Nortel 4134 Guia Do Utilizador

IPsec VPN fundamentals

2. OR ESP AND AH with DES,MD5, 2000 seconds, tunnel mode

3. OR ESP with AES128,SHA1,2000 seconds, tunnel mode

4. OR ESP with AES128,SHA1,1000 seconds, tunnel mode

5. OR AH with SHA1, 1000 seconds, tunnel mode

At least one proposal in the list must be agreeable to both peers for the
negotiation to proceed. Multiple phase 2 proposals can be negotiated, one
for each protocol (ESP and AH).

The SR4134 supports a comprehensive and flexible protection suite to
converge with several peers with dissimilar security capabilities. The
following table describes the supported security elements in phase 2 IKE
negotiation.

Table 2
Supported elements in phase 2 IKE

Security element

Values

Comments

Encryption algorithms

DES, 3DES, AES-128,
AES-192, AES-256, null

Hardware accelerated

Hash algorithms

MD5, SHA1, null

Hardware accelerated

PFS group

Group1, Group2, Group5

Used for deriving IPsec key
material.

Security association lifetime

Time (in seconds) or volume
of traffic (in kilobytes)

Number of proposals per policy

Five

Provides flexibility in
negotiation

Identifying traffic to be encrypted with VPN

The IPsec VPN tunnel carries protected traffic from one trusted network
to another trusted network. The SR4134 provides the

crypto

command

to configure policies and parameters for IKE and IPsec for the creation
of VPNs.

To create the VPN, you must identify one untrusted interface that serves
as the local endpoint for the creation of the VPN tunnel (using the

crypto

untrusted

command).

To identify the IP stream requiring encryption, you must use the

match

command. This command allows you to specify at minimum the source IP
address (or range) and destination IP address (or range) of the protected
stream. Additional filter options are also available to specify a more granular
stream.

Nortel Secure Router 4134

Security — Configuration and Management

NN47263-600

01.02

Standard

10.0

3 August 2007