Configuring IKE Using 3rd Party Certificates

Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the firewall.

To configure GroupVPN with IKE using 3rd Party Certificates

1. Navigate to NETWORK | IPSec VPN > Rules and Settings.

2. Click the Edit icon for the WAN GroupVPN policy.

   

3. In the Security Policy section, select IKE using 3rd Party Certificates from the Authentication Method drop-down menu.

   The VPN policy name is GroupVPN by default and cannot be changed.

4. Select a certificate for the firewall from the Gateway Certificate drop-down menu.

   If you did not download your third-party certificates before starting this procedure, the Gateway Certificates field shows - No verified third-party certs.

5. In the Peer Certificates section, select one of the following from the Peer ID Type drop-down menu:

   Distinguished Name	Based on the certificate’s Subject Distinguished Name field, which is contained on all certificates by default and is set by the issuing Certificate Authority. The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), Locality (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub. Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, for example, c=us.
   E-mail ID	E-mail ID and Domain ID are based on the certificate’s Subject Alternative Name field, which is not contained on all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter does not work.
   Domain ID

6. Enter the Peer ID filter in the Peer ID Filter field.

   The Email ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wild card characters * (for more than 1 character) and? (for a single character). For example, when Email ID is selected, the string *@SonicWall.com allows anyone with an email address that ended in @SonicWall.com to have access; when Domain Name is selected, the string *sv.us.SonicWall.com allows anyone with a domain name that ended in sv.us.SonicWall.com to have access.

7. Select Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu.

8. Click Proposals.

   

9. In the IKE (Phase 1) section, select the following settings:

   1. For DH Group, select Group 1, Group 2 (default), Group 5, or Group 14.

      The Windows XP L2TP client only works with DH Group 2.

   2. For Encryption, select DES, 3DES (default), AES-128, AES-192, or AES-256.

   3. For Authentication, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384,SHA512, AES-XCBC, or None.

   4. In the Life Time (seconds) field, enter a value. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

10. In the IPsec (Phase 2) section, select the following settings:

    1. For Protocol, select ESP (default).

    2. For Encryption, select 3DES (default), AES-128, AES-192, or AES-256.

    3. For Authentication, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384,SHA512, AES-XCBC, or None

    4. Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.

    5. Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

11. Click Advanced.

    

12. Select any of the following optional settings that you want to apply to your GroupVPN Policy:

    Disable IPsec Anti-Replay	Anti-Replay is a form of partial sequence integrity and it detects arrival of duplicated I datagrams (within a constrained window).
    Enable Multicast	Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
    Accept Multiple Proposal fro Clients	Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal or the IKE (Phase 2) Proposal, to be accepted.
    Enable IKE Mode Configuration	Allows SonicOS/X to assign internal IP address, DNS Server or WINS Server to Third-Party Clients like iOS devices or Avaya IP Phones.
    Management via this SA	If using the VPN policy to manage the firewall, select one or more management methods, HTTP, SSH, or HTTPS. SSH is valid for IPv4 only.
    Default Gateway	Used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA checkbox. Default LAN Gateway allows you to specify the IP address of the default LAN route for incoming IPsec packets for this SA. Incoming packets are decoded by the firewall and compared to static routes configured in the firewall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPsec tunnel, the firewall looks up a route for the LAN. If no route is found, the firewall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
    Enable OCSP Checking and OCSP Responder URL	Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status.
    Require Authentication of VPN Clients via XAUTH	Requires that all inbound traffic on this VPN policy is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
    User group for XAUTH users	Allows you to select a defined user group for authentication.
    Allow Unauthenticated VPN Client Access	Allows you to specify network segments for unauthenticated Global VPN Client access.

13. Click Client.

    

14. Select any of the following boxes that you want to apply to Global VPN Client provisioning:

    Cache XAUTH User Name and Password	Allows the Global VPN Client to cache the user name and password: Choose Never to prohibit the Global VPN Client from caching the username and password. The user is prompted for a username and password when the connection is enabled and also every time there is an IKE phase 1 rekey. Choose Single Session to prompt the user for username and password each time the connection is enabled, which is valid until the connection is disabled. This username and password is used through IKE phase 1 rekey. Choose Always to prompt the user for username and password only once when the connection is enabled. When prompted, the user is given the option of caching the username and password.
    Virtual Adapter Settings	The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS/X or a specified external DHCP server, to allocate addresses to the Virtual Adapter. In instances where predictable addressing is a requirement, obtain the MAC address of the Virtual Adapter, and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration. This feature requires the use of SonicWall GVC. Choose None to not use the Virtual Adapter by this GroupVPN connection. Choose DHCP Lease to have the Virtual Adapter obtain its IP configuration from the DHCP Server only, as configured in the VPN > DHCP over VPN page. Choose DHCP Lease or Manual Configuration and when the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so that it can proxy ARP for the manually assigned IP address. By design, IP address assignments currently has no limitations on for the Virtual Adapter. Only duplicate static addresses are not permitted.
    Allow Connections to	Client network traffic that matches the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. Select one of the following options: This Gateway Only allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked. All Secured Gateways allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected along without Set Default Route as this Gateway, the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled. Only one of the multiple gateways can have Set Default Route as this Gateway enabled. Split Tunnels allows the VPN user to have both local Internet connectivity and VPN connectivity. This is the default.
    Set Default Route as this Gateway	Enable this checkbox if all remote VPN connections access the Internet through this SA. You can only configure one SA to use this setting.
    Apply VPN Access Control List	Enable this option to control client connections with an access control list.
    Use Default Key for Simple Client Provisioning	Uses Aggressive mode for the initial exchange with the gateway and VPN clients uses a default Preshared Key for authentication.

15. Click Ok.

16. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.