Policy Configuration : VPN SA Management Overview

Generic VPN Configuration in SonicOS Enhanced
To configure the additional options for VPNs in SonicOS Enhanced, complete the following steps:
1. Click the Network tab. Select which local networks are establishing VPN connections with the destination networks:
Choose local network from list—specifies an Address Object that contains one or more networks. For information on creating address objects, refer to the documentation that accompanied the SonicWALL appliance.
Local network obtains IP addresses using DHCP through this VPN Tunnel—indicates that the computers on the local network obtain their IP addresses from the destination network.
Any address—configures all networks to establish VPN connections with the specified destination networks.
2. Select the destination networks for the VPN connections:
Use this VPN Tunnel as default route for all Internet traffic—configures all networks on the destination network to use this VPN for all Internet traffic.
Destination network obtains IP addresses using DHCP through this VPN Tunnel—indicates that the computers on the destination network obtain their IP addresses from the local network.
Choose destination network from list—specifies an Address Object that contains one or more networks. For information on creating address objects, refer to the documentation that accompanied the SonicWALL appliance.
3. (Optional) Click the Proposals tab.
4. Configure the IKE (Phase 1) proposal settings:
Exchange—select the exchange mode from the Exchange list box. Aggressive Mode improves the performance of IKE SA negotiation by requiring only three packet exchanges, but it provides no identity protection. Otherwise, select Main Mode.
DH Group—specifies the Diffie-Hellman group to use when the VPN devices are negotiating encryption and authentication keys.
Encryption—specifies the type of encryption key to use when the VPN devices are negotiating encryption keys.
Authentication—specifies the type of authentication key to use when the VPN devices are negotiating authentication keys.
Life Time (seconds)—specifies how long a tunnel remains active before being renegotiated. We recommend a value of 28,800 seconds (eight hours).
5. Configure the IPsec (Phase 2) proposal settings:
Protocol—specifies the type of protocol to use for VPN communications (AH or ESP).
Encryption—specifies the type of encryption key to use for VPN traffic after the VPN devices have negotiated encryption keys.
Authentication—specifies the type of authentication key to use for VPN traffic after the VPN devices have negotiated authentication keys.
Enable Perfect Forward Secrecy—when selected, this option prevents repeated compromises of the same security key when reestablishing a tunnel.
DH Group—specifies the Diffie-Hellman group to use when the VPN devices negotiate new encryption and authentication keys for the tunnel.
Life Time (seconds)—specifies how long a tunnel remains active before being renegotiated. We recommend a value of 28,800 seconds (eight hours).
6. Click the Advanced tab.
7. Configure the following Advanced settings:
Enable Keep Alive—configures the VPN tunnel to remain open as long as there is network traffic on the SA.
Allow Advanced Routing—adds this Tunnel Interface to the list of interfaces in the Advanced Routing table on the Network > Routing page. Making this an optional setting avoids adding all Tunnel Interfaces to the Advanced Routing table, which helps streamline the routing configuration. (This option is supported for SonicOS versions 5.6 and higher.)
Enable Transport Mode—forces the IPsec negotiation to use Transport mode instead of Tunnel mode. This was introduced for compatibility with Nortel. When this option is enabled on the local firewall, it MUST be enabled on the remote firewall as well for the negotiation to succeed. (This option is supported for SonicOS versions 5.6 and higher.)
Enable Windows Networking (NetBIOS) Broadcast—enables NetBIOS broadcasts across the SA.
Enable Multicast—allows multicast traffic through the VPN tunnel.
Permit Acceleration—dedicates WXA clustered groups to a VPN and BPR policy.
Accept Multiple Proposals for Clients—enables the system to accept multiple proposals for clients. (This option is supported for SonicOS versions 6.1 and higher.)
Enable IKE Mode Configuration—enables you to configure the IKE Mode feature. (This option is supported for SonicOS versions 6.1 and higher.)
IP Pool for Clients—select an IP pool type from the drop-down menu.
Address Expiry Time—enter an expiration time (in seconds) for the address.
Apply NAT Policies—enables NAT for the selected networks.
Enable Phase2 Dead Peer Detection—select if you want inactive VPN tunnels to be dropped by the SonicWALL.
Dead Peer Detection Interval—enter the number of seconds between heartbeats. The default value is 60 seconds.
Failure Trigger Level (missed heartbeats)—enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL appliance. The SonicWALL appliance uses an encrypted UDP packet as the heartbeat.
Management via this SA—specifies which protocols can be used to manage the SonicWALL appliance through this SA. In addition to HTTP, HTTPS, and SNMP, you can enable the SSH management of the device through the IPsec tunnel. When SSH is selected in an IPsec Policy, an SSH session can be initiated to the device using the IPsec tunnel for the policy.
User login via this SA—specifies the protocols that users can use to log in to the SonicWALL appliance through this SA.
Default LAN Gateway—specifies the default gateway when routing all traffic through this tunnel (required for Enhanced-to-Standard configuration, optional for Enhanced-to-Enhanced).
Enable OCSP Checking—enables checking of the Online Certificate Status Protocol. (This option is supported for SonicOS versions 6.1 and higher.)
OCSP Responder URL—enter the URL for the Online Certificate Status Protocol responder.
VPN Policy bound to—specifies the zone or interface to which the VPN tunnel terminates.
Preempt Secondary Gateway—enables preemption of a secondary gateway to the primary gateway in the IPsec policy. If a secondary gateway is configured in the IPsec Policy, an IPsec tunnel is established with the secondary gateway when the primary gateway is unreachable. If this option is enabled in the policy, a periodic discovery is attempted for the primary gateway and, if it is discovered successfully, tunnels are switched back to the primary gateway from the secondary gateway.
Primary Gateway Detection Interval—specifies the time interval in seconds for the discovery of the primary IPsec gateway if it is unreachable. The minimum value is 120 and the maximum value is 28800.
Enable Windows Networking Broadcast—enables NetBIOS broadcasts across the SA.
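The proposal and Dead Peer Detection settings above are the ones a reviewer checks first on a new policy. As an added example (not SonicWALL or GMS code, and the field names are a constructed model of the GUI options rather than any SonicOS API), the following linter flags the choices the text warns about and works out how long a silent peer survives before DPD drops the tunnel:

```python
# Added example: review a VPN policy modelled on the Proposals and Advanced
# tabs described above. The VpnPolicy fields are a constructed model of the
# GUI options, not a SonicOS or GMS API.
from dataclasses import dataclass
from typing import List, Optional

RECOMMENDED_LIFETIME = 28800  # seconds (eight hours), as recommended in the text


@dataclass
class VpnPolicy:
    exchange: str                  # "Main Mode" or "Aggressive Mode"
    phase1_lifetime: int           # IKE (Phase 1) Life Time in seconds
    phase2_protocol: str           # "ESP" or "AH"
    perfect_forward_secrecy: bool  # Enable Perfect Forward Secrecy
    phase2_dh_group: Optional[int] # DH Group used for PFS rekeys
    phase2_lifetime: int           # IPsec (Phase 2) Life Time in seconds
    dpd_enabled: bool              # Enable Phase2 Dead Peer Detection
    dpd_interval: int = 60         # Dead Peer Detection Interval (default 60 s)
    dpd_trigger_level: int = 3     # Failure Trigger Level (default 3 heartbeats)


def dead_peer_detect_time(p: VpnPolicy) -> Optional[int]:
    """Seconds of silence before DPD drops the tunnel; None if DPD is off."""
    if not p.dpd_enabled:
        return None
    return p.dpd_interval * p.dpd_trigger_level


def review_policy(p: VpnPolicy) -> List[str]:
    """Return findings for settings the text flags as weaker or non-default."""
    findings = []
    if p.exchange == "Aggressive Mode":
        findings.append("Aggressive Mode: faster negotiation, no identity protection")
    if p.phase2_protocol == "AH":
        findings.append("AH: integrity only, tunnel traffic is not encrypted")
    if not p.perfect_forward_secrecy:
        findings.append("PFS disabled: a compromised key is reused when the tunnel is rebuilt")
    elif p.phase2_dh_group is None:
        findings.append("PFS enabled but no Phase 2 DH Group selected")
    for phase, lifetime in (("Phase 1", p.phase1_lifetime), ("Phase 2", p.phase2_lifetime)):
        if lifetime > RECOMMENDED_LIFETIME:
            findings.append(f"{phase} Life Time {lifetime}s exceeds recommended {RECOMMENDED_LIFETIME}s")
    if dead_peer_detect_time(p) is None:
        findings.append("DPD disabled: inactive tunnels are never torn down")
    return findings
```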
8. Click the Client tab (Group VPNs only).
9. Configure the following Client settings (supported for SonicOS versions 6.1 and higher):
Username and Password—select the settings for the username and password by clicking the drop-down menu and selecting Never, Single Session, or Always.
Virtual Adapter Settings—select the virtual adapter settings from the drop-down menu (None, DHCP Lease, DHCP Lease or Manual Configuration).
Allow Connections to—selects the allowed connections by Split Tunnels, This Gateway Only, or All Secure Gateways.
Select Default Route as this Gateway—select to set the default route as this gateway.
Apply VPN Access Control List—select to apply the VPN Access Control list.
Client Initial Provisioning—select to use the default key for simple client provisioning.
10. When you are finished, click OK. Dell SonicWALL GMS begins establishing VPN tunnels between all specified networks.