Supported IPsec Security Protocols; IPsec Modes; Shared Key Negotiation With IKE - Nortel Secure 4134 Configuration

Security — configuration and management

IPsec VPN fundamentals

Supported IPsec security protocols

The SR4134 supports the ESP (Encapsulating Security Payload) and AH
(Authentication Header) security protocols. IPsec also supports AH over
ESP (a Security Association Bundle), where ESP is applied to the packet
and AH is then applied on top of it.
ESP provides the following protection:
• Confidentiality
• Data integrity
• Access control
• Anti-replay protection

AH provides the following protection:
• Data integrity
• Access control
• Anti-replay protection

IPsec modes

IPsec supports Tunnel mode and Transport mode.
Tunnel mode is used to create VPNs where an entire IP packet is secured
and encapsulated into another IP packet along with the required security
protocol information.
Transport mode is used when protection is required for packets that are already
encapsulated (or tunneled) using other protocols such as GRE and IPIP.
For information on GRE and IPIP tunnels, refer to "GRE and IPIP tunneling"
(page 15).

Shared key negotiation with IKE

An important prerequisite for IPsec is to have an authenticated, symmetric
key that is shared between the gateways. Such a key can be established
either through negotiation between the gateways or through
manual configuration (manual configuration is not supported on the
SR4134). The SR4134 supports the Diffie-Hellman key exchange using
the Internet Key Exchange (IKE) protocol for the negotiation of the authenticated
symmetric key.
IKE provides the following services for IPsec:
• Negotiation of security parameters between IKE peers
• Authentication of IKE peers (using certificates or pre-shared key)
• Key generation for encryption and hashing

Copyright © 2007, Nortel Networks.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600 01.02 Standard
10.0 3 August 2007

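An added example, not taken from the Nortel manual: a Python sketch that builds constructed packets and walks their cleartext header chain. It shows that in the AH-over-ESP bundle AH (IP protocol 51) is the outer header pointing at ESP (protocol 50), and that AH's next-header field reveals whether a whole IP packet (4) or a GRE packet (47) follows. The function names, SPIs and addresses are assumptions chosen for illustration; the header layouts are the standard AH and ESP formats (RFC 4302, RFC 4303).

```python
import struct

# IANA IP protocol numbers for the protocols and encapsulations named on this page.
PROTO = {4: "IPv4-in-IP", 47: "GRE", 50: "ESP", 51: "AH"}

def ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def ah(next_hdr, spi, seq, payload, icv_len=12):
    """AH header: next header, length, reserved, SPI, sequence number, ICV."""
    words = (12 + icv_len) // 4 - 2   # length field = 32-bit words minus 2
    return struct.pack("!BBHII", next_hdr, words, 0, spi, seq) + bytes(icv_len) + payload

def esp(spi, seq, ciphertext):
    """ESP header: only SPI and sequence number are in cleartext."""
    return struct.pack("!II", spi, seq) + ciphertext

def header_chain(packet):
    """Walk the cleartext headers of an IPv4 packet, stopping at ESP."""
    ihl = (packet[0] & 0x0F) * 4
    proto, data, chain = packet[9], packet[ihl:], ["IPv4"]
    while proto == 51 and len(data) >= 12:   # AH authenticates but does not encrypt
        nxt, words, _, spi, seq = struct.unpack("!BBHII", data[:12])
        chain.append(f"AH(spi={spi:#x},seq={seq})")
        proto, data = nxt, data[(words + 2) * 4:]
    if proto == 51 or (proto == 50 and len(data) < 8):
        chain.append("truncated")            # malformed input: header cut short
    elif proto == 50:                        # ESP: inner next-header is encrypted
        spi, seq = struct.unpack("!II", data[:8])
        chain.append(f"ESP(spi={spi:#x},seq={seq})")
    else:
        chain.append(PROTO.get(proto, f"proto {proto}"))
    return chain

# Constructed sample packets (zero-filled ICV and ciphertext, not captures).
BUNDLE = ipv4(51, ah(50, 0x1001, 7, esp(0x2001, 7, bytes(32))))  # AH over ESP
AH_TUNNEL = ipv4(51, ah(4, 0x1002, 1, ipv4(6, b"")))             # whole inner IP packet
AH_GRE = ipv4(51, ah(47, 0x1003, 1, b"\x00\x00\x08\x00"))        # transport mode over GRE

if __name__ == "__main__":
    for name, pkt in [("bundle", BUNDLE), ("tunnel", AH_TUNNEL), ("gre", AH_GRE)]:
        print(f"{name:7s}", " -> ".join(header_chain(pkt)))
```

Because ESP encrypts its trailer, which holds the next-header field, a monitor sees only the SPI and sequence number of an ESP packet and cannot tell Tunnel mode from Transport mode from the header alone.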