10.07.2015 Views

SonicWALL Global VPN Client


DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

Page 6 SonicWALL Global VPN Client 2.1 Administrator’s Guide


4. Close all applications and disable any disk protection and personal firewall software running on your computer. Click Next.
5. Select I accept the terms of the license agreement. Click Next.
6. Click Next to accept the default location and continue installation or click Browse to specify a different location.


7. Click Install. The Setup Wizard installs the Global VPN Client files on your computer. After the Setup Wizard installs the Global VPN Client, the Setup Complete page is displayed.
8. Select Start program automatically when users log in to automatically launch the VPN Global Client when you log onto the computer, if desired.
9. Select Launch program now to automatically launch the Global VPN Client after finishing the installation, if desired.
10. Click Finish.


Adding VPN Connection Policies

Adding a new VPN connection policy is easy because SonicWALL’s Client Policy Provisioning automatically provides all the necessary configuration information to make a secure connection to the local or remote network. The burden of configuring the VPN connection parameters is removed from the Global VPN Client user. VPN connection policies can be created using three methods:

• Download the VPN policy from the SonicWALL VPN Gateway to the Global VPN Client using the New Connection Wizard. This wizard walks you through the process of locating the source of your configuration information and automatically downloads the VPN configuration information over a secure IPSec VPN tunnel.
• Import a VPN policy file into the SonicWALL Global VPN Client. The VPN policy is sent to you as a file, which you install using the Import Connection dialog box.
• Install the default.rcf file as part of the Global VPN Client software installation or add it after installing the Global VPN Client. If the SonicWALL VPN Gateway administrator included the default.rcf file as part of the Global VPN Client software, when the program is installed, one or more preconfigured VPN connections are automatically created.

Note! Creating a Default.rcf file and distributing it with the Global VPN Client software allows the SonicWALL VPN Gateway administrator to streamline VPN client deployment and allow users to quickly establish VPN connections. When the Global VPN Client software is installed, the VPN policy created by the SonicWALL VPN Gateway administrator is automatically created. For more information on creating the Default.rcf file, see “Appendix A - Creating and Deploying the Default.rcf File for Global VPN Clients” on page 52.

Alert! Your SonicWALL must be configured with GroupVPN to facilitate the automatic provisioning of Global VPN Clients. For instructions on configuring your SonicWALL with GroupVPN, see your SonicWALL Administrator’s Guide.


VPN Connection Policies

The Global VPN Client allows multiple connection policies to be configured at the same time, whether they are provisioned from multiple gateways or imported from one or more files. Because connection policies may be provisioned from multiple gateways, each connection policy explicitly states allowed behavior in the presence of any connection policy conflicts. You may have VPN connections that don’t allow other VPN connections or Internet and network connections while the VPN policy is enabled.

The VPN connection policy includes all the parameters necessary to establish secure IPSec tunnels to the gateway. A connection policy includes Phase 1 and Phase 2 Security Associations (SA) parameters including:

• Encryption and authentication proposals
• Phase 1 identity payload type
• Phase 2 proxy IDs (traffic selectors)
• Client Phase 1 credential
• Allowed behavior of connection in presence of other active connections
• Client caching behavior

Digital Certificates

If digital certificates are required as part of your VPN connection policy, your gateway administrator must provide you with the required information to import the certificate. You then need to import the certificate in the Global VPN Client using the Certificate Manager.

Alert! If digital certificates are required as part of your VPN connection policy, your VPN gateway administrator must provide you with the required certificates.

Note! For instructions on importing a certificate into the Global VPN Client, see “Managing Certificates” on page 38.


Using the New Connection Wizard

The New Connection Wizard provides easy configuration for the following VPN connection scenarios:

• Remote Access - You choose this scenario if you want secure access to a remote VPN gateway from any wired or wireless network. The most common use of this scenario is when you are at home or on the road and want access to the corporate network. You enter the IP address or FQDN (gateway.yourcompany.com) of the VPN gateway and the Global VPN Client automatically downloads the VPN connection policy from the remote SonicWALL VPN gateway.

Alert! If you are configuring the Global VPN Client for Remote Access, make sure you have the IP address or FQDN (gateway.yourcompany.com) of the remote SonicWALL VPN gateway and an active Internet connection before using the New Connection Wizard.

• Office Gateway - You choose this scenario if you want secure access to a local SonicWALL SOHO TZW wireless network. When you create an Office Gateway VPN connection, it appears as the Peer entry of in the SonicWALL Global VPN Client window. You can use this single Office Gateway VPN connection policy to roam securely across SOHO TZW wireless networks.

Alert! If you are configuring the Global VPN Client for Office Gateway, make sure your wireless card is configured with the correct SSID information to access the SonicWALL SOHO TZW before using the New Connection Wizard.

Creating a VPN Connection Policy

The following instructions explain how to use the New Connection Wizard to automatically download VPN connection policies for the Global VPN Client from a local or remote SonicWALL VPN gateway.

1. Choose Start>Programs>SonicWALL Global VPN Client. The first time you open the SonicWALL Global VPN Client, the New Connection Wizard automatically launches.
2. If the New Connection Wizard does not display, click the New Connection Wizard icon on the far left side of the toolbar to launch the New Connection Wizard. Click Next.


3. In the Choose Scenario page, select Remote Access or Office Gateway and then click Next. Click on View Scenario to view a diagram of each type of VPN connection.
4. If you selected Remote Access in the Choose Scenario page, the Remote Access page is displayed. Type the IP address or FQDN of the gateway in the IP Address or Domain Name field. The information you type in the IP Address or Domain Name field appears in the Connection Name field. If you want a different name for your connection, type the new name for your VPN connection policy in the Connection Name field. Click Next. The Completing the New Connection Wizard page is displayed.


5. If you selected Office Gateway in the Choose Scenario page, the Completing the New Connection Wizard page is displayed.
6. In the Completing the New Connection Wizard page select any of the following options:
   • Select Enable this connection when the program is launched, if you want to automatically establish this VPN connection when you launch the SonicWALL Global VPN Client.
   • Select Create a shortcut to this connection on the desktop, if you want to create a shortcut icon on your desktop for this VPN connection.
7. Click Finish. The new VPN connection policy appears in the SonicWALL Global VPN Client window.

Note! You can change the default name by right-clicking the Office Gateway entry and selecting Properties from the menu. In the General tab of the Properties dialog box, enter the new name in the Name field.


Importing a VPN Configuration File

A VPN connection policy can be created as a file and sent to you by the SonicWALL VPN gateway administrator. This VPN configuration file has the filename extension .rcf. If you received a VPN connection policy file from your administrator, you can install it using the Import Connection dialog box.

The VPN policy file is in the XML format to provide more efficient encoding of policy information. Because the file can be encrypted, pre-shared keys can also be exported in the file. The encryption method is specified in the PKCS#5 Password-Based Cryptography Standard from RSA Laboratories and uses Triple-DES encryption and SHA-1 message digest algorithms.

Alert! If your .rcf file is encrypted, you must have the password to import the configuration file into the Global VPN Client.

The following instructions explain how to add a VPN connection policy by importing a connection policy file provided by your gateway administrator.

1. Choose Start>Programs>SonicWALL Global VPN Client.
2. Select File>Import Connection. The Import Connection dialog box is displayed.
3. Type the file path for the configuration file in the Specify the name of the configuration file to import field or click the browse ... button to locate the file. If the file is encrypted, enter the password in the If the file is encrypted, specify the password field.
4. Click OK.


Configuring a Dial-Up VPN Connection

You can use a dial-up Internet connection to establish your VPN connection. You can create a Remote Access VPN connection policy using the Make New Connection wizard or use an existing VPN connection policy, and then configure the VPN connection policy to use a Microsoft Dial-Up Networking phone book entry or a third-party dial-up application. You can also use a dial-up connection as an automatic backup for your VPN connection in the event your broadband Internet connection is disabled.

Alert! Make sure you create your dial-up connection profile using Microsoft Dial-up Networking or your third-party dial-up application before configuring your dial-up VPN connection policy.

1. Create a VPN connection policy using the New Connection Wizard or use an existing VPN connection policy.
2. Right-click the VPN connection policy and select Properties from the menu. The Properties dialog box is displayed.
3. Click the Peers tab.
4. Click Edit. The Peer Information dialog box is displayed.
5. Use the default Automatic option in the Interface Selection menu, if you want the Global VPN Client to automatically determine whether to use the LAN or Dial-Up interface based on availability. If the LAN interface is active, the Global VPN Client uses this interface first. If the LAN interface is not available, the Global VPN Client uses the dial-up connection. If you want this VPN connection policy to use a dial-up connection, select Dial-Up Only from the Interface Selection menu.
6. Click Dial-Up Settings. The Dial-Up Settings dialog box is displayed.
7. If you’re using Microsoft Dial-Up Networking, check Use Microsoft dial-up networking and select the dial-up networking profile from the Phonebook Entry list. Select Do not hang up the modem when disabling this connection, if you want to remain connected to the Internet after disabling the Global VPN Client connection.
8. If you’re using a third-party dial-up application, select Use a third-party dial-up application, and then enter the path for the program in the Application field or click browse ... to locate the program.
9. Click OK three times to return to the SonicWALL Global VPN Client window.


You can open the SonicWALL Global VPN Client window by double-clicking the SonicWALL Global VPN Client icon in the system tray or right-clicking the icon, and selecting Open SonicWALL Global VPN Client.

Alert! Exiting the SonicWALL Global VPN Client from the system tray icon menu disables any active VPN connections.

Tip! You can change the default launch setting for SonicWALL Global VPN Client. See “Specifying Global VPN Client Launch Options” on page 27 for more information.

Tip! You can create a shortcut to automatically launch the SonicWALL Global VPN Client window and make the VPN connection from the desktop, taskbar, or Start menu. See “Creating a VPN Policy Shortcut” on page 26 for more information.

Tip! You can launch the SonicWALL Global VPN Client from the command line. See “Appendix C - Running the Global VPN Client from the Command Line Interface” on page 61 for more information.


Making VPN Connections

Making a VPN connection from the Global VPN Client is easy because the configuration information is managed by the SonicWALL VPN gateway. The SonicWALL administrator sets the parameters for what is allowed and not allowed with the VPN connection policy. For example, for security reasons, the SonicWALL VPN Gateway administrator may not allow multiple VPN connections or the ability to access the Internet or local network while the VPN connection is enabled.

The Global VPN Client supports two IPSec Keying modes: IKE using Preshared Secret and IKE using 3rd Party Certificates. Preshared Secret is the most common form of the IPSec Keying modes. If your VPN connection policy uses 3rd party certificates, you use the Certificate Manager to configure the Global VPN Client to use digital certificates.

A Pre-Shared Key (also called a Shared Secret) is a predefined field that the two endpoints of a VPN tunnel use to set up an IKE (Internet Key Exchange) Security Association. This field can be any combination of alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Your Pre-Shared Key is typically configured as part of your Global VPN Client provisioning. If it is not, you are prompted to enter it before you log on to the remote network.

Accessing Redundant VPN Gateways

The Global VPN Client supports redundant VPN gateways by manually adding the peer in the Peers page of the VPN connection Properties dialog box. See “Peers” on page 32 for more information. The Global VPN Client version 2.1.0.0 (or higher) adds automatic support for redundant VPN gateways if the IPSec gateway’s domain name resolves to multiple IP addresses. For example, if gateway.yourcompany.com resolves to 67.115.118.7, 67.115.118.8 and 67.115.118.9, the Global VPN Client cycles through these resolved IP addresses until it finds a gateway that responds, allowing multiple IP addresses to be used as failover gateways. If all the resolved IP addresses fail to respond, Global VPN Client switches to the next peer, if another peer is specified in the Peers page of the VPN connection Properties dialog box. See “Peers” on page 32 for more information.
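The failover order described under Accessing Redundant VPN Gateways, written out as an added example that is not SonicWALL's code: every address a peer name resolves to is tried before the client moves to the next peer. The resolver table, the `responds` probe and the second peer backup.yourcompany.com (with its 192.0.2.10 address) are constructed for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterator, List, Optional, Sequence, Tuple

Candidate = Tuple[str, str]  # (peer as configured, address to try)

# Constructed DNS data. The first entry is the guide's own example;
# backup.yourcompany.com and 192.0.2.10 are hypothetical.
SAMPLE_DNS = {
    "gateway.yourcompany.com": ["67.115.118.7", "67.115.118.8", "67.115.118.9"],
    "backup.yourcompany.com": ["192.0.2.10"],
}


def resolve_sample(name: str) -> List[str]:
    """Offline stand-in resolver: every address the name maps to."""
    return list(SAMPLE_DNS.get(name, []))


def resolve_system(name: str) -> List[str]:
    """Real lookup through the OS resolver (IKE runs over UDP port 500)."""
    try:
        infos = socket.getaddrinfo(name, 500, type=socket.SOCK_DGRAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def is_ip_literal(peer: str) -> bool:
    """True when the peer was configured as an address, not a name."""
    try:
        ipaddress.ip_address(peer)
        return True
    except ValueError:
        return False


def candidate_order(
    peers: Sequence[str], resolve: Callable[[str], List[str]]
) -> Iterator[Candidate]:
    """Yield (peer, address) in failover order: all resolved addresses of
    the first peer, then all addresses of the next peer, and so on."""
    for peer in peers:
        addresses = [peer] if is_ip_literal(peer) else resolve(peer)
        seen = set()
        for addr in addresses:
            if addr not in seen:  # a resolver may repeat an address
                seen.add(addr)
                yield peer, addr


def select_gateway(
    peers: Sequence[str],
    resolve: Callable[[str], List[str]],
    responds: Callable[[str], bool],
) -> Tuple[Optional[Candidate], List[Candidate]]:
    """Return the first candidate that responds plus everything tried."""
    tried: List[Candidate] = []
    for candidate in candidate_order(peers, resolve):
        tried.append(candidate)
        if responds(candidate[1]):
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    peers = ["gateway.yourcompany.com", "backup.yourcompany.com"]
    reachable = {"67.115.118.9"}  # constructed: only the third gateway is up
    chosen, tried = select_gateway(peers, resolve_sample, lambda a: a in reachable)
    for peer, addr in tried:
        print(f"tried {addr} ({peer})")
    print("selected:", chosen)
```

Running `candidate_order` with `resolve_system` against the gateway name in a deployed policy lists every address the client may contact for that policy, which is the set that has to be a managed gateway.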


Enabling a VPN Connection

Enabling a VPN connection with the SonicWALL Global VPN Client is a transparent two-phase process. Phase 1 enables the connection, which completes the ISAKMP (Internet Security Association and Key Management Protocol) negotiation. Phase 2 is IKE (Internet Key Exchange) negotiation, which establishes the VPN connection for sending and receiving data.

When you enable a VPN connection policy, Enabled appears in the Status column of the SonicWALL Global VPN Client window. When phase 1 completes, Connected appears in the Status column. After phase 2 is completed, a green checkmark is displayed on the VPN connection policy icon. If an error occurs during the VPN connection, Error appears in the Status column.

Note! If the Global VPN Client doesn’t establish the VPN connection, you can use the Log Viewer to view the error messages to troubleshoot the problem. See “Log Viewer” on page 39 for more information.

To establish a VPN connection using a VPN connection policy you created in the Global VPN Client, follow these instructions.

1. Enable a VPN connection policy using one of the following methods:
   • If you selected Enable this connection when the program is launched in the New Connection Wizard, the VPN connection is automatically established when you launch the SonicWALL Global VPN Client.
   • If your VPN connection isn’t automatically established when you launch the Global VPN Client, choose one of the following methods to enable a VPN connection:
     - Double-click the VPN connection policy.
     - Right-click the VPN connection policy icon and select Enable from the menu.
     - Select the VPN connection policy and press Ctrl+B.
     - Select the VPN connection policy, and click the Enable button on the toolbar.
     - Select the VPN connection policy, and then choose File>Enable.
   • If the Global VPN Client icon is displayed in the system tray, right-click the icon and then select Enable>connection policy name. The Global VPN Client enables the VPN connection without opening the SonicWALL Global VPN Client window.
2. Depending on how the VPN connection policy is configured, the Cannot Enable Connection, Enter Pre-Shared Secret, Enter Username and Password, and Connection Warning dialog boxes may be displayed, which are explained in the following sections.


Establishing Multiple Connections

You can have more than one connection enabled at a time, but it depends on the connection policy parameters established at the VPN gateway. If you attempt to enable a subsequent VPN connection with a currently enabled VPN connection policy that does not allow multiple VPN connections, the Cannot Enable Connection message appears, informing you that the VPN connection cannot be made because the currently active VPN policy does not allow multiple active VPN connections. The currently enabled VPN connection policy must be disabled before enabling the new VPN connection.


Entering a Pre-Shared Key

Depending on the attributes for the VPN connection policy, if no default Pre-Shared Key is used, you must have a Pre-Shared Key provided by the gateway administrator in order to make your VPN connection. If the default Pre-Shared Key is not included as part of the connection policy download or file, the Enter Pre-Shared Key dialog box appears to prompt you for the Pre-Shared key before establishing the VPN connection.

1. Type your Pre-Shared Key in the Pre-shared Key field. The Pre-Shared Key is masked for security purposes.
2. If you want to make sure you’re entering the correct Pre-Shared Key, check Don’t hide the pre-shared key. The Pre-Shared Key you enter appears unmasked in the Pre-shared Key field.
3. By default, the Remember this Pre-shared Key setting is checked allowing the Global VPN Client to save the key in an encrypted file to automatically send when enabling the VPN connection. Unchecking this setting displays the Enter Pre-Shared Key dialog box every time you enable the VPN connection to enter the Pre-Shared Key.
4. Click OK.

Selecting a Certificate

If the SonicWALL VPN Gateway requires a Digital Certificate to establish your identity for the VPN connection, the Select Certificate dialog box appears. This dialog box lists all the available certificates installed on your Global VPN Client. Select the certificate from the menu, then click OK. If you have a certificate that has not been imported into the Global VPN Client using Certificate Manager, click Import Certificate.

Note! See “Managing Certificates” on page 38 for more information on using the Certificate Manager.


Username and Password Authentication

The VPN gateway typically specifies the use of XAUTH for determining GroupVPN policy membership by requiring a username and password either for authentication against the gateway’s internal user database or via an external RADIUS service.

If the SonicWALL VPN gateway is provisioned to prompt you for the username and password to enter the remote network, the Enter Username and Password dialog box appears. Type your username and password. If permitted by the gateway, check Remember Username and Password to cache your username and password to automatically log in for future VPN connections. Click OK to continue with establishing your VPN connection.

Connection Warning

If the VPN connection policy allows only traffic to the gateway, the Connection Warning message appears, warning you that only network traffic destined for the remote network at the other end of the VPN tunnel is allowed. Any network traffic destined for the local network interface and the Internet is blocked.

You can disable the Connection Warning message from displaying every time you enable the VPN connection by checking If yes, don’t show this dialog box again. Click Yes to continue with establishing your VPN connection.


Disabling a VPN Connection

Disabling a VPN connection terminates the VPN tunnel. You can disable a VPN connection using any of the following methods:

• Right-click the SonicWALL Global VPN Client icon on the system tray, and choose Disable>connection policy.
• Right-click the VPN connection policy in the SonicWALL Global VPN Client window, and select Disable.
• Select the connection policy, then press Ctrl+B.
• Select the connection policy, and click the Disable button on the toolbar in the SonicWALL Global VPN Client window.

Checking the Status of a VPN Connection

The SonicWALL Global VPN Client includes a variety of indicators to determine the status of your VPN connections. The default Details view lists your VPN connection policies and their respective status: Disabled, Enabled, Connected, or Error.

• A successfully connected VPN policy is indicated by a green check mark on the policy icon.
• A VPN policy that doesn’t successfully complete all phase 2 connections displays a yellow warning on the policy icon.
• A VPN policy that cannot be successfully connected displays an error mark (red x) on the policy icon.
• The SonicWALL Global VPN Client icon in the system tray displays a visual indicator of data passing between the Global VPN Client and the gateway.
• The Status page in the Properties dialog box displays more detailed information about the status of an active VPN connection. To display the Status tab for any VPN connection, use one of the following methods:
  - Double-click the active VPN connection policy.
  - Select the VPN connection policy, then press Ctrl+T.
  - Select the VPN connection policy, then click the Status button on the toolbar.
  - Right-click the VPN connection policy in the SonicWALL Global VPN Client window and select Status.

Tip! For more information on the Status page, see “Status” on page 35.

Creating a VPN Policy Shortcut

To streamline enabling a VPN connection, you can place a VPN connection policy on the desktop, taskbar, or Start menu. You can also place the connection policy at any other location on your system.

To create a shortcut:

1. Select the VPN connection policy you want to create a shortcut for in the SonicWALL Global VPN Client window.
2. Choose File>Create Shortcut and select the shortcut option you want. You can also right-click the VPN connection policy and then choose Create Shortcut>shortcut option.

Tip! You can also create a Desktop shortcut for the SonicWALL Global VPN Client program for easy access to all your VPN policies.


Specifying Global VPN Client Launch Options

You can specify how the SonicWALL Global VPN Client launches and what notification windows appear using the controls in the General tab of the Options dialog box. Choose View>Options to display the Options dialog box.

The General page includes the following settings to control the launch of the Global VPN Client:

• Start this program when I log in - Launches the SonicWALL Global VPN Client when you log into your computer.
• Warn me before enabling a connection that will block my Internet traffic - Activates Connection Warning message notifying you that the VPN connection will block local Internet and network traffic.
• Remember the last window state (closed or open) the next time the program is started - Allows the Global VPN Client to remember the last window state (open or closed) the next time the program is started. For example, a user can launch the Global VPN Client from the system tray without opening a window on the desktop.
• Enable logging of all ISAKMP messages - Enables the Global VPN Client to log and display all ISAKMP activities in the Log Viewer.
• When closing the connections window - Specifies how the Global VPN Client window behaves after closing. The three options include:
  • Minimize the window (restore it from the task bar) - Minimizes the window to taskbar and restores it from the taskbar.
  • Hide the window (re-open it from the tray icon) - The default setting that hides the SonicWALL Global VPN Client window when you close it. You can open the Global VPN Client from the program icon in the system tray. Enabling this setting also displays the Show the notification when I hide the connections window checkbox.
  • Show the notification when I hide the connections window - Checking this box activates the SonicWALL Global VPN Client Hide Notification window whenever you close the Global VPN Client window while the program is still running. The message tells you that the Global VPN Client program continues to run after you close (hide) the window.


SonicWALL Global VPN Client System Tray Icon

When you launch the SonicWALL Global VPN Client window, the program icon appears in the system tray on the taskbar.

This icon provides program and VPN connection status indicators as well as a menu for common SonicWALL Global VPN Client commands. Right-clicking the SonicWALL Global VPN Client icon in the system tray displays a menu of options for managing the program.

• Open SonicWALL Global VPN Client - Opens the program window.
• Enable - Displays a menu of VPN connection policies.
• Disable - Allows you to disable active VPN connections.
• Open Log Viewer - Opens the Log Viewer to view informational and error messages. See page 39 for more information on the Log Viewer.
• Open Certificate Manager - Opens the Certificate Manager. See page 38 for more information on the Certificate Manager.
• Exit - Exits the SonicWALL Global VPN Client window and disables any active VPN connections.

Moving the mouse pointer over the SonicWALL Global VPN Client icon in the system tray displays the number of enabled VPN connections.

Managing VPN Connection Policy Properties

The Connection Properties dialog box includes the controls for configuring a specific VPN connection profile. To open the Connection Properties dialog box, choose one of the following methods:

• Select the connection policy and choose File>Properties.
• Right-click the connection policy and select Properties.
• Select the connection policy and click the Properties button on the SonicWALL Global VPN Client window toolbar.

The Connection Properties dialog box includes the General, User Authentication, Peers and Status tabs.


General

The General page in the Connection Properties dialog box includes the following settings:

Name - Displays the name of your VPN connection policy.

Description - Displays a pop-up text about the connection policy. The text appears when your mouse pointer moves over the VPN connection policy.

Attributes - Defines the status of Tunnel All support. These settings are controlled at the SonicWALL VPN gateway.

Other traffic allowed - If enabled, your computer can access the local network or Internet connection while the VPN connection is active.

Default traffic tunneled to peer - If activated, all network traffic not routed to the SonicWALL VPN gateway is blocked. When you enable the VPN connection with this feature active, the Connection Warning message appears.

Use virtual IP address - Allows the VPN Client to get its IP address via DHCP through the VPN tunnel from the gateway.

Enable this connection when the program is launched - Establishes the VPN connection policy as the default VPN connection when you launch the SonicWALL Global VPN Client.

Immediately establish security when connection is enabled - Negotiates the first phase of IKE as soon as the connection is enabled instead of waiting for network traffic transmission to begin. This setting is enabled by default.

Automatically reconnect when an error occurs - With this feature enabled, if the Global VPN Client encounters a problem connecting to the peer, it keeps retrying to make the connection. This feature allows a Global VPN Client to make a connection to a VPN connection that is temporarily disabled, without manual intervention. If the connection error is due to an incorrect configuration, such as the DNS or IP address of the peer gateway, then the connection must be manually corrected. Check the Log Viewer to determine the problem and then edit the connection. This option is enabled by default. If an error occurs with this option disabled during an attempted connection, the Global VPN Client logs the error, displays an error message dialog box, and stops the connection attempt.

Automatically reconnect when waking from sleep or hibernation - Automatically re-enables the VPN connection policy after the computer wakes from a sleep or hibernation state. This setting is disabled by default.

Execute logon script when connected - Allows the Global VPN Client to perform domain authentication after logging into the SonicWALL VPN Gateway and establishing a secure tunnel.


User Authentication

The User Authentication page allows you to specify a username and password when user authentication is required by the gateway. If the SonicWALL VPN gateway does not support the saving (caching) of a username and password, the settings in this page are not active and the message The peer does not allow saving of username and password appears at the bottom of the page.

• Remember my username and password - Enables the saving of your username and password for connecting to the SonicWALL VPN gateway.
• Username - Enter the username provided by your gateway administrator.
• Password - Enter the password provided by your gateway administrator.


Peers

The Peers page allows you to specify an ordered list of VPN gateway peers that this connection policy can use (multiple entries allow a VPN connection to be established through multiple VPN gateways). An attempt is made to establish a VPN connection to the given VPN gateway peers in the order they appear in the list.

• To add a peer, click Add. In the Peer Information dialog box, enter the IP address or DNS Name in the IP Address or DNS Name box, then click OK.
• To edit a peer entry, select the peer name and click Edit. In the Peer Information dialog box, make your changes, then click OK.
• To delete a peer entry, select the peer entry and click Remove.


Peer Information Dialog Box

The Peer Information dialog box allows you to add or edit peer information.

• IP Address or DNS Name - Specifies the peer VPN gateway IP address or DNS name.
• Use the default gateway as the peer IP address - Specifies the default gateway as the peer IP address.
• Detect when this peer stops responding - Automatically initiates VPN connection again if the VPN gateway does not respond for three consecutive heart beats. The Global VPN Client exchanges “heart beat” packets to detect if the peer gateway is alive. This setting is enabled by default.
• DPD Settings - Displays the Dead Peer Detection Settings dialog box.
  • Check for dead peer every - Choose from 5, 10, 15, 20, 25, or 30 seconds.
  • Assume peer is dead after - Choose from 3, 4, or 5 Failed Checks.
  • Specify the conditions under which DPD packets will be sent - Choose either Only when no traffic is received from the peer or whether or not traffic is received from the peer.
• NAT Traversal - Choose one of the following three menu options:
  • Automatic - Automatically determines whether NAT traversal is forced on or disabled.
  • Forced On - Forces the use of UDP encapsulation of IPSec packets even when there is no NAPT/NAT device in between the peers.
  • Disabled - Disables use of UDP encapsulation of IPSec packets between the peers.
• Interface Selection - Defines the interface used by this VPN connection policy.
  • Automatic - Automatically determines the availability of each interface beginning with the LAN interface. If the LAN interface is not available, the Global VPN Client uses the Dial-Up interface.
  • LAN Only - Defaults to the LAN interface only.
  • Dial-Up Only - Defaults to the Dial-Up interface only.
• LAN Settings - Displays the LAN Settings dialog box for specifying the setting used when this connection is enabled over the LAN. Type the IP address in the Next Hop IP Address field to specify the IP address of a different route than the default route. Leaving the setting as zeros instructs the Global VPN Client to use the default route.
• Dial-Up Settings - Displays the Dial-Up Settings dialog box, which allows you to select the dial-up profile to use when making a dial-up VPN connection.
  • Use Microsoft dial-up networking - Uses the Microsoft dial-up networking profile you specify for making the VPN connection. Select the Dial-up networking profile from the Phonebook Entry list. Check Do not hang up the modem when disabling this connection to keep the dial-up network connection active after disabling the VPN connection.
  • Use a third-party dial-up application - Select this option to use a third-party dial-up program. Type the path in the Application field or use the browse ... button to locate the program.


• Advanced Packet Transmission Settings - Allows manual configuration of the timeout value and retries for IKE negotiations.
  • Don’t send packets until a local IP address is available - Delays sending packets until a local IP address becomes available.
  • Response Timeout (in seconds) - Specifies a timeout value for the VPN connection attempt.
  • Maximum Send Attempts - Specifies the number of IKE negotiation retries.

Status

The Status page shows the current status of the connection.

• Connection
  • Status - Indicates whether VPN connection policy is enabled or disabled.
  • Peer IP Address - Displays the IP address of the VPN connection peer.
  • Duration - Displays connection time.
  • Details - Displays the Connection Status Details dialog box, which specifies the negotiated phase 1 and phase 2 parameters as well as the status of all individual phase 2 SAs.
• Activity
  • Packets - Displays number of packets sent and received through VPN tunnel.
  • Bytes - Displays number of bytes sent and received through VPN tunnel.
  • Reset - Resets the status information.
• Virtual IP Configuration
  • IP Address - The IP address assigned via DHCP through the VPN tunnel from the VPN gateway.
  • Subnet Mask - The subnet of the peer.
  • Renew - Renews DHCP lease information.


Managing VPN Connection Policies

The SonicWALL Global VPN Client supports as many VPN connection policies as you need. To help you manage these connection policies, the Global VPN Client provides the following connection policy management tools.

Displaying Connection Policies

You can display VPN connection policy icons using standard Windows icon display modes by choosing Large Icons, Small Icons, List, or Details from the View menu in the SonicWALL Global VPN Client window.

The default Details view provides a handy view of your VPN connection profiles including their gateway IP addresses or FQDNs as well as the status of the connection policies (Disabled, Enabled, Connected, or Error).

Arranging Connection Policies

Over time, as the number of VPN connection policies in the SonicWALL Global VPN Client window increases, you may want to arrange them for quicker access. You can arrange your VPN connection policies in the SonicWALL Global VPN Client window by choosing View>Arrange Icons by. You can arrange VPN connection profiles by:

• Name - Sorts connection policies by name.
• Peer - Sorts connection policies by gateway IP address.
• Status - Sorts connection policies by connection status.
• Ascending - Sorts Name, Gateway, or Status arrangements in ascending order. If unchecked, policy arrangements are sorted in descending order.

The default arrangement is by Name in Ascending order.

Renaming a Connection Policy

To rename a connection policy, select the policy and click the Rename button on the toolbar or choose File>Rename, then type in the new name. You can also right-click the connection policy and choose Rename from the menu.

Deleting a Connection Policy

To delete a connection policy, select the policy, press Del or choose File>Delete. You can also right-click the policy name and choose Delete. You cannot delete an active VPN connection. Disable the VPN connection, then delete it.

Selecting All Connection Policies

Choosing View>Select All or pressing Ctrl+A selects all the connection policies in the SonicWALL Global VPN Client window.


Managing Certificates

The Certificate Manager allows you to manage digital certificates used by the SonicWALL Global VPN Client for VPN connections. If your VPN gateway uses digital certificates, you must import the CA and Local Certificates into the Certificate Manager.

To open the Certificate Manager, click the Certificate Manager button on the SonicWALL Global VPN Client window toolbar, choose View>Certificate Manager, or press Ctrl+M.

The left pane of the Certificate Manager window lists the active Local and CA certificates currently used by your VPN policies. User Certificates list the local digital certificates used to establish the VPN Security Association. CA Certificates list the digital certificates used to validate the user certificates.

• Click on the certificate in the left pane to display the certificate information in the right pane.
• Click the Import button on the toolbar, press Ctrl+I, or choose File>Import Certificate to display the Import Certificate window to import a certificate file.
• Click the Delete button on the toolbar, press Del, or choose File>Delete Certificate to delete the selected certificate.
• Choose View>Toolbar to hide the toolbar.
• Choose View>Status Bar to hide the status bar.

Tip! For more information on using certificates for your VPN on the SonicWALL, see the SonicWALL Administrator’s Guide.


Troubleshooting SonicWALL Global VPN Client

The SonicWALL Global VPN Client provides tools for troubleshooting your VPN connections. This section explains using Log Viewer, generating a Help Report, accessing SonicWALL’s Support site, using the SonicWALL Global VPN Client help system, and uninstalling the Global VPN Client.

Log Viewer

The SonicWALL Global VPN Client Log Viewer window displays messages about Global VPN Client activities. The Log Viewer window displays the type of message (Information, Error, or Warning), the peer IP address or FQDN, and the date and time the message was generated.

Note! You can enable the logging of all ISAKMP messages in the Log Viewer by selecting View>Options, and then on the General page, selecting Enable logging of all ISAKMP messages.

You can save a current log to a .txt file. When you save the current log to a file, the Global VPN Client automatically adds a Help Report containing useful information regarding the condition of the SonicWALL Global VPN Client as well as the system it’s running on for troubleshooting. The Help Report information is inserted at the beginning of the log file. See “Generating a Help Report” on page 42 for more information.

Tip! See “Appendix E - Log Viewer Messages” on page 63 for a complete listing of Log Viewer messages.

To open the Log Viewer window, click the Log Viewer button on the Global VPN Client window toolbar, or choose View>Log Viewer, or press Ctrl+L.


The Log Viewer provides the following features to help you manage log messages:

• To save a current log to a .txt file, click the Save button on the toolbar, press Ctrl+S, or choose File>Save. When you save a Log Viewer file, the Global VPN Client automatically adds a report containing useful information regarding the condition of the SonicWALL Global VPN Client as well as the system it’s running on.
• To enable or disable message capturing, click the Capture button on the toolbar, press Ctrl+M, or choose View>Stop Capturing Messages or View>Start Capturing Messages.
• To start or stop automatic scrolling of messages to the latest message, click the Auto Scroll button on the toolbar, press Ctrl+T, or choose View>Start Auto Scroll or View>Stop Auto Scroll.
• To select all messages, press Ctrl+A or choose Edit>Select All.
• To copy log contents for pasting into another application, select the messages you want to copy, then click the Copy button on the toolbar, press Ctrl+C, or choose Edit>Copy.
• To clear current log information, click the Clear button on the toolbar, press Ctrl+X, or choose Edit>Clear.
• To specify the message display level from All Messages to Filtered Messages, click the Filtered Messages button on the toolbar. You can also choose View>Show All Message or View>Show Filtered Messages.
• To remove redundant messages from displaying, choose View>Ignore Redundant Messages or press Ctrl+I.
• To hide the toolbar in the Log Viewer window, choose View>Toolbar.
• To hide the status bar in the Log Viewer window, choose View>Status Bar.


Setting Up Log Files

The Auto-Logging tab in the Options dialog box specifies the settings to use when automatically logging messages to a file. Log files are saved as text files (.txt). To access Auto-Logging from the SonicWALL Global VPN Client window, choose View>Options, then click the Auto-Logging tab.

• Enable auto-logging - Enables auto-logging to a file.
• Enter the name of the auto-log file - Specifies the file to save the logging messages. Clicking on the ... button allows you to specify the location of your auto-log file.
• View Auto-Log File - Displays the entire log file up to 71,000 lines.
• Set size limit on auto-log file - Activates a maximum size limit for the log file.
• Maximum auto-log file size - Specifies the maximum file size in KB or MB.
• When auto-log size limit is reached - Instructs Auto-logging what to do when log file size is reached.
  • Ask me what to do - Prompts you when the log file reaches maximum size to choose either Stop auto-logging or Overwrite auto-log file.
  • Stop auto-logging - Stops auto-logging when maximum file size is reached.
  • Overwrite auto-log file - Overwrites existing auto-log file after maximum file size is reached.


Generating a Help Report

Choosing Help>Generate Report in the SonicWALL Global VPN Client window displays the SonicWALL Global VPN Client Report dialog box.

Generate Report creates a report containing useful information for getting help in solving any problems you may be experiencing. The report contains information regarding the condition of the SonicWALL Global VPN Client as well as the system it’s running on.

Information in this report includes:

• Version information
• Drivers
• System information
• IP addresses
• Route table
• Current log messages

To view the report in the default text editor window, click View.
To save the report to a text file, click Save As.
To send the report via e-mail, click Send.
To close the report window without taking any action, click Don’t Send.


Technical Support

Selecting Help>Technical Support accesses the SonicWALL Support site (www.sonicwall.com/support). The SonicWALL Support site offers a full range of support services including extensive online resources and information on SonicWALL’s enhanced support programs.

Help Topics

Selecting Help>Help Topics displays the SonicWALL Global VPN Client help system window. You can access help topics using the following options:

• Contents - Displays help in a table of contents view.
• Index - Displays help in an alphabetical topic view.
• Search - Allows you to search the help system using keywords.

Uninstalling the SonicWALL Global VPN Client

You can easily uninstall the SonicWALL Global VPN Client and choose to save or delete your VPN connection policies as part of the uninstall process.

To uninstall the SonicWALL Global VPN Client:

Alert! You must exit the SonicWALL Global VPN Client before uninstalling the program.

1. Launch the Windows Control Panel.
2. Double-click Add/Remove Programs.
3. Select SonicWALL Global VPN Client and then click Change/Remove. The SonicWALL Global VPN Client Setup Wizard appears.
4. In the Confirm File Deletion dialog box, click OK to confirm the removal of the SonicWALL Global VPN Client.
5. Choose Delete all individual user profiles if you want to delete all your existing VPN connection profiles. If you leave this setting unchecked, the VPN connection profiles are saved and appear again when you install the SonicWALL Global VPN Client at another time.
6. Choose Retain MAC Address if you want to retain the same SonicWALL VPN Adapter MAC address the next time you install the Global VPN Client. Click Next.

Alert! If you upgraded SonicWALL Global VPN Client from 1.0 to 2.0 by installing Global VPN Client 2.0 over Global VPN Client 1.0, selecting the Retain MAC Address checkbox does not retain the MAC address of the SonicWALL Virtual Adapter.

7. After the Global VPN Client is removed, select Yes, I want to restart my computer now, and then click Finish.


Configuring SonicWALL VPN Gateways for Global VPN Clients

SonicWALL’s GroupVPN Security Association (SA) provides the automatic provisioning of SonicWALL Global VPN Client from the SonicWALL Internet Security Appliance. The GroupVPN security association (SA) is only available for SonicWALL Global VPN Clients.

SonicWALL GroupVPN supports two IPSec keying modes: IKE using shared secret and IKE using 3rd Party Certificates.

Once you create the GroupVPN SA, you configure GroupVPN to automatically provision SonicWALL Global VPN Clients by downloading the policy, or exporting the policy file for manual installation in the SonicWALL Global VPN Client.

Note! For information on configuring GroupVPN on the SonicWALL to support SonicWALL Global VPN Client, refer to the Administrator’s Guide for your SonicWALL. All SonicWALL product documentation is available at www.sonicwall.com.

SonicWALL Global VPN Client Licenses

Global VPN Client Licensing is based on the number of simultaneous Global VPN Client connections to a SonicWALL. If the number of simultaneous Global VPN Client connections is exceeded, the SonicWALL does not allow any additional Global VPN Client connections. Once the number of simultaneous Global VPN Client connections drops below the license limit, new Global VPN connections can be established.

VPN Connections Supported by Each SonicWALL Model

Table 1 lists the number of Security Associations each SonicWALL model supports. An SA refers to all the settings needed to create a single VPN tunnel. A VPN tunnel can be a Global VPN Client to SonicWALL VPN connection or a SonicWALL to SonicWALL connection for LAN to LAN connections. The SAs supported by each SonicWALL Internet Security Appliance model are the maximum number of simultaneous VPN connections that can be supported at any one time.

You can purchase Global VPN Client software from SonicWALL, your reseller, or online at mysonicwall.com. For more information on purchasing the Global VPN Client, see www.sonicwall.com/products/vpnglobal.html.


Table 1: IPSec VPN and Global VPN Client Support by SonicWALL Model

SonicWALL Model | SAs Supported | IPSec VPN and Global VPN Clients
TELE3 / TELE3 TZ / TELE TZX | 5 | Includes IPSec VPN. Requires Global VPN Client license.
TELE3 SP | 10 | Includes IPSec VPN. Requires Global VPN Client license.
TZ 170 (10 Node) / TZ 170 (25 Nodes) / TZ 170 (Unrestricted Nodes) | 5 / 50 / 50 | Requires IPSec VPN Upgrade (TZ 170 10 Node Only). Requires Global VPN Client license.
SOHO3/10 / SOHO3/25 / SOHO3/50 | 10 | Requires IPSec VPN Upgrade (SOHO 3/10 Only). Requires Global VPN Client license.
SOHO TZW | 50 | Includes IPSec VPN and Global VPN Clients for WLAN. Requires Global VPN Client license for WAN VPN access.
PRO 100 | 50 | Includes IPSec VPN and 1 Global VPN Client license.
PRO200/230 | 500 | Includes IPSec VPN and 10 Global VPN Client licenses.
PRO 300/330 | 1,000 | Includes IPSec VPN and 200 Global VPN Client licenses.
PRO 2040 | 50 | Includes IPSec VPN and 10 Global VPN Client licenses.
PRO 3060 | 1,000 | Includes IPSec VPN and 25 Global VPN Client Licenses.
PRO 4060 | 3,000 | Includes IPSec VPN and 1,000 Global VPN Client Licenses.
GX250 | 5,000 | Includes IPSec VPN and 5,000 Global VPN Client licenses.
GX650 | 10,000 | Includes IPSec VPN and 10,000 Global VPN Client licenses.

Activating Your SonicWALL Global VPN Clients

In order to activate and download your SonicWALL Global VPN Client software, you must have a valid mysonicwall.com account and your SonicWALL product must be registered to your account. If you do not have a mysonicwall.com account, or if you have not registered your product to your account, create an account and then follow the registration instructions at http://www.mysonicwall.com.

To activate your Global VPN Client license:

1. Log in to your mysonicwall.com account.
2. Select the registered SonicWALL Internet Security Appliance.
3. Select Global VPN Client from the Applicable Services menu.
4. Select Activate.
5. Type in your activation key in the Activation Key field.
6. Click Submit.

Upon successful activation, a confirmation message will be displayed. For future reference, record the Serial Number of the SonicWALL product. Your license activation is now complete.

Downloading Global VPN Client Software and Documentation

1. In the My Products page, click the name of your SonicWALL on which the Global VPN Client license is activated.
2. Select Software Download. If this service is not already activated, click on Agree to activate it.
3. Download the SonicWALL Global VPN Client software and documentation.


SOFTWARE LICENSE AGREEMENT FOR SONICWALL GLOBAL VPN CLIENT

This Software License Agreement (SLA) is a legal agreement between you and SonicWALL, Inc. (SonicWALL) for the SonicWALL software product identified above, which includes computer software and any and all associated media, printed materials, and online or electronic documentation (SOFTWARE PRODUCT). By opening the sealed package(s), installing, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this SLA. If you do not agree to the terms of this SLA, do not open the sealed package(s), install or use the SOFTWARE PRODUCT. You may however return the unopened SOFTWARE PRODUCT to your place of purchase for a full refund.

• The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as by other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold.
• Title to the SOFTWARE PRODUCT licensed to you and all copies thereof are retained by SonicWALL or third parties from whom SonicWALL has obtained a licensing right. You acknowledge and agree that all right, title, and interest in and to the SOFTWARE PRODUCT, including all associated intellectual property rights, are and shall remain with SonicWALL. This SLA does not convey to you an interest in or to the SOFTWARE PRODUCT, but only a limited right of use revocable in accordance with the terms of this SLA.
• The SOFTWARE PRODUCT is licensed as a single product. Its component parts may not be separated for use on more than one computer.
• You may install and use one copy of the SOFTWARE PRODUCT, or any prior version for the same operating system, on a single computer.
• You may also store or install a copy of the SOFTWARE PRODUCT on a storage device, such as a network server, used only to install or run the SOFTWARE PRODUCT on your other computers over an internal network. However, you must acquire and dedicate a license for each separate computer on which the SOFTWARE PRODUCT is installed or run from the storage device. A license for the SOFTWARE PRODUCT may not be shared or used concurrently on different computers.
• You may not resell, or otherwise transfer for value, the SOFTWARE PRODUCT.
• You may not rent, lease, or lend the SOFTWARE PRODUCT.
• You may permanently transfer all of your rights under this SLA, provided you retain no copies, you transfer all of the SOFTWARE PRODUCT (including all component parts, the media and printed materials, any upgrades, and this SLA); the recipient agrees to the terms of this SLA; and you obtain prior written consent from SonicWALL. If the SOFTWARE PRODUCT is an upgrade, any transfer must include all prior versions of the SOFTWARE PRODUCT.


• The SOFTWARE PRODUCT is trade secret or confidential information of SonicWALL or its licensors. You shall take appropriate action to protect the confidentiality of the SOFTWARE PRODUCT. You shall not reverse-engineer, de-compile, or disassemble the SOFTWARE PRODUCT, in whole or in part. The provisions of this section will survive the termination of this SLA.

LICENSE

SonicWALL grants you a non-exclusive license to use the SOFTWARE PRODUCT for SonicWALL Internet Security Appliances.

OEM - If the SOFTWARE PRODUCT is modified and enhanced for a SonicWALL OEM partner, you must adhere to the software license agreement of the SonicWALL OEM partner.

EXPORTS LICENSE

Licensee will comply with, and will, at SonicWALL's request, demonstrate such compliance with all applicable export laws, restrictions, and regulations of the U.S. Department of Commerce, the U.S. Department of Treasury and any other U.S. or foreign agency or authority. Licensee will not export or re-export, or allow the export or re-export of any product, technology or information it obtains or learns pursuant to this Agreement (or any direct product thereof) in violation of any such law, restriction or regulation, including, without limitation, export or re-export to Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria or any other country subject to applicable U.S. trade embargoes or restrictions, or to any party on the U.S. Export Administration Table of Denial Orders or the U.S. Department of Treasury List of Specially Designated Nationals, or to any other prohibited destination or person pursuant to U.S. law, regulations or other provisions.

SUPPORT SERVICES

SonicWALL may provide you with support services related to the SOFTWARE PRODUCT ("Support Services"). Use of Support Services is governed by the SonicWALL policies and programs described in the user manual, in "online" documentation, and/or in other SonicWALL-provided materials. Any supplemental software code provided to you as part of the Support Services shall be considered part of the SOFTWARE PRODUCT and subject to terms and conditions of this SLA. With respect to technical information you provide to SonicWALL as part of the Support Services, SonicWALL may use such information for its business purposes, including for product support and development. SonicWALL shall not utilize such technical information in a form that identifies its source.

UPGRADES

If the SOFTWARE PRODUCT is labeled as an upgrade, you must be properly licensed to use a product identified by SonicWALL as being eligible for the upgrade in order to use the SOFTWARE PRODUCT. A SOFTWARE PRODUCT labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the upgrade. You may use the resulting upgraded product only in accordance with the terms of this SLA. If the SOFTWARE PRODUCT is an upgrade of a component of a package of software programs that you licensed as a single product, the SOFTWARE PRODUCT may be used and transferred only as part of that single product package and may not be separated for use on more than one computer.

COPYRIGHT

All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and "applets" incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by SonicWALL or its suppliers/licensors. The SOFTWARE PRODUCT is protected by copyright laws and international treaty provisions. Therefore, you must treat the SOFTWARE PRODUCT like any other copyrighted material except that you may install the SOFTWARE PRODUCT on a single computer provided you keep the original solely for backup or archival purposes. You may not copy the printed materials accompanying the SOFTWARE PRODUCT.

U.S. GOVERNMENT RESTRICTED RIGHTS

If you are acquiring the Software including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense ("DOD"), the Software is subject to "Restricted Rights", as that term is defined in the DOD Supplement to the Federal Acquisition Regulations ("DFAR") in paragraph 252.227-7013(c)(1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government's rights in the Software will be as defined in paragraph 52.227-19(c)(2) of the Federal Acquisition Regulations ("FAR"). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

MISCELLANEOUS

This SLA represents the entire agreement concerning the subject matter hereof between the parties and supersedes all prior agreements and representations between them. It may be amended only in writing executed by both parties. This SLA shall be governed by and construed under the laws of the State of California as if entirely performed within the State and without regard for conflicts of laws. Should any term of this SLA be declared void or unenforceable by any court of competent jurisdiction, such declaration shall have no effect on the remaining terms hereof. The failure of either party to enforce any rights granted hereunder or to take action against the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent actions in the event of future breaches.

TERMINATION

This SLA is effective upon your opening of the sealed package(s), installing or otherwise using the SOFTWARE PRODUCT, and shall continue until terminated. Without prejudice to any other rights, SonicWALL may terminate this SLA if you fail to comply with the terms and conditions of this SLA. In such event, you agree to return or destroy the SOFTWARE PRODUCT (including all related documents and components items as defined above) and any and all copies of same.


LIMITED WARRANTY

SonicWALL warrants that a) the SOFTWARE PRODUCT will perform substantially in accordance with the accompanying written materials for a period of ninety (90) days from the date of receipt, and b) any Support Services provided by SonicWALL shall be substantially as described in applicable written materials provided to you by SonicWALL. Any implied warranties on the SOFTWARE PRODUCT are limited to ninety (90) days. Some states and jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you.

CUSTOMER REMEDIES

SonicWALL's and its suppliers' entire liability and your exclusive remedy shall be, at SonicWALL's option, either a) return of the price paid, or b) repair or replacement of the SOFTWARE PRODUCT that does not meet SonicWALL's Limited Warranty and which is returned to SonicWALL with a copy of your receipt. This Limited Warranty is void if failure of the SOFTWARE PRODUCT has resulted from accident, abuse, or misapplication. Any replacement SOFTWARE PRODUCT shall be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. Outside of the United States, neither these remedies nor any product Support Services offered by SonicWALL are available without proof of purchase from an authorized SonicWALL international reseller or distributor.

NO OTHER WARRANTIES

To the maximum extent permitted by applicable law, SonicWALL and its suppliers/licensors disclaim all other warranties and conditions, either express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement, with regard to the SOFTWARE PRODUCT, and the provision of or failure to provide Support Services. This Limited Warranty gives you specific legal rights. You may have others, which vary from state/jurisdiction to state/jurisdiction.

LIMITATION OF LIABILITY

To the maximum extent permitted by applicable law, in no event shall SonicWALL or its suppliers/licensors be liable for any damages (including without limitation special, incidental, indirect, or consequential) whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use the SOFTWARE PRODUCT or the provision of or failure to provide Support Services, even if SonicWALL has been advised of the possibility of such damages. In any case, SonicWALL's entire liability under any provision of this SLA shall be limited to the greater of the amount actually paid by you for the SOFTWARE PRODUCT or U.S. $10.00; provided, however, if you have entered into a SonicWALL Support Services Agreement, SonicWALL's entire liability regarding Support Services shall be governed by the terms of that agreement. Because some states and jurisdictions do not allow the exclusion or limitation of liability, the above limitation may not apply to you.


SonicWALL Global VPN Client Support

SonicWALL’s comprehensive support services protect your network security investment and offer the support you need - when you need it. SonicWALL Global VPN Client support is included as part of the support program of your SonicWALL Internet Security Appliance.

For more information on SonicWALL Support Services, please visit www.sonicwall.com/support/.

You can purchase/activate SonicWALL Support Services through your mySonicWALL.com account at www.mysonicwall.com.

For Web based technical support, please visit www.sonicwall.com/support/.


Appendix A - Creating and Deploying the Default.rcf File for Global VPN Clients

The default.rcf file allows the SonicWALL VPN Gateway administrator to create and distribute preconfigured VPN connections for SonicWALL Global VPN Clients. The SonicWALL VPN Gateway administrator can distribute the default.rcf file with the Global VPN Client software to automatically create preconfigured VPN connections for streamlined deployment.

The VPN connections created from the default.rcf file appear in the SonicWALL Global VPN Client window. The Global VPN Client user simply enables the VPN connection and after XAUTH authentication with a username and password, the policy download is automatically completed.

How the Global VPN Client uses the default.rcf File

When the Global VPN Client starts up, the program always looks for the SonicWALL Global VPN Client.rcf file in the C:\Documents and Settings\\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory. If this file does not exist, the Global VPN Client looks for the default.rcf file in the C:\Program Files\SonicWALL\SonicWALL Global VPN Client\ directory.

The Global VPN Client reads the default.rcf file, if it exists, and creates the SonicWALL Global VPN Client.rcf file in the C:\Documents and Settings\\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory. The encrypted SonicWALL Global VPN Client.rcf file contains all the VPN connection configuration information for the SonicWALL Global VPN Client.


Deploying the default.rcf File

There are three ways to deploy the default.rcf file for your SonicWALL Global VPN Clients.

Include the default.rcf File with the Global VPN Client Software

After you create the default.rcf file, you can include it with the SonicWALL Global VPN Client software. When the user installs the Global VPN Client program, the SonicWALL Global VPN Client.rcf file is automatically created in the C:\Documents and Settings\\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory based on the settings defined in the default.rcf file. This is the easiest method for Global VPN Client users.

Alert! The default.rcf file must be included in the default Global VPN Client installation directory C:\Program Files\SonicWALL\SonicWALL Global VPN Client\ for the program to write the SonicWALL Global VPN Client.rcf file based on the settings defined in the default.rcf file.

Add the default.rcf file to the Default Global VPN Client Directory

If the Global VPN Client software is installed without VPN connections, the user can add the default.rcf file to the default Global VPN Client installation directory C:\Program Files\SonicWALL\SonicWALL Global VPN Client\. When the user launches the Global VPN Client, the SonicWALL Global VPN Client.rcf file is created in the C:\Documents and Settings\\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory based on the default.rcf file settings.

Replace the Existing SonicWALL Global VPN Client.rcf File

If the Global VPN Client is installed with VPN connections, the user can remove the SonicWALL Global VPN Client.rcf file from the C:\Documents and Settings\\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory and add the default.rcf file to the default Global VPN Client installation directory C:\Program Files\SonicWALL\SonicWALL Global VPN Client\. When the user launches the Global VPN Client, the SonicWALL Global VPN Client.rcf file is created in the C:\Documents and Settings\\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory based on the default.rcf file settings.

Alert! You cannot copy the SonicWALL Global VPN Client.rcf file created from the settings defined in the default.rcf file for one Global VPN Client to replace an existing SonicWALL Global VPN Client.rcf file of another Global VPN Client.

Alert! Removing an existing SonicWALL Global VPN Client.rcf file will remove the VPN connections created in the Global VPN Client. These VPN connections can be added again from the Global VPN Client into the new SonicWALL Global VPN Client.rcf file.


Creating the default.rcf File

You can create your custom default.rcf file from any text editor, such as Windows Notepad.


Default.rcf File Tag Descriptions

The following describes the tags used in the default.rcf file.

• Defines the connection profiles in the Default.rcf configuration file. There is no hard limit defined on the number of connection profiles allowed.
• Provides a name for the VPN connection that appears in the Global VPN Client window.
• description text - Provides a description for each connection profile that appears when the user moves the mouse pointer over the VPN Policy in the Global VPN Client window. The maximum number of characters for the tag is 1023.
• Off=0/On=1 - Enables this connection when program is launched.
• Off=0/On=1 - Starts IKE negotiation as soon as the connection is enabled without waiting for network traffic. If disabled then only traffic to the destination network(s) will initiate IKE negotiations.
• Off=0/On=1 - Enables the connection when computer is coming out of sleep or hibernation.
• Disable=0/Enable=1 - Forces launch login script.
• Defines the peer settings for a VPN connection. A VPN connection can support up to 5 peers.
• IP Address/Domain Name - The IP address or Domain name of the SonicWALL gateway.
• Off=0/On=1 - Enables detection if the Peer stops responding to traffic. This will send Vendor ID to the SonicWALL during IKE negotiation to enable Dead peer detection heart beat traffic.
• Off=0/On=1 - Forces NAT traversal even without a NAT device in the middle. Normally NAT devices in the middle are automatically detected and UDP encapsulation of IPSEC traffic starts after IKE negotiation is complete.
• IP Address - The IP Address of the next hop for this connection. This is ONLY used if there is a need to use a next hop that is different from the default gateway.
• 3 - Defines timeout value in seconds for packet retransmissions. The minimum value is 1 second and the maximum value is 10 seconds.
• 3 - Number of times to retry packet retransmissions before the connection is considered as dead. The minimum value is 1 and the maximum value is 10.
• Connection automatically selected based on link and IP detection=0/Connection always uses LAN=1/Connection always uses Dial-Up=2 - Forces the interface selection for the VPN connection.
• For redundant gateways on this connection, repeat all the tags under . There can be up to 5 redundant gateways for each connection.
• Defines the end of each connection profile in the configuration file.
• Defines the end of all connection profiles in the Default.rcf file.

Sample Default.rcf File

The following is an example of a Default.rcf file. This file includes two VPN connections: Corporate Firewall and Overseas Office. The Corporate Firewall connection configuration includes two peer entries for redundant VPN connectivity.

(Defines the first connection)
This is the corporate firewall. Call 1-800-fix-today for problems with connections.
010
(Defines the first VPN peer)
10.0.79.101100.0.0.033
(Defines the second VPN peer)
Redundant.acme.com100.0.0.033
(Defines the second connection profile)
This is the firewall to connect when travelling overseas.
01010.0.79.101100.0.0.033


Appendix B - SonicWALL Global VPN Client Installation using the InstallShield Silent Response File

A normal (non-silent) installation of the SonicWALL Global VPN Client receives the necessary input from the user in the form of responses to dialog boxes. However, a silent installation does not prompt the user for input. A silent installation must get its user input from a different source. That source is the InstallShield Silent Response File (.iss file). This response file contains the information that an end user would enter as responses to dialog boxes when running a normal setup. A silent setup reads the necessary input from the response file at run time. The following instructions explain how to create and execute a silent installation of the SonicWALL Global VPN Client.

Creating the Silent Installation

The format of response files resembles that of an .ini file, but the response file has an .iss extension. A response file is a plain text file consisting of sections containing data entries. To create a response file, simply run the setup with the -r command line parameter:

Setup.exe -r

Setup records all your installation choices in Setup.iss and places the file in the Windows folder. To use this response file in a normal installation, copy it into the default install location (normally Disk1 or the same folder as Setup.ins).

Playing Back the Silent Installation

After you have created the installation and the response file, you are ready to run the Global VPN Client installation in silent mode. When running an installation in silent mode, be aware that no messages are displayed. Instead, a log file Setup.log captures installation information, including whether the installation was successful. You can review the log file and determine the result of the installation.

To launch the silent setup, run setup with the -s command line parameter:

Setup.exe -s

By default, setup looks for the response file in its default location (normally Disk1 or the same folder as Setup.ins). You can specify a different response file using the -f1 command line parameter:

Setup.exe -s -f1


To verify if a silent installation succeeded, look at the ResultCode value in the [ResponseResult] section of Setup.log. InstallShield writes an appropriate return value after the ResultCode keyname.

Using Setup.log to Check for Errors

Setup.log is the default name for the silent installation log file, and its default location is Disk1 (in the same folder as Setup.ins). You can specify a different name and location for the setup log file using the -f2 command line parameter:

Setup.exe -s -f2

The Setup.log file contains three sections:

• The first section, [InstallShield Silent], identifies the version of InstallShield Silent used in the silent installation. It also identifies the file as a log file.
• The second section, [Application], identifies the installed application's name and version, and the company name.
• The third section, [ResponseResult], contains the result code indicating whether or not the silent installation succeeded. An integer value is assigned to the ResultCode keyname in the [ResponseResult] section. The silent setup places one of the following return values after the ResultCode keyname:

0     Success
-1    General error
-2    Invalid mode
-3    Required data not found in the Setup.iss file
-4    Not enough memory available
-5    File does not exist
-6    Cannot write to the response file
-7    Unable to write to the log file
-8    Invalid path to the InstallShield Silent response file
-9    Not a valid list type (string or number)
-10   Data type is invalid.
-11   Unknown error during setup
-12   Dialogs are out of order
-51   Cannot create the specified folder
-52   Cannot access the specified file or folder
-53   Invalid option selected
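Because a silent install displays no messages, a deployment script has to read Setup.log itself. The following PowerShell is an added example, not part of the original guide or of InstallShield; the function name, the key names and the values in the constructed sample log are assumptions.

```powershell
# Added example: read Setup.log after a silent install and report the
# ResultCode using the return-value table from this appendix.
$ResultCodeMeaning = @{
    '0'   = 'Success'
    '-1'  = 'General error'
    '-2'  = 'Invalid mode'
    '-3'  = 'Required data not found in the Setup.iss file'
    '-4'  = 'Not enough memory available'
    '-5'  = 'File does not exist'
    '-6'  = 'Cannot write to the response file'
    '-7'  = 'Unable to write to the log file'
    '-8'  = 'Invalid path to the InstallShield Silent response file'
    '-9'  = 'Not a valid list type (string or number)'
    '-10' = 'Data type is invalid'
    '-11' = 'Unknown error during setup'
    '-12' = 'Dialogs are out of order'
    '-51' = 'Cannot create the specified folder'
    '-52' = 'Cannot access the specified file or folder'
    '-53' = 'Invalid option selected'
}

function Get-SilentInstallResult {
    param([string]$Path)

    $result = [pscustomobject]@{ Succeeded = $false; ResultCode = $null; Meaning = '' }

    # With no on-screen messages, a missing log is itself a failure signal.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Meaning = "Log file not found: $Path"
        return $result
    }

    # Track the current [section] so that only ResultCode under
    # [ResponseResult] is accepted.
    $section = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $section = $Matches[1]
        } elseif ($section -eq 'ResponseResult' -and $text -match '^ResultCode\s*=\s*(-?\d+)$') {
            $result.ResultCode = [int]$Matches[1]
        }
    }

    if ($null -eq $result.ResultCode) {
        $result.Meaning = 'No ResultCode in [ResponseResult]; treat the install as failed'
        return $result
    }

    $key = [string]$result.ResultCode
    if ($ResultCodeMeaning.ContainsKey($key)) {
        $result.Meaning = $ResultCodeMeaning[$key]
    } else {
        $result.Meaning = 'Result code not listed in the guide'
    }
    $result.Succeeded = ($result.ResultCode -eq 0)
    return $result
}

# Constructed sample log for a failed install. The key names and values are
# assumptions made for illustration, not copied from a real Setup.log.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'Setup-sample.log'
Set-Content -LiteralPath $sample -Value @(
    '[InstallShield Silent]'
    'Version=v0.00.000'
    'File=Log File'
    '[Application]'
    'Name=Example Application'
    'Version=0.0'
    'Company=Example Company'
    '[ResponseResult]'
    'ResultCode=-3'
)
Get-SilentInstallResult -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

In a deployment script, pass the path given with -f2 (or the default Setup.log location) and stop the rollout step when Succeeded is false.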


Appendix C - Running the Global VPN Client from the Command Line Interface

The SonicWALL Global VPN Client can run from the Command Line Interface (CLI). This interface allows for the programmatic or script-based initiation of certain Global VPN Client functions without requiring the user to directly act in the GVC application. The Global VPN Client CLI enables the setting up of scripts that automatically initiate a secure tunnel anytime a particular application or connection method is started.

The CLI commands require the use of a complete path name to the Global VPN Client application followed by various flags and variable information such as username or password.

Alert! Embedding a user’s password directly in a script is a security risk. Anyone who can gain access to the script can read the password to circumvent security. It is recommended that scripts or programmatic dashboards ask for the password before initiating a connection and then clear the variable.

Command Line Options

You can use the following options to perform a variety of Global VPN Client actions from the command line.

• /E “Connection Name” - Enables the specific connection.
• /D “Connection Name” - Disables the specific connection.
• /Q - Quits a running instance of the program. Ignored if the program is not already running.
• /A [filename] - Starts the program and sends all messages to the specified log file. If no log file is specified, the default file name is gvcauto.log. If the program is already running, this option is ignored.
• /U “Username” - Username to pass to XAUTH. Must be used in conjunction with /E.
• /P “Password” - Password to pass to XAUTH. Must be used in conjunction with /E.

Command Line Examples

• \swgvpnclient - runs/starts the application. If the application is already running, it does not create another instance.
• \swgvpnclient /E “Connection Name” /U “Username” /P “Password” - runs/starts the application, enables the named connection, and uses the username and password for user authentication. If you do not include a username and password, the Global VPN Client presents a dialog box asking for the information in order to continue.
• \swgvpnclient /A [filename] - runs/starts the application and enables autologging of all events to a log file. If the filename is not specified, then the log file is created with the default name gvcauto.log. If you want to save the autolog for each Global VPN Client session, you can use the filename option and specify a different filename each time the application is started. This file is created in the same directory where the Global VPN Client application is started, if the path is not specified.
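The recommendation in the alert above (ask for the password at run time, then clear the variable) can be scripted as follows. This is an added PowerShell example, not SonicWALL code; the executable path and file name, the connection name and the function names are placeholders and assumptions.

```powershell
# Added example: prompt for XAUTH credentials when the tunnel is started,
# so that no password is stored in the script or on disk.
$GvcPath        = 'C:\PATH\TO\swgvpnclient.exe'   # placeholder path and file name
$ConnectionName = 'Example Connection'            # placeholder connection name

function Test-GvcArgument {
    param([string]$Value)
    # The guide does not say how a double quote inside a value is escaped,
    # so refuse empty values and values that would break the "..." quoting.
    return (($Value.Length -gt 0) -and ($Value -notmatch '"'))
}

function Connect-GvcTunnel {
    param([string]$ExePath, [string]$Connection)

    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        throw "Global VPN Client not found at $ExePath"
    }

    $cred = Get-Credential -Message "XAUTH credentials for '$Connection'"
    if ($null -eq $cred) { return }   # the user cancelled the prompt

    $net   = $cred.GetNetworkCredential()
    $user  = $net.UserName
    $plain = $net.Password
    try {
        foreach ($value in @($Connection, $user, $plain)) {
            if (-not (Test-GvcArgument $value)) {
                throw 'Empty value or embedded double quote; not launching.'
            }
        }
        # /U and /P must be used together with /E (see Command Line Options).
        # While the client process runs, its command line, /P included, can be
        # read by anyone able to list processes on this computer. Leaving out
        # /U and /P makes the client show its own dialog box instead.
        $arguments = '/E "{0}" /U "{1}" /P "{2}"' -f $Connection, $user, $plain
        Start-Process -FilePath $ExePath -ArgumentList $arguments
    }
    finally {
        # Clear the variables as the guide recommends. This drops the script's
        # references; .NET strings cannot be overwritten in place.
        $plain = $null
        $arguments = $null
        $net = $null
        $cred = $null
    }
}

Connect-GvcTunnel -ExePath $GvcPath -Connection $ConnectionName
```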


Appendix D - Installing the Global VPN Client with a Ghost Application

During the normal, non-Ghost installation of the Global VPN Client, a MAC address for the virtual adapter is generated and assigned during the installation process. However, when the Global VPN Client is installed with CmdLine=/g (Ghost) option, a default MAC address is assigned to the SonicWALL VPN Adapter. After the installation when the Global VPN Client is started for the first time, this default MAC address is detected, which in turn generates a new MAC address and assigns it to the SonicWALL VPN Adapter.

Alert! DO NOT OPEN the Global VPN Client application after installing it and BEFORE you ghost it. Global VPN Client installation with the CmdLine=/g option works by recognizing that it is the FIRST time that the Global VPN Client has been started, and randomly creates a unique MAC address for the SonicWALL VPN Adapter. If you open the Global VPN Client BEFORE using ghost, you receive the same MAC address for the SonicWALL VPN Adapter resulting in network conflicts.


Appendix E - Log Viewer Messages

The following table lists the Info, Error, and Warning messages that can appear in the Global VPN Client Log Viewer.

Table 2: Log Viewer Messages

ERROR    "Invalid DOI in notify message,"
ERROR    : called with invalid parameters.
ERROR    A phase 2 IV has already been created.
ERROR    An error occurred.
ERROR    Attributes were specified but not offered.
ERROR    Authentication algorithm is not supported.
ERROR    CA certificate not found in list.
ERROR    Calculated policy configuration attributes length does not match length of attributes set into policy configuration payload.
ERROR    Calculated XAuth attributes length does not match length of attributes set into XAuth payload.
ERROR    Can not change the Diffie-Hellman group for PFS.
ERROR    Can not process packet that does not have at least one payload.
ERROR    Can not process unsupported mode config type.
ERROR    Can not process unsupported XAuth type.
ERROR    Can not set IPSEC proposals into empty SA list.
ERROR    Cannot do quick mode: no SA's to negotiate.
ERROR    certificate error.
ERROR    Certificate ID not specified.
ERROR    Deallocation of event publisher context failed.
ERROR    Diffie-Hellman group generator length has not been set.
ERROR    Diffie-Hellman group prime length has not been set.
ERROR    DSS signature processing failed - signature is not valid.
ERROR    Encryption algorithm is not supported.
ERROR    ESP transform algorithm is not supported.
ERROR    Failed to add a new AH entry to the phase 2 SA list.
ERROR    Failed to add a new ESP entry to the phase 2 SA list.
ERROR    Failed to add IPSEC encapsulation mode into the payload.
ERROR    Failed to add IPSEC group description into the payload.
ERROR    Failed to add IPSEC HMAC algorithm into the payload.
ERROR    Failed to add IPSEC life duration into the payload.
ERROR    Failed to add IPSEC life type into the payload.
ERROR    Failed to add OAKLEY authentication algorithm into the payload.
ERROR    Failed to add OAKLEY encryption algorithm into the payload.
ERROR    Failed to add OAKLEY generator G1 into the payload.
ERROR    Failed to add OAKLEY group description into the payload.
ERROR    Failed to add OAKLEY group type into the payload.
ERROR    Failed to add OAKLEY hash algorithm into the payload.
ERROR    Failed to add OAKLEY life duration into the payload.
ERROR    Failed to add OAKLEY life type into the payload.
ERROR    Failed to add OAKLEY prime P into the payload.
ERROR    Failed to add policy configuration INI format into the payload.
ERROR    Failed to add policy configuration version into the payload.
ERROR    Failed to add XAuth password '' into the payload.
ERROR    Failed to add XAuth status into the payload.
ERROR    Failed to add XAuth type into the payload.
ERROR    Failed to add XAuth username '' into the payload.
ERROR    Failed to allocate bytes.
ERROR    Failed to allocate memory.
ERROR    Failed to begin phase 1 exchange.
ERROR    Failed to begin quick mode exchange.
ERROR    Failed to build a DSS object.
ERROR    Failed to build dead peer detection packet.
ERROR    Failed to build dead peer detection reply message.
ERROR    Failed to build dead peer detection request message.
ERROR    Failed to build phase 1 delete message.
ERROR    Failed to calculate DES mode from ESP transfor.
ERROR    Failed to calculate policy configuration attributes length.
ERROR    Failed to calculate XAuth attributes length.
ERROR    Failed to compute IV for connection entry.
ERROR    Failed to construct certificate payload.
ERROR    Failed to construct certificate request payload.
ERROR    Failed to construct certificate.
ERROR    Failed to construct destination proxy ID payload.
ERROR    Failed to construct DSS signature.
ERROR    Failed to construct hash payload.
ERROR    Failed to construct IPSEC nonce payload.
ERROR    Failed to construct IPSEC SA payload.
ERROR    Failed to construct ISAKMP blank hash payload.
ERROR    Failed to construct ISAKMP delete hash payload.
ERROR    Failed to construct ISAKMP DPD notify payload.
ERROR    Failed to construct ISAKMP ID payload.
ERROR    Failed to construct ISAKMP info hash payload.
ERROR    Failed to construct ISAKMP key exchange payload.
ERROR    Failed to construct ISAKMP nonce payload.
ERROR    Failed to construct ISAKMP notify payload.
ERROR    Failed to construct ISAKMP packet header.
ERROR    Failed to construct ISAKMP phase 1 delete payload.
ERROR    Failed to construct ISAKMP SA payload.
ERROR    Failed to construct ISAKMP vendor ID payload (ID = ).
ERROR    Failed to construct mode config hash payload.
ERROR    Failed to construct NAT discovery payload.
ERROR    Failed to construct PFS key exchange payload.
ERROR    Failed to construct policy provisioning payload.
ERROR    Failed to construct quick mode hash payload.
ERROR    Failed to construct quick mode packet.
ERROR    Failed to construct responder lifetime payload.
ERROR    Failed to construct RSA signature.
ERROR    Failed to construct signature payload.
ERROR    Failed to construct source proxy ID payload.
ERROR    Failed to construct XAuth payload.
ERROR    Failed to convert the peer name to an IP address.
ERROR    Failed to create a new connection entry: an entry already exists with ID.
ERROR    Failed to create connection entry with message ID.
ERROR    Failed to decrypt buffer.
ERROR    Failed to decrypt mode config payload.
ERROR    Failed to decrypt notify payload.
ERROR    Failed to decrypt packet.
ERROR    Failed to decrypt quick mode payload.
ERROR    Failed to encrypt mode config payload.
ERROR    Failed to encrypt notify payload.
ERROR    Failed to encrypt packet.
ERROR    Failed to encrypt quick mode payload.
ERROR    Failed to expand packet to size bytes.
ERROR    Failed to find an SA list for PROTO_IPSEC_AH.
ERROR    Failed to find an SA list for PROTO_IPSEC_ESP.
ERROR    Failed to find an SA list given the protocol.
ERROR    Failed to find certificate with ID.
ERROR    Failed to find connection entry for message ID.
ERROR    Failed to find exit interface to reach.
ERROR    Failed to find MAC address in the system interfaces table.
ERROR    Failed to find matching SA list.
ERROR    Failed to find message ID and matching cookies in the connection entry list.
ERROR    Failed to find message ID in the connection entry list.
ERROR    Failed to find message ID in the SA list.
ERROR    Failed to find OAKLEY group specified in the SA payload.
ERROR    Failed to find private key for certificate with ID.
ERROR    Failed to find protocol ID in the SA list.
ERROR    Failed to find route to reach.
ERROR    Failed to find sequence number .
ERROR    Failed to find source IP address to reach.
ERROR    Failed to flush the system ARP cache.
ERROR    Failed to generate Diffie-Hellman parameters.
ERROR    Failed to generate quick mode initiator key.
ERROR    Failed to generate quick mode responder key.
ERROR    Failed to generate SKEYID.
ERROR    Failed to get the size of the system interfaces table.
ERROR    Failed to get the size of the system IP address table.
ERROR    Failed to get the system interface table.
ERROR    Failed to get the system IP address table.
ERROR    Failed to get transforms from SA list.
ERROR    Failed to match initiator cookie.
ERROR    Failed to match responder cookie.
ERROR    Failed to parse certificate data.
ERROR    Failed to parse configuration file.
ERROR    Failed to read the size of an incoming ISAKMP packet.
ERROR    Failed to re-allocate bytes.
ERROR    Failed to receive an incoming ISAKMP packet.
ERROR    Failed to receive an incoming ISAKMP packet. The length is incorrect.
ERROR    Failed to send an outgoing ISAKMP packet.
ERROR    Failed to set policy configuration attributes into payload.
ERROR    Failed to set proposals into phase 1 SA payload.
ERROR    Failed to set proposals into phase 2 SA payload.
ERROR    Failed to set responder lifetype attributes.
ERROR    Failed to set the ESP attributes from the SA payload into the SA.
ERROR    Failed to set the IPSEC AH attributes into the phase 2 SA.
ERROR    Failed to set the IPSEC ESP attributes into the phase 2 SA.
ERROR    Failed to set the OAKLEY attributes into the phase 1 SA.
ERROR    Failed to set vendor ID into packet payload.
ERROR    Failed to set XAuth attributes into payload.
ERROR    Failed to sign hash.
ERROR    Failed to verify certificate signature.
ERROR    Failed to verify informational message hash payload.
ERROR    Failed to verify mode config message hash payload.
ERROR    Hash algorithm is not supported.
ERROR    Hash Payload does not match.
ERROR    Hash size invalid:
ERROR    Header invalid (verified)!
ERROR    Invalid certificate: ASN sequence is not correct.
ERROR    Invalid certificate: payload length is too small.
ERROR    Invalid hash payload.
ERROR    Invalid payload. Possible overrun attack!
ERROR    Invalid SA state:
ERROR    Invalid signature payload.
ERROR    Invalid SPI size.
ERROR    is not a supported Diffie-Hellman group type.
ERROR    is not a supported DOI.
ERROR    is not a supported exchange type.
ERROR    is not a supported ID payload type.
ERROR    is not a supported IPSEC protocol.
ERROR    is not a supported notify message type.
ERROR    is not a supported payload type.
ERROR    is not a supported policy configuration attribute type.
ERROR    is not a supported policy configuration message type.
ERROR    is not a supported proxy ID payload type.
ERROR    is not a supported XAuth attribute type.
ERROR    is not a valid quick mode state.
ERROR    is not a valid XAuth message type.
ERROR    is not a valid XAuth status.
ERROR    ISAKMP SA delete msg for a different SA!
ERROR    No certificate for CERT authentication.
ERROR    No entry in the system IP address table was found with index.
ERROR    No KE payload while PFS configured mess_id.
ERROR    Out of memory.
ERROR    Phase 1 authentication algorithm is not supported.
ERROR    Phase 1 encryption algorithm is not supported.
ERROR    Protocol ID has already been added to the SA list.
ERROR    Protocol mismatch: expected PROTO_IPSEC_AH but got.
ERROR    Protocol mismatch: expected PROTO_IPSEC_ESP but got.
ERROR    Publisher deregistration failed.
ERROR    Responder cookie is not zero.
ERROR    RSA signature processing failed - signature is not valid.
ERROR    SA hash function has not been set in.
ERROR    Signature Algorithm mismatch is X.509 certificate.
ERROR    Signature verification failed!
ERROR    The certificate is not valid at this time.
ERROR    The current state is not valid for processing mode config payload.
ERROR    The current state is not valid for processing signature payload.
ERROR    The first payload is not a hash payload.
ERROR    The following error occurred while trying to open the configuration file:
ERROR    The peer is not responding to phase 1 ISAKMP requests.
ERROR    The peer is not responding to phase 1 ISAKMP requests.
ERROR    The state flag indicates that the IPSEC SA payload has not been processed.
ERROR    The system interface table is empty.
ERROR    The system IP address table is empty.
ERROR    Unable to compute hash!
ERROR    Unable to compute shared secret for PFS in phase 2!
ERROR    Unable to read configuration file.
ERROR    User did not enter XAuth next pin.
ERROR    XAuth CHAP requests are not supported at this time.
ERROR    XAuth failed.
ERROR    XAuth has requested a password but one has not yet been specified.
INFO     "The connection """" has been disabled."
INFO     A certificate is needed to complete phase 1.
INFO     A phase 2 SA can not be established with until a phase 1 SA is established.
INFO     A pre-shared key is needed to complete phase 1.
INFO     AG failed. SA state unknown. Peer:
INFO     An incoming ISAKMP packet from was ignored.
INFO     DSS g value:
INFO     DSS p value:
INFO     DSS q value:
INFO     Event publisher deregistered.
INFO     Event publisher registered for.
INFO     Failed to negotiate configuration information with.
INFO     Found CA certificate in CA certificate list.
INFO     Ignoring unsupported payload.
INFO     Ignoring unsupported vendor ID.
INFO     ISAKMP phase 1 proposal is not acceptable.
INFO     ISAKMP phase 2 proposal is not acceptable.
INFO     MM failed. Payload processing failed. OAK_MM_KEY_EXCH. Peer:
INFO     MM failed. Payload processing failed: OAK_MM_NO_STATE. Peer:
INFO     MM failed. Payload processing failed: OAK_MM_SA_SETUP. Peer:
INFO     MM failed. SA state not matching mask process auth. Peer:
INFO     MM failed. SA state not matching mask process key. Peer:
INFO     MM failed. SA state not matching mask process sa. Peer:
INFO     MM failed. SA state unknown. Peer:
INFO     NAT Detected: Local host is behind a NAT device.
INFO     NAT Detected: Peer is behind a NAT device.
INFO     peer certificate missing key value.
INFO     Phase 1 has completed.
INFO     Phase 1 SA lifetime set to.
INFO     Phase 2 negotiation has failed.
INFO     Phase 2 SA lifetime set to.
INFO     Phase 2 with has completed.
INFO     Proposal not acceptable: not authentication algorithm specified.
INFO     Proposal not acceptable: not Diffie-Hellman group specified.
INFO     Proposal not acceptable: not encryption algorithm specified.
INFO     Proposal not acceptable: not hash algorithm specified.
INFO     Proposal not acceptable: proposal not found in list.
INFO     QM failed. Load SA failed. Peer:
INFO     Reading configuration file.
INFO     Ready to negotiate phase 2 with.
INFO     Received address notification notify.
INFO     Received attributes not supported notify.
INFO     Received authentication failed notify.
INFO     Received bad syntax notify.
INFO     Received certificate unavailable notify.
INFO     Received dead peer detection acknowledgement.
INFO     Received dead peer detection request.
INFO     Received initial contact notify.
INFO     Received invalid certificate authentication notify.
INFO     Received invalid certificate encoding notify.
INFO     Received invalid certificate notify.
INFO     Received invalid certificate request syntax notify.
INFO     Received invalid cookie notify.
INFO     Received invalid exchange type notify.
INFO     Received invalid flags notify.
INFO     Received invalid ID information notify.
INFO     Received invalid key info notify.
INFO     Received invalid major version notify.
INFO     Received invalid message ID notify.
INFO     Received invalid minor version notify.
INFO     Received invalid payload notify.
INFO     Received invalid protocol ID notify.
INFO     Received invalid signature notify.
INFO     Received invalid SPI notify.
INFO     Received invalid transform ID notify.
INFO     Received malformed payload notify.
INFO     Received no proposal chosen notify.
INFO     Received notify SA lifetime notify.
INFO     Received phase 1 delete message.
INFO     Received phase 2 delete message for SPI.
INFO     Received policy provisioning acknowledgement.
INFO     Received policy provisioning OK.
INFO     Received policy provisioning update.
INFO     Received policy provisioning version reply.
INFO     Received policy provisioning version request.
INFO     Received responder lifetime notify.
INFO     Received situation not supported notify.
INFO     Received unequal payload length notify.
INFO     Received unknown notify.
INFO     Received unsupported DOI notify.
INFO     Received unsupported exchange type notify.
INFO     Received XAuth request.
INFO     Received XAuth status.
INFO     Re-evaluating ID info after INVALID_ID_INFO message.
INFO     Releasing IP address for the virtual interface ().
INFO     Renewing IP address for the virtual interface ().
INFO     Saving configuration file.
INFO     Sending dead peer detection acknowledgement.
INFO     Sending dead peer detection request.
INFO     Sending phase 1 delete.
INFO     Sending phase 2 delete for.
INFO     Sending policy provisioning acknowledgement.
INFO     Sending policy provisioning version reply.
INFO     Sending XAuth acknowledgement.
INFO     Sending XAuth reply.
INFO     Signature Verified!
INFO     SonicWALL Global VPN Client version.
INFO     SonicWALL VPN Client.
INFO     Starting aggressive mode phase 1 exchange.
INFO     Starting authentication negotiation.
INFO     Starting configuration negotiation.
INFO     Starting ISAKMP phase 1 negotiation.
INFO     Starting ISAKMP phase 2 negotiation with.
INFO     Starting main mode phase 1 exchange.
INFO     Starting quick mode phase 2 exchange.
INFO     The configuration for the connection has been updated.
INFO     The configuration for the connection is up to date.
INFO     The configuration has been updated and must be reloaded.
INFO     The connection has entered an unknown state.
INFO     The connection is idle.
INFO     The hard lifetime has expired for phase 1.
INFO     The hard lifetime has expired for phase 2 with.
INFO     The IP address for the virtual interface has been released.
INFO     The IP address for the virtual interface has changed to.
INFO     The ISAKMP port (500) is already in use. Port will be used as the ISAKMP source port.
INFO     The peer is not responding to phase 2 ISAKMP requests to.
INFO     The phase 1 SA has been deleted.
INFO     The phase 1 SA has died.
INFO     The phase 2 SA has been deleted.
INFO     The phase 2 SA has died.
INFO     The SA lifetime for phase 1 is seconds.
INFO     The SA lifetime for phase 2 is seconds.
INFO     The soft lifetime has expired for phase 1.
INFO     The soft lifetime has expired for phase 2 with.
INFO     The system ARP cache has been flushed.
INFO     Unable to encrypt payload!
INFO     User authentication has failed.
INFO     User authentication has succeeded.
INFO     User authentication information is needed to complete the connection.
INFO     XAuth has requested a username but one has not yet been specified.
WARNING  A password must be entered.
WARNING  AG failed. SA state not matching mask process auth. Peer:
WARNING  AG failed. SA state not matching mask process key. Peer:
WARNING  AG failed. State OAK_AG_INIT_EXCH is invalid when responder. Peer:
WARNING  AG failed. State OAK_AG_NO_STATE is invalid when initiator. Peer:
WARNING  Failed to process aggressive mode packet.
WARNING  Failed to process final quick mode packet.
WARNING  Failed to process informational exchange packet.
WARNING  Failed to process main mode packet.
WARNING  Failed to process mode configuration packet.
WARNING  Failed to process packet payloads.
WARNING  Failed to process payload.
WARNING  Failed to process quick mode packet.
WARNING  Ignoring AUTH message when aggressive mode already complete. Peer:
WARNING  Invalid DOI in delete message:
WARNING  Invalid IPSEC SA delete message.
WARNING  Invalid ISAKMP SA delete message.
WARNING  is not a supported OAKLEY attribute class.
WARNING  Protocol ID is not supported in SA payloads.
WARNING  Received an encrypted packet when not crypto active!
WARNING  Received an unencrypted packet when crypto active!
WARNING  Responder lifetime protocol is not supported.
WARNING  The password is incorrect. Please re-enter the password.
WARNING  The pre-shared key dialog box was cancelled by the user. The connection will be disabled.
WARNING  The select certificate dialog box was cancelled by the user. The connection will be disabled.
WARNING  The username/password dialog box was cancelled by the user. The connection will be disabled.
WARNING  Unable to decrypt payload!






SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale, CA 94089-1306
T: 408.745.9600
F: 408.745.9300
www.sonicwall.com

© 2004 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
P/N 232-000411-01 Rev A 02/04
