Nortel 4134 User Guide
IPsec VPN configuration
The following are the high-level configuration steps for Site-to-site VPN:
ATTENTION
IPsec is only supported on the SR4134 when the VPN/IPsec module is installed
on the chassis.
Step  Action
1     Configure at least one trusted interface and one untrusted interface.
2     Configure an IKE policy for a specific remote gateway.
3     Configure one or more IPsec policies for the same remote gateway.
4     Configure an IP route (specific or default) for the destination addresses specified in the IPsec policies.
      Even though application traffic matching an IPsec policy is tunneled, the built-in firewall uses the IP route to cross-check whether the router is expected to handle this traffic at all.
5     Configure an inbound firewall policy in the internet zone for IKE negotiation (UDP 500).
6     If a NAT device sits between the peers, configure an inbound firewall policy in the internet zone for IKE negotiation with NAT traversal (UDP 4500).
7     If you are configuring an L2TP remote access VPN, configure an inbound firewall policy in the internet zone for L2TP (UDP 1701).
8     If you are configuring a management tunnel, configure inbound firewall policies in the internet map for the required services (telnet, ICMP, etc.).
9     If you are configuring a transit tunnel, configure inbound firewall policies in the appropriate map (for example, corp) for the required services.
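The following pre-deployment audit is an added example, not part of the Nortel manual: it models steps 4 to 7 of the procedure above as checks on a planned configuration. The VpnPlan structure, its field names and the sample values are assumptions; it does not talk to an SR4134.

```python
"""Audit a planned site-to-site VPN against steps 4-7 of the procedure.

Added example (not from the Nortel manual). VpnPlan and its fields are
assumptions used to describe the intended configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnPlan:
    ipsec_destinations: list        # remote subnets named in the IPsec policies
    routes: list                    # configured IP routes (prefix strings)
    inbound_udp_open: set           # UDP ports allowed inbound in the internet zone
    nat_in_middle: bool = False     # a NAT device sits between the peers
    l2tp_remote_access: bool = False


def uncovered_destinations(plan):
    """Step 4: each IPsec destination needs a covering route (specific or default);
    without one the firewall refuses the traffic even though a tunnel matches it."""
    routes = [ipaddress.ip_network(r) for r in plan.routes]
    missing = []
    for dst in plan.ipsec_destinations:
        net = ipaddress.ip_network(dst)
        if not any(net.subnet_of(r) for r in routes if r.version == net.version):
            missing.append(dst)
    return missing


def missing_firewall_ports(plan):
    """Steps 5-7: IKE (UDP 500) always; IKE NAT traversal (UDP 4500) only when a
    NAT sits between the peers; L2TP (UDP 1701) only for L2TP remote access."""
    required = {500: "IKE"}
    if plan.nat_in_middle:
        required[4500] = "IKE NAT traversal"
    if plan.l2tp_remote_access:
        required[1701] = "L2TP"
    return {p: n for p, n in required.items() if p not in plan.inbound_udp_open}


def audit(plan):
    """Return human-readable findings; an empty list means steps 4-7 are satisfied."""
    findings = [f"no route covers IPsec destination {d}" for d in uncovered_destinations(plan)]
    findings += [f"inbound UDP {p} ({n}) not allowed in internet zone"
                 for p, n in sorted(missing_firewall_ports(plan).items())]
    return findings


# Constructed sample: tunnels to two HQ subnets through a NAT, but the route
# table covers only one subnet and the NAT traversal policy was forgotten.
SAMPLE = VpnPlan(ipsec_destinations=["10.10.0.0/16", "10.20.5.0/24"],
                 routes=["10.10.0.0/16"], inbound_udp_open={500}, nat_in_middle=True)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```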
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks