VPN > Settings
539
SonicOS Enhanced 4.0 Administrator Guide
One advantage of SSL VPN is that SSL is built into most Web Browsers. No special VPN
client software or hardware is required.
Note: SonicWALL makes SSL-VPN devices that you can use in concert with or independently of
a SonicWALL UTM appliance running SonicOS. For information on SonicWALL SSL-VPN
devices, see the SonicWALL Website:
http://www.sonicwall.com/us/Secure_Remote_Access.html
VPN Security
IPsec VPN traffic is secured in two stages:
• Authentication: The first phase establishes the authenticity of the sender and receiver of
the traffic using an exchange of the public key portion of a public-private key pair. This
phase must be successful before the VPN tunnel can be established.
• Encryption: The traffic in the VPN tunnel is encrypted, using an encryption algorithm such
as AES or 3DES.
Unless you use a manual key (which must be typed identically into each node in the VPN), the
exchange of information to authenticate the members of the VPN and encrypt/decrypt the data
uses the Internet Key Exchange (IKE) protocol for exchanging authentication information (keys)
and establishing the VPN tunnel. SonicOS Enhanced supports two versions of IKE, version 1
and version 2.
IKE version 1
IKE version 1 uses a two phase process to secure the VPN tunnel.
• IKE Phase 1 is the authentication phase. The nodes or gateways on either end of the tunnel
authenticate with each other, exchange encryption/decryption keys, and establish the
secure tunnel.
• IKE Phase 2 is the negotiation phase. Once authenticated, the two nodes or gateways
negotiate the methods of encryption and data verification (using a hash function) to be used
on the data passed through the VPN, and negotiate the number of security associations
(SAs) in the tunnel and their lifetime before renegotiation of the encryption/decryption keys
is required.
IKE Phase 1
In IKE v1, there are two modes of exchanging authentication information: Main Mode and
Aggressive Mode.
Main Mode: The node or gateway initiating the VPN queries the node or gateway on the
receiving end, and they exchange authentication methods, public keys, and identity
information. This usually requires six messages back and forth. The order of authentication
messages in Main Mode is:
1. The initiator sends a list of cryptographic algorithms the initiator supports.
2. The responder replies with a list of supported cryptographic algorithms.
3. The initiator sends a public key (part of a Diffie-Hellman public/private key pair) for the first
mutually supported cryptographic algorithm.
4. The responder replies with the public key for the same cryptographic algorithm.
5. The initiator sends identity information (usually a certificate).
6. The responder replies with identity information.
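To make the six-message order concrete, the following is an added Python simulation, not SonicOS code and not the real IKE wire format: a constructed toy Diffie-Hellman group and a toy XOR seal stand in for the real cryptography, and it assumes "first mutually supported algorithm" means the first entry in the initiator's list that the responder also offers.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group, illustration only; real IKE uses the far
# larger RFC 2409 MODP groups.
TOY_P, TOY_G = 2**127 - 1, 2

class Peer:
    """One tunnel end: ordered algorithm list, identity (<= 32 bytes), DH key pair."""
    def __init__(self, name, proposals, identity):
        self.name, self.proposals, self.identity = name, proposals, identity
        self.priv = secrets.randbelow(TOY_P - 2) + 1   # DH private value
        self.pub = pow(TOY_G, self.priv, TOY_P)         # DH public value (message 3/4)
        self.key = self.peer_identity = None

    def derive_key(self, peer_pub):
        shared = pow(peer_pub, self.priv, TOY_P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()

def first_mutual(initiator_list, responder_list):
    """First algorithm in the initiator's order that the responder also offers."""
    return next((a for a in initiator_list if a in responder_list), None)

def seal(key, data):
    """Toy identity protection: XOR with a one-block SHA-256 keystream (not IKE's cipher)."""
    stream = hashlib.sha256(key + b"identity").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def main_mode(initiator, responder):
    """Run the six Main Mode messages; return (transcript, agreed algorithm or None)."""
    transcript = [("I->R", "proposals", initiator.proposals),      # message 1
                  ("R->I", "proposals", responder.proposals)]      # message 2
    chosen = first_mutual(initiator.proposals, responder.proposals)
    if chosen is None:
        return transcript, None                  # no common algorithm: Phase 1 fails
    transcript.append(("I->R", "dh_public", initiator.pub))        # message 3
    transcript.append(("R->I", "dh_public", responder.pub))        # message 4
    initiator.derive_key(responder.pub)
    responder.derive_key(initiator.pub)
    # Messages 5 and 6 follow the DH exchange, so the identities can travel under
    # the freshly derived key instead of in the clear.
    sealed_i = seal(initiator.key, initiator.identity)
    transcript.append(("I->R", "identity", sealed_i))              # message 5
    responder.peer_identity = seal(responder.key, sealed_i)
    sealed_r = seal(responder.key, responder.identity)
    transcript.append(("R->I", "identity", sealed_r))              # message 6
    initiator.peer_identity = seal(initiator.key, sealed_r)
    return transcript, chosen
```

Running `main_mode` with two peers whose proposal lists share an algorithm yields a six-entry transcript in which the identity payloads are not the plaintext identities; with no common algorithm it stops after message 2.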