User Guide

SonicWALL VPN Page 121
check box for each Security Association in your SonicWALL. Traffic can travel from a branch
office to a branch office via the corporate office.
Route all internet traffic through this SA
Selecting this box allows a network administrator to force all WAN-destined traffic to go
through a VPN tunnel to a central site. Outgoing packets are checked against the remote
network definitions for all Security Associations (SAs). If a match is detected, the packet is
routed to the matching SA. If no match is detected, the SonicWALL checks for the presence
of an SA with this option enabled. If such an SA is detected, the packet is sent using that
SA. If there is no SA with this option enabled, and if the destination does not match any
other SA, the packet goes unencrypted to the WAN.
Note: Only one SA can have this check box enabled.
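The selection order described above, written out in Python as an added illustration (this is not code from the guide or from SonicWALL; the class, SA names and networks are constructed for the example):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of an SA: only the two fields the guide's decision uses.
@dataclass
class SecurityAssociation:
    name: str
    remote_networks: List[str]            # destination networks reachable via this SA
    route_all_wan_traffic: bool = False   # "Route all internet traffic through this SA"

def validate_sas(sas: List[SecurityAssociation]) -> None:
    """The guide's note: only one SA may have the route-all option enabled."""
    flagged = [sa.name for sa in sas if sa.route_all_wan_traffic]
    if len(flagged) > 1:
        raise ValueError(f"route-all enabled on more than one SA: {flagged}")

def select_sa(dst_ip: str, sas: List[SecurityAssociation]) -> Optional[str]:
    """Return the name of the SA a WAN-destined packet is sent through, or None
    when it leaves unencrypted.
    Step 1: match the destination against every SA's remote networks.
    Step 2: otherwise fall back to the SA with route-all enabled, if any."""
    validate_sas(sas)
    dst = ip_address(dst_ip)
    for sa in sas:
        if any(dst in ip_network(net) for net in sa.remote_networks):
            return sa.name
    for sa in sas:
        if sa.route_all_wan_traffic:
            return sa.name
    return None   # no remote-network match and no route-all SA: plaintext to WAN

# Constructed sample: two branch SAs, plus the corporate SA that forces all
# other Internet-bound traffic through the central site.
SAS = [
    SecurityAssociation("branch-a", ["10.1.0.0/16"]),
    SecurityAssociation("branch-b", ["10.2.0.0/16"]),
    SecurityAssociation("corporate", ["10.0.0.0/16"], route_all_wan_traffic=True),
]

if __name__ == "__main__":
    for ip in ("10.2.5.7", "198.51.100.20"):
        print(ip, "->", select_sa(ip, SAS) or "unencrypted to WAN")
```

Removing the route-all flag from the corporate SA makes the second address fall through to the unencrypted case, which is the situation the last sentence of the text warns about.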
Enable Perfect Forward Secrecy
The Enable Perfect Forward Secrecy check box increases the renegotiation time of the
VPN tunnel. By enabling Perfect Forward Secrecy, a hacker using brute force to break
encryption keys is not able to obtain other or future IPSec keys. During the phase 2
renegotiation between two SonicWALL appliances or a Group VPN SA, an additional Diffie-
Hellman key exchange is performed. Enable Perfect Forward Secrecy adds incremental
security between gateways.
Phase 2 DH Group
If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key
Exchange (a key agreement protocol) to be used during phase 2 of the authentication
process to establish pre-shared keys. You can now select from three well-known DH
groups:
Group 1 - less secure
Group 2 - more secure
Group 5 - most secure
Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed below:
Group Descriptor    Prime Size (bits)
1                   768
2                   1024
5                   1536
If network connection speed is an issue, select Group 1. If network security is an issue,
select Group 5. To compromise between speed and security, select Group 2.
integrated_manual.book Page 121 Friday, October 12, 2001 2:56 PM