SonicWALL Internet Security Appliance Guide Page 153
• Internet Key Exchange (IKE)
IKE is the negotiation and key exchange protocol for IPsec specified by the Internet
Engineering Task Force (IETF) in RFC 2409. An IKE SA automatically negotiates the
encryption and authentication keys: an initial exchange authenticates the two
endpoints of the VPN session and then negotiates the keys that will be used to
protect IP traffic, so no key ever has to be typed in or sent by hand. The initial
exchange takes place over UDP port 500, so when an IKE SA is created, the SonicWALL
automatically opens UDP port 500 to allow the IKE key exchange.
• Manual Keying
Manual keying allows you to specify the encryption and authentication keys yourself
instead of having IKE negotiate them; both endpoints must be configured with the same
keys. SonicWALL VPN supports Manual Key VPN Security Associations. Because manually
entered keys are never renegotiated, the tunnel stays protected only as long as
those keys stay secret, so use IKE where both endpoints support it.
• Shared Secret
A Shared Secret is a pre-shared value, configured identically on both endpoints of a
VPN tunnel, that the endpoints use to authenticate each other when setting up an IKE
SA. This field can be any combination of alphanumeric characters with a minimum
length of 4 characters and a maximum of 128. The shared secret is the only thing
that authenticates the IKE exchange, so choose a long, random value rather than the
minimum length, and take precautions when delivering or exchanging it (never send it
across the unprotected network the tunnel is meant to secure) to assure that a third
party cannot compromise the security of the VPN tunnel.
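The IKE exchange and the role the Shared Secret plays in it, as an added example that is not code from the manual or from SonicWALL. It models IKEv1 main mode with pre-shared-key authentication: cookies, nonces and Diffie-Hellman values cross the wire in the clear, SKEYID and its children are derived exactly as RFC 2409 section 5 specifies with HMAC-SHA1 as the prf, and each side then proves it holds the shared secret with HASH_I / HASH_R over the transcript. The DH group (a toy-size prime), the SA proposal bytes and the identity payloads are assumptions of the example, not values from the page or the product.

```python
"""Shared-secret (PSK) authenticated IKE phase 1, modelled after IKEv1 main mode.

Added example, not SonicWALL's code. Key derivation follows RFC 2409 section 5
with HMAC-SHA1 as the prf; the DH group is a toy-size prime chosen for this
example (assumption) rather than an IKE group, and the SA proposal and identity
payloads are constructed placeholders.
"""
import hashlib
import hmac
import secrets

# Toy DH group (assumption): p = 2**127 - 1 is a Mersenne prime, g = 3.
# Real IKE uses 768/1024-bit MODP groups or larger; this only keeps the
# arithmetic visible.
P = (1 << 127) - 1
G = 3


def prf(key, data):
    """The IKE prf, here HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def itob(n):
    """Big-endian byte encoding of a DH value."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One tunnel endpoint: identity, shared secret, cookie, nonce, DH key pair."""

    def __init__(self, ident, psk):
        self.ident = ident                         # IDii / IDir payload body
        self.psk = psk                             # the Shared Secret
        self.cookie = secrets.token_bytes(8)       # CKY-I / CKY-R
        self.nonce = secrets.token_bytes(16)       # Ni / Nr
        self.x = 1 + secrets.randbelow(P - 2)      # DH private exponent
        self.gx = pow(G, self.x, P)                # DH public value, sent in the clear

    def dh_shared(self, peer_gx):
        return itob(pow(peer_gx, self.x, P))       # g^xy


def derive_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and its three children (RFC 2409 section 5, pre-shared key variant)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # feeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def phase1(init, resp, sai=b"constructed SA proposal"):
    """Run main mode between two peers.

    Returns (responder_accepts_initiator, initiator_accepts_responder,
    derived_encryption_keys_agree)."""
    # Messages 1-4 carry cookies, the SA proposal, g^x values and nonces in the
    # clear over UDP/500; nothing is authenticated yet.
    gxy_i = init.dh_shared(resp.gx)
    gxy_r = resp.dh_shared(init.gx)
    ki = derive_keys(init.psk, init.nonce, resp.nonce, gxy_i, init.cookie, resp.cookie)
    kr = derive_keys(resp.psk, init.nonce, resp.nonce, gxy_r, init.cookie, resp.cookie)

    # Messages 5-6: each side proves it holds the shared secret by keying a MAC
    # over the transcript with SKEYID. This is the only authentication step.
    transcript_i = itob(init.gx) + itob(resp.gx) + init.cookie + resp.cookie + sai
    transcript_r = itob(resp.gx) + itob(init.gx) + resp.cookie + init.cookie + sai
    hash_i = prf(ki[0], transcript_i + init.ident)       # HASH_I, sent by initiator
    hash_r = prf(kr[0], transcript_r + resp.ident)       # HASH_R, sent by responder
    resp_ok = hmac.compare_digest(hash_i, prf(kr[0], transcript_i + init.ident))
    init_ok = hmac.compare_digest(hash_r, prf(ki[0], transcript_r + resp.ident))
    return resp_ok, init_ok, ki[3] == kr[3]


if __name__ == "__main__":
    a = Peer(b"gw-a.example", b"long random secret")
    b = Peer(b"gw-b.example", b"long random secret")
    print("matching secret:", phase1(a, b))     # (True, True, True)
    c = Peer(b"gw-c.example", b"different secret")
    print("mismatched secret:", phase1(a, c))   # (False, False, False)
```

With a mismatched secret the Diffie-Hellman values still agree (`a.dh_shared(c.gx) == c.dh_shared(a.gx)`), but SKEYID differs on each side, so HASH_I and HASH_R fail to verify and the derived SKEYID_e keys differ: nothing but the shared secret separates a legitimate peer from anyone else who can reach UDP port 500, which is why its length and handling matter.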
• Encapsulating Security Payload (ESP)
ESP provides confidentiality, and optionally integrity, of data by encrypting the
data and encapsulating it into IP packets. Encryption may be in the form of ARCFour
(an implementation of the RC4 stream cipher), DES, or 3DES.
The use of ESP increases the processing requirements in SonicWALL VPN and also
increases the communications latency. The increased latency is due to the
encryption by the sender and decryption by the receiver required for each IP packet
containing an Encapsulating Security Payload.
The SonicWALL supports 56 bit ARCFour, 56 bit DES and 168 bit 3DES. A 56 bit key can
be recovered by exhaustive search with modest hardware (DES was publicly broken this
way in 1998), so prefer 168 bit 3DES where both endpoints support it.
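The ESP encapsulation described above, as an added example that is not code from the manual or from SonicWALL. It builds the RFC 2406 layout around ARCFour, the 56 bit stream cipher option listed above: SPI and sequence number in the clear, then the payload, self-describing padding, pad length and next header encrypted. The example assumes the 7-byte key is used unchanged for every packet of the SA with no per-packet IV and attaches no ICV; the page does not say how the appliance keys ARCFour per packet, so that keying is the example's own assumption, and the last function shows what it costs for any stream cipher keyed that way.

```python
"""ESP encapsulation with ARCFOUR (RC4), as an added illustration.

Packet layout follows RFC 2406: SPI | Sequence | encrypted(payload | padding |
pad length | next header). Assumptions: a 56-bit (7-byte) RC4 key used as-is
for every packet of the SA with no per-packet IV, and no optional ICV.
"""
import struct

ESP_ALIGN = 4   # pad length + next header must end on a 32-bit boundary


def rc4(key, data):
    """ARCFOUR keystream XORed over data; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def esp_encapsulate(key, spi, seq, next_header, payload):
    """Build SPI | seq | RC4(payload | padding | pad_len | next_header)."""
    pad_len = (-(len(payload) + 2)) % ESP_ALIGN
    padding = bytes(range(1, pad_len + 1))     # default self-describing pad bytes
    trailer = padding + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + rc4(key, payload + trailer)


def esp_decapsulate(key, packet):
    """Reverse esp_encapsulate; returns (spi, seq, next_header, payload)."""
    spi, seq = struct.unpack("!II", packet[:8])
    clear = rc4(key, packet[8:])
    pad_len, next_header = clear[-2], clear[-1]
    end = len(clear) - 2 - pad_len
    if end < 0 or clear[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, clear[:end]


def ciphertext_xor_leaks(key, p1, p2):
    """True when two packets under one key leak p1 XOR p2 through c1 XOR c2.

    Any stream cipher keyed identically per packet has this property, which is
    why the standard ESP cipher suites are block ciphers in CBC mode with a
    per-packet IV (RFC 2405 for DES, RFC 2451 for 3DES and others)."""
    c1 = esp_encapsulate(key, 0x1000, 1, 6, p1)[8:]
    c2 = esp_encapsulate(key, 0x1000, 2, 6, p2)[8:]
    n = min(len(p1), len(p2))
    return (bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
            == bytes(a ^ b for a, b in zip(p1[:n], p2[:n])))


if __name__ == "__main__":
    key = b"\x42" * 7                          # constructed 56-bit key
    pkt = esp_encapsulate(key, 0x100, 1, 6, b"hello")
    print(pkt.hex(), esp_decapsulate(key, pkt))
    print("keystream reuse leaks:", ciphertext_xor_leaks(key, b"attack at dawn", b"defend at noon"))
```

Because RC4 is a plain XOR with the keystream, flipping a bit of ciphertext flips the same bit of the decrypted payload and `esp_decapsulate` raises no error: ESP without its optional ICV gives confidentiality only, which is the reason to combine it with AH or with an ESP integrity check.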
• Authentication Header (AH)
The Authentication Header provides strong integrity and origin authentication by
adding authentication data to IP packets without encrypting them. This
authentication data is a keyed hash calculated over the payload and over the IP
header fields that do not change in transit (mutable fields such as the TTL and the
header checksum are excluded), so a receiver detects any modification of the packet,
its addressing included, which provides an additional level of security.
Using AH increases the processing requirements of VPN and will also increase the
communications latency. The increased latency is primarily due to the calculation
of the authentication data by the sender, and the calculation and comparison of
the authentication data by the receiver for each IP packet containing an
Authentication Header.
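The sender-side calculation and receiver-side comparison described above, as an added example that is not code from the manual or from SonicWALL. It follows RFC 2402 transport mode over a plain 20-byte IPv4 header: the ICV is an HMAC-SHA1-96 (RFC 2404) over the header with its mutable fields zeroed, the AH itself with the ICV field zeroed, and the payload. A router hop that decrements the TTL and rewrites the checksum leaves the ICV valid, while a changed destination address or payload byte does not. The addresses, key and payload are constructed for the example.

```python
"""AH (RFC 2402) authentication data over an IPv4 packet, as an added illustration.

Assumptions: transport mode, a 20-byte IPv4 header without options,
HMAC-SHA1-96 (RFC 2404) as the integrity algorithm, and constructed
addresses, key and payload.
"""
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number of AH
ICV_LEN = 12           # HMAC-SHA1-96 keeps the leading 96 bits
AH_LEN = 12 + ICV_LEN  # fixed AH fields + ICV = 24 bytes


def ip_checksum(hdr):
    """RFC 791 header checksum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_len, ttl=64, proto=AH_PROTO):
    """Minimal IPv4 header (DF set, no options) with a correct checksum."""
    def addr(dotted):
        return bytes(int(o) for o in dotted.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """Zero the header fields a router may legitimately change in transit."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC-SHA1-96 over zeroed IP header | AH (ICV field zeroed) | payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, spi, seq, next_header, payload, ttl=64):
    """Sender side: IPv4 header | AH | payload, with the ICV filled in."""
    ip_hdr = ipv4_header(src, dst, 20 + AH_LEN + len(payload), ttl)
    # Next Header | Payload Len (AH length in 32-bit words minus 2) | Reserved | SPI | Seq
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def router_hop(packet):
    """What a forwarding router does: decrement TTL and fix the checksum.

    AH still verifies afterwards because both fields are excluded from the ICV."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]


if __name__ == "__main__":
    key = b"\x0b" * 20                                   # constructed AH key
    pkt = ah_protect(key, "10.0.0.1", "10.0.0.2", 0x2000, 1, 6, b"constructed TCP segment")
    print("fresh:", ah_verify(key, pkt), "after hop:", ah_verify(key, router_hop(pkt)))
    rerouted = bytearray(pkt)
    rerouted[19] ^= 0x01                                 # last octet of the destination
    print("rerouted:", ah_verify(key, bytes(rerouted)))
```

The cost the text describes is visible in `ah_icv`: every packet needs one keyed hash over the whole header and payload on each side, and the receiver's `hmac.compare_digest` is the comparison step. Unlike ESP, nothing here is encrypted; AH only lets the receiver reject packets whose source, destination or contents were altered, or that were sent by someone without the key.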
integrated_manual.book Page 153 Wednesday, June 13, 2001 6:21 PM