SonicOS 7.1 IPSec VPN
- SonicOS 7.1
- About SonicOS
- IPSec VPN Overview
- Site to Site VPNs
- VPN Auto Provisioning
- Rules and Settings
- Advanced
- DHCP over VPN
- L2TP Servers and VPN Client Access
- AWS VPN
- SonicWall Support
Configuring with a Preshared Secret Key
To configure a VPN Policy using Internet Key Exchange (IKE) with a preshared secret key
- Navigate to NETWORK | IPSec VPN > Rules and Settings.
-
Click +Add to create a new policy or click the Edit icon if you are updating an existing policy.
-
From Policy Type on the General screen, select Site to Site.
-
From Authentication Method, select IKE using Preshared Secret.
-
Enter a name for the policy in the Name field.
-
Enter the host name or IP address of the remote connection in the IPsec Primary Gateway Name or Address field.
-
If the Remote VPN device supports more than one endpoint, enter a second host name or IP address of the remote connection in the IPsec Secondary Gateway Name or Address field (optional).
-
In the IKE Authentication section, in the Shared Secret and Confirm Shared Secret fields, enter a Shared Secret password. This is used to set up the SA (Security Association). The Shared Secret password must be at least four characters long, and should include both numbers and letters.
-
To see the shared secret key in both fields, clear the checkbox for Mask Shared Secret. By default, Mask Shared Secret is selected, which causes the shared secret key to be displayed as black circles.
-
Optionally, specify a Local IKE ID and Peer IKE ID for this Policy.
You can select from the following IDs from the drop-down menu:
- IPv4 Address
- Domain Name
- E-mail Address
- Firewall Identifier
- Key Identifier
By default, the IP Address (
ID_IPv4_ADDR
) is used for Main Mode negotiations, and the firewall Identifier (ID_USER_FQDN
) is used for Aggressive Mode. -
Enter the address, name, or ID in the Local IKE ID and Peer IKE ID fields.
-
Click Network.
-
Under Local Networks, select one of the following:
Choose local network from list Select a local network from the drop-down menu if a specific network can access the VPN tunnel. Any address Use this option if traffic can originate from any local network or if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.
DHCP over VPN is not supported with IKEv2.
-
Under Remote Networks, select one of the following:
Use this VPN Tunnel as default route for all Internet traffic Select this option if traffic from any local user cannot leave the firewall unless it is encrypted.
You can only configure one SA to use this setting.
Destination network obtains IP addresses using DHCP through this VPN Tunnel Select this option if the remote network requests IP addresses from a DHCP Server in the local network.
This option is only available if Main Mode or Aggressive Mode is selected on the Proposals tab.
Choose Destination network from list Select a remote network from the drop-down menu. Use IKEv2 IP Pool Select this option to support IKEv2 Config Payload.
This option is only available if IKEv2 Mode is selected on the Proposals tab.
-
Click Proposals.
-
Under IKE (Phase 1) Proposal, choose one of the following options from the Exchange drop-down menu:
Main Mode Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings. Aggressive Mode Generally used when WAN addressing is dynamically assigned. Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings. IKEv2 Mode Causes all negotiation to happen through IKEv2 protocols, rather than using IKEv1 phase 1.
If you select IKE v2 Mode, both ends of the VPN tunnel must use IKE v2. When selected, the DH Group, Encryption, and Authentication fields are dimmed and cannot be defined.
-
Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.
If IKEv2 Mode is selected for the Exchange field, the DH Group, Encryption, and Authentication fields are dimmed and no selection can be made for those options.
Be sure the Phase 1 values on the opposite side of the tunnel are configured to match.
-
For the DH Group, when in Main Mode or Aggressive Mode, you can select from several Diffie-Hellman exchanges:
Diffie-Hellman Groups Included in Suite B Cryptography Other Diffie-Hellman Options 256-bit Random ECP Group Group 1 384-bit Random ECP Group Group 2 521-bit Random ECP Group Group 5 192-bit Random ECP Group Group 14 224-bit Random ECP Group -
For the Encryption field, if Main Mode or Aggressive Mode was selected, choose 3DES, DES, AES-128 (default), AES-192, or AES-256 from the drop-down menu.
-
For the Authentication field, if Main Mode or Aggressive Mode was selected, choose SHA-1 (default), MD5, SHA256, SHA384, or SHA512 for enhanced authentication security.
-
For all Exchange modes, enter a value for Life Time (seconds). The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
-
-
Set the options in the IPsec (Phase 2) Proposal section. The default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, and Life Time (seconds) are acceptable for most VPN SA configurations.
Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.
-
If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography:
Suite B Cryptography Options Other Options AESGCM16-128 DES AESGCM16-192 3DES AESGCM16-256 AES-128 AESGMAC-128 AES-192 AESGMAC-192 AES-256 AESGMAC-256 None -
If you selected AH in the Protocol field, the Encryption field is dimmed and you cannot select any options.
Click Advanced.
Select any of the optional settings you want to apply to your VPN policy. The options change depending on options you selected in the Proposals screen.
Options | Main Mode or Aggressive Mode (See figure Advanced Settings for Main and Aggressive Modes below) | KEv2 Mode (See figure Advanced Settings for IKEv2 Mode below) |
---|---|---|
Advanced Settings | ||
Enable Keep Alive |
Select to use heartbeat messages between peers on this VPN tunnel if one end of the tunnel fails, using a keep-alive heartbeat allows automatic renegotiation of the tunnel after both sides are available again without having to wait for the proposed Life Time to expire. The Keep Alive option is disabled when the VPN policy is configured as a central gateway for DHCP over VPN or with a primary gateway name or address 0.0.0.0. |
Cannot be selected for IKEv2 mode. |
Suppress automatic Access Rules creation for VPN Policy | When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information. | When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information. |
Disable IPsec Anti-Replay | Anti-replay is a form of partial sequence integrity and it detects arrival of duplicate IP datagrams (within a constrained window). | Anti-replay is a form of partial sequence integrity and it detects arrival of duplicate IP datagrams (within a constrained window). |
Require authentication of VPN clients by XAUTH | Requires that all inbound traffic on this VPN policy is from a user authenticated by XAUTH/RADIUS. Unauthenticated traffic is not allowed on the VPN tunnel. | Not available in IKEv2 Mode. |
Enable Windows Networking (NetBIOS) Broadcast | Select to allow access to remote network resources by browsing the Windows Network Neighborhood. | Select to allow access to remote network resources by browsing the Windows Network Neighborhood. |
Enable Multicast | Select to allow multicasting traffic, such as streaming audio (including VoIP) and video application, to pass through the VPN tunnel. | Select to allow multicasting traffic, such as streaming audio (including VoIP) and video application, to pass through the VPN tunnel. |
WXA Group | Select None (default) or Group One. | Select None (default) or Group One. |
Display Suite B Compliant Algorithms Only | Select if you want to show only the Suite B compliant algorithms. | Select if you want to show only the Suite B compliant algorithms. |
Apply NAT Policies |
Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus. Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets. |
Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus. Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets. |
Management via this SA | Select any of HTTPS, SSH, or SNMP for this option to manage the local SonicWall firewall through the VPN tunnel. | Select any of HTTPS, SSH, or SNMP for this option to manage the local SonicWall firewall through the VPN tunnel. |
User login via this SA | Select HTTP, HTTPS, or both to allow users to login using the SA. HTTP user login is not allowed with remote authentication. | Select HTTP, HTTPS, or both to allow users to login using the SA. HTTP user login is not allowed with remote authentication. |
Default LAN Gateway (optional) | f you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network screen, under Remote Networks) enter the router address. | If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network screen, under Remote Networks) enter the router addr |
VPN Policy bound to | Select an interface or zone from the drop-down menu. Zone WAN is the preferred setting if you are using WAN load balancing and you want the VPN to use either WAN interface. Important: Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both. | Select an interface or zone from the drop-down menu. Zone WAN is the preferred setting if you are using WAN load balancing and you want the VPN to use either WAN interface. Important: Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both. |
Preempt Secondary Gateway | To preempt a second gateway after a specified time, select this checkbox and configure the desired time in the Primary Gateway Detection Interval (seconds) option. The default time is 28800 seconds, or 8 hours. | To preempt a second gateway after a specified time, select this checkbox and configure the desired time in the Primary Gateway Detection Interval (seconds) option. The default time is 28800 seconds, or 8 hours. |
IKEv2 Settings | ||
Do not send trigger packet during IKE SA negotiation | Not available in Main or Aggressive modes. | Is not selected (default). Should only be selected when required for interoperability if the peer cannot handle trigger packets. The recommended practice is to include trigger packets to help the IKEv2 Responder select the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it might be appropriate to disable the inclusion of trigger packets to some IKE peers. |
Accept Hash & URL Certificate Type | Not available in Main or Aggressive modes. | Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, sends a message to the peer device saying that HTTP certification look-up is supported. |
Send Hash & URL Certificate Type | Not available in Main or Aggressive modes. | Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, responds to the message from the peer device and confirms HTTP certification look-up is supported. |
Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.
Was This Article Helpful?
Help us to improve our support portal