User Guide

SonicWALL VPN Page 159
Internet Key Exchange (IKE)
IKE is a negotiation and key exchange protocol specified by the Internet Engineering
Task Force (IETF). An IKE SA automatically negotiates the Phase 1 Encryption and
Authentication Keys. With IKE, an initial exchange authenticates the VPN session and
automatically negotiates the keys that are used to pass IP traffic. The initial exchange
occurs on UDP port 500, so when an IKE SA is created, the SonicWALL automatically
opens port 500 to allow the IKE key exchange.
Manual Key
The Manual Key SA allows you to specify the Encryption and Authentication keys as
well as the Incoming and Outgoing Security Parameter Indices (SPIs). SonicWALL VPN
supports Manual Key VPN Security Associations.
Shared Secret
A Shared Secret is a predefined field that the two endpoints of a VPN tunnel use to set
up an IKE SA. This field can be any combination of alphanumeric characters with a
minimum length of 4 characters and a maximum of 128 characters. Precautions should
be taken when delivering or exchanging this shared secret so that a third party
cannot compromise the security of the VPN tunnel.
Encapsulating Security Payload (ESP)
ESP provides confidentiality and integrity of data by encrypting the data and
encapsulating it into IP packets. Encryption can be in the form of ARCFour (similar to
the popular RC4 encryption method), DES, etc.
The use of ESP increases the processing requirements in SonicWALL VPN and also
increases the communications latency. The increased latency is due to the encryption
and decryption required for each IP packet containing an Encapsulating Security
Payload.
ESP typically involves encryption of the packet payload using standard encryption
mechanisms, such as RC4, ARCFour, DES, or 3DES. The SonicWALL supports 56-bit
ARCFour and 56-bit DES and 168-bit 3DES.
Authentication Header (AH)
The Authentication Header provides strong integrity and authentication by adding
authentication information to IP packets. This authentication information is calculated
over both the header and the payload data of the IP packet, which provides an additional
level of security.
Using AH increases the processing requirements of VPN and also increases the
communications latency. The increased latency is primarily due to the calculation of the
authentication data by the sender, and the calculation and comparison of the
authentication data by the receiver for each IP packet containing an Authentication
Header.
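The following is an added illustration of the two ideas above (a manually keyed SA identified by its SPI, and an Authentication Header whose integrity value covers both the IP header and the payload); it is example code written for this page, not SonicWALL's implementation. It assumes HMAC-SHA1-96 as the AH integrity algorithm (the guide does not name one), a simplified IPv4 header with no options and the checksum left at zero, and the SPI numbers, keys and addresses are constructed for the demo.

```python
"""Simplified manual-key SA table plus AH protect/verify.
Added example for this page, not SonicWALL code. SPIs, keys and
addresses are constructed; HMAC-SHA1-96 is an assumed algorithm."""
import hashlib
import hmac
import socket
import struct

# --- Manual Key SA table ---------------------------------------------------
# A manual-key SA fixes the SPI, algorithm and key by hand instead of letting
# IKE negotiate them. Each direction has its own SPI and therefore its own key.
SA_TABLE = {
    # SPI (constructed)  -> (integrity algorithm, key)
    0x00001001: ("hmac-sha1-96", bytes.fromhex("0b" * 20)),  # outgoing SA
    0x00002002: ("hmac-sha1-96", bytes.fromhex("a5" * 20)),  # incoming SA
}


def lookup_sa(spi):
    """Return the SA configured for an SPI, or None if there is none."""
    return SA_TABLE.get(spi)


# --- Packet layout -----------------------------------------------------------
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
AH_FIXED = struct.Struct("!BBHII")          # next hdr, payload len, reserved, SPI, seq
ICV_LEN = 12                                # HMAC-SHA1-96: SHA-1 MAC truncated to 96 bits
AH_PROTO = 51                               # IP protocol number for AH


def build_ipv4_header(src, dst, total_len, ttl=64):
    """Version 4, IHL 5, DF set, checksum left zero (simplification)."""
    return IPV4_HDR.pack(0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_header):
    """AH covers the IP header, but fields that routers change in transit
    (ToS, flags word, TTL, header checksum) are treated as zero for the ICV,
    so a legitimate hop does not break authentication."""
    (ver_ihl, _tos, total_len, ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = IPV4_HDR.unpack(ip_header)
    return IPV4_HDR.pack(ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def compute_icv(key, ip_header, ah_fixed, payload):
    """ICV = HMAC over (immutable IP header || AH with ICV zeroed || payload)."""
    covered = zero_mutable_fields(ip_header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(spi, seq, src, dst, next_header, payload):
    """Sender side: build IP header + AH + payload under the SA named by spi."""
    sa = lookup_sa(spi)
    if sa is None:
        raise ValueError("no SA configured for SPI 0x%08x" % spi)
    _alg, key = sa
    ah_len = AH_FIXED.size + ICV_LEN                  # 24 bytes
    ah_fixed = AH_FIXED.pack(next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_header = build_ipv4_header(src, dst, IPV4_HDR.size + ah_len + len(payload))
    icv = compute_icv(key, ip_header, ah_fixed, payload)
    return ip_header + ah_fixed + icv + payload


def ah_verify(packet):
    """Receiver side: look up the SA by SPI, recompute the ICV and compare.
    Returns (accepted, reason)."""
    ip_header = packet[:IPV4_HDR.size]
    ah_fixed = packet[IPV4_HDR.size:IPV4_HDR.size + AH_FIXED.size]
    _next, _plen, _res, spi, _seq = AH_FIXED.unpack(ah_fixed)
    icv_start = IPV4_HDR.size + AH_FIXED.size
    icv = packet[icv_start:icv_start + ICV_LEN]
    payload = packet[icv_start + ICV_LEN:]
    sa = lookup_sa(spi)
    if sa is None:
        return False, "unknown SPI"       # no SA: drop before any MAC work
    _alg, key = sa
    expected = compute_icv(key, ip_header, ah_fixed, payload)
    if not hmac.compare_digest(icv, expected):
        return False, "ICV mismatch"      # header or payload was altered
    return True, "ok"


def demo():
    """Show what the receiver accepts and rejects. Returns a result dict."""
    pkt = ah_protect(0x00001001, 1, "10.0.0.1", "10.0.1.1", 17,
                     b"constructed UDP payload")
    results = {"intact": ah_verify(pkt)[0]}
    # A router decrements TTL (byte 8): mutable field, ICV still matches.
    hopped = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    results["ttl_decremented"] = ah_verify(hopped)[0]
    # One flipped payload byte: ICV no longer matches, packet is dropped.
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    results["payload_tampered"] = ah_verify(tampered)[0]
    # SPI (bytes 24-27) that has no SA: dropped without a MAC comparison.
    no_sa = pkt[:24] + (0x7777).to_bytes(4, "big") + pkt[28:]
    results["unknown_spi"] = ah_verify(no_sa)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The per-packet cost the guide describes is visible in `ah_verify`: every packet needs an SA lookup, a full HMAC over header and payload, and a constant-time comparison before it is accepted.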
Data Encryption Standard (DES)
integrated_manual.book Page 159 Friday, October 12, 2001 2:56 PM