SonicWALL 6.2.0.0
Addendum
A Supplement to the SonicWALL Internet
Security Appliance User's Guide
Contents
SonicWALL Addendum 6.2.0.0
  New Network Features
    NAT with L2TP Client
  New Tools Features
    Tech Support Report Features
  New VPN Features
    Security Policy
      Phase 1 DH Group
      Phase 1 Encryption/Authentication
      Phase 2 Encryption/Authentication
    VPN Advanced Settings
      Use Aggressive Mode
      Enable Keep Alive
      Require XAUTH/RADIUS (only allows VPN Clients)
      Enable Windows Networking (NetBIOS) broadcast
      Apply NAT and firewall rules
      Forward Packets to Remote VPNs
      Route all internet traffic through this SA
      Enable Perfect Forward Secrecy
      Phase 2 DH Group
      Default LAN Gateway
    VPN Advanced Settings Matrix
  New RADIUS Settings
    RADIUS Global Settings
    Primary and Secondary Server Configuration
    RADIUS Client Test
  High Availability and Digital Certificates
SonicWALL Firmware Addendum 6.2.0.0 Page 1
SonicWALL Addendum 6.2.0.0
SonicWALL firmware version 6.2.0.0 includes several features and enhancements not
documented in the SonicWALL Internet Security Appliance User's Guide. The new firmware
features are documented in this 6.2.0.0 Addendum. You should also download and review
the Release Notes associated with firmware version 6.2.0.0.
New Network Features
NAT with L2TP Client
L2TP (Layer Two Tunneling Protocol) is a standard tunneling protocol used to encapsulate
Point-to-Point Protocol (PPP) frames for transmission over IP, X.25, frame relay, or
Asynchronous Transfer Mode (ATM) networks. It can be used to create virtual private
networks (VPNs) over public networks such as the Internet, and because it is an open
standard it interoperates across VPN vendors in a way that proprietary tunneling protocols
do not. Note that L2TP by itself provides neither encryption nor strong authentication of
the tunnel; where confidentiality is required it is normally carried inside IPSec
(L2TP/IPSec).
PPP provides the connection over which L2TP sends packets through a tunnel. The tunnel
can be initiated either by a dial-up client or by the network access server (NAS) located
at the L2TP service provider, such as an ISP. When the client initiates the connection to
the NAS, the NAS is referred to as an L2TP access concentrator (LAC). The LAC forwards its
L2TP traffic to a remote node called an L2TP network server (LNS). The LNS performs the
server-side function of PPP termination and acts as the receiver of incoming connections.
If the NAS initiates the L2TP tunnel to the customer premises, the client PC acts as the
LNS.
A VPN tunnel using L2TP can be initiated two ways:
• Client-initiated tunnel - The client initiates a tunnel in a way similar to PPTP tunnels.
• NAS-initiated tunnel - If the tunnel is initiated by the NAS, it enables telephone
companies and ISPs to provide corporate customers with VPN solutions.
To configure the SonicWALL for NAT with L2TP Client, follow these steps:
1. Select NAT with L2TP Client from the Network Addressing Mode menu on
the Network tab.
2. Configure the LAN Settings by typing in the IP addresses for the SonicWALL LAN and
the LAN Subnet Mask.
3. Type the IP address of the upstream router in the WAN Gateway (Router) Address field.
Then enter the SonicWALL WAN IP (NAT Public) Address and the WAN/DMZ Subnet Mask.
4. Configure the DNS Settings by typing the DNS Server IP address into the DNS
Server field.
5. Enter the IP address of the L2TP Server into the L2TP Server IP Address field. Also,
enter the User Name and User Password into the User Name and User Password
fields.
6. You can select the Disconnect after __ minutes of inactivity check box, and also
enter a value in minutes to disconnect an inactive user. The default value is 10 minutes.
7. Click Update to apply the settings. The L2TP Gateway Address, L2TP SonicWALL IP
Address, and L2TP DNS Server fields are filled in automatically once the connection
between the SonicWALL and the L2TP server is established.
New Tools Features
Tech Support Report Features
In the Tools section, click the Diagnostic tab, and then select Tech Support Report
from the Choose a diagnostic tool menu. In the Tech Support Report section, there
are four Report Options that can be selected:
• VPN Keys - saves shared secrets, encryption, and authentication keys to the report.
• ARP Cache - saves a table relating IP addresses to the corresponding MAC or
physical addresses.
• DHCP Bindings - saves entries from the SonicWALL DHCP server.
• IKE Info - saves current information about active IKE configurations.
Click Save Report to save the file to your system, then attach the report to your Tech
Support Request e-mail. When you click Save Report, a warning message is displayed: the
report contains all of the information about your SonicWALL configuration in plaintext,
and with VPN Keys selected it also contains the IPSec shared secrets and the keys of the
current sessions. Treat the file as you would the secrets themselves: select VPN Keys only
when support asks for it, encrypt the attachment before e-mailing it, and delete local
copies once the case is closed.
New VPN Features
Security Policy
Phase 1 DH Group
Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during phase 1 of IKE
to agree on a fresh shared secret from which the IKE session keys are derived. The
pre-shared secret you configure authenticates that exchange; it is not produced by it.
You can now select from three well-known DH groups:
• Group 1 - less secure
• Group 2 - more secure
• Group 5 - most secure
Groups 1, 2, and 5 use modular exponentiation with primes of different lengths:
Group    Prime size (bits)
1        768
2        1024
5        1536
If network connection speed is preferred, select Group 1. If network security is preferred,
select Group 5. To compromise between speed and security, select Group 2. Bear in mind
that the strength of the whole tunnel is bounded by the group's prime size: a 768-bit
modulus is no longer considered adequate, so Group 5 should be the default wherever the
peer supports it.
Phase 1 Encryption/Authentication
This field selects the encryption algorithm and the hash algorithm (used for HMAC
integrity and as the IKE pseudo-random function) that protect the Phase 1 exchange of
Internet Key Exchange (IKE). Four combinations can be selected from the menu (listed in
order from least secure to most secure):
• DES & MD5
• DES & SHA1
• 3DES & MD5
• 3DES & SHA1
Data Encryption Standard (DES) is a U.S. government standard for encrypting information.
It is a symmetric cipher, so the sender and the receiver must share the same secret key to
communicate securely. DES uses a 56-bit key, which allows about 7.2 x 10^16 possible keys.
That keyspace was once considered adequate, but a DES key was recovered by public
exhaustive search in 1997, and purpose-built hardware reduced the effort to a few days in
1998, so DES should not be relied on. Triple DES (3DES) applies DES three times in
succession (encrypt, decrypt, encrypt) with three independent 56-bit keys, for a 168-bit
key.
MD5 (Message Digest 5) is a cryptographic hash function. A message digest is a hash value
of fixed length computed from a longer, variable-length message; MD5 produces a 128-bit
value in four rounds. Digests are commonly used as the input to digital signatures. In IKE
the hash is used inside HMAC, where collision attacks on the bare function matter less,
but MD5 is no longer recommended for new deployments.
SHA1 (Secure Hash Algorithm 1) is a hashing algorithm published by the National Institute
of Standards and Technology (NIST); it produces a 160-bit value.
If network speed is preferred, select DES & MD5. If network security is preferred, then
select 3DES & SHA1.
Phase 2 Encryption/Authentication
The list of encryption/authentication methods has not changed from previous versions of
SonicWALL firmware, except for the Group VPN Security Association. The VPN Client
software does not support the ArcFour (RC4) encryption methods and you cannot disable
authentication in the VPN Client software. The following encryption/authentication
methods are available for the Group VPN Security Association (listed from most secure
to least secure):
• Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1)
• Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
• Encrypt and Authenticate (ESP DES HMAC SHA1)
• Encrypt and Authenticate (ESP DES HMAC MD5)
If network connection speed is preferred, select Encrypt and Authenticate (ESP DES
HMAC MD5) from the menu. If network security is preferred, select Strong Encrypt and
Authenticate (ESP 3DES HMAC SHA1).
VPN Advanced Settings
Two new settings, the Use Aggressive Mode check box and the Phase 2 DH Group menu, are
available in the Edit Advanced Settings window for VPN connections. The following settings
are available in that window:
• Use Aggressive Mode
• Enable Keep Alive
• Require XAUTH/RADIUS (only allows VPN clients)
• Enable Windows Networking (NetBIOS) broadcast
• Apply NAT and firewall rules
• Forward packets to remote VPNs
• Route all internet traffic through this SA
• Enable Perfect Forward Secrecy
• Phase 2 DH Group
• Default LAN Gateway
Use Aggressive Mode
Selecting the Use Aggressive Mode check box forces the SonicWALL appliance to use
Aggressive Mode to establish the VPN tunnel even if the SonicWALL has a static IP address.
Aggressive Mode completes Phase 1 in three messages instead of Main Mode's six, at the
cost of sending the identity payloads and the authentication hash unencrypted. Use
Aggressive Mode is useful when the SonicWALL is located behind another NAT device or has
a dynamic WAN address, because the peer can then be identified by its ID payload rather
than by its IP address. The check box is only available if IKE using Pre-shared Secret or
IKE using Certificates (SonicWALL to SonicWALL) is selected as the IPSec Keying Mode.
With a pre-shared secret, keep in mind that the hash sent in the clear can be checked
offline against PSK guesses by anyone who captured the exchange, so the secret must be
long and random.
Enable Keep Alive
Selecting the Enable Keep Alive check box keeps the VPN tunnel active by exchanging
keep-alive traffic with the peer across the connection between the two endpoints. If that
traffic is interrupted, the tunnel is renegotiated.
Require XAUTH/RADIUS (only allows VPN Clients)
An IKE Security Association may be configured to require RADIUS authentication before
allowing VPN clients to access LAN resources. XAUTH/RADIUS authentication provides an
additional layer of VPN security while simplifying and centralizing management. RADIUS
authentication allows many VPN clients to share the same VPN configuration but requires
each client to authenticate with a unique user name and password, and because a RADIUS
server controls network access, all employee privileges may be created and modified from
one location. Note that XAUTH adds a per-user check on top of Phase 1; it does not change
the fact that the group pre-shared secret is known to every client.
Enable Windows Networking (NetBIOS) broadcast
Computers running Microsoft Windows® communicate with one another through NetBIOS
broadcast packets. Select the Enable Windows Networking (NetBIOS) broadcast check box
to allow remote network resources to be found by browsing the Windows® Network
Neighborhood.
Apply NAT and firewall rules
This feature allows the remote site's LAN subnet to be hidden from the corporate site, and
is most useful when a remote office's network traffic is initiated toward the corporate
office. The IPSec tunnel runs between the SonicWALL WAN interface and the LAN segment of
the corporation. NAT (Network Address Translation) is applied to outbound packets before
they are encrypted and sent through the tunnel, and again to inbound packets after they
are decrypted. With NAT applied to the VPN connection, all computers on the remote LAN
appear as a single address (the SonicWALL public address) from the corporate LAN.
If the SonicWALL uses the Standard network configuration, selecting this check box applies
the firewall access rules and attack checks but does not apply NAT, since the SonicWALL is
not configured for it. If the SonicWALL uses the NAT network configuration, selecting this
check box performs the normal firewall checks and access rules and applies NAT.
Note: You cannot use this feature if you have Route all internet traffic through this
SA enabled.
Forward Packets to Remote VPNs
Checking the Forward Packets to Remote VPNs checkbox for a Security Association
allows the remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic
is decrypted and can now be forwarded to a remote site via another VPN tunnel. Normally,
inbound traffic is decrypted and only forwarded to the SonicWALL local LAN or a specific
route on the LAN specified on the Routes tab located under the Advanced section.
Enabling this feature allows a network administrator to create a “hub and spoke” network
configuration by forwarding inbound traffic to a remote site via a VPN security association.
To create a “hub and spoke” network, enable the Forward Packets to Remote VPNs
checkbox for each Security Association in your SonicWALL. Traffic is now able to go from
branch office to branch office via the corporate office.
Note: It is strongly recommended not to select this feature if you are configuring a Group
VPN SA or a Manual Key SA for a VPN Client.
Route all internet traffic through this SA
Checking this box allows a network administrator to force all network traffic to the WAN to
go through a VPN tunnel to a central site. Outgoing packets are checked against the remote
network definitions for all Security Associations (SA). If a match is detected, the packet is
then routed to the appropriate destination. If no match is detected, the SonicWALL checks
for the presence of a SA using this checkbox. If an SA is detected, the packet is sent using
that SA. If there is no SA with this option enabled, and if the destination does not match any
other SA, the packet goes unencrypted to the WAN.
Note: Only one SA may have this checkbox enabled.
Enable Perfect Forward Secrecy
The Enable Perfect Forward Secrecy check box increases the time taken to renegotiate the
VPN tunnel. With Perfect Forward Secrecy enabled, an attacker who breaks or otherwise
obtains one set of IPSec keys, or the Phase 1 keying material they were derived from,
cannot recover other or future IPSec keys. During each phase 2 renegotiation between two
SonicWALL appliances or on a Group VPN SA, an additional Diffie-Hellman exchange is
performed whose private values are discarded afterwards, so every phase 2 key is
independent of the others. Enable Perfect Forward Secrecy adds incremental security
between gateways.
Phase 2 DH Group
Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during phase 2
(quick mode) renegotiation when Enable Perfect Forward Secrecy is selected; without PFS
no phase 2 exchange takes place and this menu has no effect. You can now select from three
well-known DH groups:
• Group 1 - less secure
• Group 2 - more secure
• Group 5 - most secure
Groups 1, 2, and 5 use modular exponentiation with primes of different lengths:
Group    Prime size (bits)
1        768
2        1024
5        1536
If network connection speed is an issue, select Group 1. If network security is an issue,
select Group 5. To compromise between speed and security, select Group 2.
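The three DH groups offered in the Phase 1 DH Group and Phase 2 DH Group sections, the Phase 1 key derivation, and what Enable Perfect Forward Secrecy changes in phase 2, as one added example that is not code from the original page or from SonicWALL. It follows RFC 2409 sections 5 and 5.5, with the group primes from RFC 2409 (groups 1 and 2) and RFC 3526 (group 5) and HMAC with the Phase 1 hash as the prf. The pre-shared secret, nonces, cookies and SPI are constructed, and the attacker who later holds the Phase 1 keys (for instance from a Tech Support Report saved with VPN Keys) and a packet capture is an assumption of the demo.

```python
"""IKEv1 (RFC 2409) phase 1 and phase 2 key derivation over the MODP groups this page offers."""
import hmac
import secrets

# Group primes: RFC 2409 section 6 (groups 1 and 2) and RFC 3526 section 2 (group 5); g = 2.
_MODP_HEX = {
    1: """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
          020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
          4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF""",
    2: """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
          020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
          4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
          EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF""",
    5: """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
          020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
          4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
          EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
          98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
          9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF""",
}
MODP = {g: int("".join(h.split()), 16) for g, h in _MODP_HEX.items()}
GENERATOR = 2


def _probably_prime(n, bases=(2, 3, 5, 7, 11, 13)):
    """Miller-Rabin with fixed bases: enough to catch a mistyped prime."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """The MODP groups are safe primes: p and (p - 1) / 2 are both prime."""
    return _probably_prime(p) and _probably_prime((p - 1) // 2)


def dh_keypair(group):
    p = MODP[group]
    x = secrets.randbelow(p - 3) + 2                            # private exponent in [2, p-2]
    return x, pow(GENERATOR, x, p)


def dh_shared(group, x, peer_pub):
    """g^xy as RFC 2409 encodes it: big-endian, padded to the prime length."""
    p = MODP[group]
    if not 1 < peer_pub < p - 1:                                # 0, 1 and p-1 force a known secret
        raise ValueError("peer public value out of range")
    return pow(peer_pub, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(hash_name, key, data):
    """IKE prf: HMAC with the Phase 1 hash ("sha1" or "md5")."""
    return hmac.new(key, data, hash_name).digest()


def phase1_keys(hash_name, psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: pre-shared-key SKEYID and the three keys derived from it."""
    skeyid = prf(hash_name, psk, ni + nr)
    skeyid_d = prf(hash_name, skeyid, gxy + cky_i + cky_r + b"\x00")                 # seeds phase 2
    skeyid_a = prf(hash_name, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")      # IKE integrity
    skeyid_e = prf(hash_name, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")      # IKE encryption
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(hash_name, skeyid_d, spi, ni, nr, qm_gxy=b""):
    """RFC 2409 section 5.5 KEYMAT: without PFS qm_gxy is empty; with PFS it is the fresh g^xy."""
    return prf(hash_name, skeyid_d, qm_gxy + b"\x03" + spi + ni + nr)              # protocol 3 = ESP


def demo(group=2, hash_name="sha1"):
    """Phase 1, then phase 2 with and without PFS, then replay an attacker who holds the Phase 1
    keys (e.g. from a plaintext Tech Support Report saved with VPN Keys) and a packet capture."""
    xi, gxi = dh_keypair(group)
    xr, gxr = dh_keypair(group)
    gxy = dh_shared(group, xi, gxr)
    assert gxy == dh_shared(group, xr, gxi)                     # both gateways agree on g^xy
    rnd = secrets.token_bytes
    ni, nr, cky_i, cky_r = rnd(16), rnd(16), rnd(8), rnd(8)
    skeyid_d, _, _ = phase1_keys(hash_name, b"constructed-psk", ni, nr, gxy, cky_i, cky_r)

    spi, qni, qnr = rnd(4), rnd(16), rnd(16)                    # quick-mode values, readable with SKEYID_e
    keymat_plain = quick_mode_keymat(hash_name, skeyid_d, spi, qni, qnr)
    qxi, qgxi = dh_keypair(group)                               # PFS: one-shot DH, privates discarded
    _, qgxr = dh_keypair(group)
    keymat_pfs = quick_mode_keymat(hash_name, skeyid_d, spi, qni, qnr, dh_shared(group, qxi, qgxr))

    # The attacker knows skeyid_d, spi, qni, qnr, qgxi and qgxr, but not the discarded qxi.
    recovered_plain = quick_mode_keymat(hash_name, skeyid_d, spi, qni, qnr) == keymat_plain
    wrong_gxy = bytes(len(gxy))                                 # any value but the real g(qm)^xy fails
    recovered_pfs = quick_mode_keymat(hash_name, skeyid_d, spi, qni, qnr, wrong_gxy) == keymat_pfs
    return {"prime_bits": MODP[group].bit_length(),
            "no_pfs_recovered": recovered_plain, "pfs_recovered": recovered_pfs}
```

Without PFS, KEYMAT is a deterministic function of SKEYID_d and of values that are in the quick-mode packets, so whoever obtains the Phase 1 keys can derive every ESP key negotiated under them, past and future. With PFS the attacker would also need one of the two discarded quick-mode exponents, which is the discrete-logarithm problem in the chosen group; the group's prime size is therefore what that guarantee rests on.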
Default LAN Gateway
A Default LAN Gateway is used at a central site in conjunction with a remote site using
the Route all internet traffic through this SA check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decrypted by the SonicWALL and compared to the static routes
configured in the SonicWALL. Since packets may be addressed to any IP address, it is
impossible to configure enough static routes to handle the traffic. For packets received via
an IPSec tunnel, the SonicWALL looks up a route on the LAN. If no route is found, the
SonicWALL checks for a Default LAN Gateway. If one is configured, the packet is routed
through that gateway. Otherwise, the packet is dropped.
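The per-packet decisions described in Forward Packets to Remote VPNs, Route all internet traffic through this SA and Default LAN Gateway, modelled as one added example (not SonicWALL code). The outbound order (explicit remote-network match first, then the single route-all SA, otherwise cleartext to the WAN) and the inbound order (LAN and static routes, then other SAs, then the Default LAN Gateway, otherwise drop) follow the text; that the forwarding flag is evaluated on the SA a packet arrived on, and all addresses and SA names, are assumptions of the model.

```python
"""Per-packet decisions described in Route all internet traffic through this SA,
Forward Packets to Remote VPNs and Default LAN Gateway, as an added model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class SA:
    name: str
    remote_networks: List[str]                  # destination networks reached through this SA
    route_all: bool = False                     # Route all internet traffic through this SA
    forward_to_remote: bool = False             # Forward Packets to Remote VPNs
    default_lan_gateway: Optional[str] = None   # Default LAN Gateway (set on the hub side)


def _covers(networks, dst):
    return any(dst in ip_network(n) for n in networks)


@dataclass
class Firewall:
    lan_networks: List[str]                     # directly attached LAN subnet(s)
    static_routes: List[str]                    # networks behind routers on the LAN (Routes tab)
    sas: List[SA]

    def outbound_sa(self, dst: str) -> Optional[SA]:
        """SA that carries a LAN-originated packet, or None for plaintext to the WAN."""
        dst = ip_address(dst)
        for sa in self.sas:                     # first pass: explicit remote-network match
            if _covers(sa.remote_networks, dst):
                return sa
        route_all = [sa for sa in self.sas if sa.route_all]
        if len(route_all) > 1:                  # the page allows only one such SA
            raise ValueError("only one SA may have route_all enabled")
        return route_all[0] if route_all else None   # None: fails open, packet leaves unencrypted

    def inbound_disposition(self, arrived_on: SA, dst: str) -> Tuple[str, Optional[str]]:
        """What happens to a packet just decrypted from `arrived_on` and addressed to dst."""
        dst = ip_address(dst)
        if _covers(self.lan_networks + self.static_routes, dst):
            return ("deliver", "LAN")
        if arrived_on.forward_to_remote:        # hub-and-spoke: re-encrypt into another SA
            for sa in self.sas:
                if sa is not arrived_on and _covers(sa.remote_networks, dst):
                    return ("forward", sa.name)
        if arrived_on.default_lan_gateway:      # e.g. Internet-bound traffic from a spoke
            return ("route", arrived_on.default_lan_gateway)
        return ("drop", None)


def hub_example():
    """Constructed hub with two branch SAs; branch A also sends all its Internet traffic here."""
    a = SA("branch-A", ["10.1.0.0/16"], forward_to_remote=True, default_lan_gateway="192.168.1.254")
    b = SA("branch-B", ["10.2.0.0/16"], forward_to_remote=True)
    return Firewall(["192.168.1.0/24"], ["192.168.2.0/24"], [a, b]), a, b


def spoke_example(route_all: bool):
    """Constructed branch A; with route_all its single SA also carries Internet traffic."""
    hub = SA("hub", ["192.168.1.0/24", "10.2.0.0/16"], route_all=route_all)
    return Firewall(["10.1.0.0/16"], [], [hub])
```

The two failure modes worth noticing are both visible in the model: a spoke without a route-all SA sends unmatched traffic to the WAN in the clear, and a hub SA without a Default LAN Gateway silently drops the spoke's Internet-bound packets after decrypting them.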
VPN Advanced Settings Matrix
The matrix shows which of the advanced settings apply to each IPSec Keying Mode (the
per-mode check marks are not reproduced here).
Keying modes (columns):
• IKE using Pre-shared Secret
• Manual Key*
• IKE using Certificates
• Group VPN using IKE/Pre-shared Secret
• Group VPN using IKE/Certificates
Settings (rows):
• Use Aggressive Mode
• Enable Keep Alive
• Require XAUTH/RADIUS
• Enable Perfect Forward Secrecy
• Phase 2 DH Group
• Enable Windows Networking (NetBIOS) broadcast
• Apply NAT and Firewall Settings
• Forward Packets to Remote VPNs
• Route all internet traffic through this SA
• Default LAN Gateway
*Default LAN Gateway and Forward Packets to Remote VPNs are not configured for VPN Client to
SonicWALL appliance connections using Manual Key Exchange.
New RADIUS Settings
RADIUS Global Settings
• RADIUS Server Retries - There is now a default value of 3, an allowable range of
1-10, and a recommended value of 3.
• RADIUS Server Timeout in Seconds - There is now a default value of 5, an allowable
range of 1-60 seconds, and a recommended value of 5 seconds.
Primary and Secondary Server Configuration
A primary and a secondary RADIUS server can be configured on the RADIUS tab in the
VPN section of the SonicWALL Management interface. To configure the RADIUS servers,
follow the instructions below:
1. Enter the IP address of the primary server in the IP Address field.
2. Enter the Port Number in the Port Number field. The default value is 1812.
3. Enter the Shared Secret in the Shared Secret field. Click Update to update the
SonicWALL settings. The shared secret is the only key that hides user passwords and
authenticates replies between the SonicWALL and the RADIUS server, so use a long random
value and a different one for each RADIUS client.
RADIUS Client Test
To test the RADIUS server configuration, type a valid RADIUS user name and password,
then click Update to send a test authentication to the server. If the validation
succeeds, Success appears in the Status line at the bottom of the RADIUS tab. If it
fails, Failure appears in the Status line at the bottom of the RADIUS tab.
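What the shared secret, the retry and timeout settings and the client test do on the wire, as one added example that is not code from the original page or from SonicWALL. It implements the RFC 2865 pieces a RADIUS client needs: User-Password hiding with the shared secret, the Response Authenticator check, and a retransmit loop driven by `retries` and `timeout`. The `send` callback, the in-memory server and the user database are constructed for the demo.

```python
"""RFC 2865 RADIUS client pieces behind the Shared Secret, Retries, Timeout and Client Test
settings: password hiding, response authentication and the retry loop (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value        # Type, Length (incl. header), Value


def hide_password(secret, password, request_auth):
    """User-Password (RFC 2865 5.2): XOR 16-byte chunks with MD5(secret + previous block),
    where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(secret, hidden, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, ident, request_auth):
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, password, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(secret, code, ident, attrs, request_auth):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret): binds the reply to our
    request and to a server that knows the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(secret, code, ident, request_auth, attrs=b""):
    auth = response_authenticator(secret, code, ident, attrs, request_auth)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(secret, packet, request_auth, ident):
    """Return the response code, or None if the reply is not a valid answer to our request."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return None
    expected = response_authenticator(secret, code, rid, packet[20:], request_auth)
    return code if hmac.compare_digest(packet[4:20], expected) else None


def radius_auth(send, secret, username, password, retries=3, timeout=5.0):
    """Client Test as the page describes it: 'Success', 'Failure', or 'Timeout' after `retries`
    attempts. `send(packet, timeout)` returns the server's reply bytes, or None on timeout."""
    request_auth, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(secret, username, password, ident, request_auth)
    for _ in range(retries):
        reply = send(packet, timeout)
        code = verify_response(secret, reply, request_auth, ident) if reply else None
        if code == ACCESS_ACCEPT:
            return "Success"
        if code == ACCESS_REJECT:
            return "Failure"
        # No reply, or a reply whose authenticator does not verify (wrong shared secret,
        # spoofed packet): discard it and retransmit, as a real client must.
    return "Timeout"


def fake_server(secret, users):
    """In-memory stand-in for a RADIUS server (constructed for the demo, not a real server)."""
    def send(packet, timeout):
        _, ident, _ = struct.unpack("!BBH", packet[:4])
        request_auth, attrs, fields, i = packet[4:20], packet[20:], {}, 0
        while i < len(attrs):
            fields[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
            i += attrs[i + 1]
        password = unhide_password(secret, fields[ATTR_USER_PASSWORD], request_auth)
        ok = users.get(fields.get(ATTR_USER_NAME)) == password
        return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth)
    return send
```

A mismatched shared secret does not produce Failure: the server cannot unhide the password and sends Access-Reject, but its Response Authenticator no longer verifies on the client, so the reply is discarded and the test ends in a timeout after the configured retries. When the Client Test shows a timeout against a reachable server, check the secret before the network.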
High Availability and Digital Certificates
If a digital certificate is used to identify the primary SonicWALL, the same digital
certificate must also be imported into the secondary (backup) SonicWALL. Although the
primary SonicWALL's settings are normally copied to the backup during the synchronization
phase of High Availability setup, the certificate is not, so it has to be imported
separately. This feature is supported by the GX series, the PRO, and the PRO-VX models of
the SonicWALL Internet Security appliance.
To import the digital certificate into the backup SonicWALL, click VPN, then Certificates.
Click Import to import the certificate into the backup SonicWALL.
SonicWALL, Inc.
1160 Bordeaux Dr.
Sunnyvale, CA 94089-1209
Phone: 408-745-9600
Fax: 408-745-9300
Email: sales@sonicwall.com
Web: http://www.sonicwall.com
Part # 232-000045-07
Rev A 10/01