• SonicOS and SonicOSX 7 IPSec VPN
• IPSec VPN Overview
  • About Virtual Private Networks
  • VPN Types
    • IPsec VPN
    • DHCP over VPN
    • L2TP with IPsec
    • SSL VPN
  • VPN Security
    • About IKEv1
    • About IKEv2
    • Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
    • About IPsec (Phase 2) Proposal
    • About Suite B Cryptography
  • VPN Base Settings and Displays
    • Policies
    • Active Tunnels
    • Settings
  • IPv6 VPN Configuration
• Site to Site VPNs
  • Planning Site to Site Configurations
  • General VPN Configuration
    • Configuring Settings on the General Tab
    • Configuring Settings on the Network Tab
    • Configuring Settings on the Proposals Tab
    • Configuring Settings on the Advanced Tab
  • Managing GroupVPN Policies
    • Configuring IKE Using a Preshared Secret Key
    • Configuring IKE Using 3rd Party Certificates
    • Downloading a GroupVPN Client Policy
  • Creating Site to Site VPN Policies
    • Configuring with a Preshared Secret Key
    • Configuring with a Manual Key
    • Configuring with a Third-Party Certificate
    • Configuring the Remote SonicWall Network Security Appliance
    • Configuring VPN Failover to a Static Route
• VPN Auto Provisioning
  • About VPN Auto Provisioning
    • Defining VPN Auto Provisioning
    • Benefits of VPN Auto Provisioning
    • How VPN Auto Provisioning Works
      • About Establishing the IKE Phase 1 Security Association
      • About Establishing IKE Phase 2 using a Provisioned Policy
  • Configuring a VPN AP Server
    • Starting the VPN AP Server Configuration
    • Configuring VPN AP Server Settings on General
    • Configuring VPN AP Server Settings on Network
    • Configuring Advanced Settings on Proposals
    • Configuring Advanced Settings on Advanced
  • Configuring a VPN AP Client
• Rules and Settings
  • Adding a Tunnel Interface
    • Creating a Static Route for the Tunnel Interface
  • Route Entries for Different Network Segments
  • Redundant Static Routes for a Network
• Advanced
  • Configuring Advanced VPN Settings
  • Configuring IKEv2 Settings
  • Using OCSP with SonicWall Network Security Appliances
    • OpenCA OCSP Responder
    • Loading Certificates to Use with OCSP
    • Using OCSP with VPN Policies
• DHCP over VPN
  • DHCP Relay Mode
  • Configuring the Central Gateway for DHCP Over VPN
  • Configuring DHCP over VPN Remote Gateway
  • Current DHCP over VPN Leases
• L2TP Servers and VPN Client Access
  • Configuring the L2TP Server
  • Viewing Currently Active L2TP Sessions
  • Configuring Microsoft Windows L2TP VPN Client Access
  • Configuring Google Android L2TP VPN Client Access
• AWS VPN
  • Overview
  • Creating a New VPN Connection
  • Reviewing the VPN Connection
    • Configuration on the Firewall
    • Configuration on Amazon Web Services
  • Route Propagation
  • AWS Regions
  • Deleting VPN Connections
• SonicWall Support
  • About This Document

Configuring VPN AP Server Settings on General

To configure VPN AP server settings on the General screen

1. In the Name field, type in a descriptive name for the VPN policy.

2. For Authentication Method, select either:

   • Preshared Secret – Uses the VPN Auto Provisioning client ID and shared secret that you enter next. This option is selected by default. Proceed to Step 3.

   • Certificate – Uses the X.509 certificate that you select next (the certificate must have been previously stored on the appliance). Skip to Step 9.

     If VPN AP Server policies are to be shared (as in hub-and-spoke deployments), SonicWall recommends using X.509 certificates to provide true authentication and prevent man-in-the-middle attacks.

3. If you selected Preshared Secret for the Authentication Method, then under SonicWall Settings, type the VPN Auto Provisioning client ID into the VPN AP Client ID field.This field is automatically populated with the value you entered into the Name field, but it can be changed.

   This VPN policy value has to match at both the AP Server and AP Client side. A single AP Server policy can also be used to terminate multiple AP Clients.

4. Check the box for Use Default Provisioning Key to allow VPN AP Clients to use the default key known to all SonicWall appliances for the initial Security Association. After the SA is established, the Preshared Secret configured on the VPN AP Server is provisioned to the VPN AP Client for future use.

   If this checkbox is cleared, VPN AP Clients must use the configured Shared Secret. This allows the administrator to modify the configured Shared Secret on the VPN AP Server only and then briefly allow Default Provisioning Key use to update the VPN AP Clients with the new Shared Secret value.

   For best security, SonicWall recommends that the Default Provisioning Key option is only enabled for a short time during which the VPN AP Client can be provisioned with the Shared Secret while under administrative scrutiny.

5. If you want, clear the Mask Shared Secret checkbox before typing anything into the Shared Secret field. This checkbox is selected by default, which hides typed characters. If this checkbox is reselected, then the values from the Shared Secret field are automatically copied to the Confirm Shared Secret field.

6. In the Shared Secret field, type in the shared secret key. A minimum of four characters is required.

   If Use Default Provisioning Key is checked, the Preshared Secret configured on the VPN AP Server is provisioned to the VPN AP Clients. If Use Default Provisioning Key is cleared, then this shared secret must also be configured on the VPN AP Clients.

7. In the Confirm Shared Secret field, type in the shared secret again. It must match the value entered in the Shared Secret field.
8. Go to Step 12.

9. If you selected Certificate for the Authentication Method, then under SonicWall Settings select the desired certificate from the Local Certificate drop-down menu.

   

10. Select one of the following from the VPN AP Client ID Type drop-down menu:

    • Distinguished name (DN)
    • E-Mail ID (UserFQDN)
    • Domain name (FQDN)

    • IP Address (IPV4)

11. In the VPN AP Client ID Filter, type in a matching string or filter to be applied to the Certificate ID presented during IKE negotiation.

12. Continue to Configuring VPN AP Server Settings on Network.