• SonicOS and SonicOSX 7 IPSec VPN
• IPSec VPN Overview
  • About Virtual Private Networks
  • VPN Types
    • IPsec VPN
    • DHCP over VPN
    • L2TP with IPsec
    • SSL VPN
  • VPN Security
    • About IKEv1
    • About IKEv2
    • Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
    • About IPsec (Phase 2) Proposal
    • About Suite B Cryptography
  • VPN Base Settings and Displays
    • Policies
    • Active Tunnels
    • Settings
  • IPv6 VPN Configuration
• Site to Site VPNs
  • Planning Site to Site Configurations
  • General VPN Configuration
    • Configuring Settings on the General Tab
    • Configuring Settings on the Network Tab
    • Configuring Settings on the Proposals Tab
    • Configuring Settings on the Advanced Tab
  • Managing GroupVPN Policies
    • Configuring IKE Using a Preshared Secret Key
    • Configuring IKE Using 3rd Party Certificates
    • Downloading a GroupVPN Client Policy
  • Creating Site to Site VPN Policies
    • Configuring with a Preshared Secret Key
    • Configuring with a Manual Key
    • Configuring with a Third-Party Certificate
    • Configuring the Remote SonicWall Network Security Appliance
    • Configuring VPN Failover to a Static Route
• VPN Auto Provisioning
  • About VPN Auto Provisioning
    • Defining VPN Auto Provisioning
    • Benefits of VPN Auto Provisioning
    • How VPN Auto Provisioning Works
      • About Establishing the IKE Phase 1 Security Association
      • About Establishing IKE Phase 2 using a Provisioned Policy
  • Configuring a VPN AP Server
    • Starting the VPN AP Server Configuration
    • Configuring VPN AP Server Settings on General
    • Configuring VPN AP Server Settings on Network
    • Configuring Advanced Settings on Proposals
    • Configuring Advanced Settings on Advanced
  • Configuring a VPN AP Client
• Rules and Settings
  • Adding a Tunnel Interface
    • Creating a Static Route for the Tunnel Interface
  • Route Entries for Different Network Segments
  • Redundant Static Routes for a Network
• Advanced
  • Configuring Advanced VPN Settings
  • Configuring IKEv2 Settings
  • Using OCSP with SonicWall Network Security Appliances
    • OpenCA OCSP Responder
    • Loading Certificates to Use with OCSP
    • Using OCSP with VPN Policies
• DHCP over VPN
  • DHCP Relay Mode
  • Configuring the Central Gateway for DHCP Over VPN
  • Configuring DHCP over VPN Remote Gateway
  • Current DHCP over VPN Leases
• L2TP Servers and VPN Client Access
  • Configuring the L2TP Server
  • Viewing Currently Active L2TP Sessions
  • Configuring Microsoft Windows L2TP VPN Client Access
  • Configuring Google Android L2TP VPN Client Access
• AWS VPN
  • Overview
  • Creating a New VPN Connection
  • Reviewing the VPN Connection
    • Configuration on the Firewall
    • Configuration on Amazon Web Services
  • Route Propagation
  • AWS Regions
  • Deleting VPN Connections
• SonicWall Support
  • About This Document

Configuring IKE Using a Preshared Secret Key

To configure the WAN GroupVPN using a preshared secret key

1. Navigate to NETWORK | IPSec VPN > Rules and Settings.

2. Click the Edit icon for the WAN GroupVPN policy.

   

   On the General tab, IKE using Preshared Secret is the default setting for Authentication Method. A shared secret code is automatically generated by the firewall and written in the Shared Secret field. You can generate your own shared secret. A self-defined shared secret code must be a minimum of four characters.

   You cannot change the name of any GroupVPN policy.

3. Click Proposals to continue the configuration process.

   

4. In the IKE (Phase 1) Proposal section, select the following settings:

   • Select Group 2 (default) from the DH Group drop-down menu.

     The Windows XP L2TP client only works with DH Group 2.

   • In the Encryption drop-down menu, select DES, 3DES (default), AES-128, AES-192, or AES-256.

   • From the Authentication drop-down menu, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, or SHA512.

   • In the Life Time (seconds) field, enter a value. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

5. In the IPsec (Phase 2) Proposal section, select the following settings:

   • From the Protocol drop-down menu, select ESP (default).
   • In the Encryption drop-down menu, select 3DES (default), AES-128, AES-192, or AES-256.
   • In the Authentication drop-down menu, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.
   • Check Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
   • Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

6. Click Advanced.

   

7. Select any of the following optional settings you want to apply to your GroupVPN policy:

   Advanced Settings
   Disable IPsec Anti-Replay	Stops packets with duplicate sequence numbers from being dropped.
   Enable Multicast	Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
   Accept Multiple Proposals for Clients	Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal or the IKE (Phase 2) Proposal, to be accepted.
   Enable IKE Mode Configuration	Allows SonicOS/X to assign internal IP address, DNS Server, or WINS Server to third-party clients, like iOS devices or Avaya IP phones.
   Management via this SA:	If using the VPN policy to manage the firewall, select the management method, either HTTP, SSH, or HTTPS. NOTE: SSH is valid for IPv4 only.
   Default Gateway	Allows you to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the firewall and compared to static routes configured in the firewall. As packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPsec tunnel, the firewall looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
   Client Authentication
   Require Authentication of VPN Clients via XAUTH	Requires that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted users group is selected by default. You can select another user group or Everyone from User Group for XAUTH users from the User group for XAUTH users menu.
   Allow Unauthenticated VPN Client Access	Allows you to enable unauthenticated VPN client access. If you clear Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from menu of predefined options, or select Create new address object or Create new address group to create a new one.

8. Click Client.

   

9. Select any of the following settings you want to apply to your GroupVPN policy.

   User Name and Password Caching

   Cache XAUTH User Name and Password on Client

   Allows the Global VPN Client to cache the user name and password: If Never is selected, the Global VPN Client is not allowed to cache the username and password. The user is prompted for a username and password when the connection is enabled and also every time there is an IKE Phase 1 rekey. This is the default. If Single Session is selected, the Global VPN Client user is prompted for username and password each time the connection is enabled and is valid until the connection is disabled. The username and password is used through IKE Phase 1 rekey. If Always is selected Global VPN Client user prompted for username and password only once when the connection is enabled. When prompted, the user is given the option of caching the username and password.

   Client Connections

   Virtual Adapter Settings	The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS/X or a specified external DHCP server, to allocate addresses to the Virtual Adapter. In instances where predictable addressing is a requirement, obtain the MAC address of the Virtual Adapter and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, you can configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration. This feature requires the use of SonicWall GVC. Select one of the following: Choose None if a Virtual Adapter is not used by this GroupVPN connection. This is the default. Choose DHCP Lease if the Virtual Adapter obtains its IP configuration from the DHCP Server only, as configured in the VPN > DHCP over VPN page. Choose DHCP Lease or Manual Configuration when the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so it can proxy ARP for the manually assigned IP address. By design, the Virtual Adapter currently has no limitations on IP address assignments. Only duplicate static addresses are not permitted.
   Allow Connections to	Client network traffic that matches the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. Select one of the following: This Gateway Only allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked. All Secured Gateways allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel. If this option is selected along without Set Default Route as this Gateway, the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled. Split Tunnels allows the VPN user to have both local Internet connectivity and VPN connectivity. This is the default.
   Set Default Route as this Gateway	Select this checkbox if all remote VPN connections access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting. By default, this option is not enabled.
   Apply VPN Access Control List	Select this checkbox to apply the VPN access control list. When this option is enabled, specified users can access only those networks configured for them. This option is not enabled by default.

   Client Initial Provisioning

   Use Default Key for Simple Client Provisioning

   Uses Aggressive mode for the initial exchange with the gateway, and VPN clients uses a default Preshared Key for authentication. This option is not enabled by default.

10. Click OK.

11. Click ACCEPT on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.