1
2 Select Use Interconnected Mode.
3 Select Manual Key.
5 Click Select Destination. A dialog box listing all SonicWALL appliances managed by this Dell SonicWALL GMS is displayed.
6 Select the SonicWALL appliance or group to which you will establish SAs and click Select. The name of the target is displayed in the Target SonicWALL Group/Node field.
7 Select one of the encryption methods from the Encryption Method list box.
8 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
9 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
10 To enable NetBIOS broadcasts across the SA, select Enable Windows Networking (NetBIOS) Broadcast.
11 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices through the corporate office.
12 To force all network traffic to the WAN through a VPN to a central site, select Route all Internet traffic through destination unit. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
• To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA are able to access the LAN, but not the DMZ.
• To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA are able to access the OPT, but not the LAN.
• To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and network firewall rules are applied to all traffic on this SA.
• To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and all traffic originating from its peer appears to originate from a single IP address. Network firewall rules are applied to all traffic on this SA.
• To authenticate local users both locally and on the destination network, select Source and Destination.
17 When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1
2 Deselect Use Interconnected Mode.
3 Select Manual Key in the IPSec Keying mode section.
5 Enter a descriptive name for the SA in the Security Association Name field.
6 Enter the IP address of the remote firewall in the IPSec Gateway Address field. This address must be valid and is the public IP address if the remote LAN has NAT enabled.
7 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
8 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
9 To access remote resources within the Windows Network Neighborhood, select Enable Windows Networking (NetBIOS) Broadcast.
10 To apply NAT and firewall rules to all traffic coming through this SA, select Apply NAT and firewall rules. This feature is useful for hiding the LAN subnet from the corporate site. All traffic appears to originate from a single IP address.
11 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. This enables the SonicWALL appliance to receive VPN traffic, decrypt and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, be sure to enable this option for all SAs.
12 To require local users to authenticate locally before accessing the SA, select Require authentication of local users.
13 To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select Require authentication of remote users.
14 Select one of the encryption methods from the Encryption Method list box.
15 Enter the key used for encryption in the Encryption Key field. The DES and ARCFour Keys must be exactly 16 characters long and be composed of hexadecimal characters. Encryption keys less than 16 characters are not accepted; keys longer than 16 characters are truncated.
Valid hexadecimal characters are “0” to “9”, and “a” to “f” (such as 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
This key must match the encryption key of the remote VPN gateway or client. If encryption is not used, this field is ignored.
16 Enter the key used for authentication in the Authentication Key field. The authentication key must be exactly 32 characters long and be composed of hexadecimal characters. Authentication keys less than 32 characters will not be accepted; keys longer than 32 characters are truncated.
Valid hexadecimal characters are “0” to “9”, and “a” to “f” (such as 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef1234567890abcdef.”
This key must match the authentication key of the remote VPN gateway or client. If authentication is not used, this field is ignored.
17 In the Incoming SPI field, enter the Security Parameter Index (SPI) that the remote location sends to identify the Security Association used for the VPN tunnel.
The SPI may be up to eight characters long and must be composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9”, and “a” to “f” (such as 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).
The hexadecimal characters “0” to “ff” inclusive are reserved by the Internet Engineering Task Force (IETF) and are not allowed for use as an SPI. For example, a valid SPI would be “1234abcd.”
The SPI for an SA must be unique when compared to SPIs for other SAs. However, the Incoming SPI can be the same as the Outgoing SPI on the same SA.
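Added example (not part of the GMS documentation): a Python checker that applies the Manual Key field rules from steps 15 to 17 to a set of SA definitions before they are pushed, including the silent-truncation caveat for over-long keys and the SPI uniqueness rule. The dict field names and the two sample SAs are constructed for the example.

```python
import re
HEX_RE = re.compile(r"[0-9a-fA-F]+")
KEY_LEN = {"enc_key": 16, "auth_key": 32}  # DES/ARCFour key: 16 hex chars (8 bytes); auth key: 32 (16 bytes)
SPI_MAX_LEN, SPI_RESERVED_MAX = 8, 0xFF     # SPI: up to 8 hex chars; 0x0-0xff reserved by the IETF

def check_key(value: str, length: int) -> str:
    """Return the key as the appliance stores it: shorter keys are rejected, longer ones truncated."""
    if not HEX_RE.fullmatch(value):
        raise ValueError("must contain only hexadecimal characters 0-9, a-f")
    if len(value) < length:
        raise ValueError(f"shorter than {length} hex characters; not accepted")
    return value[:length].lower()

def check_spi(spi: str) -> int:
    """Return the SPI as an int, or raise ValueError if it breaks a documented rule."""
    if not HEX_RE.fullmatch(spi) or len(spi) > SPI_MAX_LEN:
        raise ValueError("must be 1-8 hexadecimal characters")
    n = int(spi, 16)
    if n <= SPI_RESERVED_MAX:
        raise ValueError("values 0x0-0xff are reserved and not allowed")
    return n

def audit_sas(sas: list) -> list:
    """Audit SA dicts (name, enc_key, auth_key, in_spi, out_spi); return a list of findings."""
    findings, spi_owner = [], {}
    for sa in sas:
        name = sa["name"]
        for field, length in KEY_LEN.items():
            try:
                check_key(sa[field], length)
                # Truncation is silent, so an over-long key usually means the peer holds a different key.
                if len(sa[field]) > length:
                    findings.append(f"{name}: {field} longer than {length} chars; will be truncated")
            except ValueError as e:
                findings.append(f"{name}: {field} {e}")
        values = set()
        for field in ("in_spi", "out_spi"):
            try:
                values.add(check_spi(sa[field]))
            except ValueError as e:
                findings.append(f"{name}: {field} {e}")
        # Incoming and outgoing SPI may match on one SA, but no SPI may be shared with another SA.
        for v in values:
            if spi_owner.setdefault(v, name) != name:
                findings.append(f"{name}: SPI {v:x} already used by SA {spi_owner[v]}")
    return findings

SAMPLE_SAS = [  # constructed sample: branch-b reuses branch-a's SPI, has an over-long key and a reserved outgoing SPI
    {"name": "branch-a", "enc_key": "1234567890abcdef", "auth_key": "1234567890abcdef1234567890abcdef", "in_spi": "1234abcd", "out_spi": "1234abcd"},
    {"name": "branch-b", "enc_key": "1234567890abcdef00", "auth_key": "1234567890abcdef1234567890abcdef", "in_spi": "1234abcd", "out_spi": "00ff"},
]
```

Running `audit_sas(SAMPLE_SAS)` reports three findings for branch-b and none for branch-a, whose equal incoming and outgoing SPIs are permitted on the same SA.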
18
• To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
• To specify destination networks, select Specify destination networks below. Then, click Modify and enter the destination network IP addresses and subnet masks.
20 When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.