- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
"Enable IKE Mode Configuration" option for GroupVPN Policies
07/27/2020 
30 People found this article helpful
102,712 Views
Description
This KB article describes the feature the option "Enable IKE Mode Configuration" available under Global VPN Client advanced settings.
It allows SonicOS to assign internal IP address, DNS Server, or WINS Server to third-party clients such as iOS devices or Avaya IP phones.
IKE Mode Configuration is to allow IPSec VPN end-points to negotiate and exchange parameter settings (like IP Address, Network Mask, DNS Servers, etc) during SA setup through IKE protocol, it is useful for IPSec Client need to have an internal (private) IP address assigned from the IPSec VPN Gateway, to access the internal network behind the Gateway.
This enables the SonicWall firewall to reply to IPSec Client that may request the additional parameters for the IKE Mode Configuration after Phase1 and before Phase2.
SonicOS will provide the following configuration information to IPSec Clients though IKE Mode Configuration:
- IP Address
- Expiry time for the allocated IP address
- DNS Server
- WINS Server
- Network mask (always be 24 bit mask - 255.255.255.0)
Resolution
The configuration of IKE Mode is possible using the following:
- Under Advanced Tab of GroupVPN policy
- Select IKE Mode Configuration and use a Custom Address Object as IP pool, for allocation of IP address for client thought the IKE Mode Configuration. For each IPSec client, one IP address will be assigned.
- Adjust the Address Expiry Time(seconds) value if needed
- VPN- Clients _ DHCP_POOL is the address object used with Zone as VPN and Type as range, the range used here in the example is not being used anywhere else on private network.
NOTE: Please use the Zone as VPN for the address object, we can use both Network or Range as Type.
- Under the VPN | Advanced Page
- Click "Configure" on "DNS and WINS Server Settings for VPN Client" to specify DNS and WINS Servers
EXAMPLE: Third-part client IPSec VPN configuration (iPad)
- Launch Settings from your Home screen.
- Click General.
- Select VPN and click Add VPN Configuration.
- Under Type select IPSec.
- Enter the VPN Settings Information.
- Click Done.
- Toggle the Status switch on. IPSec VPN shows Connected with address from the range used under IP Pool for Clients on SonicWall.
TIP: For an example related to third-part client configuration (Avaya IP Phones), please follow:How To Configure WAN GroupVPN For Avaya Phones.
Related Articles
- Parserror on Event logs.
- Switch from the Policy mode to classic mode on Gen 7 appliances
- Analyzing TCP reset(RST)packets
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO