SonicOS 8 IPSec VPN
About Establishing the IKE Phase 1 Security Association
Because the goal of the VPN AP Client is ease of use, many IKE and IPsec parameters are defaulted or auto-negotiated. The VPN AP Client initiates Security Association establishment, but does not know the configuration of the VPN AP Server at initiation.
To allow IKE Phase 1 to be established, the set of possible choices is restricted; the VPN AP Client proposes multiple transforms (combined security parameters) from which the VPN AP Server can select its configured values. A Phase 1 transform contains the following parameters:
- Authentication – One of the following:
  - PRESHRD – Uses the preshared secret.
  - RSA_SIG – Uses an X.509 certificate.
  - SW_DEFAULT_PSK – Uses the Default Provisioning Key.
  - XAUTH_INIT_PRESHARED – Uses the preshared secret combined with XAUTH user credentials.
  - XAUTH_INIT_RSA – Uses an X.509 certificate combined with XAUTH user credentials.
  - SW_XAUTH_DEFAULT_PSK – Uses the Default Provisioning Key combined with XAUTH user credentials.
All the previously mentioned transforms contain the restricted or default values for the Phase 1 proposal settings:
- Exchange – Aggressive Mode
- Encryption – AES-256
- Hash – SHA1
- DH Group – Diffie-Hellman Group 5
- Life Time (seconds) – 28800
The VPN AP Server responds by selecting a single transform from those contained in the VPN AP Client proposal. If the VPN AP Server selects a transform which uses an XAUTH Authentication Method, the VPN AP Client awaits an XAUTH challenge following Phase 1 completion. If a non-XAUTH transform is chosen, the provisioning phase begins. The VPN AP Server provisions the VPN AP Client with the appropriate policy values including the Shared Secret, if one was configured on the VPN AP Server, and the VPN AP Client ID that was configured on the VPN AP Server.
After the Phase 1 SA is established and policy provisioning has completed, the Destination Networks appear in the VPN Policies section of the NETWORK | IPSec VPN > Rules and Settings page.
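As an added illustration (not SonicWall's code; the function names and dictionary layout are assumptions), this Python sketch models the exchange described above: the client offers one transform per authentication method, all carrying the same restricted Phase 1 values, and the server's selection decides whether an XAUTH challenge or policy provisioning follows.

```python
# Added example, not SonicOS code. Models the VPN AP Phase 1 proposal and
# the server's selection as the documentation describes it.

# Restricted/default values every proposed Phase 1 transform carries.
PHASE1_FIXED = {
    "exchange": "aggressive",
    "encryption": "AES-256",
    "hash": "SHA1",
    "dh_group": 5,
    "lifetime": 28800,
}

# Authentication methods the VPN AP Client proposes, one transform each.
AUTH_METHODS = (
    "PRESHRD", "RSA_SIG", "SW_DEFAULT_PSK",
    "XAUTH_INIT_PRESHARED", "XAUTH_INIT_RSA", "SW_XAUTH_DEFAULT_PSK",
)


def client_proposal():
    """Transforms the client sends without knowing the server's configuration."""
    return [dict(PHASE1_FIXED, auth=method) for method in AUTH_METHODS]


def server_select(proposal, server_auth, server_policy):
    """Server picks the single transform matching its configured authentication
    method (and the fixed Phase 1 values) and reports what happens next:
    an XAUTH challenge for XAUTH methods, otherwise provisioning with the
    Shared Secret (if configured) and the VPN AP Client ID."""
    for transform in proposal:
        if transform["auth"] != server_auth:
            continue
        if any(transform[k] != v for k, v in PHASE1_FIXED.items()):
            continue  # restricted values do not match; not acceptable
        if "XAUTH" in transform["auth"]:
            return transform, {"step": "await_xauth_challenge"}
        return transform, {
            "step": "provision",
            "shared_secret": server_policy.get("shared_secret"),  # may be None
            "client_id": server_policy["client_id"],
        }
    raise ValueError("no acceptable Phase 1 transform in proposal")
```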