SonicWALL VPN W/ PGP Client - SonicGuard


SonicWALL VPN W/ PGP Client

Testing environment

Hardware/Software:
SonicWALL Pro firmware version 6.0.0.0
PGP Client version 7.0.1

Configurations tested

PGP set as follows:
1. Main Mode – 3DES, MD5, DH Group 2
2. Main Mode – 3DES, MD5, DH Group 5
3. Aggressive Mode – 3DES, MD5, DH Group 2
4. Aggressive Mode – 3DES, MD5, DH Group 5

SW Pro set as follows:
1. Group VPN, Shared Secret, (ESP 3DES HMAC MD5)
2. New SA, Shared Secret, (ESP 3DES HMAC MD5)

Note: This document assumes that the SonicWALL Pro has been through initial configuration, and the PGP client has been installed.

Configure the SonicWALL VPN

VPN Configuration #1

Click on the VPN tab, then the Configure tab.

Fill in the fields as follows:
Security Association: GroupVPN
IPSec Keying Mode: IKE using pre-shared secret
Disable This SA: Make sure there is not a check mark in the box
Require XAUTH/RADIUS: Make sure there is not a check mark in the box
SA Life time: Anything you choose. Default is fine
Encryption Method: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
Shared Secret: Anything you choose. Needs to be the same on the PGP Client

Click Update.

OR

VPN Configuration #2

Click on the VPN tab, then the Configure tab.

Fill in the fields as follows:
Security Association: Add New SA
IPSec Keying Mode: IKE using pre-shared secret
Name: Enter a descriptive name for the SA
Disable This SA: Make sure there is not a check mark in the box
IPSec Gateway Address: Leave Blank
Require XAUTH/RADIUS: Make sure there is not a check mark in the box
Enable Windows Networking: Does not matter
SA Life time: Anything you choose. Default is fine
Encryption Method: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
Shared Secret: Anything you choose. Needs to be the same on the PGP Client
Add New Network: Do not add any networks

Click Update.

Configure the PGP Client

Right click on the PGP icon (looks like a lock) in the system tray:
Select PGPNet VPN
Select View Options

Select the VPN tab from the PGP Options screen.

Fill in the fields as follows:
Enable VPN connections: Make sure this is checked
Dynamic VPN: Does not matter
Automatic Key Renewal: Default values are fine, or choose the settings you want.

Click the Advanced tab on the PGP Options screen.

Make sure that TripleDES is checked in the allowed algorithms section.

Click the VPN Advanced tab on the PGP Options screen.

Fill the fields in the following way:

Allowed Remote Proposals section:
Make sure that TripleDES and MD5 are checked.
One of the following must be checked: 1024 bits (DH Group 2) or 1536 bits (DH Group 5). You can check both of them.
LZS and Deflate are not checked.

Proposals sections:

IKE Section: You must have one entry in this section.
Select New IKE Proposal.
Choose the following parameters for your proposal: Shared Secret, MD5, TripleDES, and 1024 or 1536 (select the same one you selected above). If you selected both 1024 and 1536, you can create another IKE proposal for the other one.
Click OK.

IPSec Section: You must have one entry in this section.
Select New IPSec Proposal.
Choose the following parameters for your proposal:
AH and IPPCP boxes are not checked.
ESP box is checked.
Hash: MD5
Cipher: TripleDES
Click OK, then OK again when finished.

If the shield in the upper right hand corner by PGPNet is grayed out, left click on it once to enable PGPNet. It should turn GOLD.

Click Add.

If this screen pops up after clicking Add, then click Use Expert Mode. Otherwise skip this step.

Configure the secure Gateway (SonicWALL)

Fill the fields in the following way:
Name: Descriptive name for the SonicWALL
IP Address: The IP address of the SonicWALL
Make sure Secure Gateway is selected from the drop down menu.
Select Connect automatically or require manual connection.
Aggressive Mode: Can check (aggressive) or leave unchecked (main mode). If you check aggressive mode, authentication type is normal.
Remote Authentication: Any valid key
Shared Secret: Click Set Shared Passphrase

If this screen pops up after clicking Set Shared Passphrase, click OK. Otherwise skip this step.

Enter your shared secret. Note: This should be the same as the shared secret you entered on the SonicWALL.

Click OK, then OK again.

Highlight the entry you just created.
Click Add.
Click YES.

Enter information for the insecure subnet (the subnet behind the SonicWALL):

Select Insecure Subnet from the drop down menu where it says secure host.

Fill in the fields the following way:
Enter a descriptive name for the subnet behind the SonicWALL
Enter the IP address of the network
Enter the Subnet Mask for the network
Click OK.

Initiate the tunnel

Highlight the secure gateway you created. You can then click Connect at the bottom of the screen, or you can right click on the gateway and select Connect. When the tunnel comes up you will see Green Dots under the SA field.

You can now send secure traffic over the VPN.
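
The settings this guide asks for on the two sides can be cross-checked before initiating the tunnel. The following Python check is an added example, not part of the original SonicWALL document; the dictionary field names and the sample values are constructed labels for the GUI settings above, not an export format of either product.

```python
import hmac

# Field names below are hypothetical labels for the guide's GUI settings,
# not an export format of SonicWALL or PGPnet.
TESTED_DH_BITS = {1024, 1536}  # DH Group 2 and DH Group 5

def check_pair(gw, pgp):
    """Return mismatches against the settings the guide specifies."""
    problems = []
    if gw["encryption_method"] != "ESP 3DES HMAC MD5":
        problems.append("gateway: Encryption Method is not ESP 3DES HMAC MD5")
    if gw["disabled"] or gw["require_xauth"]:
        problems.append("gateway: Disable This SA / Require XAUTH must be unchecked")
    # Compare secrets in constant time; never echo them into the report.
    if not hmac.compare_digest(gw["shared_secret"].encode(),
                               pgp["shared_secret"].encode()):
        problems.append("shared secret differs between gateway and client")
    allowed = pgp["allowed_remote"]
    if not {"TripleDES", "MD5"} <= allowed["algorithms"]:
        problems.append("client: TripleDES and MD5 must both be allowed")
    if allowed["compression"]:
        problems.append("client: LZS and Deflate must be unchecked")
    allowed_dh = allowed["dh_bits"] & TESTED_DH_BITS
    if not allowed_dh:
        problems.append("client: allow 1024 or 1536 bit DH")
    if not pgp["ike_proposals"]:
        problems.append("client: IKE section needs one entry")
    for n, p in enumerate(pgp["ike_proposals"], 1):
        if (p["auth"], p["hash"], p["cipher"]) != ("Shared Secret", "MD5", "TripleDES"):
            problems.append(f"client: IKE proposal {n} is not Shared Secret/MD5/TripleDES")
        if p["dh_bits"] not in allowed_dh:
            problems.append(f"client: IKE proposal {n} uses a DH size not allowed above")
    esp = pgp["ipsec_proposal"]
    if esp["ah"] or esp["ipcomp"] or not esp["esp"]:
        problems.append("client: IPSec proposal must be ESP only")
    if (esp["hash"], esp["cipher"]) != ("MD5", "TripleDES"):
        problems.append("client: IPSec proposal is not MD5/TripleDES")
    return problems

# Constructed sample settings (the secret is a placeholder).
GATEWAY = {"encryption_method": "ESP 3DES HMAC MD5", "disabled": False,
           "require_xauth": False, "shared_secret": "example-secret"}
CLIENT = {"shared_secret": "example-secret",
          "allowed_remote": {"algorithms": {"TripleDES", "MD5"},
                             "compression": set(), "dh_bits": {1024}},
          "ike_proposals": [{"auth": "Shared Secret", "hash": "MD5",
                             "cipher": "TripleDES", "dh_bits": 1024}],
          "ipsec_proposal": {"ah": False, "ipcomp": False, "esp": True,
                             "hash": "MD5", "cipher": "TripleDES"}}
```

`check_pair(GATEWAY, CLIENT)` returns an empty list when the two sides agree; each string in a non-empty result names the setting to revisit.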
