All the advanced settings for VPN connections are available in the VPN Advanced Settings window. The settings shown in the VPN Advanced Settings window change depending on the IPSec keying mode you select in the IPSec Keying Mode menu. To configure advanced settings:
Click Advanced Settings in the Configure page to open the VPN Advanced Settings window.
Select any of the following boxes in the Advanced Settings window that apply to your Security Association.
Click OK.
Click Update to enable the changes.
Require authentication of VPN clients via XAUTH - All Global VPN Client users will be authenticated via XAUTH using the authentication service specified on the Access>Users page. The setting is enabled by default.
Enable Windows Networking (NetBIOS) broadcast - Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and firewall rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and checks for attacks, but not NAT.
Forward packets to remote VPNs - Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.
Enable Perfect Forward Secrecy - This setting increases the renegotiation time of the VPN tunnel. With Perfect Forward Secrecy enabled, a hacker who breaks one set of encryption keys by brute force is not able to obtain other or future IPSec keys from it. During the phase 2 renegotiation between two SonicWALL appliances or for a Group VPN SA, an additional Diffie-Hellman key exchange is performed. Enable Perfect Forward Secrecy adds incremental security between gateways.
Phase 2 DH Group - If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a key agreement protocol) to be used during phase 2 of the authentication process to establish preshared keys. Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed below:
Group - Prime Size (bits)
Group 1 - 768
Group 2 - 1024
Group 5 - 1536
Tip! If network connection speed is an issue, select Group 1. If network security is an issue, select Group 5. To compromise between speed and security, select Group 2.
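The point of the Perfect Forward Secrecy setting above is that the extra phase 2 Diffie-Hellman exchange makes the IPSec keying material independent of the phase 1 secret. The following is an added illustration, not SonicWALL code: it models the IKE phase 2 key derivation with and without the PFS exchange (the prf shape follows RFC 2409 section 5.5 in simplified form, an assumption) using a constructed toy DH group, and shows that an adversary holding a leaked phase 1 secret (SKEYID_d) re-derives the non-PFS key but not the PFS one.

```python
import hashlib
import hmac
from typing import Optional

# Constructed toy Diffie-Hellman parameters (illustration only): a 127-bit
# Mersenne prime and generator 2. IKE uses the 768/1024/1536-bit MODP groups
# shown in the table above; the structure of the derivation is what matters.
TOY_P = 2 ** 127 - 1
TOY_G = 2


def dh_public(exp: int) -> int:
    """Public value g^exp mod p sent in the quick mode exchange."""
    return pow(TOY_G, exp, TOY_P)


def dh_shared(peer_public: int, exp: int) -> int:
    """Shared secret g^xy mod p computed from the peer's public value."""
    return pow(peer_public, exp, TOY_P)


def phase2_keymat(skeyid_d: bytes, nonce_i: bytes, nonce_r: bytes,
                  pfs_shared: Optional[int] = None) -> bytes:
    """Simplified IKE KEYMAT (assumed shape after RFC 2409 section 5.5):
    prf(SKEYID_d, [g(qm)^xy |] Ni_b | Nr_b). Without PFS the key depends
    only on the phase 1 secret SKEYID_d and the public nonces."""
    material = b""
    if pfs_shared is not None:
        material += pfs_shared.to_bytes(16, "big")  # fresh DH value first
    material += nonce_i + nonce_r
    return hmac.new(skeyid_d, material, hashlib.sha1).digest()


def attacker_rederives(skeyid_d: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """What an adversary holding a compromised SKEYID_d and the sniffed
    nonces can compute. The DH public values alone do not yield g^xy, so
    this is all the adversary gets whether or not PFS was used."""
    return phase2_keymat(skeyid_d, nonce_i, nonce_r)


def compare(skeyid_d: bytes, x: int, y: int, nonce_i: bytes, nonce_r: bytes):
    """Return (recovered_without_pfs, recovered_with_pfs) for the given
    private exponents x (initiator) and y (responder)."""
    shared = dh_shared(dh_public(y), x)
    assert shared == dh_shared(dh_public(x), y)  # both sides agree
    key_no_pfs = phase2_keymat(skeyid_d, nonce_i, nonce_r)
    key_pfs = phase2_keymat(skeyid_d, nonce_i, nonce_r, shared)
    guess = attacker_rederives(skeyid_d, nonce_i, nonce_r)
    return guess == key_no_pfs, guess == key_pfs


if __name__ == "__main__":
    # Constructed sample inputs: a leaked SKEYID_d, fixed exponents and nonces.
    print(compare(b"leaked-skeyid_d", 123456789, 987654321, b"Ni", b"Nr"))
    # (True, False)
```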
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decrypted by the SonicWALL and compared to the static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
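The routing decision described for Forward packets to remote VPNs and Default LAN Gateway can be made concrete. The following is an added example, not SonicWALL's implementation: it models (as an assumption) the lookup for a decrypted inbound packet as a longest-prefix match over the LAN routes, with the other SAs' destination networks included only when forwarding to remote VPNs is enabled, then the Default LAN Gateway fallback, and finally a drop. The subnets, SA name and gateway address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    via: str  # "lan" for a LAN static route, or "sa:<name>" for another VPN SA


@dataclass
class SAAdvanced:
    forward_to_remote_vpns: bool
    default_lan_gateway: Optional[str]
    lan_routes: List[Route]
    remote_sa_routes: List[Route]


def route_decrypted_packet(dst: str, cfg: SAAdvanced) -> str:
    """Decide where a packet decrypted from this SA goes.
    Modelled (assumption, not SonicWALL's implementation) as: longest-prefix
    match over LAN routes, plus other SAs' destination networks only when
    'Forward packets to remote VPNs' is on; then the Default LAN Gateway;
    otherwise drop."""
    dst_ip = ipaddress.ip_address(dst)
    table = list(cfg.lan_routes)
    if cfg.forward_to_remote_vpns:
        table += cfg.remote_sa_routes  # hub-and-spoke: spokes join the table
    best: Optional[Route] = None
    for r in table:
        if dst_ip in r.network and (
                best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    if best is not None:
        return best.via
    if cfg.default_lan_gateway:
        return f"gateway:{cfg.default_lan_gateway}"
    return "drop"


def sample_config(forward: bool, default_gw: Optional[str]) -> SAAdvanced:
    """Constructed sample: one LAN subnet and one spoke reachable via SA 'branch2'."""
    return SAAdvanced(
        forward_to_remote_vpns=forward,
        default_lan_gateway=default_gw,
        lan_routes=[Route(ipaddress.ip_network("192.168.10.0/24"), "lan")],
        remote_sa_routes=[Route(ipaddress.ip_network("10.20.0.0/16"), "sa:branch2")],
    )


if __name__ == "__main__":
    hub = sample_config(forward=True, default_gw="192.168.10.1")
    for dst in ("192.168.10.55", "10.20.3.4", "172.16.0.9"):
        print(dst, "->", route_decrypted_packet(dst, hub))
```

With forwarding disabled, a spoke-bound destination falls through to the Default LAN Gateway, and with no gateway configured it is dropped, which is the behaviour the two settings describe.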
Require authentication of local users - Requires that all outbound VPN traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
Require authentication of VPN clients - All VPN clients will be authenticated via XAUTH using the authentication service specified on the Access>Users page.
Enable Windows Networking (NetBIOS) broadcast - Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and firewall rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and checks for attacks, but not NAT.
Forward packets to remote VPNs - Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decrypted by the SonicWALL and compared to the static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
Try to bring up all possible SAs - If multiple SAs are configured on the SonicWALL, select this feature to have the SonicWALL renegotiate the tunnels if they lose communication with the SonicWALL.
Require authentication of local users - Requires that all outbound VPN traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
Require authentication of remote users - Requires that all inbound traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
Remote users behind VPN gateway - Select this feature if remote users have a VPN tunnel terminating on the VPN gateway.
Remote VPN clients with XAUTH - Select this feature if remote users require authentication using XAUTH and are accessing the SonicWALL via a VPN client.
Enable Windows Networking (NetBIOS) broadcast - Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and firewall rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and checks for attacks, but not NAT.
Forward packets to remote VPNs - Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.
Enable Perfect Forward Secrecy - This setting increases the renegotiation time of the VPN tunnel. With Perfect Forward Secrecy enabled, a hacker who breaks one set of encryption keys by brute force is not able to obtain other or future IPSec keys from it. During the phase 2 renegotiation between two SonicWALL appliances or for a Group VPN SA, an additional Diffie-Hellman key exchange is performed. Enable Perfect Forward Secrecy adds incremental security between gateways.
Phase 2 DH Group - If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a key agreement protocol) to be used during phase 2 of the authentication process to establish preshared keys. Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed below:
Group - Prime Size (bits)
Group 1 - 768
Group 2 - 1024
Group 5 - 1536
Tip! If network connection speed is an issue, select Group 1. If network security is an issue, select Group 5. To compromise between speed and security, select Group 2.
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decrypted by the SonicWALL and compared to the static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
Try to bring up all possible SAs - If multiple SAs are configured on the SonicWALL, select this feature to have the SonicWALL renegotiate the tunnels if they lose communication with the SonicWALL.
Require authentication of local users - Requires that all outbound VPN traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
Require authentication of remote users - Requires that all inbound traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
Enable Windows Networking (NetBIOS) broadcast - Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and firewall rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and checks for attacks, but not NAT.
Forward packets to remote VPNs - Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.
Enable Perfect Forward Secrecy - This setting increases the renegotiation time of the VPN tunnel. With Perfect Forward Secrecy enabled, a hacker who breaks one set of encryption keys by brute force is not able to obtain other or future IPSec keys from it. During the phase 2 renegotiation between two SonicWALL appliances or for a Group VPN SA, an additional Diffie-Hellman key exchange is performed. Enable Perfect Forward Secrecy adds incremental security between gateways.
Phase 2 DH Group - If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a key agreement protocol) to be used during phase 2 of the authentication process to establish preshared keys. Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed below:
Group - Prime Size (bits)
Group 1 - 768
Group 2 - 1024
Group 5 - 1536
Tip! If network connection speed is an issue, select Group 1. If network security is an issue, select Group 5. To compromise between speed and security, select Group 2.
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decrypted by the SonicWALL and compared to the static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.