SonicWALL Internet Security Appliances Network Router User Manual


 
Page 194 SonicWALL Internet Security Appliance Administrator’s Guide
8. Create and enter a Shared Secret in the Shared Secret field or use the Shared Secret
automatically generated by the SonicWALL. The Shared Secret should consist of a combination
of letters and numbers rather than the name of a family member, pet, etc. It is also case-
sensitive.
9. Click Advanced Settings to open the window. Select any of the following boxes that apply to your
SA:
Require authentication of VPN clients via XAUTH - requires VPN client authentication via a
RADIUS server.
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in
Standard mode.
Forward packets to remote VPNs - if creating a “hub and spoke” network.
Enable Perfect Forward Secrecy - if adding an additional layer of security using a second Diffie-
Hellman key exchange.
Phase 2 DH Group - generates a additional key exchange.
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to
specify the IP address of the default LAN route for incoming IPSec packets for this SA.
Tip It is not necessary to configure the Advanced Settings to get the VPN connection working
between the SonicWALL and the VPN client. You can configure the Advanced Settings later, and
then re-import the SA into the VPN Client.
10. Click Update to enable the changes.
To export the Group VPN settings to remote VPN clients, click on Export next to VPN Client
Configuration File. The security file can be saved to a floppy disk or e-mailed to a remote VPN client.
The Shared Secret, however, is not exported, and must be entered manually by the remote VPN
client. Also, the SA must be enabled to export the configuration file.
Alert You must use the Group VPN Security Association even if you have only one VPN client to
deploy, and you want to use IKE using Pre-shared Secret for your SA. The Group VPN Security
Association defaults to the Simple Configuration previously available in firmware version 5.1.1.