SonicWALL Internet Security Appliances Network Router User Manual


 
Page 212 SonicWALL Internet Security Appliance Administrator’s Guide
7. Define the length of time before an IKE Security Association automatically renegotiates in the
SA Life Time (secs) field. The SA Life Time can range from 120 to 2,500,000 seconds.
Tip: A short SA Life Time increases security by forcing the two VPN gateways to update the encryption
and authentication keys. However, every time the VPN tunnel renegotiates, users accessing remote
resources are disconnected. Therefore, the default SA Life Time of 28,800 seconds (8 hours) is
recommended.
8. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu.
9. Select Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) from the Phase 2
Encryption/Authentication menu. Enter an alphanumeric “secret” in the Shared Secret field. The Shared
Secret must match the corresponding field in the remote SonicWALL. This field can range from
4 to 128 characters in length and is case sensitive.
10. Click Add New Network... to define the destination network addresses. Clicking Add New
Network... updates the VPN configuration and opens the VPN Destination Network window.
11. Enter the IP address of the remote network in the Network field. This address is a private
address if the remote LAN has enabled NAT.
12. Enter the subnet mask of the remote network in the Subnet mask field.
13. Click Update to add the remote network and close the VPN Destination Network window. Once
the SonicWALL has been updated, a message confirming the update is displayed at the bottom
of the browser window.
14. Click Advanced Settings and select the boxes that apply to your SA:
Enable Keep Alive - if you want to maintain the current connection by listening for traffic on the
network segment between the two connections.
Enable Windows Networking (NetBIOS) broadcast - if remote clients use Windows Network
Neighborhood to browse remote networks.
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in
Standard mode.
Forward packets to remote VPNs - if creating a “hub and spoke” network configuration.
Enable Perfect Forward Secrecy - if you want to add another layer of security by adding an
additional Diffie-Hellman key exchange.
Phase 2 DH Group - select the level of Phase 2 DH key exchange if Perfect Forward Secrecy is
enabled.
Default LAN Gateway - if specifying the IP address of the default LAN route for incoming IPSec
packets for this SA. This is used in conjunction with the Route all internet traffic through this SA
check box.
VPN Terminated at LAN, DMZ, or LAN/DMZ - select one of the three terminating points for the
VPN tunnel.
15. Click OK to close the Advanced Settings window. Click Update to apply the changes to the
SonicWALL.
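
A pre-deployment check for the settings entered in steps 7 to 14, as an added example that is not part of the SonicWALL guide: it validates each gateway's values against the ranges stated above and then compares the two ends of the tunnel. Assumptions: the dictionary keys, the "Group 2" value and the 20-character policy minimum are hypothetical, and the rule that both ends must agree on Phase 1, Phase 2 and PFS settings is general IKE behaviour rather than something this page states.

```python
import ipaddress

SA_LIFETIME_RANGE = (120, 2_500_000)  # seconds, step 7
SECRET_LEN_RANGE = (4, 128)           # characters, step 9
MIN_SECRET_POLICY = 20                # assumption: local policy floor, not from the manual

def check_sa(sa):
    """Return the problems found in one gateway's SA settings (a dict)."""
    problems = []
    if not SA_LIFETIME_RANGE[0] <= sa["sa_lifetime"] <= SA_LIFETIME_RANGE[1]:
        problems.append("SA Life Time outside 120-2,500,000 seconds")
    n = len(sa["shared_secret"])
    if not SECRET_LEN_RANGE[0] <= n <= SECRET_LEN_RANGE[1]:
        problems.append("Shared Secret length outside 4-128 characters")
    elif n < MIN_SECRET_POLICY:
        problems.append("Shared Secret shorter than local policy minimum")
    try:
        # strict=True rejects an address with host bits set for the given mask
        ipaddress.ip_network(f"{sa['dest_network']}/{sa['dest_mask']}", strict=True)
    except ValueError:
        problems.append("destination network/subnet mask invalid")
    if sa["pfs"] and not sa.get("phase2_dh_group"):
        problems.append("Perfect Forward Secrecy enabled without a Phase 2 DH Group")
    return problems

def check_pair(a, b):
    """Check both gateways, then the settings that must agree between them."""
    problems = [f"A: {p}" for p in check_sa(a)] + [f"B: {p}" for p in check_sa(b)]
    if a["shared_secret"] != b["shared_secret"]:  # comparison is case sensitive
        problems.append("Shared Secret mismatch")
    for key in ("phase1", "phase2", "pfs", "phase2_dh_group"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} mismatch")
    return problems

# Constructed sample settings for two gateways (not taken from any real device)
SITE_A = {"sa_lifetime": 28800, "shared_secret": "Constructed-Sample-Secret-01",
          "phase1": "3DES & SHA1", "phase2": "ESP 3DES HMAC SHA1",
          "dest_network": "192.168.2.0", "dest_mask": "255.255.255.0",
          "pfs": True, "phase2_dh_group": "Group 2"}
SITE_B = dict(SITE_A, shared_secret="constructed-sample-secret-01",
              dest_network="192.168.1.10", phase2_dh_group=None)

if __name__ == "__main__":
    for problem in check_pair(SITE_A, SITE_B):
        print(problem)
```

The messages name the failing field but never echo the Shared Secret itself, so the output is safe to paste into a change ticket.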