Support User Manuals

SonicWALL TZ 180 Humidifier User Manual

Open as PDF

of 843

VPN > Settings

541

SonicOS Enhanced 4.0 Administrator Guide

Note There is no restriction on nesting IKE v1 tunnels within an IKE v2 tunnel and visa-versa. For

example, if you are connecting to a wireless device using WiFiSec, which uses an IKE v1

tunnel, you can then connect over the internet to a corporate network using a site-to-site

VPN tunnel established with IKE v2.

Initialization and Authentication in IKE v2

IKE v2 initializes a VPN tunnel with a pair of message exchanges (two message/response

pairs).

• Initialize communication: The first pair of messages (IKE_SA_INIT) negotiate cryptographic

algorithms, exchange nonces (random values generated and sent to guard against

repeated messages), and perform a public key exchange.

a. Initiator sends a list of supported cryptographic algorithms, public keys, and a nonce.

b. Responder sends the selected cryptographic algorithm, the public key, a nonce, and an

authentication request.

• Authenticate: The second pair of messages (IKE_AUTH) authenticate the previous

messages, exchange identities and certificates, and establish the first CHILD_SA. Parts of

these messages are encrypted and integrity protected with keys established through the

IKE_SA_INIT exchange, so the identities are hidden from eavesdroppers and all fields in

all the messages are authenticated.

a. Initiator identity proof, such as a shared secret or a certificate, and a request to

establish a child SA.

b. Responder sends the matching identity proof and completes negotiation of a child SA.

Negotiating SAs in IKE v2

This exchange consists of a single request/response pair, and was referred to as a phase 2

exchange in IKE v1. It may be initiated by either end of the SA after the initial exchanges are

completed.

All messages following the initial exchange are cryptographically protected using the

cryptographic algorithms and keys negotiated in the first two messages of the IKE exchange.

Either endpoint may initiate a CREATE_CHILD_SA exchange, so in this section the term

“initiator” refers to the endpoint initiating this exchange.

1. Initiator sends a child SA offer and, if the data is to be encrypted, the encryption method

and the public key.

2. Responder sends the accepted child SA offer and, if encryption information was included,

a public key.

Note You can find more information about IKE v2 in the specification, RFC 4306, available on the

web at:

http://rfc.net/rfc4306.html

For information on configuring VPNs in SonicOS Enhanced, see:

• “Configuring VPNs in SonicOS Enhanced” section on page 542

• “Configuring GroupVPN Policies” section on page 552

• “Site-to-Site VPN Configurations” section on page 561

• “Creating Site-to-Site VPN Policies” section on page 562

previous next