IKE Using SonicWALL Certificates

Policy Configuration : VPN SA Management Overview

IKE Using SonicWALL Certificates

The following sections describe how to configure SAs for Internet Key Exchange (IKE) using SonicWALL certificates:

•

When All Appliances are Managed by Dell SonicWALL GMS

•

When One Appliance Is Not Managed by Dell SonicWALL GMS

NOTE: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.

A digital certificate is an electronic means to verify identity by using a trusted third-party known as a Certificate Authority (CA). SonicWALL certificates are the easiest certificate solution for establishing the identity of peer VPN devices and users.

Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network.

NOTE: Although SAs can be established with most IPSec-compliant devices, SonicWALL Certificates can only be used between SonicWALL appliances.

This section describes how to establish SAs between SonicWALL appliances that are managed by Dell SonicWALL GMS and SonicWALL appliances that are not managed by Dell SonicWALL GMS.

NOTE: Before establishing SAs using SonicWALL certificates, you must obtain a Public Key Infrastructure (PKI) administrator certificate and apply it to each SonicWALL appliance.

When All Appliances are Managed by Dell SonicWALL GMS

To enable VPN using certificates, complete the following steps:

1

Expand the VPN tree and click Configure. The VPN Configure page displays.

2

Select Use Interconnected Mode.

3

For the IPSec Keying Mode, Select IKE using SonicWALL Certificates.

4

Select from the following:

•

To add a new SA, select Add a new Security Association.

•

To delete an existing SA, select Delete an existing Security Association.

•

To edit an existing SA, select Modify an existing Security Association.

5

Click Select Destination.
A dialog box that contains all SonicWALL appliances managed by this Dell SonicWALL GMS displays.

6

Select the SonicWALL appliance or group to which you will establish SAs and click Select. The name of the target displays in the Target SonicWALL Group/Node field.

7

Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

8

Select the Diffie-Hellman (DH) group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.

NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.

9

Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.

10

Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.

11

Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.

12

To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through this destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA.

Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

13

To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).

14

To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.

15

To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.

16

To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.

17

To disable this SA, select Disable This SA.

18

Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.

19

To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.

20

To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs.

Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to Configuring Routing in SonicOS Enhanced ). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices through the corporate office.

NOTE: To create a “hub and spoke” network, make sure to select Forward Packets to Remote VPNs for each SA.

21

To force all network traffic to the WAN through a VPN to a central site, select Route all Internet traffic through destination unit. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.

NOTE: Only one SA can have this option enabled.

22

Select one the following VPN termination options:

•

To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA are able to access the LAN, but not the OPT.

•

To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA are able to access the OPT, but not the LAN.

•

To allow users on the other side of the SA to access both the LAN and DMZ, select LAN/OPT.

23

Select from the following NAT and Firewall Rules:

•

To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.

•

To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and network firewall rules are applied to all traffic on this SA.

•

To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and all traffic originating from its peer appears to originate from a single IP address. Network firewall rules are applied to all traffic on this SA.

NOTE: Applying firewall rules can dramatically affect services that run between the networks. For more information, refer to Understanding the Network Access Rules Hierarchy .

24

Select how local users are authenticated:

•

To disable authentication for local users, select Disabled.

•

To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.

•

To configure local users to be authenticated on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.

•

To authenticate local users both locally and on the destination network, select Source and Destination.

25

Similarly, select how remote users are authenticated.

26

When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

When One Appliance Is Not Managed by Dell SonicWALL GMS

Although SAs can be established with most IPSec-compliant devices, certificates can only be used between SonicWALL appliances.

This section describes how to establish SonicWALL certificate-based SAs between SonicWALL appliances that are managed by Dell SonicWALL GMS and SonicWALL appliances that are not managed by Dell SonicWALL GMS.

To create SAs using certificates, complete the following steps:

1

Expand the VPN tree and click Configure. The VPN Configure page displays.

2

Deselect Use Interconnected Mode.

3

Select IKE using SonicWALL Certificates.

4

Select the appropriate option to add, delete or modify a Security Association.

5

Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.

6

Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.

7

To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).

8

To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.

Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

9

To disable this SA, select Disable This SA.

10

To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.

11

Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.

12

To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.

13

To apply NAT and firewall rules to all traffic coming through this SA, select Apply NAT and firewall rules. This feature is useful for hiding the LAN subnet from the corporate site. All traffic appears to originate from a single IP address.

14

To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. This enables the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.

15

To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.

16

To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.

17

To require local users to authenticate locally before accessing the SA, select Require authentication of local users.

18

To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select Require authentication of remote users.

19

Enter the serial number of the target SonicWALL appliance in the Peer SonicWALL Serial # field.

20

Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

21

Select the Diffie-Hellman group that is used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.

NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.

22

Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.

23

Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.

24

Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.

25

Specify the destination networks by selecting from the following:

•

To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.

•

If the destination network receives its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.

•

To specify destination networks, select Specify destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.

26

When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.