User's Manual Part 4

VPN Page 45
11. In the IPSec (Phase 2) Proposal section, select the following settings:
Select ESP from the Protocol menu.
Select 3DES from the Encryption menu.
Select SHA1 from the Authentication menu.
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange during Phase 2 as an added layer of security, then select Group 2 from the DH Group menu. With PFS enabled, the Phase 2 keys are derived from a fresh exchange rather than from the Phase 1 keying material alone, so a later compromise of the Phase 1 keys does not expose the traffic protected by this SA.
Enter the maximum time in seconds allowed before the policy is forced to renegotiate and exchange keys in the Life Time field. The default setting is 28800 seconds (8 hours).
The Phase 2 proposal must match the proposal configured on the remote peer: a mismatch in protocol, encryption, authentication or DH group causes the Phase 2 negotiation to fail. 3DES and SHA1 are legacy algorithms; where both peers support a stronger cipher and hash, prefer them.
12. Click the Advanced tab. In the Advanced Settings section, select any optional configuration options you want to apply to your VPN policy.
Enable Keep Alive - Select this setting to maintain the current connection by listening for traffic on the network segment between the two connections. If multiple VPN tunnels are configured on the SonicWALL, select Try to bring up all possible tunnels to have the SonicWALL renegotiate the tunnels if they lose communication with the SonicWALL.
Require authentication of local users - requires that all outbound VPN traffic on this SA come from an authenticated source.
Require authentication of remote users - requires that all inbound VPN traffic on this SA come from an authenticated user. Select Remote users behind VPN gateway if the remote users have a VPN tunnel that terminates on the VPN gateway. Select Remote VPN clients with XAUTH if the remote users require authentication using XAUTH and access the SonicWALL via a VPN client.
Enable Windows Networking (NetBIOS) broadcast - allows access to remote network resources by browsing the Windows® Network Neighborhood.
Apply NAT and Firewall Rules - This feature allows a remote site's LAN subnet to be hidden from the corporate site, and is most useful when a remote office's network traffic is initiated toward the corporate office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent through the tunnel, and in turn NAT is performed on inbound packets when they are received. By using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the SonicWALL public address) from the corporate LAN. Because the remote hosts share a single address, the corporate site cannot reach an individual remote host through this SA, which is why the feature suits traffic initiated from the remote office.
Forward Packets to Remote VPNs - allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and can be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is decrypted and forwarded only to the SonicWALL LAN or to a specific route on the LAN configured on the Routing page in the Network section. Enabling this feature allows a network administrator to create a "hub and spoke" network configuration by forwarding inbound traffic to a remote site via a VPN security association. To create a "hub and spoke" network, select the Forward Packets to Remote VPNs check box. Traffic can then travel from one branch office to another via the corporate office. For this to work, the other spokes' networks must fall within the destination networks of each spoke's VPN policy; otherwise the spoke never sends that traffic into its tunnel.
Default LAN Gateway - used at a central site in conjunction with a remote site that has the Route all internet traffic through this SA check box selected. Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets on this SA. Incoming packets are decrypted by the SonicWALL and compared with the static routes configured on the SonicWALL. Since such packets can be destined for any IP address, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route on the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
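The lookup order described for Forward Packets to Remote VPNs and Default LAN Gateway can be traced with a small model of the hub's post-decryption routing decision. This is an added example, not SonicWALL code: the subnets, SA names and addresses are constructed for illustration, and two details the manual does not state are assumptions, namely that routes learned from other VPN SAs are consulted before the Default LAN Gateway and that a packet is never forwarded back into the SA it arrived on.

```python
"""Post-decryption forwarding decision on a VPN hub.

Added example, not SonicWALL code: it models the lookup order the manual
describes for "Forward Packets to Remote VPNs" and "Default LAN Gateway".
Subnets, SA names and addresses are constructed for illustration. The
placement of VPN SA routes ahead of the Default LAN Gateway, and the refusal
to hairpin a packet back into the SA it arrived on, are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gateway:
    lan_subnets: list                    # networks directly on the LAN interface
    static_routes: dict                  # network -> next hop (Routing page)
    vpn_sas: dict                        # SA name -> list of remote networks
    forward_to_remote_vpns: bool         # "Forward Packets to Remote VPNs"
    default_lan_gateway: Optional[str]   # "Default LAN Gateway" address or None


def forward_decrypted(gw: Gateway, src_sa: str, dst_ip: str):
    """Decide where a packet decrypted from `src_sa` goes.

    Returns one of ("lan", None), ("route", next_hop), ("vpn", sa_name)
    or ("drop", reason).
    """
    dst = ipaddress.ip_address(dst_ip)

    # 1. Directly attached LAN: deliver locally.
    if any(dst in net for net in gw.lan_subnets):
        return ("lan", None)

    # 2. Static routes on the LAN, most specific prefix wins.
    hits = [(net, hop) for net, hop in gw.static_routes.items() if dst in net]
    if hits:
        _, hop = max(hits, key=lambda h: h[0].prefixlen)
        return ("route", hop)

    # 3. Hub-and-spoke: only with the option enabled may the packet be
    #    re-encrypted into another SA (assumption: never back into src_sa).
    if gw.forward_to_remote_vpns:
        for sa, nets in gw.vpn_sas.items():
            if sa != src_sa and any(dst in net for net in nets):
                return ("vpn", sa)

    # 4. Default LAN Gateway catches everything else, e.g. Internet-bound
    #    traffic from a spoke using "Route all internet traffic through this SA".
    if gw.default_lan_gateway is not None:
        return ("route", gw.default_lan_gateway)

    return ("drop", "no LAN route, no VPN route, no Default LAN Gateway")


def build_hub(forward_to_remote_vpns: bool, default_lan_gateway: Optional[str]) -> Gateway:
    """Constructed sample hub: one corporate LAN plus two branch-office SAs."""
    net = ipaddress.ip_network
    return Gateway(
        lan_subnets=[net("10.1.0.0/16")],
        static_routes={net("10.2.0.0/16"): "10.1.0.254"},
        vpn_sas={
            "branch_a": [net("192.168.10.0/24")],
            "branch_b": [net("192.168.20.0/24")],
        },
        forward_to_remote_vpns=forward_to_remote_vpns,
        default_lan_gateway=default_lan_gateway,
    )


if __name__ == "__main__":
    hub = build_hub(forward_to_remote_vpns=True, default_lan_gateway="10.1.0.1")
    for dst in ("10.1.5.7", "10.2.3.4", "192.168.20.9", "8.8.8.8"):
        print(dst, "->", forward_decrypted(hub, "branch_a", dst))
    # With forwarding disabled and no Default LAN Gateway, spoke-to-spoke
    # and Internet-bound packets are dropped instead of forwarded.
    strict = build_hub(forward_to_remote_vpns=False, default_lan_gateway=None)
    print("strict:", forward_decrypted(strict, "branch_a", "192.168.20.9"))
```

Running the script shows the effect of each option: with Forward Packets to Remote VPNs enabled a packet from branch_a to 192.168.20.9 is sent into the branch_b SA, with it disabled the same packet falls through to the Default LAN Gateway, and with neither configured it is dropped.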
VPN Terminated at the LAN, OPT/DMZ, or LAN/OPT/DMZ - Selecting this option terminates the VPN tunnel on a specific destination instead of allowing it to terminate on the entire SonicWALL network. By terminating the VPN tunnel at a specific destination, the tunnel has access only to that portion of the LAN or OPT/DMZ network, which limits what a remote peer can reach to the segment it actually needs.