This was tested using IPCop version 2.0.0 and SonicWALL TZ170 SP.

For the Sonicwall TZ170 SP with Standard software. you will need the IPCop CA cert and the client PKCS12 certificate the same as created on the Create CA & Certs page. Since the Sonicwall is a not a mobile device, you will need to set this up as a net-to-net connection, supply the remote IP address or DNS resolvable name into the “Remote Host/IP” field on the IPCop definition page and put the remote network into the Remote subnet field. The other fields are the same though, particularly the “subjectAltName” field set to “email:”.


Bring your USB drive with the two certificates to the location where the Sonicwall is and log on to it. Then click on the VPN->CA Certificates.


Browse to your USB drive, choose the IPCop CA certificate and then click “Import Certificate”.


Then click on VPN->Local Certificates.


Then give the certificate a name, enter the certificate password that you used when you created the certificate, browse to your USB drive, choose the client certificate “<name>.p12” file and then click on “Import”. It should then look like the following.


The “Status” line should show “Verified” if the correct CA certificate was loaded earlier. Now click on VPN->Settings and click “ADD”.


Change the “IPSec Keying Mode” to “IKE using 3rd Party Certificates”, give it a name which can match the certificate name, put in the name or IP address of the IPCop external interface for “IPSec Primary Gateway Name or address”, choose the certificate that you just loaded, change the “Peer Certificate’s ID Type” to “E-Mail ID” and put in the email address of the IPCop Host certificate “subjectAltName” into the “ID string to match:”. Then click on “Add” under “Destination Networks.”


Put in the address and netmask of the network behind the IPCop system and click “OK”.


Then click on the “Proposals” tab at the top.


Change the “Exchange” field to “Main Mode” instead of Aggressive, check the “Enable Perfect Forward Security” box and click “OK”. You could change the encryption to AES-128 for both Phase 1 and Phase 2 as IPCop supports both and Main Mode negotiations will work with it. Then click on “Apply” on the upper right corner of the screen and it should bring up the VPN tunnel.


On the IPCop side it should look like this:


Donald Trump is an idiot.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.