
Global VPN Client 4.10 Admin Guide

Using the default.rcf File

About the default.rcf File

The default.rcf file allows you to create and distribute preconfigured VPN connections for SonicWall Global VPN Client. You can distribute the default.rcf file with the Global VPN Client software to automatically create preconfigured VPN connections for streamlined deployment.

The VPN connections created from the default.rcf file appear in the Global VPN Client window. The Global VPN Client user simply enables the VPN connection; after XAUTH authentication with a username and password, the policy download completes automatically.

How Global VPN Client Uses default.rcf

When the Global VPN Client starts up, the program always looks for the configuration file, Connections.rcf, in the C:\Users\<user>\AppData\Roaming\SonicWall\Global VPN Client\ directory. If this file does not exist, the Global VPN Client looks for the default.rcf file in the program install directory, C:\Program Files\SonicWall\Global VPN Client\.

The Global VPN Client reads the default.rcf file, if it exists, and creates the configuration file, Connections.rcf, in the C:\Users\<user>\AppData\Roaming\SonicWall\Global VPN Client\ directory. The Connections.rcf file contains all the VPN connection configuration information for the SonicWall Global VPN Client, with sensitive data (user names and passwords) encrypted.

Deploying the default.rcf File

There are three ways to deploy the default.rcf file for your SonicWall Global VPN Clients:

Include the default.rcf file along with the installer software GVCInstallXX.MSI, where XX is either 32, for 32-bit Windows platforms or 64, for 64-bit Windows platforms, before running the installer. See Including the default.rcf File with the MSI Installer.
Add the default.rcf file to the program install directory before opening the SonicWall Global VPN Client application for the first time. See Adding the default.rcf File to the Installation Directory.
If the Connections.rcf configuration file exists in the user’s configuration file folder, replace it using settings from the default.rcf file in the program install directory. See Replacing an Existing .rcf File with the default.rcf File.

Including the default.rcf File with the MSI Installer

After you create the default.rcf file, you can include it in the same folder as the MSI installer (GVCInstallXX.MSI where XX is either 32, for 32-bit Windows platforms, or 64, for 64-bit Windows platforms) before running the installer. The installation process now copies the default.rcf to the program install directory. After this installation, when the user launches the Global VPN Client program, the connection(s) defined in default.rcf are used to create the configuration file Connections.rcf in the C:\Users\<user>\AppData\Roaming\SonicWall\Global VPN Client\ directory. This is the easiest method for Global VPN Client users.

To give all users the same profile (from default.rcf) during installation:

1. Export the WAN groupVPN configuration from your SonicWall network security appliance (the VPN Gateway), or create default.rcf if you want multiple connections.
2. Rename the exported configuration file to default.rcf.
3. Extract the GVCInstallXX.MSI from GVCSetupXX.exe (where XX is either 32 for 32-bit Windows platforms or 64 for 64-bit Windows platforms) by typing this command line:

   GVCSetupXX.exe /T:<Path where you want MSI to be extracted> /C

4. Copy the default.rcf file to the same directory where you have the GVCInstallXX.MSI (installer file).
5. Launch the installer (GVCInstallXX.MSI). The installation process copies default.rcf to the GVC Install directory.
6. After the install is complete and you start the Global VPN Client, it reads the default.rcf and creates the defined connections from it.

CAUTION: The default.rcf file must be included in the Global VPN Client installation directory C:\Program Files\SonicWall\Global VPN Client\ for the program to write the Connections.rcf file based on the settings defined in the default.rcf file.

Adding the default.rcf File to the Installation Directory

After the Global VPN Client software is installed and prior to running the program, the user can add the default.rcf file to the Global VPN Client installation directory C:\Program Files\SonicWall\Global VPN Client\.

When the user launches the Global VPN Client program, the configuration file Global VPN Client.rcf is created in the C:\Users\<user>\AppData\Roaming\SonicWall\Global VPN Client\ directory based on the default.rcf file settings.

Replacing an Existing .rcf File with the default.rcf File

If the configuration file, Connections.rcf, already exists in the C:\Users\<user>\AppData\Roaming\SonicWall\Global VPN Client\ directory, the user can remove this file and add the default.rcf file to the Global VPN Client installation directory C:\Program Files\SonicWall\Global VPN Client\. The next time the user launches the Global VPN Client, the Connections.rcf file is created in the C:\Users\<user>\AppData\Roaming\SonicWall\Global VPN Client\ directory based on the default.rcf file settings.

CAUTION: The Connections.rcf file is user-specific and in most cases will not work for another user running the SonicWall Global VPN Client, even on the same machine.

CAUTION: Removing an existing Connections.rcf file removes the VPN connections created in the Global VPN Client. These VPN connections can be added again from the Global VPN Client into the new Connections.rcf file.

Creating the default.rcf File

You can create your custom default.rcf file with any text editor, such as Windows Notepad.

default.rcf File Tag Descriptions

Tags that you do not explicitly list in default.rcf are set to the default setting (which is the same behavior as when you configure a new VPN connection within the Global VPN Client manually). The default setting for each tag is highlighted in bracketed bold text, for example: [default].

<SW_Client_Policy version="9.0">

<Connections> – Defines the connection profiles in the default.rcf configuration file. There is no hard limit defined on the number of connection profiles allowed.

<Connection name = connection name> – Provides a name for the VPN connection that appears in the Global VPN Client window.

<Description> description text</Description> – Provides a description for each connection profile that appears when the user moves the mouse pointer over the VPN Policy in the Global VPN Client window. The maximum number of characters for the <Description> tag is 1023.

<Flags>

<AutoConnect>[Off=0]/On=1</AutoConnect> – Enables this connection when the program is launched.

<ForceIsakmp>Off=0/[On=1]</ForceIsakmp> – Starts IKE negotiation as soon as the connection is enabled without waiting for network traffic. If disabled, then only traffic to the destination network(s) initiates IKE negotiations.

<ReEnableOnWake>[Off=0]/On=1</ReEnableOnWake> – Enables the connection when the computer comes out of sleep or hibernation.

<ReconnectOnError>Off=0/[On=1]</ReconnectOnError> – Automatically keeps trying to enable the connection when an error occurs.

<ExecuteLogonScript>[Disable=0]/Enable=1</ExecuteLogonScript> – Forces the login script to launch.

</Flags>

<Peer> – Defines the peer settings for a VPN connection. A VPN connection can support up to 5 peers.

<HostName>IP Address/Domain Name</HostName> – The IP address or domain name of the SonicWall gateway.

<EnableDeadPeerDetection>Off=0/On=1</EnableDeadPeerDetection> – Enables detection if the Peer stops responding to traffic. This sends a Vendor ID to the SonicWall appliance during IKE negotiation to enable Dead Peer Detection heartbeat traffic.

NOTE: NAT Traversal - There is a drop-down selection list containing the following three items:
Automatic - Detects if NAT Traversal is on or off.
Forced On - Forces NAT Traversal On.
Disabled - Forces NAT Traversal Off.

To specify Automatic in a custom default.rcf file, set ForceNATTraversal and DisableNATTraversal to 0, or do not list these tags at all.

<ForceNATTraversal>[Off=0]/On=1</ForceNATTraversal> – Forces NAT traversal even without a NAT device in the middle. Normally, NAT devices in the middle are detected automatically, and UDP encapsulation of IPSEC traffic starts after IKE negotiation is complete.

<DisableNATTraversal>[Off=0]/On=1</DisableNATTraversal> – Disables NAT traversal even without a NAT device in the middle. Normally, NAT devices in the middle are detected automatically, and UDP encapsulation of IPSEC traffic starts after IKE negotiation is complete.

<NextHop>IP Address</NextHop> – The IP Address of the next hop for this connection.

IMPORTANT: <NextHop> is ONLY used if there is a need to use a next hop that is different from the default gateway.

<Timeout>[3]</Timeout> – Defines the timeout value in seconds for packet retransmissions. The minimum <Timeout> value is 1 second, and the maximum value is 10 seconds.

<Retries>[3]</Retries> – Number of times to retry packet retransmissions before the connection is considered dead. The minimum <Retries> value is 1, and the maximum value is 10.

<UseDefaultGWAsPeerIP>[Off=0]/On=1</UseDefaultGWAsPeerIP> – Specifies that the PC’s Default Gateway IP Address is used as the Peer IP Address.

<WaitForSourceIP>Off=0/[On=1]</WaitForSourceIP> – Specifies that packets are to be sent when a local source IP address is available.

<DPDInterval>[[3]-30]</DPDInterval> – Specifies the duration of time (in seconds) to wait before declaring a peer as dead. The allowed values for the interval times are 3, 5, 10, 15, 20, 25 and 30 seconds.

<DPDAttempts>[3-[5]]</DPDAttempts> – Specifies the number of unsuccessful attempts to contact a peer before declaring it as dead. The allowed values are 3, 4, or 5 times.

<DPDAlwaysSend>[Off=0]/On=1</DPDAlwaysSend> – Instructs the Global VPN Client to send a DPD packet based on network traffic received from the peer.

</Peer> – For redundant gateways on this connection, repeat all the tags under <Peer>. There can be up to 5 redundant gateways for each connection.

</Connection> – Defines the end of each connection profile in the configuration file.

</Connections> – Defines the end of all connection profiles in the default.rcf file.

</SW_Client_Policy>

Sample default.rcf File

The following is an example of a default.rcf file. This file includes two VPN connections: Corporate Firewall and Overseas Office. The Corporate Firewall connection configuration includes two peer entries for redundant VPN connectivity.

CAUTION: If you attempt to directly copy this sample file to an ASCII text editor, you may have to remove all of the paragraph marks at the end of each line before saving it. Verify the file can be imported into the Global VPN Application before distributing it.

<?xml version="1.0" standalone="yes"?>
<SW_Client_Policy version="9.0">
  <Connections>
    <Connection name="Corporate Firewall">
      <Description>This is the corporate firewall. Call 1-800-fix-today for connection problems.</Description>
      <Flags>
        <AutoConnect>0</AutoConnect>
        <ForceIsakmp>1</ForceIsakmp>
        <ReEnableOnWake>0</ReEnableOnWake>
        <ReconnectOnError>1</ReconnectOnError>
        <ExecuteLogonScript>0</ExecuteLogonScript>
      </Flags>
      <Peer>
        <HostName>CorporateFW</HostName>
        <EnableDeadPeerDetection>1</EnableDeadPeerDetection>
        <ForceNATTraversal>0</ForceNATTraversal>
        <DisableNATTraversal>0</DisableNATTraversal>
        <NextHop>0.0.0.0</NextHop>
        <Timeout>3</Timeout>
        <Retries>3</Retries>
        <UseDefaultGWAsPeerIP>0</UseDefaultGWAsPeerIP>
        <InterfaceSelection>0</InterfaceSelection>
        <WaitForSourceIP>0</WaitForSourceIP>
        <DPDInterval>3</DPDInterval>
        <DPDAttempts>3</DPDAttempts>
        <DPDAlwaysSend>0</DPDAlwaysSend>
      </Peer>
      <Peer>
        <HostName>1.2.3.4</HostName>
        <EnableDeadPeerDetection>1</EnableDeadPeerDetection>
        <ForceNATTraversal>0</ForceNATTraversal>
        <DisableNATTraversal>0</DisableNATTraversal>
        <NextHop>0.0.0.0</NextHop>
        <Timeout>3</Timeout>
        <Retries>3</Retries>
        <UseDefaultGWAsPeerIP>0</UseDefaultGWAsPeerIP>
        <InterfaceSelection>0</InterfaceSelection>
        <WaitForSourceIP>0</WaitForSourceIP>
        <DPDInterval>3</DPDInterval>
        <DPDAttempts>3</DPDAttempts>
        <DPDAlwaysSend>0</DPDAlwaysSend>
      </Peer>
    </Connection>
    <Connection name="Overseas Gateway">
      <Description>This is the firewall to connect when traveling overseas.</Description>
      <Flags>
        <AutoConnect>0</AutoConnect>
        <ForceIsakmp>1</ForceIsakmp>
        <ReEnableOnWake>0</ReEnableOnWake>
        <ReconnectOnError>1</ReconnectOnError>
        <ExecuteLogonScript>0</ExecuteLogonScript>
      </Flags>
      <Peer>
        <HostName>&lt;Default Gateway&gt;</HostName>
        <EnableDeadPeerDetection>1</EnableDeadPeerDetection>
        <ForceNATTraversal>0</ForceNATTraversal>
        <DisableNATTraversal>0</DisableNATTraversal>
        <NextHop>0.0.0.0</NextHop>
        <Timeout>3</Timeout>
        <Retries>3</Retries>
        <UseDefaultGWAsPeerIP>1</UseDefaultGWAsPeerIP>
        <InterfaceSelection>0</InterfaceSelection>
        <WaitForSourceIP>0</WaitForSourceIP>
        <DPDInterval>3</DPDInterval>
        <DPDAttempts>3</DPDAttempts>
        <DPDAlwaysSend>0</DPDAlwaysSend>
      </Peer>
    </Connection>
  </Connections>
</SW_Client_Policy>

Troubleshooting the default.rcf File

 

Issue: If there are any incorrect entries or typos in your default.rcf file, the settings in the default.rcf file are not incorporated into the Global VPN Client, and no connection profiles appear in the Global VPN Client window. One of the following error messages appears:

"Failed to parse configuration <file>" appears in the Global VPN Client Log Viewer.
"Could not import the specified configuration file. The file appears to be corrupt" is displayed when attempting to import the file.

Solution: Ensure that the file does not contain any non-ASCII characters. The Connections.rcf file created by the default.rcf file must be deleted from the \ directory and the default.rcf file edited to correct the errors.

Issue: The default.rcf file cannot have an attribute of Read Only.

Solution: The Connections.rcf file created by the default.rcf file must be deleted from the \ directory and the default.rcf file Read Only attribute removed to correct the error.

Issue: The Peer Name, <Default Gateway>, displays the following error message when attempting to connect: Failed to convert the Peer name <Default Gateway> to an IP address.

Solution: When setting the Peer Name to the special case of <Default Gateway>, the tag for <UseDefaultGWAsPeerIP> must be set to 1. The Connections.rcf file created by the default.rcf file must be deleted from the \ directory.
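
The limits in the tag descriptions and the causes listed under troubleshooting can be checked before a default.rcf file is distributed. The following Python check is an added example, not SonicWall code; validate_rcf, ALLOWED and SAMPLE are hypothetical names, the sample file is constructed, and treating both NAT traversal flags set to 1 as an error is an assumption.

```python
import xml.etree.ElementTree as ET

# Allowed values, taken from the tag descriptions on this page.
ALLOWED = {"Timeout": range(1, 11), "Retries": range(1, 11),
           "DPDInterval": (3, 5, 10, 15, 20, 25, 30), "DPDAttempts": (3, 4, 5)}
MAX_PEERS, MAX_DESCRIPTION = 5, 1023

# Constructed sample with three deliberate mistakes (not a real deployment file).
SAMPLE = b"""<?xml version="1.0" standalone="yes"?>
<SW_Client_Policy version="9.0"><Connections>
<Connection name="Branch"><Description>Constructed example</Description>
<Peer><HostName>&lt;Default Gateway&gt;</HostName><Timeout>30</Timeout>
<DPDInterval>4</DPDInterval><UseDefaultGWAsPeerIP>0</UseDefaultGWAsPeerIP></Peer>
</Connection></Connections></SW_Client_Policy>"""

def validate_rcf(data: bytes) -> list:
    """Return the problems found in default.rcf content (empty list = clean)."""
    try:
        data.decode("ascii")  # troubleshooting: no non-ASCII characters
    except UnicodeDecodeError as exc:
        return [f"non-ASCII byte at offset {exc.start}"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "SW_Client_Policy":
        return [f"unexpected root element <{root.tag}>"]
    problems = []
    for conn in root.iter("Connection"):
        name = conn.get("name", "<unnamed>")
        if len(conn.findtext("Description", "")) > MAX_DESCRIPTION:
            problems.append(f"{name}: Description exceeds {MAX_DESCRIPTION} characters")
        peers = conn.findall("Peer")
        if len(peers) > MAX_PEERS:
            problems.append(f"{name}: {len(peers)} peers, maximum is {MAX_PEERS}")
        for i, peer in enumerate(peers, 1):
            get = lambda tag, default="": (peer.findtext(tag) or default).strip()
            for tag, allowed in ALLOWED.items():
                text = get(tag)
                if text and not (text.isdigit() and int(text) in allowed):
                    problems.append(f"{name} peer {i}: {tag}={text} not an allowed value")
            # Assumption: both NAT flags set to 1 is contradictory, so flag it.
            if get("ForceNATTraversal") == "1" and get("DisableNATTraversal") == "1":
                problems.append(f"{name} peer {i}: NAT traversal forced on and disabled")
            if get("HostName") == "<Default Gateway>" and get("UseDefaultGWAsPeerIP") != "1":
                problems.append(f"{name} peer {i}: <Default Gateway> needs UseDefaultGWAsPeerIP=1")
    return problems
```

Running validate_rcf(SAMPLE) reports the out-of-range Timeout, the unsupported DPDInterval and the <Default Gateway> peer without UseDefaultGWAsPeerIP; an empty list means the file passed every check implemented here.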