
Configuring VPN Policies
In the IPSec (Phase 2) Proposal section, select the following default settings:
- ESP from the Protocol menu
- 3DES from the Encryption menu
- SHA1 from the Authentication menu
Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security. Select Group 2 from the DH Group menu.
Leave the default setting, 28800, in the Life Time (secs) field. This setting forces the tunnel to renegotiate and exchange keys every 8 hours.
Click the Advanced tab.
Select any of the following optional settings you want to apply to your GroupVPN policy:
- Enable Windows Networking (NetBIOS) broadcast - allows access to remote network resources by browsing the Windows® Network Neighborhood.
- Enable Multicast - enables IP multicasting traffic, such as streaming audio (including VoIP) and video applications, to pass through the VPN tunnel.
- Management via this SA - If using the VPN policy to manage the SonicWALL security appliance, select the management method, either HTTP or HTTPS.
- Default Gateway - allows the network administrator to specify the IP address of the default network route for incoming IPSec packets for this VPN policy. Incoming packets are decoded by the SonicWALL and compared to the static routes configured in the SonicWALL security appliance. Since packets can have any destination IP address, it is impossible to configure enough static routes to handle all the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is configured, the packet is routed through that gateway. Otherwise, the packet is dropped.
- Require Authentication of VPN Clients via XAUTH - requires that all inbound traffic on this VPN tunnel is from an authenticated user. Unauthenticated traffic is not allowed on the VPN tunnel. The Trusted Users group is selected by default. You can select another user group or Everyone from the User Group for XAUTH Users menu.
- Allow Unauthenticated VPN Client Access - allows you to enable unauthenticated VPN client access. If you uncheck Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from the menu of predefined options, or select Create new address object or Create new address group to create a new one.
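The two decisions described above (whether inbound tunnel traffic is accepted under the XAUTH or unauthenticated-access settings, and how a decoded packet is routed via static routes, the Default Gateway, or dropped) are modelled below as an added example. This is illustrative code written for this page, not SonicOS code; the class and function names, the longest-prefix tie-break among static routes, and all addresses and group names are assumptions constructed for the example.

```python
"""Illustrative model of a GroupVPN policy's inbound-packet decisions.

Added example, not SonicWALL code. All names and sample values are assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnPolicy:
    # "Require Authentication of VPN Clients via XAUTH" and its user group.
    require_xauth: bool = True
    xauth_user_group: str = "Trusted Users"      # or "Everyone"
    # "Allow Unauthenticated VPN Client Access": address objects/groups
    # (modelled as CIDR strings) whose traffic is accepted without XAUTH.
    unauthenticated_access: List[str] = field(default_factory=list)
    # Static routes configured on the appliance: network -> next hop.
    static_routes: Dict[str, str] = field(default_factory=dict)
    # Optional "Default Gateway" for packets that match no static route.
    default_gateway: Optional[str] = None


@dataclass
class InboundPacket:
    src: str                         # inner source address after decoding
    dst: str                         # inner destination address
    xauth_user: Optional[str] = None  # None: client did not complete XAUTH
    user_groups: Tuple[str, ...] = ()  # groups the authenticated user is in


def client_allowed(policy: VpnPolicy, pkt: InboundPacket) -> bool:
    """Apply the XAUTH / unauthenticated-access settings to one packet."""
    if policy.require_xauth:
        if pkt.xauth_user is None:
            return False                      # unauthenticated traffic is not allowed
        if policy.xauth_user_group == "Everyone":
            return True                       # any authenticated user passes
        return policy.xauth_user_group in pkt.user_groups
    # XAUTH not required: only sources in the selected address objects pass.
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(net) for net in policy.unauthenticated_access)


def next_hop(policy: VpnPolicy, pkt: InboundPacket) -> Optional[str]:
    """Route lookup: static routes first, then Default Gateway, else None (drop)."""
    dst = ipaddress.ip_address(pkt.dst)
    matches = [
        (ipaddress.ip_network(net), gw)
        for net, gw in policy.static_routes.items()
        if dst in ipaddress.ip_network(net)
    ]
    if matches:
        # Assumption for the example: the most specific static route wins.
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return policy.default_gateway


def handle(policy: VpnPolicy, pkt: InboundPacket) -> str:
    """Combine the access decision and the routing decision for one packet."""
    if not client_allowed(policy, pkt):
        return "drop: client not permitted"
    hop = next_hop(policy, pkt)
    if hop is None:
        return "drop: no route and no Default Gateway"
    return f"forward via {hop}"


# Constructed sample policy and packets (all addresses are documentation ranges).
SAMPLE_POLICY = VpnPolicy(
    require_xauth=True,
    xauth_user_group="Trusted Users",
    static_routes={"10.1.0.0/16": "10.1.0.1", "10.1.5.0/24": "10.1.5.1"},
    default_gateway="192.0.2.1",
)
TRUSTED_PKT = InboundPacket("172.16.0.5", "10.1.5.20", "alice", ("Trusted Users",))
ANON_PKT = InboundPacket("172.16.0.9", "10.1.5.20")

if __name__ == "__main__":
    print(handle(SAMPLE_POLICY, TRUSTED_PKT))
    print(handle(SAMPLE_POLICY, ANON_PKT))
```

Running the block prints the trusted user's packet forwarded via the more specific 10.1.5.0/24 route and the unauthenticated packet dropped. Clearing `default_gateway` reproduces the documented drop for destinations that match no static route, and switching `require_xauth` off with an `unauthenticated_access` list shows the address-object path.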