"Enable IKE Mode Configuration" option for GroupVPN Policies
07/27/2020
This KB article describes the "Enable IKE Mode Configuration" option, available under the Global VPN Client advanced settings. It allows SonicOS to assign an internal IP address, DNS server, or WINS server to third-party clients such as iOS devices or Avaya IP phones.
IKE Mode Configuration allows IPSec VPN endpoints to negotiate and exchange parameter settings (such as IP address, network mask, DNS servers, etc.) during SA setup through the IKE protocol. It is useful when an IPSec client needs an internal (private) IP address assigned by the IPSec VPN gateway in order to access the internal network behind the gateway.
This enables the SonicWall firewall to reply to an IPSec client that may request additional parameters through IKE Mode Configuration after Phase 1 and before Phase 2. SonicOS will provide the following configuration information to IPSec clients through IKE Mode Configuration:
Expiry time for the allocated IP address
Network mask (always a 24-bit mask - 255.255.255.0)
IKE Mode Configuration can be set up as follows:
Under the Advanced tab of the GroupVPN policy
Select IKE Mode Configuration and use a custom Address Object as the IP pool from which client IP addresses are allocated through IKE Mode Configuration. One IP address is assigned to each IPSec client.
Adjust the Address Expiry Time (seconds) value if needed
VPN- Clients _ DHCP_POOL is the address object used here, with Zone set to VPN and Type set to Range. The range used in this example is not used anywhere else on the private network.
NOTE: Set the Zone of the address object to VPN. The Type can be either Network or Range.
Under the VPN | Advanced Page
Click "Configure" on "DNS and WINS Server Settings for VPN Client" to specify DNS and WINS Servers
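A pre-deployment check for the IP pool address object described above, as an added example that is not part of the SonicWall article: it confirms the pool does not collide with subnets already in use, holds one address per expected client, and lists the /24 each client will treat as local given the fixed 255.255.255.0 mask. The subnets, pool values and function names are constructed for illustration, and treating a Network-type object as its usable host addresses is an assumption.

```python
import ipaddress


def pool_addresses(spec):
    """Expand a Range ("a-b") or Network ("a/len") address object into addresses."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
        if lo > hi:
            raise ValueError("range start is above range end")
        return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    # Assumption: a Network-type pool hands out its usable host addresses.
    return list(ipaddress.IPv4Network(spec, strict=True).hosts())


def check_pool(spec, networks_in_use, expected_clients):
    """Validate a planned IKE Mode Configuration pool before creating the object."""
    addrs = pool_addresses(spec)
    used = [ipaddress.IPv4Network(n) for n in networks_in_use]
    # The pool must not be used anywhere else on the private network.
    overlaps = sorted({str(n) for a in addrs for n in used if a in n})
    # Clients always receive 255.255.255.0, so each one treats the /24
    # around its assigned address as directly reachable.
    client_24s = sorted(
        {str(ipaddress.IPv4Network((int(a) & 0xFFFFFF00, 24))) for a in addrs}
    )
    return {
        "capacity": len(addrs),  # one address per IPSec client
        "enough_for_clients": len(addrs) >= expected_clients,
        "overlaps": overlaps,
        "client_24s": client_24s,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    in_use = ["192.168.168.0/24", "10.0.0.0/24"]
    for pool, clients in [
        ("10.10.50.10-10.10.50.59", 40),           # clean, dedicated range
        ("192.168.168.200-192.168.169.10", 100),   # collides with the LAN
    ]:
        print(pool, check_pool(pool, in_use, clients))
```

A non-empty `overlaps` list means the range is already used on the private network and a different pool should be chosen before the address object is created.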