CHAPTER 36: Configuring VPN Settings

3. Type a Name for the Security Association in the Name field.

4. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWALL in the IPSec Primary Gateway Name or Address field. If you have a secondary remote SonicWALL, enter its IP address or FQDN in the IPSec Secondary Gateway Name or Address field.

5. Select a certificate from the Third Party Certificate menu.

6. Select one of the following Peer ID types from the Peer ID Type menu and enter an ID string in the ID string to match field.

E-Mail ID and Domain Name - The E-Mail ID and Domain Name types are matched against the certificate's Subject Alternative Name field, which is not present in all certificates by default. If the certificate does not contain a Subject Alternative Name field, this filter cannot match. The certificate verification process did not actually verify my email address or domain name, just that the certificate I selected had this matching entry in the Alternative Subject Name field. The E-Mail ID and Domain Name filters can contain a string or partial string identifying the acceptable range. The strings entered are not case sensitive and can contain the wildcard characters * (for more than one character) and ? (for a single character). For example, with E-Mail ID selected, the string *@sonicwall.com allows any peer whose certificate carries an e-mail address ending in @sonicwall.com; with Domain Name selected, the string *sv.us.sonicwall.com allows any peer whose certificate carries a domain name ending in sv.us.sonicwall.com. Because this is a plain suffix match, *sv.us.sonicwall.com also accepts a name such as othersv.us.sonicwall.com; include the leading dot (*.sv.us.sonicwall.com) if only hosts under that domain should be accepted.

Distinguished Name - based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are based on country (c=), organization (o=), organizational unit (ou=), and/or common name (cn=). Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to end with a semi-colon. You must enter at least one entry, for example c=us.

7. In the Destination Network section, select one of the following options:

Use this VPN Tunnel as default route for all Internet traffic - select this option if all traffic from local users must leave the SonicWALL security appliance through this VPN tunnel and no other path.

Destination network obtains IP addresses using DHCP through this VPN Tunnel - Select this setting if you want the remote network to obtain IP addresses from your DHCP server.

Specify destination networks below - allows you to add the destination network or networks. To add a destination network, click Add. The Edit VPN Destination Network window is displayed. Enter the IP address in the Network field and the subnet in the Subnet Mask field, then click OK.

8. Click the Proposals tab.

9. In the IKE (Phase 1) Proposal section, select the following settings:

Select Aggressive Mode from the Exchange menu.

Select Group 2 from the DH Group menu.

Select 3DES from the Encryption menu.

Enter the maximum time in seconds allowed before the policy is forced to renegotiate and exchange keys in the Life Time field. The default setting is 28800 seconds (8 hours).

Note that Aggressive Mode sends the peer identities before the exchange is encrypted, and 3DES and DH Group 2 are weak by current standards; where both gateways support them, Main Mode and stronger algorithms are the safer choice.

10. In the IPsec (Phase 2) Proposal section, select the following settings:

Select ESP from the Protocol menu.

Select 3DES from the Encryption menu.

Select SHA1 from the Authentication menu.

Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security, then select Group 2 from the DH Group menu.

Enter the maximum time in seconds allowed before the policy is forced to renegotiate and exchange keys in the Life Time field. The default setting is 28800 seconds (8 hours).
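The Peer ID matching rules from step 6 (E-Mail ID and Domain Name wildcards against the Subject Alternative Name, and the c=/o=/ou=/cn= Distinguished Name filter) are worth seeing as code, because the wildcard semantics decide which certificates are accepted. The block below is an added example written for this page, not SonicWALL code; it operates on constructed SAN and subject values rather than parsing a real certificate. It assumes * matches any run of characters and ? exactly one, that matching is case-insensitive and anchored at both ends, and (not stated on the page) that each filter entry must be satisfied by a distinct subject attribute of the same type.

```python
import re
from typing import List, Tuple


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a Peer ID pattern into an anchored, case-insensitive regex.
    '*' matches any run of characters, '?' exactly one; everything else is
    literal. Anchoring both ends stops '*@sonicwall.com' from matching
    'alice@sonicwall.com.attacker.example'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_san(peer_id_type: str, id_string: str,
              san_entries: List[Tuple[str, str]]) -> bool:
    """E-Mail ID / Domain Name filter: accept if any SAN entry of the matching
    kind (rfc822Name for e-mail, dNSName for domain) fits the pattern.
    A certificate without a SAN extension (empty list) never matches."""
    wanted = {"E-Mail ID": "rfc822Name", "Domain Name": "dNSName"}[peer_id_type]
    rx = _pattern_to_regex(id_string)
    return any(kind == wanted and rx.match(value) for kind, value in san_entries)


def parse_dn_filter(filter_string: str) -> List[Tuple[str, str]]:
    """Parse 'c=us;o=*;ou=eng;cn=*' into [(attr, pattern), ...]. Only c, o,
    ou and cn are accepted, at most three ou= entries, at least one entry
    overall; a trailing semi-colon is tolerated."""
    entries = []
    for raw in filter_string.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        attr, sep, pattern = raw.partition("=")
        attr = attr.strip().lower()
        if not sep or attr not in ("c", "o", "ou", "cn"):
            raise ValueError(f"invalid DN filter entry: {raw!r}")
        entries.append((attr, pattern.strip()))
    if not entries:
        raise ValueError("DN filter needs at least one entry, e.g. c=us")
    if sum(1 for a, _ in entries if a == "ou") > 3:
        raise ValueError("at most three ou= entries are allowed")
    return entries


def match_dn(filter_string: str, subject: List[Tuple[str, str]]) -> bool:
    """Distinguished Name filter. Assumption (not on the page): every filter
    entry must be satisfied by a subject attribute of the same type, and
    repeated ou= entries must each consume a distinct OU value."""
    remaining = [(a.lower(), v) for a, v in subject]
    for attr, pattern in parse_dn_filter(filter_string):
        rx = _pattern_to_regex(pattern)
        for i, (s_attr, s_val) in enumerate(remaining):
            if s_attr == attr and rx.match(s_val):
                del remaining[i]
                break
        else:
            return False
    return True


# Constructed sample certificate fields for the demonstration; these are not
# taken from any real certificate.
PEER_SAN = [("rfc822Name", "Alice@sonicwall.com"),
            ("dNSName", "vpn1.sv.us.sonicwall.com")]
PEER_SUBJECT = [("C", "US"), ("O", "SonicWALL"), ("OU", "Engineering"),
                ("OU", "VPN"), ("CN", "vpn1.sv.us.sonicwall.com")]
LOOKALIKE_SAN = [("dNSName", "othersv.us.sonicwall.com")]


if __name__ == "__main__":
    print(match_san("E-Mail ID", "*@sonicwall.com", PEER_SAN))            # True
    print(match_san("Domain Name", "*sv.us.sonicwall.com", LOOKALIKE_SAN))  # True: suffix match
    print(match_san("Domain Name", "*.sv.us.sonicwall.com", LOOKALIKE_SAN))  # False: leading dot
    print(match_dn("c=us;o=*;ou=eng*;ou=vpn;cn=*", PEER_SUBJECT))         # True
```

The second and third calls in the usage block show the practical difference between *sv.us.sonicwall.com and *.sv.us.sonicwall.com: only the form with the leading dot rejects the look-alike name.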


SONICWALL SONICOS STANDARD 3.0 ADMINISTRATORS GUIDE
