• SonicOS and SonicOSX 7 IPSec VPN
• IPSec VPN Overview
  • About Virtual Private Networks
  • VPN Types
    • IPsec VPN
    • DHCP over VPN
    • L2TP with IPsec
    • SSL VPN
  • VPN Security
    • About IKEv1
    • About IKEv2
    • Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
    • About IPsec (Phase 2) Proposal
    • About Suite B Cryptography
  • VPN Base Settings and Displays
    • Policies
    • Active Tunnels
    • Settings
  • IPv6 VPN Configuration
• Site to Site VPNs
  • Planning Site to Site Configurations
  • General VPN Configuration
    • Configuring Settings on the General Tab
    • Configuring Settings on the Network Tab
    • Configuring Settings on the Proposals Tab
    • Configuring Settings on the Advanced Tab
  • Managing GroupVPN Policies
    • Configuring IKE Using a Preshared Secret Key
    • Configuring IKE Using 3rd Party Certificates
    • Downloading a GroupVPN Client Policy
  • Creating Site to Site VPN Policies
    • Configuring with a Preshared Secret Key
    • Configuring with a Manual Key
    • Configuring with a Third-Party Certificate
    • Configuring the Remote SonicWall Network Security Appliance
    • Configuring VPN Failover to a Static Route
• VPN Auto Provisioning
  • About VPN Auto Provisioning
    • Defining VPN Auto Provisioning
    • Benefits of VPN Auto Provisioning
    • How VPN Auto Provisioning Works
      • About Establishing the IKE Phase 1 Security Association
      • About Establishing IKE Phase 2 using a Provisioned Policy
  • Configuring a VPN AP Server
    • Starting the VPN AP Server Configuration
    • Configuring VPN AP Server Settings on General
    • Configuring VPN AP Server Settings on Network
    • Configuring Advanced Settings on Proposals
    • Configuring Advanced Settings on Advanced
  • Configuring a VPN AP Client
• Rules and Settings
  • Adding a Tunnel Interface
    • Creating a Static Route for the Tunnel Interface
  • Route Entries for Different Network Segments
  • Redundant Static Routes for a Network
• Advanced
  • Configuring Advanced VPN Settings
  • Configuring IKEv2 Settings
  • Using OCSP with SonicWall Network Security Appliances
    • OpenCA OCSP Responder
    • Loading Certificates to Use with OCSP
    • Using OCSP with VPN Policies
• DHCP over VPN
  • DHCP Relay Mode
  • Configuring the Central Gateway for DHCP Over VPN
  • Configuring DHCP over VPN Remote Gateway
  • Current DHCP over VPN Leases
• L2TP Servers and VPN Client Access
  • Configuring the L2TP Server
  • Viewing Currently Active L2TP Sessions
  • Configuring Microsoft Windows L2TP VPN Client Access
  • Configuring Google Android L2TP VPN Client Access
• AWS VPN
  • Overview
  • Creating a New VPN Connection
  • Reviewing the VPN Connection
    • Configuration on the Firewall
    • Configuration on Amazon Web Services
  • Route Propagation
  • AWS Regions
  • Deleting VPN Connections
• SonicWall Support
  • About This Document

Configuring with a Manual Key

You can manually define encryption keys for establishing an IPsec VPN tunnel. You define manual keys when you need to specify what the encryption or authentication key is (for example, when one of the VPN peers requires a specific key) or when you need to disable encryption and authentication.

To configure a VPN policy using Manual Key

1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
2. Click +Add to create a new policy or click the Edit icon if you are updating an existing policy.

3. In the Authentication Method field, select Manual Key from drop-down menu. The window shows only the Manual Key options.

   

4. Enter a name for the policy in the Name field.

5. Enter the host name or IP address of the remote connection in the IPsec Gateway Name or Address field.

6. Click Network.

   

7. Under Local Networks, select one of these options:

   • If a specific local network can access the VPN tunnel, select a that local network from the Choose local network from list drop-down menu.
   • If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.

8. Under Destination Networks, select one of these:

   • If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic.

     You can only configure one SA to use this setting.

   • Alternatively, select Choose Destination network from list, and select the address object or group.

9. Click Proposals.

   

10. Define an Incoming SPI and an Outgoing SPI. A Security Parameter Index (SPI) is hexadecimal and can range from 3 to 8 characters in length.

    Each Security Association (SA) must have unique SPIs; no two SAs can share the same SPIs. However, each SA Incoming SPI can be the same as the Outgoing SPI.

11. The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA configurations; otherwise, select values from the drop-down menu.

    The values for Protocol, Encryption, and Authentication must match the values on the remote firewall.

    • If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography:
      • DES
      • 3DES
      • AES-128 (default)
      • AES-192
      • AES-256

      • None

    • If you selected AH in the Protocol field, the Encryption field is grayed out, and you cannot select any options.

12. In the Encryption Key field, enter a 48-character hexadecimal encryption key or use the default value. This encryption key is used to configure the remote SonicWall encryption key, so write it down to use when configuring the remote firewall.

    Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption or authentication key, an error message is displayed at the bottom of the browser window.

13. In the Authentication Key field, enter a 40-character hexadecimal authentication key or use the default value. Write down the key to use while configuring the firewall settings.

14. Click Advanced.

    

15. Select any of the following optional settings you want to apply to your VPN policy.

    Option	Definition
    Suppress automatic Access Rules creation for VPN Policy	When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information.
    Enable Windows Networking (NetBIOS) Broadcast	Select to allow access to remote network resources by browsing the Windows Network Neighborhood.
    WXA Group	Select None (default) or Group One.
    Apply NAT Policies	Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus. Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both side of a tunnel use either the same or overlapping subnets. Informational videos with interface configuration examples are available online. For example, see How to Configure NAT over VPN in a Site to Site VPN with Overlapping Networks. Additional videos are available at: https://www.sonicwall.com/support/video-tutorials.
    Management via this SA	Select HTTPS, SSH, SNMP or any combination of these three to manage the local SonicWall firewall through the VPN tunnel.
    User login via this SA	Select HTTP, HTTPS, or both to allow users to log in using the SA. HTTP user login is not allowed with remote authentication.
    Default LAN Gateway (optional)	If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network screen under Remote Networks) enter the router address.
    VPN Policy bound to	Select an interface or zone from the drop-down menu. Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.

16. Click OK.

17. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.