CHAPTER 36: Configuring VPN Settings
VPNs check box. Traffic can travel from a branch office to a branch office via the corporate office.
Default LAN Gateway - used at a central site in conjunction with a remote site using the Route all internet traffic through this SA check box. Default LAN Gateway allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
VPN Terminated at the LAN, OPT/DMZ/WLAN, or LAN/OPT/DMZ/WLAN - Selecting this option allows you to terminate a VPN tunnel on a specific destination instead of allowing the VPN tunnel to terminate on the entire SonicWALL network. By terminating the VPN tunnel to a specific destination, the VPN tunnel has access to a specific portion of the destination LAN or OPT/DMZ/WLAN network.
12. Click OK. Your new VPN policy is displayed in the VPN Policies table.
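The Default LAN Gateway lookup described above, modeled as an added example (not SonicWALL code): a decrypted packet is matched against the static routes, then falls back to the Default LAN Gateway, and is dropped otherwise. The function names, the longest-prefix match rule, and the sample routes and addresses are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    action: str              # "static-route", "default-lan-gateway" or "drop"
    next_hop: Optional[str]  # where the packet is sent, None when dropped


def forward_decrypted(dst, static_routes, default_lan_gateway=None):
    """Decide what happens to a packet after IPSec decapsulation.

    static_routes is a list of (cidr, next_hop) pairs. Longest prefix wins;
    that rule is an assumption, the guide does not state how routes are matched.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in static_routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is not None:
        return Decision("static-route", best[1])
    if default_lan_gateway:
        # No static route matched: hand the packet to the Default LAN Gateway.
        return Decision("default-lan-gateway", default_lan_gateway)
    # No route and no Default LAN Gateway: the packet is dropped.
    return Decision("drop", None)


def summarize(destinations, static_routes, default_lan_gateway=None):
    """Map each destination to its decision, to review a planned SA setup."""
    return {d: forward_decrypted(d, static_routes, default_lan_gateway)
            for d in destinations}


# Constructed sample data: a central-site LAN, one routed subnet, and an
# Internet destination arriving from a remote site that routes all traffic
# through the SA.
ROUTES = [("192.168.168.0/24", "direct"), ("10.20.0.0/16", "192.168.168.254")]
DESTS = ["192.168.168.10", "10.20.5.9", "203.0.113.80"]

if __name__ == "__main__":
    for gw in (None, "192.168.168.1"):
        print("Default LAN Gateway:", gw)
        for dst, d in summarize(DESTS, ROUTES, gw).items():
            print(f"  {dst:<16} -> {d.action} {d.next_hop or ''}")
```

With no Default LAN Gateway set, the Internet-bound destination is the only one dropped, which is the case the setting exists to handle at the central site.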
Configuring a VPN Policy using Manual Key
To manually configure a VPN Policy in the VPN Policy window using Manual Key, follow the steps below:
1. In the VPN > Settings page, click Add. The VPN Policy window is displayed.
2. Select Manual Key from the IPSec Keying Mode menu.
Tip: Use the VPN worksheet at the beginning of this chapter to record your settings. These settings are necessary to configure the remote SonicWALL and create a successful VPN connection.
3. In the Security Policy section, enter a name for the VPN Policy in the Name field.
4. Enter the IP address or gateway name of the REMOTE SonicWALL in the IPSec Gateway Name or Address field.
5. In the Destination Networks section, select one of the following options:
Use this VPN Tunnel as the default route for all Internet traffic - select this option if all local users access the Internet through this tunnel. You can only configure one SA to use this option.
Specify destination networks below - configure the remote destination network for your SA. Click Add to add the IP address and subnet mask. You can modify existing destination networks by clicking Edit, and delete networks by selecting the network and clicking Delete.
6. Click on the Proposals tab.
7. In the IPSec SA section, define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length. Alternatively, use the default values.
Alert: Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.
8. ESP is selected by default from the Protocol menu. ESP is more secure than AH, but AH requires less processing overhead.
9. 3DES is selected by default from the Phase 2 Encryption menu. Enter a
The default
10. SHA1 is selected by default from the Phase 2 Authentication menu. When a new Policy is created, a
224 | SONICWALL SONICOS STANDARD 3.0 ADMINISTRATOR’S GUIDE |