Global VPN Client Administrator's Guide PROTECTION AT THE SPEED OF BUSINESS™
SonicWALL Global VPN Client The SonicWALL Global VPN Client creates a Virtual Private Network (VPN) connection between your computer and the corporate network to maintain the confidentiality of private data. The Global VPN Client provides an easy-to-use solution for secure, encrypted access through the Internet or corporate dial-up facilities for remote users as well as secure wireless networking for SonicWALL Secure Wireless appliance clients using SonicWALL’s WiFiSec technology.
• Automatic Reconnect When Error Occurs - Allows the Global VPN Client to keep retrying a connection if it encounters a problem connecting to a peer. This feature allows the Global VPN Client to automatically make a connection to a SonicWALL VPN gateway that is temporarily disabled, without manual intervention.
Global VPN Client Enterprise/Global Security Client SonicWALL Global Security Client combines gateway enforcement, central management, configuration flexibility and software deployment to deliver comprehensive desktop security to mobile workers and corporate networks.
SonicWALL Pocket Global VPN Client
Use the SonicWALL Pocket Global VPN Client Administrator’s Guide for complete instructions on installing, configuring and managing the Pocket Global VPN Client. For configuring your SonicWALL security appliance to support Pocket Global VPN Clients using SonicWALL’s GroupVPN, see the Administrator’s Guide for the firmware or SonicOS version running on your SonicWALL wireless security appliance.
SonicWALL Global VPN Client
If you’re using SonicWALL Global VPN Client 4.
Limited Warranty SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product.
Tip! For information on the number of SonicWALL Global VPN Client connections supported by your SonicWALL and Global VPN Client licensing for your SonicWALL, see “SonicWALL Global VPN Client Licenses” on page 35. You can upgrade the SonicWALL Global VPN Client from an earlier version to 4.0 without uninstalling the earlier version. Alert! If you are upgrading SonicWALL Global VPN Client from an earlier version to 4.
4. Close all applications and disable any disk protection and personal firewall software running on your computer. Click Next. 5. Select I accept the terms of the license agreement. Click Next. 6. Click Next to accept the default location and continue installation or click Browse to specify a different location. 7. Click Install. The Setup Wizard installs the Global VPN Client files on your computer. After the Setup Wizard installs the Global VPN Client, the Setup Complete page is displayed.
8. Select Start program automatically when users log in to automatically launch the Global VPN Client when you log onto the computer, if desired. 9. Select Launch program now to automatically launch the Global VPN Client after finishing the installation, if desired. 10. Click Finish.
Understanding Digital Certificates If digital certificates are required as part of your VPN connection policy, your gateway administrator must provide you with the required information to import the certificate. You then need to import the certificate in the Global VPN Client using the Certificate Manager. Alert! If digital certificates are required as part of your VPN connection policy, your VPN gateway administrator must provide you with the required certificates.
3. In the Choose Scenario page, you can click on View Scenario to view a diagram of each type of VPN connection. Clicking on the Remote Access View Scenario link displays the diagram for this type of VPN connection. Clicking on the Office Gateway View Scenario link displays the diagram for this type of VPN connection. 4. Select Remote Access or Office Gateway and then click Next.
5. If you selected Remote Access in the Choose Scenario page, the Remote Access page is displayed. Type the IP address or FQDN of the gateway in the IP Address or Domain Name field. The information you type in the IP Address or Domain Name field appears in the Connection Name field. If you want a different name for your connection, type the new name for your VPN connection policy in the Connection Name field. Click Next. The Completing the New Connection Wizard page is displayed. 6.
Alert! If your .rcf file is encrypted, you must have the password to import the configuration file into the Global VPN Client. The following instructions explain how to add VPN connection policy by importing a connection policy file provided by your gateway administrator. 1. Choose Start>Programs>SonicWALL Global VPN Client. 2. Select File>Import Connection. The Import Connection dialog box is displayed. 3.
Launching the SonicWALL Global VPN Client To launch the SonicWALL Global VPN Client, choose Start>Programs>SonicWALL Global VPN Client. The default setting for the SonicWALL Global VPN Client window is Hide the window (reopen it from the tray icon). If you click Close, press Alt+F4 or choose File>Close, the SonicWALL Global VPN Client window closes but your established VPN connections remain active.
The Global VPN Client supports two IPSec Keying modes: IKE using Preshared Secret and IKE using 3rd Party Certificates. Preshared Secret is the most common of the IPSec Keying modes. If your VPN connection policy uses 3rd party certificates, you use the Certificate Manager to configure the Global VPN Client to use digital certificates.
To establish a VPN connection using a VPN connection policy you created in the Global VPN Client, follow these instructions.
1. Enable a VPN connection policy using one of the following methods:
• If you selected Enable this connection when the program is launched in the New Connection Wizard, the VPN connection is automatically established when you launch the SonicWALL Global VPN Client.
Entering a Pre-Shared Key
Depending on the attributes for the VPN connection policy, if no default Pre-Shared Key is used, you must have a Pre-Shared Key provided by the gateway administrator in order to make your VPN connection. If the default Pre-Shared Key is not included as part of the connection policy download or file, the Enter Pre-Shared Key dialog box appears to prompt you for the Pre-Shared Key before establishing the VPN connection.
1. Type your Pre-Shared Key in the Pre-shared Key field.
If the SonicWALL VPN gateway is provisioned to prompt you for the username and password to enter the remote network, the Enter Username and Password dialog box appears. Type your username and password. If permitted by the gateway, check Remember Username and Password to cache your username and password to automatically log in for future VPN connections. Click OK to continue with establishing your VPN connection.
• A VPN policy that cannot be successfully connected displays an error mark (red x) on the policy icon.
• The SonicWALL Global VPN Client icon in the system tray displays a visual indicator of data passing between the Global VPN Client and the gateway.
• The Status page in the Properties dialog box displays more detailed information about the status of an active VPN connection.
Specifying Global VPN Client Launch Options
You can specify how the SonicWALL Global VPN Client launches and what notification windows appear using the controls in the General tab of the Options dialog box. Choose View>Options to display the Options dialog box. The General page includes the following settings to control the launch of the Global VPN Client:
• Start this program when I log in - Launches the SonicWALL Global VPN Client when you log into your computer.
• Disable - Allows you to disable active VPN connections.
• Open Log Viewer - Opens the Log Viewer to view informational and error messages. See page 31 for more information on the Log Viewer.
• Open Certificate Manager - Opens the Certificate Manager. See page 30 for more information on the Certificate Manager.
• Exit - Exits the SonicWALL Global VPN Client window and disables any active VPN connections.
• Attributes - Defines the status of Tunnel All support. These settings are controlled at the SonicWALL VPN gateway.
  Other traffic allowed - If enabled, your computer can access the local network or Internet connection while the VPN connection is active.
  Default traffic tunneled to peer - If activated, all network traffic not routed to the SonicWALL VPN gateway is blocked. When you enable the VPN connection with this feature active, the Connection Warning message appears.
• Username - Enter the username provided by your gateway administrator.
• Password - Enter the password provided by your gateway administrator.
Peers
The Peers page allows you to specify an ordered list of VPN gateway peers that this connection policy can use (multiple entries allow a VPN connection to be established through multiple VPN gateways). An attempt is made to establish a VPN connection to the given VPN gateway peers in the order they appear in the list.
• To add a peer, click Add.
• DPD Settings - Displays the Dead Peer Detection Settings dialog box.
  Check for dead peer every - Choose from 5, 10, 15, 20, 25, or 30 seconds.
  Assume peer is dead after - Choose from 3, 4, or 5 Failed Checks.
  Specify the conditions under which DPD packets will be sent - Choose either Only when no traffic is received from the peer or Whether or not traffic is received from the peer.
Status
The Status page shows the current status of the connection.
• Connection Status - Indicates whether the VPN connection policy is enabled or disabled.
• Peer IP Address - Displays the IP address of the VPN connection peer.
• Duration - Displays the connection time.
• Details - Displays the Connection Status Details dialog box, which specifies the negotiated phase 1 and phase 2 parameters as well as the status of all individual phase 2 SAs.
Managing VPN Connection Policies
The SonicWALL Global VPN Client supports as many VPN connection policies as you need. To help you manage these connection policies, the Global VPN Client provides the following connection policy management tools.
Arranging Connection Policies
Over time, as the number of VPN connection policies in the SonicWALL Global VPN Client window increases, you may want to arrange them for quicker access.
Managing Certificates The Certificate Manager allows you to manage digital certificates used by the SonicWALL Global VPN Client for VPN connections. If your VPN gateway uses digital certificates, you must import the CA and Local Certificates into the Certificate Manager. To open the Certificate Manager, click the Certificate Manager button on the SonicWALL Global VPN Client window toolbar, choose View>Certificate Manager, or press Ctrl+M.
Understanding the Global VPN Client Log
The SonicWALL Global VPN Client Log window displays messages about Global VPN Client activities. To open the Log Viewer window, click the Log Viewer button on the Global VPN Client window toolbar, or choose View>Log Viewer, or press Ctrl+L.
• Peer - The IP address or FQDN of the peer.
• Message - Text of the message describing the event.
• Type - The type of message (Information, Error, or Warning).
• Timestamp - Date and time the message was generated.
• To remove redundant messages from displaying, choose View>Ignore Redundant Messages or press Ctrl+I.
• To hide the toolbar in the Log Viewer window, choose View>Toolbar.
• To hide the status bar in the Log Viewer window, choose View>Status Bar.
Configuring the Log
The Logging page in the Options dialog box specifies the settings for configuring the Global VPN Client Log behavior.
Maximum number of log messages to keep - Specifies the maximum number of log messages kept in the log file.
Maximum auto-log file size - Specifies the maximum file size in KB or MB.
When auto-log size limit is reached - Instructs Auto-logging what to do when the log file reaches the size limit.
  Ask me what to do - Prompts you when the log file reaches maximum size to choose either Stop auto-logging or Overwrite auto-log file.
  Stop auto-logging - Stops auto-logging when the maximum file size is reached.
  Overwrite auto-log file - Overwrites the existing auto-log file after the maximum file size is reached.
Accessing Technical Support
Selecting Help>Technical Support accesses the SonicWALL Support site at http://www.sonicwall.com/support/ The SonicWALL Support site offers a full range of support services including extensive online resources and information on SonicWALL’s enhanced support programs.
Viewing Help Topics
Selecting Help>Help Topics displays the SonicWALL Global VPN Client help system window.
Note! For information on configuring GroupVPN on the SonicWALL to support SonicWALL Global VPN Client, refer to the Administrator’s Guide for your SonicWALL. All SonicWALL product documentation is available at http://www.sonicwall.com/support/documentation.html
SonicWALL Global VPN Client Licenses
Global VPN Client Licensing is based on the number of simultaneous Global VPN Client connections to a SonicWALL.
Table 1: Global VPN Client License Support by SonicWALL Model
PRO 2040 - Includes unrestricted WLAN Global VPN Client Licenses (Enhanced). Includes 10 WAN Global VPN Client Licenses.
PRO 3060 - Includes unrestricted WLAN Global VPN Client Licenses (Enhanced). Includes 25 WAN Global VPN Client Licenses.
PRO 4060 - Includes unrestricted WLAN Global VPN Client Licenses (Enhanced). Includes 1,000 WAN Global VPN Client Licenses.
PRO 4100 - Includes unrestricted WLAN Global VPN Client Licenses (Enhanced).
SOFTWARE LICENSE AGREEMENT FOR THE SONICWALL GLOBAL VPN CLIENT This Software License Agreement (SLA) is a legal agreement between you and SonicWALL, Inc. (SonicWALL) for the SonicWALL software product identified above, which includes computer software and any and all associated media, printed materials, and online or electronic documentation (SOFTWARE PRODUCT). By opening the sealed package(s), installing, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this SLA.
EXPORTS LICENSE Licensee will comply with, and will, at SonicWALL's request, demonstrate such compliance with all applicable export laws, restrictions, and regulations of the U.S. Department of Commerce, the U.S. Department of Treasury and any other U.S. or foreign agency or authority.
MISCELLANEOUS This SLA represents the entire agreement concerning the subject matter hereof between the parties and supersedes all prior agreements and representations between them. It may be amended only in writing executed by both parties. This SLA shall be governed by and construed under the laws of the State of California as if entirely performed within the State and without regard for conflicts of laws.
SonicWALL has been advised of the possibility of such damages. In any case, SonicWALL's entire liability under any provision of this SLA shall be limited to the greater of the amount actually paid by you for the SOFTWARE PRODUCT or U.S. $10.00; provided, however, if you have entered into a SonicWALL Support Services Agreement, SonicWALL's entire liability regarding Support Services shall be governed by the terms of that agreement.
Include the default.rcf File with the Global VPN Client Software
After you create the default.rcf file, you can include it with the SonicWALL Global VPN Client software. When the user installs the Global VPN Client program, the SonicWALL Global VPN Client.rcf file is automatically created in the C:\Documents and Settings\\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory based on the settings defined in the default.rcf file. This is the easiest method for Global VPN Client users.
Creating the default.rcf File
You can create your custom default.rcf file from any text editor, such as Windows Notepad.
default.rcf File Tag Descriptions
Tags that you do not explicitly list in the default.rcf file are set to the default setting (which is the same behavior as when you configure a New VPN Connection within the Global VPN Client manually). The default setting for each tag is highlighted in bracketed bold text, like [default].
Defines the peer settings for a VPN connection. A VPN connection can support up to 5 peers. Alert! A special case of Host Name is for an Office Gateway scenario. If you want to use the Default Gateway as the host name, use the exact text &lt;Default Gateway&gt;, including the semicolons and &s (the angle brackets are written as entities in the file). In this case, you must also set the tag, =1. IP Address/Domain Name - The IP address or Domain name of the SonicWALL gateway.
[[5]-30] Specifies the duration of time (in seconds) to wait before declaring a peer as dead. The interval times listed are incremented by 5, and the allowed values are 5, 10, 15, 20, 25 and 30 seconds. [3-[5]] Specifies number of unsuccessful attempts to contact a peer before declaring it as dead. The allowed values are 3, 4 or 5 times.
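The DPD Settings dialog and the default.rcf DPD tags described above expose the same two knobs (check interval and failed-check count) plus the "only when no traffic is received" condition. As an added example, not SonicWALL code, the Python model below walks the check schedule for a given setting and shows how long tunnel traffic keeps flowing toward a gateway that has already gone away. The allowed values and defaults come from the guide; how probes and inbound traffic interact is a modelling assumption stated in the docstring.

```python
"""Timing model for the Global VPN Client Dead Peer Detection (DPD) settings.
Added example, not SonicWALL code: it models the check interval, the failed-check
count and the "only when no traffic is received" condition from the guide."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Values the guide allows in the DPD Settings dialog and the default.rcf tags.
DPD_INTERVALS = (5, 10, 15, 20, 25, 30)  # "Check for dead peer every" (seconds)
DPD_FAILED_CHECKS = (3, 4, 5)            # "Assume peer is dead after" (failed checks)


@dataclass(frozen=True)
class DpdSettings:
    interval: int = 5            # guide default [5] seconds
    failed_checks: int = 5       # guide default [5] failed checks
    only_when_idle: bool = True  # "Only when no traffic is received from the peer"

    def __post_init__(self) -> None:
        # Reject values the client would not accept in the dialog or the .rcf file.
        if self.interval not in DPD_INTERVALS:
            raise ValueError(f"interval must be one of {DPD_INTERVALS}")
        if self.failed_checks not in DPD_FAILED_CHECKS:
            raise ValueError(f"failed_checks must be one of {DPD_FAILED_CHECKS}")

    def worst_case_detection(self) -> int:
        """Longest a dead peer can go undetected once probing starts (seconds)."""
        return self.interval * self.failed_checks


@dataclass(frozen=True)
class DpdResult:
    declared_dead_at: Optional[int]  # second at which the peer is declared dead, or None
    probes_sent: int                 # DPD requests the client sent during the simulation


def simulate_dpd(settings: DpdSettings, peer_down_at: int,
                 inbound_traffic: Iterable[int] = (), horizon: int = 600) -> DpdResult:
    """Walk the check schedule up to `horizon` seconds.

    Modelling assumptions (ours, not the product's implementation): a check runs
    every `interval` seconds; inbound traffic from the peer within the last
    interval proves it is alive and, with `only_when_idle`, replaces that probe;
    a probe sent at or after `peer_down_at` gets no reply; a dead peer sends no
    traffic, so traffic timestamps at or after `peer_down_at` are ignored.
    """
    traffic = sorted(t for t in inbound_traffic if t < peer_down_at)
    failures = probes = 0
    t = settings.interval
    while t <= horizon:
        if any(t - settings.interval < x <= t for x in traffic):
            failures = 0  # real traffic is proof of life
            if settings.only_when_idle:
                t += settings.interval
                continue  # no probe needed this interval
        probes += 1
        if t < peer_down_at:
            failures = 0  # peer answered the probe
        else:
            failures += 1
            if failures >= settings.failed_checks:
                return DpdResult(t, probes)
        t += settings.interval
    return DpdResult(None, probes)


def blackhole_window(settings: DpdSettings, peer_down_at: int,
                     inbound_traffic: Iterable[int] = ()) -> Optional[int]:
    """Seconds during which tunnel traffic is still sent toward a peer that is
    already dead: the gap between the failure and the client noticing it."""
    dead_at = simulate_dpd(settings, peer_down_at, inbound_traffic).declared_dead_at
    return None if dead_at is None else dead_at - peer_down_at


if __name__ == "__main__":
    for s in (DpdSettings(), DpdSettings(interval=30, failed_checks=5)):
        print(s, "-> worst case", s.worst_case_detection(), "s; peer down at 12 s noticed at",
              simulate_dpd(s, peer_down_at=12).declared_dead_at, "s")
```

The slowest allowed setting (30 seconds, 5 checks) leaves a dead gateway unnoticed for up to 150 seconds, which is the window Automatic Reconnect cannot shorten.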
Troubleshooting the default.rcf File
Table 2: Troubleshooting the default.rcf File
Issue / Solution
If there are any incorrect entries or typos in your default.rcf file, the settings in the default.rcf file will not be incorporated into the Global VPN Client, and no connection profiles will appear in the Global VPN Client window.
Playing Back the Silent Installation After you have created the installation and the response file, you are ready to run the Global VPN Client installation in silent mode. When running an installation in silent mode, be aware that no messages are displayed. Instead, a log file Setup.log captures installation information, including whether the installation was successful. You can review the log file and determine the result of the installation.
-11 Unknown error during setup
-12 Dialogs are out of order
-51 Cannot create the specified folder
-52 Cannot access the specified file or folder
-53 Invalid option selected
Appendix C - Running the Global VPN Client from the Command Line Interface
The SonicWALL Global VPN Client can run from the Command Line Interface (CLI).
Appendix D - Installing the Global VPN Client with a Ghost Application During the normal, non-Ghost installation of the Global VPN Client, a MAC address for the virtual adapter is generated and assigned during the installation process. However, when the Global VPN Client is installed with CmdLine=/g (Ghost) option, a default MAC address is assigned to the SonicWALL VPN Adapter.
Table 3: Log Viewer Messages
ERROR  Diffie-Hellman group generator length has not been set.
ERROR  Diffie-Hellman group prime length has not been set.
ERROR  DSS signature processing failed - signature is not valid.
ERROR  Encryption algorithm is not supported.
ERROR  ESP transform algorithm is not supported.
ERROR  Failed to add a new AH entry to the phase 2 SA list.
ERROR  Failed to add a new ESP entry to the phase 2 SA list.
ERROR  Failed to add IPSEC encapsulation mode into the payload.
ERROR  Failed to build dead peer detection packet.
ERROR  Failed to build dead peer detection reply message.
ERROR  Failed to build dead peer detection request message.
ERROR  Failed to build phase 1 delete message.
ERROR  Failed to calculate DES mode from ESP transfer.
ERROR  Failed to calculate policy configuration attributes length.
ERROR  Failed to calculate XAuth attributes length.
ERROR  Failed to compute IV for connection entry.
ERROR  Failed to construct quick mode hash payload.
ERROR  Failed to construct quick mode packet.
ERROR  Failed to construct responder lifetime payload.
ERROR  Failed to construct RSA signature.
ERROR  Failed to construct signature payload.
ERROR  Failed to construct source proxy ID payload.
ERROR  Failed to construct XAuth payload.
ERROR  Failed to convert the peer name to an IP address.
ERROR  Failed to create a new connection entry: an entry already exists with ID.
ERROR  Failed to find OAKLEY group specified in the SA payload.
ERROR  Failed to find private key for certificate with ID.
ERROR  Failed to find protocol ID in the SA list.
ERROR  Failed to find route to reach.
ERROR  Failed to find sequence number.
ERROR  Failed to find source IP address to reach.
ERROR  Failed to flush the system ARP cache.
ERROR  Failed to generate Diffie-Hellman parameters.
ERROR  Failed to generate quick mode initiator key.
ERROR  Failed to set the IPSEC ESP attributes into the phase 2 SA.
ERROR  Failed to set the OAKLEY attributes into the phase 1 SA.
ERROR  Failed to set vendor ID into packet payload.
ERROR  Failed to set XAuth attributes into payload.
ERROR  Failed to sign hash.
ERROR  Failed to verify certificate signature.
ERROR  Failed to verify informational message hash payload.
ERROR  Failed to verify mode config message hash payload.
ERROR  Hash algorithm is not supported.
ERROR  is not a valid XAuth status.
ERROR  ISAKMP SA delete msg for a different SA!
ERROR  No certificate for CERT authentication.
ERROR  No entry in the system IP address table was found with index.
ERROR  No KE payload while PFS configured mess_id.
ERROR  Out of memory.
ERROR  Phase 1 authentication algorithm is not supported.
ERROR  Phase 1 encryption algorithm is not supported.
ERROR  Protocol ID has already been added to the SA list.
ERROR  XAuth CHAP requests are not supported at this time.
ERROR  XAuth failed.
ERROR  XAuth has requested a password but one has not yet been specified.
INFO  The connection "" has been disabled.
INFO  A certificate is needed to complete phase 1.
INFO  A phase 2 SA can not be established with until a phase 1 SA is established.
INFO  A pre-shared key is needed to complete phase 1.
INFO  AG failed. SA state unknown.
INFO  peer certificate missing key value.
INFO  Phase 1 has completed.
INFO  Phase 1 SA lifetime set to.
INFO  Phase 2 negotiation has failed.
INFO  Phase 2 SA lifetime set to.
INFO  Phase 2 with has completed.
INFO  Proposal not acceptable: not authentication algorithm specified.
INFO  Proposal not acceptable: not Diffie-Hellman group specified.
INFO  Proposal not acceptable: not encryption algorithm specified.
INFO  Received invalid message ID notify.
INFO  Received invalid minor version notify.
INFO  Received invalid payload notify.
INFO  Received invalid protocol ID notify.
INFO  Received invalid signature notify.
INFO  Received invalid SPI notify.
INFO  Received invalid transform ID notify.
INFO  Received malformed payload notify.
INFO  Received no proposal chosen notify.
INFO  Received notify SA lifetime notify.
INFO  Received phase 1 delete message.
INFO  Sending phase 2 delete for.
INFO  Sending policy provisioning acknowledgement.
INFO  Sending policy provisioning version reply.
INFO  Sending XAuth acknowledgement.
INFO  Sending XAuth reply.
INFO  Signature Verified!
INFO  SonicWALL Global VPN Client version.
INFO  SonicWALL VPN Client.
INFO  Starting aggressive mode phase 1 exchange.
INFO  Starting authentication negotiation.
INFO  Starting configuration negotiation.
INFO  Starting ISAKMP phase 1 negotiation.
INFO  The SA lifetime for phase 2 is seconds.
INFO  The soft lifetime has expired for phase 1.
INFO  The soft lifetime has expired for phase 2 with.
INFO  The system ARP cache has been flushed.
INFO  Unable to encrypt payload!
INFO  User authentication has failed.
INFO  User authentication has succeeded.
INFO  User authentication information is needed to complete the connection.
INFO  XAuth has requested a username but one has not yet been specified.
WARNING  Received an unencrypted packet when crypto active!
WARNING  Responder lifetime protocol is not supported.
WARNING  The password is incorrect. Please re-enter the password.
WARNING  The pre-shared key dialog box was cancelled by the user. The connection will be disabled.
WARNING  The select certificate dialog box was cancelled by the user. The connection will be disabled.
WARNING  The username/password dialog box was cancelled by the user.
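The Log Viewer columns and the two log controls described under "Understanding the Global VPN Client Log" (Ignore Redundant Messages, Maximum number of log messages to keep) are enough to build a small review script. The following is an added example, not SonicWALL code: it parses a constructed sample whose message texts are taken from Table 3, applies those two controls, and summarises what a reviewer would look at first (repeated authentication failures per peer, a success following failures, and the "unencrypted packet when crypto active" warning). The one-entry-per-line layout of the sample is an assumption; the real Log Viewer export format is not shown in this guide.

```python
"""Triage of Global VPN Client Log Viewer output. Added example, not SonicWALL
code: it parses the four columns the guide names (Peer, Message, Type,
Timestamp), applies the two log controls the guide describes and summarises
what a reviewer should look at first."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample log. The one-entry-per-line layout is an assumption for this
# example; the message texts are taken from Table 3.
SAMPLE_LOG = """\
2007-10-02 09:14:01  INFO     vpn.example.com  Starting ISAKMP phase 1 negotiation.
2007-10-02 09:14:02  INFO     vpn.example.com  Phase 1 has completed.
2007-10-02 09:14:05  INFO     vpn.example.com  User authentication has failed.
2007-10-02 09:14:05  INFO     vpn.example.com  User authentication has failed.
2007-10-02 09:14:06  WARNING  vpn.example.com  The password is incorrect. Please re-enter the password.
2007-10-02 09:14:20  INFO     vpn.example.com  User authentication has failed.
2007-10-02 09:14:21  ERROR    vpn.example.com  XAuth failed.
2007-10-02 09:15:00  INFO     vpn.example.com  User authentication has succeeded.
2007-10-02 09:15:30  WARNING  vpn.example.com  Received an unencrypted packet when crypto active!
2007-10-02 09:16:00  INFO     10.1.2.3         Starting aggressive mode phase 1 exchange.
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
                     r"(?P<type>INFO|WARNING|ERROR)\s+(?P<peer>\S+)\s+(?P<msg>.+)$")
AUTH_FAILURE_MESSAGES = {"User authentication has failed.", "XAuth failed."}
AUTH_SUCCESS_MESSAGE = "User authentication has succeeded."
PLAINTEXT_WARNING = "Received an unencrypted packet when crypto active!"


@dataclass(frozen=True)
class LogEntry:
    timestamp: datetime
    type: str
    peer: str
    message: str


def parse_log(text: str) -> List[LogEntry]:
    """One entry per line; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append(LogEntry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                    m["type"], m["peer"], m["msg"]))
    return entries


def ignore_redundant(entries: List[LogEntry]) -> List[LogEntry]:
    """Drop an entry that repeats the previous entry's peer, type and message;
    this is our reading of View > Ignore Redundant Messages (Ctrl+I)."""
    kept: List[LogEntry] = []
    for e in entries:
        if not kept or (e.peer, e.type, e.message) != (kept[-1].peer, kept[-1].type, kept[-1].message):
            kept.append(e)
    return kept


def keep_newest(entries: List[LogEntry], max_messages: int) -> List[LogEntry]:
    """Bound the log as 'Maximum number of log messages to keep' does. The oldest
    entries are the ones lost, so a long failure burst can push the first
    evidence out of the log before anyone reads it."""
    return entries[-max_messages:] if max_messages > 0 else []


def triage(entries: List[LogEntry], failure_threshold: int = 3) -> Dict[str, object]:
    """Authentication failures per peer, peers at or over the threshold, peers that
    succeeded after failing, and each time an unencrypted packet arrived while the
    tunnel was supposed to be encrypting."""
    failures = Counter(e.peer for e in entries if e.message in AUTH_FAILURE_MESSAGES)
    succeeded = {e.peer for e in entries if e.message == AUTH_SUCCESS_MESSAGE}
    return {
        "auth_failures": dict(failures),
        "peers_over_threshold": sorted(p for p, n in failures.items() if n >= failure_threshold),
        "success_after_failures": sorted(p for p in succeeded if failures[p] > 0),
        "plaintext_when_crypto_active": [e.timestamp.isoformat() for e in entries
                                         if e.message == PLAINTEXT_WARNING],
    }
```

Run the triage on both the raw and the deduplicated list: Ignore Redundant Messages collapses the back-to-back failure at 09:14:05, so a threshold tuned on the viewer's filtered display will undercount relative to the file.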
SonicWALL, Inc. 1143 Borregas Avenue T +1 408.745.9600 Sunnyvale CA 94089-1306 F +1 408.745.9300 P/N: 232-000xxx-00 Rev A, 08/07 www.sonicwall.com PROTECTION AT THE SPEED OF BUSINESS™ ©2007 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
SonicWALL, Inc. 1143 Borregas Avenue T +1 408.745.9600 Sunnyvale CA 94089-1306 F +1 408.745.9300 P/N: 232-001144-00 Rev C, 10/07 www.sonicwall.com PROTECTION AT THE SPEED OF BUSINESS™ ©2007 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.