Manualshelf

User's Manual Part 4

ManualsBrandsSonicwall ManualsElectronicsTA 170
11121314151617181920
VPN Page 37
Note:
You can add additional networks by editing the VPN policy after it is created in the VPN Policy Wizard.
5. Select Manual Key from the IPSec Keying Modes list. Click Next.
6. Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcedf) and
can range from 3 to 8 characters in length. Or use the default values.
Alert!
Each Security Association must have unique SPIs; no two Security Associations can share the same
SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.
ESP is selected by default from the Protocol menu. ESP is more secure than AH, but AH requires
less processing overhead.
3DES is selected by default from the Encryption Method menu. Enter a 48-character hexadecimal
key if you are using 3DES encryption.Enter a 16-character hexadecimal key in the Encryption Key
field if you are using DES or ARCFour encryption. This encryption key must match the remote
SonicWALL's encryption key.
The default 48-character key is a unique key generated every time a VPN Policy is created.
AH is selected by default from the Authentication Key field. When a new SA is created, a 32-
character key is automatically generated in the Authentication Key field. This key can be used as a
valid key. If this key is used, it must also be entered in the Authentication Key field in the remote
SonicWALL. If authentication is not used, this field is ignored.
Click Next.
7. To enable the VPN policy immediately, click Apply. If you prefer to disable the policy initially, select
Create this Policy Disabled, and then click Apply.
Configuring IKE using 3rd Party Certificates with the VPN Policy Wizard
Alert!
You must have a valid certificate from a third party Certificate Authority installed on your SonicWALL
before you can configure your VPN policy with IKE using a third party certificate. See “Digital
Certificates” on page 55 for more information.
1. Click VPN Policy Wizard to launch the wizard. Click Next to continue.
2. Select Custom, and click Next.
3. Enter a name for the policy in the Policy Name field. You may want to use the name of a remote office
or other identifying feature so that it is easily identified. Enter the IP address or Fully Qualified Domain
Name of the remote destination in the IPSec Gateway Name or Address field. Click Next.
4. Enter the IP address of the network protected by the remote SonicWALL in the Remote Network
field. This is a private IP address on the remote network. Enter the subnet mask in the Remote
Netmask field. Click Next.
5. Select IKE using 3rd Party Certificates from the IPSec Keying Modes list. Click Next.
6. Select your third party certificate from the Third Party Certificate menu. Select the ID type from the
Peer Certificate’s ID Type, and enter the ID string in the ID string to match field. Click Next.
7. Select from the DH Group menu. Diffie-Hellman (DH) key exchange (a key agreement protocol) is
used during phase 1 of the authentication process to establish pre-shared keys. To compromise
between network speed and network security, select Group 2.