Security Services

Creating and Deploying the default.rcf File for SonicWALL Global VPN Clients

Introduction
The default.rcf file allows the SonicWALL VPN Gateway administrator to create and distribute preconfigured VPN connections for SonicWALL Global VPN Clients. The SonicWALL VPN Gateway administrator can distribute the default.rcf file with the Global VPN Client software to automatically create preconfigured VPN connections for streamlined deployment. The VPN connections created from the default.rcf file appear in the SonicWALL Global VPN Client window. The Global VPN Client user simply enables the VPN connection and after XAUTH authentication with a username and password, the policy download is automatically completed.

How the Global VPN Client uses the default.rcf File

When the Global VPN Client starts up, the program always looks for the SonicWALL Global VPN Client.rcf file in the C:\Documents and Settings\<user>\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory. If this file does not exist the Global VPN Client looks for the default.rcf file in the C:\Program Files\SonicWALL\SonicWALL Global VPN Client\ directory. The Global VPN Client reads the default.rcf file, if it exists and creates the SonicWALL Global VPN Client.rcf file in the C:\Documents and Settings\<user>\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory. The encrypted SonicWALL Global VPN Client.rcf file contains all the VPN connection configuration information for the SonicWALL Global VPN Client.

Deploying the default.rcf File

There are three ways to deploy the default.rcf file for your SonicWALL Global VPN Clients.

Include the default.rcf File with the Global VPN Client Software
After you create the default.rcf file, you can include it with the SonicWALL Global VPN Client software. When the user installs the Global VPN Client program, the SonicWALL Global VPN Client.rcf file is automatically created in the C:\Documents and Settings\<user>\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory based on the settings defined in the default.rcf file. This is the easiest method for Global VPN Client users. Alert! The default.rcf file must be included in the default Global VPN Client installation directory C:\Program Files\SonicWALL\SonicWALL Global VPN Client\ for the program to write the SonicWALL Global VPN Client.rcf file based on the settings defined in the default.rcf file.

Add the default.rcf file to the Default Global VPN Client Directory
If the Global VPN Client software is installed without VPN connections, the user can add the default.rcf file to the default Global VPN Client installation directory C:\Program Files\SonicWALL\SonicWALL Global VPN Client\. When the user launches the Global VPN Client, the SonicWALL Global VPN Client.rcf file is created in the C:\Documents and Settings\<user>\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory based on the default.rcf file settings.

Replace the Existing SonicWALL Global VPN Client.rcf File

If the Global VPN Client is installed with VPN connections, the user can remove the SonicWALL Global VPN Client.rcf file from the C:\Documents and Settings\<user>\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory and add the default.rcf file to the default Global VPN Client installation directory C:\Program Files\SonicWALL\SonicWALL Global VPN Client\. When the user launches the Global VPN Client, the SonicWALL Global VPN Client.rcf file is created in the C:\Documents and Settings\<user>\Application Data\SonicWALL\SonicWALL Global VPN Client\ directory based on the default.rcf file settings.

Alert! You cannot copy the SonicWALL Global VPN Client.rcf file created from the settings defined in the default.rcf file for one Global VPN Client to replace an existing SonicWALL Global VPN Client.rcf file of another Global VPN Client. Alert! Removing an existing SonicWALL Global VPN Client.rcf file will remove the VPN connections created in the Global VPN Client. These VPN connections can be added again from the Global VPN Client into the new SonicWALL Global VPN Client.rcf file.

Creating the default.rcf File

You can create your custom default.rcf file from any text editor, such as Windows Notepad. Alert! The default.rcf file must not contain any non ASCII characters. Be careful when using any text editor that the file does not have any paragraph marks, end of line characters, tabs, etc.

The default.rcf File Tag Descriptions

Any tag that is not explicitly listed in the default.rcf will be set to the default setting, just as when you configure a New VPN Connection within the Global VPN Client manually. The default setting for each tag is highlighted in [bold] text within brackets. <SW_Client_Policy version =9.0> <Connections> Defines the connection profiles in the default.rcf configuration file. There is no hard limit defined on the number of connection profiles allowed. <Connection name = connection name> Provides a name for the VPN connection that appears in the Global VPN Client window. <Description> description text</Description> Provides a description for each connection profile that appears when the user moves the mouse pointer over the VPN Policy in the Global VPN Client window. The maximum number of characters for the <Description> tag is 1023. <Flags> <AutoConnect>[Off=0]/On=1</AutoConnect> Enables this connection when program is launched. <ForceIsakmp>Off=0/[On=1]</ForceIsakmp> Starts IKE negotiation as soon as the connection is enabled without waiting for network traffic. If disabled then only traffic to the destination network(s) will initiate IKE negotiations. <ReEnableOnWake>[Off=0]/On=1</ReEnableOnWake> Enables the connection when computer is coming out of sleep or hibernation. <ReconnectOnError>Off=0/[On=1]</ReconnectOnError> Automatically keeps trying to enable the connection when an error has occured.

<ExecuteLogonScript>[Off=0]/On=1</ExecuteLogonScript> Automatically executes a domain logon script when connecting. </Flags> <Peer> Defines the peer settings for a VPN connection. A VPN connection can support up 5 peers. Alert! A special case of Host Name is for an Office Gateway scenario. If you want to use the Default Gateway as the host name use &lt;Default Gateway&gt; exactly as noted including the semicolons and &. In this case you must also set <UseDefaultGWAsPeerIP>=1. <HostName>IP Address/Domain Name</HostName> The IP address or Domain name of the SonicWALL gateway. <EnableDeadPeerDetection>Off=0/[On=1]</EnableDeadPeerDetection> Enables detection if the Peer stops responding to traffic. This will send Vendor ID to the SonicWALL during IKE negotiation to enable Dead peer detection heart beat traffic. Alert! NAT Traversal The implementation options for these settings were changed after Global VPN Client 1.x. In previous versions, there were check boxes for Forcing or Disabling NAT Traversal. With Global VPN Client 2.x and later, there is now a drop down selection list containing three items, Automatic (Will detect if NAT Traversal is on or off), Forced On (Force NAT Traversal On), and Disabled (Force NAT Traversal Off). To select Automatic, set ForceNATTraversal and DisableNATTraversal to 0, or do not have these tags listed at all <ForceNATTraversal>[Off=0]/On=1</ForceNATTraversal> Forces NAT traversal even without a NAT device in the middle. Normally NAT devices in the middle are automatically detected and UDP encapsulation of IPSEC traffic starts after IKE negotiation is complete. <DisableNATTraversal>[Off=0]/On=1</DisableNATTraversal> Disables NAT traversal even without a NAT device in the middle. Normally NAT devices in the middle are automatically detected and UDP encapsulation of IPSEC traffic starts after IKE negotiation is complete. <NextHop>IP Address/[0.0.0.0]</NextHop>The IP Address of the next hop for this connection. This is ONLY used if there is a need to use a next hop that is different from the default gateway. <Timeout>1-10/[3]<Timeout> Defines timeout value in seconds for packet retransmissions. The minimum <Timeout> value is 1 second and the maximum value is 10 seconds. <Retries>1-10/[3]<Retries>Number of times to retry packet retransmissions before the connection is considered as dead. The minimum <Retries> value is 1 and the maximum value is 10. <UseDefaultGWAsPeerIP>[Off=0]/On=1</UseDefaultGWAsPeerIP> This setting specifies whether or not the PCs Default Gateway IP Address will be used as the Peer IP Address. <InterfaceSelection>[Automatic=0]/LAN Only=1/Dial-Up Only=2</UseDefaultGWAsPeerIP> This setting specifies the interface selection to be used. <WaitForSourceIP>Off=0/[On=1]</WaitForSourceIP> This setting specifies whether or not to send packets when a local source IP Address is available. rd <DialupUseMicrosoftDUN>3 Party=0/[Microsoft=1]</DialupUseMicrosoftDUN> This setting specifies whether to use Microsoft or a third party Dialup connection. <DialupApp>c:\Program Files\Windows NT\dialer.exe</DialupApp> This setting specifies the directory path to a third party Dialup connection application including the application name. <DialupPhonebook>MSN Office Network/[Prompt When Necessary]</DialupPhonebook> This setting specifies the name of the Microsoft Dialup connection as listed in Network and Dial-up Connections for the local computer. <DialupLeaveConnected>[Off=0]/On=1</DialupLeaveConnected> This setting specifies whether or not to leave the dial-up connection logged in, when Global VPN Client is not connected. <DPDInterval>[[5]-30]</DPDInterval> Amount of time to wait in seconds, when checking for a Dead Peer. The interval times listed are incremented by 5. The allowed values are 5, 10, 15, 20, 25 and 30 seconds. <DPDAttempts>[3-[5]]</DPDAttempts> Number of times to try before declaring a Peer as dead. The allowed values are 3, 4 or 5 times. <DPDAlwaysSend>[Off=0]/On=1</DPDAlwaysSend> This setting specifies whether or not to send a DPD packet based on network traffic received from the peer. </Peer> For redundant gateways on this connection, repeat all the tags under <Peer>. There can up to 5 redundant gateways for each connection. </Connection> Defines the end of each connection profile in the configuration file. </Connections> Defines the end of connection profiles in the default.rcf file. </SW_Client_Policy>

Sample default.rcf File

The following is an example of a default.rcf file. This file includes two VPN connections: Corporate Firewall and Office Gateway. The Corporate Firewall connection configuration includes two peer entries for redundant VPN connectivity. Alert! If you attempt to directly copy this sample file to an ASCII text editor, you may have to remove all of the paragraph marks at the end of each line before saving it. Verify the file can be imported into the Global VPN Application before distributing it. <?xml version="1.0" standalone="yes"?> <SW_Client_Policy version="9.0"> <Connections> <Connection name="Corporate Firewall"> <Description>This is the corporate firewall. Call 1-800-fix-today for problems with connections.</Description> <Flags> <AutoConnect>0</AutoConnect> <ForceIsakmp>1</ForceIsakmp> <ReEnableOnWake>0</ReEnableOnWake> <ReconnectOnError>1</ReconnectOnError> <ExecuteLogonScript>0</ExecuteLogonScript> </Flags> <Peer> <HostName>CorporateFW</HostName> <EnableDeadPeerDetection>1</EnableDeadPeerDetection> <ForceNATTraversal>0</ForceNATTraversal> <DisableNATTraversal>0</DisableNATTraversal> <NextHop>0.0.0.0</NextHop> <Timeout>3</Timeout> <Retries>3</Retries> <UseDefaultGWAsPeerIP>0</UseDefaultGWAsPeerIP> <InterfaceSelection>0</InterfaceSelection> <WaitForSourceIP>0</WaitForSourceIP> <DialupUseMicrosoftDUN>1</DialupUseMicrosoftDUN> <DialupApp>c:\program files\aol\aol.exe</DialupApp> <DialupPhonebook>text</DialupPhonebook> <DialupLeaveConnected>0</DialupLeaveConnected> <DPDInterval>5</DPDInterval> <DPDAttempts>3</DPDAttempts> <DPDAlwaysSend>0</DPDAlwaysSend> </Peer> <Peer> <HostName>1.2.3.4</HostName> <EnableDeadPeerDetection>1</EnableDeadPeerDetection> <ForceNATTraversal>0</ForceNATTraversal> <DisableNATTraversal>0</DisableNATTraversal> <NextHop>0.0.0.0</NextHop> <Timeout>3</Timeout> <Retries>3</Retries> <UseDefaultGWAsPeerIP>0</UseDefaultGWAsPeerIP> <InterfaceSelection>0</InterfaceSelection> <WaitForSourceIP>0</WaitForSourceIP> <DialupUseMicrosoftDUN>1</DialupUseMicrosoftDUN> <DialupApp>c:\program files\aol\aol.exe</DialupApp> <DialupPhonebook>text</DialupPhonebook> <DialupLeaveConnected>0</DialupLeaveConnected>

Troubleshooting
Issue If there are any incorrect entries or typos in your default.rcf file, the settings in the default.rcf file will not be incorporated into the Global VPN Client and no connection profiles will appear in the Global VPN Client window. An error message Failed to parse configuration file appears in the Global VPN Client Log Viewer, or an error message Could not import the specified configuration file. The file appears to be corrupt. is displayed when attempting to import the file. Solution Make sure that the file does not contain any non ASCII characters. The SonicWALL Global VPN Client.rcf file created by the default.rcf file must be deleted from the \ directory and the default.rcf file edited to correct the errors.

The default.rcf file cannot have an attribute of READ Only.

The SonicWALL Global VPN Client.rcf file created by the default.rcf file must be deleted from the \ directory and the default.rcf file Read Only attribute removed to correct the error. When setting the Peer Name to the special case of <Default Gateway>, the tag for <UseDefaultGWAsPeerIP> must be set to 1. The SonicWALL Global VPN Client.rcf file created by the default.rcf file must be deleted from the \ directory.

The Peer Name <Default Gateway> gives an error display message when connecting Failed to convert the Peer name <Default Gateway> to an IP address.

Document Created: 08/09/2005 Last Updated: 06/27/2008 Version 1.1