What VPN settings have been automated or simplified?
03/26/2020
DESCRIPTION: What VPN settings have been automated or simplified?
In 6.6.x and older firmware a single field defines the policy lifetime for both Phase 1 and Phase 2. The maximum policy lifetime on a SonicWall is 9,999,999 seconds (roughly 116 days) and the minimum is 120 seconds. Older manuals and documentation on SA lifetime may state 2,500,000 seconds as the maximum; that figure is incorrect. Note that the documented maximum is far longer than common practice: the longer an SA lives, the more traffic its keys protect, so shorter lifetimes are preferable where both peers support them.
SonicWall uses time-based policy lifetimes. Other Firewall/VPN vendors implement data-based SA lifetimes as well as time-based policy lifetimes.
The negotiated lifetime may differ from the configured value depending on what the remote peer gateway proposes. If the lifetime proposed by the remote peer is lower than the value set in the SonicWall policy, the SonicWall negotiates the tunnel with the lower of the two values.
IKE Identity is set automatically depending on the mode in 6.6.x and SonicOS Standard. SonicOS Enhanced firmware gives the user the option of setting the IKE Identity. Please refer to the next page for a full explanation of this topic.
SonicWall Firmware 6.6.x and SonicOS Standard have no configuration option for the Phase 2 ID type; it is automatically set to ‘subnet’. For interoperability, the peer VPN gateway must also be configured to use a subnet ID as its Phase 2 ID type, otherwise Phase 2 will fail on an ID mismatch.
Using "Apply NAT & Firewall rules" causes SonicWall security appliances running firmware 6.x to send the appliance's WAN IP address with a 32-bit subnet mask (a /32 host address) as its Phase 2 ID. The peer must then expect that /32 address, not the protected LAN subnet, as the SonicWall's Phase 2 ID.
As IKE Responder, a SonicWall accepts Diffie-Hellman groups 1, 2 and 5 (DH1, DH2 and DH5); this is critical to remember when setting up a tunnel with a third-party security appliance, since a peer that only offers other groups will never complete Phase 1. Of the three, DH5 (1536-bit MODP) should be chosen where the peer allows it: groups 1 (768-bit) and 2 (1024-bit) are too small to be considered safe today.
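The three rules above (a single time-based lifetime bounded to 120–9,999,999 seconds, the lower of the two proposed lifetimes winning, and only DH groups 1, 2 and 5 being accepted by the responder) are easiest to reason about as one responder-side selection routine. The following is an added illustration, not SonicOS code: the proposal format, the `select_proposal` helper and the two sample peers are assumptions constructed for the example, and it only models the outcome of negotiation, not the IKE message exchange itself.

```python
"""Model of an IKE responder applying the negotiation rules described on this page.

Added example; the real SonicOS negotiation code is not on the page and this is
an assumed, simplified model of its outcome.
"""

# Limits documented on this page for 6.6.x and older firmware.
MIN_LIFETIME_SECONDS = 120
MAX_LIFETIME_SECONDS = 9_999_999

# DH groups the page says the responder accepts (groups 1 and 2 are weak).
ACCEPTED_DH_GROUPS = {1, 2, 5}


class NegotiationFailed(Exception):
    """Raised when no proposal from the peer is acceptable (NO-PROPOSAL-CHOSEN)."""


def lifetime_in_range(seconds):
    """True when a policy lifetime lies within the documented bounds."""
    return MIN_LIFETIME_SECONDS <= seconds <= MAX_LIFETIME_SECONDS


def select_proposal(local_lifetime, peer_proposals):
    """Pick the first acceptable peer proposal and settle the SA lifetime.

    peer_proposals is a list of dicts in the peer's preference order with keys
    'dh_group', 'lifetime_seconds' and optionally 'lifetime_kb' (assumed format).
    Returns a dict describing the agreed SA, or raises NegotiationFailed.
    """
    if not lifetime_in_range(local_lifetime):
        raise ValueError(f"local policy lifetime {local_lifetime}s outside "
                         f"{MIN_LIFETIME_SECONDS}-{MAX_LIFETIME_SECONDS}s")
    rejected_groups = []
    for proposal in peer_proposals:
        group = proposal["dh_group"]
        if group not in ACCEPTED_DH_GROUPS:
            rejected_groups.append(group)
            continue
        # Time-based lifetime: the lower of the two sides wins.
        agreed_lifetime = min(local_lifetime, proposal["lifetime_seconds"])
        return {
            "dh_group": group,
            "lifetime_seconds": agreed_lifetime,
            # The page says lifetimes here are time-based only, so a data-based
            # (kilobyte) lifetime from the peer is recorded but not honoured.
            "peer_lifetime_kb_ignored": proposal.get("lifetime_kb"),
        }
    raise NegotiationFailed(f"NO-PROPOSAL-CHOSEN: peer offered DH groups "
                            f"{rejected_groups}, responder accepts "
                            f"{sorted(ACCEPTED_DH_GROUPS)}")


# Constructed sample peers for the example (not captured from real devices).
PEER_MODERN_ONLY = [{"dh_group": 14, "lifetime_seconds": 28800}]
PEER_WITH_FALLBACK = [
    {"dh_group": 14, "lifetime_seconds": 28800, "lifetime_kb": 4_608_000},
    {"dh_group": 5, "lifetime_seconds": 3600, "lifetime_kb": 4_608_000},
]


def run_sample(local_lifetime=28800):
    """Run one failing and one succeeding negotiation against the sample peers."""
    results = {}
    try:
        results["modern_only"] = select_proposal(local_lifetime, PEER_MODERN_ONLY)
    except NegotiationFailed as exc:
        results["modern_only"] = str(exc)
    results["with_fallback"] = select_proposal(local_lifetime, PEER_WITH_FALLBACK)
    return results


if __name__ == "__main__":
    for name, outcome in run_sample().items():
        print(name, "->", outcome)
```

The first sample peer offers only DH group 14 and fails outright; the second falls back to DH5 and, because it proposes a 3600-second lifetime against the responder's 28800, the SA comes up with 3600 seconds. When troubleshooting a third-party tunnel, compare the peer's proposal list against these three groups before looking anywhere else.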
SonicWalls support only ‘tunnel' mode and not ‘transport’ mode for site-to-site VPN connections - ‘tunnel’ mode is used for both ESP and for AH – although ‘transport’ mode is used for L2TP client connections.
Replay Detection is automatically on for all IPsec traffic that uses IKE. Each IPsec packet carries a Sequence Number that increases monotonically. The SonicWall keeps a counter for IPsec packets on each VPN tunnel and discards any packet whose sequence number it has already seen (IPsec implementations track this with a sliding window of recent sequence numbers, as described in RFC 4303, so a packet that falls behind the window is dropped as well). When a replayed packet is detected, the message "IPSEC Replay Detected" appears in the log. Even with Attacks checked under the ‘Alerts’ section of the log settings page, the SonicWall does nothing beyond discarding the packet and incrementing an error counter that can be used for debugging.
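The check described above is the standard ESP anti-replay window. Below is an added worked example of that window, not SonicWall's implementation: the class name, the 64-entry window size, the log format and the sample sequence numbers are all assumptions made for the illustration, and the sequence includes deliberate duplicates so the replay path is exercised.

```python
"""Sliding-window anti-replay check of the kind ESP uses (RFC 4303, Appendix A).

Added example; it models the behaviour described on this page and is not
SonicWall code. Window size, names and sample input are assumptions.
"""


class ReplayWindow:
    """Tracks which of the last `size` sequence numbers were accepted on one SA."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was accepted
        self.replays = 0    # duplicates seen: the "error counter" the page mentions
        self.too_old = 0    # packets that fell behind the window
        self.log = []       # constructed stand-in for the appliance log

    def check(self, seq):
        """Return True if `seq` is new and accepted, False if the packet is dropped."""
        if seq == 0:
            return self._drop(seq, "sequence number 0 is never valid")
        if seq > self.top:
            # Packet is ahead of the window: slide the window forward to it.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                       # everything older drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            self.too_old += 1
            return self._drop(seq, "behind the replay window")
        if self.bitmap & (1 << diff):
            self.replays += 1
            return self._drop(seq, "IPSEC Replay Detected")
        self.bitmap |= 1 << diff                      # late but never seen: accept
        return True

    def _drop(self, seq, reason):
        self.log.append(f"seq={seq}: {reason}")
        return False


# Constructed sample: reordering (5 before 4), two replays (3, 2), a jump past
# the window (70), then two packets that are now too old (5, 1).
SAMPLE_SEQUENCE = [1, 2, 3, 5, 4, 3, 2, 70, 5, 1]


def run_sample(window_size=64):
    """Feed the sample through one window and report what was accepted and dropped."""
    window = ReplayWindow(window_size)
    accepted = [seq for seq in SAMPLE_SEQUENCE if window.check(seq)]
    return accepted, window.replays, window.too_old, window.log


if __name__ == "__main__":
    accepted, replays, too_old, log = run_sample()
    print("accepted:", accepted)
    print("replays:", replays, "too old:", too_old)
    for line in log:
        print(line)
```

Two points matter in practice. First, the window is only updated after the packet's integrity check passes; updating it on unauthenticated packets would let an attacker advance the window with forged sequence numbers and cause legitimate traffic to be dropped. Second, the sequence number space is finite, which is one reason an SA must be rekeyed before it wraps, independent of the time-based lifetime discussed earlier.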
In firmware 220.127.116.11 and older, the mode (Aggressive or Main) is negotiated automatically by the SonicWall security appliance during VPN tunnel negotiation, depending on whether the peer gateway is explicitly specified or absent (Aggressive mode is used when it is absent).
In firmware 18.104.22.168 and newer, and in all versions of SonicOS Standard and SonicOS Enhanced, the administrator can explicitly set the mode (Aggressive or Main) for each policy. Prefer Main mode whenever both peers have static addresses: Aggressive mode with a pre-shared key sends the identity and authentication hash before the exchange is encrypted, which lets an observer attack the pre-shared key offline.