SonicWALL Internet Security Appliances User Manual

Appendices Page 275

Internet Key Exchange (IKE)

IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force
(IETF). An IKE SA automatically negotiates the Phase 1 encryption and authentication keys. With IKE,
an initial exchange authenticates the VPN session and then automatically negotiates the keys that
are used to protect IP traffic. The initial exchange occurs on UDP port 500, so when an IKE SA is
created, the SonicWALL automatically opens port 500 to allow the IKE key exchange.

Manual Key

The Manual Key SA lets you enter the encryption and authentication keys directly, together with
the incoming and outgoing Security Parameter Indices (SPIs), instead of having IKE negotiate them.
Because these keys are entered by hand, they do not change until an administrator re-enters them.
SonicWALL VPN supports Manual Key VPN Security Associations.

Shared Secret

A Shared Secret is a predefined value known to both endpoints of a VPN tunnel, which they use to
authenticate each other when setting up an IKE SA. It can be any combination of alphanumeric
characters, from 4 to 128 characters long. The 4-character minimum is a lower bound, not a
recommendation: choose a long, random secret, and take precautions when delivering or exchanging
it so that a third party cannot learn it and compromise the security of the VPN tunnel.

Advanced Encryption Standard (AES)

AES is an encryption algorithm adopted by U.S. Government agencies for securing sensitive but
unclassified material. It may eventually become the standard encryption method for commercial
transactions in the private sector.

Intended as a replacement for DES and possibly 3DES, AES is a symmetric algorithm, meaning it
uses the same key for encryption and decryption, and it encrypts data in 128-bit blocks. The
algorithm supports key sizes of 128, 192, and 256 bits; no other key sizes are defined, and the
block size stays at 128 bits whichever key size is used.

Encapsulating Security Payload (ESP)

ESP provides confidentiality of data by encrypting it and encapsulating it in IP packets; when an
authentication algorithm is configured for the SA it also provides integrity. Encryption can be
ARCFour (compatible with the popular RC4 cipher), DES, and so on.

The use of ESP increases the processing requirements of SonicWALL VPN and also increases
communications latency, because every IP packet carrying an Encapsulating Security Payload must
be encrypted by the sender and decrypted by the receiver.

ESP typically encrypts the packet payload using standard ciphers such as ARCFour (RC4), DES, or
3DES. The SonicWALL supports 56-bit ARCFour, 56-bit DES and 168-bit 3DES. The 56-bit options are
weak by current standards; prefer 3DES, or AES where the firmware offers it, for new tunnels.

Authentication Header (AH)

The Authentication Header provides strong integrity and authentication by adding an integrity
check value to each IP packet. This value is calculated over the IP header and the payload, so a
change to either is detected, which provides an additional level of security. AH does not encrypt
the payload; use ESP when confidentiality is required.
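The following Go program is an added example, not code from the SonicWALL manual or from
SonicWALL, that ties the Manual Key, AES, ESP and AH entries above together: it builds and parses
an ESP packet (SPI, sequence number, IV, AES-CBC ciphertext, ICV) and an AH packet (header plus
ICV, no encryption) from a manually supplied encryption key, authentication key and SPI. It
assumes AES-CBC for the cipher (the manual's ESP entry lists ARCFour, DES and 3DES instead) and
HMAC-SHA1-96 for the ICV, uses a constructed fixed IV so its output is reproducible, and leaves
out anti-replay checking and the outer IP header; key and SPI values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// icvLen is the HMAC-SHA1-96 ICV length (RFC 2404): a 160-bit MAC truncated to 96 bits.
const icvLen = 12

// fixedIV is a constructed IV so output is reproducible; real stacks use a fresh random IV per packet.
var fixedIV = []byte("fedcba9876543210")

// icv computes the truncated HMAC-SHA1 over the given slices in order.
func icv(authKey []byte, parts ...[]byte) []byte {
	mac := hmac.New(sha1.New, authKey)
	for _, p := range parts {
		mac.Write(p)
	}
	return mac.Sum(nil)[:icvLen]
}

// BuildESP encapsulates payload as SPI | seq | IV | AES-CBC(payload | pad | padLen | nextHdr) | ICV
// (RFC 2406 layout). encKey must be 16, 24 or 32 bytes; AES uses 128-bit blocks with any of them.
func BuildESP(encKey, authKey []byte, spi, seq uint32, nextHdr byte, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // any other key length is rejected here
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padLen := (bs - (len(payload)+2)%bs) % bs // 2-byte trailer: pad length + next header
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 2406 default padding 1,2,3,...
	}
	plain = append(plain, byte(padLen), nextHdr)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(ct, plain)
	pkt := make([]byte, 8, 8+bs+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(append(pkt, fixedIV...), ct...)
	return append(pkt, icv(authKey, pkt)...), nil
}

// ParseESP checks the ICV before decrypting, so a forged or tampered packet is dropped
// without spending any decryption work on it.
func ParseESP(encKey, authKey, pkt []byte) (spi, seq uint32, nextHdr byte, payload []byte, err error) {
	if len(pkt) < 8+aes.BlockSize+icvLen {
		return 0, 0, 0, nil, errors.New("esp: packet too short")
	}
	body, got := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(icv(authKey, body), got) {
		return 0, 0, 0, nil, errors.New("esp: ICV mismatch")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return 0, 0, 0, nil, err
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return 0, 0, 0, nil, errors.New("esp: ciphertext is not whole blocks")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return 0, 0, 0, nil, errors.New("esp: bad pad length")
	}
	spi, seq = binary.BigEndian.Uint32(body[0:4]), binary.BigEndian.Uint32(body[4:8])
	return spi, seq, plain[len(plain)-1], plain[:len(plain)-2-padLen], nil
}

// BuildAH prepends an Authentication Header (RFC 2402): nextHdr | len | reserved | SPI | seq | ICV.
// Nothing is encrypted; the ICV is computed with its own field zeroed over the AH plus the payload
// (a real stack also covers the immutable fields of the outer IP header).
func BuildAH(authKey []byte, spi, seq uint32, nextHdr byte, payload []byte) []byte {
	ah := make([]byte, 12+icvLen)
	ah[0], ah[1] = nextHdr, byte(len(ah)/4-2) // AH length in 32-bit words, minus 2
	binary.BigEndian.PutUint32(ah[4:8], spi)
	binary.BigEndian.PutUint32(ah[8:12], seq)
	copy(ah[12:], icv(authKey, ah, payload)) // ah[12:] is still zero here
	return append(ah, payload...)
}

// VerifyAH recomputes the ICV over the header (ICV field zeroed) and the payload.
func VerifyAH(authKey, pkt []byte) bool {
	if len(pkt) < 12+icvLen {
		return false
	}
	ah, got := append([]byte{}, pkt[:12+icvLen]...), append([]byte{}, pkt[12:12+icvLen]...)
	copy(ah[12:], make([]byte, icvLen))
	return hmac.Equal(icv(authKey, ah, pkt[12+icvLen:]), got)
}
```

The two parsers show the practical difference between the entries: ParseESP only learns the
payload after the ICV passes and the ciphertext is decrypted, while VerifyAH leaves the payload
readable and only answers whether it was altered in transit. A 20-byte encryption key is refused
by aes.NewCipher, which is the concrete form of "128, 192 and 256 bits only" from the AES entry.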
