SonicWALL VPN Page 189
Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via
the corporate office.
Route all internet traffic through this SA
Selecting this box allows a network administrator to force all WAN-destined traffic to go through a
VPN tunnel to a central site. Outgoing packets are checked against the remote network definitions
for all Security Associations (SA). If a match is detected, the packet is then routed to the appropriate
destination. If no match is detected, the SonicWALL checks for the presence of a SA using this
configuration. If an SA is detected, the packet is sent using that SA. If there is no SA with this option
enabled, and if the destination does not match any other SA, the packet goes unencrypted to the
WAN.
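The three-step lookup described above (explicit remote-network match, then a route-all SA, then cleartext to the WAN) is easy to get wrong when reviewing a configuration. The following Python script is an added example, not SonicWALL code: it models the decision order on a constructed SA table and includes a small audit helper that lists which destinations would leave the WAN interface unencrypted if no SA has the route-all option checked. SA names and networks are invented for the demonstration.

```python
import ipaddress

# Constructed SA table for illustration (not taken from the manual). Each
# entry is one Security Association: the remote networks it protects and
# whether "Route all internet traffic through this SA" is checked on it.
SA_TABLE = [
    {"name": "branch-a", "remote_networks": ["10.1.0.0/16"], "route_all": False},
    {"name": "branch-b", "remote_networks": ["10.2.0.0/16", "192.168.50.0/24"], "route_all": False},
    {"name": "corp-hq", "remote_networks": ["10.0.0.0/16"], "route_all": True},
]


def select_sa(dst_ip, sa_table=SA_TABLE):
    """Return (sa_name, encrypted) for an outgoing packet to dst_ip.

    Lookup order as the manual describes it:
      1. the destination matches a remote network of some SA -> use that SA;
      2. otherwise an SA has route-all enabled -> send everything through it;
      3. otherwise the packet leaves the WAN interface in cleartext.
    """
    dst = ipaddress.ip_address(dst_ip)
    for sa in sa_table:  # step 1: explicit remote-network match
        if any(dst in ipaddress.ip_network(net) for net in sa["remote_networks"]):
            return sa["name"], True
    for sa in sa_table:  # step 2: fall back to an SA with route-all enabled
        if sa["route_all"]:
            return sa["name"], True
    return None, False  # step 3: unencrypted to the WAN


def cleartext_destinations(destinations, sa_table=SA_TABLE):
    """Audit helper: list the destinations that would leave unencrypted.

    With a route-all SA present the list is empty; without one, every
    destination outside the configured remote networks shows up here.
    """
    return [d for d in destinations if not select_sa(d, sa_table)[1]]


if __name__ == "__main__":
    for ip in ("10.1.5.5", "192.168.50.7", "93.184.216.34"):
        print(ip, "->", select_sa(ip))
    # Same table with the route-all option unchecked everywhere.
    no_route_all = [dict(sa, route_all=False) for sa in SA_TABLE]
    print("cleartext without route-all:",
          cleartext_destinations(["10.1.5.5", "93.184.216.34"], no_route_all))
```

Running the audit helper against a copy of the table with route-all disabled is the quickest way to confirm whether a remote site's Internet-bound traffic is actually being forced through the central SA.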
Enable Perfect Forward Secrecy
The Enable Perfect Forward Secrecy check box increases the renegotiation time of the VPN tunnel.
By enabling Perfect Forward Secrecy, a hacker using brute force to break encryption keys is not able
to obtain other or future IPSec keys. During the phase 2 renegotiation between two SonicWALL
appliances or a Group VPN SA, an additional Diffie-Hellman key exchange is performed. Enable
Perfect Forward Secrecy adds incremental security between gateways.
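To make concrete why the extra phase 2 Diffie-Hellman exchange protects future IPSec keys, the following Python simulation is added here; it is not SonicWALL code and not a protocol implementation. It follows the IKEv1 quick-mode key derivation (RFC 2409 section 5.5), where without PFS the phase 2 key material is derived only from the phase 1 secret SKEYID_d and public values, while with PFS a fresh g^xy from the phase 2 exchange is mixed in. The Diffie-Hellman group is a toy 61-bit prime chosen for speed (a real deployment uses the 768/1024/1536-bit groups selected under Phase 2 DH Group), HMAC-SHA256 stands in for the negotiated prf, and the phase 1 secret is a constructed random value.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, for illustration only. A real IKE phase 2
# uses the negotiated MODP group (group 1 = 768-bit, group 2 = 1024-bit,
# group 5 = 1536-bit prime); this 61-bit Mersenne prime just keeps the demo fast.
P = (1 << 61) - 1
G = 3
PROTO_ESP = 3  # IPsec DOI protocol identifier for ESP


def derive_keymat(skeyid_d, protocol, spi, ni, nr, gxy=None):
    """Phase 2 (quick mode) key derivation, simplified from IKEv1 (RFC 2409 5.5):

        without PFS:  KEYMAT = prf(SKEYID_d,        protocol | SPI | Ni | Nr)
        with PFS:     KEYMAT = prf(SKEYID_d, g^xy | protocol | SPI | Ni | Nr)

    HMAC-SHA256 stands in for the negotiated prf. g^xy is the fresh DH shared
    secret that only exists when PFS is enabled.
    """
    msg = b"" if gxy is None else gxy.to_bytes(8, "big")
    msg += bytes([protocol]) + spi + ni + nr
    return hmac.new(skeyid_d, msg, hashlib.sha256).digest()


def phase2_rekey(skeyid_d, pfs):
    """Simulate one quick-mode rekey between initiator and responder.

    Returns (keymat_initiator, keymat_responder, transcript), where transcript
    holds only what an observer on the wire could record.
    """
    ni, nr, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    transcript = {"protocol": PROTO_ESP, "spi": spi, "ni": ni, "nr": nr}
    gxy_i = gxy_r = None
    if pfs:
        # The additional DH exchange of phase 2: x and y never leave their owners.
        x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        transcript["gx"], transcript["gy"] = pow(G, x, P), pow(G, y, P)
        gxy_i = pow(transcript["gy"], x, P)  # initiator's view of g^xy
        gxy_r = pow(transcript["gx"], y, P)  # responder's view of g^xy
    keymat_i = derive_keymat(skeyid_d, PROTO_ESP, spi, ni, nr, gxy_i)
    keymat_r = derive_keymat(skeyid_d, PROTO_ESP, spi, ni, nr, gxy_r)
    return keymat_i, keymat_r, transcript


def keymat_from_phase1_secret(skeyid_d, transcript):
    """What a later compromise of the phase 1 secret SKEYID_d yields when
    combined with a recorded transcript. Without PFS that is the full phase 2
    KEYMAT; with PFS the g^xy term is missing, and obtaining it means solving
    a discrete logarithm in the chosen group, which is what the group's prime
    size is meant to make infeasible."""
    return derive_keymat(skeyid_d, transcript["protocol"], transcript["spi"],
                         transcript["ni"], transcript["nr"])


if __name__ == "__main__":
    skeyid_d = secrets.token_bytes(32)  # constructed stand-in for the phase 1 secret
    for pfs in (False, True):
        ki, kr, tr = phase2_rekey(skeyid_d, pfs)
        assert ki == kr
        exposed = keymat_from_phase1_secret(skeyid_d, tr) == ki
        print(f"PFS={pfs}: peers agree; phase 1 secret alone exposes KEYMAT: {exposed}")
```

The extra modular exponentiations in the PFS branch are the cost the manual refers to as increased renegotiation time; the larger the prime size of the group, the higher that cost and the harder the discrete logarithm an adversary would face.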
Phase 2 DH Group
If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a
key agreement protocol) to be used during phase 2 of the authentication process to establish pre-
shared keys. Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed
below:
Group Descriptor    Prime Size (bits)
1                   768
2                   1024
5                   1536
If network connection speed is an issue, select Group 1. If network security is an issue, select Group
5. To compromise between speed and security, select Group 2.
Default LAN Gateway
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all
internet traffic through this SA check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for incoming IPSec packets for this
SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured in the
SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough
static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up