"Enable IKE Mode Configuration" option for GroupVPN Policies

07/27/2020 28 16509

DESCRIPTION:

This KB article describes the feature the option "Enable IKE Mode Configuration" available under Global VPN Client advanced settings.
It allows SonicOS to assign internal IP address, DNS Server, or WINS Server to third-party clients such as iOS devices or Avaya IP phones.

IKE Mode Configuration is to allow IPSec VPN end-points to negotiate and exchange parameter settings (like IP Address, Network Mask, DNS Servers, etc) during SA setup through IKE protocol, it is useful for IPSec Client need to have an internal (private) IP address assigned from the IPSec VPN Gateway, to access the internal network behind the Gateway.
 
This enables the SonicWall firewall to reply to IPSec Client that may request the additional parameters for the IKE Mode Configuration after Phase1 and before Phase2.
SonicOS will provide the following configuration information to IPSec Clients though IKE Mode Configuration:

1. IP Address
2. Expiry time for the allocated IP address
3. DNS Server
4. WINS Server
5. Network mask (always be 24 bit mask - 255.255.255.0)

RESOLUTION:

The configuration of IKE Mode is possible using the following:

1. Under Advanced Tab of GroupVPN policy
   • Select IKE Mode Configuration and use a Custom Address Object as IP pool, for allocation of IP address for client thought the IKE Mode Configuration. For each IPSec client, one IP address will be assigned.
   • Adjust the Address Expiry Time(seconds) value if needed
     
     
     
   • VPN- Clients _ DHCP_POOL is the address object used with Zone as VPN and Type as range, the range used here in the example is not being used anywhere else on private network. 
     
     

     NOTE: Please use the Zone as VPN for the address object, we can use both Network or Range as Type.
      

2. Under the VPN | Advanced Page
   • Click "Configure" on "DNS and WINS Server Settings for VPN Client" to specify DNS and WINS Servers

EXAMPLE: Third-part client IPSec VPN configuration (iPad)

• Launch Settings from your Home screen.
• Click General.
• Select VPN and click Add VPN Configuration.
• Under Type select IPSec.
• Enter the VPN Settings Information.
  
  
  
  
• Click Done.
• Toggle the Status switch on. IPSec VPN shows Connected with address from the range used under IP Pool for Clients on SonicWall.
  
  
  

TIP: For an example related to third-part client configuration (Avaya IP Phones), please follow:How To Configure WAN GroupVPN For Avaya Phones.