SonicOS 7.1 IPSec VPN
- SonicOS 7.1
- About SonicOS
- IPSec VPN Overview
- Site to Site VPNs
- VPN Auto Provisioning
- Rules and Settings
- Advanced
- DHCP over VPN
- L2TP Servers and VPN Client Access
- AWS VPN
- SonicWall Support
Configuring VPN AP Server Settings on Network
To configure VPN AP server settings on the Network screen
- Navigate to the NETWORK | IPSec VPN > Rules and Settings page.
- Select IPv4 for the IP Version.
- Click +Add. The VPN Policy dialog displays.
- On the General tab, select SonicWall Auto Provisioning Server for the Authentication Method.
-
Click the Network tab.
-
Under Local Networks, select Require Authentication of VPN AP Clients via XAUTH to force the use of user credentials for added security when establishing the SA.
-
If the XAUTH option is enabled, select the user group for the allowed users from the User Group for XAUTH Users drop-down menu. You can select an existing group such as Trusted Users or another standard group, or select Create a new user group to create a custom group.
For each authenticated user, the authentication service returns one or more network addresses which are sent to the VPN AP Client during the provisioning exchange.
If XAUTH is enabled and a user group is selected, the user on the VPN AP Client side must meet the following conditions for authentication to succeed:
-
The user must belong to the selected user group.
-
The user can pass the authentication method configured in DEVICE | Users > Settings | User Authentication Method.
-
The user has VPN access privileges.
-
-
If the XAUTH option is disabled, select a network address object or group from the Allow Unauthenticated VPN AP Client Access drop-down menu, or select Create a new address object/group to create a custom object or group. The selected object defines the list of addresses and domains that can be accessed through this VPN connection. It is sent to the VPN AP Client during the provisioning exchange and then used as the VPN AP Client's remote proxy ID.
-
Under Remote Networks, select one of the following radio buttons and choose from the associated list, if applicable:
- Choose destination network from list – Select a network object from the drop-down menu of remote address objects that are actual routable networks at the VPN AP Client side, or create a custom object.
VPN Auto Provisioning does not support using a “super network” that includes all the AP Clients’ protected subnets. To allow multiple AP Clients with different protected subnets to connect to the same AP Server, configure an Address Group that includes all of the AP Clients’ protected subnets and use that in the Choose destination network from list field. This Address Group must be kept up to date as new AP Clients are added.
-
Obtain NAT Proxy via Authentication Service – Select this option to have the RADIUS server return a Framed-IP Address attribute for the user, which is used by the VPN AP Client to NAT its internal addresses before sending traffic down the IPsec tunnel.
-
Choose NAT Pool – Select a network object from the drop-down menu, or create a custom object. The chosen object specifies a pool of addresses to be assigned to the VPN AP Client for use with NAT. The client translates its internal address to an address in the NAT pool before sending traffic down the IPsec tunnel.
When deploying VPN Auto Provisioning, you should allocate a large enough NAT IP address pool for all the existing and expected VPN AP Clients. Otherwise, additional VPN AP Clients cannot work properly if all the IP addresses in the pool have already been allocated.
Configuring a large IP pool does not consume more memory than a small pool, so it is safe and a best practice to allocate a large enough pool to provide redundancy.
-
Continue to Configuring Advanced Settings on Proposals.
Was This Article Helpful?
Help us to improve our support portal