SonicOS 7.1 IPSec VPN

Site to Site VPNs > Creating Site to Site VPN Policies > Configuring with a Manual Key
Table of Contents

Configuring with a Manual Key

You can manually define encryption keys for establishing an IPsec VPN tunnel. You define manual keys when you need to specify what the encryption or authentication key is (for example, when one of the VPN peers requires a specific key) or when you need to disable encryption and authentication.

To configure a VPN policy using Manual Key

  1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
  2. Click +Add to create a new policy or click the Edit icon if you are updating an existing policy.

  3. In the Authentication Method field, select Manual Key from drop-down menu. The window shows only the Manual Key options.

  4. Enter a name for the policy in the Name field.

  5. Enter the host name or IP address of the remote connection in the IPsec Gateway Name or Address field.

  6. Click Network.

  7. Under Local Networks, select one of these options:

    • If a specific local network can access the VPN tunnel, select a that local network from the Choose local network from list drop-down menu.
    • If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.

  8. Under Destination Networks, select one of these:

    • If traffic from any local user cannot leave the firewall unless it is encrypted, select Use this VPN Tunnel as default route for all Internet traffic.

      You can only configure one SA to use this setting.

    • Alternatively, select Choose Destination network from list, and select the address object or group.

  9. Click Proposals.

  10. Define an Incoming SPI and an Outgoing SPI. A Security Parameter Index (SPI) is hexadecimal and can range from 3 to 8 characters in length.

    Each Security Association (SA) must have unique SPIs; no two SAs can share the same SPIs. However, each SA Incoming SPI can be the same as the Outgoing SPI.

  11. The default values for Protocol, Encryption, and Authentication are acceptable for most VPN SA configurations; otherwise, select values from the drop-down menu.

    The values for Protocol, Encryption, and Authentication must match the values on the remote firewall.

    • If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography:
      • DES
      • 3DES
      • AES-128 (default)
      • AES-192
      • AES-256

      • None

    • If you selected AH in the Protocol field, the Encryption field is grayed out, and you cannot select any options.

  12. In the Encryption Key field, enter a 48-character hexadecimal encryption key or use the default value. This encryption key is used to configure the remote SonicWall encryption key, so write it down to use when configuring the remote firewall.

    Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption or authentication key, an error message is displayed at the bottom of the browser window.

  13. In the Authentication Key field, enter a 40-character hexadecimal authentication key or use the default value. Write down the key to use while configuring the firewall settings.

  14. Click Advanced.

  15. Select any of the following optional settings you want to apply to your VPN policy.

    Option Definition
    Suppress automatic Access Rules creation for VPN Policy When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information.
    Enable Windows Networking (NetBIOS) Broadcast Select to allow access to remote network resources by browsing the Windows Network Neighborhood.
    WXA Group Select None (default) or Group One.
    Apply NAT Policies

    Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus.

    Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both side of a tunnel use either the same or overlapping subnets.

    Informational videos with interface configuration examples are available online. For example, see How to Configure NAT over VPN in a Site to Site VPN with Overlapping Networks. Additional videos are available at: https://www.sonicwall.com/support/video-tutorials.
    Management via this SA Select HTTPS, SSH, SNMP or any combination of these three to manage the local SonicWall firewall through the VPN tunnel.
    User login via this SA

    Select HTTP, HTTPS, or both to allow users to log in using the SA.

    HTTP user login is not allowed with remote authentication.
    Default LAN Gateway (optional) If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network screen under Remote Networks) enter the router address.
    VPN Policy bound to

    Select an interface or zone from the drop-down menu.

    Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.
  16. Click OK.

  17. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.