Advanced VPN Settings

Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWall. Default is enabled.
Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The minimum is 3 seconds, the maximum is 120 seconds, and the default value is 60 seconds.
Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The minimum is 3 heartbeats, the maximum is 10, and the default value is 3.

If the trigger level is reached, the VPN connection is dropped by the SonicWall security appliance. The SonicWall security appliance uses a UDP packet protected by Phase 1 Encryption as the heartbeat.

Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want idle VPN connections to be dropped by the SonicWall security appliance after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The minimum time is 60 seconds, the maximum is 3600 seconds, and the default value is 600 seconds (10 minutes).
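The heartbeat and trigger-level behaviour described above, as an added illustration (not SonicWall code): a small Python model that validates the documented ranges and simulates when a tunnel is declared dead. The window semantics (a heartbeat counts as answered if a reply arrives before the next heartbeat) and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class DpdConfig:
    """Field ranges and defaults mirror the settings documented above."""
    interval_s: int = 60        # Dead Peer Detection Interval: 3..120 s
    trigger_level: int = 3      # Failure Trigger Level (missed heartbeats): 3..10
    idle_timeout_s: int = 600   # DPD interval for idle VPN sessions: 60..3600 s

    def validate(self) -> None:
        if not 3 <= self.interval_s <= 120:
            raise ValueError("Dead Peer Detection Interval must be 3..120 seconds")
        if not 3 <= self.trigger_level <= 10:
            raise ValueError("Failure Trigger Level must be 3..10 heartbeats")
        if not 60 <= self.idle_timeout_s <= 3600:
            raise ValueError("Idle DPD interval must be 60..3600 seconds")


def dpd_drop_time(cfg: DpdConfig, reply_times: Sequence[float],
                  horizon_s: float) -> Optional[float]:
    """Simulate heartbeats sent at t = 0, interval, 2*interval, ... below horizon_s.
    Assumed model: a heartbeat sent at t is answered if a peer reply lands in
    [t, t + interval). Consecutive misses are counted and reset on any answer.
    Returns the time the trigger level is reached (end of the last missed window),
    or None if the peer kept answering through the horizon."""
    cfg.validate()
    replies = sorted(reply_times)
    missed = 0
    t = 0.0
    while t < horizon_s:
        window_end = t + cfg.interval_s
        answered = any(t <= r < window_end for r in replies)
        missed = 0 if answered else missed + 1
        if missed >= cfg.trigger_level:
            return window_end
        t = window_end
    return None


def idle_expired(cfg: DpdConfig, last_traffic_s: float, now_s: float) -> bool:
    """Idle-session DPD: the tunnel is dropped once no traffic has been seen
    for the configured idle interval."""
    cfg.validate()
    return now_s - last_traffic_s >= cfg.idle_timeout_s
```

With the defaults (60 s interval, trigger level 3), a peer that stops answering is dropped 180 s after its last acknowledged heartbeat window.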
Enable Fragmented Packet Handling - If the VPN log report shows the log message, Fragmented IPsec packet dropped, select this feature. Do not select it until the VPN tunnel is established and in operation.
Ignore DF (Don't Fragment) Bit - Select this check box to ignore the DF (Don’t Fragment the packet) bit in the packet header. Some applications can explicitly set the Don’t Fragment option in a packet, which tells all security appliances to not fragment the packet. This option, when enabled, causes the SonicWall to ignore the option and fragment the packet regardless. If this option is not set, packets that exceed the PMTU and have the DF bit enabled are not forwarded. Instead, this message is returned to the sender: Fragmentation needed and do not fragment (DF) bit set.
Enable NAT Traversal - Select this setting if a NAT device is located between your VPN endpoints. IPsec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a dynamic NAT binding for the life of an IPsec session, a 1-byte UDP packet is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The “keepalive” is silently discarded by the IPsec peer.
Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address - When selected, this option breaks down SAs associated with old IP addresses and reconnects the SA to the peer. The default is enabled.
Preserve IKE Port for Pass-Through Connections - Preserves UDP 500/4500 source port and IP address information for pass-through VPN connections.
Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status. For more information, see Using OCSP with SonicWall Security Appliances.
Send VPN Tunnel Traps only when tunnel status changes - Reduces the number of VPN tunnel traps that are sent by only sending traps when the tunnel status changes.
Use RADIUS in <mode> mode for XAUTH (allows users to change expired passwords) - Select the MSCHAP version to use with RADIUS:
MSCHAP (default)

When using RADIUS to authenticate VPN client users, RADIUS is used in its MSCHAP (or MSCHAPv2) mode. The primary reason for choosing to do this is so VPN client users can make use of the MSCHAP feature to allow them to change expired passwords at login time.

Also, if this option is set and LDAP is selected as the Authentication method for login on the Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for VPN client users are done using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

DNS and WINS Server Settings for VPN Client - Configure the DNS and WINS server settings for clients (such as third-party VPN clients) through GroupVPN or Mobile IKEv2 client. Clicking the Configure button launches the Add VPN DNS and WINS Server dialog:

DNS Servers — Configure DNS servers:
Inherit DNS Settings Dynamically using SonicWall’s DNS settings — Selecting this option automatically populates the DNS and WINS settings with the settings in the Network > DNS page. This option is selected by default.
Specify Manually — If you do not want to use the SonicWall security appliance network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
WINS Servers — Configure a WINS server in the WINS Server 1 field. You can configure a second WINS server, also.