Policies_VPN_Settings_Snwls

Configuring VPN Settings

To configure VPN settings, perform the following steps:

  1. Expand the VPN tree and click Settings. The VPN Settings page displays.
  2. Under Global IPSec Settings, select the Enable VPN check box.
  3. To disable all NetBIOS broadcasts, select the Disable all VPN Windows Networking (NetBIOS) broadcast check box.
  4. To improve interoperability with other VPN gateways and applications that use a large data packet size, select the Enable Fragmented Packet Handling check box. Packet fragmentation overburdens a network router by forcing it to resend data packets, which slows network traffic between the networks.
  5. The Enable Fragmented Packet Handling option configures the SonicWALL appliance to listen to the intermediate router and, if necessary, send Internet Control Message Protocol (ICMP) messages to the router to decrease the size of the data packets. Enabling this option is recommended if the VPN tunnel logs contain many “Fragmented IPSec packets dropped” messages.

  6. To ignore Don’t Fragment (DF) bits from routers connected to the SonicWALL appliance, select the Ignore DF Bit check box.
  7. NAT Traversal is an Internet Engineering Task Force (IETF) draft standard that wraps an IPsec packet into a UDP/IP header, allowing NAT devices to change IP addresses without affecting the integrity of the IPsec packet. To enable NAT traversal, select the Enable NAT Traversal check box.
  8. Specify how often the SonicWALL appliance issues a Keepalive in the Keep alive time field.
  9. To enable detection of a dead peer, select the Enable IKE Dead peer detection check box. Then specify how often the SonicWALL appliance attempts to detect a peer in the Dead peer detection Interval field, and specify the number of failed attempts that must occur before the VPN tunnel is closed in the Failure Trigger Level field.
  10. Select Enable Dead Peer Detection for Idle vpn sessions if you want idle VPN connections to be dropped by the SonicWALL security appliance after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field.
  11. Select VPN Single Armed mode to use single armed mode, allowing the appliance to act as a stand-alone VPN gateway, using the WAN port as the VPN tunnel termination point.
  12. Select Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address to tear down the SAs associated with the old IP address and reconnect to the peer gateway.
  13. Select Preserve IKE Port for Pass-Through Connections to preserve UDP 500/4500 source port and IP address information for pass-through VPN connections.
  14. Select Enable OCSP Checking and enter the OCSP Responder URL to use Online Certificate Status Protocol (OCSP) to check VPN certificate status; the URL specifies where certificate status is checked.
  15. Select Send vpn tunnel traps only when tunnel status changes to send tunnel traps when the tunnel status changes. By default, the firewall sends traps for VPN up/down status. To minimize email alerts based on VPN traps, check this box.
  16. Select Use RADIUS in, and then select either MSCHAP or MSCHAPv2 mode for XAUTH, to allow VPN client users to change expired passwords at login time.
  17. Under IKEv2 Settings, select Send IKEv2 Cookie Notify to send cookies to IKEv2 peers as an authentication tool.
  18. Use the IKEv2 Dynamic Client Proposal settings to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method. Appliances running SonicOS Enhanced 4.0 and higher can now be configured with the following IKE Proposal settings:
  19. If a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis.

    Note: The VPN policy on the remote gateway must also be configured with the same settings.

  20. When you are finished, click Update. To clear all screen settings and start over, click Reset.
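The fragmentation options in steps 4 through 6 exist because ESP tunnel-mode encapsulation adds bytes to every packet, so a full-size inner packet no longer fits the path MTU once it is wrapped. The following Python model, added to this page as an illustration and not SonicOS code, computes that overhead for a given ESP transform (with or without the extra UDP header that NAT Traversal adds) and shows what a gateway does with an oversized packet depending on the DF bit and on whether Fragmented Packet Handling or Ignore DF Bit is enabled. The transform sizes and header lengths are the standard protocol values; the decision logic is a simplified model of path-MTU handling, not a description of the appliance's internal behaviour.

```python
"""
Model of IPsec ESP tunnel-mode overhead and the fragmentation decisions it forces.
Added illustration for this page; simplified, not SonicOS code.
"""
from dataclasses import dataclass

OUTER_IPV4_HEADER = 20   # new outer IP header added in tunnel mode
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
UDP_NAT_T_HEADER = 8     # UDP header added when NAT Traversal encapsulates ESP (RFC 3948)
ESP_TRAILER = 2          # pad length (1) + next header (1), encrypted with the payload


@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int      # IV sent in the clear before the ciphertext
    block_size: int  # ciphertext length must be a multiple of this (ESP needs >= 4-byte alignment)
    icv_len: int     # integrity check value appended after the ciphertext


# Two common transforms with their standard IV, block and ICV sizes.
AES_CBC_HMAC_SHA1 = EspTransform("AES-CBC + HMAC-SHA1-96", iv_len=16, block_size=16, icv_len=12)
AES_GCM_128 = EspTransform("AES-GCM-128 (16-byte ICV)", iv_len=8, block_size=4, icv_len=16)


def esp_tunnel_size(inner_len: int, transform: EspTransform, nat_t: bool = False) -> int:
    """Wire size of an inner packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    plaintext = inner_len + ESP_TRAILER
    padding = (-plaintext) % transform.block_size
    encrypted = plaintext + padding
    outer = OUTER_IPV4_HEADER + ESP_HEADER + transform.iv_len + encrypted + transform.icv_len
    if nat_t:
        outer += UDP_NAT_T_HEADER
    return outer


def max_inner_len(mtu: int, transform: EspTransform, nat_t: bool = False) -> int:
    """Largest inner packet that still fits the MTU after encapsulation (what PMTUD would advertise)."""
    inner = mtu
    while inner > 0 and esp_tunnel_size(inner, transform, nat_t) > mtu:
        inner -= 1
    return inner


def handle_inner_packet(inner_len, df_set, mtu, transform, nat_t=False,
                        fragmented_packet_handling=True, ignore_df_bit=False):
    """
    Decide what the gateway does with one inner packet. Returns (action, detail):
      forward          - the encapsulated packet fits the MTU (detail = outer size)
      fragment         - DF is clear, or Ignore DF Bit is on: fragment the outer packet
      icmp-frag-needed - DF is set and Fragmented Packet Handling is on: drop the packet and
                         report the largest inner size that would fit (detail = that size)
      drop             - DF is set and neither option is on: the oversized packet is dropped
    """
    outer = esp_tunnel_size(inner_len, transform, nat_t)
    if outer <= mtu:
        return "forward", outer
    if df_set and not ignore_df_bit:
        if fragmented_packet_handling:
            return "icmp-frag-needed", max_inner_len(mtu, transform, nat_t)
        return "drop", outer
    return "fragment", outer


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: 1500-byte inner packet becomes {esp_tunnel_size(1500, AES_CBC_HMAC_SHA1, nat_t)} bytes; "
              f"largest inner packet that fits a 1500 MTU is {max_inner_len(1500, AES_CBC_HMAC_SHA1, nat_t)}")
    print(handle_inner_packet(1500, True, 1500, AES_CBC_HMAC_SHA1))
    print(handle_inner_packet(1500, True, 1500, AES_CBC_HMAC_SHA1, ignore_df_bit=True))
```

With AES-CBC/HMAC-SHA1 and a 1500-byte path MTU, the model gives 1438 bytes as the largest inner packet that fits, and 1422 once NAT Traversal adds its UDP header; a 1500-byte inner packet becomes 1560 bytes on the wire. Those are the numbers to keep in mind when reading "Fragmented IPSec packets dropped" entries in the tunnel log or when clamping TCP MSS on either side of the tunnel.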
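Once NAT Traversal (step 7) is enabled, IKE, ESP and the keepalives from step 8 all share UDP port 4500, and RFC 3948 defines how a receiver tells them apart: a one-byte 0xFF payload is a NAT-keepalive, a payload starting with a four-byte zero "non-ESP marker" carries an IKE message, and anything else is ESP whose first four bytes are the SPI (SPI 0 is reserved, so the marker cannot collide with real ESP). The classifier below is an added example for this page, not SonicOS or any library's code; it is useful when triaging a capture of tunnel traffic to see which kind of message is flowing. The SPI values and IKE body in the sample packets are constructed.

```python
"""
Classify NAT-T (UDP/4500) payloads per RFC 3948 and decode the IKE or ESP header.
Added example for this page; not SonicOS code. Sample packets are constructed.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes every IKE message on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that holds the NAT mapping open

# IKE exchange types (IKEv1 values from RFC 2408/2409, IKEv2 values from RFC 7296).
IKE_EXCHANGE_TYPES = {
    2: "Identity Protection (IKEv1 Main Mode)",
    4: "Aggressive (IKEv1)",
    5: "Informational (IKEv1)",
    32: "Quick Mode (IKEv1)",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
    36: "CREATE_CHILD_SA (IKEv2)",
    37: "INFORMATIONAL (IKEv2)",
}
IKE_HEADER_LEN = 28   # SPIi(8) SPIr(8) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)
ESP_HEADER_LEN = 8    # SPI(4) sequence(4)


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return a dict describing what kind of NAT-T payload this is and its header fields."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "ike", "error": "truncated IKE header"}
        spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = struct.unpack(
            "!8s8sBBBBII", ike[:IKE_HEADER_LEN])
        return {
            "kind": "ike",
            "ike_version": f"{version >> 4}.{version & 0x0F}",
            "exchange": IKE_EXCHANGE_TYPES.get(exchange, f"unknown({exchange})"),
            "initiator_spi": spi_i.hex(),
            "responder_spi": spi_r.hex(),
            "flags": flags,
            "message_id": msg_id,
            "declared_length": length,
            "length_ok": length == len(ike),   # mismatch is worth logging: malformed or truncated
        }
    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "esp", "error": "truncated ESP header"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "sequence": seq}


def build_ike_sa_init_sample() -> bytes:
    """Constructed sample: NAT-T encapsulated IKEv2 IKE_SA_INIT request with a dummy body."""
    body = b"\x00" * 16   # stands in for the SA/KE/Nonce payloads
    header = struct.pack("!8s8sBBBBII",
                         bytes.fromhex("0123456789abcdef"),  # initiator SPI (constructed)
                         bytes(8),                           # responder SPI is zero in the first message
                         33,                                 # next payload: SA
                         0x20,                               # version 2.0
                         34,                                 # exchange: IKE_SA_INIT
                         0x08,                               # flags: Initiator
                         0,                                  # message ID
                         IKE_HEADER_LEN + len(body))
    return NON_ESP_MARKER + header + body


def build_esp_sample() -> bytes:
    """Constructed sample: ESP packet with SPI 0x12345678, sequence 42 and opaque ciphertext."""
    return struct.pack("!II", 0x12345678, 42) + b"\xaa" * 40


if __name__ == "__main__":
    for pkt in (NAT_KEEPALIVE, build_ike_sa_init_sample(), build_esp_sample()):
        print(classify_nat_t_payload(pkt))
```

Counting the `kind` values over a capture quickly shows whether a tunnel that refuses to pass traffic is still negotiating (only IKE), is up but silent (only keepalives), or is carrying data (ESP with advancing sequence numbers).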
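Steps 9 and 10 expose the two knobs of IKE Dead Peer Detection: how often the appliance probes a silent peer, and how many unanswered probes it tolerates before tearing the tunnel down. The simulation below is an added illustration for this page, not SonicOS code; it models DPD in the spirit of RFC 3706 (probe only when the peer has been silent for an interval, treat any received packet as proof of life) in one-second ticks, with a constructed peer that stops answering at a chosen time. It shows how the interval and the Failure Trigger Level together determine how long a dead peer goes unnoticed.

```python
"""
Simulation of IKE Dead Peer Detection with a probe interval and a failure trigger level.
Added illustration for this page; not SonicOS code. Time is in 1-second ticks and a
probe is answered instantly if the peer is still alive.
"""


def simulate_dpd(interval, failure_trigger, peer_traffic_times, peer_alive_until, duration):
    """
    interval           - seconds of silence before a DPD probe is sent, and spacing between probes
    failure_trigger    - consecutive unanswered probes before the tunnel is declared dead
    peer_traffic_times - ticks at which the peer sends ordinary tunnel traffic (constructed input);
                         any received packet is proof of life and resets the failure count
    peer_alive_until   - last tick at which the peer can still send or answer anything
    duration           - how many ticks to simulate
    Returns (tick at which the tunnel is torn down, or None; list of (tick, answered) probes).
    """
    last_evidence = 0   # last tick with traffic or a probe reply from the peer
    last_probe = 0
    failures = 0
    probes = []
    for now in range(1, duration + 1):
        if now in peer_traffic_times and now <= peer_alive_until:
            last_evidence = now      # live traffic: no probe needed, failures forgotten
            failures = 0
            continue
        if now - max(last_evidence, last_probe) < interval:
            continue                 # not idle long enough to probe
        last_probe = now
        answered = now <= peer_alive_until
        probes.append((now, answered))
        if answered:
            last_evidence = now
            failures = 0
        else:
            failures += 1
            if failures >= failure_trigger:
                return now, probes   # Failure Trigger Level reached: tear the tunnel down
    return None, probes


if __name__ == "__main__":
    # Constructed scenario: peer sends traffic at t=30 and t=90, then goes dead after t=100.
    dead_at, probes = simulate_dpd(interval=60, failure_trigger=3,
                                   peer_traffic_times={30, 90}, peer_alive_until=100, duration=400)
    print(f"tunnel torn down at t={dead_at}; probes: {probes}")
    alive, probes = simulate_dpd(60, 3, {30, 90}, peer_alive_until=1000, duration=400)
    print(f"healthy peer: torn down at {alive}; {len(probes)} probes all answered")
```

In the constructed scenario the peer dies at t=100 but the tunnel is only torn down at t=270: an idle interval passes before the first probe, and then three probes go unanswered. In general the worst-case detection delay is roughly the interval multiplied by the Failure Trigger Level, so a short interval with a higher trigger level detects outages faster without reacting to a single lost packet.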