• SonicOS and SonicOSX 7 IPSec VPN
• IPSec VPN Overview
  • About Virtual Private Networks
  • VPN Types
    • IPsec VPN
    • DHCP over VPN
    • L2TP with IPsec
    • SSL VPN
  • VPN Security
    • About IKEv1
    • About IKEv2
    • Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
    • About IPsec (Phase 2) Proposal
    • About Suite B Cryptography
  • VPN Base Settings and Displays
    • Policies
    • Active Tunnels
    • Settings
  • IPv6 VPN Configuration
• Site to Site VPNs
  • Planning Site to Site Configurations
  • General VPN Configuration
    • Configuring Settings on the General Tab
    • Configuring Settings on the Network Tab
    • Configuring Settings on the Proposals Tab
    • Configuring Settings on the Advanced Tab
  • Managing GroupVPN Policies
    • Configuring IKE Using a Preshared Secret Key
    • Configuring IKE Using 3rd Party Certificates
    • Downloading a GroupVPN Client Policy
  • Creating Site to Site VPN Policies
    • Configuring with a Preshared Secret Key
    • Configuring with a Manual Key
    • Configuring with a Third-Party Certificate
    • Configuring the Remote SonicWall Network Security Appliance
    • Configuring VPN Failover to a Static Route
• VPN Auto Provisioning
  • About VPN Auto Provisioning
    • Defining VPN Auto Provisioning
    • Benefits of VPN Auto Provisioning
    • How VPN Auto Provisioning Works
      • About Establishing the IKE Phase 1 Security Association
      • About Establishing IKE Phase 2 using a Provisioned Policy
  • Configuring a VPN AP Server
    • Starting the VPN AP Server Configuration
    • Configuring VPN AP Server Settings on General
    • Configuring VPN AP Server Settings on Network
    • Configuring Advanced Settings on Proposals
    • Configuring Advanced Settings on Advanced
  • Configuring a VPN AP Client
• Rules and Settings
  • Adding a Tunnel Interface
    • Creating a Static Route for the Tunnel Interface
  • Route Entries for Different Network Segments
  • Redundant Static Routes for a Network
• Advanced
  • Configuring Advanced VPN Settings
  • Configuring IKEv2 Settings
  • Using OCSP with SonicWall Network Security Appliances
    • OpenCA OCSP Responder
    • Loading Certificates to Use with OCSP
    • Using OCSP with VPN Policies
• DHCP over VPN
  • DHCP Relay Mode
  • Configuring the Central Gateway for DHCP Over VPN
  • Configuring DHCP over VPN Remote Gateway
  • Current DHCP over VPN Leases
• L2TP Servers and VPN Client Access
  • Configuring the L2TP Server
  • Viewing Currently Active L2TP Sessions
  • Configuring Microsoft Windows L2TP VPN Client Access
  • Configuring Google Android L2TP VPN Client Access
• AWS VPN
  • Overview
  • Creating a New VPN Connection
  • Reviewing the VPN Connection
    • Configuration on the Firewall
    • Configuration on Amazon Web Services
  • Route Propagation
  • AWS Regions
  • Deleting VPN Connections
• SonicWall Support
  • About This Document

Configuring with a Third-Party Certificate

You must have a valid certificate from a third-party certificate authority installed on your SonicWall firewall before you can configure your VPN policy using a third-party IKE certificate.

With SonicWall firewalls, you can opt to use third-party certificates for authentication instead of the SonicWall Authentication Service. Using certificates from a third-party provider or using local certificates is a more manual process; therefore, experience with implementing Public Key Infrastructure (PKI) is necessary to understand the key components of digital certificates.

SonicWall supports the following two certificate providers:

• VeriSign
• Entrust

To create a VPN SA using IKE and third-party certificates

1. Navigate to NETWORK | IPSec VPN > Rules and Settings.
2. Click +Add to create a new policy or click the Edit icon if you are updating an existing policy.

3. In the Authentication Method field, select IKE using 3rd Party Certificates. The VPN Policy window displays the third-party certificate options in the IKE Authentication section.

   

4. Type a name for the Security Association in the Name field.

5. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWall in the IPsec Primary Gateway Name or Address field.

6. If you have a secondary remote SonicWall, enter the IP address or Fully Qualified Domain Name (FQDN) in the IPsec Secondary Gateway Name or Address field.

7. Under IKE Authentication, select a third-party certificate from the Local Certificate list. You must have imported local certificates before selecting this option.

8. For Local IKE ID Type, the default is Default ID from Certificate. Or, choose one of the following:

   • Distinguished Name (DN)
   • Email ID (UserFQDN)
   • Domain Name (FQDN)
   • IP Address (IPV4)

   These alternate selections are the same as those for Peer IKE ID Type, described in the next step.

9. From the Peer IKE ID Type drop-down menu, select one of the following Peer ID types:

   Peer IKE ID Type Option	Definition
   Default ID from Certificate	Authentication is taken from the default ID on the certificate.
   Distinguished Name (DN)	Authentication is based on the certificate’s Subject Distinguished Name field, which is contained in all certificates by default. The entire Distinguished Name field must be entered for site to site VPNs. Wild card characters are not supported. The format of any Subject Distinguished Name is determined by the issuing Certificate Authority. Common fields are Country (C=), Organization (O=), Organizational Unit (OU=), Common Name (CN=), Locality (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWall, Inc./OU=TechPubs/CN=Joe Pub.
   Email ID (UserFQDN)	Authentication based on the Email ID (UserFQDN) types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate contains a Subject Alternative Name, that value must be used. For site to site VPNs, wild card characters cannot be used. The full value of the Email ID must be entered. This is because site to site VPNs are expected to connect to a single peer, whereas Group VPNs expect to connect to multiple peers.
   Domain Name (FQDN)	Authentication based on the Domain Name (FQDN) types are based on the certificate's Subject Alternative Name field, which is not contained in all certificates by default. If the certificate contains a Subject Alternative Name, that value must be used. For site to site VPNs, wild card characters cannot be used. The full value of the Domain Name must be entered because site to site VPNs are expected to connect to a single peer, whereas Group VPNs expect to connect to multiple peers.
   IP Address (IPV4)	Based on the IPv4 IP address.

   To find the certificate details (Subject Alternative Name, Distinguished Name, and so on), navigate to the DEVICE | Settings > Certificates page.

10. Type an ID string in the Peer IKE ID field.

11. Click Network.

    

12. Under Local Networks, select one of these options:

    • Select a local network from the Choose local network from list drop-down menu if a specific local network can access the VPN tunnel.
    • Select Any Address if traffic can originate from any local network. Use this option if a peer has Use this VPN tunnel as default route for all Internet traffic selected. Auto-added rules are created between Trusted Zones and the VPN Zone.

13. Under Remote Networks, select one of these options:

    • Select Use this VPN Tunnel as default route for all Internet traffic if traffic from any local user cannot leave the firewall unless it is encrypted.

      You can only configure one SA to use this setting.

    • Alternatively, select Choose Destination network from list, and select the address object or group from the drop-down menu.
    • Select Use IKEv2 IP Pool if you want to support IKEv2 Config payload, and select the address object or IP Pool Network from the drop-down menu.

14. Click Proposals.

    

15. In the IKE (Phase 1) Proposal section, select the following settings:

    Main Mode	Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
    Aggressive Mode	Generally used when WAN addressing is dynamically assigned. Uses IKEv1 Phase 1 proposals with IPsec Phase 2 proposals. Suite B cryptography options are available for the DH Group in IKE Phase 1 settings, and for Encryption in the IPsec Phase 2 settings.
    IKEv2 Mode	Causes all negotiation to happen through IKEv2 protocols, rather than using IKEv1 phases. If you select IKE v2 Mode, both ends of the VPN tunnel must use IKE v2. When selected, the DH Group, Encryption, and Authentication fields are dimmed and cannot be defined.

16. Under IKE (Phase 1) Proposal, set the values for the remaining options. The default values for DH Group, Encryption, Authentication, and Life Time are acceptable for most VPN configurations.

    If IKEv2 Mode is selected for the Exchange field, the DH Group, Encryption, and Authentication fields are dimmed and no selection can be made for those options.

    Be sure the Phase 1 values on the opposite side of the tunnel are configured to match.

    1. For the DH Group, when in Main Mode or Aggressive Mode, you can select from several Diffie-Hellman exchanges:

       Diffie-Hellman Groups Included in Suite B Cryptography	Other Diffie-Hellman Options
       256-bit Random ECP Group	Group 1
       384-bit Random ECP Group	Group 2
       521-bit Random ECP Group	Group 5
       192-bit Random ECP Group	Group 14
       224-bit Random ECP Group

    2. For the Encryption field, if Main Mode or Aggressive Mode was selected, choose DES, 3DES, AES-128 (default), AES-192, or AES-256 from the drop-down menu.

    3. For the Authentication field, if Main Mode or Aggressive Mode was selected, choose MD5, SHA-1 (default), SHA256, SHA384, or SHA512 for enhanced authentication security.

17. For all Exchange modes, enter a value for Life Time (seconds). The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

18. Set the options in the IPsec (Phase 2) Proposal section. The default values for Protocol, Encryption, Authentication, Enable Perfect Forward Secrecy, and Life Time (seconds) are acceptable for most VPN SA configurations.

    Be sure the Phase 2 values on the opposite side of the tunnel are configured to match.

    1. Select the desired protocol for Protocol.

       If you selected ESP in the Protocol field, then in the Encryption field you can select from six encryption algorithms that are included in Suite B cryptography:

       Suite B Cryptography Options	Other Options
       AESGCM16-128	DES
       AESGCM16-192	3DES
       AESGCM16-256	AES-128
       AESGMAC-128	AES-192
       AESGMAC-192	AES-256
       AESGMAC-256	None

       If you selected AH in the Protocol field, the Encryption field is dimmed and you cannot select any options.

    2. For Authentication, select the desired authentication method: MD5, SHA1 (default), SHA256, SHA384, SHA512, AES-XCBC, or None.

    3. Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security and select Group 2 from the DH Group menu.

    4. Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

19. Click Advanced.

    

20. Select any configuration options you want to apply to your VPN policy:

    Advanced Settings

    Options	Main Mode or Aggressive Mode	IKEv2 Mode
    Enable Keep Alive	Select to use heartbeat messages between peers on this VPN tunnel if one end of the tunnel fails, using a keep-alive heartbeat allows automatic renegotiation of the tunnel after both sides are available again without having to wait for the proposed Life Time to expire. The Keep Alive option is disabled when the VPN policy is configured as a central gateway for DHCP over VPN or with a primary gateway name or address 0.0.0.0.	Cannot be selected for IKEv2 mode.
    Suppress automatic Access Rules creation for VPN Policy	When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information.	When not selected (default), accompanying Access Rules are created automatically. See VPN Auto-Added Access Rule Control for more information.
    Disable IPsec Anti-Replay	Anti-replay is a form of partial sequence integrity and it detects arrival of duplicate IP datagrams (within a constrained window).	Anti-replay is a form of partial sequence integrity and it detects arrival of duplicate IP datagrams (within a constrained window).
    Require authentication of VPN clients by XAUTH	Requires that all inbound traffic on this VPN policy is from a user authenticated by XAUTH/RADIUS. Unauthenticated traffic is not allowed on the VPN tunnel.	Not available in IKEv2 Mode.
    Enable Windows Networking (NetBIOS) Broadcast	Select to allow access to remote network resources by browsing the Windows Network Neighborhood.	Select to allow access to remote network resources by browsing the Windows Network Neighborhood.
    Enable Multicast	Select to allow multicasting traffic, such as streaming audio (including VoIP) and video application, to pass through the VPN tunnel.	Select to allow multicasting traffic, such as streaming audio (including VoIP) and video application, to pass through the VPN tunnel.
    WXA Group	Select None (default) or Group One.	Select None (default) or Group One.
    Display Suite B Compliant Algorithms Only	Select if you want to show only the Suite B compliant algorithms.	Select if you want to show only the Suite B compliant algorithms.
    Apply NAT Policies	Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus. Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.	Select if you want the firewall to translate traffic going over the Local network, Remote network, or both networks that are communicating through the VPN tunnel. When selected, choose a Translated Local Network or a Translated Remote Network or one of each from the two drop-down menus. Generally, if NAT is required on a tunnel, either Local or Remote should be translated, but not both. Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets.
    Enable OCSP Checking	Select if you want to check VPN certificate status and provide the OCSP Responder URL in the field provided.	Select if you want to check VPN certificate status and provide the OCSP Responder URL in the field provided.
    Management via this SA	Select HTTPS, SSH, SNMP or any combination of these three to manage the local SonicWall firewall through the VPN tunnel.	Select HTTPS, SSH, SNMP or any combination of these three to manage the local SonicWall firewall through the VPN tunnel.
    User login via this SA	Select HTTP, HTTPS, or both to allow users to log in using the SA. HTTP user login is not allowed with remote authentication.	Select HTTP, HTTPS, or both to allow users to log in using the SA. HTTP user login is not allowed with remote authentication.
    Default LAN Gateway (optional)	If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network view of this page, under Remote Networks) enter the router address.	If you want to route traffic that is destined for an unknown subnet through a LAN before entering this tunnel, select this option. For example, if you selected Use this VPN Tunnel as a default route for all Internet traffic (on the Network view of this page, under Remote Networks) enter the router address.
    VPN Policy bound to	Select an interface or zone from the drop-down menu. Zone WAN is the preferred setting if you are using WAN load balancing and you want the VPN to use either WAN interface. Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.	Select an interface or zone from the drop-down menu. Zone WAN is the preferred setting if you are using WAN load balancing and you want the VPN to use either WAN interface. Two different WAN interfaces cannot be selected from the drop-down menu if the VPN Gateway IP address is the same for both.
    Preempt Secondary Gateway	To preempt a second gateway after a specified time, select this checkbox and configure the desired time in the Primary Gateway Detection Interval (seconds) option. The default time is 28800 seconds, or 8 hours.	To preempt a second gateway after a specified time, select this checkbox and configure the desired time in the Primary Gateway Detection Interval (seconds) option. The default time is 28800 seconds, or 8 hours.
    IKEv2 Settings
    Do not send trigger packet during IKE SA negotiation	Not available in Main or Aggressive modes.	Is not selected (default). Should only be selected when required for interoperability if the peer cannot handle trigger packets. The recommended practice is to include trigger packets to help the IKEv2 Responder select the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it might be appropriate to disable the inclusion of trigger packets to some IKE peers.
    Accept Hash & URL Certificate Type	Not available in Main or Aggressive modes.	Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, sends a message to the peer device saying that HTTP certification look-up is supported.
    Send Hash & URL Certificate Type	Not available in Main or Aggressive modes.	Select if your devices can send and process hash and certificate URLs instead of the certificate itself. If selected, responds to the message from the peer device and confirms HTTP certification look-up is supported.

21. Click OK.

22. Click Accept on the NETWORK | IPSec VPN > Rules and Settings page to update the VPN Policies.