User's Manual Part 4

Page 44 SonicWALL SonicOS Standard Administrator’s Guide
Default LAN Gateway - used at a central site in conjunction with a remote site that has selected Use
this VPN Tunnel as the default route for all Internet traffic. Default LAN Gateway allows the network
administrator to specify the IP address of the default LAN route for incoming IPSec packets for this
VPN Policy. Incoming packets are decrypted by the SonicWALL and compared to the static routes
configured in the SonicWALL. Since those packets can have any destination IP address, it is impossible
to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the
SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default
LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through that gateway.
Otherwise, the packet is dropped.
VPN Terminated at the LAN, OPT/DMZ, or LAN/OPT/DMZ - Selecting this option allows you to
terminate a VPN tunnel on a specific destination instead of allowing the VPN tunnel to terminate on the
entire SonicWALL network. By terminating the VPN tunnel to a specific destination, the VPN tunnel
has access to only a specific portion of the destination LAN or OPT/DMZ network.
12. Click OK to add the Manual Key VPN Policy to the SonicWALL.
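The Default LAN Gateway decision described above (static route for the LAN first, then the Default LAN Gateway, otherwise drop) is easy to misread, so here it is as an added model in Python. This is illustration code, not SonicOS code: the route table, the gateway address and the packet destinations are constructed for the example, and the lookup uses ordinary longest-prefix matching, which the guide does not specify.

```python
"""Model of the Default LAN Gateway decision for packets arriving over an IPsec tunnel.

Added illustration, not SonicOS code. The static routes, next hops, Default LAN
Gateway and destination addresses below are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (LAN-side destination network, next hop)
Decision = Tuple[str, Optional[str]]        # (action, next hop or None)

# Constructed static routes on the central-site firewall, LAN side only.
STATIC_ROUTES: List[Route] = [
    (ipaddress.ip_network("192.168.10.0/24"), "192.168.1.2"),
    (ipaddress.ip_network("192.168.10.128/25"), "192.168.1.3"),  # more specific than the /24
    (ipaddress.ip_network("10.50.0.0/16"), "10.0.0.254"),
]


def lookup_lan_route(dst: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match over the LAN static routes; None when nothing covers dst.

    Longest-prefix matching is an assumption for this model; the guide only says a
    route for the LAN is looked up.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in routes:
        net, _ = route
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def route_ipsec_packet(dst: str, routes: List[Route],
                       default_lan_gateway: Optional[str]) -> Decision:
    """Decision for one decrypted packet received on this VPN policy.

    1. A static route for the LAN covers dst  -> forward via that next hop.
    2. No route, Default LAN Gateway configured -> forward via the Default LAN Gateway.
    3. Neither                                  -> drop.
    Packets arriving through the tunnel may carry any destination (a remote site using
    the tunnel as its default route sends all of its Internet traffic here), so step 2
    is what keeps that traffic from being silently dropped.
    """
    route = lookup_lan_route(dst, routes)
    if route is not None:
        return ("static_route", route[1])
    if default_lan_gateway:
        return ("default_lan_gateway", default_lan_gateway)
    return ("drop", None)


def route_batch(dsts: List[str], routes: List[Route],
                default_lan_gateway: Optional[str]) -> Dict[str, Decision]:
    """Apply the decision to a list of destinations; returns dst -> decision."""
    return {dst: route_ipsec_packet(dst, routes, default_lan_gateway) for dst in dsts}


# Constructed destinations: two covered by static routes, one arbitrary Internet host.
SAMPLE_DESTINATIONS = ["192.168.10.200", "10.50.3.7", "203.0.113.9"]

if __name__ == "__main__":
    for gw in ("192.168.1.1", None):
        print(f"Default LAN Gateway = {gw}")
        for dst, decision in route_batch(SAMPLE_DESTINATIONS, STATIC_ROUTES, gw).items():
            print(f"  {dst:16} -> {decision}")
```

Running the block with and without a Default LAN Gateway shows the practical point: 203.0.113.9 is forwarded to the gateway in the first case and dropped in the second, while the two LAN destinations are unaffected by the setting. The gateway is scoped to the VPN policy it is configured on, so each policy that terminates a remote site's default route needs its own.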
Configuring a VPN Policy with IKE using a Third Party Certificate
Alert!
You must have a valid certificate from a third party Certificate Authority installed on your SonicWALL
before you can configure your VPN policy with IKE using a third party certificate. See “Digital
Certificates” on page 55 for more information.
To create a VPN SA using IKE and third party certificates, follow these steps:
1. In the VPN>Settings page, click Add. The VPN Policy window is displayed.
2. In the General tab, select IKE using 3rd Party Certificates.
3. Type a Name for the Security Association in the Name field.
4. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWALL in
the IPSec Primary Gateway Name or Address field. If you have a secondary remote SonicWALL,
enter the IP address or Fully Qualified Domain Name (FQDN) in the IPSec Secondary Gateway
Name or Address field.
5. Select a certificate from the Third Party Certificate menu.
6. Select Distinguished name, E-Mail ID, or Domain name from the Peer Certificate’s ID Type menu.
7. Type an ID string in the ID string to match field.
8. In the Destination Network section, select one of the following options:
Use this VPN Tunnel as default route for all Internet traffic - select this option if you do not want
traffic from any local user to leave the SonicWALL except through this VPN tunnel.
Destination network obtains IP addresses using DHCP through this VPN Tunnel - Select this
setting if you want the remote network to obtain IP addresses from your DHCP server.
Specify destination networks below - allows you to add the destination network or networks. To
add a destination network, click Add. The Edit VPN Destination Network window is displayed. Enter
the IP address in the Network field and the subnet in the Subnet Mask field, then click OK.
9. Click the Proposals tab.
10. In the IKE (Phase 1) Proposal section, select the following settings:
Select Aggressive Mode from the Exchange menu.
Select Group 2 from the DH Group menu.
Select 3DES from the Encryption menu.
Enter a maximum time in seconds allowed before forcing the policy to renegotiate and exchange keys
in the Life Time field. The default setting is 28800 seconds (8 hours).
Note that 3DES and DH Group 2 (1024-bit MODP) are the settings this guide specifies; both are
considered weak by current standards, so where both peers support a stronger cipher and a larger
DH group, prefer those.