SONICWALL SONICOS ENHANCED 2.5 ADMINISTRATOR’S GUIDE
Configuring GroupVPN Policies
SHA1 from the Authentication menu.
Leave the default setting, 28800, in the Life Time (seconds) field. This setting forces the tunnel to
renegotiate and exchange keys every 8 hours.
9. In the IPSec (Phase 2) Proposal section, select the following settings:
ESP from the Protocol menu.
3DES from the Encryption menu.
MD5 from the Authentication menu.
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange
as an added layer of security. Then select Group 2 from the DH Group menu.
Leave the default setting, 28800, in the Life Time (seconds) field. This setting forces the tunnel to
renegotiate and exchange keys every 8 hours.
10. Click on the Advanced tab and select any of the following optional settings that you want to apply
to your GroupVPN Policy:
Enable Windows Networking (NetBIOS) broadcast - allows access to remote network
resources by browsing the Windows Network Neighborhood.
Management via this SA - select HTTP and/or HTTPS.
Default LAN Gateway - used at a central site in conjunction with a remote site using the Route
all Internet traffic through this SA check box. Default LAN Gateway allows the network
administrator to specify the IP address of the default LAN route for incoming IPSec packets for
this SA. Incoming packets are decoded by the SonicWALL and compared to static routes
configured in the SonicWALL. Since packets can have any IP address destination, it is
impossible to configure enough static routes to handle the traffic. For packets received via an
IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed
through the gateway. Otherwise, the packet is dropped.
Require Authentication of VPN Clients via XAUTH - requires that all inbound traffic on this
VPN policy be from an authenticated user. Unauthenticated traffic is not allowed on the VPN
tunnel.
User group for XAUTH users - allows you to select a defined user group for authentication.
All Unauthenticated VPN Client Access - allows you to specify network segments for
unauthenticated Global VPN Client access.
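The Default LAN Gateway decision described above (static route lookup first, then the per-SA Default LAN Gateway, otherwise drop) as an added, stand-alone illustration; this is not SonicWALL code, and the route table format, gateway addresses and packet destinations are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed static route table: destination network -> next-hop gateway.
# In SonicOS these would be the static routes configured on the appliance.
STATIC_ROUTES = {
    "192.168.10.0/24": "192.168.1.254",
    "192.168.20.0/24": "192.168.1.253",
    "192.168.20.128/25": "192.168.1.252",  # more specific route inside the /24
}


def route_decrypted_packet(dst_ip: str, static_routes: dict,
                           default_lan_gateway: Optional[str]) -> Optional[str]:
    """Return the next-hop gateway for a decrypted IPsec packet, or None if it is dropped.

    Mirrors the documented order of evaluation for packets arriving via an IPsec SA:
      1. look up a static route for the destination (longest prefix match wins);
      2. if none matches, use the SA's Default LAN Gateway when one is configured;
      3. otherwise the packet is dropped (returned as None).
    """
    dst = ipaddress.ip_address(dst_ip)
    best_len = -1
    best_gw = None
    for prefix, gateway in static_routes.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and net.prefixlen > best_len:
            best_len, best_gw = net.prefixlen, gateway
    if best_gw is not None:
        return best_gw
    # No static route covers the destination: fall back to the Default LAN Gateway.
    return default_lan_gateway


def simulate(destinations, default_lan_gateway: Optional[str]) -> dict:
    """Evaluate several constructed destinations against the same SA configuration."""
    return {ip: route_decrypted_packet(ip, STATIC_ROUTES, default_lan_gateway)
            for ip in destinations}


if __name__ == "__main__":
    # Constructed inbound destinations; 10.9.9.9 matches no static route.
    sample = ["192.168.10.5", "192.168.20.200", "10.9.9.9"]
    for gw in ("192.168.1.1", None):
        print(f"Default LAN Gateway = {gw}:")
        for ip, hop in simulate(sample, gw).items():
            print(f"  {ip:16} -> {hop if hop else 'DROPPED'}")
```

With the Default LAN Gateway left unset, any destination outside the static route table is dropped, which is the behaviour to expect at a central site that has not configured it.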
11. Click on the Client tab and select any of the following boxes that you want to apply to Global VPN
Client provisioning:
Cache XAUTH User Name and Password - allows the Global VPN Client to cache the user
name and password. Select from:
• Never - Global VPN Client is not allowed to cache the username and password. The user will
be prompted for a username and password when the connection is enabled and also every
time there is an IKE phase 1 rekey.
• Single Session - The user will be prompted for a username and password each time the
connection is enabled; the credentials remain valid until the connection is disabled. This username and
password are used through IKE phase 1 rekey.
• Always - The user will be prompted for a username and password only once, when the
connection is enabled. When prompted, the user will be given the option of caching the
username and password.
Allow Connection to - Client network traffic matching destination networks of each gateway is
sent through the VPN tunnel of that specific gateway. Select from Split Tunnels, This
Gateway Only, or All Secured Gateways.
Set Default Route as this Gateway - Enable this check box if all remote VPN connections
access the Internet through this SA. You can only configure one SA to use this setting.