Dell SonicWALL GX250 Manual page 118


Enable Perfect Forward Secrecy
A new checkbox is available for the Security Association "IKE using Pre-shared
Secret" between two SonicWALL appliances. The Enable Perfect Forward Secrecy
checkbox increases the renegotiation time of the VPN tunnel. By enabling Perfect
Forward Secrecy, a hacker using brute force to break encryption keys is not able to
obtain other or future IPSec keys. During the phase 2 renegotiation between the two
appliances, an additional Diffie-Hellman key exchange is performed. Perfect Forward
Secrecy adds incremental security between gateways.
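The effect of the additional phase 2 Diffie-Hellman exchange can be seen in the IKEv1 key derivation of RFC 2409 section 5.5, sketched here as an added example that is not part of the SonicWALL manual. The toy DH group, the HMAC-SHA1 prf, the `DEMO_SKEYID_D` value and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group (assumption, illustration only); real IKE uses the standard MODP groups.
P, G = 2**127 - 1, 3
ESP = 3  # IPSec DOI protocol ID for ESP
DEMO_SKEYID_D = bytes(range(20))  # constructed stand-in for the phase 1 secret SKEYID_d


def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 is assumed here; the real prf is whatever phase 1 negotiated.
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d, spi, ni, nr, dh_shared=b""):
    # RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    return prf(skeyid_d, dh_shared + bytes([ESP]) + spi + ni + nr)


def quick_mode(skeyid_d, pfs):
    """Simulate one phase 2 negotiation; return (exchanged values, KEYMAT)."""
    wire = {"spi": secrets.token_bytes(4),
            "ni": secrets.token_bytes(16),
            "nr": secrets.token_bytes(16)}
    shared = b""
    if pfs:
        # Additional ephemeral Diffie-Hellman exchange; private values are discarded.
        xi, xr = (secrets.randbelow(P - 3) + 2 for _ in range(2))
        wire["ke_i"], wire["ke_r"] = pow(G, xi, P), pow(G, xr, P)
        shared = pow(wire["ke_r"], xi, P).to_bytes(16, "big")
        assert shared == pow(wire["ke_i"], xr, P).to_bytes(16, "big")
    return wire, keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"], shared)


def rederive_without_dh(skeyid_d, wire):
    """KEYMAT computable from SKEYID_d and the exchanged values alone."""
    return keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])


def phase1_secret_is_sufficient(pfs):
    wire, negotiated = quick_mode(DEMO_SKEYID_D, pfs)
    return rederive_without_dh(DEMO_SKEYID_D, wire) == negotiated


if __name__ == "__main__":
    print("PFS off, SA keys follow from phase 1 secret:", phase1_secret_is_sufficient(False))
    print("PFS on,  SA keys follow from phase 1 secret:", phase1_secret_is_sufficient(True))
```

With the checkbox cleared, every phase 2 key is a function of the single phase 1 secret; with it set, each renegotiation also depends on a fresh DH secret that neither gateway retains.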
Enable Windows Networking (NetBIOS) broadcast
Computers running Microsoft Windows® communicate with one another through
NetBIOS broadcast packets. Check the Enable Windows Networking (NetBIOS)
broadcast checkbox to access remote network resources by browsing the Windows
Network Neighborhood.
Apply NAT and firewall rules
This feature allows the remote site's LAN subnet to be hidden from the corporate site,
and is most useful when a remote office's network traffic is initiated to the corporate
office. The IPSec tunnel is located between the SonicWALL WAN interface and the LAN
segment of the corporation. To protect the traffic, NAT (Network Address Translation)
is performed on the outbound packet before it is sent through the tunnel, and in turn,
NAT is performed on inbound packets when they are received. By using NAT for the
VPN connection, computers on the remote LAN are viewed as one address (the
SonicWALL's public address) from the corporate LAN.
If the SonicWALL uses the Standard network configuration, checking this checkbox
applies the firewall access rules and checks for attacks. It does not apply NAT, as the
SonicWALL is not configured for it. If the SonicWALL uses the NAT network configuration,
then checking the Apply NAT and firewall rules checkbox performs normal firewall
checks, applies access rules, and applies NAT.
Forward Packets to Remote VPNs
Checking the Forward Packets to Remote VPNs checkbox for a Security
Association allows the remote VPN tunnel to participate in the SonicWALL routing
table. Inbound traffic is decrypted and can now be forwarded to a remote site via
another VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the
SonicWALL's local LAN or a specific route on the LAN specified on the Routes tab
located under the Advanced section.
Enabling this feature allows a network administrator to create a "hub and spoke"
network configuration by forwarding inbound traffic to a remote site via a VPN security
association. To create a "hub and spoke" network, enable the Forward Packets to
Remote VPNs checkbox for each Security Association, including the remote SAs, in
your SonicWALL. Additionally, destination networks must be configured the same in


This manual is also suitable for:

SonicWALL GX650
