• SonicOS and SonicOSX 7 IPSec VPN
• IPSec VPN Overview
  • About Virtual Private Networks
  • VPN Types
    • IPsec VPN
    • DHCP over VPN
    • L2TP with IPsec
    • SSL VPN
  • VPN Security
    • About IKEv1
    • About IKEv2
    • Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
    • About IPsec (Phase 2) Proposal
    • About Suite B Cryptography
  • VPN Base Settings and Displays
    • Policies
    • Active Tunnels
    • Settings
  • IPv6 VPN Configuration
• Site to Site VPNs
  • Planning Site to Site Configurations
  • General VPN Configuration
    • Configuring Settings on the General Tab
    • Configuring Settings on the Network Tab
    • Configuring Settings on the Proposals Tab
    • Configuring Settings on the Advanced Tab
  • Managing GroupVPN Policies
    • Configuring IKE Using a Preshared Secret Key
    • Configuring IKE Using 3rd Party Certificates
    • Downloading a GroupVPN Client Policy
  • Creating Site to Site VPN Policies
    • Configuring with a Preshared Secret Key
    • Configuring with a Manual Key
    • Configuring with a Third-Party Certificate
    • Configuring the Remote SonicWall Network Security Appliance
    • Configuring VPN Failover to a Static Route
• VPN Auto Provisioning
  • About VPN Auto Provisioning
    • Defining VPN Auto Provisioning
    • Benefits of VPN Auto Provisioning
    • How VPN Auto Provisioning Works
      • About Establishing the IKE Phase 1 Security Association
      • About Establishing IKE Phase 2 using a Provisioned Policy
  • Configuring a VPN AP Server
    • Starting the VPN AP Server Configuration
    • Configuring VPN AP Server Settings on General
    • Configuring VPN AP Server Settings on Network
    • Configuring Advanced Settings on Proposals
    • Configuring Advanced Settings on Advanced
  • Configuring a VPN AP Client
• Rules and Settings
  • Adding a Tunnel Interface
    • Creating a Static Route for the Tunnel Interface
  • Route Entries for Different Network Segments
  • Redundant Static Routes for a Network
• Advanced
  • Configuring Advanced VPN Settings
  • Configuring IKEv2 Settings
  • Using OCSP with SonicWall Network Security Appliances
    • OpenCA OCSP Responder
    • Loading Certificates to Use with OCSP
    • Using OCSP with VPN Policies
• DHCP over VPN
  • DHCP Relay Mode
  • Configuring the Central Gateway for DHCP Over VPN
  • Configuring DHCP over VPN Remote Gateway
  • Current DHCP over VPN Leases
• L2TP Servers and VPN Client Access
  • Configuring the L2TP Server
  • Viewing Currently Active L2TP Sessions
  • Configuring Microsoft Windows L2TP VPN Client Access
  • Configuring Google Android L2TP VPN Client Access
• AWS VPN
  • Overview
  • Creating a New VPN Connection
  • Reviewing the VPN Connection
    • Configuration on the Firewall
    • Configuration on Amazon Web Services
  • Route Propagation
  • AWS Regions
  • Deleting VPN Connections
• SonicWall Support
  • About This Document

Configuring Advanced VPN Settings

Advanced VPN Settings globally affect all VPN policies. This section also provides solutions for Online Certificate Status Protocol (OCSP). OCSP allows you to check VPN certificate status without Certificate Revocation Lists (CRLs). This allows timely updates regarding the status of the certificates used on your firewall.

• Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the firewall.
  • Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds.
  • Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the firewall. The firewall uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
  • Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want idle VPN connections to be dropped by the firewall after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).
• Enable Fragmented Packet Handling - If the VPN log report shows the log message Fragmented IPsec packet dropped, select this feature. Do not select it until the VPN tunnel is established and in operation.
  • Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications can explicitly set the ‘Don’t Fragment’ option in a packet, which tells all security appliances to not fragment the packet. This option, when enabled, causes the firewall to ignore the option and fragment the packet regardless.
• Enable NAT Traversal - Select this setting if a NAT device is located between your VPN endpoints. IPsec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a dynamic NAT binding for the life of an IPsec session, a 1-byte UDP is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The “keepalive” is silently discarded by the IPsec peer.
• Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address - Breaks down SAs associated with old IP addresses and reconnects to the peer gateway.
• Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status. See Using OCSP with SonicWall Network Security Appliances.
• Send VPN Tunnel Traps only when tunnel status changes - Reduces the number of VPN tunnel traps that are sent by only sending traps when the tunnel status changes.
  • Use RADIUS in - The primary reason for choosing this option is so that VPN client users can make use of the MSCHAP feature to allow them to change expired passwords at login time. When using RADUIS to authenticate VPN client users, select whether RADIUS is used in one of these modes:
    • MSCHAP

    • MSCHAPv2 mode for XAUTH (allows users to change expired passwords)

    Also, if this is set and LDAP is selected as the Authentication method for login on the DEVICE | Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for VPN client users are done using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

    Password updates can only be done by LDAP when using either:

    • Active Directory with TLS and binding to it using an administrative account
      
    • Novell eDirectory.

• DNS and WINS Server Settings for VPN Client – To configure DNS and WINS server settings for Client, such as a third-party VPN Client through GroupVPN, or a Mobile IKEv2 Client, click Configure. The Add VPN DNS And WINS Server dialog displays.

  

  • DNS Servers – Select whether to specify the DNS servers dynamically or manually:

    • Inherit DNS Settings Dynamically from the SonicWall’s DNS settings – The SonicWall appliance obtains the DNS server IP addresses automatically.

    • Specify Manually – Enter up to three DNS server IP addresses in the DNS Server 1/3 fields.

  • WINS Servers – Enter up to two WINS server IP address in the WINS Server 1/2 fields.