|
|
GroupVPN allows for easy deployment of Global VPN Clients or Global Security Clients making it unnecessary to individually configure remote VPN clients.You must use the GroupVPN SA even if you have only one VPN client to deploy. SonicWALL GroupVPN SA supports three IPSec keying modes: IKE using shared secret, IKE using SonicWALL Certificates, and IKE using 3rd Party Certificates. The following steps explain how to create the GroupVPN SA using IKE using shared secret.
Once you create the GroupVPN SA, you configure GroupVPN to automatically provision SonicWALL Global VPN Clients by downloading the policy, or exporting the policy file for manual installation in the SonicWALL Global VPN Client.
The following instructions explain how to configure SonicWALL GroupVPN with IKE using 3rd Party Digital Certificates.
Alert! Before
configuring GroupVPN with IKE using 3rd Party Certificates, your certificates
must be installed on the SonicWALL.
In the VPN>Configure page, select GroupVPN from the Security Association menu.
Select IKE using 3rd Party Certificates from the IPSec Keying Mode menu.
Select a certificate for the SonicWALL from the Select Certificate menu.
If the Disable This SA box is checked, uncheck it.
Select Group 2 from the Phase1 DH Group menu.
Leave the default setting, 28800, in the SA Life time (secs) field. This setting forces the tunnel to renegotiate and exchange keys every 8 hours.
Select 3DES & SHA1 from the Phase1 Encryption/Authentication menu.
Select Distinguished Name, E-Mail ID, or Domain Name from the Peer ID Type menu:
Enter the peer ID filter in the Peer ID Filter field.
Check All Only Peer Certificates Signed by Gateway Issuer, if
Click Advanced Settings to open the VPN Advanced Settings window.
Require authentication of VPN clients via XAUTH - All Global VPN Client users will be authenticated via XAUTH using the authentication service specified on the Access>Users page. The setting is enabled by default.
Enable Windows Networking (NetBIOS) broadcast - Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and firewall rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and checks for attacks, but not NAT.
Forward packets to remote VPNs - Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.
Enable Perfect Forward Secrecy - This setting increases the renegotiation time of the VPN tunnel. By enabling Perfect Forward Secrecy, a hacker using brute force to break encryption keys is not able to obtain other or future IPSec keys. During the phase 2 renegotiation between two SonicWALL appliances or a Group VPN SA, an additional Diffie-Hellman key exchange is performed. Enable Perfect Forward Secrecy adds incremental security between gateways.
Phase 2 DH Group - If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a key agreement protocol) to be used during phase 2 of the authentication process to establish preshared keys. Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed below:
Group - Prime Size (bits)
Group 1 - 768
Group 2 - 1024
Group 5 - 1536
Tip! If
network connection speed is an issue, select Group 1. If network security
is an issue, select Group 5. To compromise between speed and security, select
Group 2.
Default LAN Gateway - This setting allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
Click OK.
Click Update to enable the changes.
Clicking the Client Settings button in the Configure tab displays the VPN Client Settings window. The controls in this window allows configuration of Global VPN Client authentication requirements, username and password caching, use of DHCP Relay, and multi-connection behavior.
Click Client Settings. The VPN Client Settings window appears.
Select any of the following boxes that you want to apply to Global VPN Client provisioning:
Cache XAUTH User Name and Password - Allows Global VPN Client to cache any username and password required for XAUTH user authentication. The drop-down list provides the following options:
Never - Global VPN Client is not allowed to cache username and password. The user will be prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey.
Single Session - The user will be prompted for username and password each time the connection is enabled and will be valid until the connection is disabled. This username and password is used through IKE phase 1 rekey.
This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of this gateway is sent through the VPN tunnel. All other traffic is blocked. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
Any Destination - Same as the All Secured Gateways option but Internet traffic is sent through the VPN tunnel when the Set Default Route as this Gateway is not enabled.
Set Default Route as this Gateway - If checked, Global VPN Client traffic that does not match selectors for the gateway’s protected subnets must also be tunneled. In effect, this changes the Global VPN Client’s default gateway to the gateway tunnel endpoint. If unchecked, the Global VPN Client must drop all non-matching traffic if Allow traffic to This Gateway Only or All Secured Gateways is selected.
Use Default Key for Simple Client Provisioning - If set, authentication of initial Aggressive mode exchange uses a default Preshared Key by gateway and all Global VPN Clients. This allows for the control of the use of the default registration key. If not set, then Preshared Key must be distributed out of band.
Click OK.
To export the GroupVPN settings to a file, click on the Export Settings button in the Configure tab to display the Export Security Association window. The controls in this window allow you to export the SA to a file. SonicWALL Global VPN Client users import this file using the New Connection Wizard.
To export the GroupVPN SA to a file,
Click the Export Settings button in the Configure tab to display the Export Security Association window.
Select rcf format is required for SonicWALL Global VPN Clients. Files saved in the rcf format can be password encrypted.
Click Yes. The VPN Policy Export window appears.
Type a password in the Password box and reenter it in the Confirm Password box, if you want to encrypt the exported file. If you choose not to enter a password, the exported file is not encrypted.
Click Submit. If you did not enter a password, a message window appears confirming your choice.
Click OK. The File Download window appears showing the default filename.
Save the file.
Click Close.
The security file can be saved to a floppy disk or e-mailed to a remote VPN client. The SA must be enabled on the SonicWALL to export the configuration file.