FIG. 2 in this regard shows one example of a message sequence for establishing an IPSec tunnel between the UE and N3IWF via untrusted non-3GPP access (e.g., WLAN), where the message 20 in FIG. 1 is an IKE_AUTH request message and the response 24 in FIG. 1 is an IKE_AUTH response to the IKE_AUTH request message. More particularly, in step 1 of FIG. 2, the UE 30 in its role as IKE initiator first sends an IKE_SA_INIT message to the N3IWF 32 in its role as IKE responder, via an access point 34 of an untrusted WLAN. The IKE_SA_INIT message contains the cryptographic algorithms that the UE 30 supports for the IKE SA (Security Association), its public Diffie-Hellman value and its Nonce. In step 2, the N3IWF 32 responds to this message with an IKE_SA_INIT message containing the chosen cryptographic suite from the UE's offered choices, its public Diffie-Hellman value and its Nonce. This first pair of messages (IKE_SA_INIT) thereby negotiates cryptographic algorithms, exchange nonces, and does a Diffie-Hellman exchange. At this stage, then, both the UE 30 and N3IWF 32 derive a (currently unauthenticated) shared secret called SKEYSEED. The UE 30 and N3IWF 32 derive keys from the SKEYSEED and use those derived keys to establish a secure communication channel in the form of an IKE Security Association (SA) over which to send subsequent messages that are encrypted and integrity protected.