VPN > Settings
558
SonicOS Enhanced 4.0 Administrator Guide
– Distinguished Name - based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are based on country (c=), organization (o=), organization unit (ou=), and/or commonName (cn=). Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to end with a semicolon. You must enter at least one entry, for example c=us.
Step 5 Enter the Peer ID filter in the Peer ID Filter field.
Step 6 Check Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer
certificates must be signed by the issuer specified in the Gateway Certificate menu.
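The Peer ID filter rules above (only c=, o=, ou= and cn= attributes, at most three ou= entries, at least one entry, optional trailing semicolon) and the "signed by Gateway Issuer" check lend themselves to a small validator. The following Python is an added example written for this guide excerpt; it is not SonicOS code and does not reproduce the appliance's exact matching logic. It assumes that "*" is a glob-style wildcard, that attribute matching is case-insensitive, that each filter entry must be satisfied by a distinct subject attribute of the same type, and that subject and issuer strings use the simple comma-separated "C=US, O=Example" form without escaped commas.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Attribute types the guide lists as valid in a Peer ID filter, with the
# maximum number of times each may appear (up to three ou= entries).
ALLOWED_ATTRS = {"c": 1, "o": 1, "ou": 3, "cn": 1}


def parse_peer_id_filter(filter_text: str) -> List[Tuple[str, str]]:
    """Parse 'c=us;o=Example;ou=*;cn=*' into (attribute, pattern) pairs.

    Raises ValueError when the filter breaks the rules stated in the guide:
    at least one entry, only c/o/ou/cn, at most three ou= entries.
    A trailing semicolon on the final entry is tolerated.
    """
    entries: List[Tuple[str, str]] = []
    for raw in filter_text.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerates the optional trailing semicolon
        if "=" not in raw:
            raise ValueError(f"entry {raw!r} is not of the form attr=value")
        attr, value = raw.split("=", 1)
        attr = attr.strip().lower()
        if attr not in ALLOWED_ATTRS:
            raise ValueError(f"attribute {attr!r} is not one of c, o, ou, cn")
        entries.append((attr, value.strip()))
    if not entries:
        raise ValueError("filter must contain at least one entry, e.g. c=us")
    for attr, limit in ALLOWED_ATTRS.items():
        count = sum(1 for a, _ in entries if a == attr)
        if count > limit:
            raise ValueError(f"{attr}= may appear at most {limit} time(s), found {count}")
    return entries


def parse_subject_dn(subject: str) -> Dict[str, List[str]]:
    """Split 'C=US, O=Example, OU=Sales, CN=alice' into attr -> [values].

    Simplifying assumption: values contain no escaped commas.
    Attribute names are lower-cased; values keep their case.
    """
    values: Dict[str, List[str]] = {}
    for part in subject.split(","):
        part = part.strip()
        if not part or "=" not in part:
            continue
        attr, value = part.split("=", 1)
        values.setdefault(attr.strip().lower(), []).append(value.strip())
    return values


def subject_matches_filter(subject: str, filter_text: str) -> bool:
    """True when every filter entry is satisfied by a distinct subject value.

    Assumed semantics: '*' and '?' are glob wildcards, comparison is
    case-insensitive, and a matched subject value is consumed so that
    two ou= patterns need two ou values in the subject.
    """
    wanted = parse_peer_id_filter(filter_text)
    remaining = parse_subject_dn(subject)  # fresh dict, safe to mutate
    for attr, pattern in wanted:
        candidates = remaining.get(attr, [])
        for i, value in enumerate(candidates):
            if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
                del candidates[i]
                break
        else:
            return False  # no unconsumed subject value satisfied this entry
    return True


@dataclass
class PeerCertificate:
    """Constructed stand-in for the fields of a peer certificate we check."""
    subject: str
    issuer: str


def peer_accepted(cert: PeerCertificate, peer_id_filter: str,
                  gateway_issuer: Optional[str] = None,
                  only_gateway_issuer: bool = False) -> Tuple[bool, str]:
    """Apply the issuer restriction (Step 6) and the Peer ID filter (Step 5)."""
    if only_gateway_issuer:
        if gateway_issuer is None or parse_subject_dn(cert.issuer) != parse_subject_dn(gateway_issuer):
            return False, "issuer is not the gateway certificate issuer"
    if not subject_matches_filter(cert.subject, peer_id_filter):
        return False, "subject does not match the Peer ID filter"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    cert = PeerCertificate(subject="C=US, O=Example Corp, OU=Sales, CN=alice",
                           issuer="C=US, O=Example Corp, CN=Example Issuing CA")
    print(peer_accepted(cert, "c=us;o=Example Corp;ou=*;cn=*",
                        "C=US, O=Example Corp, CN=Example Issuing CA", True))
    print(peer_accepted(cert, "c=us;ou=*;ou=*"))  # needs two OUs, subject has one
```

Running the module prints an accepted result for the first call and a rejection for the second, because the filter demands two organizational units and the sample subject carries only one. The consumed-value rule is the part most worth comparing against the appliance's real behaviour, since the guide does not state how multiple ou= entries are matched.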
Step 7 Click on the Proposals tab.
Step 8 In the IKE (Phase 1) Proposal section, select the following settings:
– Select the DH Group from the DH Group menu.
Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
– Select 3DES, AES-128, or AES-256 from the Encryption menu.
– Select the desired authentication method from the Authentication menu.
– Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
Step 9 In the IPsec (Phase 2) Proposal section, select the following settings:
– Select the desired protocol from the Protocol menu.
– Select 3DES, AES-128, or AES-256 from the Encryption menu.
– Select the desired authentication method from the Authentication menu.
– Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. Select Group 2 from the DH Group menu.
Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
– Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
Step 10 Click on the Advanced tab and select any of the following optional settings that you want to
apply to your GroupVPN Policy:
– Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows Network Neighborhood.
– Enable Multicast - Enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
– Management via this SA - If using the VPN policy to manage the SonicWALL security appliance, select the management method, either HTTP or HTTPS.
– Default Gateway - Used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA check box. Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPsec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the