Proposals - SonicWALL SonicOS Enhanced 2.2 Administrator's Manual

4. Select one of the following Peer ID types from the Peer ID Type menu:
   - E-Mail ID
   - Distinguished name
   - Domain name
5. Enter the Peer ID filter in the Peer ID Filter field.
6. Check Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu.

Proposals

7. Click on the Proposals tab.
8. In the IKE (Phase 1) Proposal section, select the following settings:
   - Group 2 from the DH Group menu.
   - 3DES from the Encryption menu.
   - SHA1 from the Authentication menu.
   - Leave the default setting, 28800, in the Life Time (seconds) field. This setting forces the tunnel to renegotiate and exchange keys every 8 hours.
9. In the IPSec (Phase 2) Proposal section, select the following settings:
   - ESP from the Protocol menu.
   - 3DES from the Encryption menu.
   - MD5 from the Authentication menu.
   - Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. Then select Group 2 from the DH Group menu.
   - Leave the default setting, 28800, in the Life Time (seconds) field. This setting forces the tunnel to renegotiate and exchange keys every 8 hours.

Advanced

10. Click on the Advanced tab and select any of the following optional settings that you want to apply to your GroupVPN Policy:
   - Enable Windows Networking (NetBIOS) broadcast - allows access to remote network resources by browsing the Windows Network Neighborhood.
   - Management via this SA - select HTTP and/or HTTPS.
   - Default LAN Gateway - used at a central site in conjunction with a remote site using the Route all Internet traffic through this SA check box. Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
   - Require Authentication of VPN Clients via XAUTH - requires that all inbound traffic on this SA is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel.
   - User group for XAUTH users - allows you to select a defined user group for authentication.
   - All Unauthenticated VPN Client Access - allows you to specify network segments for unauthenticated Global VPN Client access.
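The Default LAN Gateway decision described under step 10, as an added illustration that is not the manual's own code and not SonicOS logic: a decoded tunnel packet is matched against static LAN routes first, then handed to the Default LAN Gateway if one is set, and otherwise dropped. The static routes, addresses and the longest-prefix tie-break are assumptions constructed for this example.

```python
import ipaddress

# Constructed static routes for a central-site LAN: (destination network, next hop).
# These values are made up for illustration, not taken from the manual.
STATIC_ROUTES = [
    ("192.168.10.0/24", "192.168.1.2"),
    ("192.168.10.128/25", "192.168.1.9"),   # more specific than the /24 above
    ("192.168.20.0/24", "192.168.1.3"),
]


def resolve_ipsec_packet(dst_ip, static_routes, default_lan_gateway=None):
    """Decide where a packet decoded from an IPSec tunnel is forwarded.

    Follows the manual's order of checks: a configured LAN route wins,
    the Default LAN Gateway is the fallback, and with neither the packet
    is dropped. Longest-prefix matching between overlapping static routes
    is an assumption of this example.
    Returns ("route", next_hop), ("default_gateway", gw) or ("drop", None).
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for network, next_hop in static_routes:
        net = ipaddress.ip_network(network)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is not None:
        return ("route", best[1])
    if default_lan_gateway:
        # No static route: the Default LAN Gateway catches everything else.
        return ("default_gateway", default_lan_gateway)
    # Neither a route nor a Default LAN Gateway: the SonicWALL drops it.
    return ("drop", None)


def count_drops(destinations, static_routes, default_lan_gateway=None):
    """Count how many of the given destinations would be silently dropped.

    Useful when troubleshooting a remote site that routes all Internet
    traffic through the SA but has no Default LAN Gateway configured.
    """
    return sum(
        1 for d in destinations
        if resolve_ipsec_packet(d, static_routes, default_lan_gateway)[0] == "drop"
    )
```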
Page 102 SonicWALL SonicOS Standard Administrator's Guide