• Asymmetric vs. Symmetric Cryptography—Asymmetric and symmetric cryptography differ in the keys used to authenticate, or to encrypt and decrypt, the data.
Asymmetric cryptography, or public key cryptography, uses two keys for verification. Organizations such as RSA Data Security and VeriSign support asymmetric cryptography.
With symmetric cryptography, the same key is used to authenticate on both ends of the VPN. Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric cryptography. Therefore symmetric algorithms are often used when large quantities of data need to be exchanged.
SonicWALL VPN uses symmetric cryptography. As a result, the key on both ends of the VPN tunnel must match exactly.
• ARCFour—ARCFour is used for communications with secure Web sites using the SSL protocol. Many banks use a 40-bit key ARCFour for online banking, while others use a 128-bit key. SonicWALL VPN uses a 56-bit key for ARCFour.
The ARCFour key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9” and “a” to “f” (that is, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
• Authentication Header (AH)—The authentication header is a mechanism for providing strong integrity and authentication for IP packets. The Authentication Header does not offer confidentiality and protection from traffic analysis.
The IP authentication header provides security by adding authentication information to an IP packet. This authentication information is calculated using all header and payload data in the IP packet. This provides significantly more security than is currently present in IP.
Use of an AH increases the processing requirements of SonicWALL VPN and also increases the communications latency. The increased latency is primarily because of the calculation of the authentication data by the sender and the calculation and comparison of the authentication data by the receiver for each IP packet.
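As an added illustration of the sender-side calculation and receiver-side comparison described above (example code added here, not from the SonicWALL documentation), a constructed IPv4 header and payload are authenticated with HMAC-SHA256, an algorithm chosen for the illustration rather than taken from this glossary. Like RFC 4302 AH, the check zeroes the header fields a router legitimately changes in transit (TOS, flags/fragment offset, TTL, checksum) before computing the authentication data, so a normal hop does not invalidate the packet while any change to the payload or the addresses does. The key and addresses are constructed values.

```python
import hashlib
import hmac
import struct

# 20-byte IPv4 header without options: version/IHL, TOS, total length, identification,
# flags+fragment offset, TTL, protocol, header checksum, source, destination
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")


def build_ipv4_header(src, dst, payload_len, ttl=64, proto=17, ident=0x1234):
    """Construct a minimal IPv4 header (checksum left zero; it is excluded from the ICV anyway)."""
    return IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + payload_len, ident, 0x4000, ttl, proto, 0, src, dst)


def decrement_ttl(header):
    """Model one router hop: the TTL field changes in transit, nothing else does."""
    fields = list(IPV4_HDR.unpack(header))
    fields[5] -= 1
    return IPV4_HDR.pack(*fields)


def immutable_view(header):
    """Zero the fields a router may change (TOS, flags/fragment offset, TTL, checksum),
    as RFC 4302 AH does before computing the ICV, so the check survives normal forwarding."""
    v_ihl, _tos, tlen, ident, _flags, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack(header)
    return IPV4_HDR.pack(v_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)


def compute_icv(auth_key, header, payload):
    """Sender side: authentication data over the immutable header fields plus the payload."""
    return hmac.new(auth_key, immutable_view(header) + payload, hashlib.sha256).digest()


def verify_icv(auth_key, header, payload, icv):
    """Receiver side: recompute the authentication data and compare in constant time."""
    return hmac.compare_digest(compute_icv(auth_key, header, payload), icv)


def demo():
    """Show which in-transit changes the AH-style check tolerates and which it rejects."""
    auth_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed authentication key
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])          # constructed addresses
    payload = b"constructed UDP payload"
    header = build_ipv4_header(src, dst, len(payload))
    icv = compute_icv(auth_key, header, payload)
    rerouted = build_ipv4_header(src, bytes([10, 0, 0, 3]), len(payload))
    return {
        "unchanged": verify_icv(auth_key, header, payload, icv),
        "after_one_hop": verify_icv(auth_key, decrement_ttl(header), payload, icv),
        "payload_modified": verify_icv(auth_key, header, payload[:-1] + b"!", icv),
        "destination_rewritten": verify_icv(auth_key, rerouted, payload, icv),
        "wrong_key": verify_icv(bytes(16), header, payload, icv),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} -> {'accepted' if accepted else 'REJECTED'}")
```

The per-packet cost the glossary mentions is visible in the structure: every packet needs one HMAC on the sending side and one HMAC plus a comparison on the receiving side, and no packet can be forwarded to the application before that comparison completes.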
• Data Encryption Standard (DES)—When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. The SonicWALL DES encryption algorithm uses a 56-bit key.
The DES Key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9,” and “a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
• Encapsulating Security Payload (ESP)—ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets. Encryption might be in the form of ARCFour (similar to the popular RC4 encryption method), DES, and so on.
The use of ESP typically increases the processing requirements and communications latency. The increased latency is primarily because of the encryption and decryption required for each IP packet that carries an ESP payload.
ESP typically involves encryption of the packet payload using standard encryption mechanisms, such as RC4, ARCFour, DES, or 3DES.
ESP has no mechanism for providing strong integrity and authentication of the data.
• Encryption—Encryption is a mathematical operation that transforms data from “clear text” (something that a human or a program can interpret) to “cipher text” (something that cannot be interpreted). Usually the mathematical operation requires that an alphanumeric “key” be supplied along with the clear text. The key and clear text are processed by the encryption operation that leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a mathematical operation that transforms cipher text to clear text. Decryption also requires a key.
• Shared Secret—A shared secret is a predefined field that the two endpoints of a VPN tunnel use to set up an IKE SA. This field can be any combination of alphanumeric characters with a minimum length of four characters and a maximum of 128 characters. Precautions should be taken when delivering/exchanging this shared secret to assure that a third-party cannot compromise the security of a VPN tunnel.
• Internet Key Exchange (IKE)—IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates encryption and authentication keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates keys that are used to pass IP traffic.
• Key—A key is an alphanumeric string that is used by the encryption operation to transform clear text into cipher text. A key is composed of hexadecimal characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). A valid key would be 1234567890abcdef. Keys used in VPN communications can vary in length, but are typically 16 or 32 characters. The longer the key, the more difficult it is to break the encryption. The reason for this is that most methods used to break encryption involve trying every possible combination of characters, similar to trying to find someone’s telephone number by dialing every possible combination of phone numbers.
• Manual Key—Manual keying allows the SonicWALL administrator to specify the encryption and authentication keys. SonicWALL VPN supports the ability to manually set up a security association as well as the ability to automatically negotiate an SA using IKE.
• Security Association (SA)—An SA is the group of security settings needed to create a VPN tunnel. All SAs require an encryption method, an IPSec gateway address, and a destination network address. An SA negotiated with IKE also includes a shared secret; a manually keyed SA also includes two SPIs and an encryption and authentication key.
SonicWALL PRO appliances support up to 100 SAs. SonicWALL SOHO2 and SonicWALL XPRS2 appliances support 10 and 25 SAs, respectively. Different SAs might be created to connect branch offices, allow secure remote management, and pass unsupported traffic.
• Security Parameter Index (SPI)—The SPI is used to establish a VPN tunnel. The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption, and key values that the administrator associated with the SPI to establish the tunnel.
The SPI must be unique, is from one to eight characters long, and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9” and “a” to “f” (that is, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, valid SPIs would be “999” or “1234abcd.”
• Triple Data Encryption Standard (3DES)—3DES is the same as DES, except that it applies three DES keys in succession and is significantly more secure. However, 3DES has significantly more processing requirements than DES.
The 3DES Key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9,” and “a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
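The field formats given for the ARCFour, DES and 3DES keys, the shared secret, the SPI, and the manually keyed SA can be checked before a configuration is applied. The following validator is added here as an example and is not SonicWALL code; it encodes exactly the rules stated in this glossary (16 lowercase hexadecimal characters for the encryption keys, one to eight for an SPI, 4 to 128 alphanumeric characters for a shared secret, and uniqueness of SPIs) and represents an SA as a plain dictionary whose field names are assumptions, not the appliance's own configuration format. The glossary gives no format for the authentication key, so only its presence is checked.

```python
import ipaddress
import re

# Field formats as the glossary states them
HEX_KEY_RE = re.compile(r"^[0-9a-f]{16}$")               # ARCFour, DES and 3DES keys: exactly 16 hex characters
SPI_RE = re.compile(r"^[0-9a-f]{1,8}$")                  # SPI: one to eight hex characters
SHARED_SECRET_RE = re.compile(r"^[A-Za-z0-9]{4,128}$")   # shared secret: 4 to 128 alphanumeric characters
HEX_KEY_ALGORITHMS = ("ARCFour", "DES", "3DES")


def validate_hex_key(algorithm, key):
    """Return a list of problems with an encryption key (empty when the key is acceptable)."""
    if algorithm not in HEX_KEY_ALGORITHMS:
        return [f"unknown encryption method {algorithm!r}"]
    if not HEX_KEY_RE.match(key):
        # the glossary lists lowercase a-f only, so uppercase letters and wrong lengths are rejected
        return [f"{algorithm} key must be exactly 16 characters from 0-9 and a-f"]
    return []


def validate_spi(spi):
    if not SPI_RE.match(spi):
        return [f"SPI {spi!r} must be one to eight characters from 0-9 and a-f"]
    return []


def validate_shared_secret(secret):
    if not SHARED_SECRET_RE.match(secret):
        return ["shared secret must be 4 to 128 alphanumeric characters"]
    return []


def validate_manual_sa(sa, existing_spis=()):
    """Check a manually keyed SA given as a dict (assumed field names, not SonicWALL's config format):
    encryption method, encryption and authentication keys, IPSec gateway, destination network, two SPIs."""
    errors = []
    errors += validate_hex_key(sa.get("encryption", ""), sa.get("encryption_key", ""))
    if not sa.get("authentication_key"):
        errors.append("authentication key is required for manual keying")
    try:
        ipaddress.ip_address(sa.get("gateway", ""))
    except ValueError:
        errors.append(f"IPSec gateway address {sa.get('gateway')!r} is not a valid IP address")
    try:
        ipaddress.ip_network(sa.get("destination_network", ""), strict=False)
    except ValueError:
        errors.append(f"destination network {sa.get('destination_network')!r} is not a valid network")
    spi_in, spi_out = sa.get("spi_in", ""), sa.get("spi_out", "")
    errors += validate_spi(spi_in) + validate_spi(spi_out)
    # SPIs must be unique: the two directions differ, and neither collides with an SA already configured
    if spi_in == spi_out:
        errors.append("incoming and outgoing SPIs must differ")
    for spi in (spi_in, spi_out):
        if spi in existing_spis:
            errors.append(f"SPI {spi!r} is already used by another SA")
    return errors


if __name__ == "__main__":
    example_sa = {  # constructed example values
        "encryption": "3DES",
        "encryption_key": "1234567890abcdef",
        "authentication_key": "fedcba0987654321",
        "gateway": "203.0.113.10",
        "destination_network": "192.168.20.0/24",
        "spi_in": "999",
        "spi_out": "1234abcd",
    }
    print(validate_manual_sa(example_sa) or "SA definition is valid")
    print(validate_manual_sa(dict(example_sa, spi_out="999", encryption_key="1234567890ABCDEF")))
```

Passing the SPIs of the SAs already configured in `existing_spis` is what turns the glossary's "must be unique" into a check rather than a reminder; a duplicate SPI would make the local gateway pick the wrong network, encryption and key values for an incoming tunnel.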
• VPN Tunnel—Tunneling is the encapsulation of point-to-point transmissions inside IP packets. The term VPN tunnel describes a connection between two or more private nodes or LANs over a public network, typically the Internet. Encryption is often used to maintain the confidentiality of private data while it travels over the Internet.