SONICWALL SonicOS 7.1 IPSec VPN User Guide
- June 15, 2024
- SONICWALL
Table of Contents
- SONICWALL SonicOS 7.1 IPSec VPN
- Product Information
- About SonicOS
- SonicOS Workflow
- Guide Conventions
- Product Usage Instructions
- VPN Auto Provisioning
- About SonicOS
- Guide Conventions
- VPN Security
- View IP Version
- Left-arrow icon
- General VPN Configuration
- ADVANCED SETTINGS: OPTION AVAILABILITY
- Advanced Settings
- CLIENT CONNECTIONS
- Default Gateway
- Option Apply NAT Policies
SONICWALL SonicOS 7.1 IPSec VPN
Product Information
Specifications:
- Product Name: SonicOS 7.1 IPSec VPN
- Version: 7.1
- Supported VPN Types: IPsec VPN, DHCP over VPN, L2TP with IPsec, SSL VPN
- Supported Security Protocols: IKEv1, IKEv2
- Supported Cryptography: Suite B Cryptography
About SonicOS
SonicOS is a powerful operating system that enables the administration and configuration of the SonicWall Network Security Appliances. It provides a comprehensive set of features and tools to manage and secure your network.
Working with SonicOS
Working with SonicOS involves performing various tasks related to network
configuration, security policies, and VPN management. The administration
interface provides an intuitive workflow to guide you through these tasks.
SonicOS Workflow
The SonicOS workflow is designed to simplify the configuration process and ensure that all necessary steps are followed. It consists of the following steps:
- Planning Site to Site Configurations
- General VPN Configuration
- Configuring Settings on the General Tab
- Configuring Settings on the Network Tab
- Configuring Settings on the Proposals Tab
- Configuring Settings on the Advanced Tab
- Managing GroupVPN Policies
- Configuring IKE Using a Preshared Secret Key
- Configuring IKE Using 3rd Party Certificates
- Downloading a GroupVPN Client Policy
- Creating Site to Site VPN Policies
- Configuring with a Preshared Secret Key
- Configuring with a Manual Key
- Configuring with a Third-Party Certificate
- Configuring the Remote SonicWall Network Security Appliance
- Configuring VPN Failover to a Static Route
- VPN Auto Provisioning
- Configuring a VPN AP Server
- Configuring VPN AP Server Settings on General
- Configuring VPN AP Server Settings on Network
- Configuring Advanced Settings on Proposals
- Configuring Advanced Settings on Advanced
- Configuring a VPN AP Client
- Adding a Tunnel Interface
- Creating a Static Route for the Tunnel Interface
- Configuring Advanced VPN Settings
- Configuring IKEv2 Settings
- Using OCSP with SonicWall Network Security Appliances
- Loading Certificates to Use with OCSP
- Using OCSP with VPN Policies
- DHCP over VPN
- Configuring the Central Gateway for DHCP Over VPN
- Configuring DHCP over VPN Remote Gateway
- Current DHCP over VPN Leases
- L2TP Servers and VPN Client Access
- Configuring the L2TP Server
- Viewing Currently Active L2TP Sessions
- Configuring Microsoft Windows L2TP VPN Client Access
- Configuring Google Android L2TP VPN Client Access
- AWS VPN
- Creating a New VPN Connection
- Reviewing the VPN Connection
- Configuration on the Firewall
- Configuration on Amazon Web Services
- Route Propagation
- Deleting VPN Connections
How to Use the SonicOS Administration Guides
The SonicOS Administration Guides provide detailed instructions on how to
configure and manage SonicOS. To use the guides effectively, follow these
steps:
- Identify the specific topic or feature you want to configure.
- Refer to the corresponding section in the Administration Guide.
- Follow the step-by-step instructions provided in the guide.
- If needed, refer to the Guide Conventions section for clarification on terminology and formatting used in the guides.
Guide Conventions
The SonicOS Administration Guides use the following conventions:
- Text in italics represents user input or variable values.
- Text in bold represents interface elements, such as buttons or menu options.
- Text in monospace font represents command-line instructions or code snippets.
Product Usage Instructions
Site to Site VPN Configuration
To configure a site-to-site VPN connection using SonicOS, follow these
steps:
Step 1: Planning Site to Site Configurations
- Identify the remote SonicWall Network Security Appliance and its network settings.
- Determine the VPN settings, including encryption algorithms and authentication methods.
Step 2: General VPN Configuration
- Access the SonicOS administration interface.
- Navigate to the VPN section and select “Site to Site”.
- Click on the “Add” button to create a new site-to-site VPN policy.
Step 3: Configuring Settings on the General Tab
- Enter a name for the VPN policy.
- Select the local network and remote network.
- Choose the VPN type (IPsec, L2TP, or SSL).
Step 4: Configuring Settings on the Network Tab
- Specify the local and remote IP addresses.
- Configure the IKE Phase 1 and Phase 2 settings.
Step 5: Configuring Settings on the Proposals Tab
- Select the encryption and authentication algorithms.
- Set the Diffie-Hellman Group and lifetime values.
Step 6: Configuring Settings on the Advanced Tab
- Enable or disable advanced features like Perfect Forward Secrecy (PFS) or Dead Peer Detection (DPD).
- Configure any additional advanced settings as required.
Step 7: Managing GroupVPN Policies
- If using GroupVPN, configure the GroupVPN policies.
- Choose the appropriate authentication method and configure the required settings.
Step 8: Configuring IKE Using a Preshared Secret Key
If using a preshared secret key for IKE authentication, configure the key
value.
Step 9: Configuring IKE Using 3rd Party Certificates
If using 3rd party certificates for IKE authentication, configure the
certificate settings.
Step 10: Downloading a GroupVPN Client Policy
If using GroupVPN, download the client policy for distribution to VPN clients.
Step 11: Creating Site to Site VPN Policies
Create additional site-to-site VPN policies as needed.
VPN Auto Provisioning
To configure VPN auto provisioning using SonicOS, follow these steps:
Step 1: About VPN Auto Provisioning
Understand the concept and benefits of VPN auto provisioning.
Step 2: Defining VPN Auto Provisioning
Define the VPN auto provisioning settings and requirements.
Step 3: Benefits of VPN Auto Provisioning
Understand the advantages of using VPN auto provisioning for VPN
configuration management.
Step 4: How VPN Auto Provisioning Works
Learn how SonicOS handles VPN auto provisioning and the underlying
mechanisms.
Step 5: Configuring a VPN AP Server
- Access the SonicOS administration interface.
- Navigate to the VPN section and select “VPN Auto Provisioning”.
- Click on the “Add” button to create a new VPN AP server configuration.
Step 6: Starting the VPN AP Server Configuration
Configure the basic settings for the VPN AP server, such as the server name
and IP address.
Step 7: Configuring VPN AP Server Settings on General
Specify the general settings for the VPN AP server, such as the
authentication method and encryption settings.
Step 8: Configuring VPN AP Server Settings on Network
Configure the network settings for the VPN AP server, including the allowed
networks and routing options.
Step 9: Configuring Advanced Settings on Proposals
Enable or disable advanced settings for the VPN AP server, such as PFS or
DPD.
Step 10: Configuring Advanced Settings on Advanced
Configure any additional advanced settings for the VPN AP server as
required.
SonicOS 7.1 IPSec VPN
Administration Guide
About SonicOS
This guide is a part of the SonicOS collection of administrative guides that describes how to administer and monitor the SonicWall family of firewalls. SonicOS provides the management interface, API (Application Program Interface), and the Command Line Interface (CLI) for firewall configuration. This guide focuses on options provided by the features for configuring and displaying your VPN policies. You can configure various types of IPsec VPN policies, such as site-to-site policies, including GroupVPN, and route-based Tunnel Interface policies.
Topics:
- Working with SonicOS
- SonicOS Workflow
- How to Use the SonicOS Administration Guides
- Guide Conventions
Working with SonicOS
SonicOS provides a web management interface for configuring, managing, and
monitoring the features, policies, security services, connected devices, and
threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure
underlying operating system. The SonicOS management interface facilitates:
- Setting up and configuring your firewall
- Configuring external devices like access points or switches
- Configuring networks and external system options that connect to your firewall
- Defining objects and policies for protection
- Monitoring the health and status of the security appliance, network, users, and connections
- Monitoring traffic, users, and threats
- Investigating events

SonicWall offers two different modes of operation in SonicOS; the modes differ mainly in the areas of policy, object configuration and diagnostics.
- Policy Mode provides a unified policy configuration workflow. It combines Layer 3 to Layer 7 policy enforcement for security policies and optimizes the workflow for other policy types. This unified policy workflow gathers many security settings into one place, which were previously configured on different pages of the management interface.
- Classic Mode is more consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. The Classic Mode has a redesigned interface.
This table identifies which modes can be used on the different SonicWall firewalls:

Firewall Type: TZ Series
Classic Mode: yes
Policy Mode: no
Comments: The entry level TZ Series, also known as desktop firewalls, deliver revamped features such as 5G readiness, better connectivity options, improved threat, SSL and decryption performance that address HTTPS bandwidth issues; built-in SD-WAN, and lawful TLS 1.3 decryption support.

Firewall Type: NSa Series
Classic Mode: yes
Policy Mode: no
Comments: NSa firewalls provide your mid-sized network with enhanced security. They are designed specifically for businesses with 250 and up. They can provide cloud-based and on-box capabilities like TLS/SSL decryption and inspection, application intelligence and control, SD-WAN, real-time visualization, and WLAN management.

Firewall Type: NSsp 10700, NSsp 11700, NSsp 13700
Classic Mode: yes
Policy Mode: no
Comments: The NSsp platforms are high-end firewalls that deliver the advanced threat protection and fast speeds that large enterprises, data centers, and service providers need.

Firewall Type: NSsp 15700
Classic Mode: no
Policy Mode: yes
Comments: The NSsp 15700 is designed for large distributed enterprises, data centers, government agencies and service providers. It provides advanced threat protection like Real-Time Deep Memory Inspection, multi-instance firewall configuration, and unified policy creation and modification, with scalability and availability.

Firewall Type: NSv Series
Classic Mode: yes
Policy Mode: yes
Comments: The NSv series firewalls offer all the security advantages of a physical firewall with the operational and economic benefits of virtualization. The NSv firewalls can operate in either Policy Mode or Classic Mode. You can switch between modes, but some configuration information from extra interfaces is removed.
In addition to the management interface, SonicOS also has a full-featured API and a CLI to manage the firewalls. For more information, refer to:
- SonicOS 7.1 API Reference Guide
- SonicOS Command Line Interface Reference Guide
SonicOS Workflow
When working with SonicWall products, you can use the following workflow as a guide for setting up your security solution.

You begin your planning as you start making your purchasing decisions. Your sales partners can help you assess your network and make recommendations based on the kinds of security services you need. You can learn more about SonicWall products by reviewing product information and solutions. After selecting the solution, you can schedule your implementation.

After planning and scheduling your solution, you begin setting up the firewalls. The Getting Started Guides for your products can help you begin setting up the pieces to your solution. The getting started guides are designed to help you install the firewall to a minimal level of operation. Before performing any detailed configuration tasks described in the SonicOS Administration Guides, you should have your firewall set up and basic operation validated.

The configuration block of the workflow refers to the many tasks that combine to define how your firewall is integrated into your security solution and how it behaves when protecting your environment. Depending on the features of your security solution, this task can be quite complex. The System Administration Guides are broken into the key command sets and features. Some documents may be used for all solutions, but others are used only if you integrated that feature into your solution. For example, High Availability or Wireless Access Points are not necessarily used by all customers. More information about a feature’s workflow is presented in the feature administration guide. Refer to the specific Administration Guide for a SonicOS feature for more information.

Configuration tends to be a one-time activity, although you might make minor adjustments after monitoring performance or after diagnosing an issue. The configuration activity can be broken down into the more detailed flow as the following figure shows. This also mirrors the key functions that are listed across the top of the management interface.
There is some flexibility in the order in which you do things, but this is the general workflow you would follow when configuring your firewall. Start by defining the settings on the firewall. Next you set up the system and other devices that your firewall is connected to, and you can choose to implement High Availability when done. After your device, network, and system are configured, you should define the objects that you want to monitor. Then you use those objects to define the policies that protect your network. The final step in preparing your setup is to validate the user authentication.
How to Use the SonicOS Administration Guides
The SonicOS Administration Guide is a collection of guides that detail the
features represented by each of the main menu items in the management
interface. Within each guide, you can find topics covering commands in that
menu group, along with procedures and in-depth information. The exceptions are
the SonicOS 7.1 Monitor Guide and the SonicOS 7.1 Objects Guide which combine
the topics for each of those functions into a single book.
To help you understand how the books align with the features and commands, the
following figure shows the books organized like the SonicWall management
interface.
The SonicOS Administration Guides, along with related documentation, such as the getting started guides, are available at https://www.sonicwall.com/support/technical-documentation/.
Guide Conventions
These text conventions are used in this guide:
NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information.
TIP: A TIP icon indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
Convention: Bold text
Description: Used in procedures to identify elements in the management interface like dialog boxes, windows, screen names, messages, and buttons. Also used for file names and text or values you are being instructed to select or type into the interface.

Convention: Function | Menu group > Menu item
Description: Indicates a multiple-step menu choice on the user interface. For example, NETWORK | System > Interfaces means to select the NETWORK functions at the top of the window, then click on System in the left navigation menu to open the menu group (if needed) and select Interfaces to display the page.

Convention: Code
Description: Indicates sample computer programming code. If bold, it represents text to be typed in the command line interface.

Convention: Text in angle brackets
Description: Represents a variable name. The variable name and angle brackets need to be replaced with an actual value. For example, in the segment serialnumber=<your serial number>, replace the variable and brackets with the serial number from your device, such as serialnumber=2CB8ED000004.

Convention: Italics
Description: Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence, such as the first instance of a significant term or concept.
IPSec VPN Overview
The VPN options provide the features for configuring and displaying your VPN
policies. You can configure various types of IPsec VPN policies, such as site-
to-site policies, including GroupVPN, and route-based Tunnel Interface
policies. For specific details on the setting for these kinds of policies, go
to the following sections:
- Site to Site VPNs
- VPN Auto Provisioning
- Tunnel Interface Route-based VPN
This section provides information on VPN types, discusses some of the security
options you can select, and describes the interface for the NETWORK | IPSec
VPN > Rules and Settings page. Subsequent sections describe how to configure
site to site and route-based VPN, advanced settings, DHCP over VPN and L2TP
servers.
Topics:
- About Virtual Private Networks
- VPN Types
- VPN Security
- VPN Base Settings and Displays
- IPv6 VPN Configuration
- VPN Auto-Added Access Rule Control
About Virtual Private Networks
A Virtual Private Network (VPN) provides a secure connection between two or
more computers or protected networks over the public Internet. It provides
authentication to ensure that the information is going to and from the correct
parties. It also offers security to protect the data from viewing or tampering
en route. A VPN is created by establishing a secure tunnel through the
Internet. This tunnel is a virtual point-to-point connection through the use
of dedicated connections, virtual tunneling protocols, or traffic encryption.
It is flexible in that you can change it at any time to add more nodes, change
the nodes, or remove them altogether. VPN is less costly, because it uses the
existing Internet infrastructure.
VPNs can support either remote access–connecting a user’s computer to a
corporate network–or site to site, which is connecting two networks. A VPN can
also be used to interconnect two similar networks over a dissimilar middle
network: for example, two IPv6 networks connecting over an IPv4 network. VPN
systems might be classified by:
- Protocols used to tunnel the traffic
- Tunnel’s termination point location, for example, on the customer edge or network provider edge
- Type of topology of connections, such as site to site or network to network
- Levels of security provided
- OSI layer they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity
- Number of simultaneous connections
VPN Types
Several types of VPN protocols can be configured for use:
- IPsec VPN
- DHCP over VPN
- L2TP with IPsec
- SSL VPN
IPsec VPN
SonicOS supports the creation and management of IPsec VPNs. These VPNs are
primarily configured at NETWORK | IPSec VPN > Rules and Settings and NETWORK |
IPSec VPN > Advanced. IPsec (Internet Protocol Security) is a standards-based
security protocol that was initially developed for IPv6, but it is also widely
used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most
security goals of authentication, integrity, and confidentiality. IPsec uses
encryption and encapsulates an IP packet inside an IPsec packet. De-
encapsulation happens at the end of the tunnel, where the original IP packet
is decrypted and forwarded to its intended destination. An advantage of using
IPsec is that security arrangements can be handled without requiring changes
to individual user computers. It provides two types of security service:
- Authentication Header (AH), which essentially allows authentication of the sender of data
- Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data

You can use IPsec to develop policy-based VPN (site to site) or route-based VPN tunnels or Layer 2 Tunneling Protocol (L2TP).
DHCP over VPN
SonicOS allows you to configure a firewall to obtain an IP address lease from
a DHCP server at the other end of a VPN tunnel. In some network deployments,
you want to have all VPN networks on one logical IP subnet and create the
appearance of all VPN networks residing in one IP subnet address space. This
facilitates IP address administration for the networks using VPN tunnels. The
firewall at the remote and central sites are configured for VPN tunnels for
initial DHCP traffic as well as subsequent IP traffic between the sites. The
firewall at the remote site passes DHCP broadcast packets through its VPN
tunnel. The firewall at the central site relays DHCP packets from the client
on the remote network to the DHCP server on the central site.
L2TP with IPsec
Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support VPNs
or as part of the delivery of services by ISPs. It does not provide any
encryption or confidentiality by itself, and because of that lack of
confidentiality in the L2TP protocol, it is often implemented along with
IPsec. The general process for setting up an L2TP/IPsec VPN is:
1. Negotiate an IPsec security association (SA), typically through Internet
key exchange (IKE). This is carried out over UDP port 500, and commonly uses
either a shared password (also called pre-shared keys), public keys, or X.509
certificates on both ends, although other keying methods exist.
2. Establish Encapsulating Security Payload (ESP) communication in transport
mode. The IP protocol number for ESP is 50 (compare TCP’s 6 and UDP’s 17). At
this point, a secure channel has been established, but no tunneling is taking
place.
3. Negotiate and establish L2TP tunnel between the SA endpoints. The actual
negotiation of parameters takes place over the SA’s secure channel, within the
IPsec encryption. L2TP uses UDP port 1701.
When the process is complete, L2TP packets between the endpoints are
encapsulated by IPsec. Because the L2TP packet itself is wrapped and hidden
within the IPsec packet, no information about the internal private network can
be garnered from the encrypted packet. Also, UDP port 1701 does not need to be
opened on firewalls between the endpoints, because the inner packets are not
acted upon until after IPsec data has been decrypted and stripped, which only
takes place at the endpoints.
SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN
that can be used with a standard Web browser. In contrast to the traditional
IPsec VPN, an SSL VPN does not require the installation of specialized client
software on the end user’s computer. It can be used to give remote users
access to Web applications, client/server applications, and internal network
connections.
An SSL VPN consists of one or more VPN devices to which the user connects by
using his Web browser. The traffic between the Web browser and the SSL VPN
device is encrypted with the SSL protocol or its successor, the Transport
Layer Security (TLS) protocol. An SSL VPN offers versatility, ease of use and
granular control for a range of users on a variety of computers, accessing
resources from many locations. The two major types of SSL VPNs are:
- SSL Portal VPN
- SSL Tunnel VPN
The SSL Portal VPN allows single SSL connection to a Web site so the end user
can securely access multiple network services. The site is called a portal
because it is one door (a single page) that leads to many other resources. The
remote user accesses the SSL VPN gateway using any modern Web browser,
identifies himself or herself to the gateway using an authentication method
supported by the gateway and is then presented with a Web page that acts as
the portal to the other services.
The SSL tunnel VPN allows a Web browser to securely access multiple network
services, including applications and protocols that are not Web-based, through
a tunnel that is running under SSL. SSL tunnel VPNs require that the Web
browser be able to handle active content, which allows them to provide
functionality that is not accessible to SSL portal VPNs. Examples of active
content include Java, JavaScript, Active X, or Flash applications or plug-ins.
SSL uses a program layer located between the Internet’s Hypertext Transfer
Protocol (HTTP) and Transport Control Protocol (TCP) layers. It also uses the
public-and-private key encryption system from RSA, which also includes the use
of a digital certificate. An SRA/SMA appliance uses SSL to secure the VPN
tunnel. One advantage of SSL VPN is that SSL is built into most web browsers.
No special VPN client software or hardware is required.
NOTE: SonicWall makes Secure Mobile Access (SMA) appliances you can use in concert with or independently of a SonicWall network security appliance running SonicOS. For information on SonicWall SMA appliances, refer to https://www.sonicwall.com/products/remote-access/remote-access-appliances.
VPN Security
IPsec VPN traffic is secured in two stages:
1. Authentication: The first phase establishes the authenticity of the sender
and receiver of the traffic using an exchange of the public key portion of a
public-private key pair. This phase must be successful before the VPN tunnel
can be established.
2. Encryption: The traffic in the VPN tunnel is encrypted, using an
encryption algorithm such as AES or 3DES.
Unless you use a manual key (which must be typed identically into each node in
the VPN), the exchange of information to authenticate the members of the VPN
and encrypt/decrypt the data uses the Internet Key Exchange (IKE) protocol for
exchanging authentication information (keys) and establishing the VPN tunnel.
SonicOS supports two versions of IKE:
IKE version 1 (IKEv1): Uses a two-phase process to secure the VPN tunnel. First, the two nodes authenticate each other and then they negotiate the methods of encryption. You can find more information about IKEv1 in the three specifications that initially define IKE: RFC 2407, RFC 2408, and RFC 2409. They are available on the web at:
- http://www.faqs.org/rfcs/rfc2407.html RFC 2407 – The Internet IP Security Domain of Interpretation for ISAKMP
- http://www.faqs.org/rfcs/rfc2408.html RFC 2408 – Internet Security Association and Key Management Protocol (ISAKMP)
- http://www.faqs.org/rfcs/rfc2409.html RFC 2409 – The Internet Key Exchange (IKE)

IKE version 2 (IKEv2): The default type for new VPN policies because of improved security, simplified architecture, and enhanced support for remote users. A VPN tunnel is initiated with a pair of message exchanges. The first pair of messages negotiates cryptographic algorithms, exchanges nonces (random values generated and sent to guard against repeated messages), and performs a public key exchange. The second pair of messages authenticates the previous messages, exchanges identities and certificates, and establishes the first CHILD_SA (security association). Parts of these messages are encrypted and integrity protected with keys established through the first exchange, so the identities are hidden from eavesdroppers and all fields in all the messages are authenticated. You can find more information about IKEv2 in the specification, RFC 4306, available on the Web at: http://www.ietf.org/rfc/rfc4306.txt.
IMPORTANT: IKEv2 is not compatible with IKEv1. When using IKEv2, all nodes in the VPN must use IKEv2 to establish the tunnels.
DHCP over VPN is not supported in IKEv2. For more VPN security information,
see:
- About IKEv1
- About IKEv2
- Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
- About IPsec (Phase 2) Proposal
- About Suite B Cryptography
About IKEv1
In IKEv1, two modes are used to exchange authentication information:
- Main Mode: The node or gateway initiating the VPN queries the node or gateway on the receiving end, and they exchange authentication methods, public keys, and identity information. This usually requires six messages back and forth. The order of authentication messages in Main Mode is:
  1. The initiator sends a list of cryptographic algorithms the initiator supports.
  2. The responder replies with a list of supported cryptographic algorithms.
  3. The initiator sends a public key (part of a Diffie-Hellman public/private key pair) for the first mutually supported cryptographic algorithm.
  4. The responder replies with the public key for the same cryptographic algorithm.
  5. The initiator sends identity information (usually a certificate).
  6. The responder replies with identity information.
- Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one algorithm and the responder replies if it supports that algorithm:
  1. The initiator proposes a cryptographic algorithm to use and sends its public key.
  2. The responder replies with a public key and identity proof.
  3. The initiator sends an identification proof.

After authenticating, the VPN tunnel is established with two SAs, one from each node to the other.
About IKEv2
IKE version 2 (IKEv2) is a newer protocol for negotiating and establishing
security associations. Secondary gateways are supported with IKEv2. IKEv2 is
the default proposal type for new VPN policies. IKEv2 is not compatible with
IKEv1. When using IKEv2, all nodes in the VPN must use IKEv2 to establish the
tunnels. DHCP over VPN is not supported in IKEv2. IKEv2 has the following
advantages over IKEv1:
- More secure
- More reliable
- Simpler
- Faster
- Extensible
- Fewer message exchanges to establish connections
- EAP Authentication support
- MOBIKE support
- Built-in NAT traversal
- Keep Alive is enabled as default
IKEv2 supports IP address allocation and EAP to enable different
authentication methods and remote access scenarios. Using IKEv2 greatly
reduces the number of message exchanges needed to establish a Security
Association over IKEv1 Main Mode, while being more secure and flexible than
IKEv1 Aggressive Mode. This reduces the delays during re-keying. As VPNs grow
to include more and more tunnels between multiple nodes or gateways, IKEv2
reduces the number of Security Associations required per tunnel, thus reducing
required bandwidth and housekeeping overhead.
Security Associations (SAs) in IKEv2 are called Child SAs and can be created,
modified, and deleted independently at any time during the life of the VPN
tunnel.
Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
The Mobility and Multi-homing Protocol (MOBIKE) for IKEv2 provides the ability
for maintaining a VPN session, when a user moves from one IP address to
another, without the need for reestablishing IKE security associations with
the gateway. For example, a user could establish a VPN tunnel while using a
fixed Ethernet connection in the office. MOBIKE allows the user to disconnect
the laptop and move to the office’s wireless LAN without interrupting the VPN
session.
MOBIKE operation is transparent and does not require any extra configuration
by you or consideration by users.
About IPsec (Phase 2) Proposal
The IPsec (Phase 2) proposal is negotiated with both IKEv1 and IKEv2. In this phase, the two parties agree on the IPsec protocol to use, the encryption and authentication algorithms for the traffic through the tunnel, and the lifetime of the tunnel before re-keying is needed.
The two types of security for individual packets are:
- Encapsulating Security Payload (ESP), in which the data portion of each packet is encrypted with the algorithm negotiated between the parties and, when an authentication algorithm is also selected, integrity-protected.
- Authentication Header (AH), in which the header of each packet carries authentication information so that the receiver can verify the packet has not been tampered with. No encryption is used for the data with AH, so it provides integrity but no confidentiality.
SonicOS supports the following encryption methods for traffic through the VPN:
- DES
- 3DES
- AES-128
- AES-192
- AES-256
- AESGCM16-128
- AESGCM16-192
- AESGCM16-256
- AESGMAC-128
- AESGMAC-192
- AESGMAC-256
- None
SonicOS supports the following authentication methods:
- MD5
- SHA1
- SHA256
- SHA384
- SHA512
- AES-XCBC
- None
NOTE: AES-GCM is an authenticated-encryption mode and AES-GMAC is its authentication-only variant, so neither needs a separate authentication algorithm. DES, 3DES, and MD5 remain available only for interoperability with legacy peers; select AES with SHA256 or stronger for new policies.
About Suite B Cryptography
SonicOS supports Suite B cryptography, a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It serves as an interoperable cryptographic base for both classified and unclassified information. Suite B cryptography is approved by the National Institute of Standards and Technology (NIST) for use by the U.S. Government. The NSA has since superseded Suite B with the Commercial National Security Algorithm Suite, which keeps the AES-256, SHA-384, and P-384 components; the classification levels below are the original Suite B guidance.
Most of the Suite B components are adopted from FIPS standards:
- Advanced Encryption Standard (AES) with 128-bit keys (adequate protection for classified information up to the SECRET level) or 256-bit keys (up to the TOP SECRET level).
- Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures on curve P-256 (up to the SECRET level) or P-384 (up to the TOP SECRET level).
- Elliptic Curve Diffie-Hellman (ECDH) key agreement on curve P-256 (up to the SECRET level) or P-384 (up to the TOP SECRET level).
- Secure Hash Algorithm 2 message digest: SHA-256 (up to the SECRET level) and SHA-384 (up to the TOP SECRET level). SHA-512 is also offered by SonicOS but is not part of Suite B.
VPN Base Settings and Displays
The VPN pages offer a series of tables and settings, depending on the options
selected. For details on the NETWORK | IPSec VPN > Rules and Settings page,
refer to the following:
- Policies
- Active Tunnels
- Settings
IPSEC VPN > RULES AND SETTINGS PAGE
View IP Version
Sets IP version view. Options are IPv4 or IPv6.
NOTE: SonicWall VPN supports both IPv4 and IPv6 (Internet Protocol version 4 and Internet Protocol version 6). You can toggle between the versions by selecting the one you want in the upper left side of the window. The default view is for IPv4.
Policies
All defined VPN policies are displayed in the NETWORK | IPSec VPN > Rules and
Settings on the Policies tab.
Each entry displays the following information:
- Name: The default name or user-defined VPN policy name.
- Gateway: The IP address of the remote firewall. If the wildcard IP address, 0.0.0.0, is used, it is displayed as the IP address.
- Destinations: The IP addresses of the destination networks.
- Crypto Suite: The type of encryption used for the VPN policy.
- Enable: Shows whether the policy is enabled. A checked box enables the VPN policy; clearing the box disables it.
- Configure: Options for managing the individual VPN policies:
  - Edit icon allows you to edit the VPN policy.
  - Delete icon deletes the policy on that line. The predefined GroupVPN policies cannot be deleted, so their Delete icons are dimmed.
  - Export icon exports the VPN policy configuration as a file for local installation by SonicWall Global VPN Clients.
The following buttons are shown in the Policies table:
- Search: Standard search field to help locate specific VPN policies.
- +Add: Opens the VPN Policy window to configure site to site VPN policies.
- Delete: Deletes the selected policies (check the box before the VPN policy name in the Name column first). You cannot delete the GroupVPN policies.
- Delete All: Deletes all VPN policies in the VPN Policies table except the default GroupVPN policies.
NOTE: You can refresh the active tunnels by using the Refresh option at the
top of the Policies and Active Tunnels tables.
Some statistics about the VPN policies are also summarized below the table,
for both site to site and GroupVPN policies:
- Number of policies defined
- Number of policies enabled
- Maximum number of policies allowed
You can define up to four GroupVPN policies, one for each zone. These GroupVPN
policies are listed by default in the VPN Policies table as WAN GroupVPN, LAN
GroupVPN, DMZ GroupVPN, and WLAN GroupVPN. Clicking on the Edit icon in the
Configure column for the GroupVPN displays the Security Policy window for
configuring the GroupVPN policy.
NOTE: A VPN Policy cannot have two different WAN interfaces if the VPN Gateway
IP is the same.
Active Tunnels
A list of currently active VPN tunnels is displayed in this section.
The Currently Active VPN Tunnels table displays this information for each tunnel:
- Search: Standard search field to help locate specific active tunnels.
- Created: Date and time the tunnel was created.
- Name: Name of the VPN Policy.
- Local: Local LAN IP address of the tunnel.
- Remote: Remote destination network IP address.
- Gateway: Peer gateway IP address.
Left-arrow icon
When the mouse hovers over the Left-arrow icon, the respective VPN policy is displayed in the middle of the VPN Policies table
You can refresh the active tunnels by using the Refresh option at the top of the Policies and Active Tunnels tables.
Settings
The Settings tab of the NETWORK | IPSec VPN > Rules and Settings page displays
the following information:
- Enable VPN: Select to enable VPN policies through the SonicWall security policies.
- Unique Firewall Identifier: Identifies this SonicWall appliance when configuring VPN tunnels. The default value is the serial number of the appliance. You can change the identifier to something meaningful to you.
IPv6 VPN Configuration
Site to Site VPNs can be configured for IPv6 in a similar manner to IPv4 VPNs
on the IPv6 tab on the NETWORK | IPSec VPN > Rules and Settings page. There
are certain VPN features that are currently not supported for IPv6, including:
- IKEv1 is not supported.
- GroupVPN is not supported.
- Tunnel Interface route-based VPN is not supported.
- DHCP Over VPN is not supported.
- L2TP Server is not supported.
When configuring an IPv6 VPN policy:
- On the General screen:
  - The Gateways must be configured using IPv6 addresses. FQDN is not supported.
  - Under IKE Authentication, IPv6 addresses can be used for the local and peer IKE IDs.
- On the Network screen:
  - IPv6 address objects (or address groups that contain only IPv6 address objects) must be selected for the Local Network and Remote Network.
  - DHCP Over VPN is not supported, thus the DHCP options for protected network are not available.
  - The Any address option for Local Networks and the Tunnel All option for Remote Networks are removed, but you can select an all-zero IPv6 Network address object for the same functionality and behavior.
- On the Proposals screen, only IKEv2 mode is supported.
- On the Advanced screen, several options are disabled for IPv6 VPN policies:
  - Suppress automatic Access Rules creation for VPN Policy is disabled.
  - Enable Windows Networking (NetBIOS) Broadcast is disabled.
  - Enable Multicast is disabled.
  - Apply NAT Policies is disabled.
NOTE: Because an interface might have multiple IPv6 addresses, the local address of the tunnel might vary periodically. If you need a consistent IP address, bind the VPN policy to an interface instead of a zone and specify the address manually. The address must be one of the IPv6 addresses for that interface.
Site to Site VPNs
SonicWall VPN is based on the industry-standard IPsec VPN implementation. It provides an easy-to-set-up, secure solution for connecting mobile users, telecommuters, remote offices and partners through the Internet. Mobile users, telecommuters, and other remote users with broadband (DSL or cable) or dial-up Internet access can securely and easily access your network resources with the SonicWall Global VPN Client and GroupVPN on your firewall. Remote office networks can securely connect to your network using site to site VPN connections that enable network-to-network VPN connections. The maximum number of policies you can add depends on which SonicWall model you have; the larger models allow more connections.
NOTE: Remote users must be explicitly granted access to network resources. Depending on how you define access, you can affect the ability of remote clients using GVC to connect to GroupVPN, and you can also affect remote users using NetExtender and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the allow list on the VPN Access window. To access this window, select DEVICE | Users > Local Users & Groups > Local Users > Add User > VPN Access.
This section describes site to site policies, including GroupVPN. Other sections describe auto provisioning and Tunnel Interface policies for route-based VPN. For specific details on the settings for these kinds of policies, go to the following sections:
- VPN Auto Provisioning
- Tunnel Interface Route-based VPN
Topics:
- Planning Site to Site Configurations
- General VPN Configuration
- Managing GroupVPN Policies
- Creating Site to Site VPN Policies
Planning Site to Site Configurations
You have many options when configuring site to site VPN, including the following designs:
- Branch Office (Gateway to Gateway): A SonicWall firewall is configured to connect to another SonicWall firewall through a VPN tunnel. Or, a SonicWall firewall is configured to connect through IPsec to another manufacturer's firewall.
- Hub and Spoke Design: All SonicWall VPN gateways are configured to connect to a central hub, such as a corporate firewall. The hub must have a static IP address, but the spokes can have dynamic IP addresses. If the spokes are dynamic, the hub must be a SonicWall network security appliance.
- Mesh Design: All sites connect to all other sites. All sites must have static IP addresses.
SonicWall has video clips and knowledge base articles that can help you with
some of those decisions.
VIDEO: Informational videos with site to site VPN configuration examples are
available online. For example, see How to Create a Site to Site VPN in Main
Mode using Preshared Secret or How to Create Aggressive Mode Site to Site VPN
using Preshared Secret. Additional videos are available at:
https://www.sonicwall.com/support/video-tutorials.
TIP: See the knowledge base articles for information about Site to Site VPNs: VPN: Types of Site to Site VPN Scenarios and Configurations (SW12884) Troubleshooting articles of Site to Site VPN (SW7570)
When designing your VPN configurations, be sure to document all pertinent IP
addressing information. You might want to create a network diagram to use as a
reference. A few other things to note:
- The firewall must have a routable WAN IP address, whether it is dynamic or static.
- In a VPN network with dynamic and static IP addresses, the VPN gateway with the dynamic address must initiate the VPN connection.
General VPN Configuration
This section reviews the general process for site to site configurations.
Specific scenarios might be different and some are described in subsequent
sections. Note that configuring IPsec VPNs for IPv4 and IPv6 are very similar;
however, certain VPN features are currently not supported in IPv6. See IPv6
VPN Configuration for information.
To configure a VPN:
1. Navigate to the NETWORK | IPSec VPN > Rules and Settings page.
2. Make the appropriate version selection, either IPv4 or IPv6.
3. Click +Add.
4. Complete the General, Network, Proposals, and Advanced tabs on the VPN Policy dialog. The following sections provide additional information for each of those tabs.
Topics:
- Configuring Settings on the General Tab
- Configuring Settings on the Network Tab
- Configuring Settings on the Proposals Tab
- Configuring Settings on the Advanced Tab
Configuring Settings on the General Tab
On the General tab, begin defining the site to site VPN policy. There are some slight differences between IPv4 and IPv6 networks, which are noted.
IPV4 +ADD VPN POLICY: GENERAL
1. If configuring an IPv4 VPN, select Policy Type from the drop-down menu.
NOTE: The Policy Type field is not available for IPv6.
2. Select the authentication method from the Authentication Method drop-down menu. The remaining fields in the General tab change depending on which option you select. The following options are available:
- IPv4: Manual Key, IKE using Preshared Secret (default), IKE using 3rd Party Certificates, SonicWall Auto Provisioning Client, SonicWall Auto Provisioning Server
- IPv6: Manual Key, IKE using Preshared Secret (default), IKE using 3rd Party Certificates
3. Type in a Name for the policy.
4. For IPsec Primary Gateway Name or Address, type in the gateway name or
address.
5. For IPsec Secondary Gateway Name or Address, type in the gateway name or
address.
6. Under IKE Authentication, provide the required authentication information.
NOTE: When configuring IKE authentication, IPv6 addresses can be used for the
local and peer IKE IDs.
Configuring Settings on the Network Tab
On the Network tab, define the networks that comprise the site to site VPN policy.
IPV4 +ADD VPN POLICY: NETWORK
On the Network tab of the VPN policy, select the local and remote networks
from the Local Network and Remote Network options.
For IPv6, the drop-down menus are the only option provided and only address
objects that can be used by IPv6 are listed. Because DHCP is not supported,
those options are not available. Also the Any address option for Local
Networks and the Tunnel All option for Remote Networks are removed. An all-
zero IPv6 Network address object could be selected for the same functionality
and behavior.
For IPv4, additional options are provided. Under Local Networks, you can
Choose local network from list or choose Any address. If Any address is
selected, auto-added rules are created between Trusted Zones and the VPN zone.
For IPv4 under Remote Networks, you can choose one of the following:
- Use this VPN tunnel as default route for all Internet traffic.
- Choose destination network from list. If none are listed, you can create a new address object or address group.
- Use IKEv2 IP Pool. Select this to support IKEv2 Config Payload.
Configuring Settings on the Proposals Tab
On the Proposals tab, define the security parameters for your VPN policy. The page is the same for IPv4 and IPv6, but the options are different depending on what you selected. IPv4 offers both IKEv1 and IKEv2 options in the Exchange field, whereas IPv6 only has IKEv2.
IPV4 +ADD VPN POLICY: PROPOSALS
Configuring Settings on the Advanced Tab
The Advanced tabs for IPv4 and IPv6 are similar, but some options are
available only for one version or the other, as shown in Advanced Settings:
Option Availability. Options also change depending on the authentication
method selected.
SonicOS 7.1 IPSec VPN Administration Guide 26 Site to Site VPNs
ADVANCED SETTINGS: OPTION AVAILABILITY
Option                                                    IPv4            IPv6
Enable Keep Alive                                         Supported       Supported
Suppress automatic Access Rules creation for VPN Policy   Supported       Not available
Disable IPsec Anti-Replay                                 Supported       Supported
Enable Windows Networking (NetBIOS) Broadcast             Supported       Not available
Enable Multicast                                          Supported       Not available
Display Suite B Compliant Algorithms Only                 Supported       Supported
Apply NAT Policies                                        Supported       Not available
Using Primary IP Address                                  Not available   Supported
Specify the local gateway IP address                      Not available   Supported
Preempt Secondary Gateway                                 Supported       Supported
Primary Gateway Detection Interval (seconds)              Supported       Supported
Do not send trigger packet during IKE SA negotiation      Supported       Supported
Accept Hash & URL Certificate Type                        Supported       Supported
Send Hash & URL Certificate Type                          Supported       Supported
Because an interface might have multiple IPv6 addresses, sometimes the local address of the tunnel might vary periodically. If a user needs a consistent IP address, select either the Using Primary IP Address or Specify the local gateway IP address option, or configure the VPN policy to be bound to an interface instead of a Zone. With Specify the local gateway IP address, specify the address manually. The address must be one of the IPv6 addresses for that interface.
IPV6 +ADD VPN POLICY: ADVANCED
Managing GroupVPN Policies
The GroupVPN feature provides automatic VPN policy provisioning for Global VPN
Clients (GVC). The GroupVPN feature on the SonicWall network security
appliance and GVC streamlines VPN deployment and management. Using the Client
Policy Provisioning technology, you define the VPN policies for GVC users.
This policy information downloads automatically from the firewall (VPN
Gateway) to GVC, saving remote users the burden of provisioning VPN
connections. GroupVPN policies facilitate the set up and deployment of
multiple Global VPN Clients by the firewall administrator. GroupVPN is only
available for GVC and you should use XAUTH/RADIUS or third-party certificates
in conjunction with it for added security. For more information on how to
create GroupVPN policies for any zones, navigate to OBJECT | Match Objects >
Zones | +Add Zone.
SonicOS provides default GroupVPN policies for the WAN zone and the WLAN zone, as these are generally the less trusted zones. These default GroupVPN policies are listed in the VPN Policies table on the NETWORK | IPSec VPN > Rules and Settings page and can be customized:
- WAN GroupVPN
- WLAN GroupVPN
NOTE: GroupVPN policies are not automatically created in SonicOS with factory default settings. However, these policies remain unchanged on appliances that are upgraded from an earlier version of SonicOS. For information about Group VPN and Global VPN Client, refer to Types of Group VPN/Global VPN Client Scenarios and Configurations (SW7411).
Topics:
- Configuring IKE Using a Preshared Secret Key
- Configuring IKE Using 3rd Party Certificates
- Downloading a GroupVPN Client Policy
Configuring IKE Using a Preshared Secret Key
To configure the WAN GroupVPN using a preshared secret key: 1. Navigate to
NETWORK | IPSec VPN > Rules and Settings. 2. Click the Edit icon for the WAN
GroupVPN policy.
On the General tab, IKE using Preshared Secret is the default setting for
Authentication Method. A shared secret code is automatically generated by the
firewall and written in the Shared Secret field. You can generate your own
shared secret. A self-defined shared secret code must be a minimum of four
characters.
NOTE: You cannot change the name of any GroupVPN policy. 3. Click Proposals to
continue the configuration process.
4. In the IKE (Phase 1) Proposal section, select the following settings:
- Select Group 2 (default) from the DH Group drop-down menu. Group 2 is 1024-bit MODP; select Group 14 (2048-bit) or stronger unless a legacy client requires Group 2. NOTE: The Windows XP L2TP client only works with DH Group 2.
- In the Encryption drop-down menu, select DES, 3DES (default), AES-128, AES-192, or AES-256.
- From the Authentication drop-down menu, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, or SHA512.
- In the Life Time (seconds) field, enter a value. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
5. In the IPsec (Phase 2) Proposal section, select the following settings:
- From the Protocol drop-down menu, select ESP (default).
- In the Encryption drop-down menu, select 3DES (default), AES-128, AES-192, or AES-256.
- In the Authentication drop-down menu, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.
- Check Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange for each Phase 2 rekey, so that a compromise of the Phase 1 keys does not expose the tunnel traffic keys.
- Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
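As an added example (not SonicWall code), the following Python script checks a policy's Phase 1 and Phase 2 proposal settings and its GroupVPN shared secret against the points raised in the steps above and in the Suite B section: legacy algorithms, small DH groups, missing PFS, AES-GCM paired with a redundant authentication algorithm, and a short shared secret. The policy dictionary layout, the field names, the 20-character secret threshold, and the use of Group 19 and Group 20 as the names of the ECDH groups are assumptions made for this illustration; the algorithm names are those listed on the Proposals tab.

```python
"""Audit SonicOS-style IKE/IPsec proposal settings for weak choices.

Added example, not SonicWall code. The dictionary layout, field names,
the shared-secret length threshold and the ECDH group names are assumptions
made for this illustration.
"""

# Legacy choices still offered on the Proposals tab (this classification is
# the author's, not a SonicOS setting).
WEAK_ENCRYPTION = {"DES", "3DES", "None"}
WEAK_AUTH = {"MD5", "SHA1", "None"}
WEAK_DH_GROUPS = {"Group 1", "Group 2", "Group 5"}   # 768/1024/1536-bit MODP
AEAD_ENCRYPTION = {"AESGCM16-128", "AESGCM16-192", "AESGCM16-256"}

# Suite B building blocks named in "About Suite B Cryptography": AES,
# SHA-256/384 and ECDH. "Group 19"/"Group 20" (ECP 256/384) are assumed names.
SUITE_B_ENCRYPTION = {"AES-128", "AES-256", "AESGCM16-128", "AESGCM16-256"}
SUITE_B_AUTH = {"SHA256", "SHA384"}
SUITE_B_DH_GROUPS = {"Group 19", "Group 20"}

DEFAULT_LIFETIME = 28800   # seconds; the page's default for both phases
MIN_SECRET_LENGTH = 20     # assumption; the GUI itself only enforces 4 characters


def audit_proposal(policy):
    """Return a list of findings for one policy; an empty list means clean."""
    findings = []
    p1, p2 = policy["ike_phase1"], policy["ipsec_phase2"]

    if p1["dh_group"] in WEAK_DH_GROUPS:
        findings.append(f"Phase 1: {p1['dh_group']} is a small MODP group; use Group 14 or stronger")
    if p1["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"Phase 1: {p1['encryption']} encryption is legacy; use AES")
    if p1["authentication"] in WEAK_AUTH:
        findings.append(f"Phase 1: {p1['authentication']} authentication is legacy; use SHA256 or stronger")

    if p2["protocol"] != "ESP":
        findings.append("Phase 2: AH authenticates but does not encrypt; use ESP")
    if p2["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"Phase 2: {p2['encryption']} encryption is legacy; use AES or AES-GCM")
    if p2["encryption"] in AEAD_ENCRYPTION:
        if p2["authentication"] != "None":
            findings.append("Phase 2: AES-GCM already authenticates; select None for authentication")
    elif p2["authentication"] in WEAK_AUTH:
        findings.append(f"Phase 2: {p2['authentication']} authentication is legacy; use SHA256 or stronger")
    if not p2["pfs"]:
        findings.append("Phase 2: Perfect Forward Secrecy is off; a recovered Phase 1 key exposes the tunnel keys")

    for phase, settings in (("Phase 1", p1), ("Phase 2", p2)):
        if settings["lifetime"] > DEFAULT_LIFETIME:
            findings.append(f"{phase}: lifetime {settings['lifetime']}s exceeds the 8-hour default")

    secret = policy.get("shared_secret")
    if secret is not None and len(secret) < MIN_SECRET_LENGTH:
        findings.append(f"Shared secret is {len(secret)} characters; every client shares it, use a long random value")
    return findings


def is_suite_b(policy):
    """True when both phases use only Suite B algorithm families."""
    p1, p2 = policy["ike_phase1"], policy["ipsec_phase2"]
    p2_auth_ok = (p2["authentication"] == "None" if p2["encryption"] in AEAD_ENCRYPTION
                  else p2["authentication"] in SUITE_B_AUTH)
    pfs_group = p2.get("pfs_group", p1["dh_group"])   # PFS reuses the Phase 1 group unless overridden
    return (p1["dh_group"] in SUITE_B_DH_GROUPS
            and p1["encryption"] in SUITE_B_ENCRYPTION
            and p1["authentication"] in SUITE_B_AUTH
            and p2["protocol"] == "ESP"
            and p2["encryption"] in SUITE_B_ENCRYPTION
            and p2_auth_ok
            and (not p2["pfs"] or pfs_group in SUITE_B_DH_GROUPS))


# Constructed sample policies: the page's defaults, and a hardened variant.
PAGE_DEFAULT_POLICY = {
    "shared_secret": "abcd",   # the four-character minimum the GUI accepts
    "ike_phase1": {"dh_group": "Group 2", "encryption": "3DES",
                   "authentication": "SHA1", "lifetime": 28800},
    "ipsec_phase2": {"protocol": "ESP", "encryption": "3DES",
                     "authentication": "SHA1", "pfs": False, "lifetime": 28800},
}
HARDENED_POLICY = {
    "shared_secret": "q7Vn2pL9xR4sT8wB1mK6zH3cJ5dF0gYe",   # constructed 32-character value
    "ike_phase1": {"dh_group": "Group 20", "encryption": "AES-256",
                   "authentication": "SHA384", "lifetime": 28800},
    "ipsec_phase2": {"protocol": "ESP", "encryption": "AESGCM16-256",
                     "authentication": "None", "pfs": True, "lifetime": 28800},
}

if __name__ == "__main__":
    for name, pol in (("page default", PAGE_DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: Suite B = {is_suite_b(pol)}")
        for finding in audit_proposal(pol):
            print("  -", finding)
```

Run against the page's defaults (Group 2, 3DES, SHA1, no PFS, a four-character secret) the audit reports seven findings and no Suite B compliance; the hardened policy is clean. The AES-GCM rule matters in practice: a combined-mode cipher carries its own integrity tag, so pairing it with a separate authentication algorithm is at best wasted work and at worst a proposal the peer rejects.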
6. Click Advanced.
7. Select any of the following optional settings you want to apply to your GroupVPN policy:
Advanced Settings
- Disable IPsec Anti-Replay: Stops packets with duplicate sequence numbers from being dropped. Disabling it also removes the protection against an attacker re-injecting captured ESP packets, so leave it enabled unless heavy packet reordering on the path is dropping legitimate traffic.
- Enable Multicast: Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
- Accept Multiple Proposals for Clients: Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal or the IKE (Phase 2) Proposal, to be accepted.
- Enable IKE Mode Configuration: Allows SonicOS to assign an internal IP address, DNS Server, or WINS Server to third-party clients, like iOS devices or Avaya IP phones.
- Management via this SA: If using the VPN policy to manage the firewall, select the management method, either HTTP, SSH, or HTTPS. NOTE: SSH is valid for IPv4 only.
Advanced Settings
- Default Gateway: Allows you to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the firewall and compared to static routes configured in the firewall. As packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPsec tunnel, the firewall looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
Client Authentication
- Require Authentication of VPN Clients via XAUTH: Requires that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted Users group is selected by default. You can select another user group or Everyone from the User group for XAUTH users menu.
- Allow Unauthenticated VPN Client Access: Allows you to enable unauthenticated VPN client access. If you clear Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from the menu of predefined options, or select Create new address object or Create new address group to create a new one.
8. Click Client.
9. Select any of the following settings you want to apply to your GroupVPN
policy.
USER NAME AND PASSWORD CACHING
Cache XAUTH User Name and Password on Client: Allows the Global VPN Client to cache the user name and password:
- If Never is selected, the Global VPN Client is not allowed to cache the username and password. The user is prompted for a username and password when the connection is enabled and also every time there is an IKE Phase 1 rekey. This is the default.
- If Single Session is selected, the Global VPN Client user is prompted for username and password each time the connection is enabled, and the credentials remain valid until the connection is disabled. The username and password are reused through IKE Phase 1 rekeys.
- If Always is selected, the Global VPN Client user is prompted for username and password only once, when the connection is enabled. When prompted, the user is given the option of caching the username and password.
CLIENT CONNECTIONS
Virtual Adapter Settings
The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent
upon a DHCP server, either the internal SonicOS or a specified external DHCP
server, to allocate addresses to the Virtual Adapter. In instances where
predictable addressing is a requirement, obtain the MAC address of the Virtual
Adapter and to create a DHCP lease reservation. To reduce the administrative
burden of providing predictable Virtual Adapter addressing, you can configure
the GroupVPN to accept static addressing of the Virtual Adapter’s IP
configuration.
This feature requires the use of SonicWall GVC.
Select one of the following:
- None: A Virtual Adapter is not used by this GroupVPN connection. This is the default.
- DHCP Lease: The Virtual Adapter obtains its IP configuration from the DHCP Server only, as configured in the VPN > DHCP over VPN page.
- DHCP Lease or Manual Configuration: When the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so it can proxy ARP for the manually assigned IP address. By design, the Virtual Adapter currently has no limitations on IP address assignments; only duplicate static addresses are not permitted. Because the client chooses the address in this mode, do not base access rules on the Virtual Adapter address alone.
Allow Connections to: Client network traffic that matches the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. Select one of the following:
- This Gateway Only allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If selected without Set Default Route as this Gateway, then the Internet traffic is blocked.
- All Secured Gateways allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
- Split Tunnels allows the VPN user to have both local Internet connectivity and VPN connectivity. This is the default.
Set Default Route as this Gateway: Select this checkbox if all remote VPN connections access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting. By default, this option is not enabled.
Apply VPN Access Control List: Select this checkbox to apply the VPN access control list. When this option is enabled, specified users can access only those networks configured for them. This option is not enabled by default.
CLIENT INITIAL PROVISIONING
Use Default Key for Simple Client Provisioning: Uses Aggressive mode for the initial exchange with the gateway, and VPN clients use a default Preshared Key for authentication. This option is not enabled by default. The default preshared key is the same for every Global VPN Client, so the initial exchange does not distinguish your clients from anyone else running GVC; keep this option disabled unless you also require XAUTH user authentication.
10. Click OK.
11. Click ACCEPT on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.
Configuring IKE Using 3rd Party Certificates
Before configuring GroupVPN with IKE using 3rd Party Certificates, your
certificates must be installed on the firewall.
To configure GroupVPN with IKE using 3rd Party Certificates: 1. Navigate to
NETWORK | IPSec VPN > Rules and Settings. 2. Click the Edit icon for the WAN
GroupVPN policy.
3. In the Security Policy section, select IKE using 3rd Party Certificates from the Authentication Method drop-down menu.
NOTE: The VPN policy name is GroupVPN by default and cannot be changed.
4. Select a certificate for the firewall from the Gateway Certificate drop-
down menu. If you did not download your third-party certificates before
starting this procedure, the Gateway Certificates field shows – No verified
third-party certs.
5. In the Peer Certificates section, select one of the following from the Peer ID Type drop-down menu:
- Distinguished Name: Based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default and is set by the issuing Certificate Authority. The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), and Locality (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub. Up to three organizational units can be specified. The usage is c=;o=;ou=;ou=;ou=;cn=. The final entry does not need to contain a semicolon. You must enter at least one entry, for example, c=us.
- E-mail ID and Domain ID: Based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter does not work.
6. Enter the Peer ID filter in the Peer ID Filter field.
The Email ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wild card characters * (for more than one character) and ? (for a single character). For example, when Email ID is selected, the string @SonicWall.com allows anyone with an email address that ends in @SonicWall.com to have access; when Domain Name is selected, the string sv.us.SonicWall.com allows anyone with a domain name that ends in sv.us.SonicWall.com to have access.
7. Select Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu.
8. Click Proposals.
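The three Peer ID filters described in steps 5 and 6, implemented as an added example in Python (this is not SonicOS code). It assumes the semantics the text states: a Distinguished Name filter entry is satisfied when the certificate's Subject DN has an attribute of that type with the same value, compared case-insensitively, and each entry must be matched by a distinct attribute; E-mail ID and Domain ID filters compare against the Subject Alternative Name value case-insensitively, honour * and ? wildcards, and a filter with no wildcards matches any value that ends with it.

```python
"""Evaluate the Peer ID Type filters (Distinguished Name, E-mail ID,
Domain ID) against a peer certificate's identity fields.

Added example, not SonicOS code. Assumed semantics: each DN filter entry
must match one attribute of the certificate's Subject DN, case-insensitively;
E-mail/Domain filters are case-insensitive, support * and ? wildcards, and a
filter without wildcards matches any value that ends with it.
"""
import fnmatch


def dn_to_string(attrs):
    """Render a Subject DN given as (type, value) pairs in certificate order
    in the slash-separated form used on the page."""
    return "".join(f"/{t}={v}" for t, v in attrs)


def parse_dn_string(dn):
    """Split '/C=US/O=SonicWall, Inc./CN=Joe Pub' back into (TYPE, value) pairs."""
    pairs = []
    for part in dn.split("/"):
        if not part:
            continue                      # the leading slash yields an empty piece
        t, sep, v = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((t.strip().upper(), v))
    return pairs


def parse_dn_filter(filter_str):
    """Parse 'c=us;o=sonicwall, inc.;ou=techpubs' into (TYPE, value) pairs,
    enforcing the page's rules: at least one entry, at most three OU entries."""
    entries = []
    for piece in filter_str.split(";"):
        piece = piece.strip()
        if not piece:
            continue                      # a trailing semicolon is optional
        t, sep, v = piece.partition("=")
        if not sep:
            raise ValueError(f"malformed filter entry: {piece!r}")
        entries.append((t.strip().upper(), v.strip()))
    if not entries:
        raise ValueError("at least one entry (for example c=us) is required")
    if sum(1 for t, _ in entries if t == "OU") > 3:
        raise ValueError("at most three organizational units can be specified")
    return entries


def match_distinguished_name(cert_dn, filter_str):
    """True if every filter entry is satisfied by a distinct DN attribute."""
    available = [(t, v.lower()) for t, v in parse_dn_string(cert_dn)]
    for t, v in parse_dn_filter(filter_str):
        wanted = (t, v.lower())
        if wanted not in available:
            return False
        available.remove(wanted)          # each entry consumes one attribute
    return True


def match_subject_alt_name(san_value, filter_str):
    """E-mail ID / Domain ID filter. A certificate without the relevant
    Subject Alternative Name entry never matches."""
    if san_value is None:
        return False
    value, pattern = san_value.lower(), filter_str.strip().lower()
    if any(ch in pattern for ch in "*?"):
        return fnmatch.fnmatchcase(value, pattern)
    return value.endswith(pattern)


# Constructed certificate identity, using the DN the page shows.
EXAMPLE_DN = dn_to_string([("C", "US"), ("O", "SonicWall, Inc."),
                           ("OU", "TechPubs"), ("CN", "Joe Pub")])

if __name__ == "__main__":
    print(EXAMPLE_DN)
    print(match_distinguished_name(EXAMPLE_DN, "c=us;o=sonicwall, inc.;ou=techpubs"))
    print(match_subject_alt_name("joe.pub@sonicwall.com", "@SonicWall.com"))
    # A plain suffix filter is broader than it looks:
    print(match_subject_alt_name("evilsv.us.sonicwall.com", "sv.us.SonicWall.com"))
```

Two things the checks make visible. A filter without wildcards is a pure suffix match, so the Domain ID filter sv.us.SonicWall.com also admits a certificate for evilsv.us.SonicWall.com; write *.sv.us.SonicWall.com (or start the filter with a dot) when you mean that subdomain only. And the filter only narrows which identities from an already trusted issuer are accepted; it is not a substitute for Allow Only Peer Certificates Signed by Gateway Issuer in step 7.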
9. In the IKE (Phase 1) section, select the following settings:
a. For DH Group, select Group 1, Group 2 (default), Group 5, or Group 14. Groups 1, 2, and 5 are 768-, 1024-, and 1536-bit MODP; prefer Group 14 (2048-bit) unless a legacy client requires a smaller group. NOTE: The Windows XP L2TP client only works with DH Group 2.
b. For Encryption, select DES, 3DES (default), AES-128, AES-192, or AES-256.
c. For Authentication, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.
d. In the Life Time (seconds) field, enter a value. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
10. In the IPsec (Phase 2) section, select the following settings:
a. For Protocol, select ESP (default).
b. For Encryption, select 3DES (default), AES-128, AES-192, or AES-256.
c. For Authentication, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.
d. Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
e. Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
11. Click Advanced.
12. Select any of the following optional settings that you want to apply to your GroupVPN Policy:
Disable IPsec Anti-Replay
Anti-Replay is a form of partial sequence integrity and it detects arrival of duplicated IP datagrams (within a constrained window).
Enable Multicast
Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
Accept Multiple Proposals from Clients
Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal or the IKE (Phase 2) Proposal, to be accepted.
Enable IKE Mode Configuration
Allows SonicOS to assign internal IP address, DNS Server or WINS Server to Third-Party Clients like iOS devices or Avaya IP Phones.
Management via this SA
If using the VPN policy to manage the firewall, select one or more management methods, HTTP, SSH, or HTTPS.
NOTE: SSH is valid for IPv4 only.
Default Gateway
Used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA checkbox. Default LAN Gateway allows you to specify the IP address of the default LAN route for incoming IPsec packets for this SA.
Incoming packets are decoded by the firewall and compared to static routes configured in the firewall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPsec tunnel, the firewall looks up a route for the LAN. If no route is found, the firewall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
Enable OCSP Checking and OCSP Responder URL
Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status.
Require Authentication of VPN Clients via XAUTH
Requires that all inbound traffic on this VPN policy is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
User group for XAUTH users
Allows you to select a defined user group for authentication.
Allow Unauthenticated VPN Client Access
Allows you to specify network segments for unauthenticated Global VPN Client access.
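The route lookup that the Default Gateway description above walks through (decrypt, look for a LAN route, fall back to the Default LAN Gateway, otherwise drop) decides which decrypted packets from a remote site that routes all its Internet traffic through the SA actually get forwarded. The following Python is an added illustration written for this guide, not SonicOS code; the static route table, the Default LAN Gateway address and the packet destinations are constructed sample values.

```python
import ipaddress

# Constructed sample static routes, as an administrator might have on the
# central-site firewall (assumed values, not taken from any real device).
STATIC_ROUTES = {
    ipaddress.ip_network("10.10.0.0/16"): "10.10.0.254",     # LAN core router
    ipaddress.ip_network("10.10.5.0/24"): "10.10.5.1",       # more specific /24
    ipaddress.ip_network("192.168.50.0/24"): "192.168.50.1",
}


def lookup_route(dst, routes=STATIC_ROUTES, default_lan_gateway=None):
    """Decide where a decrypted IPsec packet goes.

    Longest-prefix match over the static routes first; if nothing matches,
    use the Default LAN Gateway when one is configured; otherwise the packet
    is dropped (returned as None), which is the behaviour the guide describes.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in routes.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_hop is not None:
        return best_hop
    return default_lan_gateway  # None when no Default LAN Gateway is set


def route_decrypted(destinations, default_lan_gateway=None):
    """Return (forwarded, dropped) lists for a batch of decrypted packets,
    so an administrator can see which destinations need a static route or a
    Default LAN Gateway before the remote site enables 'Route all Internet
    traffic through this SA'."""
    forwarded, dropped = [], []
    for dst in destinations:
        hop = lookup_route(dst, default_lan_gateway=default_lan_gateway)
        (dropped if hop is None else forwarded).append((dst, hop))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample destinations seen after decryption.
    sample = ["10.10.5.7", "10.10.9.1", "192.168.50.20", "203.0.113.9"]
    print(route_decrypted(sample))                                   # 203.0.113.9 dropped
    print(route_decrypted(sample, default_lan_gateway="10.10.0.1"))  # nothing dropped
```

Without a Default LAN Gateway, any destination the static routes do not cover is silently dropped after decryption, which is the usual cause of "the tunnel is up but Internet-bound traffic from the branch goes nowhere" reports.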
13. Click Client.
14. Select any of the following boxes that you want to apply to Global VPN
Client provisioning:
Cache XAUTH User Name and Password
Allows the Global VPN Client to cache the user name and password:
- Choose Never to prohibit the Global VPN Client from caching the username and password. The user is prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey.
- Choose Single Session to prompt the user for username and password each time the connection is enabled, which is valid until the connection is disabled. This username and password is used through IKE phase 1 rekey.
- Choose Always to prompt the user for username and password only once when the connection is enabled. When prompted, the user is given the option of caching the username and password.
Virtual Adapter Settings
The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent
upon a DHCP server, either the internal SonicOS or a specified external DHCP
server, to allocate addresses to the Virtual Adapter.
In instances where predictable addressing is a requirement, obtain the MAC address of the Virtual Adapter and create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, configure the GroupVPN to accept static addressing of the Virtual Adapter’s IP configuration. This feature requires the use of SonicWall GVC.
- Choose None to not use the Virtual Adapter for this GroupVPN connection.
- Choose DHCP Lease to have the Virtual Adapter obtain its IP configuration from the DHCP Server only, as configured in the VPN > DHCP over VPN page.
- Choose DHCP Lease or Manual Configuration to have the policy from the firewall instruct the GVC to use a Virtual Adapter when it connects, while DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, IP address assignment for the Virtual Adapter currently has no limitations; only duplicate static addresses are not permitted.
Allow Connections to
Client network traffic that matches the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. Select one of the following options:
- This Gateway Only allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
- All Secured Gateways allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected without Set Default Route as this Gateway, the Internet traffic is blocked.
NOTE: Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
- Split Tunnels allows the VPN user to have both local Internet connectivity and VPN connectivity. This is the default.
Set Default Route as this Gateway
Enable this checkbox if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
Apply VPN Access Control List
Enable this option to control client connections with an access control list.
Use Default Key for Simple Client Provisioning
Uses Aggressive mode for the initial exchange with the gateway, and VPN clients use a default Preshared Key for authentication.
15. Click Ok.
16. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.
Downloading a GroupVPN Client Policy
You can provide a file to your end users that contains configuration settings
for their Global VPN clients. Simply download the GroupVPN client policy from
the firewall.
IMPORTANT: The GroupVPN SA (Secure Association) must be enabled on the
firewall to download a configuration file.
To download the Global VPN Client configuration settings:
1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
2. Be sure the policy you want to export is enabled.
3. Click the Download icon in the Configure column for the GroupVPN entry in the VPN Policies table.
The rcf format, which is required for SonicWall Global VPN Clients, is the default. Files saved in the rcf format can be password encrypted. The firewall provides a default file name for the configuration file, which you can change.
4. Click Yes.
5. In the drop-down menu for Select the client Access Network(s) you wish to export, select VPN Access Network.
6. Type a password in the Password field and reenter it in the Confirm Password field, if you want to encrypt the exported file. If you choose not to enter a password, the exported file is not encrypted.
7. Click Submit. If you did not enter a password, a message appears confirming your choice.
8. Click Ok. You can change the configuration file before saving.
9. Save the file.
10. Click Close.
The file can be saved or sent electronically to remote users to configure
their Global VPN Clients.
Creating Site to Site VPN Policies
A site to site VPN allows offices in multiple locations to establish secure
connections with each other over a public network. It extends the company’s
network, making computer resources from one location available to employees at
other locations. You can create or modify existing site to site VPN policies.
To add a policy, click +Add in the VPN Policies table; to modify an existing
policy click the Edit icon for that policy. The following options can be set
up when configuring a site to site VPN:
- Configuring with a Preshared Secret Key
- Configuring with a Manual Key
- Configuring with a Third-Party Certificate
- SonicWall Auto Provisioning Client or SonicWall Auto Provisioning Server. For information about these options, see VPN Auto Provisioning.
This section also contains information on how to configure the remote SonicWall firewall and how to configure a static route to act as a failover in case of VPN tunnel failure.
- Configuring the Remote Network Security Appliance
- Configuring VPN Failover to a Static Route
NOTE: Informational videos with site to site VPN configuration examples are available online. For example, see How to Create a Site to Site VPN in Main Mode using Preshared Secret or How to Create Aggressive Mode Site to Site VPN using Preshared Secret. Additional videos are available at: https://www.sonicwall.com/support/video-tutorials.
Configuring with a Preshared Secret Key
To configure a VPN Policy using Internet Key Exchange (IKE) with a preshared secret key:
1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
2. Click +Add to create a new policy or click the Edit icon if you are updating an existing policy.
3. From Policy Type on the General screen, select Site to Site.
4. From Authentication Method, select IKE using Preshared Secret.
5. Enter a name for the policy in the Name field.
6. Enter the host name or IP address of the remote connection in the IPsec Primary Gateway Name or Address field.
7. If the Remote VPN device supports more than one endpoint, enter a second host name or IP address of the remote connection in the IPsec Secondary Gateway Name or Address field (optional).
8. In the IKE Authentication section, in the Shared Secret and Confirm Shared Secret fields, enter a Shared Secret password. This is used to set up the SA (Security Association). The Shared Secret password must be at least four characters long, and should include both numbers and letters.
9. To see the shared secret key in both fields, clear the checkbox for Mask Shared Secret. By default, Mask Shared Secret is selected, which causes the shared secret key to be displayed as black circles.
10. Optionally, specify a Local IKE ID and Peer IKE ID for this Policy. You can select from the following IDs from the drop-down menu:
- IPv4 Address
- Domain Name
- E-mail Address
- Firewall Identifier
- Key Identifier
By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the firewall Identifier (ID_USER_FQDN) is used for Aggressive Mode.
11. Enter the address, name, or ID in the Local IKE ID and Peer IKE ID
fields.
12. Click Network.
13. Under Local Networks, select one of the following:
Choose local network from list
Select a local network from the drop-down menu if a specific network can access the VPN tunnel.
Any address
Use this option if traffic can originate from any local network or if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
NOTE: DHCP over VPN is not supported with IKEv2.
14. Under Remote Networks, select one of the following:
Use this VPN Tunnel as default route for all Internet traffic
Select this option if traffic from any local user cannot leave the firewall unless it is encrypted.
NOTE: You can only configure one SA to use this setting.
Destination network obtains IP addresses using DHCP through this VPN Tunnel
Select this option if the remote network requests IP addresses from a DHCP Server in the local network.
NOTE: This option is only available if Main Mode or Aggressive Mode is selected on the Proposals tab.
Choose Destination network from list
Select a remote network from the drop-down menu.
Use IKEv2 IP Pool
Select this option to support IKEv2 Config Payload.
NOTE: This option is only available if IKEv2 Mode is selected on the Proposals tab.
15. Click Proposals.
16. Under IKE (Phase 1) Proposal, choose one of the following options from the Exchange drop-down menu:
Main Mode
Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
Aggressive Mode
Generally used when WAN addressing is dynamically assigned. Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
IKEv2 Mode
Causes all negotiation to happen through IKEv2 protocols, rather than using IKEv1 phase 1.
NOTE: If you select IKEv2 Mode, both ends of the VPN tunnel must use IKEv2. When selected, the DH Group, Encryption, and Authentication fields are dimmed and cannot be defined.
17. Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.
NOTE: If IKEv2 Mode is selected for the Exchange field, the DH Group, Encryption, and Authentication fields are dimmed and no selection can be made for those options.
NOTE: Be sure the Phase 1 values on the opposite side of the tunnel are configured to match.
a. For the DH Group, when in Main Mode or Aggressive Mode, you can select from several Diffie-Hellman exchanges:
Diffie-Hellman Groups Included in Suite B Cryptography: 256-bit Random ECP Group, 384-bit Random ECP Group, 521-bit Random ECP Group, 192-bit Random ECP Group, 224-bit Random ECP Group
Other Diffie-Hellman Options: Group 1, Group 2, Group 5, Group 14
b. For the Encryption field, if Main Mode or Aggressive Mode was selected,
choose 3DES, DES, AES-128 (default), AES-192, or AES-256 from the drop-down
menu.
c. For the Authentication field, if Main Mode or Aggressive Mode was selected,
choose SHA-1 (default), MD5, SHA256, SHA384, or SHA512 for enhanced
authentication security.
d. For all Exchange modes, enter a value for Life Time (seconds). The default
setting of 28800 forces the tunnel to renegotiate and exchange keys every 8
hours.
1. Set the options in the IPsec (Phase 2) Proposal section. The default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, and Life Time (seconds) are acceptable for most VPN SA configurations.
NOTE: Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.
- If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography:
Suite B Cryptography Options: AESGCM16-128, AESGCM16-192, AESGCM16-256, AESGMAC-128, AESGMAC-192, AESGMAC-256
Other Options: DES, 3DES, AES-128, AES-192, AES-256, None
- If you selected AH in the Protocol field, the Encryption field is dimmed and you cannot select any options.
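Both the GroupVPN procedure (steps 9 and 10) and the site to site procedure above repeat the same requirement: the Phase 1 and Phase 2 values on the two ends of the tunnel must match, and in IKEv2 Mode the DH Group, Encryption and Authentication fields are not set at all. The following Python is an added example for this guide, not SonicOS code, that compares the two ends' proposals the way a pre-change review would and separately lists algorithm choices an auditor would want called out. The Phase1/Phase2 records, the LEGACY set and the sample values are this example's own constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1:
    exchange: str        # "Main Mode", "Aggressive Mode" or "IKEv2 Mode"
    dh_group: str        # e.g. "Group 2", "Group 14", "256-bit Random ECP Group"
    encryption: str      # e.g. "AES-128"
    authentication: str  # e.g. "SHA-1"
    lifetime: int        # Life Time (seconds)


@dataclass(frozen=True)
class Phase2:
    protocol: str        # "ESP" or "AH"
    encryption: str      # e.g. "AES-128"; not applicable for AH (field is dimmed)
    authentication: str
    pfs: bool            # Enable Perfect Forward Secrecy
    lifetime: int


# Author's assessment for this example, not a SonicOS setting: legacy
# choices an auditor would want flagged even when both ends agree on them.
LEGACY = {"DES", "3DES", "MD5", "SHA-1", "SHA1", "Group 1", "Group 2", "Group 5", "None"}


def _diff(local, peer, fields, label):
    return [f"{label} {f}: local={getattr(local, f)!r} peer={getattr(peer, f)!r}"
            for f in fields if getattr(local, f) != getattr(peer, f)]


def phase1_mismatches(local, peer):
    """Phase 1 values that differ between the two ends of the tunnel."""
    if local.exchange != peer.exchange:
        # Both ends must use the same exchange; nothing else is comparable.
        return [f"phase1 exchange: local={local.exchange!r} peer={peer.exchange!r}"]
    if local.exchange == "IKEv2 Mode":
        # DH Group, Encryption and Authentication are dimmed for IKEv2 Mode,
        # so only Life Time is compared.
        return _diff(local, peer, ["lifetime"], "phase1")
    return _diff(local, peer, ["dh_group", "encryption", "authentication", "lifetime"], "phase1")


def phase2_mismatches(local, peer):
    """Phase 2 values that differ; AH carries no Encryption setting."""
    fields = ["protocol", "authentication", "pfs", "lifetime"]
    if local.protocol == "ESP" and peer.protocol == "ESP":
        fields.insert(1, "encryption")
    return _diff(local, peer, fields, "phase2")


def legacy_choices(p1, p2):
    """Algorithms in the local proposal that this audit treats as legacy,
    plus a flag when Perfect Forward Secrecy is off."""
    chosen = {p2.authentication}
    if p2.protocol == "ESP":
        chosen.add(p2.encryption)
    if p1.exchange != "IKEv2 Mode":
        chosen.update({p1.dh_group, p1.encryption, p1.authentication})
    found = sorted(chosen & LEGACY)
    if not p2.pfs:
        found.append("PFS disabled")
    return found


def audit(local_p1, local_p2, peer_p1, peer_p2):
    return {
        "mismatches": phase1_mismatches(local_p1, peer_p1) + phase2_mismatches(local_p2, peer_p2),
        "legacy": legacy_choices(local_p1, local_p2),
    }


if __name__ == "__main__":
    # Constructed sample: local side left at the guide's defaults, peer side hardened.
    local_p1 = Phase1("Main Mode", "Group 2", "AES-128", "SHA-1", 28800)
    local_p2 = Phase2("ESP", "AES-128", "SHA-1", False, 28800)
    peer_p1 = Phase1("Main Mode", "Group 14", "AES-256", "SHA256", 28800)
    peer_p2 = Phase2("ESP", "AES-256", "SHA256", True, 28800)
    report = audit(local_p1, local_p2, peer_p1, peer_p2)
    print("\n".join(report["mismatches"]))
    print("legacy:", report["legacy"])
```

Run against the two sides' intended settings before committing either policy; a non-empty mismatch list means the tunnel will fail Phase 1 or Phase 2 negotiation, while the legacy list is a separate prompt to move both ends off the older defaults together.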
18. Click Advanced.
19. Select any of the optional settings you want to apply to your VPN policy.
The options change depending on options you selected in the Proposals screen.
Options
Each option is listed with its behavior in Main Mode or Aggressive Mode (see figure Advanced Settings for Main and Aggressive Modes below) and in IKEv2 Mode (see figure Advanced Settings for IKEv2 Mode below).
Advanced Settings
Enable Keep Alive
Main Mode or Aggressive Mode: Select to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using a keep-alive heartbeat allows automatic renegotiation of the tunnel after both sides are available again without having to wait for the proposed Life Time to expire. NOTE: The Keep Alive option is disabled when the VPN policy is configured as a central gateway for DHCP over VPN or with a primary gateway name or address 0.0.0.0.
IKEv2 Mode: Cannot be selected for IKEv2 mode.
Suppress automatic Access Rules creation for VPN Policy
Both modes: When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information.
Disable IPsec Anti-Replay
Both modes: Anti-replay is a form of partial sequence integrity and it detects arrival of duplicate IP datagrams (within a constrained window).
Require authentication of VPN clients by XAUTH
Main Mode or Aggressive Mode: Requires that all inbound traffic on this VPN policy is from a user authenticated by XAUTH/RADIUS. Unauthenticated traffic is not allowed on the VPN tunnel.
IKEv2 Mode: Not available in IKEv2 Mode.
Enable Windows Networking (NetBIOS) Broadcast
Both modes: Select to allow access to remote network resources by browsing the Windows Network Neighborhood.
Enable Multicast
Both modes: Select to allow multicasting traffic, such as streaming audio (including VoIP) and video application, to pass through the VPN tunnel.
WXA Group
Both modes: Select None (default) or Group One.
Display Suite B Compliant Algorithms Only
Both modes: Select if you want to show only the Suite B compliant algorithms.
Apply NAT Policies
Both modes: Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two dropdown menus.
NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
Management via this SA
Both modes: Select any of HTTPS, SSH, or SNMP for this option to manage the local SonicWall firewall through the VPN tunnel.
User login via this SA
Both modes: Select HTTP, HTTPS, or both to allow users to login using the SA. HTTP user login is not allowed with remote authentication.
Default LAN Gateway (optional)
Both modes: If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network screen, under Remote Networks) enter the router address.
VPN Policy bound to
Both modes: Select an interface or zone from the drop-down menu. Zone WAN is the preferred setting if you are using WAN load balancing and you want the VPN to use either WAN interface. Important: Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.
Preempt Secondary Gateway
Both modes: To preempt a second gateway after a specified time, select this checkbox and configure the desired time in the Primary Gateway Detection Interval (seconds) option. The default time is 28800 seconds, or 8 hours.
IKEv2 Settings
Do not send trigger packet during IKE SA negotiation
Main Mode or Aggressive Mode: Not available in Main or Aggressive modes.
IKEv2 Mode: Is not selected (default). Should only be selected when required for interoperability if the peer cannot handle trigger packets. The recommended practice is to include trigger packets to help the IKEv2 Responder select the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it might be appropriate to disable the inclusion of trigger packets to some IKE peers.
Accept Hash & URL Certificate Type
Main Mode or Aggressive Mode: Not available in Main or Aggressive modes.
IKEv2 Mode: Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, sends a message to the peer device saying that HTTP certification look-up is supported.
Send Hash & URL Certificate Type
Main Mode or Aggressive Mode: Not available in Main or Aggressive modes.
IKEv2 Mode: Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, responds to the message from the peer device and confirms HTTP certification look-up is supported.
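The Disable IPsec Anti-Replay option appears in both the GroupVPN advanced settings (step 12) and the table above, each time with the same one-line description: partial sequence integrity that detects duplicate IP datagrams within a constrained window. The following Python is an added illustration for this guide, not SonicOS code, of what that window does to a stream of ESP sequence numbers, and of what is lost when the check is disabled. The 64-packet window size is an assumption (the guide gives no size; it is the default that RFC 4303 section 3.4.3 recommends), and the sequence numbers are a constructed sample.

```python
class AntiReplayWindow:
    """Sliding-window check for ESP sequence numbers.

    Models the 'partial sequence integrity' the guide describes: a received
    sequence number is accepted only if it is new and not older than the
    window; duplicates and packets that fell behind the window are rejected.
    The bitmap layout follows the scheme in RFC 4303 section 3.4.3.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set => sequence number (top - i) was received

    def accept(self, seq):
        """Return True and record seq if it passes the check, else False."""
        if seq <= 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything older falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                      # duplicate inside the window
        self.bitmap |= 1 << diff              # late but genuine: record it
        return True


def filter_sequence(seqs, anti_replay=True, size=64):
    """Apply the check to a list of sequence numbers and return the ones that
    would be delivered.  With anti_replay=False (the 'Disable IPsec
    Anti-Replay' setting) every packet, duplicates included, is delivered."""
    if not anti_replay:
        return list(seqs)
    window = AntiReplayWindow(size)
    return [s for s in seqs if window.accept(s)]


if __name__ == "__main__":
    # Constructed sample: in-order packets, one repeated packet, a jump far
    # ahead, a packet that is now too old, then a late but genuine packet
    # followed by a repeat of it.
    sample = [1, 2, 3, 2, 100, 30, 40, 40]
    print(filter_sequence(sample))                     # [1, 2, 3, 100, 40]
    print(filter_sequence(sample, anti_replay=False))  # all eight delivered
```

Leaving the check enabled is the normal choice; the only reason the guide offers the disable option is for peers or paths that reorder packets so badly that genuine traffic falls outside the window, and the example shows the cost: with the check off, a repeated datagram is indistinguishable from a new one.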
20. Click OK.
21. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.
Configuring with a Manual Key
You can manually define encryption keys for establishing an IPsec VPN tunnel.
You define manual keys when you need to specify what the encryption or
authentication key is (for example, when one of the VPN peers requires a
specific key) or when you need to disable encryption and authentication.
To configure a VPN policy using Manual Key:
1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
2. Click +Add to create a new policy or click the Edit icon if you are updating an existing policy.
3. In the Authentication Method field, select Manual Key from the drop-down menu. The window shows only the Manual Key options.
4. Enter a name for the policy in the Name field.
5. Enter the host name or IP address of the remote connection in the IPsec Gateway Name or Address field.
6. Click Network.
7. Under Local Networks, select one of these options:
- If a specific local network can access the VPN tunnel, select that local network from the Choose local network from list drop-down menu.
- If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
8. Under Destination Networks, select one of these:
- If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic. NOTE: You can only configure one SA to use this setting.
- Alternatively, select Choose Destination network from list, and select the address object or group.
9. Click Proposals.
10. Define an Incoming SPI and an Outgoing SPI. A Security Parameter Index (SPI) is hexadecimal and can range from 3 to 8 characters in length.
IMPORTANT: Each Security Association (SA) must have unique SPIs; no two SAs can share the same SPIs. However, each SA Incoming SPI can be the same as the Outgoing SPI.
11. The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA configurations; otherwise, select values from the drop-down menu.
NOTE: The values for Protocol, Encryption, and Authentication must match the values on the remote firewall.
- If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography: DES, 3DES, AES-128 (default), AES-192, AES-256, None.
- If you selected AH in the Protocol field, the Encryption field is grayed out, and you cannot select any options.
12. In the Encryption Key field, enter a 48-character hexadecimal encryption
key or use the default value. This encryption key is used to configure the
remote SonicWall encryption key, so write it down to use when configuring the
remote firewall.
TIP: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b,
c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour
encryption key. If you enter an incorrect encryption or authentication key, an
error message is displayed at the bottom of the browser window.
13. In the Authentication Key field, enter a 40-character hexadecimal
authentication key or use the default value. Write down the key to use while
configuring the firewall settings.
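Steps 10 through 13 give the constraints a manual-key policy has to satisfy before it can be saved: SPIs are hexadecimal and 3 to 8 characters, no two SAs may share an SPI (though one SA may use the same value for incoming and outgoing), the encryption key is 48 hexadecimal characters and the authentication key is 40. The following Python is an added example for this guide, not SonicOS code, that checks a set of planned policies against those rules and generates fresh keys of the right length from the OS random source rather than accepting the form's default values. Policy names, SPIs and the dictionary layout are this example's own constructions.

```python
import re
import secrets

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
ENC_KEY_HEX_CHARS = 48    # Encryption Key length from step 12 (48 hex chars = 192 bits)
AUTH_KEY_HEX_CHARS = 40   # Authentication Key length from step 13 (40 hex chars = 160 bits)


def is_valid_spi(spi):
    """Security Parameter Index: hexadecimal, 3 to 8 characters (step 10)."""
    return bool(HEX_RE.match(spi)) and 3 <= len(spi) <= 8


def is_valid_key(key, hex_chars):
    """Key material: hexadecimal and exactly the required length."""
    return bool(HEX_RE.match(key)) and len(key) == hex_chars


def generate_keys():
    """Fresh random keys from the OS CSPRNG in the lengths the form expects,
    to be copied to the remote firewall as steps 12 and 13 instruct."""
    return {
        "encryption_key": secrets.token_hex(ENC_KEY_HEX_CHARS // 2),
        "authentication_key": secrets.token_hex(AUTH_KEY_HEX_CHARS // 2),
    }


def validate_manual_policies(policies):
    """Check a set of manual-key VPN policies before they are committed.

    Per policy: SPI format and key lengths.  Across policies: no two SAs may
    share an SPI (the IMPORTANT note under step 10), while one SA may reuse
    its own incoming SPI as its outgoing SPI.  Returns a list of error
    strings; an empty list means the set is consistent.
    """
    errors = []
    owners = {}   # normalised SPI -> name of the first policy that claimed it
    for p in policies:
        name = p["name"]
        for field in ("incoming_spi", "outgoing_spi"):
            spi = p[field]
            if not is_valid_spi(spi):
                errors.append(f"{name}: {field} {spi!r} is not 3-8 hexadecimal characters")
                continue
            owner = owners.setdefault(spi.lower(), name)
            if owner != name:
                errors.append(f"{name}: SPI {spi} is already used by policy {owner}")
        if not is_valid_key(p["encryption_key"], ENC_KEY_HEX_CHARS):
            errors.append(f"{name}: encryption key must be {ENC_KEY_HEX_CHARS} hex characters")
        if not is_valid_key(p["authentication_key"], AUTH_KEY_HEX_CHARS):
            errors.append(f"{name}: authentication key must be {AUTH_KEY_HEX_CHARS} hex characters")
    return errors


if __name__ == "__main__":
    # Constructed sample policies (names and SPIs are made up; keys are random).
    good = {"name": "branch-a", "incoming_spi": "1a2b3c", "outgoing_spi": "1a2b3c", **generate_keys()}
    clash = {"name": "branch-b", "incoming_spi": "1A2B3C", "outgoing_spi": "zz", **generate_keys()}
    for err in validate_manual_policies([good, clash]):
        print(err)
```

The SPI comparison is case-insensitive on purpose: the form accepts either case for hexadecimal digits, and an SPI that differs from another only in case is the same 32-bit value on the wire.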
14. Click Advanced.
15. Select any of the following optional settings you want to apply to your VPN policy.
Suppress automatic Access Rules creation for VPN Policy
When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information.
Enable Windows Networking (NetBIOS) Broadcast
Select to allow access to remote network resources by browsing the Windows Network Neighborhood.
WXA Group
Select None (default) or Group One.
Apply NAT Policies
Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus.
NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
TIP: Informational videos with interface configuration examples are available online. For example, see How to Configure NAT over VPN in a Site to Site VPN with Overlapping Networks. Additional videos are available at: https://www.sonicwall.com/support/video-tutorials.
Management via this SA
Select HTTPS, SSH, SNMP or any combination of these three to manage the local SonicWall firewall through the VPN tunnel.
User login via this SA
Select HTTP, HTTPS, or both to allow users to log in using the SA.
NOTE: HTTP user login is not allowed with remote authentication.
Default LAN Gateway (optional)
If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network screen under Remote Networks) enter the router address.
VPN Policy bound to
Select an interface or zone from the drop-down menu.
IMPORTANT: Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.
16. Click OK.
17. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.
Configuring with a Third-Party Certificate
NOTE: You must have a valid certificate from a third-party certificate
authority installed on your SonicWall firewall before you can configure your
VPN policy using a third-party IKE certificate.
With SonicWall firewalls, you can opt to use third-party certificates for
authentication instead of the SonicWall Authentication Service. Using
certificates from a third-party provider or using local certificates is a more
manual process; therefore, experience with implementing Public Key
Infrastructure (PKI) is necessary to understand the key components of digital
certificates.
SonicWall supports the following two certificate providers:
- VeriSign
- Entrust
To create a VPN SA using IKE and third-party certificates:
1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
2. Click +Add to create a new policy or click the Edit icon if you are updating an existing policy.
3. In the Authentication Method field, select IKE using 3rd Party Certificates. The VPN Policy window displays the third-party certificate options in the IKE Authentication section.
4. Type a name for the Security Association in the Name field.
5. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWall in the IPsec Primary Gateway Name or Address field.
6. If you have a secondary remote SonicWall, enter the IP address or Fully Qualified Domain Name (FQDN) in the IPsec Secondary Gateway Name or Address field.
7. Under IKE Authentication, select a third-party certificate from the Local Certificate list. You must have imported local certificates before selecting this option.
8. For Local IKE ID Type, the default is Default ID from Certificate. Or, choose one of the following:
- Distinguished Name (DN)
- Email ID (UserFQDN)
- Domain Name (FQDN)
- IP Address (IPV4)
These alternate selections are the same as those for Peer IKE ID Type, described in the next step.
9. From the Peer IKE ID Type drop-down menu, select one of the following Peer ID types:
Default ID from Certificate
Authentication is taken from the default ID on the certificate.
Distinguished Name (DN)
Authentication is based on the certificate’s Subject Distinguished Name field, which is contained in all certificates by default. The entire Distinguished Name field must be entered for site to site VPNs. Wild card characters are not supported. The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), Locality (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub.
Email ID (UserFQDN)
Authentication based on the Email ID (UserFQDN) type uses the certificate’s Subject Alternative Name field, which is not contained in all certificates by default. If the certificate contains a Subject Alternative Name, that value must be used. For site to site VPNs, wild card characters cannot be used. The full value of the Email ID must be entered. This is because site to site VPNs are expected to connect to a single peer, whereas Group VPNs expect to connect to multiple peers.
Domain Name (FQDN)
Authentication based on the Domain Name (FQDN) type uses the certificate’s Subject Alternative Name field, which is not contained in all certificates by default. If the certificate contains a Subject Alternative Name, that value must be used. For site to site VPNs, wild card characters cannot be used. The full value of the Domain Name must be entered because site to site VPNs are expected to connect to a single peer, whereas Group VPNs expect to connect to multiple peers.
IP Address (IPV4)
Based on the IPv4 IP address.
NOTE: To find the certificate details (Subject Alternative Name, Distinguished Name, and so on), navigate to the DEVICE | Settings > Certificates page.
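The matching rules the table above states for a site to site policy (the whole DN in slash-separated form, the complete Subject Alternative Name value, no wildcards), as an added Python example that is not SonicOS code; attribute-name normalisation and the case handling for FQDNs are this example's assumptions.

```python
"""Peer IKE ID comparison for a site to site policy (added example, not SonicOS code)."""
import ipaddress
from typing import List, Tuple


def parse_slash_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a Subject DN written in the guide's string form, e.g.
    '/C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub', into ordered
    (attribute, value) pairs. The slash is the separator, so a value may
    contain commas or spaces but not a slash."""
    if not dn.startswith("/"):
        raise ValueError("DN string must start with '/'")
    pairs = []
    for rdn in dn[1:].split("/"):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Attribute types are compared case-insensitively (assumption).
        pairs.append((attr.strip().upper(), value))
    return pairs


def peer_id_matches(id_type: str, configured: str, presented: str) -> bool:
    """True when the ID presented in the peer's certificate matches the
    configured Peer IKE ID. A site to site policy connects to a single
    peer, so the full value is required and wildcards are rejected."""
    if "*" in configured:
        raise ValueError("wildcards are not supported for site to site peer IDs")
    if id_type == "DN":
        # Every RDN must be present, in order, with exactly the same value;
        # a partial DN such as '/C=US/O=SonicWall, Inc.' does not match.
        return parse_slash_dn(configured) == parse_slash_dn(presented)
    if id_type == "UserFQDN":
        # Email ID from the Subject Alternative Name, compared exactly (assumption).
        return configured == presented
    if id_type == "FQDN":
        # DNS names are case-insensitive; a trailing dot is ignored (assumption).
        return configured.rstrip(".").lower() == presented.rstrip(".").lower()
    if id_type == "IPV4":
        return ipaddress.IPv4Address(configured) == ipaddress.IPv4Address(presented)
    raise ValueError(f"unknown Peer IKE ID type: {id_type}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    full_dn = "/C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub"
    print(peer_id_matches("DN", full_dn, full_dn))                    # True
    print(peer_id_matches("DN", "/C=US/O=SonicWall, Inc.", full_dn))  # False
```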
10. Type an ID string in the Peer IKE ID field.
11. Click Network.
12. Under Local Networks, select one of these options:
- Select a local network from the Choose local network from list drop-down menu if a specific local network can access the VPN tunnel.
- Select Any Address if traffic can originate from any local network. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
13. Under Remote Networks, select one of these options:
- Select Use this VPN Tunnel as default route for all Internet traffic if traffic from any local user cannot leave the firewall unless it is encrypted. NOTE: You can only configure one SA to use this setting.
- Alternatively, select Choose Destination network from list, and select the address object or group from the drop-down menu.
- Select Use IKEv2 IP Pool if you want to support IKEv2 Config payload, and select the address object or IP Pool Network from the drop-down menu.
14. Click Proposals.
15. In the IKE (Phase 1) Proposal section, select one of the following Exchange modes:
- Main Mode: Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
- Aggressive Mode: Generally used when WAN addressing is dynamically assigned. Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
- IKEv2 Mode: Causes all negotiation to happen through IKEv2 protocols, rather than using IKEv1 phases. NOTE: If you select IKEv2 Mode, both ends of the VPN tunnel must use IKEv2. When selected, the DH Group, Encryption, and Authentication fields are dimmed and cannot be defined.
16. Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.
NOTE: If IKEv2 Mode is selected for the Exchange field, the DH Group, Encryption, and Authentication fields are dimmed and no selection can be made for those options.
NOTE: Be sure the Phase 1 values on the opposite side of the tunnel are configured to match.
a. For the DH Group, when in Main Mode or Aggressive Mode, you can select from several Diffie-Hellman exchanges:
- Diffie-Hellman Groups Included in Suite B Cryptography: 256-bit Random ECP Group, 384-bit Random ECP Group, 521-bit Random ECP Group, 192-bit Random ECP Group, 224-bit Random ECP Group
- Other Diffie-Hellman Options: Group 1, Group 2, Group 5, Group 14
b. For the Encryption field, if Main Mode or Aggressive Mode was selected, choose DES, 3DES, AES-128 (default), AES-192, or AES-256 from the drop-down menu.
c. For the Authentication field, if Main Mode or Aggressive Mode was selected, choose MD5, SHA-1 (default), SHA256, SHA384, or SHA512 for enhanced authentication security.
17. For all Exchange modes, enter a value for Life Time (seconds). The
default setting of 28800 forces the tunnel to renegotiate and exchange keys
every 8 hours.
18. Set the options in the IPsec (Phase 2) Proposal section. The default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, and Life Time (seconds) are acceptable for most VPN SA configurations.
NOTE: Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.
a. Select the desired protocol for Protocol. If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography, or from the other options:
- Suite B Cryptography Options: AESGCM16-128, AESGCM16-192, AESGCM16-256, AESGMAC-128, AESGMAC-192, AESGMAC-256
- Other Options: DES, 3DES, AES-128, AES-192, AES-256, None
If you selected AH in the Protocol field, the Encryption field is dimmed and you cannot select any options.
b. For Authentication, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.
c. Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security, and select Group 2 from the DH Group menu.
d. Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
19. Click Advanced.
20. Select any configuration options you want to apply to your VPN policy:
ADVANCED SETTINGS
The following options apply in Main Mode or Aggressive Mode and in IKEv2 Mode alike unless a difference is noted.
- Enable Keep Alive: Select to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using a keep-alive heartbeat allows automatic renegotiation of the tunnel after both sides are available again without having to wait for the proposed Life Time to expire. Cannot be selected for IKEv2 Mode.
  NOTE: The Keep Alive option is disabled when the VPN policy is configured as a central gateway for DHCP over VPN or with a primary gateway name or address 0.0.0.0.
- Suppress automatic Access Rules creation for VPN Policy: When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information.
- Disable IPsec Anti-Replay: Anti-replay is a form of partial sequence integrity; it detects the arrival of duplicate IP datagrams (within a constrained window).
- Require authentication of VPN clients by XAUTH: Requires that all inbound traffic on this VPN policy is from a user authenticated by XAUTH/RADIUS. Unauthenticated traffic is not allowed on the VPN tunnel. Not available in IKEv2 Mode.
- Enable Windows Networking (NetBIOS) Broadcast: Select to allow access to remote network resources by browsing the Windows Network Neighborhood.
- Enable Multicast: Select to allow multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
- WXA Group: Select None (default) or Group One.
- Display Suite B Compliant Algorithms Only: Select if you want to show only the Suite B compliant algorithms.
- Apply NAT Policies: Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus.
  NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
- Enable OCSP Checking: Select if you want to check VPN certificate status, and provide the OCSP Responder URL in the field provided.
- Management via this SA: Select HTTPS, SSH, SNMP or any combination of these three to manage the local SonicWall firewall through the VPN tunnel.
- User login via this SA: Select HTTP, HTTPS, or both to allow users to log in using the SA.
  NOTE: HTTP user login is not allowed with remote authentication.
- Default LAN Gateway (optional): If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network view of this page, under Remote Networks), enter the router address.
- VPN Policy bound to: Select an interface or zone from the drop-down menu. Zone WAN is the preferred setting if you are using WAN load balancing and you want the VPN to use either WAN interface.
  IMPORTANT: Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.
- Preempt Secondary Gateway: To preempt a second gateway after a specified time, select this checkbox and configure the desired time in the Primary Gateway Detection Interval (seconds) option. The default time is 28800 seconds, or 8 hours.
IKEv2 Settings (not available in Main or Aggressive Modes):
- Do not send trigger packet during IKE SA negotiation: Not selected (default). Should only be selected when required for interoperability if the peer cannot handle trigger packets. The recommended practice is to include trigger packets to help the IKEv2 Responder select the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it might be appropriate to disable the inclusion of trigger packets to some IKE peers.
- Accept Hash & URL Certificate Type: Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, sends a message to the peer device saying that HTTP certificate look-up is supported.
- Send Hash & URL Certificate Type: Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, responds to the message from the peer device and confirms HTTP certificate look-up is supported.
21. Click OK.
22. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to
update the VPN Policies.
Configuring the Remote SonicWall Network Security Appliance
1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
2. Click +Add. The VPN Policy dialog displays.
3. On the General screen, select Manual Key from the Authentication Method drop-down menu.
4. Enter a name for the appliance in the Name field.
5. Enter the host name or IP address of the local connection in the IPsec Gateway Name or Address field.
6. Click Network.
7. Under Local Networks, select one of these:
- If a specific local network can access the VPN tunnel, select a local network from the Choose local network from list drop-down menu.
- If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
8. Under Remote Networks, select one of these:
- If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic. NOTE: You can only configure one SA to use this setting.
- Alternatively, select Choose Destination network from list, and select the address object or group.
9. Click Proposals.
10. Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length. NOTE: Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, a Security Association's Incoming SPI can be the same as its Outgoing SPI.
11. The default values for Protocol, Encryption, and Authentication are
acceptable for most VPN SA configurations. NOTE: The values for Protocol,
Encryption, and Authentication must match the values on the opposite side of
the tunnel.
12. Enter a 48-character hexadecimal encryption key in the Encryption Key
field. Use the same value as used on the firewall on the opposite side of the
tunnel.
13. Enter a 40-character hexadecimal authentication key in the Authentication
Key field. Use the same value as used on the firewall on the opposite side of
the tunnel.
TIP: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window.
14. Click Advanced.
15. Select any of the following optional settings you want to apply to your VPN policy:
- The Suppress automatic Access Rules creation for VPN Policy setting is not enabled by default, to allow the VPN traffic to traverse the appropriate zones.
- Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
- For WXA Group, select None or Group One.
- Select Apply NAT Policies if you want the firewall to translate the Local, Remote or both networks communicating through this VPN tunnel. Two drop-down menus display:
  - To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
  - To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down menu.
  NOTE: Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
- To manage the remote SonicWall through the VPN tunnel, select HTTP, SSH, SNMP, or any combination of these three from Management via this SA.
- Select HTTP, HTTPS, or both in the User login via this SA to allow users to log in using the SA. NOTE: HTTP user login is not allowed with remote authentication.
- If you have an IP address for a gateway, enter it into the Default LAN Gateway (optional) field.
- Select an interface from the VPN Policy bound to menu. IMPORTANT: Two different WAN interfaces cannot be selected from the VPN Policy bound to drop-down menu if the VPN Gateway IP address is the same for both.
16. Click OK.
17. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.
TIP: If Windows Networking (NetBIOS) has been enabled, users can view remote computers in their Windows Network Neighborhood. Users can also access resources on the remote LAN by entering servers’ or workstations’ remote IP addresses.
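Pre-checks for the Manual Key parameters described in steps 10 to 13 of the remote appliance procedure above, as an added Python example that is not SonicOS code. The rules are the ones the guide states (hex SPIs of 3 to 8 characters, unique across Security Associations but shared between an SA's own incoming and outgoing side, a 48-hex-character encryption key and a 40-hex-character authentication key); the key lengths are the page's defaults and are parameters here.

```python
"""Validate the manual-key SA inputs the guide describes (added example, not SonicOS code)."""
import string
from typing import Iterable, List

HEX_DIGITS = set(string.hexdigits)


def is_hex(value: str) -> bool:
    """True for a non-empty string made only of 0-9, a-f, A-F."""
    return bool(value) and all(c in HEX_DIGITS for c in value)


def validate_spi(spi: str) -> List[str]:
    """Problems with one SPI string; an empty list means it is acceptable."""
    problems = []
    if not is_hex(spi):
        problems.append(f"SPI {spi!r} is not hexadecimal")
    if not 3 <= len(spi) <= 8:
        problems.append(f"SPI {spi!r} must be 3 to 8 hex characters long")
    return problems


def validate_manual_key_sa(incoming_spi: str, outgoing_spi: str,
                           encryption_key: str, authentication_key: str,
                           spis_in_use: Iterable[str] = (),
                           enc_key_hex_len: int = 48,
                           auth_key_hex_len: int = 40) -> List[str]:
    """Check one manual-key SA against the SPIs other SAs already use.

    spis_in_use holds SPIs assigned to other Security Associations on this
    firewall (the caller constructs it). An SA's incoming SPI may equal its
    own outgoing SPI, but no SPI may be shared with another SA. The default
    key lengths are the guide's: 48 hex characters is 24 bytes (a 3DES key),
    40 hex characters is 20 bytes (an HMAC-SHA1 key).
    """
    problems = validate_spi(incoming_spi) + validate_spi(outgoing_spi)
    used = {s.lower() for s in spis_in_use}
    for label, spi in (("incoming", incoming_spi), ("outgoing", outgoing_spi)):
        if spi.lower() in used:
            problems.append(f"{label} SPI {spi!r} is already used by another SA")
    for label, key, want in (("encryption", encryption_key, enc_key_hex_len),
                             ("authentication", authentication_key, auth_key_hex_len)):
        if not is_hex(key):
            problems.append(f"{label} key is not hexadecimal")
        elif len(key) != want:
            problems.append(f"{label} key must be {want} hex characters "
                            f"({want // 2} bytes), got {len(key)}")
    return problems


# Constructed sample keys of the guide's default lengths; never reuse them.
SAMPLE_ENC_KEY = "00112233445566778899aabbccddeeff0011223344556677"   # 48 hex chars
SAMPLE_AUTH_KEY = "0123456789abcdef0123456789abcdef01234567"           # 40 hex chars

if __name__ == "__main__":
    for p in validate_manual_key_sa("abc123", "abc123", SAMPLE_ENC_KEY,
                                    SAMPLE_AUTH_KEY, spis_in_use=["ABC123"]):
        print(p)
```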
Configuring VPN Failover to a Static Route
You can configure a static route as a secondary route in case the VPN tunnel
goes down. When defining the route policies, the Allow VPN path to take
precedence option allows you to create a secondary route for a VPN tunnel and
gives precedence to VPN traffic having the same destination address object.
This results in the following behavior:
- When a VPN tunnel is active: static routes matching the destination address object of the VPN tunnel are automatically disabled if the Allow VPN path to take precedence option is enabled. All traffic is routed over the VPN tunnel to the destination address object.
- When a VPN tunnel goes down: static routes matching the destination address object of the VPN tunnel are automatically enabled. All traffic to the destination address object is routed over the static routes.
To configure a static route as a VPN failover:
1. Navigate to POLICY | Rules and Policies > Routing Rules.
2. Click + Add.
3. Type a descriptive name for the policy into the Name field. Type up to three Tags to help you locate your policy rule. Use commas as separators.
4. Select the appropriate Source, Destination, Service, Gateway, and Interface.
5. Define Metric as 1.
6. Select Allow VPN path to take precedence.
7. Click Save.
VPN Auto Provisioning
You can configure various types of IPsec VPN policies, such as site-to-site
policies, including GroupVPN, and route-based policies. For specific details
on the setting for these kinds of policies, go to the following sections:
- Site to Site VPNs
- Tunnel Interface Route-based VPN
Topics in this section include:
- About VPN Auto Provisioning
- Configuring a VPN AP Server
- Configuring a VPN AP Client
About VPN Auto Provisioning
The SonicOS VPN Auto Provisioning feature simplifies the provisioning of site
to site VPNs between two SonicWall firewalls. This section provides conceptual
information and describes how to configure and use the VPN Auto Provisioning
feature.
- Defining VPN Auto Provisioning
- Benefits of VPN Auto Provisioning
- How VPN Auto Provisioning Works
Defining VPN Auto Provisioning
The VPN Auto Provisioning feature simplifies the VPN provisioning of SonicWall
firewalls. This is especially useful in large scale VPN deployments. In a
classic hub-and-spoke site-to-site VPN configuration, there are many complex
configuration tasks needed on the spoke side, such as configuring the Security
Association and configuring the Protected Networks. In a large deployment with
many remote gateways, or spokes, this can be a challenge. VPN Auto
Provisioning provides a simplified configuration process to eliminate many
configuration steps on the remote VPN peers.
NOTE: The Hub in a hub-and-spoke site-to-site VPN configuration can be
referred to using various names, such as Server, Hub Gateway, Primary Gateway,
Central Gateway. In the context of the VPN Auto Provisioning feature, the term
VPN AP Server is used for the Hub. Similarly, the term VPN AP Client is used
to refer to a Spoke, Client, Remote Gateway, Remote Firewall, or Peer
Firewall.
Benefits of VPN Auto Provisioning
The obvious benefit of the VPN Auto Provisioning feature is ease of use. This
is accomplished by hiding the complexity of initial configuration from the
SonicOS administrator, similar to the provisioning process of the SonicWall
Global VPN Client (GVC). When using SonicWall GVC, a user merely points the
GVC at a gateway; security and connection configuration occur automatically.
VPN Auto Provisioning provides a similar solution for provisioning site-to-
site hub-and-spoke configurations, simplifying large scale deployment to a
trivial effort. An added advantage is that after the initial VPN auto-
provisioning, policy changes can be controlled at the central gateway and
automatically updated at the spoke end. This solution is especially appealing
in Enterprise and Managed Service deployments where central management is a
top priority.
How VPN Auto Provisioning Works
There are two steps involved in VPN Auto Provisioning:
- SonicWall Auto Provisioning Server configuration for the central gateway, or VPN AP Server
- SonicWall Auto Provisioning Client configuration for the remote firewall, or VPN AP Client
Both are configured by adding a VPN policy on the NETWORK | IPSec VPN > Rules
and Settings page. In Server mode, you configure the Security Association
(SA), Protected Networks, and other configuration fields as in a classic site-
to-site VPN policy. In Client mode, limited configuration is needed. In most
cases the remote firewall administrator simply needs to configure the IP
address to connect to the peer server (central gateway), and then the VPN can
be established.
NOTE: SonicWall does not recommend configuring a single appliance as both an AP Server and an AP Client at the same time.
VPN Auto Provisioning is simple on the client side while still providing the essential elements of IP security:
- Network access control: Network access control is provided by the VPN AP Server. From the VPN AP Client perspective, destination networks are entirely under the control of the VPN AP Server administrator. However, a mechanism is provided to control access to VPN AP Client local networks.
- Authentication: Authentication is provided with machine authentication credentials. In Phase 1 of the IPsec proposal, the Internet Key Exchange (IKE) protocol provides machine-level authentication with preshared keys or digital signatures. You can select one of these authentication methods when configuring the VPN policy.
  For the preshared key authentication method, the administrator enters the VPN Auto Provisioning client ID and the key, or secret. For the digital signatures authentication method, the administrator selects the X.509 certificate which contains the client ID from the firewall’s local certificate store. The certificate must have been previously stored on the firewall.
  To increase security, user level credentials through XAUTH are supported. The user credentials are entered when adding the VPN policy. XAUTH extracts them as authorization records by using a key or magic cookie, rather than using a challenge/response mechanism in which a user dynamically enters a username and password. Besides providing additional authentication, the user credentials provide further access control to remote resources and/or a local proxy address used by the VPN AP Client. User credentials allow sharing of a single VPN AP Server policy among multiple VPN AP Client devices by differentiating the subsequent network provisioning.
- Data confidentiality and integrity: Data confidentiality and integrity are provided by the Encapsulated Security Payload (ESP) crypto suite in Phase 2 of the IPsec proposal.
When policy changes occur at the VPN AP Server that affect a VPN AP Client configuration, the VPN AP Server uses IKE re-key mechanisms to ensure that a new Security Association with the appropriate parameters is established.
About Establishing the IKE Phase 1 Security Association
Because the goal of the VPN AP Client is ease of use, many IKE and IPsec
parameters are defaulted or autonegotiated. The VPN AP Client initiates
Security Association establishment, but does not know the configuration of the
VPN AP Server at initiation.
To allow IKE Phase 1 to be established, the set of possible choices is
restricted; the VPN AP Client proposes multiple transforms (combined security
parameters) from which the VPN AP Server can select its configured values. A
Phase 1 transform contains the following parameters:
- Authentication, one of the following:
  - PRESHRD: Uses the preshared secret.
  - RSA_SIG: Uses an X.509 certificate.
  - SW_DEFAULT_PSK: Uses the Default Provisioning Key.
  - XAUTH_INIT_PRESHARED: Uses the preshared secret combined with XAUTH user credentials.
  - XAUTH_INIT_RSA: Uses an X.509 certificate combined with XAUTH user credentials.
  - SW_XAUTH_DEFAULT_PSK: Uses the Default Provisioning Key combined with XAUTH user credentials.
All the previously mentioned transforms contain the restricted or default values for the Phase 1 proposal settings:
- Exchange: Aggressive Mode
- Encryption: AES-256
- Hash: SHA1
- DH Group: Diffie-Hellman Group 5
- Life Time (seconds): 28800
The VPN AP Server responds by selecting a single transform from those contained in the VPN AP Client proposal. If the VPN AP Server selects a transform which uses an XAUTH Authentication Method, the VPN AP Client awaits an XAUTH challenge following Phase 1 completion. If a non-XAUTH transform is chosen, the provisioning phase begins. The VPN AP Server provisions the VPN AP Client with the appropriate policy values including the Shared Secret, if one was configured on the VPN AP Server, and the VPN AP Client ID that was configured on the VPN AP Server. After the Phase 1 SA is established and policy provisioning has completed, the Destination Networks appear in the VPN Policies section of the NETWORK | IPSec VPN > Rules and Settings page.
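A model of the Phase 1 transform exchange just described, as an added Python example that is not SonicOS code. The transform names and the fixed Phase 1 values are the guide's; which transforms a client offers, the server's preference order, and the assumption that a server requiring XAUTH accepts only the XAUTH variants are this example's own.

```python
"""VPN AP Phase 1 transform selection, modelled from the guide (added example, not SonicOS code)."""
from dataclasses import dataclass
from typing import List, Optional

# Restricted Phase 1 values every VPN AP transform carries (from the guide).
PHASE1_FIXED = {"exchange": "Aggressive Mode", "encryption": "AES-256",
                "hash": "SHA1", "dh_group": 5, "lifetime_seconds": 28800}

# Non-XAUTH transform -> its XAUTH counterpart (names from the guide).
XAUTH_VARIANT = {"PRESHRD": "XAUTH_INIT_PRESHARED",
                 "RSA_SIG": "XAUTH_INIT_RSA",
                 "SW_DEFAULT_PSK": "SW_XAUTH_DEFAULT_PSK"}


@dataclass
class ApClient:
    has_shared_secret: bool      # already holds the server's Shared Secret
    has_certificate: bool        # an X.509 certificate is selected
    has_xauth_credentials: bool  # user credentials entered in the policy

    def proposal(self) -> List[str]:
        """Transforms offered, in preference order (ordering is an assumption).
        The Default Provisioning Key is known to all SonicWall appliances,
        so it is always offered."""
        base = []
        if self.has_shared_secret:
            base.append("PRESHRD")
        if self.has_certificate:
            base.append("RSA_SIG")
        base.append("SW_DEFAULT_PSK")
        offered = list(base)
        if self.has_xauth_credentials:
            offered += [XAUTH_VARIANT[t] for t in base]
        return offered


@dataclass
class ApServer:
    authentication_method: str          # "Preshared Secret" or "Certificate"
    use_default_provisioning_key: bool  # Use Default Provisioning Key checkbox
    require_xauth: bool                 # Require Authentication of VPN AP Clients via XAUTH
    shared_secret: Optional[str] = None
    client_id: str = ""

    def acceptable(self) -> List[str]:
        """Transforms this policy can accept, most specific first (assumption)."""
        if self.authentication_method == "Preshared Secret":
            base = ["PRESHRD"]
            if self.use_default_provisioning_key:
                base.append("SW_DEFAULT_PSK")
        elif self.authentication_method == "Certificate":
            base = ["RSA_SIG"]
        else:
            raise ValueError(f"unknown authentication method {self.authentication_method!r}")
        return [XAUTH_VARIANT[t] for t in base] if self.require_xauth else base

    def select(self, proposal: List[str]) -> Optional[str]:
        """Pick the single transform from the client's proposal, or None."""
        for transform in self.acceptable():
            if transform in proposal:
                return transform
        return None


def negotiate_phase1(client: ApClient, server: ApServer) -> dict:
    """Outcome of Phase 1: the chosen transform plus what happens next."""
    chosen = server.select(client.proposal())
    if chosen is None:
        return {"transform": None, "next": "phase1_failed"}
    result = {"transform": chosen, **PHASE1_FIXED}
    if chosen in XAUTH_VARIANT.values():
        # Client must answer an XAUTH challenge before anything is provisioned.
        result["next"] = "await_xauth_challenge"
    else:
        # Non-XAUTH transform: provisioning starts straight away.
        result["next"] = "provisioning"
        result["provisioned"] = {"client_id": server.client_id,
                                 "shared_secret": server.shared_secret}
    return result


if __name__ == "__main__":
    # Constructed sample policy: a never-provisioned spoke reaching a PSK hub
    # that briefly allows the Default Provisioning Key.
    hub = ApServer("Preshared Secret", True, False,
                   shared_secret="constructed-secret", client_id="branch-01")
    print(negotiate_phase1(ApClient(False, False, False), hub))
```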
About Establishing IKE Phase 2 using a Provisioned Policy
The values received during the VPN AP provisioning transaction are used to
establish any subsequent Phase 2 Security Associations. A separate Phase 2 SA
is initiated for each Destination Network. Traffic must be initiated from
behind the remote side in order to trigger the Phase 2 SA negotiation. The SA
is built based on the address object specified when configuring the VPN AP
server policy settings on the Network screen (see Configuring VPN AP Server
Settings on Network).
NOTE: If the same VPN policy on the AP Server is shared with multiple remote
AP Clients, each remote network must be specifically listed as a unique
address object. The individual address objects can be summarized in an Address
Group when added to the Remote Networks section during configuration of the
VPN AP server policy settings on the Network screen. A single address object
cannot be used to summarize multiple remote networks as the SA is built based
on the specific address object. Upon success, the resulting tunnel appears in
the Active Tunnels list.
A NAT rule is also added to the POLICY | Rules and Policies > NAT Rules table.
As Phase 2 parameters are provisioned by the VPN AP Server, there is no chance
of a configuration mismatch. If Phase 2 parameters change at the VPN AP
Server, all Phase 1 and Phase 2 Security Associations are deleted and
renegotiated, ensuring policy synchronization.
Configuring a VPN AP Server
VPN AP Server settings are configured on the server (hub) firewall by adding a
VPN policy on the NETWORK | IPSec VPN > Rules and Settings page in SonicOS.
Because of the number of settings being described, the configuration is
presented in multiple sections:
- Starting the VPN AP Server Configuration
- Configuring VPN AP Server Settings on General
- Configuring VPN AP Server Settings on Network
- Configuring Advanced Settings on Proposals
- Configuring Advanced Settings on Advanced
Starting the VPN AP Server Configuration
To begin configuration of VPN AP Server firewall settings using VPN Auto Provisioning:
1. Navigate to the NETWORK | IPSec VPN > Rules and Settings page.
2. Select IPv4 for View IP Version.
3. Click +Add. The VPN Policy dialog displays.
4. In the Authentication Method drop-down menu, select SonicWall Auto Provisioning Server. The display changes.
Configuring VPN AP Server Settings on General
To configure VPN AP server settings on the General screen:
1. In the Name field, type in a descriptive name for the VPN policy.
2. For Authentication Method, select either:
- Preshared Secret: Uses the VPN Auto Provisioning client ID and shared secret that you enter next. This option is selected by default. Proceed to Step 3.
- Certificate: Uses the X.509 certificate that you select next (the certificate must have been previously stored on the appliance). Skip to Step 9.
NOTE: If VPN AP Server policies are to be shared (as in hub-and-spoke deployments), SonicWall recommends using X.509 certificates to provide true authentication and prevent man-in-the-middle attacks.
3. If you selected Preshared Secret for the Authentication Method, then under SonicWall Settings, type the VPN Auto Provisioning client ID into the VPN AP Client ID field. This field is automatically populated with the value you entered into the Name field, but it can be changed. NOTE: This VPN policy value has to match at both the AP Server and AP Client side. A single AP Server policy can also be used to terminate multiple AP Clients.
4. Check the box for Use Default Provisioning Key to allow VPN AP Clients to
use the default key known to all SonicWall appliances for the initial Security
Association. After the SA is established, the Preshared Secret configured on
the VPN AP Server is provisioned to the VPN AP Client for future use. If this
checkbox is cleared, VPN AP Clients must use the configured Shared Secret.
This allows the administrator to modify the configured Shared Secret on the
VPN AP Server only and then briefly allow Default Provisioning Key use to
update the VPN AP Clients with the new Shared Secret value. NOTE: For best
security, SonicWall recommends that the Default Provisioning Key option is
only enabled for a short time during which the VPN AP Client can be
provisioned with the Shared Secret while under administrative scrutiny.
5. Optionally, clear the Mask Shared Secret checkbox before typing anything into the Shared Secret field. This checkbox is selected by default, which hides the typed characters. If you select it again, the value in the Shared Secret field is automatically copied to the Confirm Shared Secret field.
6. In the Shared Secret field, type in the shared secret key. A minimum of four characters is required, but four characters is only what the interface enforces: the Phase 1 exchange for VPN Auto Provisioning is fixed to Aggressive Mode (see Configuring Advanced Settings on Proposals), which lets an eavesdropper guess a weak secret offline, so use a long, randomly generated value. If Use Default Provisioning Key is checked, the Preshared Secret configured on the VPN AP Server is provisioned to the VPN AP Clients. If Use Default Provisioning Key is cleared, then this shared secret must also be configured on the VPN AP Clients.
7. In the Confirm Shared Secret field, type in the shared secret again. It
must match the value entered in the Shared Secret field.
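The Shared Secret and Confirm Shared Secret fields above only enforce a match and a 4-character minimum. The following is an added example, not SonicWall code, that generates a secret from the OS CSPRNG and checks a candidate the way an administrator would want before pasting it into the dialog. The 128-bit strength threshold and the character-class entropy estimate are this example's own assumptions, not SonicWall figures; the 4-character minimum is the one the page states.

```python
import math
import secrets
import string

# Minimum the SonicOS Shared Secret field enforces (from the guide).
SONICOS_MIN_LENGTH = 4
# Editorial assumption: strength to demand for a secret that is exposed to
# offline guessing in an IKEv1 Aggressive Mode exchange.
RECOMMENDED_MIN_BITS = 128

ALPHABET = string.ascii_letters + string.digits


def generate_shared_secret(length: int = 32) -> str:
    """Return a random alphanumeric secret drawn from the OS CSPRNG."""
    if length < SONICOS_MIN_LENGTH:
        raise ValueError("SonicOS requires at least 4 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(secret: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes used).

    This overestimates human-chosen secrets; it is meant to reject obviously
    weak values, not to certify strong ones."""
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(c in string.punctuation for c in secret):
        pool += len(string.punctuation)
    return len(secret) * math.log2(pool) if pool else 0.0


def check_shared_secret(secret: str, confirm: str) -> list:
    """Mirror the Shared Secret / Confirm Shared Secret pair in the VPN policy dialog.

    Returns a list of problems; an empty list means the value is acceptable."""
    problems = []
    if secret != confirm:
        problems.append("Confirm Shared Secret does not match")
    if len(secret) < SONICOS_MIN_LENGTH:
        problems.append("shorter than the 4-character minimum SonicOS enforces")
    if entropy_bits(secret) < RECOMMENDED_MIN_BITS:
        problems.append(f"estimated strength below {RECOMMENDED_MIN_BITS} bits")
    return problems


if __name__ == "__main__":
    candidate = generate_shared_secret()
    print(candidate, check_shared_secret(candidate, candidate))
    print("Pass1234", check_shared_secret("Pass1234", "Pass1234"))
```

A 32-character alphanumeric value passes both checks; a value such as Pass1234 satisfies the interface but fails the strength check, which is the point of running this before enabling the Default Provisioning Key window.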
8. Go to Step 12.
9. If you selected Certificate for the Authentication Method, then under SonicWall Settings select the desired certificate from the Local Certificate drop-down menu.
10. Select one of the following from the VPN AP Client ID Type drop-down menu:
- Distinguished name (DN)
- E-Mail ID (UserFQDN)
- Domain name (FQDN)
- IP Address (IPV4)
11. In the VPN AP Client ID Filter, type in a matching string or filter to be applied to the Certificate ID presented during IKE negotiation. A permissive filter lets any certificate the appliance trusts match this policy, so make the filter as specific as the deployment allows.
12. Continue to Configuring VPN AP Server Settings on Network.
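Steps 10 and 11 pair an ID type with a filter that is compared against the certificate ID the peer presents in IKE. The following added example, not SonicWall code, shows one way such a matcher can behave for the four ID types. The filter semantics (wildcards in DN attribute values and FQDN/e-mail patterns, CIDR prefixes for IPv4, and refusal of an empty filter) are this example's own assumptions; the guide does not document SonicOS's filter syntax.

```python
import fnmatch
import ipaddress

# The ID types offered in the VPN AP Client ID Type drop-down.
ID_TYPES = ("DN", "UserFQDN", "FQDN", "IPV4")


def _parse_dn(dn: str) -> dict:
    """Split 'C=US, O=Example, CN=fw17' into {ATTR: value}.

    Attribute names are upper-cased; escaped commas inside values are not
    handled, which is enough for the branch-office DNs this example expects."""
    out = {}
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        out[attr.strip().upper()] = value.strip()
    return out


def id_matches(id_type: str, id_filter: str, presented_id: str) -> bool:
    """Decide whether the certificate ID a peer presents satisfies the filter.

    Assumed semantics (not SonicOS's documented syntax):
      DN        every attribute in the filter must appear in the presented DN
                and its value must match the filter value (shell-style '*').
      UserFQDN  case-insensitive shell-style pattern, e.g. '*@example.com'.
      FQDN      case-insensitive shell-style pattern, e.g. '*.example.com'.
      IPV4      an address or CIDR prefix the presented address must lie in.
    An empty filter would accept any trusted certificate, so it never matches."""
    if id_type not in ID_TYPES:
        raise ValueError(f"unknown ID type {id_type!r}")
    if not id_filter.strip():
        return False
    if id_type == "DN":
        want = _parse_dn(id_filter)
        have = _parse_dn(presented_id)
        return bool(want) and all(
            attr in have and fnmatch.fnmatchcase(have[attr], pattern)
            for attr, pattern in want.items()
        )
    if id_type in ("UserFQDN", "FQDN"):
        return fnmatch.fnmatchcase(presented_id.lower(), id_filter.lower())
    # IPV4: the filter may be a host address or a prefix.
    try:
        net = ipaddress.ip_network(id_filter, strict=False)
        addr = ipaddress.ip_address(presented_id)
    except ValueError:
        return False
    return net.version == 4 and addr.version == 4 and addr in net


if __name__ == "__main__":
    # Constructed sample IDs, as a branch firewall's certificate might present them.
    print(id_matches("DN", "O=Example Corp, OU=Branch-*",
                     "C=US, O=Example Corp, OU=Branch-17, CN=fw17"))   # True
    print(id_matches("FQDN", "*.branch.example.com", "branch.example.com"))  # False
```

The DN branch only constrains the attributes named in the filter, so a filter of O=Example Corp accepts every certificate from that organisation; adding OU or CN to the filter is what narrows it to the intended AP Clients.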
Configuring VPN AP Server Settings on Network
To configure VPN AP server settings on the Network screen:
1. Navigate to the NETWORK | IPSec VPN > Rules and Settings page.
2. Select IPv4 for the IP Version.
3. Click +Add. The VPN Policy dialog displays.
4. On the General tab, select SonicWall Auto Provisioning Server for the Authentication Method.
5. Click the Network tab.
6. Under Local Networks, select Require Authentication of VPN AP Clients via XAUTH to force the use of user credentials for added security when establishing the SA.
7. If the XAUTH option is enabled, select the user group for the allowed users from the User Group for XAUTH Users drop-down menu. You can select an existing group such as Trusted Users or another standard group, or select Create a new user group to create a custom group. For each authenticated user, the authentication service returns one or more network addresses which are sent to the VPN AP Client during the provisioning exchange. If XAUTH is enabled and a user group is selected, the user on the VPN AP Client side must meet the following conditions for authentication to succeed:
- The user must belong to the selected user group.
- The user must pass the authentication method configured in DEVICE | Users > Settings | User Authentication Method.
- The user must have VPN access privileges.
8. If the XAUTH option is disabled, select a network address object or group from the Allow Unauthenticated VPN AP Client Access drop-down menu, or select Create a new address object/group to create a custom object or group. The selected object defines the list of addresses and domains that can be accessed through this VPN connection. It is sent to the VPN AP Client during the provisioning exchange and then used as the VPN AP Client's remote proxy ID. Without XAUTH, any AP Client that holds the shared secret (or presents a certificate matching the ID filter) receives this access, so scope the object tightly.
9. Under Remote Networks, select one of the following radio buttons and choose from the associated list, if applicable:
- Choose destination network from list: Select a network object from the drop-down menu of remote address objects that are actual routable networks at the VPN AP Client side, or create a custom object.
  NOTE: VPN Auto Provisioning does not support using a "super network" that includes all the AP Clients' protected subnets. To allow multiple AP Clients with different protected subnets to connect to the same AP Server, configure an Address Group that includes all of the AP Clients' protected subnets and use that in the Choose destination network from list field. This Address Group must be kept up to date as new AP Clients are added.
- Obtain NAT Proxy via Authentication Service: Select this option to have the RADIUS server return a Framed-IP-Address attribute for the user, which is used by the VPN AP Client to NAT its internal addresses before sending traffic down the IPsec tunnel.
- Choose NAT Pool: Select a network object from the drop-down menu, or create a custom object. The chosen object specifies a pool of addresses to be assigned to the VPN AP Client for use with NAT. The client translates its internal address to an address in the NAT pool before sending traffic down the IPsec tunnel.
NOTE: When deploying VPN Auto Provisioning, allocate a NAT IP address pool large enough for all existing and expected VPN AP Clients. Otherwise, additional VPN AP Clients cannot work properly once all the IP addresses in the pool have been allocated.
NOTE: Configuring a large IP pool does not consume more memory than a small pool, so it is safe and a best practice to allocate a pool large enough to leave spare capacity.
10. Continue to Configuring Advanced Settings on Proposals.
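Step 9 carries two planning constraints that are easy to get wrong: the Remote Network Address Group must list every AP Client's protected subnet individually (no summary "super network"), and the NAT pool must not run out as clients are added. The following added example, not SonicWall code, checks a set of client subnets for overlap, derives the Address Group members, and models a NAT pool that fails closed when exhausted. The client names, subnets, pool prefix and the 2x growth margin in plan_pool are constructed for the example.

```python
import ipaddress
from typing import Dict, List


class NatPoolExhausted(Exception):
    """Raised when every usable address in the NAT pool is already allocated."""


def check_protected_subnets(client_subnets: Dict[str, str]) -> List[str]:
    """Return a description of every pair of AP Client subnets that overlap.

    Each client's protected subnet becomes one member of the Address Group used
    as the Remote Network; overlapping members make the proxy IDs ambiguous."""
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in client_subnets.items()}
    problems = []
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def address_group_members(client_subnets: Dict[str, str]) -> List[str]:
    """Members the Address Group must contain: one per client, never summarised,
    because VPN Auto Provisioning does not accept a single 'super network'."""
    return sorted(str(ipaddress.ip_network(c, strict=True))
                  for c in client_subnets.values())


class NatPool:
    """Hands out one address per AP Client from the pool object ('Choose NAT Pool')."""

    def __init__(self, pool_cidr: str):
        self.network = ipaddress.ip_network(pool_cidr, strict=True)
        self._free = list(self.network.hosts())   # usable host addresses only
        self.capacity = len(self._free)
        self.assigned: Dict[str, ipaddress.IPv4Address] = {}

    def allocate(self, client_id: str) -> ipaddress.IPv4Address:
        if client_id in self.assigned:            # re-provisioning keeps the same address
            return self.assigned[client_id]
        if not self._free:
            raise NatPoolExhausted(f"{self.network} has no free address for {client_id}")
        addr = self._free.pop(0)
        self.assigned[client_id] = addr
        return addr

    def release(self, client_id: str) -> None:
        self._free.append(self.assigned.pop(client_id))


def plan_pool(expected_clients: int, growth_factor: float = 2.0) -> int:
    """Smallest IPv4 prefix length whose usable host count covers the expected
    clients times a growth margin (the margin is this example's own choice)."""
    needed = int(expected_clients * growth_factor)
    for prefix in range(30, 7, -1):
        usable = 2 ** (32 - prefix) - 2
        if usable >= needed:
            return prefix
    raise ValueError("too many clients for a single IPv4 pool")


if __name__ == "__main__":
    # Constructed sample deployment: three branches, one of them mis-sized.
    branches = {"branch1": "10.1.0.0/24", "branch2": "10.2.0.0/24",
                "branch3": "10.1.0.128/25"}
    print(check_protected_subnets(branches))
    print(address_group_members(branches))
    pool = NatPool("192.0.2.0/29")
    for name in ("c1", "c2", "c3", "c4", "c5", "c6"):
        pool.allocate(name)
    try:
        pool.allocate("c7")
    except NatPoolExhausted as e:
        print("pool exhausted:", e)
    print("prefix for 10 clients:", plan_pool(10))
```

The exhaustion path is the failure mode the NOTE warns about: the seventh client here is refused rather than silently sharing an address, which is what an operator should expect to see in the AP Server's logs when the pool object was sized too small.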
Configuring Advanced Settings on Proposals
The configured parameters are automatically provisioned to the VPN AP Client prior to Phase 2 establishment, so there is no chance of configuration discrepancies between the VPN AP Server and VPN AP Client. To configure VPN AP Server settings on the Proposals screen:
1. On the General or Network tab, click Proposals.
2. Under IKE (Phase 1) Proposal, enter the phase 1 proposal lifetime in seconds. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. To simplify auto-provisioning, the other fields in this section are dimmed and preset to:
- Exchange: Aggressive Mode
- DH Group: Group 5
- Encryption: AES-256
- Authentication: SHA1
NOTE: These Phase 1 values cannot be changed for a VPN AP Server policy. In Aggressive Mode with a preshared secret, the peer identities are sent unencrypted and the authentication hash can be captured and attacked offline, so either use a long random Shared Secret or choose certificate authentication.
3. Under IPsec (Phase 2) Proposal, select the desired encryption algorithm from the Encryption drop-down menu. The default is AES-128. The Protocol field is dimmed and preset to ESP, the Encapsulating Security Payload.
4. Select the desired authentication (integrity) algorithm from the Authentication drop-down menu. The default is SHA1.
5. Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an