Manual Certificate Enrollment; Dead Peer Detection; Nat Traversal Support; Multiple Ike Proposals - Nortel Secure 4134 Configuration

Security — configuration and management
54 IPsec VPN fundamentals
The secure router can use the certificates in IKE to establish IPsec security
associations between two gateways.
Manual certificate enrollment

As an alternative to SCEP, the SR4134 also supports manual certificate
enrollment. The steps that you must follow for manual enrollment are as
follows:

1. Manually upload the CA certificate (using cut-and-paste).
2. Generate a self-certificate request (the router's certificate signing
   request for its own key pair).
3. Manually submit the self-certificate request to the CA (using
   cut-and-paste).
4. Manually upload the approved self certificate from the CA (using
   cut-and-paste).

Because the CA certificate uploaded in step 1 is the trust anchor for every
certificate-authenticated IKE peer, verify its fingerprint with the CA
operator out of band before you paste it. Pasted PEM blocks must be complete,
including the BEGIN and END lines.

Dead peer detection

The SR4134 can detect when an IKE peer gateway fails unexpectedly. Without
such detection the router would keep tunneling packets into a black hole
until the security associations expired, wasting bandwidth and delaying
recovery. The SR4134 supports RFC 3706, which describes Dead Peer Detection
(DPD): a gateway that has traffic to send but has heard nothing from the peer
for a configured idle period sends an R-U-THERE notification and expects an
R-U-THERE-ACK in return. After a configured number of unanswered probes the
peer is declared dead and its IKE and IPsec security associations are removed
so that a new negotiation (or failover to another peer) can begin. The probes
are protected by the phase 1 security association and carry increasing
sequence numbers, so an attacker cannot forge or replay acknowledgements to
keep a dead tunnel up.

NAT traversal support

During IKE negotiation the SR4134 automatically detects a NAT device between
the two security gateways. NAT rewrites the outer IP header, which breaks the
AH integrity check (AH covers the IP header), and port-translating NAT cannot
track ESP flows because ESP carries no transport-layer ports. When NAT is
detected the SR4134 automatically switches to NAT traversal (NAT-T; RFC 3947
for the IKE negotiation, RFC 3948 for the protected packets), which adds a
UDP encapsulation around the IKE messages and the ESP packets on UDP port
4500. This is applied to all subsequent IKE negotiations as well as to the
protected packets. NAT-T defines the encapsulation for ESP only; AH cannot be
used through a NAT.

Multiple IKE proposals

IKE establishes a secure communication channel for itself in phase 1 before
negotiating the IPsec proposals in phase 2. During phase 1 the SR4134 can
propose up to five protection suites. Each IKE proposal specifies a
particular choice for the following:

- authentication method
- encryption algorithm
- hash algorithm
- DH group
- lifetime

A responder normally accepts the first offered suite that matches its own
policy, so order the proposals strongest first and include a weaker suite only
for peers that need it: every suite in the list is one the peer may pick.

Copyright © 2007, Nortel Networks
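The dead peer detection behaviour described above, as an added example that is not code from the SR4134 or its documentation. The class and function names, the injectable clock, the starting sequence number and the three simulated peers are this example's own assumptions; the R-U-THERE and R-U-THERE-ACK notifications are carried as Python tuples rather than ISAKMP notify payloads. It shows the idle-triggered probe, the retry budget, and why the acknowledgement must echo the current sequence number.

```python
"""Dead Peer Detection (RFC 3706) modelled as a small state machine.

Added example; this is not code from the SR4134 or its documentation.  The
class and function names, the injectable clock, the starting sequence number
and the simulated peers are this example's own assumptions; the R-U-THERE /
R-U-THERE-ACK notifications are carried as Python tuples rather than ISAKMP
notify payloads.
"""
import random
import time

R_U_THERE = "R-U-THERE"          # RFC 3706 notify type 36136
R_U_THERE_ACK = "R-U-THERE-ACK"  # RFC 3706 notify type 36137


class DpdMonitor:
    """Liveness monitor for one IKE phase 1 SA.

    send(msg, seq) models the protected informational exchange to the peer and
    returns the peer's reply (or None).  idle is the "worry metric": how long
    the peer may stay silent before we probe.  retries is the number of extra
    probes after the first before the peer is declared dead.
    """

    def __init__(self, send, clock=time.monotonic, idle=30.0, retries=3,
                 initial_seq=None):
        self.send = send
        self.clock = clock
        self.idle = idle
        self.retries = retries
        self.last_inbound = clock()
        # Sequence numbers are 32-bit, non-zero and strictly increasing; an
        # unpredictable start makes captured ACKs useless later (example choice).
        self.seq = initial_seq if initial_seq is not None else random.randrange(1, 2**31)
        self.alive = True

    def inbound(self):
        """Any authenticated packet from the peer is proof of life."""
        self.last_inbound = self.clock()

    def outbound(self):
        """Call before sending traffic.  Probes only when needed (RFC 3706 does
        not send periodic heartbeats); returns whether the peer is alive."""
        if not self.alive:
            return False
        if self.clock() - self.last_inbound < self.idle:
            return True
        return self._probe()

    def _probe(self):
        for _ in range(self.retries + 1):
            self.seq += 1
            reply = self.send(R_U_THERE, self.seq)
            # Only an ACK echoing the current sequence number counts; a stale
            # or replayed ACK must not keep a dead peer "alive".
            if reply == (R_U_THERE_ACK, self.seq):
                self.inbound()
                return True
        # Peer is dead: delete phase 1 and phase 2 SAs so traffic stops being
        # tunneled into a black hole and a fresh negotiation can start.
        self.alive = False
        return False


def responsive_peer(msg, seq):
    return (R_U_THERE_ACK, seq) if msg == R_U_THERE else None


def dead_peer(msg, seq):
    return None


class StaleAckPeer:
    """Answers the first probe honestly, then only replays that first ACK, as a
    captured acknowledgement replayed after the real peer has gone away."""

    def __init__(self):
        self.first_ack = None

    def __call__(self, msg, seq):
        if self.first_ack is None:
            self.first_ack = (R_U_THERE_ACK, seq)
        return self.first_ack


def run_scenario(peer, idle=30.0, retries=2):
    """Two idle periods against the given peer.  Returns (alive after the first
    check, alive after the second check, number of probes sent)."""
    now = [1000.0]
    mon = DpdMonitor(peer, clock=lambda: now[0], idle=idle, retries=retries,
                     initial_seq=100)
    now[0] += 2 * idle
    first = mon.outbound()
    now[0] += 2 * idle
    second = mon.outbound()
    return first, second, mon.seq - 100


if __name__ == "__main__":
    for name, peer in [("responsive", responsive_peer), ("dead", dead_peer),
                       ("stale-ack", StaleAckPeer())]:
        print(name, run_scenario(peer))
```

The responsive peer is probed once per idle period and stays up; the silent peer is declared dead after three unanswered probes and is not probed again; the stale-ACK peer passes the first check but fails the second, because its replayed acknowledgement no longer matches the sequence number in flight.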
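The NAT detection and UDP encapsulation that the NAT traversal section describes, as an added example that is not code from the SR4134 or its documentation. The gateway addresses, the ISAKMP cookies and the use of SHA-1 for the NAT-D hash are this example's own assumptions (the real hash is whichever one the phase 1 proposal negotiated). It computes the RFC 3947 NAT-D payloads each side sends, shows how the receiver recomputes them over the addresses the packet actually arrived with, and demultiplexes IKE, ESP and keepalive packets on UDP port 4500 as RFC 3948 lays them out.

```python
"""NAT detection (RFC 3947) and UDP encapsulation (RFC 3948) for IKEv1 NAT-T.

Added example; this is not code from the SR4134 or its documentation.  The
addresses, cookies and the use of SHA-1 for the NAT-D hash are this example's
own assumptions (the real hash is the one negotiated in the phase 1 proposal).
"""
import hashlib
import ipaddress
import struct

UDP_ENCAP_PORT = 4500                 # IKE and ESP both move here after detection
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on port 4500 starts with four zero bytes
NAT_KEEPALIVE = b"\xff"               # single 0xFF byte keeps the NAT mapping open


def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), addresses and ports in
    network byte order."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def nat_d_payloads(cky_i, cky_r, remote, local):
    """What a sender puts in its message: first the peer's address as the sender
    sees it, then its own address(es)."""
    return [nat_d(cky_i, cky_r, *remote), nat_d(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, payloads, packet_dst, packet_src):
    """Receiver side: recompute over the addresses the packet actually carried.
    Returns (this gateway is behind NAT, the peer is behind NAT)."""
    local_natted = nat_d(cky_i, cky_r, *packet_dst) != payloads[0]
    peer_natted = nat_d(cky_i, cky_r, *packet_src) not in payloads[1:]
    return local_natted, peer_natted


def encapsulate(inner, kind):
    """UDP payload for port 4500.  ESP goes in as-is (its SPI is never zero, so
    it cannot collide with the marker); IKE gets the Non-ESP marker prepended."""
    if kind == "ike":
        return NON_ESP_MARKER + inner
    if kind == "esp":
        if inner[:4] == NON_ESP_MARKER:
            raise ValueError("ESP SPI 0 is reserved and never sent on the wire")
        return inner
    raise ValueError(f"unknown kind {kind!r}")


def demux(udp_payload):
    """Classify a packet received on UDP port 4500."""
    if udp_payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


CKY_I = bytes.fromhex("0011223344556677")  # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie


def run_scenario(initiator_behind_nat):
    """Returns (responder's view, initiator's view) of NAT detection."""
    responder = ("198.51.100.2", 500)
    initiator = ("10.0.0.1", 500) if initiator_behind_nat else ("192.0.2.1", 500)
    # Source address/port as the responder sees them after translation.
    translated = ("203.0.113.5", 40000) if initiator_behind_nat else initiator

    # Initiator builds NAT-D from the addresses it knows; the responder checks
    # them against the outer header of the packet that actually arrived.
    init_payloads = nat_d_payloads(CKY_I, CKY_R, remote=responder, local=initiator)
    responder_view = detect_nat(CKY_I, CKY_R, init_payloads,
                                packet_dst=responder, packet_src=translated)

    # Responder replies with the addresses it saw; the NAT maps the reply back,
    # so the initiator receives it on its private address.
    resp_payloads = nat_d_payloads(CKY_I, CKY_R, remote=translated, local=responder)
    initiator_view = detect_nat(CKY_I, CKY_R, resp_payloads,
                                packet_dst=initiator, packet_src=responder)
    return responder_view, initiator_view


if __name__ == "__main__":
    print("NAT present:", run_scenario(True))   # ((False, True), (True, False))
    print("no NAT:", run_scenario(False))       # ((False, False), (False, False))
    esp = bytes.fromhex("0000abcd") + b"\x00\x00\x00\x01" + b"ciphertext"
    print(demux(encapsulate(esp, "esp")), demux(encapsulate(b"ike msg", "ike")))
```

With the initiator behind a NAT, the responder sees that the peer's source hash does not match any of the "local" hashes it received, and the initiator sees that the responder's "remote" hash does not match its own private address, so both sides know which end is translated and float to port 4500. Because only ESP has a defined UDP encapsulation, a policy that selects AH will still fail through the same NAT.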
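Responder-side selection among several offered phase 1 suites, as an added example that is not code from the SR4134 or its documentation. The suite names, the responder's local policy, the lifetime rule and the "known-weak" floor are this example's own assumptions. It shows why the order of the proposals matters: with the same two suites shared by both sides, a peer that lists 3DES first gets 3DES unless the responder's policy no longer allows it.

```python
"""Phase 1 proposal selection when an initiator offers several protection suites.

Added example; this is not code from the SR4134 or its documentation.  The
suite names, the responder's local policy, the lifetime rule and the
"known-weak" floor are this example's own assumptions.
"""
from dataclasses import dataclass, replace

MAX_IKE_PROPOSALS = 5   # limit stated in the text


@dataclass(frozen=True)
class IkeProposal:
    auth: str        # "rsa-sig" (certificates) or "psk"
    encr: str        # encryption algorithm
    hash_alg: str    # hash algorithm
    dh_group: int    # Diffie-Hellman group number
    lifetime: int    # phase 1 SA lifetime in seconds

    def suite(self):
        """Everything except the lifetime, which is negotiated separately."""
        return (self.auth, self.encr, self.hash_alg, self.dh_group)


# Example floor: suites that are never accepted even if a peer offers them.
WEAK_ENCR = {"des"}
WEAK_HASH = {"md5"}
WEAK_DH = {1, 2}        # 768- and 1024-bit MODP


def is_weak(p):
    return p.encr in WEAK_ENCR or p.hash_alg in WEAK_HASH or p.dh_group in WEAK_DH


def select_proposal(offered, local_suites, max_lifetime):
    """Responder side.  Walks the initiator's proposals in the order offered and
    returns (index, accepted proposal) for the first one that is in the local
    policy and not on the weak list, or None if nothing is acceptable.
    Lifetime: the shorter of the offered and local values is used (an IKEv1
    responder tells the initiator about a shortened value with the
    RESPONDER-LIFETIME notification)."""
    if not 1 <= len(offered) <= MAX_IKE_PROPOSALS:
        raise ValueError(f"expected 1..{MAX_IKE_PROPOSALS} proposals, got {len(offered)}")
    for index, p in enumerate(offered):
        if is_weak(p) or p.suite() not in local_suites:
            continue
        return index, replace(p, lifetime=min(p.lifetime, max_lifetime))
    return None


STRONG = IkeProposal("rsa-sig", "aes-256", "sha1", 14, 28800)
LEGACY = IkeProposal("rsa-sig", "3des", "sha1", 5, 86400)
BROKEN = IkeProposal("psk", "des", "md5", 1, 86400)


def run_scenarios():
    """Returns what each responder policy ends up accepting."""
    both = {STRONG.suite(), LEGACY.suite()}
    strong_only = {STRONG.suite()}
    return {
        # Initiator lists the strongest first: the shared strong suite wins.
        "strong_first": select_proposal([STRONG, LEGACY, BROKEN], both, 28800),
        # Initiator lists 3DES first and the responder still allows it: 3DES is
        # chosen although both sides support AES-256.  Proposal order matters.
        "legacy_first": select_proposal([LEGACY, STRONG, BROKEN], both, 28800),
        # Removing 3DES from the responder's policy forces the stronger suite.
        "legacy_first_strict": select_proposal([LEGACY, STRONG, BROKEN], strong_only, 28800),
        # A peer that only offers broken suites gets nothing (fail closed).
        "broken_only": select_proposal([BROKEN], both, 28800),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The practical reading: every suite left in the responder's policy is one a peer can steer the negotiation into, so the five-proposal list on the initiator and the accepted-suite list on the responder should both be trimmed to what is actually required, and the offered 86400-second lifetime is cut back to the local 28800 seconds rather than accepted as-is.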
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600 01.02 Standard
10.0 3 August 2007