Wizards

Wizards_VPN

Wizards > VPN Wizard

The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN policy. You can use the SonicWALL Management Interface for optional advanced configuration options.

Using the VPN Policy Wizard

In the top right corner of the VPN > Settings page, click on VPN Policy Wizard.
Click Next.
In the VPN Policy Type page, select WAN GroupVPN and click Next.
In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy:

Default Key: If you choose the default key, all your Global VPN Clients will automatically use the default key generated by the SonicWALL to authenticate with the SonicWALL.
Use this Key: If you choose a custom preshared key, you must distribute the key to every VPN Client because the user is prompted for this key when connecting to the SonicWALL.

Note If you select Use this Key, and leave the default key as the value, you must still distribute the key to your VPN clients.

Click Next.
In the IKE Security Settings page, you select the security settings for IKE Phase 2 negotiations and for the VPN tunnel. You can use the defaults settings.

DH Group: The Diffie-Hellman (DH) group are the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. You can choose Group 1, Group 2, or Group 5. The VPN Uses this during IKE negotiation to create the key pair.
Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and the and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose. DES, 3DES, AES-128, or AES-256. The VPN uses this for all data through the tunnel.
Authentication: This is the hashing method used to authenticate the key, once it is exchanged during IKE negotiation. You can choose MD5 or SHA-1.
Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).

Warning The SonicWALL Global VPN Client version 1.x is not capable of AES encryption, so if you chose this method, only SonicWALL Global VPN Client versions 2.x and higher will be able to connect.

Click Next.
In the User Authentication page, select if you want the VPN Users to be required to authenticate with the firewall when they connect. If you select Enable User Authentication, you must select the user group which contains the VPN users. For this example, leave Enable User Authentication unchecked.

Note If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page.

Click Next.
In the Configure Virtual IP Adapter page, select whether you want to use the SonicWALL’s internal DHCP server to assign each VPN client IP address from the LAN zone’s IP range. Therefore, when a user connects, it appears that the user is inside the LAN. Check the Use Virtual IP Adapter box and click Next.
The Configuration Summary page details the settings that will be pushed to the SonicWALL when you apply the configuration. Click Accept to create your GroupVPN.

Connecting the Global VPN Clients

Remote SonicWALL Global VPN Clients install the Global VPN Client software. Once the application is installed, they use a connection wizard to setup their VPN connection. To configure the VPN connection, the client must have the following information:

A public IP address (or domain name) of the WAN port for your SonicWALL
The shared secret if you selected a custom preshared secret in the VPN Wizard.
The authentication username and password.

Configuring a Site-to-Site VPN using the VPN Wizard

You use the VPN Policy Wizard to create the site-to-site VPN policy.

Using the VPN Wizard to Configure Preshared Secret

On the System > Status page, click on Wizards.
In the Welcome to the SonicWALL Configuration Wizard page select VPN Wizard and click Next.
In the VPN Policy Type page, select Site-to-Site and click Next.
In the Create Site-to-Site Policy page, enter the following information:

Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office.
Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWALL generated Preshared Key.
I know my Remote Peer IP Address (or FQDN): If you check this option, this SonicWALL can initiate the contact with the named remote peer.

If you do not check this option, the peer must initiate contact to create a VPN tunnel. This device will use aggressive mode for IKE negotiation.

For this example, leave the option unchecked.

Remote Peer IP Address (or FQDN): If you checked the option above, enter the IP address or Fully Qualified Domain Name (FQDN) of the remote peer (For example, boston.yourcompany.com).

Click Next.
In the Network Selection page, select the local and destination resources this VPN will be connecting:

Local Networks: Select the local network resources protected by this SonicWALL that you are connecting with this VPN. You can select any address object or group on the device, including networks, subnets, individual servers, and interface IP addresses.

If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets.

Destination Networks: Select the network resources on the destination end of the VPN Tunnel. If the object or group does not exist, select Create new Address Object or Create new Address Group. For example:

Select Create new Address Group.
In the Name field, enter “LAN Group”.
In the list on the left, select LAN Subnets and click the -> button.
Click OK to create the group and return to the Network Selection page.
In the Destination Networks field, select the newly created group.
Click Next.
In the IKE Security Settings page, select the security settings for IKE Phase 2 negotiations and for the VPN tunnel. You can use the default settings.

DH Group: The Diffie-Hellman (DH) group are the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. You can choose Group 1, Group 2, or Group 5. The VPN Uses this during IKE negotiation to create the key pair.
Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and the and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose. DES, 3DES, AES-128, or AES-256. The VPN uses this for all data through the tunnel
Authentication: This is the hashing method used to authenticate the key, once it is exchanged during IKE negotiation. You can choose MD5 or SHA-1.
Life Time (seconds): This is the length of time the VPN tunnel stays open before needing to re-authenticate. The default is eight hours (28800).

The Configuration Summary page details the settings that will be pushed to the security appliance when you apply the configuration.
Click Accept to create the VPN.