Revision of SonicWALL VPN from November 28, 2010 - 7:03am


Introduction

SonicWALL is a manufacturer of firewalls, VPN concentrators, SSLVPN devices, and the like. The following was created on my NSA 3500 running SonicOS Enhanced 5.6.0.3-40o.

The built-in SonicWALL GroupVPN policy may be set up to allow connections from iOS devices. Unlike Cisco and Juniper VPN devices, however, SonicWALL GroupVPN cannot be configured for certificate authentication or for on-demand VPN access. Still, for customers with existing SonicWALL infrastructure, this can be useful information.

Configuration involves the following steps:

  1. Set up the L2TP server
  2. Create a group with VPN access
  3. Assign users to this group
  4. Modify the built-in GroupVPN policy for iOS

L2TP

Under VPN > L2TP Server, enable the L2TP Server.

Then configure it with your DNS settings, and a new subnet for the address pool. Note that the SonicWALL will take care of routing this subnet to the VPN users. You should make sure this range does NOT overlap with any subnet currently in use on your network.
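Before typing a pool into the L2TP Server page, it is worth checking the candidate range against everything the firewall already routes. The following is an added example (not code from the original article or from SonicWALL): a small Python check that rejects a pool which is not a valid private IPv4 network, overlaps an in-use subnet, or is too small to serve several clients. The in-use subnets and the function name `check_l2tp_pool` are constructed for illustration.

```python
"""Added example (not from the original article): sanity-check a proposed
L2TP address pool against the subnets already in use on the network.
The subnets below are constructed sample values, not the article's."""
import ipaddress

# Constructed sample data: networks already routed on the LAN/DMZ side.
IN_USE_SUBNETS = [
    "192.168.1.0/24",    # LAN
    "192.168.10.0/24",   # DMZ
    "10.50.0.0/16",      # branch office reached over a site-to-site VPN
]


def check_l2tp_pool(pool, in_use=IN_USE_SUBNETS):
    """Return a list of problems with the proposed L2TP pool (empty if OK).

    Checks performed:
      * the pool must parse as an IPv4 network (no host bits set)
      * it must be a private (RFC 1918) range
      * it must not overlap any subnet the firewall already routes
      * it should leave at least a handful of usable addresses
    """
    problems = []
    try:
        net = ipaddress.ip_network(pool, strict=True)
    except ValueError as exc:
        return [f"{pool}: not a valid network ({exc})"]
    if net.version != 4:
        return [f"{pool}: L2TP pool must be IPv4"]
    if not net.is_private:
        problems.append(f"{pool}: not a private (RFC 1918) range")
    for existing in in_use:
        ex = ipaddress.ip_network(existing, strict=False)
        if net.overlaps(ex):
            problems.append(f"{pool}: overlaps in-use subnet {existing}")
    if net.num_addresses < 8:
        problems.append(f"{pool}: too small to hand out addresses to several clients")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one clashing with the LAN, one clean, one public.
    for candidate in ("192.168.1.128/25", "172.16.99.0/24", "8.8.8.0/24"):
        issues = check_l2tp_pool(candidate)
        print(candidate, "OK" if not issues else "; ".join(issues))
```

Feed the function the real list of networks from the firewall's routing table (including anything reachable over site-to-site tunnels, which is where overlaps are most often missed) and only proceed with a pool that comes back clean.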

Group

In Users > Local Groups, create a new group for the VPN users.

The "VPN Access" tab is where you define the local networks that GroupVPN clients may reach. By default this list is blank, so you must assign at least one network here or VPN clients will not be able to reach anything. "Firewalled Subnets" is a good choice, but you can be more specific if you like.

Users

In Users > Local Users, create one or more Local Users that will connect. If your SonicWALL is connected to a directory system, you may duplicate usernames here in order to assign group memberships. Note that your authentication server must support CHAP authentication, and some do not.

Assign these users to the group you created above.

VPN

In the VPN menu, choose "Settings". Enable and edit the "WAN GroupVPN" policy.

Create a relatively secure Shared Secret for your users. As the name implies, all devices will use the same secret as a preliminary password.

In the "Proposals" tab, configure the VPN with the following settings. This is required by the relatively non-configurable iOS VPN client.

In the "Advanced" tab, tick "Require authentication of VPN clients by XAUTH."

Finally, in the "Client" tab, set up your settings as follows:

iOS Configuration

Create a VPN configuration like the following:

Share your ideas

mattz

This is super helpful - thanks aaron!

Scott.Morabito
Joined: Nov 19, 2010

Sonicwall 4.2.1.3

Some older devices may need the 11/10/2010 4.2.1.3 update

Products Affected
- SonicWALL TZ 180
- SonicWALL TZ 180 Wireless
- SonicWALL TZ 190
- SonicWALL TZ 190 Wireless
- SonicWALL PRO 2040
- SonicWALL PRO 3060
- SonicWALL PRO 4060
- SonicWALL PRO 4100
- SonicWALL PRO 5060

Apple Mac iOS4 devices fail to create phase 2 Security Association (SA) and the VPN tunnel negotiation is unsuccessful.

The following SonicOS log event message may also display:

    Warning – VPN IKE – IKE Responder: ESP encryption algorithm does not match

This occurs when the default WAN group policy is modified for phase 2 proposal from ESP/SHA1/3DES to ESP/SHA1/AES 256. This is a specific Apple interoperability issue.

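The warning Scott quotes is the one symptom an administrator can watch for when iOS clients stop completing phase 2. The following is an added example, not part of the original thread or of SonicWALL's tooling: a small Python filter that runs over log lines, picks out "VPN IKE" warnings carrying the "ESP encryption algorithm does not match" text, and counts failed negotiations per source address so a proposal mismatch stands out. The log line layout (`time | priority | category | message | src=...`) and every sample line are constructed for this example; real SonicOS syslog output is keyed differently, so `parse_line` would need adapting to it.

```python
"""Added example (not part of the original thread): flag the SonicOS
'ESP encryption algorithm does not match' warning described in the
comment above, so a phase 2 proposal mismatch with iOS clients is
noticed quickly.

The log line layout used here is a constructed, simplified one:
    <time> | <priority> | <category> | <message> [| src=<ip>]
Real SonicOS syslog output is keyed differently; adapt parse_line() to it."""
import re
from collections import Counter

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
2010-11-19 09:01:12 | Info | VPN IKE | IKE Responder: received first message | src=203.0.113.7
2010-11-19 09:01:13 | Warning | VPN IKE | IKE Responder: ESP encryption algorithm does not match | src=203.0.113.7
2010-11-19 09:01:20 | Warning | VPN IKE | IKE Responder: ESP encryption algorithm does not match | src=203.0.113.7
2010-11-19 09:05:44 | Info | VPN IKE | IKE Responder: received first message | src=198.51.100.22
2010-11-19 09:05:45 | Info | VPN IPsec | IPsec SA established | src=198.51.100.22
2010-11-19 09:07:02 | Warning | VPN IKE | IKE Responder: ESP encryption algorithm does not match | src=198.51.100.40
"""

# The message text quoted in the thread; matched as a substring of the message field.
PHASE2_MISMATCH = re.compile(r"ESP encryption algorithm does not match")


def parse_line(line):
    """Split one constructed log line into a dict; return None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 4:
        return None
    rec = {"time": parts[0], "priority": parts[1],
           "category": parts[2], "message": parts[3]}
    # Trailing key=value fields (here only src=) become extra dict entries.
    for extra in parts[4:]:
        if "=" in extra:
            key, value = extra.split("=", 1)
            rec[key.strip()] = value.strip()
    return rec


def find_phase2_mismatches(log_text):
    """Return (matching records, Counter of mismatch warnings per source IP)."""
    hits = []
    per_src = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (rec["category"] == "VPN IKE" and rec["priority"] == "Warning"
                and PHASE2_MISMATCH.search(rec["message"])):
            hits.append(rec)
            per_src[rec.get("src", "unknown")] += 1
    return hits, per_src


if __name__ == "__main__":
    hits, per_src = find_phase2_mismatches(SAMPLE_LOG)
    print(f"{len(hits)} phase 2 proposal mismatch warning(s)")
    for src, count in per_src.most_common():
        print(f"  {src}: {count} failed negotiation(s)")
```

A burst of these warnings from several client addresses right after a change to the WAN GroupVPN phase 2 proposal is the pattern to look for; the fix the comment describes is to compare the proposal against what the affected iOS devices actually offer rather than to loosen anything else.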
Aaron Freimark
Joined: Nov 6, 2010

Thanks, Scott. Perhaps you can add this to the wiki article in the appropriate place?

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
