SonicWALL Internet Security Appliances User Manual

SonicWALL VPN Page 207

6. Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing

SPI field.SPIs should range from 3 to 8 characters in length and include only hexadecimal
characters.

Alert Each Security Association must have unique SPIs; no two Security Associations can share the
same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.
7. Select an encryption algorithm from the Encryption Method menu. Enter a 16-character

hexadecimal key in the Encryption Key field if you are using DES or ARCFour encryption. Enter
a 48-character hexadecimal key if you are using Triple DES encryption. This encryption key must
match the remote SonicWALL's encryption key.
When a new SA is created, a 48-character key is automatically generated in the Encryption Key
field. This can be used as a valid key for Triple DES. If this key is used, it must also be entered
in the Encryption Key field in the remote SonicWALL. If Tunnel Only (ESP NULL) or Authenticate
(AH MD5) is used, the Encryption Key field is ignored.

8. Enter a 32-character, hexadecimal key in the Authentication Key field.

When a new SA is created, a 32-character key is automatically generated in the Authentication
Key field. This key can be used as a valid key. If this key is used, it must also be entered in the
Authentication Key field in the remote SonicWALL. If authentication is not used, this field is
ignored.

9. Click Add New Network... to enter the destination network addresses. Clicking Add New

Network... automatically updates the VPN configuration and opens the VPN Destination
Network window.

10. Enter the beginning IP address of the remote network address range in the Range Start field. If

NAT is enabled on the remote SonicWALL, enter a private LAN IP address. Enter "0.0.0.0" to
accept all remote SonicWALLs with matching encryption and authentication keys.

11. Enter the ending IP address of the remote network's address range in the Range End field. If

NAT is enabled on the remote SonicWALL, enter a private LAN IP address. Enter "0.0.0.0" to
accept all remote SonicWALLs with matching encryption and authentication keys.

12. Enter the remote network subnet mask in the Destination Subnet Mask for NetBIOS broadcast

field if Enable Windows Networking (NetBIOS) Broadcast is selected. Otherwise, enter "0.0.0.0"
in the field.

13. Click Update to add the remote network and close the VPN Destination Network window. Once

the SonicWALL has been updated, a message confirming the update is displayed at the bottom
of the browser window.

14. Click Advanced Settings and check the boxes that apply to your SA:

Enable Windows Networking (NetBIOS) broadcast - if the remote clients use Windows Network
Neighborhood to browse remote networks.
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in
Standard mode.
Route all internet traffic through this SA - if forcing internet traffic from the WAN to use this SA
to access a remote site.