SonicOS 7.1 IPSec VPN

Site to Site VPNs > Managing GroupVPN Policies > Configuring IKE Using a Preshared Secret Key
Table of Contents

Configuring IKE Using a Preshared Secret Key

To configure the WAN GroupVPN using a preshared secret key

  1. Navigate to NETWORK | IPSec VPN > Rules and Settings.

  2. Click the Edit icon for the WAN GroupVPN policy.

    On the General tab, IKE using Preshared Secret is the default setting for Authentication Method. A shared secret code is automatically generated by the firewall and written in the Shared Secret field. You can generate your own shared secret. A self-defined shared secret code must be a minimum of four characters.

    You cannot change the name of any GroupVPN policy.

  3. Click Proposals to continue the configuration process.

  4. In the IKE (Phase 1) Proposal section, select the following settings:

    • Select Group 2 (default) from the DH Group drop-down menu.

      The Windows XP L2TP client only works with DH Group 2.

    • In the Encryption drop-down menu, select DES, 3DES (default), AES-128, AES-192, or AES-256.

    • From the Authentication drop-down menu, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, or SHA512.

    • In the Life Time (seconds) field, enter a value. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

  5. In the IPsec (Phase 2) Proposal section, select the following settings:

    • From the Protocol drop-down menu, select ESP (default).
    • In the Encryption drop-down menu, select 3DES (default), AES-128, AES-192, or AES-256.
    • In the Authentication drop-down menu, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.
    • Check Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.
    • Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

  6. Click Advanced.

  7. Select any of the following optional settings you want to apply to your GroupVPN policy:

    Advanced Settings  
    Disable IPsec Anti-Replay Stops packets with duplicate sequence numbers from being dropped.
    Enable Multicast Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
    Accept Multiple Proposals for Clients Allows multiple proposals for clients, such as the IKE (Phase 1) Proposal or the IKE (Phase 2) Proposal, to be accepted.
    Enable IKE Mode Configuration Allows SonicOS to assign internal IP address, DNS Server, or WINS Server to third-party clients, like iOS devices or Avaya IP phones.
    Management via this SA: If using the VPN policy to manage the firewall, select the management method, either HTTP, SSH, or HTTPS.
    NOTE: SSH is valid for IPv4 only.
    Default Gateway Allows you to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the firewall and compared to static routes configured in the firewall. As packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPsec tunnel, the firewall looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
    Client Authentication  
    Require Authentication of VPN Clients via XAUTH Requires that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted users group is selected by default. You can select another user group or Everyone from User Group for XAUTH users from the User group for XAUTH users menu.
    Allow Unauthenticated VPN Client Access Allows you to enable unauthenticated VPN client access. If you clear Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from menu of predefined options, or select Create new address object or Create new address group to create a new one.

  8. Click Client.

  9. Select any of the following settings you want to apply to your GroupVPN policy.

    User Name and Password Caching
    Cache XAUTH User Name and Password on Client

    Allows the Global VPN Client to cache the user name and password:

    • If Never is selected, the Global VPN Client is not allowed to cache the username and password. The user is prompted for a username and password when the connection is enabled and also every time there is an IKE Phase 1 rekey. This is the default.
    • If Single Session is selected, the Global VPN Client user is prompted for username and password each time the connection is enabled and is valid until the connection is disabled. The username and password is used through IKE Phase 1 rekey.
    • If Always is selected Global VPN Client user prompted for username and password only once when the connection is enabled. When prompted, the user is given the option of caching the username and password.
    Client Connections
    Virtual Adapter Settings

    The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS or a specified external DHCP server, to allocate addresses to the Virtual Adapter. In instances where predictable addressing is a requirement, obtain the MAC address of the Virtual Adapter and to create a DHCP lease reservation. To reduce the administrative burden of providing predictable Virtual Adapter addressing, you can configure the GroupVPN to accept static addressing of the Virtual Adapter's IP configuration.

    This feature requires the use of SonicWall GVC.

    Select one of the following:

    Choose None if a Virtual Adapter is not used by this GroupVPN connection. This is the default.

    Choose DHCP Lease if the Virtual Adapter obtains its IP configuration from the DHCP Server only, as configured in the VPN > DHCP over VPN page.

    Choose DHCP Lease or Manual Configuration when the GVC connects to the firewall, the policy from the firewall instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured. The configured value is recorded by the firewall so it can proxy ARP for the manually assigned IP address. By design, the Virtual Adapter currently has no limitations on IP address assignments. Only duplicate static addresses are not permitted.
    Allow Connections to

    Client network traffic that matches the destination networks of each gateway is sent through the VPN tunnel of that specific gateway. Select one of the following:

    • This Gateway Only allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.

    • All Secured Gateways allows one or more connections to be enabled at the same time. Traffic matching the destination networks of each gateway is sent through the VPN tunnel of that specific gateway.

      If this option is selected along with Set Default Route as this Gateway, Internet traffic is also sent through the VPN tunnel.

    • If this option is selected along without Set Default Route as this Gateway, the Internet traffic is blocked. Only one of the multiple gateways can have Set Default Route as this Gateway enabled.
    • Split Tunnels allows the VPN user to have both local Internet connectivity and VPN connectivity. This is the default.
    Set Default Route as this Gateway Select this checkbox if all remote VPN connections access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting. By default, this option is not enabled.
    Apply VPN Access Control List Select this checkbox to apply the VPN access control list. When this option is enabled, specified users can access only those networks configured for them. This option is not enabled by default.
    Client Initial Provisioning
    Use Default Key for Simple Client Provisioning Uses Aggressive mode for the initial exchange with the gateway, and VPN clients uses a default Preshared Key for authentication. This option is not enabled by default.

  10. Click OK.

  11. Click ACCEPT on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.