Nortel 4134 Guia Do Utilizador
48
IPsec VPN fundamentals
Supported IPsec security protocols
The SR4134 supports ESP (Encapsulating Security Payload) and AH
(Authentication Header) security protocols. Also, IPsec supports AH over
ESP (Security Association Bundle) where ESP is applied on the packet
and AH is applied on top of it.
(Authentication Header) security protocols. Also, IPsec supports AH over
ESP (Security Association Bundle) where ESP is applied on the packet
and AH is applied on top of it.
ESP provides the following protection:
•
Confidentiality
•
Data integrity
•
Access control
•
Anti replay protection
AH provides the following protection:
•
Data integrity
•
Access control
•
Anti replay protection
IPsec modes
IPsec supports Tunnel mode and Transport mode.
Tunnel mode is used to create VPNs where an entire IP packet is secured
and encapsulated into another IP packet along with the required security
protocol information.
and encapsulated into another IP packet along with the required security
protocol information.
Transport mode is used when protection is required for packets that already
encapsulated (or tunneled) using other protocols such as GRE and IPIP.
For information on GRE and IPIP tunnels, refer to
encapsulated (or tunneled) using other protocols such as GRE and IPIP.
For information on GRE and IPIP tunnels, refer to
.
Shared key negotiation with IKE
An important prerequisite for IPsec is to have an authenticated, symmetric
key that is shared between the gateways. Such a key can be established
either through the process of negotiation between the gateways or through
manual configuration (manual configuration is not supported on the
SR4134.) The SR4134 supports the Diffie Hellman key exchange using
Internet Key Exchange (IKE) protocol for the negotiation of the authenticated
symmetric key.
key that is shared between the gateways. Such a key can be established
either through the process of negotiation between the gateways or through
manual configuration (manual configuration is not supported on the
SR4134.) The SR4134 supports the Diffie Hellman key exchange using
Internet Key Exchange (IKE) protocol for the negotiation of the authenticated
symmetric key.
IKE provides the following services for IPsec:
•
Negotiation of security parameters between IKE peers
•
Authentication of IKE peers (using certificates or pre-shared key)
•
Key Generation for encryption and hashing
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.