"Enable IKE Mode Configuration" option for GroupVPN Policies
07/27/2020
This KB article describes the "Enable IKE Mode Configuration" option available under the Global VPN Client advanced settings.
It allows SonicOS to assign an internal IP address, DNS server, or WINS server to third-party clients such as iOS devices or Avaya IP phones.
IKE Mode Configuration allows IPSec VPN endpoints to negotiate and exchange parameter settings (such as IP address, network mask, DNS servers, etc.) during SA setup through the IKE protocol. It is useful when an IPSec client needs an internal (private) IP address assigned by the IPSec VPN gateway in order to access the internal network behind the gateway.
Enabling the option lets the SonicWall firewall reply to an IPSec client that requests these additional parameters through IKE Mode Configuration after Phase 1 and before Phase 2.
SonicOS will provide the following configuration information to IPSec clients through IKE Mode Configuration:
- IP Address
- Expiry time for the allocated IP address
- DNS Server
- WINS Server
- Network mask (always a 24-bit mask, 255.255.255.0)
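The attributes listed above travel in an ISAKMP Attribute payload. The following Python decoder is an added example, not SonicWall code: it parses a decrypted payload (for instance, bytes copied from a client debug log) and checks the reply against the client IP pool and the 24-bit mask described here. Attribute numbers follow the IKEv1 Mode Config draft; the function names, the `pool` argument and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Attribute numbers as assigned in the IKEv1 Mode Config draft (NBNS is the WINS server).
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
         4: "INTERNAL_IP4_NBNS", 5: "INTERNAL_ADDRESS_EXPIRY"}
CFG_REPLY = 2

def parse_attribute_payload(buf):
    """Decode a decrypted ISAKMP Attribute payload into (cfg_type, {name: [values]})."""
    if len(buf) < 8 or struct.unpack("!H", buf[2:4])[0] != len(buf):
        raise ValueError("bad payload header or length field")
    cfg_type, length, attrs, pos = buf[4], len(buf), {}, 8
    while pos < length:
        if length - pos < 4:
            raise ValueError("truncated attribute header")
        atype, lv = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if atype & 0x8000:                 # AF=1: short form, lv is the value itself
            value = struct.pack("!H", lv)
        else:                              # AF=0: lv is the length of the value that follows
            if lv > length - pos:
                raise ValueError("attribute value overruns the payload")
            value, pos = buf[pos:pos + lv], pos + lv
        name = ATTRS.get(atype & 0x7FFF, "UNKNOWN_%d" % (atype & 0x7FFF))
        if name == "INTERNAL_ADDRESS_EXPIRY" and len(value) == 4:
            value = struct.unpack("!I", value)[0]      # lifetime in seconds
        elif name.startswith("INTERNAL_IP4") and len(value) == 4:
            value = ipaddress.IPv4Address(value)
        attrs.setdefault(name, []).append(value)
    return cfg_type, attrs

def audit_reply(cfg_type, attrs, pool):
    """Compare a reply with the administrator's client pool; return a list of findings."""
    findings = [] if cfg_type == CFG_REPLY else ["not a CFG_REPLY"]
    net = ipaddress.IPv4Network(pool)
    findings += ["address %s outside pool %s" % (ip, pool)
                 for ip in attrs.get("INTERNAL_IP4_ADDRESS", [])
                 if not (isinstance(ip, ipaddress.IPv4Address) and ip in net)]
    findings += ["netmask %s is not the 24-bit mask" % m
                 for m in attrs.get("INTERNAL_IP4_NETMASK", []) if str(m) != "255.255.255.0"]
    return findings

# Constructed sample (not a capture): address, mask, DNS, WINS and expiry in one reply.
_body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in [
    (1, bytes([10, 10, 10, 25])), (2, bytes([255, 255, 255, 0])),
    (3, bytes([10, 10, 10, 2])), (4, bytes([10, 10, 10, 3])), (5, struct.pack("!I", 28800))])
SAMPLE_REPLY = struct.pack("!BBHBBH", 0, 0, 8 + len(_body), CFG_REPLY, 0, 1) + _body
```

Calling `audit_reply(*parse_attribute_payload(SAMPLE_REPLY), "10.10.10.0/24")` returns an empty list when the assigned address and mask match what was configured.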
IKE Mode Configuration can be set up using the following:
- Under Advanced Tab of GroupVPN policy
- Under the VPN | Advanced Page
- Click "Configure" on "DNS and WINS Server Settings for VPN Client" to specify DNS and WINS Servers
EXAMPLE: Third-party client IPSec VPN configuration (iPad)
- Launch Settings from your Home screen.
- Click General.
- Select VPN and click Add VPN Configuration.
- Under Type select IPSec.
- Enter the VPN Settings Information.
- Click Done.
- Toggle the Status switch on. IPSec VPN shows Connected with an address from the range used under IP Pool for Clients on the SonicWall.
TIP: For an example related to third-party client configuration (Avaya IP Phones), please see: How To Configure WAN GroupVPN For Avaya Phones.