Preparation For Ike Configuration - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
II. NAT traversal
If a NAT gateway (GW) sits on the VPN tunnel set up with IPSec/IKE and performs NAT on the VPN service data, you must configure the NAT traversal function for IPSec/IKE. With this function, IKE negotiation does not authenticate the UDP port number. NAT traversal also allows NAT GW discovery on the VPN tunnel. If a NAT GW is discovered, UDP encapsulation is used for the subsequent IPSec data transmission, i.e., the IPSec packets are encapsulated in the UDP connection tunnel used for IKE negotiation, so that the NAT GW does not modify the IPSec packets. That is, the NAT GW changes the outermost IP and UDP headers but leaves the IPSec packets encapsulated in the UDP packets intact, thus ensuring the integrity of the IPSec packets. The authentication performed during IPSec data encryption/decryption requires the IPSec packet to arrive at the destination intact. At present, NAT traversal is available only in aggressive mode.
IKE aggressive mode and NAT traversal are usually used together in an ADSL + IPSec network to solve the problems resulting from dynamic IP addresses on broadband-access enterprise networks and from NAT traversal on the public network. The combination of these two features provides a security solution for replacing the original leased-line access with ADSL broadband access.
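The following Python sketch is an added illustration of the UDP encapsulation described above; it is example code written for this page, not code from the 3Com manual or its firmware. It models ESP integrity protection, NAT-T UDP encapsulation on port 4500 and a NAT gateway that rewrites only the outer headers, showing why the encapsulated IPSec packet still verifies after NAT; the key, SPI and addresses are constructed values, and the zero "non-ESP marker" demultiplexing follows RFC 3948 rather than anything stated in the manual.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the manual): a real SA key and SPI come
# from the IKE negotiation; UDP port 4500 is the NAT traversal port.
SA_KEY = b"constructed-demo-sa-key"
SPI, SEQ, NAT_T_PORT, ICV_LEN = 0x1001, 1, 4500, 12

def esp_build(payload: bytes) -> bytes:
    """ESP-style packet: SPI | sequence | payload | ICV. The ICV (truncated
    HMAC-SHA256) covers only the ESP bytes, never the outer IP/UDP headers."""
    body = struct.pack("!II", SPI, SEQ) + payload
    return body + hmac.new(SA_KEY, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_verify(esp: bytes) -> bool:
    """Receiving peer: recompute the ICV and compare it in constant time."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(SA_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expect, icv)

def udp_encapsulate(src_ip: str, src_port: int, dst_ip: str, esp: bytes) -> dict:
    """Outer IP/UDP headers (modelled as a dict) wrapped around the ESP packet."""
    return {"src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": NAT_T_PORT, "data": esp}

def nat_gateway(pkt: dict, public_ip: str, public_port: int) -> dict:
    """Simulated NAT GW: it rewrites only the outermost IP and UDP headers."""
    out = dict(pkt)
    out["src_ip"], out["src_port"] = public_ip, public_port
    return out

def receiver_demux(pkt: dict) -> str:
    """On port 4500 a 4-byte zero 'non-ESP marker' means IKE (RFC 3948);
    anything else is UDP-encapsulated ESP (a real SPI is never 0)."""
    return "IKE" if pkt["data"][:4] == b"\x00\x00\x00\x00" else "ESP"

def demo() -> tuple:
    """Send through the NAT, then check what changed and what still verifies."""
    inner = udp_encapsulate("10.0.0.2", 4500, "203.0.113.10", esp_build(b"vpn data"))
    outer = nat_gateway(inner, "198.51.100.7", 61000)
    header_changed = (inner["src_ip"], inner["src_port"]) != (outer["src_ip"], outer["src_port"])
    # Had the NAT GW altered the ESP bytes themselves, the ICV check would fail.
    tampered = outer["data"][:-1] + bytes([outer["data"][-1] ^ 1])
    return receiver_demux(outer), header_changed, esp_verify(outer["data"]), esp_verify(tampered)
```

`demo()` returns `("ESP", True, True, False)`: the outer source address and port were rewritten, the encapsulated ESP packet still passes its integrity check, and a packet whose ESP bytes were touched does not.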
III. IKE multi-instance
IKE multi-instance enables multiple CEs to perform IKE negotiation with a PE. In conjunction with IPSec, IKE multi-instance allows the VPN-instance-associated interfaces between a PE and multiple CEs to implement IPSec/IKE multi-instance.
When a CE initiates an IKE negotiation, it sends an IP packet carrying VPN instance information to the PE. The PE acquires the VPN instance information from the received negotiation packet and saves the VPN ID. When the PE sends back a negotiation packet, it adds this VPN ID to the IP packet and then passes the packet to the IP layer. The IP layer then forwards the packet to the intended CE according to the VPN routing table.

8.1.2 Preparation for IKE Configuration

Prior to IKE configuration, the user needs to determine the following, so as to smooth the configuration process:
- The algorithm strength for the IKE exchange process, i.e., the security protection strength (including the identity authentication method, encryption algorithm, authentication algorithm, and DH algorithm). There are different algorithm strengths. The higher the strength of the algorithm, the harder it is to decrypt the protected data, but the more computing resources are consumed. Generally, the longer the shared secret is, the higher the algorithm strength is.
- The identity authentication key of both sides in the communication.
3Com Corporation
8-3
Chapter 8 IKE Configuration
