VPN > Settings
541
SonicOS Enhanced 4.0 Administrator Guide
Note There is no restriction on nesting IKE v1 tunnels within an IKE v2 tunnel and vice versa. For
example, if you are connecting to a wireless device using WiFiSec, which uses an IKE v1
tunnel, you can then connect over the internet to a corporate network using a site-to-site
VPN tunnel established with IKE v2.
Initialization and Authentication in IKE v2
IKE v2 initializes a VPN tunnel with a pair of message exchanges (two message/response
pairs).
1. Initialize communication: The first pair of messages (IKE_SA_INIT) negotiates cryptographic
algorithms, exchanges nonces (random values generated and sent to guard against
replayed messages), and performs a public key exchange.
a. Initiator sends a list of supported cryptographic algorithms, public keys, and a nonce.
b. Responder sends the selected cryptographic algorithm, the public key, a nonce, and an
authentication request.
2. Authenticate: The second pair of messages (IKE_AUTH) authenticates the previous
messages, exchanges identities and certificates, and establishes the first CHILD_SA. Parts of
these messages are encrypted and integrity protected with keys established through the
IKE_SA_INIT exchange, so the identities are hidden from eavesdroppers and all fields in
all the messages are authenticated.
a. Initiator sends an identity proof, such as a shared secret or a certificate, and a request to
establish a child SA.
b. Responder sends the matching identity proof and completes negotiation of a child SA.
Negotiating SAs in IKE v2
This exchange consists of a single request/response pair, and was referred to as a phase 2
exchange in IKE v1. It may be initiated by either end of the SA after the initial exchanges are
completed.
All messages following the initial exchange are cryptographically protected using the
cryptographic algorithms and keys negotiated in the first two messages of the IKE exchange.
Either endpoint may initiate a CREATE_CHILD_SA exchange, so in this section the term
“initiator” refers to the endpoint initiating this exchange.
1. Initiator sends a child SA offer and, if the data is to be encrypted, the encryption method
and the public key.
2. Responder sends the accepted child SA offer and, if encryption information was included,
a public key.
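The following Python model walks through the three exchanges described above (IKE_SA_INIT, IKE_AUTH and CREATE_CHILD_SA) with both sides' messages, so that the order of negotiation, nonce exchange, key derivation and identity proof is visible in code. It is an added example, not SonicOS or SonicWALL code. It follows the key-derivation shape of RFC 4306 (SKEYSEED = prf(Ni | Nr, g^ir), the prf+ expansion, and the pre-shared-key AUTH payload prf(prf(PSK, "Key Pad for IKEv2"), signed octets)), but the Diffie-Hellman group, the proposal names, the identities and the simplified "signed octets" are constructed for illustration and are labelled as such in the comments.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group for illustration only: modulus 2**127 - 1 (a Mersenne
# prime), generator 3. Real IKEv2 deployments use the RFC 3526 MODP groups.
P = (1 << 127) - 1
G = 3
KEY_LEN = 20  # PRF_HMAC_SHA1 output size; one key each for SK_d, SK_a, SK_e


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, one of the PRFs an IKEv2 policy can negotiate."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 4306 section 2.13: T1 = prf(K, S|1), Tn = prf(K, T(n-1)|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


class Peer:
    """One IKE endpoint: its pre-shared key, acceptable transforms, DH value and nonce."""

    def __init__(self, name: str, psk: bytes, proposals: list):
        self.name, self.psk, self.proposals = name, psk, proposals
        self.priv = secrets.randbelow(P - 3) + 2   # private DH exponent
        self.pub = pow(G, self.priv, P)             # public value carried in the KE payload
        self.nonce = secrets.token_bytes(32)        # Ni or Nr
        self.keys = None                            # filled in after IKE_SA_INIT


def ike_sa_init(i: Peer, r: Peer):
    """Message pair 1 (IKE_SA_INIT): SA proposals, KE public value and nonce each way.
    Both sides then compute SKEYSEED = prf(Ni | Nr, g^ir) and expand it with prf+."""
    msg1 = {"SA": i.proposals, "KE": i.pub, "Ni": i.nonce}            # initiator -> responder
    chosen = next((p for p in msg1["SA"] if p in r.proposals), None)  # responder selects one
    if chosen is None:
        return None, "NO_PROPOSAL_CHOSEN"
    msg2 = {"SA": chosen, "KE": r.pub, "Nr": r.nonce, "AUTH_REQ": True}  # responder -> initiator
    nonces = msg1["Ni"] + msg2["Nr"]
    for me, peer_pub in ((i, msg2["KE"]), (r, msg1["KE"])):
        g_ir = pow(peer_pub, me.priv, P).to_bytes(16, "big")
        skeyseed = prf(nonces, g_ir)
        stream = prf_plus(skeyseed, nonces, 3 * KEY_LEN)
        me.keys = {"SK_d": stream[:KEY_LEN],             # seeds the CHILD_SA keys
                   "SK_a": stream[KEY_LEN:2 * KEY_LEN],  # integrity for later IKE messages
                   "SK_e": stream[2 * KEY_LEN:]}         # encryption for later IKE messages
    return chosen, None


def auth_payload(me: Peer, identity: bytes, peer_nonce: bytes) -> bytes:
    """PSK AUTH from RFC 4306 section 2.15: prf(prf(PSK, "Key Pad for IKEv2"), signed octets).
    Signed octets are simplified here to ID | peer nonce | SK_d (the RFC covers the whole
    IKE_SA_INIT message, the peer nonce and prf(SK_p, ID))."""
    return prf(prf(me.psk, b"Key Pad for IKEv2"), identity + peer_nonce + me.keys["SK_d"])


def ike_auth(i: Peer, r: Peer, id_i: bytes, id_r: bytes):
    """Message pair 2 (IKE_AUTH): each side proves its identity. The verifier recomputes
    AUTH with its *own* PSK, so a PSK mismatch surfaces here, not in IKE_SA_INIT."""
    msg3 = {"IDi": id_i, "AUTH": auth_payload(i, id_i, r.nonce)}  # protected by SK_e/SK_a in reality
    if not hmac.compare_digest(msg3["AUTH"], auth_payload(r, id_i, r.nonce)):
        return False, "AUTHENTICATION_FAILED"
    msg4 = {"IDr": id_r, "AUTH": auth_payload(r, id_r, i.nonce)}
    if not hmac.compare_digest(msg4["AUTH"], auth_payload(i, id_r, i.nonce)):
        return False, "AUTHENTICATION_FAILED"
    return True, None


def create_child_sa(initiator: Peer, responder: Peer) -> bool:
    """CREATE_CHILD_SA (the former phase 2): either endpoint may initiate. Without PFS the
    child keys are KEYMAT = prf+(SK_d, Ni | Nr) with fresh nonces (RFC 4306 section 2.17).
    Returns True when both ends derive identical keying material."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    keymat_i = prf_plus(initiator.keys["SK_d"], ni + nr, 2 * KEY_LEN)
    keymat_r = prf_plus(responder.keys["SK_d"], ni + nr, 2 * KEY_LEN)
    return hmac.compare_digest(keymat_i, keymat_r)


def run_handshake(psk_i: bytes, psk_r: bytes, props_i: list, props_r: list) -> str:
    """Drive the full sequence and report the outcome as a status string."""
    i, r = Peer("initiator", psk_i, props_i), Peer("responder", psk_r, props_r)
    chosen, err = ike_sa_init(i, r)
    if err:
        return err
    ok, err = ike_auth(i, r, b"initiator@example.test", b"responder@example.test")  # constructed IDs
    if err:
        return err
    # Either side may start the next CREATE_CHILD_SA; here the responder does.
    return "ESTABLISHED " + chosen if create_child_sa(r, i) else "KEYMAT_MISMATCH"


if __name__ == "__main__":
    common = ["AES128-SHA1-DH2", "3DES-SHA1-DH2"]          # constructed proposal names
    print(run_handshake(b"shared-secret", b"shared-secret", common, common))
    print(run_handshake(b"shared-secret", b"other-secret", common, common))
    print(run_handshake(b"shared-secret", b"shared-secret", ["AES256-SHA1-DH14"], common))
```

The three runs at the bottom show the outcomes an administrator sees in practice: a matching pre-shared key and an overlapping proposal list establish the tunnel; a pre-shared-key mismatch passes IKE_SA_INIT and only fails at IKE_AUTH; and a proposal list with no common transform never reaches authentication at all. On a SonicWALL this mapping is what tells you whether to look at the Proposals tab or at the shared secret when an IKEv2 policy fails to come up.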
Note You can find more information about IKE v2 in the specification, RFC 4306, available on the
web at:
http://rfc.net/rfc4306.html
For information on configuring VPNs in SonicOS Enhanced, see:
“Configuring VPNs in SonicOS Enhanced” section on page 542
“Configuring GroupVPN Policies” section on page 552
“Site-to-Site VPN Configurations” section on page 561
“Creating Site-to-Site VPN Policies” section on page 562