SonicWALL Internet Security Appliances Security Policy Settings for IKE using Pre-shared Secret

SonicWALL VPN Page 183

- Strong Encrypt and Authentic ate (ESP 3DES HMAC SHA1) - uses 168-bit 3DES encryption and

HMAC SHA1 authe ntication. 3DES is an extrem ely secure encryption meth od, and HMAC SHA1

is used to verify integrity. This method significantly impacts the data throughput of the

SonicWALL.

- Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) - uses 168-bit 3DES encryption and

HMAC MD5 authentication. 3DES is an extremely secure encryption method, and HMAC MD5 is

used to verify integrity. This method signi ficantly i mpacts the d ata throughput of the SonicWAL L.

- Strong Encrypt and Authenticate (ESP DES HMAC SHA1) - uses 56-bit DE S encrypti on and

HMAC SHA1 authentication.

- Strong Encrypt and Authenticate (ESP DES HMAC MD5) - uses 56-bit DES encryption and

HMAC MD5 authentication. This method impacts the data throughput of VPN communications.

SonicWALL VPN client supports this method.

- Strong Encrypt and Authenticate (ESP AES-128 HMAC MD5) - uses 128-bit AES encryption and

HMAC MD5 authentication.

- Strong Encrypt and Au thenti cate (E SP AES-1 28 HMAC SHA 1) - uses 128-bit AES encryption and

HMAC SHA1 authentication.

•Shared Secret - an alphanumeric key is automatically generated as the Shared Secret. The

Shared Secret is not exported with the VPN Client Configuration File. The Shared Secret must

be distributed by the So nicWALL administrator.

Security Policy Settings for IKE using Pre-shared Secret

•Exchange - select Main Mode or Aggressive Mode. Main Mode requires six one-way messages

between the peers and Aggressiv e Mode requires only three one-way messages making

Aggressive Mode a little faster when establishing the connection. Selecting Aggressive Mode

forces the SonicWALL applia nce t o us e Ag gre ssi ve Mode to es tab li sh th e VPN tun nel ev en i f th e

SonicWALL has a static IP add r ess. Aggressive Mode is useful when the SonicWALL is located

behind another NAT device.

•Phase 1 DH Group - Diffie-Hellman (DH) key exch ange (a key ag reement prot ocol) is used during

phase 1 of the authenticati on proc ess to es tabli sh pre- shared keys. Groups 1, 2, 5 use Mod ular-

Exponential with different prime lengths as listed below:

If network speed is preferred, select Group 1. If network security is preferred, select Group 5.

To compromise between network speed and netw o rk se cu rit y, sele ct G rou p 2.

•SA L ife tim e (se cs) - allows you to configure the length of time a VPN tunnel is active. The default

value is 28800 seconds (eight hours ). You can configure up to 2,500,000 seconds (28.9 days ).

Group Descriptor Prime Size

(bits)

Group 1 768

Group 2 1024

Group 5 1536