|
•
|
|
•
|
To obtain a certificate, refer to Generating a Certificate Signing Request . After you have obtained certificates for both devices, continue to configure the VPN.
|
1
|
|
2
|
Select Use Interconnected Mode.
|
|
3
|
Select IKE using 3rd Party Certificates.
|
|
5
|
Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this Dell SonicWALL GMS displays.
|
|
6
|
Select the SonicWALL appliance or group to which you will establish SAs and click Select. The name of the target displays in the Target SonicWALL Group/Node field.
|
|
7
|
Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
|
|
8
|
|
9
|
Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.
|
|
10
|
Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
|
|
11
|
Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
|
|
12
|
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through this destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped. |
|
13
|
To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).
|
|
14
|
To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
|
|
15
|
|
16
|
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
|
|
17
|
To enable wireless secure bridging, select Wireless Secure Bridging Mode.
|
|
18
|
To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.
|
|
19
|
To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to Configuring Routing in SonicOS Enhanced ). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices through the corporate office.
|
|
20
|
To force all network traffic to the WAN through a VPN to a central site, select Route all Internet traffic through destination unit. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
|
|
21
|
If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable “Destination network obtains IP addresses using DHCP through this SA” on Target.
|
|
•
|
To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA are able to access the LAN, but not the DMZ.
|
|
•
|
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA are able to access the OPT, but not the LAN.
|
|
•
|
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and network firewall rules are applied to all traffic on this SA.
|
|
•
|
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and all traffic originating from its peer appears to originate from a single IP address. Network firewall rules are applied to all traffic on this SA.
|
|
•
|
To authenticate local users both locally and on the destination network, select Source and Destination.
|
|
26
|
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
|
|
1
|
|
2
|
Deselect Use Interconnected Mode.
|
|
3
|
Select IKE using 3rd Party Certificates.
|
|
4
|
Select the appropriate option to add, delete or modify a security association.
|
|
5
|
Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.
|
|
6
|
Select the certificate to use from the Select Certificate list box.
|
|
7
|
Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and is the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches. Optionally, you can specify a IPSec Secondary Gateway Name or Address.
|
|
8
|
To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).
|
|
9
|
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped. |
|
10
|
To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
|
|
11
|
To enable wireless secure bridging, select Wireless Secure Bridging Mode.
|
|
12
|
To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.
|
|
13
|
To apply NAT and firewall rules to all traffic coming through this SA, select Apply NAT and firewall rules. This feature is useful for hiding the LAN subnet from the corporate site. All traffic appears to originate from a single IP address.
|
|
14
|
To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. This enables the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
|
|
15
|
|
16
|
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
|
|
17
|
To require local users to authenticate locally before accessing the SA, select Require authentication of local users.
|
|
18
|
To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select Require authentication of remote users.
|
|
19
|
Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
|
|
20
|
|
21
|
Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.
|
|
22
|
Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
|
|
23
|
Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
|
|
24
|
Select whether the peer device uses a distinguished name, email ID, or domain name as its certificate ID from the Peer Certificate’s ID list box.
|
|
25
|
Enter the peer device’s certificate ID in the Peer Certificate’s ID field.
|
|
•
|
To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
|
|
•
|
If the destination network receives its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.
|
|
•
|
To specify destination networks, select Specify destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.
|
|
27
|
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
|