VPN > Settings
869
SonicOS 5.8.1 Administrator Guide
Initialization and Authentication in IKE v2
IKE v2 initializes a VPN tunnel with a pair of message exchanges (two request/response
pairs).
Initialize communication: The first pair of messages (IKE_SA_INIT) negotiates cryptographic
algorithms, exchanges nonces (random values generated and sent to guard against
replayed messages), and performs a Diffie-Hellman key exchange. These two messages are
sent in the clear; nothing in them is yet authenticated.
a. Initiator sends a list of supported cryptographic algorithms, its Diffie-Hellman public
value, and a nonce.
b. Responder sends the selected cryptographic algorithms, its Diffie-Hellman public value,
a nonce, and optionally a certificate request.
Authenticate: The second pair of messages (IKE_AUTH) authenticates the previous
messages, exchanges identities and certificates, and establishes the first CHILD_SA. Parts
of these messages are encrypted and integrity protected with keys derived from the
IKE_SA_INIT exchange, so the identities are hidden from eavesdroppers and all fields in
all the messages, including the clear-text IKE_SA_INIT messages, are authenticated.
a. Initiator sends its identity, proof of that identity (an AUTH payload computed with the
pre-shared key, or a digital signature together with its certificate), and a request to
establish a child SA.
b. Responder sends its own identity and matching proof, and completes negotiation of the
child SA.
Negotiating SAs in IKE v2
This exchange (CREATE_CHILD_SA) consists of a single request/response pair, and
corresponds to what was called a phase 2 exchange in IKE v1. It may be initiated by either
end of the SA after the initial exchanges are completed, to create additional child SAs or to
rekey the IKE SA or an existing child SA.
All messages following the initial exchange are cryptographically protected using the
cryptographic algorithms and keys negotiated in the first two messages of the IKE exchange.
Either endpoint may initiate a CREATE_CHILD_SA exchange, so in this section the term
“initiator” refers to the endpoint initiating this exchange, which is not necessarily the
endpoint that initiated the IKE SA.
1. Initiator sends a child SA offer (proposed algorithms and traffic selectors), a fresh nonce
and, if perfect forward secrecy is wanted for the child SA, a new Diffie-Hellman public value.
2. Responder sends the accepted child SA offer, its own nonce and, if a Diffie-Hellman value
was included in the request, a matching Diffie-Hellman public value.
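The following example, added to this page, walks through the three exchanges described above (IKE_SA_INIT, IKE_AUTH with pre-shared-key authentication, and a responder-initiated CREATE_CHILD_SA with PFS) with both sides' messages and key derivations, following RFC 4306 sections 2.13 to 2.17. It is illustrative code written for this page, not SonicOS code or the guide's own material: payload headers, traffic selectors and the real cipher are omitted, the SK{...} encryption is replaced by a PRF keystream with a tag (not a real AEAD), the Diffie-Hellman group is RFC 2409 group 2 (MODP-1024, chosen only because it is short; use group 14 or stronger in a real policy), and the identities and pre-shared key are constructed values.

```python
import hashlib, hmac, secrets

# RFC 2409 group 2 (MODP-1024), embedded because it is short. It is weak by
# current standards; a production policy should use group 14 or stronger.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, KLEN = 2, 32

def prf(key, data):                      # PRF_HMAC_SHA2_256
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, n):              # prf+ key expansion (RFC 4306 s.2.13)
    out, t, k = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + seed + bytes([k])); out += t; k += 1
    return out[:n]

def seal(sk, pt):                        # stand-in for the SK{...} payload:
    ks = prf_plus(sk, b"stream", len(pt))  # PRF keystream + 16-byte tag. Not a
    ct = bytes(a ^ b for a, b in zip(pt, ks))  # real AEAD; demonstration only.
    return ct + prf(sk, ct)[:16]

def unseal(sk, blob):                    # None if the integrity check fails
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(prf(sk, ct)[:16], tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, prf_plus(sk, b"stream", len(ct))))

class Peer:
    def __init__(self, role, identity, psk):   # role: "i" initiator, "r" responder
        self.role, self.id, self.psk, self.sk = role, identity, psk, {}
        self.spi = secrets.token_bytes(8)
        self.x = secrets.randbelow(P - 2) + 1              # DH private value
        self.ke = pow(G, self.x, P).to_bytes(128, "big")   # KEi / KEr payload
        self.nonce = secrets.token_bytes(32)               # Ni / Nr payload

def ike_sa_init(i, r):
    """Messages 1-2: proposal, DH value and nonce, all in the clear. Each side
    then derives SKEYSEED and the seven SK_* keys (RFC 4306 s.2.14)."""
    msg1 = b"SA(PRF_HMAC_SHA2_256,MODP1024)" + i.spi + i.ke + i.nonce
    msg2 = b"SA(PRF_HMAC_SHA2_256,MODP1024)" + r.spi + r.ke + r.nonce
    for me, peer in ((i, r), (r, i)):    # each side uses the OTHER side's KE
        g_ir = pow(int.from_bytes(peer.ke, "big"), me.x, P).to_bytes(128, "big")
        km = prf_plus(prf(i.nonce + r.nonce, g_ir),          # SKEYSEED
                      i.nonce + r.nonce + i.spi + r.spi, 7 * KLEN)
        me.sk = {n: km[k * KLEN:(k + 1) * KLEN]
                 for k, n in enumerate(("d", "ai", "ar", "ei", "er", "pi", "pr"))}
    return msg1, msg2

def psk_auth(psk, own_init_msg, peer_nonce, sk_p, ident):   # RFC 4306 s.2.15
    signed_octets = own_init_msg + peer_nonce + prf(sk_p, ident)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)

def ike_auth(i, r, msg1, msg2):
    """Messages 3-4: SK{IDi, AUTH, ...} and SK{IDr, AUTH, ...}. Identities are
    encrypted, and AUTH binds the sender's own clear-text IKE_SA_INIT message,
    the peer's nonce and the MACed identity, so the first exchange is
    authenticated after the fact. Each side verifies with its OWN copy of the PSK."""
    msg3 = seal(i.sk["ei"], i.id + psk_auth(i.psk, msg1, r.nonce, i.sk["pi"], i.id))
    msg4 = seal(r.sk["er"], r.id + psk_auth(r.psk, msg2, i.nonce, r.sk["pr"], r.id))
    pt3, pt4 = unseal(r.sk["ei"], msg3), unseal(i.sk["er"], msg4)
    ok_i = pt3 is not None and hmac.compare_digest(
        pt3[-32:], psk_auth(r.psk, msg1, r.nonce, r.sk["pi"], pt3[:-32]))
    ok_r = pt4 is not None and hmac.compare_digest(
        pt4[-32:], psk_auth(i.psk, msg2, i.nonce, i.sk["pr"], pt4[:-32]))
    return ok_i, ok_r, msg3

def create_child_sa(a, b, pfs=False):
    """CREATE_CHILD_SA: `a` starts this exchange, whichever end of the IKE SA it
    is, and encrypts under the SK_e key of its original role. KEYMAT is
    prf+(SK_d, [g^ir |] Ni | Nr) (RFC 4306 s.2.17); the new DH exchange is
    present only when PFS is requested. Returns each side's KEYMAT."""
    na, nb = secrets.token_bytes(32), secrets.token_bytes(32)
    xa, xb = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ya, yb = pow(G, xa, P), pow(G, xb, P)                 # fresh KEi / KEr
    req = seal(a.sk["e" + a.role], b"SA,Ni,TSi,TSr" + na)   # SK{SA, Ni, [KEi], TS}
    rsp = seal(b.sk["e" + b.role], b"SA,Nr,TSi,TSr" + nb)   # SK{SA, Nr, [KEr], TS}
    if unseal(b.sk["e" + a.role], req) is None or unseal(a.sk["e" + b.role], rsp) is None:
        raise ValueError("integrity check failed on CREATE_CHILD_SA")
    g_a = pow(yb, xa, P).to_bytes(128, "big") if pfs else b""
    g_b = pow(ya, xb, P).to_bytes(128, "big") if pfs else b""
    return (prf_plus(a.sk["d"], g_a + na + nb, 2 * KLEN),
            prf_plus(b.sk["d"], g_b + na + nb, 2 * KLEN))

def demo(psk_i=b"constructed-psk", psk_r=b"constructed-psk"):
    """Runs the full flow with constructed identities; mismatched PSKs fail AUTH."""
    i = Peer("i", b"branch-fw.example.net", psk_i)
    r = Peer("r", b"hq-fw.example.net", psk_r)
    m1, m2 = ike_sa_init(i, r)
    ok_i, ok_r, msg3 = ike_auth(i, r, m1, m2)
    km_a, km_b = create_child_sa(r, i, pfs=True)   # responder-initiated, with PFS
    return {"auth": (ok_i, ok_r), "id_hidden": b"branch-fw" not in msg3,
            "child_keymat_match": km_a == km_b}
```

Two points the code makes visible that the prose only states: the identities never appear in clear text because message 3 and 4 are sealed under SK_ei and SK_er, and a wrong pre-shared key on either side fails both AUTH checks without the first exchange ever having to be encrypted, because AUTH covers the sender's own IKE_SA_INIT message and the peer's nonce.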
Note You can find more information about IKE v2 in the specification, RFC 4306, available on the
Web at: http://www.ietf.org/rfc/rfc4306.txt (RFC 4306 has since been superseded by RFC 7296,
which keeps the exchanges described here).
For information on configuring VPNs in SonicOS Enhanced, see:
“Configuring VPNs in SonicOS Enhanced” section on page 869
“Configuring GroupVPN Policies” section on page 879
“Site-to-Site VPN Configurations” section on page 890
“Creating Site-to-Site VPN Policies” section on page 890
“VPN Auto-Added Access Rule Control” section on page 910
Configuring VPNs in SonicOS Enhanced
SonicWALL VPN, based on the industry-standard IPsec protocol suite, provides an easy-to-set-up,
secure solution for connecting mobile users, telecommuters, remote offices and
partners via the Internet. Mobile users, telecommuters, and other remote users with broadband