Understanding Modes - Nortel BayStack Instant Internet 100-S Using Manual

Nortel BayStack 100-S: User Guide
Chapter 6 IP security and VPN
User data sessions through tunnels can specify DES encryption, which assures
privacy; authentication, which proves that the data was not intercepted and
modified; or both. Instant Internet supports 56-bit encryption (DES) for VPN
tunneling as a standard feature. Instant Internet also supports 168-bit
encryption (3DES) as an add-on feature.
For authentication, Instant Internet supports:
MD5 - Message Digest 5
SHA - Secure Hash Algorithm

Understanding modes

Whenever you configure a tunnel between two Instant Internet units or an Instant
Internet unit and a Contivity CES, Setup determines what mode needs to be used.
After you add a VPN, you can change the mode to be used in the tunnel.
Internet Security Association and Key Management Protocol (ISAKMP)
negotiations proceed in two phases. During phase 1, two ISAKMP peers establish
a secure, authenticated channel with which to communicate, called the ISAKMP
Security Association (SA). The ISAKMP SA is used to protect further negotiation
traffic. During phase 2, other SAs are negotiated on behalf of IPsec.
Internet Key Exchange (IKE) defines two basic methods used to accomplish a
phase 1 authenticated key exchange:
Main mode – Main mode provides identity protection because the identity of
the peers is exchanged in encrypted messages after the Diffie-Hellman key
exchange.
Aggressive mode – In aggressive mode, the name of the tunnel interface is
sent as the source ID in the initial proposal. This allows the remote gateway to
identify the incoming connection by name rather than by IP address, so
aggressive mode can be used with dynamic addresses.
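The difference between the two modes is visible on the wire. The following Python sketch is an added example, not code from the Nortel manual or product: it reads the ISAKMP header (RFC 2408 layout), reports which phase 1 mode a message belongs to, and returns any Identification payload that can be read without decryption. The sample messages are constructed, the tunnel name is hypothetical, and the ID type used for it (2, FQDN) is an assumption.

```python
import struct

EXCHANGE = {2: "main", 4: "aggressive"}  # RFC 2408 exchange type values
ID_PAYLOAD, FLAG_ENCRYPTED = 5, 0x01     # RFC 2408 payload type / header flag

def inspect_phase1(msg: bytes) -> dict:
    """Classify one ISAKMP message and return any ID payload readable in the clear."""
    if len(msg) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    nxt, _ver, xchg, flags, _mid, length = struct.unpack("!BBBBII", msg[16:28])
    if not 28 <= length <= len(msg):
        raise ValueError("length field does not match the data")
    out = {"mode": EXCHANGE.get(xchg, f"other({xchg})"),
           "encrypted": bool(flags & FLAG_ENCRYPTED), "cleartext_id": None}
    off = 28
    # Payloads after an encrypted header are ciphertext, so only walk cleartext ones.
    while not out["encrypted"] and nxt != 0 and off + 4 <= length:
        following, _rsv, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("malformed payload length")
        if nxt == ID_PAYLOAD and plen >= 8:
            # 4-byte generic header, then ID type, protocol, port, then the ID data
            out["cleartext_id"] = (msg[off + 4], msg[off + 8:off + plen])
        nxt, off = following, off + plen
    return out

# --- constructed sample messages (not captured traffic) ---
def _payload(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, len(body) + 4) + body

def _message(xchg: int, flags: int, first: int, body: bytes) -> bytes:
    cookies = bytes(range(1, 17))  # constructed initiator and responder cookies
    return cookies + struct.pack("!BBBBII", first, 0x10, xchg, flags, 0, 28 + len(body)) + body

TUNNEL_NAME = b"branch-office-tunnel"  # hypothetical tunnel interface name
# Aggressive mode, first message: SA(1), KE(4), Nonce(10), ID(5) with filler bodies
AGGRESSIVE_MSG1 = _message(4, 0, 1, _payload(4, bytes(8)) + _payload(10, bytes(96))
                           + _payload(5, bytes(16))
                           + _payload(0, bytes([2, 0, 0, 0]) + TUNNEL_NAME))
# Main mode, fifth message: the ID payload travels inside the encrypted body
MAIN_MSG5 = _message(2, FLAG_ENCRYPTED, 5, bytes(range(40)))

if __name__ == "__main__":
    for name, msg in (("aggressive #1", AGGRESSIVE_MSG1), ("main #5", MAIN_MSG5)):
        print(name, inspect_phase1(msg))
```

Run against a capture of UDP port 500 payloads, the same function shows which tunnels negotiate in aggressive mode and therefore expose their tunnel name to anyone on the path.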
300868-G
Note: The export of 3DES encryption outside North America is
regulated by the U.S. Government. If you require 3DES encryption, you
must purchase the 3DES Encryption Module (part number CQ1010005).
Contact your Nortel Networks sales representative for more information.
