SonicOS 8 IPSec VPN

About Establishing the IKE Phase 1 Security Association

Because the goal of the VPN AP Client is ease of use, many IKE and IPsec parameters are defaulted or auto-negotiated. The VPN AP Client initiates Security Association establishment, but does not know the configuration of the VPN AP Server at initiation.

To allow IKE Phase 1 to be established, the set of possible choices is restricted; the VPN AP Client proposes multiple transforms (combined security parameters) from which the VPN AP Server can select its configured values. A Phase 1 transform contains the following parameters:

  • Authentication – One of the following:
    • PRESHRD – Uses the preshared secret.
    • RSA_SIG – Use an X.509 certificate.
    • SW_DEFAULT_PSK – Uses the Default Provisioning Key.
    • XAUTH_INIT_PRESHARED – Uses the preshared secret combined with XAUTH user credentials.
    • XAUTH_INIT_RSA – Uses an X.509 certificate combined with XAUTH user credentials.
    • SW_XAUTH_DEFAULT_PSK – Uses the Default Provisioning Key combined with XAUTH user credentials.

    All the previously mentioned transforms contain the restricted or default values for the Phase 1 proposal settings:

    • Exchange - Aggressive Mode
    • Encryption – AES-256
    • Hash – SHA1
    • DH Group – Diffie-Hellman Group 5
    • Life Time (seconds) – 28800

The VPN AP Server responds by selecting a single transform from those contained in the VPN AP Client proposal. If the VPN AP Server selects a transform which uses an XAUTH Authentication Method, the VPN AP Client awaits an XAUTH challenge following Phase 1 completion. If a non-XAUTH transform is chosen, the provisioning phase begins. The VPN AP Server provisions the VPN AP Client with the appropriate policy values including the Shared Secret, if one was configured on the VPN AP Server, and the VPN AP Client ID that was configured on the VPN AP Server.

After the Phase 1 SA is established and policy provisioning has completed, the Destination Networks appear in the VPN Policies section of the NETWORK | IPSec VPN > Rules and Settings page.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden