You can configure GroupVPN or site-to-site VPN tunnels on the VPN > Settings page. You can define up to four GroupVPN policies, one for each zone. You can also create multiple site-to-site VPN policies; the maximum number of policies you can add depends on your SonicWALL model.
NOTE: Remote users must be explicitly granted access to network resources on the Users > Local Users or Users > Local Groups page. When configuring local users or local groups, the VPN Access tab controls what remote clients using GVC can reach through GroupVPN; it also applies to remote users using NetExtender and SSL VPN Virtual Office bookmarks. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the allow list on the VPN Access tab. Because access is granted per address object, keep each group's list to the resources that group actually needs rather than adding a whole LAN subnet out of habit.
GroupVPN policies simplify the setup and deployment of multiple Global VPN Clients by the firewall administrator. GroupVPN is only available for Global VPN Clients, and it is recommended that you use XAUTH/RADIUS or third-party certificates in conjunction with GroupVPN for added security: the preshared secret of a GroupVPN policy is shared by every client that imports the policy, so on its own it identifies the group, not the user.
From the Network > Zones page, you can create GroupVPN policies for any zone. SonicOS provides two default GroupVPN policies, for the WAN and WLAN zones, as these are generally the less trusted zones. These two default GroupVPN policies are listed in the VPN Policies panel on the VPN > Settings page.
In the VPN Policy dialog, from the Authentication Method menu, you can choose either the IKE using Preshared Secret option or the IKE using 3rd Party Certificates option for your IPsec Keying Mode.
SonicOS supports the creation and management of IPsec VPNs.
1. In the General tab, IKE using Preshared Secret is the default setting for Authentication Method.
2. A Shared Secret is automatically generated by the firewall in the Shared Secret field. You can generate your own shared secret. Shared Secrets must be a minimum of four characters; treat four as the floor the dialog enforces, not as a target, and use a long random value, because every Global VPN Client that imports this policy carries the same secret.
You cannot change the name of any GroupVPN policy.
3. Click the Proposals tab to continue the configuration process.
4. In the IKE (Phase 1) Proposal section, use the following settings:
• Select the DH Group from the DH Group drop-down menu:
•
•
•
• Select the desired authentication method from the Authentication drop-down menu: MD5, SHA1 (default), SHA256, SHA384, or SHA512. Choose SHA256 or stronger unless an older client requires SHA1; MD5 is retained only for interoperability.
• Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
5. In the IPsec (Phase 2) Proposal section, use the following settings:
•
•
•
• Select the desired authentication method from the Authentication drop-down menu: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None. None leaves ESP traffic without integrity protection, so do not select it outside a lab.
• Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. With PFS enabled, Phase 2 keys come from a fresh exchange rather than from the Phase 1 keying material, so a later compromise of the Phase 1 material does not yield the keys that protected earlier Phase 2 traffic.
• Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
6. Click the Advanced tab.
• Disable IPsec Anti-Replay - Stops packets with duplicate sequence numbers from being dropped. Leave anti-replay enabled unless a peer is known to deliver packets out of order beyond the replay window; with it disabled, a captured ESP packet can be re-injected and accepted.
• Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows® Network Neighborhood.
• Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
• Accept Multiple Proposals for Clients - Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal or the IPsec (Phase 2) Proposal, to be accepted.
• Management via this SA - If using the VPN policy to manage the firewall, select the management method: HTTP, SSH, or HTTPS. Prefer HTTPS or SSH; HTTP management inside the tunnel is protected only by the tunnel itself.
• Default Gateway - Allows you to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the firewall and compared to static routes configured in the firewall.
• Require Authentication of VPN Clients via XAUTH - Requires that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted Users group is selected by default. You can select another user group or Everyone from the User group for XAUTH users menu.
• Allow Unauthenticated VPN Client Access - Allows you to enable unauthenticated VPN client access. If you clear Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from the menu of predefined options, or select Create new address object or Create new address group to create a new one. Anything listed here is reachable by any client that holds the group preshared secret, so keep the scope to the minimum (for example, a provisioning or authentication server) rather than a LAN subnet.
8. Click the Client tab, and select any of the following settings you want to apply to your GroupVPN policy.
• Cache XAUTH User Name and Password on Client - Allows the Global VPN Client to cache the user name and password.
  • Never - The Global VPN Client is not allowed to cache the username and password. The user is prompted for a username and password when the connection is enabled, and also every time there is an IKE Phase 1 rekey.
  • Single Session - The Global VPN Client user is prompted for a username and password each time the connection is enabled; the credentials remain valid until the connection is disabled and are reused through IKE Phase 1 rekeys.
  • Always - The Global VPN Client user is prompted for a username and password only once, when the connection is enabled. When prompted, the user is given the option of caching the username and password. Cached credentials live on the endpoint, so this setting turns a lost or compromised laptop into a valid VPN user; Never or Single Session is the safer choice where XAUTH is the only per-user control.
• Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) depends on a DHCP server, either the internal SonicOS server or a specified external DHCP server, to allocate addresses to the Virtual Adapter.
  • None - A Virtual Adapter is not used by this GroupVPN connection.
  • DHCP Lease - The Virtual Adapter obtains its IP configuration from the DHCP server only, as configured on the VPN > DHCP over VPN page.
  • DHCP Lease or Manual Configuration - When the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, there are currently no limitations on IP address assignments for the Virtual Adapter; only duplicate static addresses are not permitted. Because a client can therefore choose its own address, do not base access rules for GVC users on source IP alone.
• Allow Connections to - Client network traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
  • This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, Internet traffic is blocked.
  • All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
  • Split Tunnels - Allows the VPN user to have both local Internet connectivity and VPN connectivity. The client is then on the Internet and on your network at the same time, so pair split tunneling with endpoint controls, or choose one of the options above if that bridging is unacceptable.
• Set Default Route as this Gateway - Enable this check box if all remote VPN connections access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting.
• Use Default Key for Simple Client Provisioning - Uses Aggressive mode for the initial exchange with the gateway, and VPN clients use a default Preshared Key for authentication. A default key is by definition not unique to your deployment and should be treated as public; if you enable this for first-time provisioning, rely on XAUTH (Require Authentication of VPN Clients via XAUTH) for the actual authentication.
9. Click OK.
1. In the VPN > Settings page, click the Edit icon under Configure. The VPN Policy dialog is displayed.
2. In the Security Policy section, select IKE using 3rd Party Certificates from the Authentication Method drop-down menu.
3. Select a certificate for the firewall from the Gateway Certificate drop-down menu.
4. Select one of the following Peer ID types from the Peer ID Type drop-down menu:
• Distinguished Name - This is based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to end with a semicolon. You must enter at least one entry, for example, c=us.
• Email ID and Domain Name (default) - Both the Email ID and Domain Name types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter does not work. The Email ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wildcard characters * (for more than one character) and ? (for a single character). For example, the string *@sonicwall.com when Email ID is selected allows anyone with an email address ending in @sonicwall.com to have access; the string *sv.us.sonicwall.com when Domain Name is selected allows anyone with a domain name ending in sv.us.sonicwall.com to have access. Note that *sonicwall.com also matches notsonicwall.com, so anchor the pattern at a dot or @ where you mean a subdomain or mail domain.
5. Enter the Peer ID filter in the Peer ID Filter field.
6. Check Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu. Without this, a certificate issued by any other CA the firewall trusts passes as long as its name matches the filter, so enable it whenever your clients are issued from a single CA.
7. Click the Proposals tab.
8. In the IKE (Phase 1) Proposal section, select the following settings:
• Select the DH Group from the DH Group menu.
•
•
•
• Select the desired authentication method from the Authentication menu: MD5, SHA1 (default), SHA256, SHA384, or SHA512.
• Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
9. In the IPsec (Phase 2) Proposal section, select the following settings:
•
•
•
• Select the desired authentication method from the Authentication drop-down menu: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.
• Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
• Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
10. Click the Advanced tab and select any of the following optional settings that you want to apply to your GroupVPN policy:
• Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows Network Neighborhood.
• Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
• Management via this SA - If using the VPN policy to manage the firewall, select the management method: HTTP, SSH, or HTTPS.
• Default Gateway - Used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA check box. Default LAN Gateway allows you to specify the IP address of the default LAN route for incoming IPsec packets for this SA.
• Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL at which to check certificate status. See Using OCSP with Dell SonicWALL Network Security Appliances. Without revocation checking, a certificate you have revoked keeps authenticating until it expires, so enable OCSP rather than relying on short validity periods alone, and decide in advance how an unreachable responder should be handled.
• Require Authentication of VPN Clients via XAUTH - Requires that all inbound traffic on this VPN policy is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
• User group for XAUTH users - Allows you to select a defined user group for authentication.
• Allow Unauthenticated VPN Client Access - Allows you to specify network segments for unauthenticated Global VPN Client access.
11. Click the Client tab and select any of the following boxes that you want to apply to Global VPN Client provisioning:
• Cache XAUTH User Name and Password - Allows the Global VPN Client to cache the user name and password. Select from:
  • Never - The Global VPN Client is not allowed to cache the username and password. The user is prompted for a username and password when the connection is enabled and also every time there is an IKE Phase 1 rekey.
  • Single Session - The user is prompted for a username and password each time the connection is enabled; the credentials remain valid until the connection is disabled and are reused through IKE Phase 1 rekeys.
  • Always - The user is prompted for a username and password only once, when the connection is enabled. When prompted, the user is given the option of caching the username and password.
• Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) depends on a DHCP server, either the internal SonicOS server or a specified external DHCP server, to allocate addresses to the Virtual Adapter.
  • None - A Virtual Adapter is not used by this GroupVPN connection.
  • DHCP Lease - The Virtual Adapter obtains its IP configuration from the DHCP server only, as configured on the VPN > DHCP over VPN page.
  • DHCP Lease or Manual Configuration - When the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, there are currently no limitations on IP address assignments for the Virtual Adapter; only duplicate static addresses are not permitted.
• Allow Connections to - Client network traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
  • This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, Internet traffic is blocked.
  • All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, Internet traffic is blocked.
  • Split Tunnels - Allows the VPN user to have both local Internet connectivity and VPN connectivity.
• Set Default Route as this Gateway - Enable this check box if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
• Use Default Key for Simple Client Provisioning - Uses Aggressive mode for the initial exchange with the gateway, and VPN clients use a default Preshared Key for authentication.
12. Click OK.
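The Peer ID filter rules in steps 4 and 5 (case-insensitive matching, * and ? wildcards, up to three ou= entries, and no match at all when the certificate has no Subject Alternative Name) are easy to get subtly wrong, so the following Python, an added example and not SonicOS code, implements them against constructed certificate records so that a filter can be tested before it is deployed. The certificate records are plain dicts built inline, not parsed X.509; the treatment of repeated ou= entries (each pattern must be satisfied by a distinct OU value) is an assumption this example makes beyond what the page states.

```python
# Added example (not SonicOS code): evaluate a Peer ID Type / Peer ID Filter
# pair against a peer certificate the way the page describes the rules.
import re

DN_ATTRS = ("c", "o", "ou", "cn")


def wildcard_to_regex(pattern):
    """Compile a Peer ID filter pattern: '*' matches any run of characters,
    '?' exactly one, everything else is literal; matching is case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def san_filter_allows(filter_str, san_values):
    """Email ID / Domain Name filter: passes if any SAN value of that kind
    matches. A certificate with no such SAN entry never passes."""
    rx = wildcard_to_regex(filter_str)
    return any(rx.fullmatch(value) for value in san_values)


def parse_dn_filter(filter_str):
    """Parse 'c=*;o=*;ou=*;ou=*;ou=*;cn=*' into (attribute, pattern) pairs."""
    entries = []
    for item in filter_str.split(";"):
        item = item.strip()
        if not item:
            continue                      # a trailing ';' is allowed
        if "=" not in item:
            raise ValueError(f"bad DN filter entry: {item!r}")
        attr, pattern = item.split("=", 1)
        attr = attr.strip().lower()
        if attr not in DN_ATTRS:
            raise ValueError(f"unsupported DN attribute: {attr!r}")
        entries.append((attr, pattern.strip()))
    if not entries:
        raise ValueError("DN filter needs at least one entry, for example c=us")
    if sum(1 for attr, _ in entries if attr == "ou") > 3:
        raise ValueError("at most three ou= entries are allowed")
    return entries


def dn_filter_allows(filter_str, subject):
    """Every filter entry must be satisfied by the Subject DN. Each ou= pattern
    must match a distinct OU value (an assumption of this example)."""
    remaining_ou = list(subject.get("ou", []))
    for attr, pattern in parse_dn_filter(filter_str):
        rx = wildcard_to_regex(pattern)
        if attr == "ou":
            hit = next((v for v in remaining_ou if rx.fullmatch(v)), None)
            if hit is None:
                return False
            remaining_ou.remove(hit)
        else:
            value = subject.get(attr)
            if value is None or not rx.fullmatch(value):
                return False
    return True


def peer_allowed(peer_id_type, filter_str, cert):
    """Apply the configured Peer ID Type and Peer ID Filter to one peer cert."""
    if peer_id_type == "dn":
        return dn_filter_allows(filter_str, cert["subject"])
    if peer_id_type == "email":
        return san_filter_allows(filter_str, cert.get("san_email", []))
    if peer_id_type == "domain":
        return san_filter_allows(filter_str, cert.get("san_dns", []))
    raise ValueError(f"unknown Peer ID type: {peer_id_type!r}")


# Constructed sample certificates (plain dicts, not real X.509 data).
CERT_WITH_SAN = {
    "subject": {"c": "US", "o": "Example", "ou": ["VPN", "Engineering"], "cn": "vpn-1"},
    "san_email": ["Alice@SonicWALL.com"],
    "san_dns": ["vpn1.sv.us.sonicwall.com"],
}
CERT_NO_SAN = {"subject": {"c": "US", "o": "Example", "ou": [], "cn": "vpn-2"}}

if __name__ == "__main__":
    print(peer_allowed("email", "*@sonicwall.com", CERT_WITH_SAN))
    print(peer_allowed("email", "*@sonicwall.com", CERT_NO_SAN))
    print(peer_allowed("dn", "c=us;o=example;ou=eng*;cn=vpn-?", CERT_WITH_SAN))
```

Running this also makes the wildcard pitfall visible: san_filter_allows("*sonicwall.com", ["notsonicwall.com"]) is true, which is why a Domain Name filter should begin with *. rather than a bare *.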
1. Click the Export icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy dialog appears.
2. The rcf format is required for SonicWALL Global VPN Clients option is selected by default. Files saved in the rcf format can be password encrypted. The firewall provides a default file name for the configuration file, which you can change.
3.
4. Select a VPN Access Network from the Select the client Access Network(s) you wish to export drop-down menu.
5. Type a password in the Password field and reenter it in the Confirm Password field if you want to encrypt the exported file. If you do not enter a password, the exported file is not encrypted. The exported policy contains what a client needs to bring up the tunnel, so always set a password and send it to the user by a different channel than the file.
6. Click Submit. If you did not enter a password, a message appears confirming your choice.
7. Click OK. You can change the configuration file before saving.
9. Click Close.
The file can be saved or sent electronically to remote users to configure their Global VPN Clients.
Site-to-Site VPN configurations can include the following options:
• Branch Office (Gateway to Gateway) - A SonicWALL is configured to connect to another SonicWALL via a VPN tunnel, or a SonicWALL is configured to connect via IPsec to another manufacturer's firewall.
• Hub and Spoke Design - All SonicWALL VPN gateways are configured to connect to a central hub, such as a corporate firewall. The hub must have a static IP address, but the spokes can have dynamic IP addresses. If the spokes are dynamic, the hub must be a Dell SonicWALL network security appliance.
• Mesh Design - All sites connect to all other sites. All sites must have static IP addresses.
You can create or modify existing VPN policies using the VPN Policy dialog. Clicking the Add button under the VPN Policies table displays the VPN Policy dialog for configuring VPN policies in each IPsec Keying mode.
This section also contains information on configuring a static route to act as a failover in case the VPN tunnel goes down. See Configuring VPN Failover to a Static Route for more information.
VIDEO: Informational videos with Site-to-Site VPN configuration examples are available online. For example, see How to Create a Site to Site VPN in Main Mode using Preshared Secret or How to Create Aggressive Mode Site to Site VPN using Preshared Secret. Additional videos are available at: https://support.software.dell.com/videos-product-select.
To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below:
1.
2.
3. From the Policy Type drop-down menu on the General tab, select the type of policy that you want to create:
NOTE: If you select Tunnel Interface for the Policy Type, the IPsec Secondary Gateway Name or Address option and the Network tab are not available.
4.
5. Enter a name for the policy in the Name field.
6. Enter the host name or IP address of the remote connection in the IPsec Primary Gateway Name or Address field.
7. If the remote VPN device supports more than one endpoint, you may optionally enter a second host name or IP address of the remote connection in the IPsec Secondary Gateway Name or Address field.
8. In the IKE Authentication section, enter in the Shared Secret and Confirm Shared Secret fields a Shared Secret password to be used to set up the Security Association. The Shared Secret must be at least 4 characters long and should comprise both numbers and letters. In a preshared-secret policy this value is the only thing that authenticates the peer, so use a long random string that is unique to this tunnel and never reuse it across policies.
10. Optionally, specify a Local IKE ID and Peer IKE ID for this policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the firewall Identifier (ID_USER_FQDN) is used for Aggressive Mode. You can select from the following IDs:
Then, enter the address, name, or ID in the field after the drop-down menu.
11. Click the Network tab.
NOTE: If you selected Tunnel Interface for Policy Type on the General tab, the Network tab does not display. Go to Step 14.
12. Under Local Networks, select one of these:
• If a specific local network can access the VPN tunnel, select a local network from the Choose local network from list drop-down menu.
• If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
13. Under Destination Networks, select one of these:
• If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic.
• Alternatively, select Choose Destination network from list, and select the address object or group.
14. Click Proposals.
15.
• Main Mode - Uses IKE Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
• Aggressive Mode - Generally used when WAN addressing is dynamically assigned. Uses IKE Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings. Aggressive Mode sends the identities in the clear, and with a preshared secret an observer of the exchange can attempt offline guessing of that secret, so a strong secret matters even more here than in Main Mode; prefer IKEv2 where both peers support it.
• IKEv2 Mode - Causes all negotiation to happen via IKEv2 protocols, rather than using IKE Phase 1 and IPsec Phase 2. If IKEv2 is selected, these options are dimmed: DH Group, Encryption, and Authentication.
16. Under IKE (Phase 1) Proposal, the default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations, with the exceptions noted in steps 17 through 19.
17. In Main Mode or Aggressive Mode, for the DH Group you can select from five Diffie-Hellman groups that are included in Suite B cryptography:
You can also select Group 1, Group 2, Group 5, or Group 14 for DH Group. Group 1 (768-bit MODP) and Group 2 (1024-bit MODP) are too small for current guidance; use Group 14 (2048-bit) or one of the Suite B elliptic-curve groups unless a legacy peer leaves no choice.
18. If you selected Main Mode or Aggressive Mode, select one of 3DES, DES, AES-128, AES-192, or AES-256 from the Encryption drop-down list. 3DES is the default. Change it: DES is brute-forceable and 3DES is deprecated, so AES-128 or AES-256 is the practical choice.
19. If you selected Main Mode or Aggressive Mode, for enhanced authentication security you can choose one of SHA-1, MD5, SHA256, SHA384, or SHA512 from the Authentication drop-down list. SHA1 is the default. Prefer SHA256 or higher; keep MD5 and SHA1 only where a peer cannot negotiate anything else.
20. In the IPsec (Phase 2) Proposal section, the default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, and Life Time (seconds) are acceptable for most VPN SA configurations.
21. If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography:
You can also select DES, 3DES, AES-128, AES-192, or AES-256 for Encryption.
22. Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy. The options change depending on whether, in the Proposals tab, you selected Main Mode or Aggressive Mode, or IKEv2 Mode.
• Main Mode or Aggressive Mode
  • Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives allows for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
  • The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default, so that the firewall auto-creates the access rules that let VPN traffic traverse the appropriate zones. Those auto-added rules permit all traffic between the local and remote networks; select this option and write explicit rules when the remote side should only reach specific hosts and services.
  • Select Disable IPsec Anti-Replay to disable anti-replay, which is a form of partial sequence integrity that detects the arrival of duplicate IP datagrams (within a constrained window). Leave anti-replay enabled unless a peer demonstrably delivers packets out of order beyond that window.
  • To require XAUTH authentication by users prior to allowing traffic to traverse this tunnel, select Require authentication of VPN client by XAUTH, and then select a user group to specify allowed users from the User group for XAUTH drop-down menu that then appears.
  • Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
  • Select Enable Multicast to allow IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
  • Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
  • Select Apply NAT Policies if you want the firewall to translate the Local, Remote, or both networks communicating via this VPN tunnel. Two drop-down menus display:
    • To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
    • To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down menu.
NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
  •
  •
  •
  • If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, enter the IP address of your router in the Default LAN Gateway (optional) field.
  • Select an interface or zone from the VPN Policy bound to drop-down menu. Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
IMPORTANT: Two different WAN interfaces cannot be selected from the VPN Policy bound to drop-down menu if the VPN Gateway IP address is the same for both.
When IKEv2 Mode is selected on the Proposals tab, the Advanced tab has two sections:
The Advanced settings are the same as for Main Mode or Aggressive Mode with these exceptions:
• The Enable Keep Alive option is dimmed.
• The Require authentication of VPN clients by XAUTH option is not displayed.
• The Do not send trigger packet during IKE SA negotiation checkbox is not selected by default and should be selected only when required for interoperability because the peer cannot handle trigger packets.
The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers.
When the Accept Hash & URL Certificate Type option is selected, the firewall sends an HTTP_CERT_LOOKUP_SUPPORTED notification to the peer device. If the peer device replies by sending a "Hash and URL of X.509 certificate" payload, the firewall can authenticate and establish a tunnel between the two devices.
When the Send Hash & URL Certificate Type option is selected, the firewall, on receiving an HTTP_CERT_LOOKUP_SUPPORTED notification, sends a "Hash and URL of X.509 certificate" payload to the requestor. The certificate itself is then fetched over plain HTTP from the URL in the payload; the hash carried in the payload is what ties the fetched bytes to the sender, so the web host need not be trusted, but it must be reachable from the peer during negotiation.
23. Click OK.
1.
2. In the General tab of the VPN Policy dialog, select Manual Key from the Authentication Method drop-down menu. The VPN Policy dialog displays only the Manual Key options.
3. Enter a name for the policy in the Name field.
4. Enter the host name or IP address of the remote connection in the IPsec Gateway Name or Address field.
5. Click the Network tab.
6. Under Local Networks, select one of these:
• If a specific local network can access the VPN tunnel, select a local network from the Choose local network from list drop-down menu.
• If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
7. Under Destination Networks, select one of these:
• If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic.
• Alternatively, select Choose Destination network from list, and select the address object or group.
8. Click the Proposals tab.
9. Define an Incoming SPI and an Outgoing SPI. A Security Parameter Index (SPI) is hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length.
10. The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA configurations.
NOTE: The values for Protocol, Encryption, and Authentication must match the values on the remote firewall.
11. Enter a 48-character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is also used to configure the remote SonicWALL's encryption key, so write it down to use when configuring that firewall. Do not keep the default value: a manually keyed SA never rekeys, so whoever knows this key can decrypt every packet the tunnel ever carries, and a default is known to anyone with the same product.
12. Enter a 40-character hexadecimal authentication key in the Authentication Key field or use the default value. Write down the key to use while configuring the remote firewall settings. The same advice applies: generate it randomly and protect it as carefully as the encryption key. Because manual keying has no IKE, there is no perfect forward secrecy and no automatic rekey, and anti-replay cannot be relied on since the sequence counter is never reset; prefer IKE whenever the peer supports it.
13. Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy.
• The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default, so that the firewall auto-creates the access rules that let VPN traffic traverse the appropriate zones.
• Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
• Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
• Select Apply NAT Policies if you want the firewall to translate the Local, Remote, or both networks communicating via this VPN tunnel. Two drop-down menus display:
  • To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
  • To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down menu.
NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
TIP: Informational videos with interface configuration examples are available online. For example, see How to Configure NAT over VPN in a Site to Site VPN with Overlapping Networks. Additional videos are available at: https://support.software.dell.com/videos-product-select.
• To manage the local SonicWALL through the VPN tunnel, select HTTPS, SSH, SNMP, or any combination of these three from Management via this SA.
•
•
• Select an interface from the VPN Policy bound to drop-down menu.
IMPORTANT: Two different WAN interfaces cannot be selected from the VPN Policy bound to drop-down menu if the VPN Gateway IP address is the same for both.
14. Click OK.
15.
|
1.
2.
3. Enter a name for the SA in the Name field.
4. Enter the host name or IP address of the local connection in the IPsec Gateway Name or Address field.
5. Click the Network tab.
6. Under Local Networks, select one of these:
• If a specific local network can access the VPN tunnel, select a local network from the Choose local network from list drop-down menu.
• If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
7. Under Destination Networks, select one of these:
• If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic.
• Alternatively, select Choose Destination network from list, and select the address object or group.
8.
9. Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length.
10. The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA configurations.
NOTE: The values for Protocol, Encryption, and Authentication must match the values on the remote firewall.
11. Enter a 48-character hexadecimal encryption key in the Encryption Key field or use the default value. The same encryption key must be entered on the remote SonicWALL, so write it down for use when configuring the remote SonicWALL.
12. Enter a 40-character hexadecimal authentication key in the Authentication Key field or use the default value. Write down the key to use while configuring the remote SonicWALL settings.
13. Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy:
• The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default, so that VPN traffic can traverse the appropriate zones.
• Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
• Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
• Select Apply NAT Policies if you want the firewall to translate the Local, Remote, or both networks communicating via this VPN tunnel. Two drop-down menus display:
  • To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
  • To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down menu.
NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
• To manage the remote SonicWALL through the VPN tunnel, select HTTP, SSH, SNMP, or any combination of these three from Management via this SA.
• Select an interface from the VPN Policy bound to menu.
IMPORTANT: Two different WAN interfaces cannot be selected from the VPN Policy bound to drop-down menu if the VPN Gateway IP address is the same for both.
14. Click OK.
15.
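The manual-key procedure above asks for two SPIs and two keys that have to be typed identically on both firewalls, and a typo in a 48-character hex string is easy to make. The following is an added example (not SonicOS code) that generates values of the sizes steps 9, 11 and 12 require, checks a set of values before they are entered, and produces the matching set for the remote SonicWALL. The pairing rule in peer_sa() (the remote side's Incoming SPI is the local side's Outgoing SPI and vice versa) is standard IPsec manual keying and is an assumption here; the page itself only states that the keys must match on both sides.

```python
"""Key material for a SonicOS manual-key VPN SA (steps 9, 11 and 12 above).

Added example, not SonicOS code. Sizes come from the steps: SPI 3 to 8 hex
characters, encryption key 48 hex characters (24 bytes), authentication key
40 hex characters (20 bytes). The SPI swap in peer_sa() is an assumption
(standard manual keying), not something the page states.
"""
import re
import secrets

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SPI_MIN_LEN, SPI_MAX_LEN = 3, 8          # step 9: 3 to 8 hex characters
ENCRYPTION_KEY_LEN = 48                  # step 11: 48 hex characters = 24 bytes
AUTHENTICATION_KEY_LEN = 40              # step 12: 40 hex characters = 20 bytes


def is_valid_spi(spi: str) -> bool:
    """SPI: hexadecimal, 3 to 8 characters."""
    return bool(HEX_RE.match(spi)) and SPI_MIN_LEN <= len(spi) <= SPI_MAX_LEN


def is_valid_key(key: str, hex_len: int) -> bool:
    """Key: hexadecimal and exactly the length the field requires."""
    return bool(HEX_RE.match(key)) and len(key) == hex_len


def generate_local_sa() -> dict:
    """Fresh random values instead of the firewall defaults; secrets is the CSPRNG."""
    return {
        "incoming_spi": secrets.token_hex(4),          # 8 hex chars, the maximum allowed
        "outgoing_spi": secrets.token_hex(4),
        "encryption_key": secrets.token_hex(24),       # 48 hex chars
        "authentication_key": secrets.token_hex(20),   # 40 hex chars
    }


def validate_sa(sa: dict) -> list:
    """Return the problems found; an empty list means the values fit the fields."""
    problems = []
    for field in ("incoming_spi", "outgoing_spi"):
        if not is_valid_spi(sa.get(field, "")):
            problems.append(f"{field}: must be 3 to 8 hexadecimal characters")
    if not is_valid_key(sa.get("encryption_key", ""), ENCRYPTION_KEY_LEN):
        problems.append("encryption_key: must be exactly 48 hexadecimal characters")
    if not is_valid_key(sa.get("authentication_key", ""), AUTHENTICATION_KEY_LEN):
        problems.append("authentication_key: must be exactly 40 hexadecimal characters")
    return problems


def peer_sa(local: dict) -> dict:
    """Values to enter on the remote SonicWALL: identical keys, SPIs swapped (assumption, see above)."""
    return {
        "incoming_spi": local["outgoing_spi"],
        "outgoing_spi": local["incoming_spi"],
        "encryption_key": local["encryption_key"],
        "authentication_key": local["authentication_key"],
    }


def keys_match(local: dict, remote: dict) -> bool:
    """Steps 10 to 12: both firewalls must carry the same key material (hex is case-insensitive)."""
    return (local["encryption_key"].lower() == remote["encryption_key"].lower()
            and local["authentication_key"].lower() == remote["authentication_key"].lower())


if __name__ == "__main__":
    local = generate_local_sa()
    print("local :", local)
    print("remote:", peer_sa(local))
    print("problems:", validate_sa(local) or "none")
```

Run validate_sa() on both sets before clicking OK on either firewall; a length or alphabet mistake in the keys is otherwise only visible as a tunnel that never passes traffic.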
|
1.
2. In the Authentication Method list in the General tab, select IKE using 3rd Party Certificates. The VPN Policy dialog displays the third-party certificate options in the IKE Authentication section.
3. Type a Name for the Security Association in the Name field.
4. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWALL in the IPsec Primary Gateway Name or Address field.
5. If you have a secondary remote SonicWALL, enter the IP address or Fully Qualified Domain Name (FQDN) in the IPsec Secondary Gateway Name or Address field.
6. Under IKE Authentication, select a third-party certificate from the Local Certificate drop-down menu. You must have imported local certificates before selecting this option.
7. Select one of the following Peer ID types from the Peer IKE ID Type drop-down menu:
• Email ID (UserFQDN) and Domain Name (FQDN) - The Email ID (UserFQDN) and Domain Name (FQDN) types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate contains a Subject Alternative Name, that value must be used. For site-to-site VPNs, wildcard characters (such as * for more than one character or ? for a single character) cannot be used.
NOTE: To find the certificate details (Subject Alternative Name, Distinguished Name, and so on), navigate to the System > Certificates page and click the Export button for the certificate.
• Distinguished Name (DN) - Based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. As with the Email ID and Domain Name above, the entire Distinguished Name field must be entered for site-to-site VPNs. Wildcard characters are not supported.
• IP Address (IPV4) - Based on the IPv4 IP address.
8.
9. Click the Network tab.
10. Under Local Networks, select one of these:
• If a specific local network can access the VPN tunnel, select a local network from the Choose local network from list drop-down menu.
• If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
11. Under Destination Networks, select one of these:
• If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic.
• Alternatively, select Choose Destination network from list, and select the address object or group.
12. Click the Proposals tab.
13. In the IKE (Phase 1) Proposal section, select the following settings:
• Select the desired DH Group from the DH Group menu:
  • 256-Bit Random ECP Group, 384-Bit Random ECP Group, 521-Bit Random ECP Group, 192-Bit Random ECP Group, or 224-Bit Random ECP Group
• Select the desired authentication method from the Authentication menu.
• Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
14. In the IPsec (Phase 2) Proposal section, select the following settings:
• Select the desired protocol from the Protocol menu.
• Select the desired authentication method from the Authentication menu.
• Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. Select Group 2 from the DH Group menu.
• Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
15. Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy:
• Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, Keepalives allow the tunnel to be renegotiated automatically once both sides become available again, without waiting for the proposed Life Time to expire.
• The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default, so that VPN traffic can traverse the appropriate zones.
• Select Disable IPsec Anti-Replay to disable anti-replay, a form of partial sequence integrity that detects the arrival of duplicate IP datagrams (within a constrained window).
• To require XAUTH authentication by users before traffic is allowed to traverse this tunnel, select Require authentication of VPN client by XAUTH, and select a user group from the User group for XAUTH menu to specify the allowed users.
• Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
• Select Enable Multicast to allow multicast traffic through the VPN tunnel.
• Select Permit Acceleration to enable redirection of traffic matching this policy to the WAN Acceleration (WXA) appliance.
• Select Apply NAT Policies if you want the firewall to translate the Local, Remote, or both networks communicating via this VPN tunnel. Two drop-down menus display:
  • To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
  • To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down menu.
NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
• Select Enable OCSP Checking to check VPN certificate status, and specify the URL at which to check certificate status. See Using OCSP with Dell SonicWALL Network Security Appliances.
• To manage the remote SonicWALL through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, SSH, HTTPS, or any combination of the three in User login via this SA to allow users to log in using the SA.
• If you want to use a router on the LAN for traffic entering this tunnel that is destined for an unknown subnet (for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic), enter the IP address of your router in the Default LAN Gateway (optional) field.
• Select an interface or zone from the VPN Policy bound to menu. A zone is the preferred selection if you are using WAN Load Balancing and you want to allow the VPN to use either WAN interface.
IMPORTANT: Two different WAN interfaces cannot be selected from the VPN Policy bound to drop-down menu if the VPN Gateway IP address is the same for both.
• Under IKEv2 Settings (visible only if you selected IKEv2 for Exchange on the Proposals tab), the Do not send trigger packet during IKE SA negotiation checkbox is cleared by default and should only be selected when required for interoperability.
The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers.
When the Accept Hash & URL Certificate Type option is selected, the firewall sends an HTTP_CERT_LOOKUP_SUPPORTED message to the peer device. If the peer device replies by sending a "Hash and URL of X.509 certificate" certificate payload, the firewall can authenticate and establish a tunnel between the two devices.
When the Send Hash & URL Certificate Type option is selected, the firewall, on receiving an HTTP_CERT_LOOKUP_SUPPORTED message, sends a "Hash and URL of X.509 certificate" certificate payload to the requestor.
16. Click OK.
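The Accept / Send Hash & URL Certificate Type exchange described under step 15 is easier to reason about with both messages in hand. The following is an added example, not SonicOS code: it encodes the HTTP_CERT_LOOKUP_SUPPORTED notification one side sends, the "Hash and URL of X.509 certificate" CERT payload the other side answers with, and the check the receiver has to make after fetching the certificate from the URL. Payload layouts and constants are taken from RFC 7296 (Notify type 16392, CERT encoding 12, SHA-1 of the DER certificate); the certificate bytes, URL and in-memory "repository" are constructed placeholders.

```python
"""IKEv2 Hash & URL certificate exchange, encoded and checked by hand.

Added example (not SonicOS code). Layouts and constants from RFC 7296:
Notify type HTTP_CERT_LOOKUP_SUPPORTED = 16392, CERT payload encoding 12 =
"Hash and URL of X.509 certificate", hash = SHA-1 of the DER certificate.
The certificate bytes, URL and repository below are constructed stand-ins.
"""
import hashlib
import struct

NEXT_PAYLOAD_NONE = 0                     # last payload in the message
NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED = 16392
CERT_ENCODING_HASH_AND_URL_X509 = 12
SHA1_LEN = 20


def _wrap_payload(body: bytes) -> bytes:
    """Generic IKEv2 payload header: next payload, critical/reserved, length (header included)."""
    return struct.pack("!BBH", NEXT_PAYLOAD_NONE, 0, 4 + len(body)) + body


def _unwrap_payload(payload: bytes) -> bytes:
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match payload size")
    return payload[4:]


def build_cert_lookup_supported() -> bytes:
    """Sent when Accept Hash & URL Certificate Type is selected.
    Notify payload: Protocol ID 0, SPI size 0, notify type, no notification data."""
    return _wrap_payload(struct.pack("!BBH", 0, 0, NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED))


def peer_accepts_hash_and_url(notify_payload: bytes) -> bool:
    """True if the received Notify is HTTP_CERT_LOOKUP_SUPPORTED."""
    body = _unwrap_payload(notify_payload)
    _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
    return spi_size == 0 and ntype == NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED


def build_hash_and_url_cert(cert_der: bytes, url: str) -> bytes:
    """Sent when Send Hash & URL Certificate Type is selected and the peer advertised
    support: encoding byte, 20-byte SHA-1 of the DER certificate, then the URL."""
    body = (bytes([CERT_ENCODING_HASH_AND_URL_X509])
            + hashlib.sha1(cert_der).digest()
            + url.encode("ascii"))
    return _wrap_payload(body)


def parse_hash_and_url_cert(cert_payload: bytes):
    """Split a Hash & URL CERT payload into (advertised_hash, url)."""
    body = _unwrap_payload(cert_payload)
    if body[0] != CERT_ENCODING_HASH_AND_URL_X509:
        raise ValueError("not a Hash and URL of X.509 certificate payload")
    return body[1:1 + SHA1_LEN], body[1 + SHA1_LEN:].decode("ascii")


def resolve_hash_and_url_cert(cert_payload: bytes, fetch):
    """Fetch the certificate from the URL and return it only if its SHA-1 equals the
    advertised hash; otherwise return None. The hash is what ties the fetched bytes
    to the IKE message, so skipping this check would let whoever controls the URL
    (or the path to it) substitute a certificate."""
    expected_hash, url = parse_hash_and_url_cert(cert_payload)
    cert_der = fetch(url)
    if cert_der is None or hashlib.sha1(cert_der).digest() != expected_hash:
        return None
    return cert_der


# Constructed stand-ins: not a real certificate, not a real repository.
DEMO_CERT_DER = b"\x30\x82-constructed-DER-placeholder-not-a-real-certificate"
DEMO_URL = "http://pki.example.invalid/fw-a.der"
DEMO_REPOSITORY = {DEMO_URL: DEMO_CERT_DER}


def demo_exchange(repository=DEMO_REPOSITORY):
    """Both sides: A advertises support, B answers with Hash & URL, A fetches and checks."""
    notify = build_cert_lookup_supported()                             # A -> B
    if not peer_accepts_hash_and_url(notify):
        return None
    cert_payload = build_hash_and_url_cert(DEMO_CERT_DER, DEMO_URL)    # B -> A
    return resolve_hash_and_url_cert(cert_payload, repository.get)     # A fetches, verifies


if __name__ == "__main__":
    print("verified certificate:", demo_exchange() == DEMO_CERT_DER)
```

The point of the model is the last step: the URL only saves bytes on the wire, and the 20-byte hash carried inside the authenticated IKE exchange is what makes the fetched certificate trustworthy. A peer that enables Accept Hash & URL but does not compare the hash would accept whatever the repository (or an on-path host) returns.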
|
Optionally, you can configure a static route to be used as a secondary route in case the VPN tunnel goes down. The Allow VPN path to take precedence option allows you to create a secondary route for a VPN tunnel. By default, static routes have a metric of one and take precedence over VPN traffic. The Allow VPN path to take precedence option instead gives VPN traffic precedence over the static route to the same destination address object. This results in the following behavior:
• When a VPN tunnel is active: static routes matching the destination address object of the VPN tunnel are automatically disabled if the Allow VPN path to take precedence option is enabled. All traffic is routed over the VPN tunnel to the destination address object.
1. Navigate to the Network > Routing page.
2.
3.
4.
5. Enable the Allow VPN path to take precedence checkbox.
6. Click OK.
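To make the precedence rules above concrete, here is an added example (not SonicOS code) that models path selection for one destination: static routes with the default metric of one, a VPN policy whose tunnel is up or down, and the Allow VPN path to take precedence checkbox. The networks, gateway and policy name are constructed sample values.

```python
"""Model of static route vs. VPN path selection (added example, not SonicOS code).

Behaviour modelled from the text: static routes (metric one) normally win over VPN
traffic; with Allow VPN path to take precedence enabled, a static route matching the
destination of an active tunnel is disabled and traffic goes over the VPN; when the
tunnel is down the static route is used again as the secondary path.
"""
from ipaddress import ip_address, ip_network


def select_path(dst: str, static_routes, vpn_policies, vpn_precedence: bool):
    """Return ("vpn", policy_name), ("static", gateway) or ("default", None).

    static_routes: list of (network, gateway) entries, all with metric one.
    vpn_policies:  list of (name, remote_network, tunnel_up) entries.
    vpn_precedence: state of the Allow VPN path to take precedence checkbox.
    """
    addr = ip_address(dst)
    active_vpn = [name for name, net, up in vpn_policies
                  if up and addr in ip_network(net)]
    matching_static = [(ip_network(net), gw) for net, gw in static_routes
                       if addr in ip_network(net)]

    # Static routes matching an active tunnel's destination are disabled only when
    # the option is on; otherwise their metric of one beats the VPN path.
    if vpn_precedence and active_vpn:
        return ("vpn", active_vpn[0])
    if matching_static:
        # Longest prefix match among the static routes that remain usable.
        _net, gw = max(matching_static, key=lambda r: r[0].prefixlen)
        return ("static", gw)
    if active_vpn:
        return ("vpn", active_vpn[0])
    return ("default", None)


# Constructed sample configuration: one branch subnet reachable over a tunnel,
# with a backup static route through a LAN router for when the tunnel is down.
STATIC_ROUTES = [("10.20.0.0/16", "192.0.2.254")]
VPN_TUNNEL_UP = [("Branch", "10.20.0.0/16", True)]
VPN_TUNNEL_DOWN = [("Branch", "10.20.0.0/16", False)]

if __name__ == "__main__":
    for label, policies, option in (("tunnel up, option on", VPN_TUNNEL_UP, True),
                                    ("tunnel up, option off", VPN_TUNNEL_UP, False),
                                    ("tunnel down, option on", VPN_TUNNEL_DOWN, True)):
        print(f"{label:24} -> {select_path('10.20.5.7', STATIC_ROUTES, policies, option)}")
```

The second case is the one to watch in a real deployment: with the checkbox cleared, the static route silently keeps winning even while the tunnel is up, so traffic you expect to be encrypted is sent to the LAN router instead.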
|
For more information on configuring static routes and Policy Based Routing, see Network > Routing.
For complete information on the SonicOS implementation of IPv6, see IPv6.
IPsec VPNs can be configured for IPv6 in a similar manner to IPv4 VPNs after selecting the IPv6 option in the View IP Version radio button at the top right of the VPN Policies section.
Certain VPN features are currently not supported for IPv6, and the IPv6 configuration differs from IPv4 as follows:
• When configuring an IPv6 VPN policy, on the General tab, the gateways must be configured using IPv6 addresses. FQDN is not supported. When configuring IKE authentication, IPv6 addresses can be used for the local and peer IKE IDs.
• On the Network tab of the VPN policy, IPv6 address objects (or address groups that contain only IPv6 address objects) must be selected for the Local Networks and Remote Networks.
• DHCP Over VPN is not supported, so the DHCP options for the protected network are not available.
• The Any address option for Local Networks and the Tunnel All option for Remote Networks are removed. An all-zero IPv6 Network address object can be selected for the same functionality and behavior.
• On the Proposals tab, the configuration is identical for IPv6 and IPv4, except that IPv6 only supports IKEv2 mode.
• The Advanced tab for IPv6 is similar to that of IPv4, with only the options shown in Table 85 being IP-version specific. Options are dimmed when not available for the selected IP version.
Table 85: IP-version-specific Advanced tab options
• Enable Keep Alive – Disabled when the VPN policy is configured:
• WXA Group drop-down menu
• Using Primary IP Address – default
• Preempt Secondary Gateway – Preempts the secondary gateway when the time specified in the Primary Gateway Detection Interval field is exceeded. This option is selected by default.