Configuring VPNs in SonicOS Standard
This section describes how to configure VPN version 1.0 for SonicOS Standard. To configure VPN for SonicOS Enhanced, refer to Configuring VPNs in SonicOS Enhanced.
SonicWALL GMS supports several methods for establishing and maintaining security associations (SAs). These include IKE using SonicWALL certificates, IKE using third-party certificates, and IKE using a pre-shared secret, each described in the following sections:
IKE Using SonicWALL Certificates
The following sections describe how to configure SAs for Internet Key Exchange (IKE) using SonicWALL certificates:
Note: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWALL certificates are the easiest certificate solution for establishing the identity of peer VPN devices and users.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network.
Note: Although SAs can be established with most IPSec-compliant devices, SonicWALL Certificates can only be used between SonicWALL appliances.
This section describes how to establish SAs between SonicWALL appliances that are managed by SonicWALL GMS and SonicWALL appliances that are not managed by SonicWALL GMS.
Note: Before establishing SAs using SonicWALL certificates, you must obtain a Public Key Infrastructure (PKI) administrator certificate and apply it to each SonicWALL appliance.
When All Appliances are Managed by SonicWALL GMS
To enable VPN using certificates, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Select the Use Interconnected Mode check box.
-
For the IPSec Keying Mode, Select IKE using SonicWALL Certificates.
-
Select from the following:
-
To add a new SA, select Add a new Security Association.
-
To delete an existing SA, select Delete an existing Security Association.
-
To edit an existing SA, select Modify an existing Security Association.
-
Click Select Destination.
A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.
-
Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.
-
Aggressive mode speeds up IKE Phase 1 by completing the exchange in three messages instead of the six used by main mode. However, it sends the peer identities in the clear, so it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
-
Select the Diffie-Hellman (DH) group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note: Group 1 uses a 768-bit Diffie-Hellman modulus, Group 2 a 1024-bit modulus, and Group 5 a 1536-bit modulus. Group 5 is the strongest of the three and should be preferred; 768-bit and 1024-bit groups are considered weak against well-resourced attackers.
-
Select the Diffie-Hellman group used to derive fresh keys when the Phase 2 (IPSec) SA is negotiated from the Phase 2 DH Group list box. This group is used only when Perfect Forward Secrecy is enabled for the SA.
-
Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
-
Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through this destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared to the static routes configured on the SonicWALL. Because a decrypted packet can carry any destination address, it is impractical to configure static routes for every possible destination. For packets received via an IPSec tunnel, the SonicWALL first looks up a route on the LAN. If no route is found, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
-
To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
-
To run a fresh Diffie-Hellman exchange each time the tunnel is rekeyed, so that compromise of one set of keys does not expose traffic protected by earlier or later keys, select the Enable Perfect Forward Secrecy check box.
-
To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
-
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
-
To disable this SA, select Disable This SA.
-
Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.
-
To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to the Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices via the corporate office.
Note: To create a “hub and spoke” network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
-
To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not selected and a destination does not match any SA, the packet is sent to the WAN unencrypted, outside the VPN.
Note: Only one SA can have this option enabled.
-
Select one the following VPN termination options:
-
To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA will be able to access the LAN, but not the OPT.
-
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
-
To allow users on the other side of the SA to access both the LAN and DMZ, select LAN/OPT.
-
Select from the following NAT and Firewall Rules:
-
To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
-
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.
-
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note: Applying firewall rules can dramatically affect services that run between the networks. Refer to Understanding the Network Access Rules Hierarchy.
-
Select how local users are authenticated:
-
To disable authentication for local users, select Disabled.
-
To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.
-
To configure local users to be authenticated on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.
-
To authenticate local users both locally and on the destination network, select Source and Destination.
-
Similarly, select how remote users are authenticated.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
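The procedure above leaves several choices to the administrator (exchange mode, DH groups, PFS, SA lifetime, and the cross-SA rules for Route all Internet traffic and Forward Packets to Remote VPNs). The following configuration lint is an added example written for this page, not SonicWALL GMS code: it assumes each SA has been exported into a Python dictionary whose keys (`exchange`, `phase1_dh_group`, `pfs`, `route_all_internet`, and so on) are this example's own naming, and it flags the settings the notes in this section warn about.

```python
# Added example: a configuration lint for the SA settings entered on the VPN
# Configure page. The dictionary keys, audit_sa() and audit_policy() are this
# example's own naming; SonicWALL GMS exposes no such API.

# Modulus sizes of the DH groups offered in the Phase 1/Phase 2 DH Group list boxes.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
RECOMMENDED_LIFETIME = 28_800  # seconds (8 hours), the value recommended above


def audit_sa(sa):
    """Return findings for one SA; an empty list means nothing to flag."""
    findings = []
    name = sa.get("name", "<unnamed>")
    if sa.get("exchange") == "Aggressive Mode":
        msg = f"{name}: aggressive mode sends peer identities in the clear"
        if sa.get("keying_mode") == "IKE using Pre-shared Secret":
            msg += " and exposes the pre-shared-secret hash to offline guessing"
        findings.append(msg)
    for field in ("phase1_dh_group", "phase2_dh_group"):
        group = sa.get(field)
        bits = DH_GROUP_BITS.get(group)
        if bits is None:
            findings.append(f"{name}: {field} {group!r} is not one of groups 1, 2 or 5")
        elif bits < DH_GROUP_BITS[5]:
            findings.append(f"{name}: {field} group {group} is only {bits}-bit; prefer group 5")
    if not sa.get("pfs"):
        findings.append(f"{name}: Perfect Forward Secrecy is off; rekeys do not run a fresh DH exchange")
    if sa.get("sa_lifetime", RECOMMENDED_LIFETIME) > RECOMMENDED_LIFETIME:
        findings.append(f"{name}: SA lifetime {sa['sa_lifetime']}s exceeds the recommended {RECOMMENDED_LIFETIME}s")
    return findings


def audit_policy(sas, require_full_tunnel=False):
    """Checks that span all SAs of one appliance, plus each SA's own findings."""
    findings = []
    for sa in sas:
        findings.extend(audit_sa(sa))
    default_routes = [sa["name"] for sa in sas if sa.get("route_all_internet")]
    if len(default_routes) > 1:
        findings.append("only one SA may have 'Route all Internet traffic' enabled: " + ", ".join(default_routes))
    if require_full_tunnel and not default_routes:
        findings.append("no SA routes all Internet traffic; unmatched destinations leave the WAN unencrypted")
    forwarding = [bool(sa.get("forward_to_remote_vpns")) for sa in sas]
    if any(forwarding) and not all(forwarding):
        findings.append("hub-and-spoke requires 'Forward Packets to Remote VPNs' on every SA, not just some")
    return findings


# Constructed sample SAs (not from any real deployment): one weak, one sound.
SAMPLE_SAS = [
    {"name": "branch-to-hq", "keying_mode": "IKE using Pre-shared Secret",
     "exchange": "Aggressive Mode", "phase1_dh_group": 2, "phase2_dh_group": 1,
     "pfs": False, "sa_lifetime": 86_400, "route_all_internet": True,
     "forward_to_remote_vpns": True},
    {"name": "branch-to-dc", "keying_mode": "IKE using SonicWALL Certificates",
     "exchange": "Main Mode", "phase1_dh_group": 5, "phase2_dh_group": 5,
     "pfs": True, "sa_lifetime": 28_800, "route_all_internet": False,
     "forward_to_remote_vpns": False},
]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_SAS):
        print("WARN", finding)
```

Run against the constructed sample, the first SA produces five findings and the pair produces a sixth for the half-configured hub-and-spoke; the `require_full_tunnel` switch is off by default because split tunnelling can be a deliberate design, but when it is on the lint reports the cleartext-to-WAN fallback described under Route all Internet traffic.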
When One Appliance Is Not Managed by SonicWALL GMS
Although SAs can be established with most IPSec-compliant devices, Certificates can only be used between SonicWALL appliances.
This section describes how to establish SonicWALL certificate-based SAs between SonicWALL appliances that are managed by SonicWALL GMS and SonicWALL appliances that are not managed by SonicWALL GMS.
To create SAs using certificates, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Deselect the Use Interconnected Mode check box.
-
Select IKE using SonicWALL Certificates.
-
Select the appropriate option to add, delete or modify a Security Association.
-
Enter the name of the remote firewall/VPN gateway in the Security Association Name field. If the remote device has a dynamic IP address, this name is used to identify the peer and must match exactly.
-
Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.
-
To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared to the static routes configured on the SonicWALL. Because a decrypted packet can carry any destination address, it is impractical to configure static routes for every possible destination. For packets received via an IPSec tunnel, the SonicWALL first looks up a route on the LAN. If no route is found, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
-
To disable this SA, select Disable This SA.
-
To run a fresh Diffie-Hellman exchange each time the tunnel is rekeyed, so that compromise of one set of keys does not expose traffic protected by earlier or later keys, select the Enable Perfect Forward Secrecy check box.
-
Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.
-
To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.
-
To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box.
This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
-
To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
-
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
-
To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
-
To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
-
Enter the serial number of the target SonicWALL appliance in the Peer SonicWALL Serial # field.
-
Aggressive mode speeds up IKE Phase 1 by completing the exchange in three messages instead of the six used by main mode. However, it sends the peer identities in the clear, so it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
-
Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note: Group 1 uses a 768-bit Diffie-Hellman modulus, Group 2 a 1024-bit modulus, and Group 5 a 1536-bit modulus. Group 5 is the strongest of the three and should be preferred; 768-bit and 1024-bit groups are considered weak against well-resourced attackers.
-
Select the Diffie-Hellman group used to derive fresh keys when the Phase 2 (IPSec) SA is negotiated from the Phase 2 DH Group list box. This group is used only when Perfect Forward Secrecy is enabled for the SA.
-
Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
-
Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
-
Specify the destination networks by selecting from the following:
-
To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
-
If the destination network will receive its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.
-
To specify destination networks, select Specify destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
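The destination-network options at the end of this procedure, together with the Default LAN Gateway and Forward Packets to Remote VPNs settings, determine whether a packet is tunnelled, routed, sent to the WAN in the clear, or dropped. The model below is an added example written for this page, not SonicOS code: the `SA` class and the `outbound`/`inbound` functions are this example's own naming, and the topology is constructed. It encodes the decision order the text describes so the cleartext-to-WAN fallback and the drop case can be exercised directly.

```python
# Added example: a model of the forwarding decisions described on this page
# (SA destination networks, "Use this SA as default route for all Internet
# traffic", Default LAN Gateway and Forward Packets to Remote VPNs). This is
# an illustration written for this page, not SonicOS code; the SA class and
# function names are this example's own.
import ipaddress


class SA:
    def __init__(self, name, networks=(), default_route=False, forward_to_remote_vpns=False):
        self.name = name
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.default_route = default_route                    # "Use this SA as default route..."
        self.forward_to_remote_vpns = forward_to_remote_vpns  # "Forward Packets to Remote VPNs"

    def covers(self, dst):
        return any(dst in net for net in self.networks)


def outbound(dst, sas):
    """Decide where a packet leaving the local LAN goes.

    Returns ("tunnel", sa_name) or ("cleartext-wan", None). The second case is
    the failure mode the page warns about: with no default-route SA, anything
    that matches no SA leaves the WAN unencrypted.
    """
    dst = ipaddress.ip_address(dst)
    for sa in sas:
        if sa.covers(dst):
            return ("tunnel", sa.name)
    for sa in sas:
        if sa.default_route:
            return ("tunnel", sa.name)
    return ("cleartext-wan", None)


def inbound(dst, arriving_sa, local_lan, sas, default_lan_gateway=None):
    """Decide what happens to a packet just decrypted from arriving_sa.

    Order follows the page: local LAN first, then another SA whose networks are
    in the routing table because Forward Packets to Remote VPNs is set on it,
    then the Default LAN Gateway, otherwise drop.
    """
    dst = ipaddress.ip_address(dst)
    if dst in ipaddress.ip_network(local_lan):
        return ("lan", None)
    for sa in sas:
        if sa is not arriving_sa and sa.forward_to_remote_vpns and sa.covers(dst):
            return ("tunnel", sa.name)
    if default_lan_gateway is not None:
        return ("default-lan-gateway", default_lan_gateway)
    return ("drop", None)


# Constructed topology (not a real deployment): a hub with two spokes.
HUB_LAN = "10.1.0.0/16"
SPOKE_A = SA("spoke-a", ["10.2.0.0/16"], forward_to_remote_vpns=True)
SPOKE_B = SA("spoke-b", ["10.3.0.0/16"], forward_to_remote_vpns=True)
HUB_SAS = [SPOKE_A, SPOKE_B]

# What spoke A sees: its only SA is the hub, which it uses as default route.
SPOKE_A_SAS = [SA("hq", [HUB_LAN], default_route=True)]
SPLIT_TUNNEL_SAS = [SA("hq", [HUB_LAN])]  # same SA without the default-route option

if __name__ == "__main__":
    print("spoke A -> Internet, full tunnel :", outbound("203.0.113.7", SPOKE_A_SAS))
    print("spoke A -> Internet, split tunnel:", outbound("203.0.113.7", SPLIT_TUNNEL_SAS))
    print("hub: spoke A -> spoke B          :", inbound("10.3.4.4", SPOKE_A, HUB_LAN, HUB_SAS, "10.1.0.1"))
    print("hub: spoke A -> Internet, no gw  :", inbound("203.0.113.7", SPOKE_A, HUB_LAN, HUB_SAS))
```

The last two calls show the pairing the page describes: a spoke that routes all Internet traffic through the hub only works if the hub has a Default LAN Gateway; without it the hub drops the spoke's Internet-bound packets after decrypting them.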
IKE Using Third-Party Certificates
Note: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWALL now supports third-party certificates in addition to the existing Authentication Service. The difference between third-party certificates and the SonicWALL Authentication Service is the ability to select the source of your CA certificate. Using Certificate Authority Certificates and Local Certificates is a more manual process than using the SonicWALL Authentication Service; therefore, experience with implementing Public Key Infrastructure (PKI) is necessary to understand the key components of digital certificates.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network.
SonicWALL uses X.509v3 certificates and version 2 certificate revocation lists (CRLv2). SonicWALL supports the following two vendors of Certificate Authority Certificates:
• VeriSign
• Entrust
Obtaining a Certificate
To obtain a certificate, refer to the Generating a Certificate Signing Request. After you have obtained certificates for both devices, continue to configure the VPN.
When All Appliances are Managed by SonicWALL GMS
Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWALL appliances managed by SonicWALL GMS, all selected appliances are automatically configured based on the settings that you entered.
To enable VPN using third-party certificates when both devices are managed by SonicWALL GMS, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Select the Use Interconnected Mode check box.
-
Select IKE using 3rd Party Certificates.
Note: SonicWALL GMS automatically creates a pre-shared key, SPI, encryption key, authentication key, or certificate information as applicable.
-
Select the appropriate option to add, delete, or modify a security association.
-
Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.
-
Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.
-
Aggressive mode speeds up IKE Phase 1 by completing the exchange in three messages instead of the six used by main mode. However, it sends the peer identities in the clear, so it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
-
Select the Diffie-Hellman (DH) group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note: Group 1 uses a 768-bit Diffie-Hellman modulus, Group 2 a 1024-bit modulus, and Group 5 a 1536-bit modulus. Group 5 is the strongest of the three and should be preferred; 768-bit and 1024-bit groups are considered weak against well-resourced attackers.
-
Select the Diffie-Hellman group used to derive fresh keys when the Phase 2 (IPSec) SA is negotiated from the Phase 2 DH Group list box. This group is used only when Perfect Forward Secrecy is enabled for the SA.
-
Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
-
Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through this destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared to the static routes configured on the SonicWALL. Because a decrypted packet can carry any destination address, it is impractical to configure static routes for every possible destination. For packets received via an IPSec tunnel, the SonicWALL first looks up a route on the LAN. If no route is found, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
-
To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
-
To run a fresh Diffie-Hellman exchange each time the tunnel is rekeyed, so that compromise of one set of keys does not expose traffic protected by earlier or later keys, select the Enable Perfect Forward Secrecy check box.
-
To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
-
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
-
To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
-
To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to the Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices via the corporate office.
Note: To create a “hub and spoke” network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
-
To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not selected and a destination does not match any SA, the packet is sent to the WAN unencrypted, outside the VPN.
Note: Only one SA can have this option enabled.
-
If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable "Destination network obtains IP addresses using DHCP through this SA" on Target.
-
Select one the following VPN termination options:
-
To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA will be able to access the LAN, but not the DMZ.
-
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
-
To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
-
Select from the following NAT and Firewall Rules:
-
To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
-
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.
-
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note: Applying firewall rules can dramatically affect services that run between the networks. Refer to Understanding the Network Access Rules Hierarchy.
-
Select how local users are authenticated:
-
To disable authentication for local users, select Disabled.
-
To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.
-
To configure local users to be authenticated on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.
-
To authenticate local users both locally and on the destination network, select Source and Destination.
-
Similarly, select how remote users are authenticated.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
When One Appliance Is Not Managed by SonicWALL GMS
This section describes how to configure VPN when the target appliance is not managed by SonicWALL GMS. To create SAs using third-party certificates, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Deselect the Use Interconnected Mode check box.
-
Select IKE using 3rd Party Certificates.
-
Select the appropriate option to add, delete or modify a security association.
-
Enter the name of the remote firewall/VPN gateway in the Security Association Name field. If the remote device has a dynamic IP address, this name is used to identify the peer and must match exactly.
-
Select the certificate to use from the Select Certificate list box.
-
Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches. Optionally, you can specify an IPSec Secondary Gateway Name or Address.
-
To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared to the static routes configured on the SonicWALL. Because a decrypted packet can carry any destination address, it is impractical to configure static routes for every possible destination. For packets received via an IPSec tunnel, the SonicWALL first looks up a route on the LAN. If no route is found, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
-
To run a fresh Diffie-Hellman exchange each time the tunnel is rekeyed, so that compromise of one set of keys does not expose traffic protected by earlier or later keys, select the Enable Perfect Forward Secrecy check box.
-
To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
-
To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.
-
To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box. This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
-
To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
-
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
-
To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
-
To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
-
Aggressive mode speeds up IKE Phase 1 by completing the exchange in three messages instead of the six used by main mode. However, it sends the peer identities in the clear, so it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
-
Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note: Group 1 uses a 768-bit Diffie-Hellman modulus, Group 2 a 1024-bit modulus, and Group 5 a 1536-bit modulus. Group 5 is the strongest of the three and should be preferred; 768-bit and 1024-bit groups are considered weak against well-resourced attackers.
-
Select the Diffie-Hellman group used to derive fresh keys when the Phase 2 (IPSec) SA is negotiated from the Phase 2 DH Group list box. This group is used only when Perfect Forward Secrecy is enabled for the SA.
-
Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
-
Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
-
Select whether the peer device uses a distinguished name, email ID, or domain name as its certificate ID from the Peer Certificate’s ID list box.
-
Enter the peer device’s certificate ID in the Peer Certificate’s ID field.
-
Select from the following:
-
To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
-
If the destination network will receive its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.
-
To specify destination networks, select Specify destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note: To disable this SA without deleting it, select the Disable this SA check box and click Update.
IKE Using Pre-Shared Secret
When using IKE with a pre-shared secret, two VPN devices establish encryption and authentication keys using a shared secret. After the SA expires, the SonicWALL appliances reestablish an SA using the same shared secret, but derive new encryption and authentication keys rather than reusing the old ones.
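The Exchange setting in the procedures below matters more with a pre-shared secret than with certificates. In aggressive mode the responder's authentication hash (HASH_R in RFC 2409) and its identity are sent in the clear, and every input to that hash except the secret is visible on the wire, so a captured exchange allows offline guessing of the secret. The following is an added example written for this page, not SonicWALL code: it applies the RFC 2409 SKEYID and HASH_R formulas with HMAC-SHA1 as the prf, and all nonces, DH public values, cookies and identities are constructed test values rather than a real capture.

```python
# Added example, not SonicWALL code: why aggressive mode with a pre-shared
# secret is weaker than main mode. It applies the RFC 2409 formulas for
# SKEYID and HASH_R with HMAC-SHA1 as the prf; all message fields below are
# constructed test values, not a captured exchange.
import hashlib
import hmac


def prf(key, data):
    """RFC 2409 prf: HMAC keyed with the negotiated hash function (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni_b, nr_b):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for pre-shared-key authentication."""
    return prf(psk, ni_b + nr_b)


def hash_r(psk, m):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).

    In aggressive mode the responder sends this in its second message, in the
    clear, alongside IDir. Every input except the pre-shared key is visible to
    anyone who captured the first two messages.
    """
    skeyid = skeyid_psk(psk, m["Ni_b"], m["Nr_b"])
    return prf(skeyid, m["gxr"] + m["gxi"] + m["CKY-R"] + m["CKY-I"] + m["SAi_b"] + m["IDir_b"])


def guess_psk(observed_hash_r, m, candidates):
    """Offline dictionary attack: re-derive HASH_R for each candidate secret."""
    for psk in candidates:
        if hmac.compare_digest(hash_r(psk, m), observed_hash_r):
            return psk
    return None


# Constructed values standing in for the fields an eavesdropper sees on the
# wire (nonces, DH public values, cookies, SA payload body, responder ID).
CAPTURED = {
    "Ni_b": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "Nr_b": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "gxi": bytes.fromhex("a1" * 128),
    "gxr": bytes.fromhex("b2" * 128),
    "CKY-I": bytes.fromhex("0102030405060708"),
    "CKY-R": bytes.fromhex("1112131415161718"),
    "SAi_b": bytes.fromhex("00000001000000010000002c"),
    "IDir_b": b"\x03\x00\x00\x00" + b"branch.example.net",  # ID_FQDN, sent unencrypted
}
REAL_PSK = b"sonicwall2004"                  # the responder's configured secret (constructed)
OBSERVED_HASH_R = hash_r(REAL_PSK, CAPTURED)  # what appears in message 2

# A small constructed word list; a real attack would use a much larger one.
WORDLIST = [b"password", b"vpnkey", b"sonicwall2004", b"letmein"]

if __name__ == "__main__":
    print("recovered:", guess_psk(OBSERVED_HASH_R, CAPTURED, WORDLIST))
```

In main mode the identity and hash payloads travel in messages 5 and 6, encrypted under the keys derived from the Diffie-Hellman exchange, so a passive observer has nothing to test candidate secrets against; with certificate authentication the hash is replaced by a signature that does not depend on a guessable secret at all. Where aggressive mode is unavoidable (typically a peer with a dynamic address), the secret must be long and random enough that a dictionary search is hopeless.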
When All Appliances are Managed by SonicWALL GMS
Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWALL appliances managed by SonicWALL GMS, all selected appliances are automatically configured based on the settings that you entered.
To configure an SA using IKE with pre-shared secrets, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Select the Use Interconnected Mode check box.
-
Select IKE using Pre-shared Secret.
-
Select the appropriate option to add, delete, or modify a security association.
-
Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.
-
Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.
-
Aggressive mode speeds up IKE Phase 1 by completing the exchange in three messages instead of the six used by main mode. However, it sends the peer identities in the clear, so it provides no identity protection, and with a pre-shared secret it also lets an eavesdropper who captures the exchange guess the secret offline. Use main mode unless the peer has a dynamic address that requires aggressive mode. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
-
Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note: Group 1 uses a 768-bit Diffie-Hellman modulus, Group 2 a 1024-bit modulus, and Group 5 a 1536-bit modulus. Group 5 is the strongest of the three and should be preferred; 768-bit and 1024-bit groups are considered weak against well-resourced attackers.
-
Select the Diffie-Hellman group used to derive fresh keys when the Phase 2 (IPSec) SA is negotiated from the Phase 2 DH Group list box. This group is used only when Perfect Forward Secrecy is enabled for the SA.
-
Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
-
Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site that has the Route all internet traffic through destination unit check box selected. The Default LAN Gateway field specifies the IP address of the default LAN route for incoming IPSec packets on this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared against the static routes configured on the SonicWALL. Because the packets can be addressed to any destination, it is not practical to configure static routes for all of them. For packets received through an IPSec tunnel, the SonicWALL first looks up a LAN route. If no route matches, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway, otherwise the packet is dropped.
-
To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).
-
To ensure that each renegotiated SA uses fresh keying material derived from a new Diffie-Hellman exchange, so that the compromise of one session key does not expose traffic from other sessions, select the Enable Perfect Forward Secrecy check box.
-
To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
-
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
-
To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
-
To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to the Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices via the corporate office.
Note: To create a “hub and spoke” network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
-
To force all network traffic to the WAN through a VPN to a central site, select the Route all internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
Note: Only one SA can have this option enabled.
-
If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable "Destination network obtains IP addresses using DHCP through this SA" on Target.
-
Select one of the following VPN termination options:
-
To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA will be able to access the LAN, but not the OPT.
-
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
-
To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
-
Select from the following NAT and Firewall Rules:
-
To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
-
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.
-
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note: Applying firewall rules can dramatically affect services that run between the networks. Refer to Understanding the Network Access Rules Hierarchy before enabling this option.
-
Select how local users are authenticated:
-
To disable authentication for local users, select Disabled.
-
To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.
-
To configure local users to be authenticated on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.
-
To authenticate local users both locally and on the destination network, select Source and Destination.
-
Similarly, select how remote users are authenticated.
-
Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note: To disable this SA, select the Disable this SA check box and click Update.
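The forwarding decisions described in the steps above (matching a destination to an SA, the Route all internet traffic through destination unit option on a spoke, Forward Packets to Remote VPNs for hub-and-spoke, and the static route / Default LAN Gateway / drop sequence for decrypted packets at the hub) can be checked against a small model. The following Python is an added example written for this page, not SonicWALL code: the SA definitions, networks, routes and packet destinations are constructed, and the class, function and field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SA:
    """Hypothetical model of one security association as configured above."""
    name: str
    destination_networks: list            # CIDR strings reachable through this tunnel
    default_route: bool = False           # "Route all internet traffic through destination unit"
    forward_to_remote_vpns: bool = False  # "Forward Packets to Remote VPNs"


def _longest_match(dst_ip, networks):
    """Return the most specific network containing dst_ip, or None."""
    best = None
    for net in networks:
        net = ipaddress.ip_network(net)
        if dst_ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def select_outbound_sa(dst, sas):
    """Spoke-side egress decision for a packet leaving the LAN.

    Returns the name of the SA the packet is encrypted into, or "CLEARTEXT"
    when no SA matches and no SA is the default route: that packet goes to
    the WAN unencrypted, which is the case the page warns about.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_sa, best_len = None, -1
    for sa in sas:
        net = _longest_match(dst_ip, sa.destination_networks)
        if net is not None and net.prefixlen > best_len:
            best_sa, best_len = sa, net.prefixlen
    if best_sa is not None:
        return best_sa.name
    defaults = [sa for sa in sas if sa.default_route]
    if len(defaults) > 1:
        raise ValueError("only one SA may route all Internet traffic")
    return defaults[0].name if defaults else "CLEARTEXT"


def route_decrypted_packet(dst, inbound_sa, sas, static_routes, default_lan_gateway=None):
    """Hub-side decision for a packet that just came out of inbound_sa.

    static_routes is a list of (network, next_hop) tuples. Returns a
    (action, target) pair: ("VPN", sa_name), ("ROUTE", next_hop),
    ("DEFAULT_LAN_GATEWAY", gateway) or ("DROP", None).
    """
    dst_ip = ipaddress.ip_address(dst)
    # 1. Hub-and-spoke: hand the packet to another tunnel only when both SAs
    #    have Forward Packets to Remote VPNs enabled.
    for sa in sas:
        if sa is inbound_sa:
            continue
        if _longest_match(dst_ip, sa.destination_networks) is not None:
            if inbound_sa.forward_to_remote_vpns and sa.forward_to_remote_vpns:
                return ("VPN", sa.name)
    # 2. Static routes for the LAN side.
    best = None
    for net, next_hop in static_routes:
        net = ipaddress.ip_network(net)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is not None:
        return ("ROUTE", best[1])
    # 3. Default LAN Gateway, otherwise drop.
    if default_lan_gateway:
        return ("DEFAULT_LAN_GATEWAY", default_lan_gateway)
    return ("DROP", None)


# Constructed topology: one spoke and a hub with two branch tunnels.
SPOKE_SAS = [
    SA("to-hq", ["10.0.0.0/16"], default_route=True),
    SA("to-partner", ["192.168.50.0/24"]),
]
BRANCH_A = SA("branch-a", ["10.1.0.0/16"], forward_to_remote_vpns=True)
BRANCH_B = SA("branch-b", ["10.2.0.0/16"], forward_to_remote_vpns=True)
HUB_SAS = [BRANCH_A, BRANCH_B]
HUB_ROUTES = [("10.0.0.0/16", "10.0.0.1"), ("172.16.0.0/24", "10.0.0.254")]

if __name__ == "__main__":
    for dst in ("10.0.5.9", "192.168.50.7", "8.8.8.8"):
        print(dst, "->", select_outbound_sa(dst, SPOKE_SAS))
    for dst in ("10.2.3.4", "172.16.0.10", "8.8.8.8"):
        print(dst, "->", route_decrypted_packet(dst, BRANCH_A, HUB_SAS, HUB_ROUTES, "10.0.0.1"))
```

Removing the default-route SA from the spoke list makes select_outbound_sa return "CLEARTEXT" for Internet destinations, and removing the Default LAN Gateway at the hub turns unmatched decrypted packets into drops; both are the conditions the notes above describe.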
When One Appliance Is Not Managed by SonicWALL GMS
This section describes how to configure VPN when the target appliance is not managed by SonicWALL GMS.
To enable VPN using IKE with a pre-shared secret, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Deselect the Use Interconnected Mode check box.
-
Select IKE using Pre-Shared Secret in the IPSec Keying mode section.
-
Select the appropriate option to add, delete, or modify a security association.
-
Enter the name of the remote firewall/VPN gateway in the Security Association Name field. If the remote device has a dynamic IP address, this name is used to identify it instead of its address and must exactly match the name configured on the remote device.
-
Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.
-
Enter the amount of time before the IKE SA is automatically renegotiated (120 to 2,499,999 seconds) in the SA Lifetime field.
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site that has the Route all Internet traffic through destination unit check box selected. The Default LAN Gateway field specifies the IP address of the default LAN route for incoming IPSec packets on this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared against the static routes configured on the SonicWALL. Because the packets can be addressed to any destination, it is not practical to configure static routes for all of them. For packets received through an IPSec tunnel, the SonicWALL first looks up a LAN route. If no route matches, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway, otherwise the packet is dropped.
-
To ensure that each renegotiated SA uses fresh keying material derived from a new Diffie-Hellman exchange, so that the compromise of one session key does not expose traffic from other sessions, select the Enable Perfect Forward Secrecy check box.
-
To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
-
To access remote resources within the Windows Network Neighborhood, select the Enable Windows Networking (NetBIOS) Broadcast check box.
-
To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box.
This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
-
To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.
-
To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.
-
To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
-
To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
-
Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
Note: Only SonicWALL VPN clients can authenticate to a RADIUS server. If Require authentication of remote users is selected, users tunneling from another VPN gateway will not be able to complete the VPN tunnel.
-
Enter the shared secret in the Shared Secret field. The shared secret is the only credential that authenticates the peer gateway, so use a long, randomly generated value that is unique to this SA and deliver it to the remote administrator out of band. A short or guessable secret can be recovered offline from a captured negotiation, particularly when Aggressive Mode is used.
-
Aggressive Mode shortens IKE Phase 1 negotiation to three messages instead of the six used by Main Mode, but it provides no identity protection: the peer identities, nonces and the authentication hash are sent in the clear. With a pre-shared secret this lets anyone who captures the exchange test guesses for the secret offline, so Main Mode is the safer choice whenever both gateways have static addresses. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
-
Select the Diffie-Hellman group used for the Phase 1 (IKE) key exchange from the Phase 1 DH Group list box.
Note: Group 1 uses a 768-bit modulus, Group 2 a 1024-bit modulus, and Group 5 a 1536-bit modulus. Group 5 is the strongest of the three. The 768-bit and 1024-bit groups are no longer considered adequate against a well-resourced attacker, so select Group 5 unless the peer does not support it.
-
Select the Diffie-Hellman group used to derive the Phase 2 (IPSec) keys from the Phase 2 DH Group list box. A Phase 2 Diffie-Hellman exchange takes place only when Perfect Forward Secrecy is enabled for the SA; choose a group at least as strong as the Phase 1 group.
-
Select the encryption and authentication algorithms that protect the Phase 1 (IKE) negotiation from the Phase 1 Encryption/Authentication list box.
-
Select the encryption and authentication algorithms that protect traffic on the IPSec SAs from the Phase 2 Encryption/Authentication list box. Both selections must match the peer's configuration or negotiation fails; prefer the strongest combination the peer supports.
-
Select from the following:
-
To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
-
If the destination network will receive its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.
-
To specify destination networks, select Specify destination networks below. Then, click Add Network and enter the destination network IP addresses and subnet masks.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
-
Create an SA in the remote VPN device for each SonicWALL appliance that you have configured.
Note: To disable this SA without deleting it, select the Disable this SA check box and click Update.
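The caveat in the Exchange step above (and in the same step of the managed-appliance procedure) is concrete: in IKEv1 Aggressive Mode the responder's HASH_R travels unencrypted in the second message, together with every input needed to recompute it except the pre-shared secret, so a captured exchange can be tested offline against a wordlist. The following Python is an added example for this page, not SonicWALL code and not a capture from a SonicWALL appliance: every packet field is constructed, the prf is assumed to be HMAC-SHA1, and the function, dictionary and wordlist names are this example's own. It recomputes HASH_R as defined in RFC 2409 and shows a weak secret falling to a small dictionary while a randomly generated one does not.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for what an eavesdropper sees in an IKEv1 Aggressive
# Mode exchange: cookies, nonces, DH public values, the initiator's SA payload
# body and the responder's identity payload body. None come from a real device.
OBSERVED = {
    "cky_i": bytes.fromhex("0123456789abcdef"),   # initiator cookie
    "cky_r": bytes.fromhex("fedcba9876543210"),   # responder cookie
    "ni": bytes.fromhex("11" * 16),               # initiator nonce
    "nr": bytes.fromhex("22" * 16),               # responder nonce
    "gxi": bytes.fromhex("33" * 128),             # initiator DH public value (group 2 size)
    "gxr": bytes.fromhex("44" * 128),             # responder DH public value
    "sai_b": bytes.fromhex(
        "000000010000000100000028010100010000002001010000"
        "800100058002000280030001800400028​00b0001800c7080".replace("\u200b", "")
    ),                                            # constructed SA payload body
    "idir_b": bytes([0x02, 0, 0, 0]) + b"hq.example.com",  # ID payload: FQDN type
}

# A tiny constructed wordlist; real attacks use millions of entries.
WORDLIST = ["password", "sonicwall", "vpn2024", "Branch-Office-1", "letmein"]


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk: bytes, x: dict) -> bytes:
    """RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, x["ni"], x["nr"])
    msg = x["gxr"] + x["gxi"] + x["cky_r"] + x["cky_i"] + x["sai_b"] + x["idir_b"]
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def crack_psk(observed_hash_r: bytes, x: dict, wordlist):
    """Offline dictionary attack: return the candidate that reproduces HASH_R, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate.encode(), x), observed_hash_r):
            return candidate
    return None


def generate_psk(nbytes: int = 32) -> str:
    """A secret of the kind to enter in the Shared Secret field: 256 random bits as hex."""
    return secrets.token_hex(nbytes)


def demo():
    """Returns (recovered weak secret, result against a strong secret)."""
    weak = "Branch-Office-1"
    captured = hash_r(weak.encode(), OBSERVED)        # what message 2 carries in the clear
    recovered = crack_psk(captured, OBSERVED, WORDLIST)
    strong = generate_psk()
    captured_strong = hash_r(strong.encode(), OBSERVED)
    return recovered, crack_psk(captured_strong, OBSERVED, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

Main Mode carries the same hashes only after they are encrypted under the Phase 1 keys, which is why the advice above to prefer Main Mode with a pre-shared secret matters; the strong secret is not found because the dictionary is tiny, and a 256-bit random value is out of reach of exhaustive search in any case.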
Manual Keying
Manual keying involves exchanging the encryption and authentication keys and SPIs in advance, out of band. Although this is the simplest method of establishing an SA between two VPN devices, the SA always uses the same keys: there is no rekeying and no forward secrecy, so if the keys are compromised by an outside party, all traffic on the tunnel remains exposed until the keys are changed on both devices. Use manual keying only where IKE is not available.
When All Appliances are Managed by SonicWALL GMS
Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWALL appliances managed by SonicWALL GMS, all selected appliances are automatically configured based on the settings that you entered.
To enable VPN using manual keying, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Select the Use Interconnected Mode check box.
-
Select Manual Key.
-
Select the appropriate option to add, delete, or modify a security association.
-
Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.
-
Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.
-
Select one of the encryption methods from the Encryption Method list box.
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site that has the Route all Internet traffic through destination unit check box selected. The Default LAN Gateway field specifies the IP address of the default LAN route for incoming IPSec packets on this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared against the static routes configured on the SonicWALL. Because the packets can be addressed to any destination, it is not practical to configure static routes for all of them. For packets received through an IPSec tunnel, the SonicWALL first looks up a LAN route. If no route matches, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway, otherwise the packet is dropped.
-
To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
-
To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking (NetBIOS) Broadcast check box.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to the Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices via the corporate office.
Note: To create a “hub and spoke” network, make sure to select the Forward Packets to Remote VPNs check box for each SA.
-
To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box.
When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
-
Select one of the following VPN termination options:
-
To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA will be able to access the LAN, but not the OPT or DMZ.
-
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.
-
To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
-
Select from the following NAT and Firewall Rules:
-
To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
-
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.
-
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.
Note: Applying firewall rules can dramatically affect services that run between the networks. Refer to Understanding the Network Access Rules Hierarchy before enabling this option.
-
Select how local users are authenticated:
-
To disable authentication for local users, select Disabled.
-
To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.
-
To configure local users to be authenticated on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.
-
To authenticate local users both locally and on the destination network, select Source and Destination.
-
Similarly, select how remote users are authenticated.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
When One Appliance Is Not Managed by SonicWALL GMS
This section describes how to configure VPN when the target appliance is not managed by SonicWALL GMS.
To enable VPN using manual keying, perform the following steps:
-
Expand the VPN tree and click Configure. The VPN Configure page displays.
-
Deselect the Use Interconnected Mode check box.
-
Select Manual Key in the IPSec Keying mode section.
-
Select the appropriate option to add, delete or modify a security association.
-
Enter a descriptive name for the SA in the Security Association Name field.
-
Enter the IP address of the remote firewall in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled.
-
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site that has the Route all Internet traffic through destination unit check box selected. The Default LAN Gateway field specifies the IP address of the default LAN route for incoming IPSec packets on this SA.
Incoming packets are decrypted by the SonicWALL and their destinations compared against the static routes configured on the SonicWALL. Because the packets can be addressed to any destination, it is not practical to configure static routes for all of them. For packets received through an IPSec tunnel, the SonicWALL first looks up a LAN route. If no route matches, it checks for a Default LAN Gateway; if one is configured, the packet is routed through that gateway, otherwise the packet is dropped.
-
To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
-
To access remote resources within the Windows Network Neighborhood, select the Enable Windows Networking (NetBIOS) Broadcast check box.
-
To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box.
This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.
-
To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.
This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
-
To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.
-
To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.
-
Select one of the encryption methods from the Encryption Method list box.
-
Enter the key used for encryption in the Encryption Key field. The DES and ARCFour keys must be exactly 16 hexadecimal characters (64 bits). Keys shorter than 16 characters are rejected; keys longer than 16 characters are silently truncated to the first 16, so an over-long key is still accepted and the effective key is only its prefix. Generate the key from a cryptographically secure random source and never reuse a documented example or a memorable pattern: with manual keying this one value protects every byte on the tunnel for as long as the SA exists. Note also that DES (56-bit effective strength) and ARCFour are obsolete ciphers; prefer an IKE-based SA with stronger algorithms where the peer supports it.
Note: Valid hexadecimal characters are “0” to “9” and “a” to “f” (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, “1234567890abcdef” is a syntactically valid key, but because it is printed here it must not be used as a real one.
This key must match the encryption key of the remote VPN gateway or client. If encryption is not used, this field is ignored.
-
Enter the key used for authentication in the Authentication Key field. The authentication key must be exactly 32 hexadecimal characters (128 bits). Keys shorter than 32 characters are rejected; keys longer than 32 characters are silently truncated to the first 32. Generate it from a cryptographically secure random source, independently of the encryption key.
Note: Valid hexadecimal characters are “0” to “9” and “a” to “f” (i.e., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, “1234567890abcdef1234567890abcdef” is a syntactically valid key, but because it is printed here it must not be used as a real one.
This key must match the authentication key of the remote VPN gateway or client. If authentication is not used, this field is ignored.
-
Enter the Security Parameter Index (SPI) that the remote location will send to identify the Security Association used for the VPN tunnel in the Incoming SPI field.
Note: The SPI may be up to eight hexadecimal characters long (“0” to “9” and “a” to “f”). SPI values from “0” to “ff” inclusive (0 through 255) are reserved by the Internet Engineering Task Force (IETF) and cannot be used. For example, a valid SPI would be “1234abcd”.
Note: The SPI for an SA must be unique when compared to the SPIs of other SAs. However, the Incoming SPI can be the same as the Outgoing SPI on the same SA.
-
Enter the Security Parameter Index (SPI) that the local SonicWALL VPN will transmit to identify the Security Association used for the VPN Tunnel in the Outgoing SPI field.
-
Select from the following:
-
To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
-
To specify destination networks, select Specify destination networks below. Then, click Modify and enter the destination network IP addresses and subnet masks.
-
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
-
Create an SA in the remote VPN device for each SonicWALL appliance that you have configured.
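The constraints on the Encryption Key, Authentication Key, Incoming SPI and Outgoing SPI fields above are easy to get subtly wrong, and the silent truncation of over-long keys means a mistake is not reported by the appliance. The following Python is an added example for this page, not SonicWALL code: it generates a complete set of manual-keying values from the operating system's CSPRNG and checks a set of values against the rules stated on this page. The constants and function names are this example's own, and the check for the page's printed example keys is this example's addition.

```python
import re
import secrets

# Field constraints as stated on this page.
ENC_KEY_HEX_CHARS = 16   # DES / ARCFour key: 16 hex characters (64 bits)
AUTH_KEY_HEX_CHARS = 32  # authentication key: 32 hex characters (128 bits)
SPI_MAX_HEX_CHARS = 8
SPI_RESERVED_MAX = 0xFF  # SPI values 0 to ff are reserved by the IETF
HEX_RE = re.compile(r"^[0-9a-f]+$")
# The page's own example keys; anything printed in documentation is not a secret.
DOC_EXAMPLE_KEYS = {"1234567890abcdef", "1234567890abcdef1234567890abcdef"}


def generate_key(hex_chars):
    """Random key from the OS CSPRNG, exactly hex_chars lowercase hex digits."""
    return secrets.token_hex(hex_chars // 2)


def generate_spi(in_use):
    """Random 32-bit SPI outside the reserved range and not already in use."""
    while True:
        spi = secrets.randbits(32)
        if spi > SPI_RESERVED_MAX and spi not in in_use:
            return f"{spi:08x}"


def check_key(label, value, expected_len):
    problems = []
    if not HEX_RE.match(value):
        problems.append(f"{label}: only lowercase hexadecimal characters 0-9, a-f are valid")
    if len(value) < expected_len:
        problems.append(f"{label}: {len(value)} characters, must be exactly {expected_len}")
    elif len(value) > expected_len:
        # The appliance silently truncates; the effective key is the prefix.
        problems.append(f"{label}: {len(value)} characters, the appliance will truncate it to {value[:expected_len]!r}")
    if value[:expected_len] in DOC_EXAMPLE_KEYS:
        problems.append(f"{label}: this is the documentation example, not a secret")
    return problems


def check_spi(label, value, other_sa_spis):
    problems = []
    if not HEX_RE.match(value) or len(value) > SPI_MAX_HEX_CHARS:
        problems.append(f"{label}: must be 1 to {SPI_MAX_HEX_CHARS} lowercase hexadecimal characters")
        return problems
    spi = int(value, 16)
    if spi <= SPI_RESERVED_MAX:
        problems.append(f"{label}: {value} is in the IETF reserved range 0 to ff")
    if spi in other_sa_spis:
        problems.append(f"{label}: {value} is already used by another SA")
    return problems


def validate_manual_sa(enc_key, auth_key, spi_in, spi_out, other_sa_spis=()):
    """Return a list of problems with one manual SA's keying material (empty if acceptable)."""
    others = {int(s, 16) for s in other_sa_spis}
    problems = check_key("Encryption Key", enc_key, ENC_KEY_HEX_CHARS)
    problems += check_key("Authentication Key", auth_key, AUTH_KEY_HEX_CHARS)
    problems += check_spi("Incoming SPI", spi_in, others)
    # The incoming and outgoing SPI may be equal on the same SA, so they are
    # checked only against other SAs, not against each other.
    problems += check_spi("Outgoing SPI", spi_out, others)
    return problems


def new_manual_sa(other_sa_spis=()):
    """Generate a complete, valid set of values to enter on both gateways."""
    used = {int(s, 16) for s in other_sa_spis}
    spi_in = generate_spi(used)
    used.add(int(spi_in, 16))
    spi_out = generate_spi(used)
    return {
        "enc_key": generate_key(ENC_KEY_HEX_CHARS),
        "auth_key": generate_key(AUTH_KEY_HEX_CHARS),
        "spi_in": spi_in,
        "spi_out": spi_out,
    }


if __name__ == "__main__":
    # The page's example values: syntactically valid, but public.
    for p in validate_manual_sa("1234567890abcdef", "1234567890abcdef1234567890abcdef", "1234abcd", "1234abcd"):
        print("problem:", p)
    print(new_manual_sa(other_sa_spis=("1234abcd",)))
```

Run the validator on what is about to be entered on both gateways; the truncation message is the one to watch for, since a key that is too long is accepted by the appliance and the remote administrator will otherwise be handed a value that no longer matches.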