Nortel 4134 用户指南
Multiple IPsec proposals
55
At least one proposal in the list must be agreeable to both peers for the
negotiation to proceed. Only one proposal on the list is ultimately negotiated
and used by the peers.
negotiation to proceed. Only one proposal on the list is ultimately negotiated
and used by the peers.
The SR4134 supports a comprehensive and flexible protection suite to
converge with several peers with dissimilar security capabilities. The
following table describes the security elements supported by the SR4134
in phase 1 IKE negotiation.
converge with several peers with dissimilar security capabilities. The
following table describes the security elements supported by the SR4134
in phase 1 IKE negotiation.
Table 1
Supported elements in phase 1 IKE
Supported elements in phase 1 IKE
Security element
Values
Comments
Authentication Method
PSK, RSA-SIG, DSS-SIG
Signature Authentication is
Hardware Accelerated
Hardware Accelerated
Encryption algorithms
DES, 3DES, AES-128,
AES-192, AES-256
AES-192, AES-256
Hash algorithms
MD5, SHA1
DH group
Group1, Group2, Group5
Used for deriving IKE
Phase 1 key material. DH
exponentiation is hardware
accelerated.
Phase 1 key material. DH
exponentiation is hardware
accelerated.
Security association lifetime
Time (in seconds) or volume
of traffic (in kilobytes)
of traffic (in kilobytes)
Number of proposals per policy
Five
Provides flexibility in
negotiation
negotiation
Multiple IPsec proposals
After IKE establishes a secure communication channel for itself in phase
1, it proceeds to negotiate the IPsec proposals in phase 2. During Phase
2 IKE may propose multiple Protection Suites for IPsec protocols such as
ESP and AH. Each phase 2 proposal specifies a choice for the following:
1, it proceeds to negotiate the IPsec proposals in phase 2. During Phase
2 IKE may propose multiple Protection Suites for IPsec protocols such as
ESP and AH. Each phase 2 proposal specifies a choice for the following:
•
encryption algorithm
•
hash algorithm
•
lifetime
•
encapsulation mode
Phase 2 proposals can specify a list of AND proposals for ESP and AH. The
phase 2 proposals can also specify a list of OR proposals for ESP with
proposal choice set 1 or ESP with proposal choice set 2. The following
example illustrates some of the possibilities:
phase 2 proposals can also specify a list of OR proposals for ESP with
proposal choice set 1 or ESP with proposal choice set 2. The following
example illustrates some of the possibilities:
1. ESP AND AH with 3DES, SHA1,2000 seconds, tunnel mode
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.