Table of Contents
SonicWALL Global VPN Client
SonicWALL Global VPN Client Features
New Features in SonicWALL Global VPN Client 4.0
Global VPN Client Enterprise/Global Security Client
About this Guide
Using the Right Administrator’s Guides
Conventions Used in this Guide ...
Generating a Help Report
Accessing Technical Support
Viewing Help Topics
Uninstalling the SonicWALL Global VPN Client (Windows 98 SE)
Configuring SonicWALL Security Appliances for Global VPN Clients
SonicWALL Global VPN Client Licenses
Group VPN Connections Supported by Each SonicWALL Model ...
Creating the default.rcf File
Sample default.rcf File
Troubleshooting the default.rcf File
Appendix B - SonicWALL Global VPN Client Installation Using the InstallShield Silent Response File
Creating the Silent Installation
Playing Back the Silent Installation
Using Setup.log to Check for Errors ...
Appendix D - Installing the Global VPN Client with a Ghost Application
Appendix E - Log Viewer Messages
SonicWALL Global VPN Client 4.0 Administrator’s Guide
Client Policy Provisioning - Using only the IP address or Fully Qualified Domain Name (FQDN) of the SonicWALL VPN gateway, the VPN configuration data is automatically downloaded from the SonicWALL VPN gateway via a secure IPSec tunnel, removing the burden from the remote user of provisioning VPN connections.
• Single VPN Connection to any SonicWALL Secure Wireless Appliance for Roaming - Allows users to use a single VPN connection policy to access the networks of multiple SonicWALL Secure Wireless appliances.
• Automatic Configuration of Redundant Gateways from DNS - When an IPSec gateway domain name resolves to multiple IP addresses, the Global VPN Client (version 2.1.0.0 or higher) uses the...
The SonicWALL Global VPN Client as part of the SonicWALL Global Security Client operates on Windows 2000 (SP3), Windows XP Home (SP1), and Windows XP Professional (SP1) operating systems for clients. The Global VPN Client as part of the SonicWALL Global Security Client is supported by the following SonicWALL security appliances and firmware versions: •...
SonicWALL’s GroupVPN, see the Administrator’s Guide for the firmware or SonicOS version running on your SonicWALL wireless security appliance.
SonicWALL Global VPN Client
If you’re using SonicWALL Global VPN Client 4.0 on Windows 98 SE, use only the SonicWALL Global VPN Client 4.0 Administrator’s Guide.
Tip! Always check http://www.sonicwall.com/support/VPN_documentation.html...
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose.
You can upgrade the SonicWALL Global VPN Client from an earlier version to 4.0 without uninstalling the earlier version. Alert! If you are upgrading SonicWALL Global VPN Client from an earlier version to 4.0 and want to use the Retain MAC Address uninstall feature of the SonicWALL Virtual Adapter, you must uninstall the earlier version before installing Global VPN Client 4.0.
6. Click Next to accept the default location and continue installation or click Browse to specify a different location.
7. Click Install. The Setup Wizard installs the Global VPN Client files on your computer. After the Setup Wizard installs the Global VPN Client, the Setup Complete page is displayed.
IPSec VPN tunnel.
• Import a VPN policy file into the SonicWALL Global VPN Client. The VPN policy is sent to you as a file, which you install using the Import Connection dialog box.
•...
Internet connection before using the New Connection Wizard.
• Office Gateway - You choose this scenario if you want secure access to a local SonicWALL Secure Wireless appliance network. When you create an Office Gateway VPN connection, it appears as the Peer entry of <Default Gateway>...
Clicking on the Remote Access View Scenario link displays the diagram for this type of VPN connection. Clicking on the Office Gateway View Scenario link displays the diagram for this type of VPN connection.
4. Select Remote Access or Office Gateway and then click Next.
Name field.
Importing a VPN Configuration File
A VPN connection policy can be created as a file and sent to you by the SonicWALL VPN gateway administrator. This VPN configuration file has the filename extension .rcf. If you received a VPN connection policy file from your administrator, you can install it using the Import Connection dialog box.
Application field or click browse ... to locate the program.
9. Click OK three times to return to the SonicWALL Global VPN Client window.
To launch the SonicWALL Global VPN Client, choose Start>Programs>SonicWALL Global VPN Client. The default setting for the SonicWALL Global VPN Client window is Hide the window (reopen it from the tray icon). If you click Close, press Alt+F4 or choose File>Close, the SonicWALL Global VPN Client window closes but your established VPN connections remain active.
Peer Information window) must be the same for every gateway.
Enabling a VPN Connection
Enabling a VPN connection with the SonicWALL Global VPN Client is a transparent two-phase process. Phase 1 enables the connection, which completes the ISAKMP (Internet Security Association and Key Management Protocol) negotiation.
1. Enable a VPN connection policy using one of the following methods:
• If you selected Enable this connection when the program is launched in the New Connection Wizard, the VPN connection is automatically established when you launch the SonicWALL Global VPN Client.
•...
3. Click OK.
Selecting a Certificate
If the SonicWALL VPN Gateway requires a Digital Certificate to establish your identity for the VPN connection, the Select Certificate dialog box appears. This dialog box lists all the available certificates installed on your Global VPN Client. Select the certificate from the menu, then click OK. If you have a certificate that has not been imported into the Global VPN Client using Certificate Manager, click Import Certificate.
If the SonicWALL VPN gateway is provisioned to prompt you for the username and password to enter the remote network, the Enter Username and Password dialog box appears. Type your username and password. If permitted by the gateway, check Remember Username and Password to cache your username and password to automatically log in for future VPN connections.
Start menu. You can also place the connection policy at any other location on your system.
To create a shortcut:
1. Select the VPN connection policy you want to create a shortcut for in the SonicWALL Global VPN Client window.
Options dialog box. The General page includes the following settings to control the launch of the Global VPN Client:
• Start this program when I log in - Launches the SonicWALL Global VPN Client when you log into your computer.
•...
• Exit - Exits the SonicWALL Global VPN Client window and disables any active VPN connections.
Moving the mouse pointer over the SonicWALL Global VPN Client icon in the system tray displays the number of enabled VPN connections. The Global VPN Client icon in the system tray also acts as a visual indicator of data passing between the Global VPN Client and the SonicWALL gateway.
Other traffic allowed - If enabled, your computer can access the local network or Internet connection while the VPN connection is active.
Default traffic tunneled to peer - If activated, all network traffic not routed to the SonicWALL VPN gateway is blocked. When you enable the VPN connection with this feature active, the Connection Warning message appears.
VPN gateway does not respond for three consecutive heart beats. The Global VPN Client exchanges “heart beat” packets to detect if the peer gateway is alive. This setting is enabled by default.
• DPD Settings - Displays the Dead Peer Detection Settings dialog box.
Check for dead peer every - Choose from 5, 10, 15, 20, 25, or 30 seconds.
Assume peer is dead after - Choose from 3, 4, or 5 Failed Checks.
Specify the conditions under which DPD packets will be sent - Choose either Only when no traffic is received from the peer or whether or not traffic is received from the peer.
IP Address - The IP address assigned via DHCP through the VPN tunnel from the VPN gateway.
Subnet Mask - The subnet of the peer.
Renew - Renews DHCP lease information.
Managing VPN Connection Policies
The SonicWALL Global VPN Client supports as many VPN connection policies as you need. To help you manage these connection policies, the Global VPN Client provides the following connection policy management tools.
Arranging Connection Policies
Over time, as the number of VPN connection policies increases in the SonicWALL Global VPN Client window, you may want to arrange them for quicker access.
Choose View>Toolbar to hide the toolbar.
• Choose View>Status Bar to hide the status bar.
Tip! For more information on using certificates for your VPN on the SonicWALL, see the SonicWALL Administrator’s Guide.
Troubleshooting the SonicWALL Global VPN Client
The SonicWALL Global VPN Client provides tools for troubleshooting your VPN connections. This section explains using Log Viewer, generating a Help Report, accessing SonicWALL’s Support site, using...
Understanding the Global VPN Client Log
The SonicWALL Global VPN Client Log window displays messages about Global VPN Client activities. To open the Log Viewer window, click the Log Viewer button on the Global VPN Client window toolbar, or choose View>Log Viewer, or press Ctrl+L.
Overwrite existing file when auto-logging starts - Overwrites existing auto-log file after maximum file size is reached.
Set size limit on auto-log file - Activates a maximum size limit for the log file.
Generate Report creates a report containing useful information for getting help in solving any problems you may be experiencing. The report contains information regarding the condition of the SonicWALL Global VPN Client as well as the system it’s running on.
Global VPN Client. Click Next. Alert! If you are upgrading SonicWALL Global VPN Client from an earlier version to 4.0 and want to use the Retain MAC Address uninstall feature of the SonicWALL Virtual Adapter, you must uninstall the earlier version before installing Global VPN Client 4.0.
Group VPN Connections Supported by Each SonicWALL Model
Table 1 describes the Global VPN Client License support of each SonicWALL model. You can purchase Global VPN Client software and Global VPN Client Licenses from SonicWALL, your reseller, or online at mysonicwall.com.
Serial Number of the SonicWALL product. Your license activation is now complete.
Downloading Global VPN Client Software and Documentation
1. In the My Products page, click the name of your SonicWALL on which the Global VPN Client license is activated.
SonicWALL grants you a non-exclusive license to use the SOFTWARE PRODUCT for SonicWALL Internet Security Appliances. OEM - If the SOFTWARE PRODUCT is modified and enhanced for a SonicWALL OEM partner, you must adhere to the software license agreement of the SonicWALL OEM partner.
If the SOFTWARE PRODUCT is labeled as an upgrade, you must be properly licensed to use a product identified by SonicWALL as being eligible for the upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the upgrade.
SOFTWARE PRODUCT, and shall continue until terminated. Without prejudice to any other rights, SonicWALL may terminate this SLA if you fail to comply with the terms and conditions of this SLA. In such event, you agree to return or destroy the SOFTWARE PRODUCT (including all related documents and components items as defined above) and any and all copies of same.
SonicWALL Global VPN Client Support
SonicWALL’s comprehensive support services protect your network security investment and offer the support you need - when you need it. SonicWALL Global VPN Client support is included as part of the support program of your SonicWALL Internet Security Appliance.
Include the default.rcf File with the Global VPN Client Software
After you create the default.rcf file, you can include it with the SonicWALL Global VPN Client software. When the user installs the Global VPN Client program, the SonicWALL Global VPN Client.rcf file is automatically created in the C:\Documents and Settings\<user>\Application...
<ReEnableOnWake>[Off=0]/On=1</ReEnableOnWake>
Enables the connection when computer is coming out of sleep or hibernation.
<ReconnectOnError>Off=0/[On=1]</ReconnectOnError>
Automatically keeps trying to enable the connection when an error occurs.
<ExecuteLogonScript>[Disable=0]/Enable=1</ExecuteLogonScript>
Forces launch login script.
</Flags>
SonicWALL gateway.
<EnableDeadPeerDetection>Off=0/On=1</EnableDeadPeerDetection>
Enables detection if the Peer stops responding to traffic. This will send Vendor ID to the SonicWALL during IKE negotiation to enable Dead peer detection heart beat traffic.
Alert! NAT Traversal - The implementation options for NAT Traversal were changed in Global VPN Client 2.x.
(normally Disk1 or the same folder as Setup.ins).
Table 2: Troubleshooting the default.rcf File
Ensure that the file does not contain any non-ASCII characters.
An integer value is assigned to the ResultCode keyname in the [ResponseResult] section. The silent setup places one of the following return values after the ResultCode keyname:
Success
General error...
Appendix C - Running the Global VPN Client from the Command Line Interface
The SonicWALL Global VPN Client can run from the Command Line Interface (CLI). This interface allows for the programmatic or script-based initiation of certain Global VPN Client functions without requiring the user to directly act in the Global VPN Client application.
CmdLine=/g (Ghost) option, a default MAC address is assigned to the SonicWALL VPN Adapter. After the installation when the Global VPN Client is started for the first time, this default MAC address is detected, which in turn generates a new MAC address and assigns it to the SonicWALL VPN Adapter.
Table 3: Log Viewer Messages
ERROR Diffie-Hellman group generator length has not been set.
ERROR Diffie-Hellman group prime length has not been set.
ERROR DSS signature processing failed - signature is not valid.
ERROR Encryption algorithm is not supported.
ERROR ESP transform algorithm is not supported.
Failed to construct mode config hash payload.
ERROR Failed to construct NAT discovery payload.
ERROR Failed to construct PFS key exchange payload.
ERROR Failed to construct policy provisioning payload.
ERROR Failed to construct quick mode hash payload.
ERROR Failed to construct quick mode packet.
ERROR Failed to construct responder lifetime payload.
ERROR Failed to construct RSA signature.
ERROR Failed to construct signature payload.
ERROR Failed to construct source proxy ID payload.
Failed to set the ESP attributes from the SA payload into the SA.
ERROR Failed to set the IPSEC AH attributes into the phase 2 SA.
ERROR Failed to set the IPSEC ESP attributes into the phase 2 SA.
ERROR Failed to set the OAKLEY attributes into the phase 1 SA.
ERROR Failed to set vendor ID into packet payload.
ERROR Failed to set XAuth attributes into payload.
Unable to compute hash!
ERROR Unable to compute shared secret for PFS in phase 2!
ERROR Unable to read configuration file.
ERROR User did not enter XAuth next pin.
ERROR XAuth CHAP requests are not supported at this time.
ERROR XAuth failed.
ERROR XAuth has requested a password but one has not yet been specified.
INFO The connection "" has been disabled.
INFO A certificate is needed to complete phase 1.
INFO A phase 2 SA can not be established with until a phase 1 SA is established.
Received invalid exchange type notify.
INFO Received invalid flags notify.
INFO Received invalid ID information notify.
INFO Received invalid key info notify.
INFO Received invalid major version notify.
INFO Received invalid message ID notify.
INFO Received invalid minor version notify.
INFO Received invalid payload notify.
INFO Received invalid protocol ID notify.
INFO Received invalid signature notify.
INFO Received invalid SPI notify.
INFO Received invalid transform ID notify.
INFO Received malformed payload notify.
The phase 1 SA has died.
INFO The phase 2 SA has been deleted.
INFO The phase 2 SA has died.
INFO The SA lifetime for phase 1 is seconds.
INFO The SA lifetime for phase 2 is seconds.
INFO The soft lifetime has expired for phase 1.
INFO The soft lifetime has expired for phase 2 with.
INFO The system ARP cache has been flushed.
INFO Unable to encrypt payload!
INFO...
The select certificate dialog box was cancelled by the user. The connection will be disabled.
WARNING The username/password dialog box was cancelled by the user. The connection will be disabled.
WARNING Unable to decrypt payload!