SONICWALL SONICOS STANDARD 3.0 ADMINISTRATORS GUIDE, page 208
Chapter 36: Configuring VPN Settings

Configuring GroupVPN with IKE 3rd Party Certificates

To configure your GroupVPN policy with IKE 3rd Party Certificates, follow these steps:
Alert: Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL.
1. In the VPN > Settings page, click the edit icon under Configure for the GroupVPN entry. The VPN Policy window is displayed.
2. In the Security Policy section, select IKE using 3rd Party Certificates from the IPSec Keying Mode menu. The SA name is Group VPN by default and cannot be changed.
3. Select a certificate for the SonicWALL from the Gateway Certificate menu.
4. Select one of the following Peer ID types from the Peer ID Type menu and enter the Peer ID filter information in the Peer ID Filter field.
   E-Mail ID and Domain Name - The E-Mail ID and Domain Name types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter will not work. The certificate verification process did not actually verify my email address or domain name, just that the certificate I selected to use had this matching entry contained in the Alternative Subject Name field. The E-Mail ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wildcard characters * (for more than 1 character) and ? (for a single character). For example, the string *@sonicwall.com when E-Mail ID is selected would allow anyone with an email address that ended in sonicwall.com to have access; the string *sv.us.sonicwall.com when Domain Name is selected would allow anyone with a domain name that ended in sv.us.sonicwall.com to have access.
   Distinguished Name - Based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are based on country (c=), organization (o=), organizational unit (ou=), and/or commonName (cn=). Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, e.g. c=us.
5. Check Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu.
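As an added illustration of the Peer ID filter rules in step 4 (this is not code from the guide or from SonicOS, whose real matching logic is not shown here), the following Python models the E-Mail ID / Domain Name wildcard match and the Distinguished Name filter; it assumes the peer's subject DN is supplied in the same semicolon-separated key=value form the guide uses for the filter.

```python
import re

# Keys the Distinguished Name filter accepts (per the guide); at most three ou= entries.
DN_KEYS = {"c", "o", "ou", "cn"}

def _glob_to_regex(pattern):
    """Translate the guide's wildcards (* = a run of characters, ? = one character) into
    an anchored, case-insensitive regex; every other character is matched literally."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def match_san_filter(peer_filter, san_value):
    """E-Mail ID / Domain Name filter. san_value is the peer certificate's Subject
    Alternative Name entry, or None when the certificate carries no SAN (never matches)."""
    if san_value is None:
        return False
    return _glob_to_regex(peer_filter).match(san_value) is not None

def parse_dn(text):
    """'c=US;o=Acme;ou=Eng;cn=vpn' -> [('c', 'US'), ('o', 'Acme'), ('ou', 'Eng'), ...]
    (semicolon-separated form, as the guide writes the filter; an assumption for the subject)."""
    pairs = []
    for part in text.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def validate_dn_filter(peer_filter):
    """Enforce the guide's rules: at least one entry, only c/o/ou/cn, at most three ou=."""
    pairs = parse_dn(peer_filter)
    if not pairs:
        raise ValueError("Distinguished Name filter needs at least one entry, e.g. c=us")
    bad = [k for k, _ in pairs if k not in DN_KEYS]
    if bad:
        raise ValueError("unsupported attribute(s): %s" % ", ".join(bad))
    if sum(1 for k, _ in pairs if k == "ou") > 3:
        raise ValueError("at most three ou= entries are allowed")
    return pairs

def match_dn_filter(peer_filter, subject_dn):
    """Every filter entry must be satisfied by a distinct subject attribute with the same
    key whose value matches the wildcard pattern; extra subject attributes are ignored."""
    remaining = parse_dn(subject_dn)
    for key, pattern in validate_dn_filter(peer_filter):
        regex = _glob_to_regex(pattern)
        hit = next((i for i, (k, v) in enumerate(remaining) if k == key and regex.match(v)), None)
        if hit is None:
            return False
        del remaining[hit]  # consumed, so two ou= entries require two distinct OUs
    return True
```

Note that the patterns are anchored, so `*@sonicwall.com` does not accept `user@sonicwall.com.example`, and a certificate without a Subject Alternative Name fails the E-Mail ID / Domain Name filter outright, as the guide states.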