GroupVPN allows for easy deployment of Global VPN Clients or Global Security Clients, making it unnecessary to individually configure remote VPN clients. You must use the GroupVPN SA even if you have only one VPN client to deploy. SonicWALL GroupVPN SA supports three IPSec keying modes: IKE using shared secret, IKE using SonicWALL Certificates, and IKE using 3rd Party Certificates. The following steps explain how to create the GroupVPN SA with IKE using shared secret.
Once you create the GroupVPN SA, you configure GroupVPN to automatically provision SonicWALL Global VPN Clients by downloading the policy, or exporting the policy file for manual installation in the SonicWALL Global VPN Client.
The following instructions explain how to configure SonicWALL GroupVPN with IKE using Preshared Secret.
1. In the VPN>Configure page, select GroupVPN from the Security Association menu.
2. Select IKE using pre-shared secret from the IPSec Keying Mode menu.
3. Select Group 2 from the Phase 1 DH Group menu.
4. Type the SA time value in seconds in the SA Life time (sec) field. The default value of 28800 seconds (8 hours) is recommended.
5. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu.
6. Select Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) from the Phase 2 Encryption/Authentication menu.
7. Type a Shared Secret in the Shared Secret box or use the Shared Secret automatically generated by the SonicWALL. If you enter a Shared Secret, the value should consist of a combination of letters and numbers. A Shared Secret is case-sensitive.
8. Click Update to enable the changes.
All the advanced settings for GroupVPN connections are configured in the Advanced Settings window. To configure advanced settings:
1. Click Advanced Settings to open the VPN Advanced Settings window.
2. Select any of the following options in the Advanced Settings window that apply to your GroupVPN SA:
Require authentication of VPN clients via XAUTH - All Global VPN Client users will be authenticated via XAUTH using the authentication service specified on the Access>Users page. The setting is enabled by default.
Enable Windows Networking (NetBIOS) broadcast - Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and firewall rules - This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. If the SonicWALL uses the Standard network configuration, using this check box applies the firewall access rules and checks for attacks, but not NAT.
Forward packets to remote VPNs - Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section. Enabling this feature allows a network administrator to create a “hub and spoke” network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office.
Enable Perfect Forward Secrecy - This setting increases the renegotiation time of the VPN tunnel. With Perfect Forward Secrecy enabled, an attacker who recovers one set of encryption keys by brute force cannot derive other or future IPSec keys from them. During the phase 2 renegotiation between two SonicWALL appliances or a Group VPN SA, an additional Diffie-Hellman key exchange is performed. Enabling Perfect Forward Secrecy adds incremental security between gateways.
Phase 2 DH Group - If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a key agreement protocol) to be used during phase 2 of the authentication process to establish preshared keys. Groups 1, 2, and 5 use modular exponentiation with different prime lengths, as listed below:
| Group | Prime Size (bits) |
|---|---|
| Group 1 | 768 |
| Group 2 | 1024 |
| Group 5 | 1536 |
Tip! If network connection speed is an issue, select Group 1. If network security is an issue, select Group 5. To compromise between speed and security, select Group 2.
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decrypted by the SonicWALL and compared to the static routes configured in the SonicWALL. Since packets can have any destination IP address, it is impossible to configure enough static routes to handle all the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
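To make the Perfect Forward Secrecy setting above concrete, here is an added Python model (not SonicWALL code) of the phase 1 and phase 2 keying described for PFS. The Diffie-Hellman group is a constructed toy group using a small Mersenne prime rather than one of the 768/1024/1536-bit IKE groups, and the key derivation is a simplified sketch of the IKE PRF chain; the function and parameter names are assumptions. It shows that without PFS every phase 2 key is a pure function of the phase 1 keying root plus values visible on the wire, whereas with PFS each phase 2 key also depends on a fresh DH secret that a compromise of the phase 1 root does not reveal.

```python
"""Toy model of why Perfect Forward Secrecy matters for IKE phase 2 keys.

Constructed example: P and G form a tiny toy DH group for readability,
NOT an RFC 2409 group, and the PRF chain is a simplified sketch of IKE.
"""
import hashlib
import hmac

P = 2**61 - 1   # toy prime modulus (constructed; real groups are 768-1536 bits)
G = 3           # toy generator (constructed)


def dh_public(priv):
    """g^priv mod p, the value each side sends on the wire."""
    return pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared DH secret g^(ab) mod p as fixed-width bytes."""
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def prf(key, data):
    """HMAC-SHA1 stands in for the IKE pseudo-random function."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_skeyid_d(dh_secret, nonce_i, nonce_r):
    """Phase 1 keying root (SKEYID_d) from the phase 1 DH secret and nonces (simplified)."""
    skeyid = prf(nonce_i + nonce_r, dh_secret)
    return prf(skeyid, dh_secret + b"\x00")


def phase2_key(skeyid_d, spi, nonce_i, nonce_r, pfs_secret=b""):
    """Phase 2 (IPSec SA) key. With PFS a fresh DH secret is mixed in; without it only
    SKEYID_d and on-the-wire values (SPI, nonces) contribute."""
    return prf(skeyid_d, pfs_secret + spi + nonce_i + nonce_r)


def simulate(pfs, a, b, x, y, nonce_i=b"ni", nonce_r=b"nr", spi=b"\x00\x00\x12\x34"):
    """Run one phase 1 exchange (private exponents a, b) and one phase 2 exchange
    (private exponents x, y, used only when pfs is True).

    Returns whether both peers derive the same phase 2 key, and whether a third
    party holding the phase 1 root SKEYID_d plus everything sent on the wire in
    phase 2 (SPI, nonces, public DH values) but NOT x or y can derive that key.
    """
    # Phase 1: both sides reach the same SKEYID_d from their own exponent and the peer's public value
    skeyid_d = phase1_skeyid_d(dh_shared(a, dh_public(b)), nonce_i, nonce_r)
    assert skeyid_d == phase1_skeyid_d(dh_shared(b, dh_public(a)), nonce_i, nonce_r)

    if pfs:
        # Phase 2 with PFS: an additional DH exchange with fresh exponents x, y
        key_i = phase2_key(skeyid_d, spi, nonce_i, nonce_r, dh_shared(x, dh_public(y)))
        key_r = phase2_key(skeyid_d, spi, nonce_i, nonce_r, dh_shared(y, dh_public(x)))
    else:
        # Phase 2 without PFS: no new DH exchange, only new nonces and SPI
        key_i = phase2_key(skeyid_d, spi, nonce_i, nonce_r)
        key_r = phase2_key(skeyid_d, spi, nonce_i, nonce_r)

    # Model a later compromise of the phase 1 root: the best a holder of SKEYID_d can
    # do is rerun the derivation over the public phase 2 values, lacking g^(xy).
    derived_from_root = phase2_key(skeyid_d, spi, nonce_i, nonce_r)
    return {
        "peers_agree": key_i == key_r,
        "derivable_from_phase1_root": derived_from_root == key_i,
    }


if __name__ == "__main__":
    # Constructed private exponents for a repeatable run
    print("no PFS:", simulate(False, 12345, 67890, 111, 222))
    print("PFS:   ", simulate(True, 12345, 67890, 111, 222))
```

The extra cost the text mentions (longer renegotiation) is the second `dh_shared` computation in the `pfs` branch; the benefit is that `derivable_from_phase1_root` is `False` only in that branch.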
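The Default LAN Gateway lookup just described, as an added Python example (not SonicWALL code). The route table and addresses are constructed, and choosing the most specific matching route when several match is an assumption; the text only says that a route is looked up, then the Default LAN Gateway is tried, and otherwise the packet is dropped.

```python
"""Routing decision for a packet decrypted from an IPSec tunnel, with the
Default LAN Gateway fallback. Constructed example; not SonicWALL code."""
import ipaddress


def build_routes(entries):
    """entries: iterable of (prefix, next_hop). A next_hop of 'direct' marks the
    SonicWALL's own LAN segment; any other value is a static route's gateway."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in entries]


def route_decrypted_packet(dst, routes, default_lan_gateway=None):
    """Return (action, next_hop) for a decrypted inbound packet:
      ('route', hop)           the LAN or a static route matched
      ('default_gateway', gw)  nothing matched but a Default LAN Gateway is set
      ('drop', None)           nothing matched and no Default LAN Gateway is set
    """
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if matches:
        # Most specific route wins (assumption, standard longest-prefix behaviour)
        _, hop = max(matches, key=lambda m: m[0].prefixlen)
        return "route", hop
    if default_lan_gateway:
        return "default_gateway", default_lan_gateway
    return "drop", None


# Constructed sample configuration: the LAN segment plus one static route
ROUTES = build_routes([
    ("192.168.1.0/24", "direct"),       # the SonicWALL LAN
    ("10.0.0.0/8", "192.168.1.254"),    # static route via an internal router
])

if __name__ == "__main__":
    for dst in ("192.168.1.50", "10.5.0.7", "172.16.9.1"):
        print(dst, "with gateway:", route_decrypted_packet(dst, ROUTES, "192.168.1.1"))
        print(dst, "no gateway:  ", route_decrypted_packet(dst, ROUTES))
```

The third sample destination (172.16.9.1) is the case the text is about: it matches no configured route, so its fate depends entirely on whether a Default LAN Gateway is set.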
Clicking the Client Settings button in the Configure tab displays the VPN Client Settings window. The controls in this window allow configuration of Global VPN Client authentication requirements, username and password caching, use of DHCP Relay, and multi-connection behavior.
1. Click Client Settings. The VPN Client Settings window appears.
2. Select any of the following boxes that you want to apply to Global VPN Client provisioning:
Cache XAUTH User Name and Password - Allows Global VPN Client to cache any username and password required for XAUTH user authentication. The drop-down list provides the following options:
Never - Global VPN Client is not allowed to cache username and password. The user will be prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey.
Single Session - The user will be prompted for username and password each time the connection is enabled, and they remain valid until the connection is disabled. This username and password are reused across IKE phase 1 rekeys.
Always - The user will be prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password.
Allow Traffic to - Specifies single or multiple VPN connections. The drop-down list provides the following options:
This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of this gateway is sent through the VPN tunnel. All other traffic is blocked. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
All Secured Gateways - Allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, then Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
Any Destination - Same as the All Secured Gateways option but Internet traffic is sent through the VPN tunnel when the Set Default Route as this Gateway is not enabled.
Set Default Route as this Connection - If checked, Global VPN Client traffic that does not match selectors for the gateway’s protected subnets must also be tunneled. In effect, this changes the Global VPN Client’s default gateway to the gateway tunnel endpoint. If unchecked, the Global VPN Client must drop all non-matching traffic if Allow traffic to This Gateway Only or All Secured Gateways is selected.
Use DHCP to Obtain Virtual IP for this Connection - If set, this allows the Global VPN Client to obtain the IP address and other attributes like DNS and WINS from an external DHCP server on the LAN side of the gateway.
Use Default Key for Simple Client Provisioning - If set, authentication of the initial Aggressive mode exchange uses a default Preshared Key shared by the gateway and all Global VPN Clients. This allows control over the use of the default registration key. If not set, the Preshared Key must be distributed out of band.
3. Click OK.
4. Click Update to enable the changes.
To export the GroupVPN settings to a file, click on the Export Settings button in the Configure tab to display the Export Security Association window. The controls in this window allow you to export the SA to a file. SonicWALL Global VPN Client users import this file using the New Connection Wizard.
To export the GroupVPN SA to a file:
1. Click the Export Settings button in the Configure tab to display the Export Security Association window.
2. Select the rcf format; it is required for SonicWALL Global VPN Clients. Files saved in the rcf format can be password encrypted.
3. Click Yes. The VPN Policy Export window appears.
4. Type a password in the Password box and reenter it in the Confirm Password box if you want to encrypt the exported file. If you choose not to enter a password, the exported file is not encrypted.
5. Click Submit. If you did not enter a password, a message window appears confirming your choice.
6. Click OK. The File Download window appears showing the default filename.
7. Save the file.
8. Click Close.
The security file can be saved to a floppy disk or e-mailed to a remote VPN client. The SA must be enabled on the SonicWALL to export the configuration file.