
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
T +1 408.745.9600
F +1 408.745.9300
www.sonicwall.com

P/N: 232-000xxx-00 Rev A, 08/07

©2007 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 07/07 SW 145

PROTECTION AT THE SPEED OF BUSINESS

Summary of Contents for SonicWALL Global VPN Client 4.0 Administrator's Guide

Page 1: ...PROTECTION AT THE SPEED OF BUSINESS. Global VPN Client Administrator's Guide...

Page 2: ... 9; Using the Setup Wizard 10; Adding VPN Connection Policies 12; Understanding VPN Connection Policies 12; Understanding Digital Certificates 13; Using the New Connection Wizard 13; Creating a VPN Connection Policy 13; Importing a VPN Configuration File 15; Configuring a Dial-Up VPN Connection 16; Launching the SonicWALL Global VPN Client 17; Making VPN Connections 17; Accessing Redundant VPN Gateways 18; En...

Page 3: ...ion Policy 29; Selecting All Connection Policies 29; Managing Certificates 30; Troubleshooting the SonicWALL Global VPN Client 30; Understanding the Global VPN Client Log 31; Configuring the Log 32; Generating a Help Report 33; Accessing Technical Support 34; Viewing Help Topics 34; Uninstalling the SonicWALL Global VPN Client (Windows 98 SE) 34; Configuring SonicWALL Security Appliances for Global VPN Client...

Page 4: ...ndix A: Creating and Deploying the Default.rcf File for Global VPN Clients 40; How the Global VPN Client Uses the default.rcf File 40; Deploying the default.rcf File 40; Creating the default.rcf File 42; Sample default.rcf File 44; Troubleshooting the default.rcf File 47; Appendix B: SonicWALL Global VPN Client Installation Using the InstallShield Silent Response File 47; Creating the Silent Installation 4...

Page 5: ...SonicWALL Global VPN Client 4.0 Administrator's Guide, Page 5. Appendix D: Installing the Global VPN Client with a Ghost Application 50; Appendix E: Log Viewer Messages 50...

Page 6: ...tion with RADIUS: Provides added security with user authentication after the client has been authenticated via a RADIUS server. VPN Session Reliability: Allows automatic redirect in case of a SonicWALL VPN gateway failure. If a SonicWALL VPN gateway is down, the Global VPN Client can go through another SonicWALL VPN gateway. Multiple Subnet Support: Allows Global VPN Client connections to more than...

Page 7: ...r third-party dial-up applications, either as an automatic backup to a broadband connection or as the primary connection. Single VPN Connection to any SonicWALL Secure Wireless Appliance for Roaming: Allows users to use a single VPN connection policy to access the networks of multiple SonicWALL Secure Wireless appliances. Automatic Configuration of Redundant Gateways from DNS: When an IPSec gateway dom...

Page 8: ...lient 4.0 Enterprise, which is included as part of the SonicWALL Global Security Client. The SonicWALL Global VPN Client, as part of the SonicWALL Global Security Client, operates on Windows 2000 SP3, Windows XP Home SP1 and Windows XP Professional SP1 operating systems for clients. The Global VPN Client, as part of the SonicWALL Global Security Client, is supported by the following SonicWALL security app...

Page 9: ... SonicWALL. Note: Related information to the topic. Copyright Notice: ©2007 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted cop...

Page 10: ...GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose. DISCLAIMER OF LIABILITY: SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS...

Page 11: ...sion before installing Global VPN Client 4.0. Using the Setup Wizard: The following steps explain how to install the SonicWALL Global VPN Client program using the Setup Wizard. You use the Setup Wizard for a new Global VPN Client installation or for upgrading a previous version of the SonicWALL Global VPN Client. If you're upgrading your Global VPN Client software, the Setup Wizard doesn't display all the...

Page 12: ...ick Next. 5. Select I accept the terms of the license agreement. Click Next. 6. Click Next to accept the default location and continue installation, or click Browse to specify a different location. 7. Click Install. The Setup Wizard installs the Global VPN Client files on your computer. After the Setup Wizard installs the Global VPN Client, the Setup Complete page is displayed...

Page 13: ...ns are automatically created. Note: Creating a default.rcf file and distributing it with the Global VPN Client software allows the SonicWALL VPN Gateway administrator to streamline VPN client deployment and allow users to quickly establish VPN connections. When the Global VPN Client software is installed, the VPN policy created by the SonicWALL VPN Gateway administrator is automatically created. For mo...

Page 14: ...iguring the Global VPN Client for Remote Access, make sure you have the IP address or FQDN (gateway.yourcompany.com) of the remote SonicWALL VPN gateway and an active Internet connection before using the New Connection Wizard. Office Gateway: You choose this scenario if you want secure access to a local SonicWALL Secure Wireless appliance network. When you create an Office Gateway VPN connection, it appe...

Page 15: ...ario to view a diagram of each type of VPN connection. Clicking on the Remote Access View Scenario link displays the diagram for this type of VPN connection. Clicking on the Office Gateway View Scenario link displays the diagram for this type of VPN connection. 4. Select Remote Access or Office Gateway, and then click Next...

Page 16: ... shortcut to this connection on the desktop if you want to create a shortcut icon on your desktop for this VPN connection. 8. Click Finish. The new VPN connection policy appears in the SonicWALL Global VPN Client window. Note: You can change the default name by right-clicking the Office Gateway entry and selecting Properties from the menu. In the General tab of the Properties dialog box, enter the new na...

Page 17: ...working or your third-party dial-up application before configuring your dial-up VPN connection policy. 1. Create a VPN connection policy using the New Connection Wizard, or use an existing VPN connection policy. 2. Right-click the VPN connection policy and select Properties from the menu. The Properties dialog box is displayed. 3. Click the Peers tab. 4. Click Edit. The Peer Information dialog box is display...

Page 18: ...t. Alert: Exiting the SonicWALL Global VPN Client from the system tray icon menu disables any active VPN connections. Tip: You can change the default launch setting for SonicWALL Global VPN Client; see Specifying Global VPN Client Launch Options on page 23 for more information. Tip: You can create a shortcut to automatically launch the SonicWALL Global VPN Client window and make the VPN connection from t...

Page 19: ...PN connection Properties dialog box. See Peers on page 26 for more information. Note: When configuring redundant VPN gateways, the Group VPN policy attributes, such as pre-shared keys, and the attributes on the Peer Information window must be the same for every gateway. Enabling a VPN Connection: Enabling a VPN connection with the SonicWALL Global VPN Client is a transparent two-phase process. Phase 1 enab...

Page 20: ...le. If the Global VPN Client icon is displayed in the system tray, right-click the icon and then select Enable > connection policy name. The Global VPN Client enables the VPN connection without opening the SonicWALL Global VPN Client window. 2. Depending on how the VPN connection policy is configured, the Cannot Enable Connection, Enter Pre-Shared Secret, Enter Username and Password, and Connection Warning d...

Page 21: ...red key. The pre-shared key you enter appears unmasked in the Pre-shared Key field, so enter it where the screen cannot be observed. 3. Click OK. Selecting a Certificate: If the SonicWALL VPN Gateway requires a digital certificate to establish your identity for the VPN connection, the Select Certificate dialog box appears. This dialog box lists all the available certificates installed on your Global VPN Client. Select the certificate from the menu, then...

Page 22: ...s don't show this dialog box again. Click Yes to continue with establishing your VPN connection. Disabling a VPN Connection: Disabling a VPN connection terminates the VPN tunnel. You can disable a VPN connection using any of the following methods: Right-click the SonicWALL Global VPN Client icon on the system tray and choose Disable > connection policy. Right-click the VPN connection policy in the SonicWA...

Page 23: ...ight-clicking on the VPN connection policy, then selecting Status from the pop-up menu. Selecting the VPN connection policy, then pressing Ctrl+T. Selecting the VPN connection policy, then clicking the Status button on the toolbar. Tip: For more information on the Status page, see Status on page 28. Creating a VPN Policy Shortcut: To streamline enabling a VPN connection, you can place a VPN connection policy on th...

Page 24: ...sing. The three options include: Minimize the window, restore it from the task bar: Minimizes the window to the taskbar and restores it from the taskbar. Hide the window, re-open it from the tray icon: The default setting, which hides the SonicWALL Global VPN Client window when you close it. You can open the Global VPN Client from the program icon in the system tray. Enabling this setting also displays the Show...

Page 25: ...Global VPN Client and the SonicWALL gateway. Managing VPN Connection Policy Properties: The Connection Properties dialog box includes the controls for configuring a specific VPN connection profile. To open the Connection Properties dialog box, choose one of the following methods: Select the connection policy and choose File > Properties. Right-click the connection policy and select Properties. Select the c...

Page 26: ...ervention. If the connection error is due to an incorrect configuration, such as the DNS name or IP address of the peer gateway, then the connection must be manually corrected. Check the Log Viewer to determine the problem and then edit the connection. This option is enabled by default. If an error occurs with this option disabled during an attempted connection, the Global VPN Client logs the error, displays a...

Page 27: ...click Edit. In the Peer Information dialog box, make your changes, then click OK. To delete a peer entry, select the peer entry and click Remove. Peer Information Dialog Box: The Peer Information dialog box allows you to add or edit peer information. Note: When configuring redundant VPN gateways, the Group VPN policy attributes, such as pre-shared keys, and the attributes on the Peer Information window must b...

Page 28: ...y: Defaults to the LAN interface only. Dial-Up Only: Defaults to the Dial-Up interface only. LAN Settings: Displays the LAN Settings dialog box for specifying the setting used when this connection is enabled over the LAN. Type the IP address in the Next Hop IP Address field to specify the IP address of a different route than the default route. Leaving the setting as zeros instructs the Global VPN Client to u...

Page 29: ...ys the Connection Status Details dialog box, which specifies the negotiated phase 1 and phase 2 parameters as well as the status of all individual phase 2 SAs. Activity: Packets: Displays the number of packets sent and received through the VPN tunnel. Bytes: Displays the number of bytes sent and received through the VPN tunnel. Reset: Resets the status information. Virtual IP Configuration: IP Address: The IP address assign...

Page 30: ... IP address. Status: Sorts connection policies by connection status. Ascending: Sorts Name, Gateway or Status arrangements in ascending order. If unchecked, policy arrangements are sorted in descending order. The default arrangement is by Name in ascending order. Renaming a Connection Policy: To rename a connection policy, select the policy and click on the Rename button on the toolbar or choose File > Rename...

Page 31: ...l certificates used to validate the user certificates. Click on the certificate in the left pane to display the certificate information in the right pane. Click the Import button on the toolbar, press Ctrl+I, or choose File > Import Certificate from the menu to display the Import Certificate window and import a certificate file. Click the Delete button on the toolbar, press Del, or choose File > Delete Certificate...

Page 32: ...es the following features to help you manage log messages: To save a current log to a .txt file, click the Save button on the toolbar, press Ctrl+S, or choose File > Save. When you save a Log Viewer file, the Global VPN Client automatically adds a report containing useful information regarding the condition of the SonicWALL Global VPN Client as well as the system it's running on. To enable or disable messag...

Page 33: ...tion packets. Log NAT keep-alive packets: Enables the logging of NAT keep-alive packets. Enable automatic logging of messages to file: Enables automatic logging of messages to a file as specified in the Auto Logging window. Settings: Clicking on Settings displays the Auto Logging window. Configuring Auto Logging: Clicking on Settings displays the Auto Logging window for specifying settings for auto loggin...

Page 34: ...port. Choosing Help > Generate Report in the SonicWALL Global VPN Client window displays the SonicWALL Global VPN Client Report dialog box. Generate Report creates a report containing useful information for getting help in solving any problems you may be experiencing. The report contains information regarding the condition of the SonicWALL Global VPN Client as well as the system it's running on. Informa...

Page 35: ... to confirm the removal of the SonicWALL Global VPN Client. 5. Choose Delete all individual user profiles if you want to delete all your existing VPN connection profiles. If you leave this setting unchecked, the VPN connection profiles are saved and appear again when you install the SonicWALL Global VPN Client at another time. 6. Choose Retain MAC Address if you want to retain the same SonicWALL VPN Adap...

Page 36: ...om SonicWALL, your reseller, or online at mysonicwall.com. For more information on purchasing the Global VPN Client, visit http://www.sonicwall.com/products/vpnglobal.html. Table 1: Global VPN Client License Support by SonicWALL Model (SonicWALL Model / Global VPN Clients). TELE3, TELE3 TZ, TELE3 TZX, TELE3 SP, SOHO3: Requires Global VPN Client License. PRO 100: Includes 1 Global VPN Client License; Additional License...

Page 37: ...ce, record the Serial Number of the SonicWALL product. Your license activation is now complete. Downloading Global VPN Client Software and Documentation: 1. In the My Products page, click the name of your SonicWALL on which the Global VPN Client license is activated. 2. Select Software Download. If this service is not already activated, click on Agree to activate it. 3. Download the SonicWALL Global VPN Clien...

Page 38: ...computer. You may install and use one copy of the SOFTWARE PRODUCT, or any prior version for the same operating system, on a single computer. You may also store or install a copy of the SOFTWARE PRODUCT on a storage device, such as a network server, used only to install or run the SOFTWARE PRODUCT on your other computers over an internal network; however, you must acquire and dedicate a license for each s...

Page 39: ...se a product identified by SonicWALL as being eligible for the upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the upgrade. You may use the resulting upgraded product only in accordance with the terms of this SLA. If the SOFTWARE PRODUCT is an upgrade of a component of a packa...

Page 40: ...imited to ninety (90) days. Some states and jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you. CUSTOMER REMEDIES: SonicWALL's and its suppliers' entire liability and your exclusive remedy shall be, at SonicWALL's option, either (a) return of the price paid, or (b) repair or replacement of the SOFTWARE PRODUCT that does not meet SonicWALL's Li...

Page 41: ...t.rcf file allows the SonicWALL VPN Gateway administrator to create and distribute preconfigured VPN connections for SonicWALL Global VPN Clients. The SonicWALL VPN Gateway administrator can distribute the default.rcf file with the Global VPN Client software to automatically create preconfigured VPN connections for streamlined deployment. The VPN connections created from the default.rcf file appear...

Page 42: ...unches the Global VPN Client, the SonicWALL Global VPN Client.rcf file is created in the C:\Documents and Settings\<user>\Application Data\SonicWALL\SonicWALL Global VPN Client directory, based on the default.rcf file settings. Replace the Existing SonicWALL Global VPN Client.rcf File: If the Global VPN Client is installed with VPN connections, the user can remove the SonicWALL Global VPN Client.rcf file...

Page 43: ...ection that appears in the Global VPN Client window. <Description>description text</Description>: Provides a description for each connection profile that appears when the user moves the mouse pointer over the VPN policy in the Global VPN Client window. The maximum number of characters for the Description tag is 1023. <Flags> <AutoConnect>Off = 0, On = 1</AutoConnect>: Enables this connection when the program is launche...

Page 44: ...ersal even without a NAT device in the middle. Normally, NAT devices in the middle are automatically detected and UDP encapsulation of IPSEC traffic starts after IKE negotiation is complete. <NextHop>IP Address</NextHop>: The IP address of the next hop for this connection. This is ONLY used if there is a need to use a next hop that is different from the default gateway. <Timeout>3</Timeout>: Defines the timeout va...

Page 45: ...ile. The following is an example of a default.rcf file. This file includes two VPN connections: Corporate Firewall and Office Gateway. The Corporate Firewall connection configuration includes two peer entries for redundant VPN connectivity. Alert: If you attempt to directly copy this sample file to an ASCII text editor, you may have to remove all of the paragraph marks at the end of each line before savi...

Page 46: ...etection> <ForceNATTraversal>0</ForceNATTraversal> <DisableNATTraversal>0</DisableNATTraversal> <NextHop>0.0.0.0</NextHop> <Timeout>3</Timeout> <Retries>3</Retries> <UseDefaultGWAsPeerIP>0</UseDefaultGWAsPeerIP> <InterfaceSelection>0</InterfaceSelection> <WaitForSourceIP>0</WaitForSourceIP> <DialupUseMicrosoftDUN>1</DialupUseMicrosoftDUN> <DialupApp>c:\program files\aol\aol.exe</DialupApp> <DialupPhonebook>text</DialupPhonebook> Di...

Page 47: ...</DisableNATTraversal> <NextHop>0.0.0.0</NextHop> <Timeout>3</Timeout> <Retries>3</Retries> <UseDefaultGWAsPeerIP>1</UseDefaultGWAsPeerIP> <InterfaceSelection>0</InterfaceSelection> <WaitForSourceIP>0</WaitForSourceIP> <DialupUseMicrosoftDUN>1</DialupUseMicrosoftDUN> <DialupApp>c:\program files\aol\aol.exe</DialupApp> <DialupPhonebook>text</DialupPhonebook> <DialupLeaveConnected>0</DialupLeaveConnected> <DPDInterval>5</DPDInterval>...

Page 48: ...his response file in a normal installation, copy it into the default install location (normally Disk1, or the same folder as Setup.ins). Table 2: Troubleshooting the default.rcf File (Issue / Solution). If there are any incorrect entries or typos in your default.rcf file, the settings in the default.rcf file will not be incorporated into the Global VPN Client and no connection profiles will appear in the Glob...
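Table 2 makes the failure mode of a bad default.rcf all-or-nothing: one typo and the client loads no profiles, with nothing in the GUI to say why. The following validator is an added example (not SonicWALL code) that checks a default.rcf-style file before it is packaged with the installer, using the tag names and limits the guide's sample and Appendix A text show (Flags/AutoConnect, ForceNATTraversal, DisableNATTraversal, NextHop, Timeout, Retries, DPDInterval, the 1023-character Description limit) and the rule from the Peers pages that redundant gateways must share every attribute except the gateway itself. The <SonicWALL>/<Connections> wrapper, the <Peers>/<Peer>/<HostName> layout and the <PeerOption> child are assumptions made for the example; compare them against an rcf exported from a working client before relying on the checks.

```python
"""Pre-deployment validator for a Global VPN Client default.rcf-style file.

Added example, not SonicWALL code. Tag names under <Connection> are the ones
the guide's sample shows. The <SonicWALL>/<Connections> wrapper, the
<Peers>/<Peer>/<HostName> layout and <PeerOption> are ASSUMED here.
"""
import ipaddress
import xml.etree.ElementTree as ET

FLAG_TAGS = ("AutoConnect", "ForceNATTraversal", "DisableNATTraversal")
INT_TAGS = {"Timeout": 1, "Retries": 0, "DPDInterval": 0}  # tag -> minimum value
MAX_DESCRIPTION = 1023  # limit the guide states for the Description tag

# Constructed sample. "Corporate Firewall" is clean and has two redundant
# peers; "Office Gateway" carries the kind of typos that make GVC load nothing.
# <PeerOption> stands in for whatever per-peer attributes your file carries.
SAMPLE_RCF = """<?xml version="1.0"?>
<SonicWALL>
  <Connections>
    <Connection>
      <name>Corporate Firewall</name>
      <Description>Corporate HQ, redundant gateways</Description>
      <Flags>
        <AutoConnect>0</AutoConnect>
        <ForceNATTraversal>0</ForceNATTraversal>
        <DisableNATTraversal>0</DisableNATTraversal>
      </Flags>
      <NextHop>0.0.0.0</NextHop>
      <Timeout>3</Timeout>
      <Retries>3</Retries>
      <DPDInterval>5</DPDInterval>
      <Peers>
        <Peer><HostName>gw1.example.com</HostName><PeerOption>1</PeerOption></Peer>
        <Peer><HostName>gw2.example.com</HostName><PeerOption>1</PeerOption></Peer>
      </Peers>
    </Connection>
    <Connection>
      <name>Office Gateway</name>
      <Description>Deliberately broken</Description>
      <Flags>
        <AutoConnect>yes</AutoConnect>
        <ForceNATTraversal>1</ForceNATTraversal>
        <DisableNATTraversal>1</DisableNATTraversal>
      </Flags>
      <NextHop>10.0.0.256</NextHop>
      <Timeout>0</Timeout>
      <Retries>3</Retries>
      <DPDInterval>5</DPDInterval>
      <Peers>
        <Peer><HostName>gw.example.net</HostName><PeerOption>1</PeerOption></Peer>
        <Peer><HostName>gw-backup.example.net</HostName><PeerOption>0</PeerOption></Peer>
      </Peers>
    </Connection>
  </Connections>
</SonicWALL>
"""


def _text(elem, tag):
    """Stripped text of the first child <tag>, or None if absent/empty."""
    child = elem.find(tag)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def validate_rcf(xml_text):
    """Return a list of (connection name, problem) tuples; empty means clean."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # One mistyped tag is enough: GVC then imports no connection profiles at all.
        return [("<file>", "not well-formed XML: %s" % exc)]

    for conn in root.iter("Connection"):
        name = _text(conn, "name") or "<unnamed>"
        if name == "<unnamed>":
            problems.append((name, "missing <name>"))
        if len(_text(conn, "Description") or "") > MAX_DESCRIPTION:
            problems.append((name, "Description longer than %d characters" % MAX_DESCRIPTION))

        flags = conn.find("Flags")
        flag_values = {t: (None if flags is None else _text(flags, t)) for t in FLAG_TAGS}
        for tag, val in flag_values.items():
            if val not in ("0", "1"):
                problems.append((name, "Flags/%s must be 0 or 1, got %r" % (tag, val)))
        if flag_values["ForceNATTraversal"] == "1" and flag_values["DisableNATTraversal"] == "1":
            problems.append((name, "ForceNATTraversal and DisableNATTraversal are both set"))

        for tag, minimum in INT_TAGS.items():
            val = _text(conn, tag)
            if val is None or not val.isdigit() or int(val) < minimum:
                problems.append((name, "%s must be an integer >= %d, got %r" % (tag, minimum, val)))

        next_hop = _text(conn, "NextHop")
        try:
            ipaddress.IPv4Address(next_hop)  # 0.0.0.0 means "use the default route"
        except ValueError:
            problems.append((name, "NextHop is not an IPv4 address: %r" % next_hop))

        peers = conn.findall("Peers/Peer")
        if not peers:
            problems.append((name, "no <Peer> entries"))
        # Redundant gateways must share every peer attribute except the host itself.
        shapes = set()
        for peer in peers:
            if not _text(peer, "HostName"):
                problems.append((name, "peer entry without <HostName>"))
            shapes.add(tuple(sorted((c.tag, (c.text or "").strip())
                                    for c in peer if c.tag != "HostName")))
        if len(shapes) > 1:
            problems.append((name, "redundant peers differ in attributes other than HostName"))
    return problems


if __name__ == "__main__":
    for conn_name, problem in validate_rcf(SAMPLE_RCF) or [("all", "no problems found")]:
        print("%s: %s" % (conn_name, problem))
```

Run it against the file you intend to ship, not the one already on a test machine: once the client has created its own SonicWALL Global VPN Client.rcf, the default.rcf is no longer consulted, so a broken default.rcf only shows up on fresh installs.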

Page 49: ...g to Check for Errors: Setup.log is the default name for the silent installation log file, and its default location is Disk1, in the same folder as Setup.ins. You can specify a different name and location for the setup log file using the /f2 command-line parameter: Setup.exe /s /f2"path\LogFile". The Setup.log file contains three sections. The first section, [InstallShield Silent], identifies the version of Inst...
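A silent Setup.exe /s run gives an imaging or deployment script nothing useful in its exit status; the ResultCode written to Setup.log is the signal to gate on. The following parser is an added example (not SonicWALL's or InstallShield's code) that reads a Setup.log and turns the code into a pass/fail decision. The sample logs are constructed, and the code-to-meaning table is the standard InstallShield silent-install result code list, which this guide does not reproduce.

```python
"""Read an InstallShield Setup.log and decide whether a silent install succeeded.

Added example, not SonicWALL's or InstallShield's own code.
"""
import configparser

# Standard InstallShield silent-install result codes (InstallShield convention,
# not taken from this guide).
RESULT_CODES = {
    0: "Success",
    -1: "General error",
    -2: "Invalid mode",
    -3: "Required data not found in the Setup.iss file",
    -4: "Not enough memory available",
    -5: "File does not exist",
    -6: "Cannot write to the response file",
    -7: "Unable to write to the log file",
    -8: "Invalid path to the InstallShield Silent response file",
    -9: "Not a valid list type (string or number)",
    -10: "Data type is invalid",
    -11: "Unknown error during setup",
    -12: "Dialogs are out of order",
    -51: "Cannot create the specified folder",
    -52: "Cannot access the specified file or folder",
    -53: "Invalid option selected",
}

# Constructed sample logs: one success and one typical failure (-3 is what
# you get when the recorded Setup.iss no longer matches the installer dialogs).
SETUP_LOG_OK = """[InstallShield Silent]
Version=v7.00
File=Log File
[ResponseResult]
ResultCode=0
[Application]
Name=SonicWALL Global VPN Client
Version=4.0
Company=SonicWALL
Lang=0009
"""
SETUP_LOG_BAD = SETUP_LOG_OK.replace("ResultCode=0", "ResultCode=-3")


def parse_setup_log(text):
    """Return (ok, code, meaning, application name) for a Setup.log body.

    ok is False for any code other than 0 and for a log that cannot be parsed:
    a missing [ResponseResult] section usually means Setup.exe never got far
    enough to write one, which is a failure too.
    """
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        code = cp.getint("ResponseResult", "ResultCode")
    except (configparser.Error, ValueError):
        return (False, None, "Setup.log unreadable or has no ResponseResult section", None)
    app = cp.get("Application", "Name", fallback=None)
    return (code == 0, code, RESULT_CODES.get(code, "Unrecognised result code"), app)


if __name__ == "__main__":
    for label, body in (("ok", SETUP_LOG_OK), ("bad", SETUP_LOG_BAD)):
        ok, code, meaning, app = parse_setup_log(body)
        print("%s: ok=%s code=%s (%s) app=%s" % (label, ok, code, meaning, app))
```

Pair this with the Setup.exe invocation: run the installer with /f2 pointing at a known path, then feed that file to parse_setup_log and abort the image or deployment step on anything but (True, 0, ...).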

Page 50: ...the program. Ignored if the program is not already running. /A <filename>: Starts the program and sends all messages to the specified log file. If no log file is specified, the default file name is gvcauto.log. If the program is already running, this option is ignored. /U <Username>: Username to pass to XAUTH. Must be used in conjunction with /E. /P <Password>: Password to pass to XAUTH. Must be used in conjunction with /E. A password given on the command line is visible to other local users in the process list and persists in any shortcut or script that contains it, so prefer letting the client prompt for it. /C...

Page 51: ... you receive the same MAC address for the SonicWALL VPN Adapter, resulting in network conflicts. Appendix E: Log Viewer Messages. The following table lists the Info, Error and Warning messages that can appear in the Global VPN Client Log Viewer. Table 3: Log Viewer Messages. ERROR: Invalid DOI in notify message; ERROR: called with invalid parameters; ERROR: A phase 2 IV has already been created; ERROR: An error...

Page 52: ...led to add OAKLEY encryption algorithm into the payload; ERROR: Failed to add OAKLEY generator G1 into the payload; ERROR: Failed to add OAKLEY group description into the payload; ERROR: Failed to add OAKLEY group type into the payload; ERROR: Failed to add OAKLEY hash algorithm into the payload; ERROR: Failed to add OAKLEY life duration into the payload; ERROR: Failed to add OAKLEY life type into the payload...

Page 53: ...truct hash payload; ERROR: Failed to construct IPSEC nonce payload; ERROR: Failed to construct IPSEC SA payload; ERROR: Failed to construct ISAKMP blank hash payload; ERROR: Failed to construct ISAKMP delete hash payload; ERROR: Failed to construct ISAKMP DPD notify payload; ERROR: Failed to construct ISAKMP ID payload; ERROR: Failed to construct ISAKMP info hash payload; ERROR: Failed to construct ISAKMP key exc...

Page 54: ...d to decrypt packet; ERROR: Failed to decrypt quick mode payload; ERROR: Failed to encrypt mode config payload; ERROR: Failed to encrypt notify payload; ERROR: Failed to encrypt packet; ERROR: Failed to encrypt quick mode payload; ERROR: Failed to expand packet to size bytes; ERROR: Failed to find an SA list for PROTO_IPSEC_AH; ERROR: Failed to find an SA list for PROTO_IPSEC_ESP; ERROR: Failed to find an SA list g...

Page 55: ...system interface table; ERROR: Failed to get the system IP address table; ERROR: Failed to get transforms from SA list; ERROR: Failed to match initiator cookie; ERROR: Failed to match responder cookie; ERROR: Failed to parse certificate data; ERROR: Failed to parse configuration file; ERROR: Failed to read the size of an incoming ISAKMP packet; ERROR: Failed to re-allocate bytes; ERROR: Failed to receive an incomin...

Page 56: ... not correct; ERROR: Invalid certificate payload, length is too small; ERROR: Invalid hash payload; ERROR: Invalid payload. Possible overrun attack; ERROR: Invalid SA state; ERROR: Invalid signature payload; ERROR: Invalid SPI size; ERROR: is not a supported Diffie-Hellman group type; ERROR: is not a supported DOI; ERROR: is not a supported exchange type; ERROR: is not a supported ID payload type; ERROR: is not a support...

Page 57: ...lid; ERROR: SA hash function has not been set in; ERROR: Signature Algorithm mismatch in X.509 certificate; ERROR: Signature verification failed; ERROR: The certificate is not valid at this time; ERROR: The current state is not valid for processing mode config payload; ERROR: The current state is not valid for processing signature payload; ERROR: The first payload is not a hash payload; ERROR: The following error...

Page 58: ...tered for; INFO: Failed to negotiate configuration information with; INFO: Found CA certificate in CA certificate list; INFO: Ignoring unsupported payload; INFO: Ignoring unsupported vendor ID; INFO: ISAKMP phase 1 proposal is not acceptable; INFO: ISAKMP phase 2 proposal is not acceptable; INFO: MM failed. Payload processing failed. OAK_MM_KEY_EXCH Peer; INFO: MM failed. Payload processing failed. OAK_MM_NO_STATE Pe...

Page 59: ...FO: Ready to negotiate phase 2 with; INFO: Received address notification notify; INFO: Received attributes not supported notify; INFO: Received authentication failed notify; INFO: Received bad syntax notify; INFO: Received certificate unavailable notify; INFO: Received dead peer detection acknowledgement; INFO: Received dead peer detection request; INFO: Received initial contact notify; INFO: Received invalid certif...

Page 60: ...provisioning OK; INFO: Received policy provisioning update; INFO: Received policy provisioning version reply; INFO: Received policy provisioning version request; INFO: Received responder lifetime notify; INFO: Received situation not supported notify; INFO: Received unequal payload length notify; INFO: Received unknown notify; INFO: Received unsupported DOI notify; INFO: Received unsupported exchange type notify; INF...

Page 61: ...hange; INFO: The configuration for the connection has been updated; INFO: The configuration for the connection is up to date; INFO: The configuration has been updated and must be reloaded; INFO: The connection has entered an unknown state; INFO: The connection is idle; INFO: The hard lifetime has expired for phase 1; INFO: The hard lifetime has expired for phase 2 with; INFO: The IP address for the virtual interf...

Page 62: ...AG_INIT_EXCH is invalid when responder. Peer; WARNING: AG failed. State OAK_AG_NO_STATE is invalid when initiator. Peer; WARNING: Failed to process aggressive mode packet; WARNING: Failed to process final quick mode packet; WARNING: Failed to process informational exchange packet; WARNING: Failed to process main mode packet; WARNING: Failed to process mode configuration packet; WARNING: Failed to process packet pa...

Page 63: ...s incorrect. Please re-enter the password; WARNING: The pre-shared key dialog box was cancelled by the user. The connection will be disabled; WARNING: The select certificate dialog box was cancelled by the user. The connection will be disabled; WARNING: The username/password dialog box was cancelled by the user. The connection will be disabled; WARNING: Unable to decrypt payload. Table 3: Log Viewer Messages...
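Table 3 lists what the Log Viewer can print but not what to do about it. The script below is an added example (not SonicWALL code) that triages a saved Log Viewer file: it counts messages by level, attaches a likely cause and a next check to the security-relevant ones from the table (the "Possible overrun attack" error, signature and certificate-validity failures, "authentication failed" notifies, unacceptable phase 1/2 proposals), and flags a burst of authentication failures from one peer, which looks the same in the client log whether it is a mistyped pre-shared key or someone guessing one. The log lines are constructed; the timestamp layout and the trailing "Peer <host>" / "with <host>" are assumptions, so adjust LINE_RE and PEER_RE to a log saved from your own client (File > Save) before use.

```python
"""Triage of SonicWALL Global VPN Client Log Viewer output.

Added example, not SonicWALL code. Message texts come from the Appendix E
table; the timestamp layout and the trailing 'Peer <host>' / 'with <host>'
suffixes are ASSUMED.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
                     r"(?P<level>INFO|WARNING|ERROR)\s+(?P<msg>.*)$")
PEER_RE = re.compile(r"(?:Peer|with)\s+(?P<peer>[\w.:-]+)\s*$")

# (distinctive substring of the Appendix E message, usual meaning, what to check)
RULES = [
    ("Possible overrun attack",
     "malformed IKE payload", "confirm the source is a known gateway; capture the packet"),
    ("Signature verification failed",
     "gateway certificate signature did not verify", "check the CA list in the Certificates window"),
    ("certificate is not valid at this time",
     "certificate outside its validity period", "check the client clock and certificate expiry"),
    ("Received authentication failed notify",
     "peer rejected our authentication", "pre-shared key, XAUTH credentials or IKE ID mismatch"),
    ("phase 1 proposal is not acceptable",
     "IKE policy mismatch", "align encryption, hash, DH group and lifetime with the Group VPN policy"),
    ("phase 2 proposal is not acceptable",
     "IPsec policy mismatch", "align ESP transforms and PFS with the Group VPN policy"),
    ("hard lifetime has expired",
     "normal SA expiry; a rekey should follow", None),
]

# Constructed sample log: a policy mismatch, three auth failures in 20 s, one
# malformed packet from an address that is not one of our gateways, and a rekey.
SAMPLE_LOG = """\
2007/08/07 10:15:01 INFO The connection is idle
2007/08/07 10:15:02 INFO ISAKMP phase 1 proposal is not acceptable Peer 203.0.113.10
2007/08/07 10:15:02 WARNING MM failed Payload processing failed OAK_MM_NO_STATE Peer 203.0.113.10
2007/08/07 10:15:10 INFO Received authentication failed notify with 203.0.113.10
2007/08/07 10:15:20 INFO Received authentication failed notify with 203.0.113.10
2007/08/07 10:15:30 INFO Received authentication failed notify with 203.0.113.10
2007/08/07 10:16:00 ERROR Invalid payload. Possible overrun attack Peer 198.51.100.7
2007/08/07 10:20:00 INFO The hard lifetime has expired for phase 2 with 203.0.113.10
"""


def triage(log_text, burst_threshold=3, burst_window_s=60):
    """Classify each line, explain the ones that matter, and flag bursts of
    authentication failures from a single peer within burst_window_s seconds."""
    levels = Counter()
    findings = []
    auth_times = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # report header, blank line, or a layout this regex does not know
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        level, msg = m.group("level"), m.group("msg")
        levels[level] += 1
        pm = PEER_RE.search(msg)
        peer = pm.group("peer") if pm else None
        for needle, meaning, action in RULES:
            if needle in msg:
                findings.append({"time": ts, "level": level, "peer": peer,
                                 "message": msg, "meaning": meaning, "action": action})
                if needle == "Received authentication failed notify" and peer:
                    auth_times[peer].append(ts)
                break
    bursts = {}
    for peer, times in auth_times.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= burst_window_s:
                bursts[peer] = len(times)
                break
    return {"levels": levels, "findings": findings, "auth_failure_bursts": bursts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(dict(result["levels"]))
    for f in result["findings"]:
        print(f["time"], f["level"], f["peer"], "->", f["meaning"], "|", f["action"])
    print("auth failure bursts:", result["auth_failure_bursts"])
```

The peer address is the part worth keeping: an "overrun attack" error or an auth-failure burst from an address that is not one of the gateways in the connection policy is a different conversation from the same message coming from your own gateway.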

Page 64: ...ns; Configuration 16; Digital Certificates 13; Disabling a VPN Connection 21; E: Enabling VPN Connections 18; G: Global Security Client 7; Global VPN Client Enterprise 7; I: Importing a VPN Policy 15; Installation 9; Setup Wizard 10; L: Launching Global VPN Client 17; Hide Window 17; Licensing 35; Log Viewer 31; Messages 50; M: Multiple VPN Connections 19; N: New Connection Wizard 13; Office Gateway 13; Remote Access 13...

Page 65: ... P/N: 232-000xxx-00 Rev A, 08/07. ©2007 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 07/07 SW 145. PROTECTION AT THE SPEED OF BUSINESS...

Page 66: ... P/N: 232-001144-00 Rev C, 10/07. ©2007 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. 07/07 SW 145. PROTECTION AT THE SPEED OF BUSINESS...
