How can I configure Advanced VPN settings?

09/28/2022 · 201 people found this article helpful · 214,026 views


    Description

    The SonicWall VPN Advanced page contains optional settings that affect every VPN policy on the appliance, so they should be understood before they are changed. This article lists the options and explains when each one is needed.

    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features compared with SonicOS 6.5 and earlier firmware. The resolution below is for customers running SonicOS 7.X firmware.

    1. Navigate to the Network Tab.

    2. Click IPSec VPN | Advanced Settings Page.

    Image

    The page lists options, most of which are simply enabled or disabled. They affect all VPNs configured on the SonicWall. The available options are:

    1. Enable IKE Dead Peer Detection: Select this if you want inactive VPN tunnels to be dropped by the SonicWall.

      • Dead Peer Detection Interval - Enter the number of seconds between “heartbeats”. The default value is 60 seconds.
      • Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. When the trigger level is reached, the VPN connection is dropped by the Dell SonicWall security appliance. The appliance uses a UDP packet protected by Phase 1 encryption as the heartbeat.
      • Enable Dead Peer Detection for Idle VPN Sessions - Select this if you want idle VPN connections to be dropped by the SonicWall security appliance after the time defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).

    2. Enable Fragmented Packet Handling: Select this feature if the VPN log shows the message “Fragmented IPSec packet dropped”. Do not select it until the VPN tunnel is established and in operation.

      • Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications explicitly set the “Don’t Fragment” option in a packet, which tells all security appliances not to fragment it. When enabled, this option causes the SonicWall to ignore the DF bit and fragment the packet regardless.

    3. Enable NAT Traversal: Select this setting if a NAT device sits between your VPN endpoints. IPSec VPNs protect traffic exchanged between authenticated endpoints, and those endpoints cannot be dynamically re-mapped mid-session, so the NAT binding must be kept alive for NAT traversal to work. To preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP packet designated as the “NAT Traversal keepalive” is sent as a “heartbeat” by the VPN device behind the NAT or NAPT device. The IPSec peer silently discards the keepalive.

    4. Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address: Tears down the SAs associated with the old IP address and reconnects to the peer gateway.

    5. Preserve IKE Port for Pass-Through Connections: Preserves the UDP 500/4500 source port and IP address information of pass-through VPN connections.

    6. Enable OCSP Checking and OCSP Responder URL: Enables the Online Certificate Status Protocol (OCSP) for checking VPN certificate status and specifies the URL at which to check it.

    7. Send VPN Tunnel Traps only when tunnel status changes: Reduces the number of VPN tunnel traps by sending them only when the tunnel status changes.

    8. Send IKEv2 Cookie Notify: Sends cookies to IKEv2 peers as an authentication tool.

    9. Use RADIUS in : When RADIUS is used to authenticate VPN client users, it is used in MSCHAP (or MSCHAPv2) mode. The primary reason to choose this is so that VPN client users can use the MSCHAP feature to change expired passwords at login time. Also, if this is set and LDAP is selected as the authentication method for login on the Users | Settings page, but LDAP is not configured in a way that allows password updates, then password updates for VPN client users are done using MSCHAP-mode RADIUS after LDAP has authenticated the user. (Note: LDAP can only perform password updates when using Active Directory with TLS and binding to it with an administrative account, or when using Novell eDirectory.)

    10. DNS and WINS Server Settings for VPN Client: Configure the DNS and WINS server settings for clients (such as third-party VPN clients) connecting through GroupVPN or the Mobile IKEv2 client.

      • Inherit DNS Settings Dynamically using SonicWall’s DNS Settings - Automatically populates the DNS and WINS settings with those on the Network | DNS page. This option is selected by default.
      • Specify Manually - If you do not want to use the SonicWall security appliance’s network settings, select this option and type the IP address of your DNS server in the DNS Server 1 field. You can specify two additional DNS servers.

    11. IKEv2 Dynamic Client Proposal: SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support, which allows the Internet Key Exchange (IKE) attributes to be configured rather than using the default settings. Clicking the Configure button opens the Configure IKEv2 Dynamic Client Proposal window. Previously only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm and the SHA1 authentication method. SonicOS now allows the following IKE Proposal settings:

      • DH Group: 1, 2, 5, or 14
      • Encryption: DES, 3DES, AES-128, AES-192, AES-256
      • Authentication: MD5, SHA1

    However, if a VPN policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, these IKE Proposal settings cannot be configured on an individual policy basis. The VPN policy on the remote gateway must also be configured with the same settings.
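    As an added illustration of item 11 and the matching-settings note above (example code written for this article, not SonicWall's), the following Python checker assesses a proposal built from the listed choices and reports where two gateways' proposals differ; the strength figures and the weak-value thresholds are its own assumptions.

```python
"""Assess an IKEv2 Dynamic Client Proposal built from the article's choices.

Constructed example, not SonicWall code. The option lists (DH groups 1/2/5/14,
DES/3DES/AES-128/192/256, MD5/SHA1) and the pre-4.0 default (DH 2, 3DES, SHA1)
come from the article; the bit-strength figures and the "weak" thresholds are
assumptions of this checker.
"""
from dataclasses import dataclass, fields

# MODP group sizes in bits (RFC 2409 / RFC 3526); groups below 2048 bits are
# treated as weak here.
DH_GROUPS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
# Approximate effective key strength in bits; below 128 is flagged.
ENCRYPTION = {"DES": 56, "3DES": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}
AUTHENTICATION = ("MD5", "SHA1")


@dataclass(frozen=True)
class IkeProposal:
    dh_group: int
    encryption: str
    authentication: str


# The fixed proposal the article says was the only one supported before 4.0.
LEGACY_DEFAULT = IkeProposal(dh_group=2, encryption="3DES", authentication="SHA1")


def assess(p: IkeProposal):
    """Return a list of (severity, message); an empty list means no concerns.

    "error" marks a value the dialog does not offer at all; "warn" marks a
    value the dialog offers but a hardened deployment should avoid.
    """
    findings = []
    if p.dh_group not in DH_GROUPS:
        findings.append(("error", f"DH group {p.dh_group} is not offered"))
    elif DH_GROUPS[p.dh_group] < 2048:
        findings.append(("warn", f"DH group {p.dh_group} is a {DH_GROUPS[p.dh_group]}-bit "
                                 f"MODP group; use group 14"))
    if p.encryption not in ENCRYPTION:
        findings.append(("error", f"encryption {p.encryption!r} is not offered"))
    elif ENCRYPTION[p.encryption] < 128:
        findings.append(("warn", f"{p.encryption} gives about {ENCRYPTION[p.encryption]}-bit "
                                 f"security; use AES-128 or stronger"))
    if p.authentication not in AUTHENTICATION:
        findings.append(("error", f"authentication {p.authentication!r} is not offered"))
    elif p.authentication == "MD5":
        findings.append(("warn", "MD5 is deprecated; use SHA1"))
    return findings


def is_hardened(p: IkeProposal) -> bool:
    """True when the proposal uses only offered values and raises no warnings."""
    return not assess(p)


def mismatches(local: IkeProposal, remote: IkeProposal):
    """Attribute names on which two gateways' proposals differ.

    The article requires the remote gateway to use the same settings, so any
    non-empty result is a configuration error to fix before troubleshooting.
    """
    return [f.name for f in fields(IkeProposal)
            if getattr(local, f.name) != getattr(remote, f.name)]


if __name__ == "__main__":
    strong = IkeProposal(14, "AES-256", "SHA1")
    for severity, message in assess(LEGACY_DEFAULT):
        print(severity, message)
    print("hardened:", is_hardened(strong))
    print("mismatches:", mismatches(strong, LEGACY_DEFAULT))
```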

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features compared with SonicOS 6.2 and earlier firmware. The resolution below is for customers running SonicOS 6.5 firmware.

    1. Navigate to the Manage tab.

    2. Click VPN | Advanced Settings page.

    Image

    The page lists options, most of which are simply enabled or disabled. They affect all VPNs configured on the SonicWall. The available options are:

    1. Enable IKE Dead Peer Detection: Select this if you want inactive VPN tunnels to be dropped by the SonicWall.

      • Dead Peer Detection Interval - Enter the number of seconds between “heartbeats”. The default value is 60 seconds.
      • Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. When the trigger level is reached, the VPN connection is dropped by the Dell SonicWall security appliance. The appliance uses a UDP packet protected by Phase 1 encryption as the heartbeat.
      • Enable Dead Peer Detection for Idle VPN Sessions - Select this if you want idle VPN connections to be dropped by the SonicWall security appliance after the time defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).

    2. Enable Fragmented Packet Handling: Select this feature if the VPN log shows the message “Fragmented IPSec packet dropped”. Do not select it until the VPN tunnel is established and in operation.

      • Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications explicitly set the “Don’t Fragment” option in a packet, which tells all security appliances not to fragment it. When enabled, this option causes the SonicWall to ignore the DF bit and fragment the packet regardless.

    3. Enable NAT Traversal: Select this setting if a NAT device sits between your VPN endpoints. IPSec VPNs protect traffic exchanged between authenticated endpoints, and those endpoints cannot be dynamically re-mapped mid-session, so the NAT binding must be kept alive for NAT traversal to work. To preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP packet designated as the “NAT Traversal keepalive” is sent as a “heartbeat” by the VPN device behind the NAT or NAPT device. The IPSec peer silently discards the keepalive.

    4. Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address: Tears down the SAs associated with the old IP address and reconnects to the peer gateway.

    5. Preserve IKE Port for Pass-Through Connections: Preserves the UDP 500/4500 source port and IP address information of pass-through VPN connections.

    6. Enable OCSP Checking and OCSP Responder URL: Enables the Online Certificate Status Protocol (OCSP) for checking VPN certificate status and specifies the URL at which to check it.

    7. Send VPN Tunnel Traps only when tunnel status changes: Reduces the number of VPN tunnel traps by sending them only when the tunnel status changes.

    8. Send IKEv2 Cookie Notify: Sends cookies to IKEv2 peers as an authentication tool.

    9. Use RADIUS in : When RADIUS is used to authenticate VPN client users, it is used in MSCHAP (or MSCHAPv2) mode. The primary reason to choose this is so that VPN client users can use the MSCHAP feature to change expired passwords at login time. Also, if this is set and LDAP is selected as the authentication method for login on the Users | Settings page, but LDAP is not configured in a way that allows password updates, then password updates for VPN client users are done using MSCHAP-mode RADIUS after LDAP has authenticated the user. (Note: LDAP can only perform password updates when using Active Directory with TLS and binding to it with an administrative account, or when using Novell eDirectory.)

    10. DNS and WINS Server Settings for VPN Client: Configure the DNS and WINS server settings for clients (such as third-party VPN clients) connecting through GroupVPN or the Mobile IKEv2 client.

      • Inherit DNS Settings Dynamically using SonicWall’s DNS Settings - Automatically populates the DNS and WINS settings with those on the Network | DNS page. This option is selected by default.
      • Specify Manually - If you do not want to use the SonicWall security appliance’s network settings, select this option and type the IP address of your DNS server in the DNS Server 1 field. You can specify two additional DNS servers.

    11. IKEv2 Dynamic Client Proposal: SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support, which allows the Internet Key Exchange (IKE) attributes to be configured rather than using the default settings. Clicking the Configure button opens the Configure IKEv2 Dynamic Client Proposal window. Previously only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm and the SHA1 authentication method. SonicOS now allows the following IKE Proposal settings:

      • DH Group: 1, 2, 5, or 14
      • Encryption: DES, 3DES, AES-128, AES-192, AES-256
      • Authentication: MD5, SHA1

    However, if a VPN policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, these IKE Proposal settings cannot be configured on an individual policy basis. The VPN policy on the remote gateway must also be configured with the same settings.
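    To make the Dead Peer Detection timing in item 1 concrete, here is an added Python simulation (written for this article, not SonicWall code) of the interval, failure trigger level and idle-session timeout; the one-probe-per-interval model it uses is an assumption, not a description of SonicOS internals.

```python
"""Model the timing of SonicOS-style IKE Dead Peer Detection (DPD).

Constructed example, not SonicWall code. It simulates the three Advanced
Settings knobs the article lists (DPD interval, failure trigger level and the
idle-session timeout) to show when a tunnel is torn down. The probe/reply
model (one probe per interval; an unanswered probe counts as one missed
heartbeat) is an assumption of this simulation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DpdConfig:
    interval: int = 60        # Dead Peer Detection Interval, seconds (article default)
    trigger_level: int = 3    # Failure Trigger Level, missed heartbeats (article default)
    idle_dpd: bool = False    # Enable Dead Peer Detection for Idle VPN Sessions
    idle_timeout: int = 600   # DPD Interval for Idle VPN Sessions, seconds (article default)


def simulate(cfg: DpdConfig, peer_replies_until: int, data_until: int,
             horizon: int = 3600):
    """Run the tunnel second by second and return (drop_time, reason).

    peer_replies_until: last second at which the peer still answers a probe
    (it is unreachable afterwards).
    data_until: last second at which user traffic crosses the tunnel.
    reason is "dead-peer", "idle", or "up" (with drop_time None) if the
    tunnel survives until the horizon.
    """
    missed = 0
    last_reply = 0     # time of the most recent DPD reply
    last_data = 0      # time of the most recent user traffic
    prev_probe = None  # time the previous probe went out
    for now in range(horizon + 1):
        if now <= data_until:
            last_data = now
        # Idle-session DPD: no traffic for idle_timeout seconds drops the
        # tunnel even though the peer is still answering heartbeats.
        if cfg.idle_dpd and now - last_data >= cfg.idle_timeout:
            return now, "idle"
        if now % cfg.interval == 0:
            if prev_probe is not None:
                # Was the previous probe answered before this one went out?
                if last_reply >= prev_probe:
                    missed = 0
                else:
                    missed += 1
                if missed >= cfg.trigger_level:
                    return now, "dead-peer"
            prev_probe = now
            if now <= peer_replies_until:
                last_reply = now   # a live peer answers within the interval
    return None, "up"


def detection_window(cfg: DpdConfig):
    """(min, max) seconds between a peer going silent and the tunnel drop.

    The peer may go silent just before a probe (best case) or just after
    answering one (worst case), so the delay spans one extra interval.
    """
    return cfg.interval * cfg.trigger_level, cfg.interval * (cfg.trigger_level + 1)


if __name__ == "__main__":
    default = DpdConfig()
    print(simulate(default, peer_replies_until=100, data_until=10**6))
    print(simulate(DpdConfig(idle_dpd=True), peer_replies_until=10**6, data_until=0))
    print(detection_window(default))
```

With the article's defaults a silent peer is dropped between 180 and 240 seconds after its last reply, and an idle tunnel is dropped at 600 seconds only when idle-session DPD is enabled.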

    Resolution for SonicOS 6.2 and Below

    The resolution below is for customers running SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

    On navigating to the VPN | Advanced page, a list of options is available, most of which are simply enabled or disabled.

    Image

    These options affect all VPNs configured on the SonicWall. The available options are:

    1. Enable IKE Dead Peer Detection: Select this if you want inactive VPN tunnels to be dropped by the SonicWall.

      • Dead Peer Detection Interval - Enter the number of seconds between “heartbeats”. The default value is 60 seconds.
      • Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. When the trigger level is reached, the VPN connection is dropped by the Dell SonicWall security appliance. The appliance uses a UDP packet protected by Phase 1 encryption as the heartbeat.
      • Enable Dead Peer Detection for Idle VPN Sessions - Select this if you want idle VPN connections to be dropped by the SonicWall security appliance after the time defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).

    2. Enable Fragmented Packet Handling: Select this feature if the VPN log shows the message “Fragmented IPSec packet dropped”. Do not select it until the VPN tunnel is established and in operation.

      • Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications explicitly set the “Don’t Fragment” option in a packet, which tells all security appliances not to fragment it. When enabled, this option causes the SonicWall to ignore the DF bit and fragment the packet regardless.

    3. Enable NAT Traversal: Select this setting if a NAT device sits between your VPN endpoints. IPSec VPNs protect traffic exchanged between authenticated endpoints, and those endpoints cannot be dynamically re-mapped mid-session, so the NAT binding must be kept alive for NAT traversal to work. To preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP packet designated as the “NAT Traversal keepalive” is sent as a “heartbeat” by the VPN device behind the NAT or NAPT device. The IPSec peer silently discards the keepalive.

    4. Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address: Tears down the SAs associated with the old IP address and reconnects to the peer gateway.

    5. Preserve IKE Port for Pass-Through Connections: Preserves the UDP 500/4500 source port and IP address information of pass-through VPN connections.

    6. Enable OCSP Checking and OCSP Responder URL: Enables the Online Certificate Status Protocol (OCSP) for checking VPN certificate status and specifies the URL at which to check it.

    7. Send VPN Tunnel Traps only when tunnel status changes: Reduces the number of VPN tunnel traps by sending them only when the tunnel status changes.

    8. Send IKEv2 Cookie Notify: Sends cookies to IKEv2 peers as an authentication tool.

    9. Use RADIUS in : When RADIUS is used to authenticate VPN client users, it is used in MSCHAP (or MSCHAPv2) mode. The primary reason to choose this is so that VPN client users can use the MSCHAP feature to change expired passwords at login time. Also, if this is set and LDAP is selected as the authentication method for login on the Users | Settings page, but LDAP is not configured in a way that allows password updates, then password updates for VPN client users are done using MSCHAP-mode RADIUS after LDAP has authenticated the user. (Note: LDAP can only perform password updates when using Active Directory with TLS and binding to it with an administrative account, or when using Novell eDirectory.)

    10. DNS and WINS Server Settings for VPN Client: Configure the DNS and WINS server settings for clients (such as third-party VPN clients) connecting through GroupVPN or the Mobile IKEv2 client.

      • Inherit DNS Settings Dynamically using SonicWall’s DNS Settings - Automatically populates the DNS and WINS settings with those on the Network | DNS page. This option is selected by default.
      • Specify Manually - If you do not want to use the SonicWall security appliance’s network settings, select this option and type the IP address of your DNS server in the DNS Server 1 field. You can specify two additional DNS servers.

    11. IKEv2 Dynamic Client Proposal: SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support, which allows the Internet Key Exchange (IKE) attributes to be configured rather than using the default settings. Clicking the Configure button opens the Configure IKEv2 Dynamic Client Proposal window. Previously only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm and the SHA1 authentication method. SonicOS now allows the following IKE Proposal settings:

      • DH Group: 1, 2, 5, or 14
      • Encryption: DES, 3DES, AES-128, AES-192, AES-256
      • Authentication: MD5, SHA1

    However, if a VPN policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, these IKE Proposal settings cannot be configured on an individual policy basis. The VPN policy on the remote gateway must also be configured with the same settings.

    Categories

    • Firewalls > TZ Series > VPN
    • Firewalls > NSa Series > VPN
    • Firewalls > NSv Series > VPN