SonicWALL Internet Security Appliances Network Router User Manual
SonicWALL VPN Page 189
Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via
the corporate office.
Route all internet traffic through this SA
Selecting this box allows a network administrator to force all WAN-destined traffic to go through a
VPN tunnel to a central site. Outgoing packets are checked against the remote network definitions
of all Security Associations (SAs). If a match is detected, the packet is routed to the matching
destination. If no match is detected, the SonicWALL checks for the presence of an SA with this
option enabled. If such an SA is found, the packet is sent using that SA. If no SA has this option
enabled, and the destination does not match any other SA, the packet goes unencrypted to the
WAN.
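The three-step decision just described, modelled as an added Python illustration (not SonicWALL code); the SA names, networks and destination addresses are constructed sample values, and the audit helper shows which destinations would leave the appliance unencrypted when no SA has the check box set.

```python
"""Outbound SA selection for the 'Route all internet traffic through this
SA' check box.  Added illustration, not SonicWALL code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SecurityAssociation:
    name: str
    remote_networks: List[IPv4Network] = field(default_factory=list)
    route_all_traffic: bool = False  # the check box described above


def select_sa(dst: str, sas: List[SecurityAssociation]) -> Optional[str]:
    """Return the name of the SA a WAN-bound packet is sent through, or
    None when it leaves the SonicWALL unencrypted."""
    addr = ip_address(dst)
    # Step 1: compare the destination with every SA's remote networks.
    for sa in sas:
        if any(addr in net for net in sa.remote_networks):
            return sa.name
    # Step 2: no match, so look for an SA with "Route all" enabled.
    for sa in sas:
        if sa.route_all_traffic:
            return sa.name
    # Step 3: no such SA either: the packet goes unencrypted to the WAN.
    return None


def cleartext_destinations(dsts: List[str],
                           sas: List[SecurityAssociation]) -> List[str]:
    """Audit helper: destinations that would bypass every tunnel."""
    return [d for d in dsts if select_sa(d, sas) is None]


# Constructed sample configuration for a remote site (hypothetical values).
BRANCH_SA = SecurityAssociation("branch-b", [ip_network("10.2.0.0/16")])
CORP_NET = [ip_network("10.0.0.0/16")]
SAS_ROUTE_ALL = [BRANCH_SA,
                 SecurityAssociation("corp-hq", CORP_NET, route_all_traffic=True)]
SAS_PLAIN = [BRANCH_SA, SecurityAssociation("corp-hq", CORP_NET)]

if __name__ == "__main__":
    for d in ("10.2.7.9", "10.0.1.1", "203.0.113.5"):
        print(d, "->", select_sa(d, SAS_ROUTE_ALL) or "unencrypted to WAN")
    # Same policy with the check box cleared: internet traffic leaks out.
    print("cleartext:", cleartext_destinations(["203.0.113.5"], SAS_PLAIN))
```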
Enable Perfect Forward Secrecy
The Enable Perfect Forward Secrecy check box increases the renegotiation time of the VPN tunnel.
With Perfect Forward Secrecy enabled, an attacker who recovers one encryption key by brute force
cannot use it to obtain other or future IPSec keys. During the phase 2 renegotiation between two
SonicWALL appliances or a Group VPN SA, an additional Diffie-Hellman key exchange is performed.
Enable Perfect Forward Secrecy adds incremental security between gateways.
Phase 2 DH Group
If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a
key agreement protocol) to be used during phase 2 of the authentication process to establish pre-
shared keys. Groups 1, 2, and 5 use modular exponentiation with different prime lengths as listed
below:

Group Descriptor    Prime Size (bits)
1                   768
2                   1024
5                   1536

If network connection speed is an issue, select Group 1. If network security is an issue, select Group
5. To compromise between speed and security, select Group 2.
Default LAN Gateway
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all
internet traffic through this SA check box. The Default LAN Gateway field allows the network
administrator to specify the IP address of the default LAN route for incoming IPSec packets for this
SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured in the
SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough
static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up