S

Site to Site VPN Configurations

Qualified Domain Name of the remote destination in the IPSec Gateway Name or Address field. Click Next.

4Enter the IP address of the network protected by the remote SonicWALL in the Remote Network field. This is a private IP address on the remote network. Enter the subnet mask in the Remote Netmask field. Click Next.

Note: You can add additional networks by editing the VPN policy after it is created in the VPN Policy Wizard.

5Select Manual Key from the IPSec Keying Modes list. Click Next.

6Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcedf) and can range from 3 to 8 characters in length. Or use the default values.

Alert: Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.

ESP is selected by default from the Protocol menu. ESP is more secure than AH, but AH requires less processing overhead.

3DES is selected by default from the Encryption Method menu. Enter a 48-character hexadecimal key if you are using 3DES encryption.Enter a 16-character hexadecimal key in the Encryption Key field if you are using DES or ARCFour encryption. This encryption key must match the remote SonicWALL's encryption key.

The default 48-character key is a unique key generated every time a VPN Policy is created.

AH is selected by default from the Authentication Key field. When a new SA is created, a 32- character key is automatically generated in the Authentication Key field. This key can be used as a valid key. If this key is used, it must also be entered in the Authentication Key field in the remote SonicWALL. If authentication is not used, this field is ignored.

Click Next.

7To enable the VPN policy immediately, click Apply. If you prefer to disable the policy initially, select Create this Policy Disabled, and then click Apply.

Configuring IKE 3rd Party Certificates with the VPN Policy Wizard

SAlert: You must have a valid certificate from a third party Certificate Authority installed on your SonicWALL before you can configure your VPN policy with IKE using a third party certificate. See Chapter 40, Managing Certificates for more information.

1Click VPN Policy Wizard to launch the wizard. Click Next to continue.

2Select Custom, and click Next.

3Enter a name for the policy in the Policy Name field. You may want to use the name of a remote office or other identifying feature so that it is easily identified. Enter the IP address or Fully Qualified Domain Name of the remote destination in the IPSec Gateway Name or Address field. Click Next.

4Enter the IP address of the network protected by the remote SonicWALL in the Remote Network field. This is a private IP address on the remote network. Enter the subnet mask in the Remote Netmask field. Click Next.

5Select IKE using 3rd Party Certificates from the IPSec Keying Modes list. Click Next.

6Select your third party certificate from the Third Party Certificate menu. Select the ID type from the Peer Certificate’s ID Type, and enter the ID string in the ID string to match field. Click Next.

7Select from the DH Group menu. Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during phase 1 of the authentication process to establish pre-shared keys. To compromise between network speed and network security, select Group 2.

SONICWALL SONICOS STANDARD 3.0 ADMINISTRATORS GUIDE

219

Page 237 Page 239
Page 238
Image 238
SonicWALL 3 manual 219
Page 237 Page 239
Top Page Image Contents