Global VPN Client 4.10 Admin Guide

Making VPN Connections


Making a VPN connection from the Global VPN Client is easy because the configuration information is managed by the SonicWall VPN gateway. The SonicOS (VPN gateway) administrator sets the parameters for what is allowed and not allowed with the VPN connection. For example, for security reasons, the administrator may not allow multiple VPN connections or the ability to access the Internet or local network while the VPN connection is enabled.

The Global VPN Client supports two IPsec authentication modes:

IKE using Preshared Secret
IKE using 3rd Party Certificates.

Preshared Secret is the most common form of the IPsec authentication modes. If your VPN connection policy uses 3rd party certificates, you use the Certificate Manager to configure the Global VPN Client to use digital certificates.

A Pre-Shared Key (also called a Shared Secret) is a predefined password that the two endpoints of a VPN tunnel use to set up an IKE (Internet Key Exchange) Security Association. This field can be any combination of alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Your Pre-Shared Key is typically configured as part of your Global VPN Client provisioning. If it is not, you are prompted to enter it before you log on to the remote network.

Accessing Redundant VPN Gateways

The Global VPN Client supports redundant VPN gateways by manually adding the peer in the Peers page of the VPN connection Properties window. The Global VPN Client adds automatic support for redundant VPN gateways if the IPsec gateway’s domain name resolves to multiple IP addresses. For example, if gateway.yourcompany.com resolves to,, and, the Global VPN Client cycles through these resolved IP addresses until it finds a gateway that responds, allowing multiple IP addresses to be used as failover gateways. If all the resolved IP addresses fail to respond, Global VPN Client switches to the next peer, if another peer is specified in the Peers page of the VPN connection Properties dialog. See Connection Properties Peers Settings for more information.

NOTE: When configuring redundant VPN gateways, the Group VPN policy attributes (such as pre-shared keys and the attributes on the Peer Information page) must be the same for every gateway if the gateway’s FQDN resolves to multiple IP addresses. However, if you set up multiple peers on the Peers page, then each peer gateway can have its own settings.
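
The failover order described above and the policy rule in the NOTE can be modeled as follows. This is an added example, not SonicWall code; the IP addresses, backup.yourcompany.com, the psk_id labels, and all function names are constructed for illustration.

```python
"""Model of gateway failover order and the redundant-gateway policy rule."""

# Constructed inventory: DNS answers and per-gateway GroupVPN attributes.
DNS = {
    "gateway.yourcompany.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "backup.yourcompany.com": ["198.51.100.5"],  # hypothetical second peer
}
POLICY = {  # psk_id is a label for the key in use, never the key itself
    "192.0.2.10": {"psk_id": "psk-A", "xauth": True},
    "192.0.2.11": {"psk_id": "psk-A", "xauth": True},
    "192.0.2.12": {"psk_id": "psk-OLD", "xauth": True},   # drifted gateway
    "198.51.100.5": {"psk_id": "psk-B", "xauth": False},  # separate peer entry
}
PEERS = ["gateway.yourcompany.com", "backup.yourcompany.com"]


def resolve(name):
    """Stand-in for DNS resolution, backed by the constructed table."""
    return DNS.get(name, [])


def attempt_order(peers, resolve):
    """Peers in listed order; within a peer, every resolved IP in turn."""
    return [(peer, ip) for peer in peers for ip in resolve(peer)]


def first_responding(peers, resolve, responds):
    """Return the (peer, ip) the client would end up on, or None."""
    for peer, ip in attempt_order(peers, resolve):
        if responds(ip):
            return peer, ip
    return None


def policy_drift(peers, resolve, policy_of):
    """Peers whose resolved IPs do not all share identical attributes."""
    drift = {}
    for peer in peers:
        ips = resolve(peer)
        baseline = policy_of(ips[0]) if ips else None
        odd = [ip for ip in ips[1:] if policy_of(ip) != baseline]
        if odd:
            drift[peer] = odd
    return drift


if __name__ == "__main__":
    down = {"192.0.2.10", "192.0.2.11"}
    print(first_responding(PEERS, resolve, lambda ip: ip not in down))
    print(policy_drift(PEERS, resolve, POLICY.get))
```

With the first two gateways down, failover lands on the one gateway whose attributes have drifted, which is the case the NOTE warns about; the separate peer entry is not flagged because it may carry its own settings.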

Enabling a VPN Connection

Enabling a VPN connection with the SonicWall Global VPN Client is a transparent two-phase process. Phase 1 enables the connection, which completes the ISAKMP (Internet Security Association and Key Management Protocol) negotiation. Phase 2 is IKE (Internet Key Exchange) negotiation, which establishes the VPN tunnel for sending and receiving data.

When you enable a VPN connection, the following information is displayed in the Status column of the Global VPN Client window:

Disabled changes to Connecting.
Connecting changes to Authenticating when the Enter Username/Password dialog displays.
Authenticating changes to Connecting when the user enters the username and password.
Connecting changes to Provisioning.
Provisioning changes to Connected once the VPN connection is fully established. A green checkmark is displayed on the VPN connection icon.

When the VPN connection is established, a pop-up notification from the Global VPN Client system tray icon displays: Connection Name, Connected to IP address, and Virtual IP Address.

If an error occurs during the VPN connection, Error appears in the Status column, and an error mark (a red X) appears on the VPN Connection icon. A VPN connection that does not successfully complete all phase 2 connections displays a yellow warning symbol on the Connection icon.

NOTE: If the Global VPN Client does not establish the VPN connection, you can use the Log Viewer to view the error messages to troubleshoot the problem. See Understanding the Global VPN Client Log for more information.
To establish a VPN connection using the Global VPN Client:
Enable a VPN connection using one of the following methods:
If you selected Enable this connection when the program is launched in the New Connection Wizard, the VPN connection is automatically established when you launch the SonicWall Global VPN Client.
If your VPN connection is not automatically established when you launch the Global VPN Client, choose one of the following methods to enable a VPN connection:
Double-click the VPN connection.
Right-click the VPN connection icon and select Enable from the menu.
Select the VPN connection and press Ctrl+B.
Select the VPN connection, and click the Enable button on the toolbar.
Select the VPN connection, and then choose File > Enable.
If the Global VPN Client icon is displayed in the system tray, right-click the icon and then select Enable > connection name. Global VPN Client enables the VPN connection without opening the Global VPN Client window.
Depending on how the VPN connection is configured, these dialogs may be displayed:
Cannot Enable Connection – see Establishing Multiple Connections
Enter Pre-Shared Secret – see Entering a Pre-Shared Key
Enter Username and Password – see Providing Username and Password Authentication
Connection Warning – see Connection Warning

Establishing Multiple Connections

You can have more than one connection enabled at a time, but this depends on the connection parameters established at the VPN gateway. If you attempt to enable another VPN connection while the currently enabled VPN connection policy does not allow multiple VPN connections, the Cannot Enable Connection message appears, informing you that the VPN connection cannot be made because the currently active VPN policy does not allow multiple active VPN connections. The currently enabled VPN connection must be disabled before enabling the new VPN connection.


Entering a Pre-Shared Key

Depending on the attributes for the VPN connection, if no default Pre-Shared Key is used, you must have a Pre-Shared Key provided by the gateway administrator to make your VPN connection. If the default Pre-Shared Key is not included as part of the connection policy download or file, the Enter Pre-Shared Key dialog appears to prompt you for the Pre-Shared Key before establishing the VPN connection.

To enter a Pre-Shared Key:
Type your Pre-Shared Key in the Pre-shared Key field. The Pre-Shared Key is masked for security.
Optionally, if you want to make sure you are entering the correct Pre-Shared Key, select Don’t hide the pre-shared key. The Pre-Shared Key you enter appears unmasked in the Pre-shared Key field.
TIP: If you select this option, be sure to unselect it when you’ve verified the Pre-Shared Key.
Click OK.

Selecting a Certificate

If the SonicWall VPN Gateway requires a Digital Certificate to establish your identity for the VPN connection, the Select Certificate dialog appears. This dialog lists all the available certificates installed on your Global VPN Client.

NOTE: For more information on using the Certificate Manager, see Managing Certificates.
To select a certificate:
Do one of the following:
Select the certificate from the menu.
If you have a certificate that has not been imported into the Global VPN Client using Certificate Manager, click Import Certificate.
Click OK.

Providing Username and Password Authentication

The VPN gateway typically specifies the use of XAUTH for determining GroupVPN policy membership by requiring a username and password either for authentication against the gateway’s internal user database or via an external RADIUS service.

If the SonicWall VPN gateway is provisioned to prompt you for the username and password to enter the remote network, the Enter Username and Password dialog appears.

To enter a username and password:
Type your username and password.
Optionally, if permitted by the gateway, select Remember Username and Password to cache your username and password to automatically log in for future VPN connections.
Click OK to continue with establishing your VPN connection.

Creating a Connection Shortcut

TIP: Create a Desktop shortcut for the SonicWall Global VPN Client program for easy access to all your connections.

To streamline enabling a VPN connection, you can place a VPN connection on the desktop, taskbar, or Start menu. You can also place the connection at any other location on your system.

To create a shortcut:
Select the VPN connection for which to create a shortcut in the Global VPN Client window.
Choose File > Create Shortcut.
Select the shortcut option you want: On the Desktop, On the Task Bar, In the Start Menu, or Select a Location.

You can also right-click the VPN connection and then choose Create Shortcut > shortcut option.

Connection Warning

If the VPN connection policy allows only traffic to the gateway, the Connection Warning message appears, warning you that only network traffic destined for the remote network at the other end of the VPN tunnel is allowed. Any network traffic destined for local network interfaces and the Internet is blocked.

You can disable the Connection Warning message from displaying every time you enable the VPN connection by checking If yes, don’t show this dialog again.

Click Yes to continue with establishing your VPN connection.