
Configuring IPSecuritas with a Sonicwall Pro Series

By

Randy Grafton

May 16, 2012 04:05PM

This was a fun little project that had me scouring the web in an effort to find an alternative to the expensive VPN Tracker.

To start out, you need management/administrative privileges on the SonicWall. In my case, we use a Pro4060. Our Pro4060 is set up with three different networks: LAN, DMZ, and a secondary DMZ at our datacenter connected through a private link from our office. Just to let you know, the Windows-only Global VPN Client provided by SonicWall does allow the client to connect to any of the three networks. I was unsuccessful in trying to get IPSecuritas to do NAT Traversal; I could only get a connection to our primary LAN.

Referencing settings already in place on our Pro4060, I got started configuring IPSecuritas. The following steps are all made in IPSecuritas.

  1. Create a new connection. Easy!
  2. On the General tab:
    Remote IPSec Device: Enter the public IP address assigned to the WAN port of your Pro series.
    Local Side Endpoint Mode: Set to Host.
    Remote Side Endpoint Mode: Set to Network. Set the Network Address to the LAN network ID, e.g. 10.1.0.0 for a class B sized network, which then requires the Network Mask (CIDR) to be set to 16 (i.e. 10.1.0.0/16).
  3. The Phase 1 tab:
    Lifetime: 28800 seconds (this matches my Pro4060 setting)
    DH Group: 1024 (2), i.e. the 1024-bit MODP group 2 (again matching the Pro4060)
    Encryption: 3DES (matching the Pro4060)
    Authentication: SHA-1 (Pro4060 match)
    Exchange Mode: Aggressive
    Proposal Check: Claim
    Nonce Size: 16
  4. The Phase 2 tab:
    Lifetime: 86400 seconds (Pro4060 match)
    PFS Group: 1024 (2) (Pro4060 match)
    Encryption: 3DES (I am only using the one; Pro4060 match)
    Authentication: HMAC SHA-1 (only using one, you could use more; Pro4060 match)
  5. The ID tab:
    Local Identifier: Address
    Remote Identifier: Key ID (enter your unique firewall ID here; you can find it under VPN -> Settings -> Unique Firewall Identifier in the Pro series management tool)
    Authentication Method: XAuth PSK (we are configured for user accounts, with each account configured for different types/areas of access)
    Preshared Key: Speaks for itself
    Username & Store Password: left blank; I let the IPSecuritas client prompt me for these when I connect.
  6. The DNS tab:
    I have opted to enable DNS servers to take advantage of the convenience of short host names. With that in mind, I put in the LAN domain name, and the Name Server Address contains the IP address of my LAN DNS server that is authoritative for that local domain.
  7. The Options tab:
    I have these boxes/options checked: IPSec DOI, Generate Policy, SIT_IDENTITY_ONLY, Request Certificate, Initial Contact, Send Certificate, Unique SAs, IKE Fragmentation.
    NAT-T: Disabled. When I had this enabled I could not connect. Bummer.
    Action after connection timeout: Give Up
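As an added example (not part of the original post, and not the file IPSecuritas itself writes out), here is the racoon.conf that the tabs above correspond to. IPSecuritas is a front end for racoon from ipsec-tools, so each GUI setting maps to a directive. The peer address 203.0.113.1, the local address 198.51.100.7, the XAuth username jdoe and the file paths are placeholders; the `peers_identifier keyid file` form is an assumption to check against racoon.conf(5) for the racoon build you are running.

```conf
# Added example: racoon.conf equivalent of the IPSecuritas settings above.
# All addresses, paths and the username are placeholders.

# psk.txt holds two lines: "203.0.113.1 <preshared-key>" for the Phase 1 PSK
# and "jdoe <password>" for the XAuth login (racoon looks both up here).
path pre_shared_key "/etc/racoon/psk.txt";

remote 203.0.113.1 {                       # Remote IPSec Device: WAN IP of the Pro series
    exchange_mode aggressive;              # Exchange Mode: Aggressive
    my_identifier address;                 # Local Identifier: Address
    # Remote Identifier: Key ID. The file contains the firewall's
    # "Unique Firewall Identifier" (VPN -> Settings). Syntax is an assumption.
    peers_identifier keyid file "/etc/racoon/sonicwall-id";
    verify_identifier on;                  # reject a peer whose ID does not match
    proposal_check claim;                  # Proposal Check: Claim
    nonce_size 16;                         # Nonce Size: 16
    initial_contact on;                    # Options: Initial Contact
    generate_policy on;                    # Options: Generate Policy (responder side only)
    ike_frag on;                           # Options: IKE Fragmentation
    nat_traversal off;                     # NAT-T: Disabled
    lifetime time 28800 sec;               # Phase 1 Lifetime
    xauth_login "jdoe";                    # XAuth username; password comes from psk.txt
    proposal {
        encryption_algorithm 3des;                 # Encryption: 3DES
        hash_algorithm sha1;                       # Authentication: SHA-1
        authentication_method xauth_psk_client;    # Authentication Method: XAuth PSK
        dh_group 2;                                # DH Group: 1024 (2)
    }
}

# Phase 2: this host (Local Side Endpoint Mode: Host) to the LAN behind the
# firewall (Remote Side Endpoint Mode: Network, 10.1.0.0/16).
sainfo address 198.51.100.7/32 any address 10.1.0.0/16 any {
    pfs_group 2;                           # PFS Group: 1024 (2)
    lifetime time 86400 sec;               # Phase 2 Lifetime
    encryption_algorithm 3des;             # Encryption: 3DES
    authentication_algorithm hmac_sha1;    # Authentication: HMAC SHA-1
}
```

racoon only negotiates when a security policy (installed with `setkey spdadd`) matches traffic destined for 10.1.0.0/16; IPSecuritas installs that policy when you press Connect, which is why nothing happens if the Remote Side network is wrong. Two caveats that apply to any IKEv1 client: with aggressive mode and a pre-shared key, a passive observer can capture the responder's hash and attack the PSK offline, so the key must be long and random; and 3DES, SHA-1 and the 1024-bit DH group 2 are the weakest choices on these tabs, so if the firewall's policy also offers AES, SHA-256 and DH group 14, match those instead.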

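The NAT-T and "only the primary LAN" problems above are easiest to diagnose by looking at what actually got installed in the kernel after Connect. As an added example (not from the original post), this POSIX sh function reads `setkey -D` output and reports whether a mature ESP tunnel SA exists in each direction to the firewall; the addresses 203.0.113.1 (firewall WAN) and 198.51.100.7 (this Mac) are placeholders, and the SAD listing embedded below is constructed, not captured from a real system.

```shell
# Added example: check that racoon installed both directions of the Phase 2
# SA to the SonicWall.  Usage on the Mac after connecting:
#   sudo setkey -D | sa_state 203.0.113.1 198.51.100.7
# Prints "up" when a mature ESP tunnel SA exists both ways, "down" otherwise.
# Addresses are placeholders.

# sa_state PEER LOCAL   (reads `setkey -D` output on stdin)
sa_state() {
    awk -v peer="$1" -v me="$2" '
        # Each SA record opens with an unindented "src dst" line.
        NF == 2 && $1 ~ /^[0-9.]+$/ && $2 ~ /^[0-9.]+$/ {
            src = $1; dst = $2; tunnel = 0; next
        }
        # The next line is "esp mode=tunnel ..."; ignore AH or transport-mode SAs.
        $1 == "esp" { tunnel = ($2 == "mode=tunnel"); next }
        # state=mature means racoon finished negotiating and installed the SA.
        tunnel && /state=mature/ {
            if (src == me && dst == peer) outbound = 1
            if (src == peer && dst == me) inbound = 1
        }
        END { if (outbound && inbound) print "up"; else print "down" }
    '
}

# Constructed sample of `setkey -D` output with both directions installed.
sample_sad_up() {
cat <<'EOF'
198.51.100.7 203.0.113.1
	esp mode=tunnel spi=2364081(0x00241231) reqid=16385(0x00004001)
	E: 3des-cbc  0a1b2c3d 4e5f6071 8293a4b5 c6d7e8f9 0a1b2c3d 4e5f6071
	A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.1 198.51.100.7
	esp mode=tunnel spi=3843122897(0xe5123ad1) reqid=16385(0x00004001)
	E: 3des-cbc  f9e8d7c6 b5a49382 7160f5e4 3d2c1b0a f9e8d7c6 b5a49382
	A: hmac-sha1  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
EOF
}

# Constructed sample with only the outbound SA, i.e. a half-established tunnel
# (the symptom when the peer never answers the Phase 2 exchange).
sample_sad_half() {
    sample_sad_up | head -n 5
}
```

If this reports "down" while IPSecuritas says it is connected, compare `setkey -DP` (the policies) against the Remote Side network on the General tab: a policy for the wrong subnet is the usual reason traffic to a second network such as a DMZ never triggers a negotiation.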
I hope that helps all of you looking for a great solution to the OS X VPN problem.
