Nortel 4134 Guia Do Utilizador
58
IPsec VPN fundamentals
IKE makes use of the Diffle-Hellman key agreement protocol to allow two
peers to generate the same key material. The peers must perform a DH
step once during IKE phase 1 to set up a secret from which they derive their
phase 1 keys. This DH secret can also be used for phase 2 negotiation.
But if this DH secret is compromised, then all phase 2 SAs also become
vulnerable.
peers to generate the same key material. The peers must perform a DH
step once during IKE phase 1 to set up a secret from which they derive their
phase 1 keys. This DH secret can also be used for phase 2 negotiation.
But if this DH secret is compromised, then all phase 2 SAs also become
vulnerable.
To provide additional protection, IKE can optionally perform a second DH
step as part of phase 2 to create a new secret between the peers for each
IPsec SA. In this case, every time IKE builds a new phase 2 SA, a different
secret is used.
step as part of phase 2 to create a new secret between the peers for each
IPsec SA. In this case, every time IKE builds a new phase 2 SA, a different
secret is used.
PFS consumes more computational time than standard key negotiation;
however, the SR4134 is capable of doing 10’s of DH agreements per
second. Although, in very large scaling environments (many hundreds of
tunnels), the router may begin to experience computational delays.
however, the SR4134 is capable of doing 10’s of DH agreements per
second. Although, in very large scaling environments (many hundreds of
tunnels), the router may begin to experience computational delays.
The PFS is disabled by default. To enable it, you must use two commands:
crypto ike pfs
and
crypto ipsec pfs-group
.
Dead peer detection
The dead peer detection provides a means to monitor the status of a VPN
peer. This feature makes use of the IKE phase 1 SA between the peers
to send R_U_THERE and ACK messages periodically during periods of
inactivity. If the router has traffic to send and no traffic has been received
from the peer in a specified time period, the router sends an R_U_THERE
message to the peer, which responds with an ACK message. If the peer
misses a configurable number of ACKs, the IKE phase 1 SA and all relevant
IPsec SAs to the peer are torn down. After the tear down, if the router has
traffic to the same destination, the router attempts to re-negotiate IKE with
the peer. In which case, either the peer is recovered, or the peer remains
unreachable. In the latter situation, the IKE negotiation fails and an event is
logged.
peer. This feature makes use of the IKE phase 1 SA between the peers
to send R_U_THERE and ACK messages periodically during periods of
inactivity. If the router has traffic to send and no traffic has been received
from the peer in a specified time period, the router sends an R_U_THERE
message to the peer, which responds with an ACK message. If the peer
misses a configurable number of ACKs, the IKE phase 1 SA and all relevant
IPsec SAs to the peer are torn down. After the tear down, if the router has
traffic to the same destination, the router attempts to re-negotiate IKE with
the peer. In which case, either the peer is recovered, or the peer remains
unreachable. In the latter situation, the IKE negotiation fails and an event is
logged.
In the case of VPN failure, the SR4134 does not provide a VPN failover
feature. However, failover recovery can be achieved by using GRE (not
IPIP) tunnel interfaces with tunnel protection.
feature. However, failover recovery can be achieved by using GRE (not
IPIP) tunnel interfaces with tunnel protection.
The GRE tunnel interfaces use their own keepalives to monitor peers. If a
failure is detected, the routing system stops routing traffic over the failed
tunnel and forwards traffic over another failover path.
failure is detected, the routing system stops routing traffic over the failed
tunnel and forwards traffic over another failover path.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.