SonicOS/X 7 IPSec VPN
- SonicOS and SonicOSX 7 IPSec VPN
- IPSec VPN Overview
- Site to Site VPNs
- VPN Auto Provisioning
- Rules and Settings
- Advanced
- DHCP over VPN
- L2TP Servers and VPN Client Access
- AWS VPN
- SonicWall Support
How VPN Auto Provisioning Works
There are two steps involved in VPN Auto Provisioning:
- SonicWall Auto Provisioning Server configuration for the central gateway, or VPN AP Server
- SonicWall Auto Provisioning Client configuration for the remote firewall, or VPN AP Client
Both are configured by adding a VPN policy on the NETWORK | IPSec VPN > Rules and Settings page.
In Server mode, you configure the Security Association (SA), Protected Networks, and other configuration fields as in a classic site-to-site VPN policy. In Client mode, limited configuration is needed. In most cases the remote firewall administrator simply needs to configure the IP address to connect to the peer server (central gateway), and then the VPN can be established.
SonicWall does not recommend configuring a single appliance as both an AP Server and an AP Client at the same time.
VPN Auto Provisioning is simple on the client side while still providing the essential elements of IP security:
| Access Control | Network access control is provided by the VPN AP Server. From the VPN AP Client perspective, destination networks are entirely under the control of the VPN AP Server administrator. However, a mechanism is provided to control access to VPN AP Client local networks. |
|---|---|
| Authentication | Authentication is provided with machine authentication credentials. In Phase 1 of the IPsec proposal, the Internet Key Exchange (IKE) protocol provides machine-level authentication with preshared keys or digital signatures. You can select one of these authentication methods when configuring the VPN policy. |
| For the preshared key authentication method, the administrator enters the VPN Auto Provisioning client ID and the key, or secret. For the digital signatures authentication method, the administrator selects the X.509 certificate which contains the client ID from the firewall’s local certificate store. The certificate must have been previously stored on the firewall. | |
| To increase security, user level credentials through XAUTH are supported. The user credentials are entered when adding the VPN policy. XAUTH extracts them as authorization records by using a key or magic cookie, rather than using a challenge/response mechanism in which a user dynamically enters a username and password. Besides providing additional authentication, the user credentials provide further access control to remote resources and/or a local proxy address used by the VPN AP Client. User credentials allow sharing of a single VPN AP Server policy among multiple VPN AP Client devices by differentiating the subsequent network provisioning. | |
| Data confidentiality and integrity | Data confidentiality and integrity are provided by Encapsulated Security Payload (ESP) crypto suite in Phase 2 of the IPsec proposal. |
When policy changes occur at the VPN AP Server that affect a VPN AP Client configuration, the VPN AP Server uses IKE re-key mechanisms to ensure that a new Security Association with the appropriate parameters is established.
Was This Article Helpful?
Help us to improve our support portal