates from the Authentication Method drop-down menu.
|
|
•
|
Distinguished Name - This is based on the certificate’s Subject Distinguished Name field, which is contained in all certificates by default.
|
The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), Locality (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWALL, Inc./OU=TechPubs/CN=Joe Pub.
Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, for example, c=us.
|
•
|
Email ID and Domain Name (default) - Both the Email ID and Domain Name types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter does not work.
|
The Email ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wild card characters * (for more than 1 character) and ? (for a single character). For example, the string *@sonicwall.com when Email ID is selected allows anyone with an email address that ended in sonicwall.com to have access; the string *sv.us.sonicwall.com when Domain Name is selected allows anyone with a domain name that ended in sv.us.sonicwall.com to have access.
|
6
|
Check Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu.
|
|
8
|
In the IKE (Phase 1) Proposal section, select the following settings:
|
|
•
|
Group 1, Group 2, Group 5, or Group 14
|
|
•
|
Select 3DES (default), AES-128, AES-192, or AES-256 from the Encryption menu.
|
|
•
|
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
|
|
9
|
In the IPsec (Phase 2) Proposal section, select the following settings:
|
|
•
|
Select 3DES (default), AES-128, AES-192, or AES-256 from the Encryption drop-down menu.
|
|
•
|
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
|
|
•
|
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
|
|
10
|
Click on the Advanced tab and select any of the following optional settings that you want to apply to your GroupVPN Policy:
|
|
•
|
Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
|
|
•
|
Management via this SA - If using the VPN policy to manage the firewall, select the management method, either HTTP, SSH, or HTTPS.
|
|
•
|
Default Gateway - Used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA check box. Default LAN Gateway allows you to specify the IP address of the default LAN route for incoming IPsec packets for this SA.
|
Incoming packets are decoded by the firewall and compared to static routes configured in the firewall. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the firewall looks up a route for the LAN. If no route is found, the firewall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
|
11
|
Click on the Client tab and select any of the following boxes that you want to apply to Global VPN Client provisioning:
|
|
•
|
Never - Global VPN Client is not allowed to cache username and password. The user will be prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey.
|
|
•
|
Single Session - The user will be prompted for username and password each time the connection is enabled and will be valid until the connection is disabled. This username and password is used through IKE phase 1 rekey.
|
|
•
|
Always - The user will be prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password.
|
|
•
|
Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS or a specified external DHCP server, to allocate addresses to the Virtual Adapter.
|
In instances where predictable addressing was a requirement, it is necessary to obtain the MAC address of the Virtual Adapter, and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, you can configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration. This feature requires the use of SonicWALL GVC.
|
•
|
None - A Virtual Adapter is not used by this GroupVPN connection.
|
|
•
|
DHCP Lease - The Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configure in the VPN > DHCP over VPN page.
|
|
•
|
DHCP Lease or Manual Configuration - When the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, there are currently no limitations on IP address assignments for the Virtual Adapter. Only duplicate static addresses are not permitted.
|
|
•
|
Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
|
|
•
|
This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
|
|
•
|
All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
|
If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, then the Internet traffic is blocked.
|
•
|
Split Tunnels - Allows the VPN user to have both local Internet connectivity and VPN connectivity.
|
|
•
|
Set Default Route as this Gateway - Enable this check box if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
|
|
1
|
Click the Export icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy dialog appears.
|
|
3
|
Click Yes. The VPN Policy Export dialog displays.
|
|
4
|
Select a VPN Access Networks from the Select the client Access Network(s) you wish to export drop-down menu.
|
|
5
|
Type a password in the Password field and reenter it in the Confirm Password field, if you want to encrypt the exported file. If you choose not to enter a password, the exported file is not encrypted.
|
|
6
|
Click Submit. If you did not enter a password, a message appears confirming your choice.
|
|
7
|
Click OK. You can change the configuration file before saving.
|
The file can be saved or sent electronically to remote users to configure their Global VPN Clients.
When designing VPN connections, be sure to document all pertinent IP addressing information and create a network diagram to use as a reference. A sample planning sheet is provided on the next page. The firewall must have a routable WAN IP address whether it is dynamic or static. In a VPN network with dynamic and static IP addresses, the VPN gateway with the dynamic address must initiate the VPN connection.
Site-to-Site VPN configurations can include the following options:
|
•
|
Branch Office (Gateway to Gateway) - A SonicWALL is configured to connect to another SonicWALL via a VPN tunnel. Or, a SonicWALL is configured to connect via IPsec to another manufacturer’s firewall.
|
|
•
|
Hub and Spoke Design - All SonicWALL VPN gateways are configured to connect to a central hub, such as a corporate firewall. The hub must have a static IP address, but the spokes can have dynamic IP addresses. If the spokes are dynamic, the hub must be a Dell SonicWALL network security appliance.
|
|
•
|
Mesh Design - All sites connect to all other sites. All sites must have static IP addresses.
|
You can create or modify existing VPN policies using the VPN Policy dialog. Clicking the Add button under the VPN Policies table displays the VPN Policy dialog for configuring the following IPsec Keying mode VPN policies:
This section also contains information on configuring a static route to act as a failover in case the VPN tunnel goes down. See Configuring VPN Failover to a Static Route for more information.
To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below:
|
1
|
Go to the VPN > Settings page. The VPN Policy page is displayed.
|
|
2
|
Click the Add button. The VPN Policy dialog appears.
|
|
3
|
From the Policy Type drop-down menu on the General tab, select the type of policy that you want to create:
|
|
4
|
Select IKE using Preshared Secret from the Authentication Method drop-down menu.
|
|
8
|
In the IKE Authentication section, enter in the Shared Secret and Confirm Shared Secret fields a Shared Secret password to be used to setup the Security Association. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters.
|
|
10
|
Optionally, specify a Local IKE ID and Peer IKE ID for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the firewall Identifier (ID_USER_FQDN) is used for Aggressive Mode.
|
You can select from the following IDs:
Then, enter the address, name, or ID in the field after the drop-down menu.
|
|
NOTE: If you selected Tunnel Interface for Policy Type on the General tab, the Network tab does not display. Go to Step 14.
|
|
12
|
Under Local Networks, select one of these
|
|
13
|
Under Destination Networks, select one of these:
|
|
15
|
Under IKE (Phase 1) Proposal, select one of these from the Exchange menu:
|
|
•
|
Main Mode - Uses IKE Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
|
|
•
|
Aggressive Mode – Generally used when WAN addressing is dynamically assigned. Uses IKE Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
|
|
•
|
IKEv2 Mode – Causes all negotiation to happen via IKE v2 protocols, rather than using IKE Phase 1 and IPsec Phase 2.
|
|
16
|
Under IKE (Phase 1) Proposal, the default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.
|
You can also select Group 1, Group 2, Group 5, or Group 14 for DH Group.
|
20
|
In the IPsec (Phase 2) Proposal section, the default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, and Life Time (seconds) are acceptable for most VPN SA configurations.
|
|
21
|
If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography:
|
You can also select DES, 3DES, AES-128, AES-192, or AES-256 for Encryption.
|
22
|
Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy. The options change depending on whether in the Proposals tab you selected
|
|
•
|
Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
|
|
•
|
The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default to allow the VPN traffic to traverse the appropriate zones.
|
|
•
|
Select Disable IPsec Anti-Replay to disable anti-replay, which is a form of partial sequence integrity that detects the arrival of duplicate IP datagrams (within a constrained dialog).
|
|
•
|
Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
|
|
•
|
Select Enable Multicast to allow IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
|
|
•
|
Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
|
|
•
|
Select Apply NAT Policies if you want the firewall to translate the Local, Remote or both networks communicating via this VPN tunnel. Two drop-down menus display:
|
|
•
|
Select HTTP, HTTPS, or both in the User login via this SA to allow users to login using the SA.
|
|
•
|
Select an interface or zone from the VPN Policy bound to drop-down menu. A Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
|
When IKE2 Mode is selected on the Proposals tab, the Advanced tab has two sections:
The Advanced settings are the same as for Main Mode or Aggressive Mode Options with these exceptions:
|
•
|
The Enable Keep Alive option is dimmed.
|
|
•
|
The Require authentication of VPN clients by XAUTH option is not displayed.
|
|
•
|
The Do not send trigger packet during IKE SA negotiation checkbox is not selected by default and should be selected only when required for interoperability if the peer cannot handle trigger packets.
|
The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers.
Select these options if your devices can send and process hash and certificate URLs instead of the certificates themselves. Using these options reduces the size of the messages exchanged.
When the Accept Hash & URL Certificate Type option is selected, the firewall sends an HTTP_CERT_LOOKUP_SUPPORTED message to the peer device. If the peer device replies by sending a “Hash and URL of X.509c” certificate, the firewall can authenticate and establish a tunnel between the two devices.
When the Send Hash & URL Certificate Type option is selected, the firewall, on receiving an HTTP_CERT_LOOKUP_SUPPORTED message, sends a “Hash and URL of X.509c” certificate to the requestor.
In a VPN, two peer firewalls (FW1 and FW2) negotiate a tunnel. From the perspective of FW1, FW2 is the remote gateway and vice versa.
|
1
|
Click Add on the VPN > Settings page. The VPN Policy dialog displays.
|
|
2
|
In the General tab of the VPN Policy dialog, select Manual Key from the Authentication Method drop-down menu. The VPN Policy dialog displays only the Manual Key options.
|
|
6
|
Under Local Networks, select one of these
|
|
7
|
Under Destination Networks, select one of these:
|
|
9
|
Define an Incoming SPI and an Outgoing SPI. A Security Parameter Index (SPI) is hexadecimal (0123456789abcedf) and can range from 3 to 8 characters in length.
|
|
10
|
The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA configurations.
|
|
|
NOTE: The values for Protocol, Encryption, and Authentication must match the values on the remote firewall.
|
|
|
TIP: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser dialog.
|
|
13
|
Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy.
|
|
•
|
The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default to allow the VPN traffic to traverse the appropriate zones.
|
|
•
|
Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
|
|
•
|
Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
|
|
•
|
Select Apply NAT Policies if you want the firewall to translate the Local, Remote or both networks communicating via this VPN tunnel. Two drop-down menus display:
|
|
•
|
Select HTTP, HTTPS, or both in the User login via this SA to allow users to login using the SA.
|
|
15
|
Click Accept on the VPN > Settings page to update the VPN Policies.
|
|
1
|
Click Add on the VPN > Settings page. The VPN Policy dialog displays.
|
|
2
|
In the General tab, select Manual Key from the Authentication Method drop-down menu.
|
|
6
|
Under Local Networks, select one of these
|
|
7
|
Under Destination Networks, select one of these:
|
|
9
|
Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcedf) and can range from 3 to 8 characters in length.
|
|
10
|
The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA configurations.
|
|
|
NOTE: The values for Protocol, Encryption, and Authentication must match the values on the remote firewall.
|
|
|
TIP: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the UI page.
|
|
13
|
Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy:
|
|
•
|
The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default to allow the VPN traffic to traverse the appropriate zones.
|
|
•
|
Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
|
|
•
|
Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
|
|
•
|
Select Apply NAT Policies if you want the firewall to translate the Local, Remote or both networks communicating via this VPN tunnel. Two drop-down menus display:
|
|
•
|
Select HTTP, HTTPS, or both in the User login via this SA to allow users to login using the SA.
|
|
15
|
Click Accept on the VPN > Settings page to update the VPN Policies.
|
|
1
|
In the VPN > Settings page, click Add. The VPN Policy dialog is displayed.
|
|
2
|
In the Authentication Method list in the General tab, select IKE using 3rd Party Certificates.The VPN Policy dialog displays the third-party certificate options in the IKE Authentication section.
|
|
6
|
Under IKE Authentication, select a third-party certificate from the Local Certificate drop-down menu. You must have imported local certificates before selecting this option.
|
|
•
|
Email ID (UserFQDN) and Domain Name (FQDN) - The Email ID (UserFQDN) and Domain Name (FQDN) types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate contains a Subject Alternative Name, that value must be used. For site-to-site VPNs, wild card characters (such as * for more than one character or ? for a single character) cannot be used.
|
The full value of the Email ID or Domain Name must be entered. This is because site-to-site VPNs are expected to connect to a single peer, as opposed to Group VPNs, which expect to connect to multiple peers.
|
•
|
Distinguished Name (DN) - Based on the certificates Subject Distinguished Name field, which is contained in all certificates by default. As with the Email ID and Domain Name above, the entire Distinguished Name field must be entered for site-to-site VPNs. Wild card characters are not supported.
|
The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), Locality (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWALL, Inc./OU=TechPubs/CN=Joe Pub
|
10
|
Under Local Networks, select one of these
|
|
11
|
Under Destination Networks, select one of these:
|
|
13
|
In the IKE (Phase 1) Proposal section, select the following settings:
|
|
•
|
Select Main Mode or Aggressive Mode from the Exchange menu.
|
|
•
|
Group 1, Group 2, Group 5, or Group 14
|
|
•
|
256-Bit Random ECP Group, 384-Bit Random ECP Group, 521-Bit Random ECP Group, 192-Bit Random ECP Group, or 224-Bit Random ECP Group
|
|
•
|
Select 3DES, AES-128, AES-192, or AES-256 from the Encryption menu.
|
|
•
|
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
|
|
14
|
In the IPsec (Phase 2) Proposal section, select the following settings:
|
|
•
|
Select 3DES, AES-128, AES-192, or AES-256 from the Encryption menu.
|
|
•
|
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. Select Group 2 from the DH Group menu.
|
|
•
|
Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
|
|
15
|
Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy:
|
|
•
|
Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
|
|
•
|
The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default to allow the VPN traffic to traverse the appropriate zones.
|
|
•
|
Select Disable IPsec Anti-Replay to disable anti-replay, which is a form of partial sequence integrity that detects the arrival of duplicate IP datagrams (within a constrained window).
|
|
•
|
Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
|
|
•
|
Select Enable Multicast to allow multicast traffic through the VPN tunnel.
|
|
•
|
Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance
|
|
•
|
Select Apply NAT Policies if you want the firewall to translate the Local, Remote or both networks communicating via this VPN tunnel. Two drop-down menus display:
|
|
•
|
Select an interface or zone from the VPN Policy bound to menu. A zone is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
|
|
•
|
Under IKEv2 Settings (visible only if you selected IKEv2 for Exchange on the Proposals tab), The Do not send trigger packet during IKE SA negotiation checkbox is cleared by default and should only be selected when required for interoperability.
|
The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers.
Select these options if your devices can send and process hash and certificate URLs instead of the certificates themselves. Using these options reduces the size of the messages exchanged.
When the Accept Hash & URL Certificate Type option is selected, the firewall sends an HTTP_CERT_LOOKUP_SUPPORTED message to the peer device. If the peer device replies by sending a “Hash and URL of X.509c” certificate, the firewall can authenticate and establish a tunnel between the two devices.
When the Send Hash & URL Certificate Type option is selected, the firewall, on receiving an HTTP_CERT_LOOKUP_SUPPORTED message, sends a “Hash and URL of X.509c” certificate to the requestor.
In a VPN, two peer firewalls (FW1 and FW2) negotiate a tunnel. From the perspective of FW1, FW2 is the remote gateway and vice versa.
Optionally, you can configure a static route to be used as a secondary route in case the VPN tunnel goes down. The Allow VPN path to take precedence option allows you to create a secondary route for a VPN tunnel. By default, static routes have a metric of one and take precedence over VPN traffic. The Allow VPN path to take precedence option gives precedence over the route to VPN traffic to the same destination address object. This results in the following behavior:
|
5
|
Enable the Allow VPN path to take precedence checkbox.
|
For more information on configuring static routes and Policy Based Routing, see Network > Routing .
For complete information on the SonicOS implementation of IPv6, see IPv6 .
IPSec VPNs can be configured for IPv6 in a similar manner to IPv4 VPNs after selecting the IPv6 option in the View IP Version radio button at the top right of the VPN Policies section.
There are certain VPN features that are currently not supported for IPv6, including:
When configuring an IPv6 VPN policy, on the General tab, the gateways must be configured using IPv6 addresses. FQDN is not supported. When configuring IKE authentication, IPV6 addresses can be used for the local and peer IKE IDs.
On the Network tab of the VPN policy, IPV6 address objects (or address groups that contain only IPv6 address objects) must be selected for the Local Networks and Remote Networks.
DHCP Over VPN is not supported, thus the DHCP options for protected network are not available.
The Any address option for Local Networks and the Tunnel All option for Remote Networks are removed. An all-zero IPv6 Network address object could be selected for the same functionality and behavior.
On the Proposals tab, the configuration is identical for IPv6 and IPv4, except IPv6 only supports IKEv2 mode.
The Advanced tab for IPv6 is similar to that of IPv4, with only the options shown in Table 85 being IP-version specific. If the option are dimmed when not available for the version.
