CHAPTER 36: Configuring VPN Settings

Configuring GroupVPN with IKE 3rd Party Certificates

To configure your GroupVPN policy with IKE 3rd Party Certificates, follow these steps:

Alert: Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL.

1. In the VPN > Settings page, click the edit icon under Configure for the GroupVPN entry. The VPN Policy window is displayed.

2. In the Security Policy section, select IKE using 3rd Party Certificates from the IPSec Keying Mode menu. The SA name is Group VPN by default and cannot be changed.

3. Select a certificate for the SonicWALL from the Gateway Certificate menu.

4. Select one of the following Peer ID types from the Peer ID Type menu and enter the Peer ID filter information in the Peer ID Filter field.

E-Mail ID and Domain Name - The E-Mail ID and Domain Name types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter will not work. The certificate verification process did not actually verify my email address or domain name, just that the certificate I selected to use had this matching entry contained in the Subject Alternative Name field. The E-Mail ID and Domain Name filters can contain a string or partial string identifying the acceptable range required. The strings entered are not case sensitive and can contain the wildcard characters * (for more than one character) and ? (for a single character). For example, the string *@sonicwall.com when E-Mail ID is selected would allow anyone with an email address that ends in sonicwall.com to have access; the string *sv.us.sonicwall.com when Domain Name is selected would allow anyone with a domain name that ends in sv.us.sonicwall.com to have access.

Distinguished Name - Based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are based on country (c=), organization (o=), organizational unit (ou=), and/or common name (cn=). Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to end with a semicolon. You must enter at least one entry, e.g. c=us.

5. Check Allow Only Peer Certificates Signed by Gateway Issuer to specify that peer certificates must be signed by the issuer specified in the Gateway Certificate menu.
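As an added illustration that is not part of the SonicOS guide, the following Python code applies the Peer ID filter rules from step 4 (case-insensitive * and ? wildcards, the Subject Alternative Name requirement for E-Mail ID and Domain Name, and the c=;o=;ou=;cn= form with at most three organizational units) to a few constructed peer certificate records, so an administrator can check which peers a candidate filter would admit before deploying the policy. The certificate records are constructed sample data, and the rule that each ou= entry may be satisfied by any one OU of the certificate is an assumption.

```python
import re

# Constructed sample peer certificates: only the fields the Peer ID filter
# inspects, as plain dicts. Illustrative data, not real certificates.
SAMPLE_PEERS = {
    "alice": {"dn": {"c": "US", "o": "SonicWALL", "ou": ["Engineering", "VPN"], "cn": "alice"},
              "san": {"email": "Alice@sonicwall.com", "dns": "alice.sv.us.sonicwall.com"}},
    "legacy": {"dn": {"c": "US", "o": "SonicWALL", "ou": ["Sales"], "cn": "legacy-box"},
               "san": None},  # issued without a Subject Alternative Name extension
    "outsider": {"dn": {"c": "DE", "o": "Example AG", "ou": [], "cn": "mallory"},
                 "san": {"email": "mallory@example.com", "dns": "vpn.example.com"}},
}

def _wildcard(pattern):
    """Compile a filter string: '*' spans many characters, '?' one; case-insensitive."""
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)

def parse_dn_filter(filter_text):
    """Split 'c=us;o=*;ou=*;cn=*' into (attribute, pattern) pairs, enforcing the guide's rules."""
    entries = [e for e in filter_text.strip().split(";") if e]  # final ';' is optional
    if not entries:
        raise ValueError("at least one entry (e.g. c=us) is required")
    pairs = []
    for entry in entries:
        attr, sep, pattern = entry.partition("=")
        attr = attr.strip().lower()
        if not sep or attr not in ("c", "o", "ou", "cn"):
            raise ValueError(f"invalid entry: {entry!r}")
        pairs.append((attr, pattern.strip()))
    if sum(1 for attr, _ in pairs if attr == "ou") > 3:
        raise ValueError("at most three organizational units may be specified")
    return pairs

def peer_id_matches(peer_id_type, peer_id_filter, cert):
    """Return True if the certificate record would pass the GroupVPN Peer ID filter."""
    if peer_id_type in ("E-Mail ID", "Domain Name"):
        if cert["san"] is None:  # no Subject Alternative Name: the filter cannot match
            return False
        field = "email" if peer_id_type == "E-Mail ID" else "dns"
        return bool(_wildcard(peer_id_filter).match(cert["san"][field]))
    if peer_id_type == "Distinguished Name":
        for attr, pattern in parse_dn_filter(peer_id_filter):
            # Assumption: an ou= entry is satisfied by any one OU of the certificate.
            values = cert["dn"]["ou"] if attr == "ou" else [cert["dn"][attr]]
            if not any(_wildcard(pattern).match(v) for v in values):
                return False
        return True
    raise ValueError(f"unknown Peer ID type: {peer_id_type}")
```

Running a proposed filter against the records for every certificate you intend to issue, including any older ones without a Subject Alternative Name, shows which peers the policy will silently reject.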


SONICWALL SONICOS STANDARD 3.0 ADMINISTRATORS GUIDE
