How can I configure Advanced VPN settings?

12/20/2019 153 24822

DESCRIPTION:

SonicWall VPN Advanced Page includes optional settings that affect all VPN Policies and hence, an understanding of the same is required before they are configured. This article lists the options and the requirement of these options.

RESOLUTION:

1. Navigate to  Manage tab.
2. Click VPN | Advanced Settings page.
   

A list of options are available that can be mainly enabled or disabled. These are options that have impact on all the VPNs that are configured on the SonicWall. The options that are available are:

1. Enable IKE Dead Peer Detection : Select if you want inactive VPN tunnels to be dropped by the  SonicWall.
   
   
   • Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds.
   • Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the Dell SonicWall security appliance. The  SonicWall security appliance uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
   • Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want idle VPN connections to be dropped by the SonicWall security appliance after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).
2. Enable Fragmented Packet Handling : If the VPN log report shows the log message “Fragmented IPSec packet dropped”, select this feature. Do not select it until the VPN tunnel is established and in operation.
   
   
   • Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications can explicitly set the ‘Don’t Fragment’ option in a packet, which tells all security appliances to not fragment the packet. This option, when enabled, causes the SonicWall to ignore the option and fragment the packet regardless.
3. Enable NAT Traversal : Select this setting if a NAT device is located between your VPN endpoints. IPSec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The “keepalive” is silently discarded by the IPSec peer.
   
   
4. Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address : Breaks down SAs associated with old IP addresses and reconnects to the peer gateway.
   
   
5. Preserve IKE Port for Pass-Through Connections : Preserves UDP 500/4500 source port and IP address information for pass-through VPN connections.
   
   
6. Enable OCSP Checking and OCSP Responder URL : Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status.
   
   
7. Send VPN Tunnel Traps only when tunnel status changes : Reduces the number of VPN tunnel traps that are sent by only sending traps when the tunnel status changes.
   
   
8. Send IKEv2 Cookie Notify : Sends cookies to IKEv2 peers as an authentication tool.
   
   
9. Use RADIUS in : When using RADIUS to authenticate VPN client users, RADIUS will be used in its MSCHAP (or MSCHAPv2) mode. The primary reason for choosing to do this would be so that VPN client users can make use of the MSCHAP feature to allow them to change expired passwords at login time. Also if this is set and LDAP is selected as the Authentication method for login on the Users | Settings page, but LDAP is not configured in a way that will allow password updates, then password updates for VPN client users will be done using MSCHAP-mode RADIUS after using LDAP to authenticate the user (Note: Password updates can only be done by LDAP when using Active Directory with TLS and binding to it using an administrative account, or when using Novell eDirectory).
   
   
10. DNS and WINS Server Settings for VPN Client:  Configure the DNS and WINS server settings for clients (such as third-party VPN clients) through GroupVPN or Mobile IKEv2 client.
    
    
    • Inherit DNS Settings Dynamically using  SonicWall’s DNS Settings automatically populates the DNS and WINS settings with the settings in the Network | DNS page. This option is selected by default.
    • If you do not want to use the  SonicWall security appliance network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
11. IKEv2 Dynamic Client Proposal : SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Clicking the Configure button launches the Configure IKEv2 Dynamic Client Proposal window. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method. SonicOS now allows the following IKE Proposal settings

• DH Group: 1, 2, 5, or 14
• Encryption: DES, 3DES, AES-128, AES-192, AES-256
• Authentication: MD5, SHA1

However, if a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis. The VPN policy on the remote gateway must also be configured with the same settings.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

On Navigating to the VPN | Advanced Page, a list of options are available that can be mainly enabled or disabled.

These are options that have impact on all the VPNs that are configured on the SonicWall. The options that are available are:

1. Enable IKE Dead Peer Detection : Select if you want inactive VPN tunnels to be dropped by the  SonicWall.
   
   
   • Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds.
   • Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the Dell SonicWall security appliance. The  SonicWall security appliance uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
   • Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want idle VPN connections to be dropped by the SonicWall security appliance after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).
2. Enable Fragmented Packet Handling : If the VPN log report shows the log message “Fragmented IPSec packet dropped”, select this feature. Do not select it until the VPN tunnel is established and in operation.
   
   
   • Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications can explicitly set the ‘Don’t Fragment’ option in a packet, which tells all security appliances to not fragment the packet. This option, when enabled, causes the SonicWall to ignore the option and fragment the packet regardless.
3. Enable NAT Traversal : Select this setting if a NAT device is located between your VPN endpoints. IPSec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The “keepalive” is silently discarded by the IPSec peer.
   
   
4. Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address : Breaks down SAs associated with old IP addresses and reconnects to the peer gateway.
   
   
5. Preserve IKE Port for Pass-Through Connections : Preserves UDP 500/4500 source port and IP address information for pass-through VPN connections.
   
   
6. Enable OCSP Checking and OCSP Responder URL : Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status.
   
   
7. Send VPN Tunnel Traps only when tunnel status changes : Reduces the number of VPN tunnel traps that are sent by only sending traps when the tunnel status changes.
   
   
8. Send IKEv2 Cookie Notify : Sends cookies to IKEv2 peers as an authentication tool.
   
   
9. Use RADIUS in : When using RADIUS to authenticate VPN client users, RADIUS will be used in its MSCHAP (or MSCHAPv2) mode. The primary reason for choosing to do this would be so that VPN client users can make use of the MSCHAP feature to allow them to change expired passwords at login time. Also if this is set and LDAP is selected as the Authentication method for login on the Users | Settings page, but LDAP is not configured in a way that will allow password updates, then password updates for VPN client users will be done using MSCHAP-mode RADIUS after using LDAP to authenticate the user (Note: Password updates can only be done by LDAP when using Active Directory with TLS and binding to it using an administrative account, or when using Novell eDirectory).
   
   
10. DNS and WINS Server Settings for VPN Client:  Configure the DNS and WINS server settings for clients (such as third-party VPN clients) through GroupVPN or Mobile IKEv2 client.
    
    
    • Inherit DNS Settings Dynamically using  SonicWall’s DNS Settings automatically populates the DNS and WINS settings with the settings in the Network | DNS page. This option is selected by default.
    • If you do not want to use the  SonicWall security appliance network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
11. IKEv2 Dynamic Client Proposal : SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Clicking the Configure button launches the Configure IKEv2 Dynamic Client Proposal window. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method. SonicOS now allows the following IKE Proposal settings

• DH Group: 1, 2, 5, or 14
• Encryption: DES, 3DES, AES-128, AES-192, AES-256
• Authentication: MD5, SHA1

However, if a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis. The VPN policy on the remote gateway must also be configured with the same settings.