Configuring Advanced VPN Settings

Advanced VPN Settings globally affect all VPN policies. This section also provides solutions for Online Certificate Status Protocol (OCSP). OCSP allows you to check VPN certificate status without Certificate Revocation Lists (CRLs). This allows timely updates regarding the status of the certificates used on your firewall.

• Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the firewall.
  • Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds.
  • Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the firewall. The firewall uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
  • Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want idle VPN connections to be dropped by the firewall after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).
• Enable Fragmented Packet Handling - If the VPN log report shows the log message Fragmented IPsec packet dropped, select this feature. Do not select it until the VPN tunnel is established and in operation.
  • Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications can explicitly set the ‘Don’t Fragment’ option in a packet, which tells all security appliances to not fragment the packet. This option, when enabled, causes the firewall to ignore the option and fragment the packet regardless.
• Enable NAT Traversal - Select this setting if a NAT device is located between your VPN endpoints. IPsec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a dynamic NAT binding for the life of an IPsec session, a 1-byte UDP is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The “keepalive” is silently discarded by the IPsec peer.
• Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address - Breaks down SAs associated with old IP addresses and reconnects to the peer gateway.
• Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status. See Using OCSP with SonicWall Network Security Appliances.
• Send VPN Tunnel Traps only when tunnel status changes - Reduces the number of VPN tunnel traps that are sent by only sending traps when the tunnel status changes.
  • Use RADIUS in - The primary reason for choosing this option is so that VPN client users can make use of the MSCHAP feature to allow them to change expired passwords at login time. When using RADUIS to authenticate VPN client users, select whether RADIUS is used in one of these modes:
    • MSCHAP

    • MSCHAPv2 mode for XAUTH (allows users to change expired passwords)

    Also, if this is set and LDAP is selected as the Authentication method for login on the DEVICE | Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for VPN client users are done using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

    Password updates can only be done by LDAP when using either:

    • Active Directory with TLS and binding to it using an administrative account
      
    • Novell eDirectory.

• DNS and WINS Server Settings for VPN Client – To configure DNS and WINS server settings for Client, such as a third-party VPN Client through GroupVPN, or a Mobile IKEv2 Client, click Configure. The Add VPN DNS And WINS Server dialog displays.

  

  • DNS Servers – Select whether to specify the DNS servers dynamically or manually:

    • Inherit DNS Settings Dynamically from the SonicWall’s DNS settings – The SonicWall appliance obtains the DNS server IP addresses automatically.

    • Specify Manually – Enter up to three DNS server IP addresses in the DNS Server 1/3 fields.

  • WINS Servers – Enter up to two WINS server IP address in the WINS Server 1/2 fields.