Nortel 4134 用户指南
54
IPsec VPN fundamentals
The secure router can use the certificates in IKE to establish IPsec security
associations between two gateways.
associations between two gateways.
Manual certificate enrollment
As an alternative to SCEP, the SR4134 also supports manual certificate
enrollment. The steps that you must follow for manual enrollment are as
follows:
enrollment. The steps that you must follow for manual enrollment are as
follows:
•
Manually upload the CA certificate (using cut-and-paste)
•
Generate self certificate request
•
Manually submit the self certificate request to the CA (using
cut-and-paste)
cut-and-paste)
•
Manually upload the approved self certificate from the CA (using
cut-and-paste)
cut-and-paste)
Dead peer detection
The SR4134 provides support to detect when an IKE peer gateway dies
unexpectedly. This prevents a situation whereby packets are tunneled to a
black hole, resulting in bandwidth loss and recovery problems. The SR4134
supports RFC3706, which describes a method, called Dead Peer Detection
(DPD), to confirm the status of peer gateways.
unexpectedly. This prevents a situation whereby packets are tunneled to a
black hole, resulting in bandwidth loss and recovery problems. The SR4134
supports RFC3706, which describes a method, called Dead Peer Detection
(DPD), to confirm the status of peer gateways.
Nat Traversal support
During IKE negotiation, the SR4134 automatically detects NAT in the
middle between two security gateways. Since NAT in the middle can affect
the integrity of the secure packets (ESP or AH), upon NAT detection, the
SR4134 automatically uses NAT traversal protocol. This protocol provides
an additional UDP encapsulation over the secure packets. This is applied to
all subsequent IKE negotiations as well as to the secure packets.
middle between two security gateways. Since NAT in the middle can affect
the integrity of the secure packets (ESP or AH), upon NAT detection, the
SR4134 automatically uses NAT traversal protocol. This protocol provides
an additional UDP encapsulation over the secure packets. This is applied to
all subsequent IKE negotiations as well as to the secure packets.
Multiple IKE proposals
IKE establishes a secure communication channel for itself in phase 1
before negotiating the IPsec proposals in phase 2. During Phase 1, IKE
can propose up to five protection suites. Each IKE proposal specifies a
particular choice for the following:
before negotiating the IPsec proposals in phase 2. During Phase 1, IKE
can propose up to five protection suites. Each IKE proposal specifies a
particular choice for the following:
•
authentication method
•
encryption algorithm
•
hash algorithm
•
DH group
•
lifetime
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.