226 SONICWALL SONICOS STANDARD 3.0 ADMINISTRATORS GUIDE
CHAPTER 36: Configuring VPN Settings
3. Type a Name for the Security Association in the Name field.
4. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWALL in the IPSec Primary Gateway Name or Address field. If you have a secondary remote SonicWALL, enter its IP address or FQDN in the IPSec Secondary Gateway Name or Address field.
5. Select a certificate from the Third Party Certificate menu.
6. Select one of the following Peer ID types from the Peer ID Type menu and enter an ID string in the ID string to match field.
E-Mail ID and Domain Name - The E-Mail ID and Domain Name types are matched against the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter will not work. Note that this check does not verify that the peer actually controls the email address or domain name; it verifies only that the certificate presented during negotiation contains a matching entry in its Subject Alternative Name field, so the strength of the check rests on the issuing CA's vetting of that entry. The E-Mail ID and Domain Name filters can contain a string or partial string identifying the acceptable range. The strings entered are not case sensitive and can contain the wildcard characters * (matching more than one character) and ? (matching a single character). For example, with E-Mail ID selected, the string *@sonicwall.com allows any peer whose certificate carries an email address ending in @sonicwall.com; with Domain Name selected, the string *sv.us.sonicwall.com allows any peer whose certificate carries a domain name ending in sv.us.sonicwall.com. Because * is not anchored to a label boundary, that pattern also matches a name such as hostsv.us.sonicwall.com; use *.sv.us.sonicwall.com if the match is meant to require a subdomain of sv.us.sonicwall.com.
Distinguished Name - Based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are country (c=), organization (o=), organizational unit (ou=), and/or common name (cn=). Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to end with a semicolon. You must enter at least one entry, for example c=us.
7. In the Destination Network section, select one of the following options:
Use this VPN Tunnel as default route for all Internet traffic - Select this option if you do not want any local user's traffic to leave the SonicWALL security appliance except through the VPN tunnel.
Destination network obtains IP addresses using DHCP through this VPN Tunnel - Select this option if you want the remote network to obtain IP addresses from your DHCP server.
Specify destination networks below - Allows you to add one or more destination networks. To add a destination network, click Add. The Edit VPN Destination Network window is displayed. Enter the IP address in the Network field and the subnet mask in the Subnet Mask field, then click OK.
8. Click the Proposals tab.
9. In the IKE (Phase 1) Proposal section, select the following settings:
Select Aggressive Mode from the Exchange menu.
Select Group 2 from the DH Group menu.
Select 3DES from the Encryption menu.
Enter the maximum time in seconds allowed before the policy is forced to renegotiate and exchange keys in the Life Time field. The default setting is 28800 seconds (8 hours).
10. In the IPsec (Phase 2) Proposal section, select the following settings:
Select ESP from the Protocol menu.
Select 3DES from the Encryption menu.
Select SHA1 from the Authentication menu.
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security, then select Group 2 from the DH Group menu.
Enter the maximum time in seconds allowed before the policy is forced to renegotiate and exchange keys in the Life Time field. The default setting is 28800 seconds (8 hours).
Note: 3DES, SHA1 and DH Group 2 (1024-bit MODP) are the values this procedure uses, but they are regarded as weak by current standards; select stronger algorithms and a larger DH group in both proposals when both peers support them.
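The Peer ID matching rules from step 6 are easy to get wrong, in particular the unanchored wildcard and the requirement that a Subject Alternative Name be present. The following reference matcher is an added example written for this page; it is not SonicOS code and does not describe the appliance's implementation. It models certificates as plain Python dicts constructed inline, treats * as matching any run of characters including an empty one (an assumption; the guide says "more than 1 character"), and satisfies each Distinguished Name entry with a distinct subject value, which is also an assumption.

```python
# Added illustration (not SonicOS code): a reference matcher for the Peer ID
# Type filters described in step 6. Certificates are plain dicts constructed
# inline; "*" is assumed to match any run of characters, including none.
import re

# Map the Peer ID Type to the kind of Subject Alternative Name entry it reads.
SAN_KIND = {"email": "email", "domain": "dns"}

# Attributes a Distinguished Name filter may carry and how many times each may
# appear (the guide allows up to three ou= entries).
DN_ATTRS = {"c": 1, "o": 1, "ou": 3, "cn": 1}


def wildcard_to_regex(pattern):
    """Translate the filter syntax (* and ?, case-insensitive) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def match_san(cert, id_type, pattern):
    """E-Mail ID / Domain Name match against the certificate's SAN entries.

    Returns False when the certificate has no Subject Alternative Name at all,
    because the guide states the filter cannot match in that case.
    """
    kind = SAN_KIND[id_type]
    sans = cert.get("san") or []
    if not sans:
        return False
    rx = wildcard_to_regex(pattern)
    return any(rx.fullmatch(value) for san_kind, value in sans if san_kind == kind)


def parse_dn_filter(filter_str):
    """Parse 'c=*;o=*;ou=*;ou=*;ou=*;cn=*' style filters into (attr, pattern) pairs."""
    entries = []
    for raw in filter_str.split(";"):
        if not raw.strip():
            continue  # a trailing semicolon is allowed
        attr, sep, value = raw.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or attr not in DN_ATTRS or not value:
            raise ValueError(f"invalid Distinguished Name filter entry: {raw!r}")
        entries.append((attr, value))
    if not entries:
        raise ValueError("at least one entry is required, e.g. c=us")
    for attr, limit in DN_ATTRS.items():
        if sum(1 for a, _ in entries if a == attr) > limit:
            raise ValueError(f"at most {limit} {attr}= entries are allowed")
    return entries


def _match_all(patterns, values):
    """Every pattern must be satisfied by a distinct value (backtracking)."""
    if not patterns:
        return True
    rx = wildcard_to_regex(patterns[0])
    for i, value in enumerate(values):
        if rx.fullmatch(value) and _match_all(patterns[1:], values[:i] + values[i + 1:]):
            return True
    return False


def match_dn(cert, filter_str):
    """Distinguished Name match against the certificate's Subject components."""
    entries = parse_dn_filter(filter_str)
    subject = cert.get("subject") or []
    for attr in DN_ATTRS:
        patterns = [p for a, p in entries if a == attr]
        values = [v for a, v in subject if a.lower() == attr]
        if patterns and not _match_all(patterns, values):
            return False
    return True


# Constructed sample certificates for the demonstration (not real certificates).
SAMPLE_CERTS = {
    "hq-gw": {
        "subject": [("c", "US"), ("o", "SonicWALL"), ("ou", "Engineering"),
                    ("ou", "VPN"), ("cn", "hq-gw.sv.us.sonicwall.com")],
        "san": [("email", "vpnadmin@sonicwall.com"),
                ("dns", "hq-gw.sv.us.sonicwall.com")],
    },
    # No Subject Alternative Name: E-Mail ID / Domain Name filters cannot match.
    "legacy-gw": {
        "subject": [("c", "US"), ("o", "SonicWALL"), ("cn", "legacy-gw")],
        "san": [],
    },
    # A look-alike name that the unanchored pattern *sv.us.sonicwall.com accepts.
    "lookalike": {
        "subject": [("c", "US"), ("o", "Example Corp"), ("cn", "attackersv.us.sonicwall.com")],
        "san": [("dns", "attackersv.us.sonicwall.com"),
                ("email", "mallory@sonicwall.com.example.net")],
    },
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, match_san(cert, "domain", "*sv.us.sonicwall.com"),
              match_san(cert, "domain", "*.sv.us.sonicwall.com"),
              match_dn(cert, "c=us;o=sonicwall"))
```

Running the block shows the difference the leading dot makes: the "lookalike" certificate passes *sv.us.sonicwall.com but fails *.sv.us.sonicwall.com, and the "legacy-gw" certificate fails every E-Mail ID or Domain Name filter because it carries no Subject Alternative Name, so only a Distinguished Name filter can identify it.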