Nortel 4134 Guia Do Utilizador
Digital Certificates in IKE
51
are two different types of popular digital signatures in use and both are
supported in SR4134 IKE authentication.
supported in SR4134 IKE authentication.
For details on the configuration requirements for RSA and DSS
signatures, refer to
signatures, refer to
.
User authentication for remote access VPN
With remote authentication, IKE inherently provides machine level
authentication of the VPN server and client. To authenticate the user as
well with a login and password prompt, you can optionally configure mode
configuration and Xauth.
authentication of the VPN server and client. To authenticate the user as
well with a login and password prompt, you can optionally configure mode
configuration and Xauth.
Authentication with mode configuration for remote access VPN
The objective of mode configuration is to make the VPN client appear to be
part of the private trusted network (after the packet undergoes decryption in
the VPN server).
part of the private trusted network (after the packet undergoes decryption in
the VPN server).
In order to achieve this, during IKE negotiation, right after phase1 and
before phase2, the VPN server can allocate a private IP address to the
VPN client. The client then uses this address as the source IP address in
the inner IP header.
before phase2, the VPN server can allocate a private IP address to the
VPN client. The client then uses this address as the source IP address in
the inner IP header.
Optionally, the server can supply DNS and WINS server addresses to the
client. The VPN client then installs a virtual IP adapter in its host based on
the IP address provided by the VPN server.
client. The VPN client then installs a virtual IP adapter in its host based on
the IP address provided by the VPN server.
A range of IP addresses can be allocated to each IKE policy so that an
IP address from this pool can be allocated to the remote users that are
configured to use that IKE policy.
IP address from this pool can be allocated to the remote users that are
configured to use that IKE policy.
Since the address range being allocated to each IKE policy is known,
configuring inbound firewall policies is made easier.
configuring inbound firewall policies is made easier.
This mode-cfg step is also referred to as phase 1.5.
Authentication with Xauth for remote access VPN
Xauth is optionally performed right after the modecfg step (phase 1.5)
and before phase 2 in IKE exchange. Xauth uses legacy authentication
mechanisms such as PAP or CHAP verified against a locally configured
username and password database or against a RADIUS server.
and before phase 2 in IKE exchange. Xauth uses legacy authentication
mechanisms such as PAP or CHAP verified against a locally configured
username and password database or against a RADIUS server.
Digital Certificates in IKE
Signature based IKE authentication (RSA/DSS) provides an explicit form
of peer authentication after the Diffie Hellman exchange. Digital Signature
Authentication involves public key cryptography and is a stronger and
of peer authentication after the Diffie Hellman exchange. Digital Signature
Authentication involves public key cryptography and is a stronger and
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.