User Authentication For Remote Access Vpn; Digital Certiﬁcates In Ike - Nortel Secure 4134 Configuration

Security — configuration and management

Hide thumbs Also See for Secure 4134:

Installation manual (132 pages)

Installation — hardware components (124 pages)

Quick start manual (70 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

Table of Contents

User authentication for remote access VPN

With remote authentication, IKE inherently provides machine level

authentication of the VPN server and client. To authenticate the user as

well with a login and password prompt, you can optionally conﬁgure mode

conﬁguration and Xauth.

Authentication with mode conﬁguration for remote access VPN

The objective of mode conﬁguration is to make the VPN client appear to be

part of the private trusted network (after the packet undergoes decryption in

the VPN server).

In order to achieve this, during IKE negotiation, right after phase1 and

before phase2, the VPN server can allocate a private IP address to the

VPN client. The client then uses this address as the source IP address in

the inner IP header.

Optionally, the server can supply DNS and WINS server addresses to the

client. The VPN client then installs a virtual IP adapter in its host based on

the IP address provided by the VPN server.

A range of IP addresses can be allocated to each IKE policy so that an

IP address from this pool can be allocated to the remote users that are

conﬁgured to use that IKE policy.

Since the address range being allocated to each IKE policy is known,

conﬁguring inbound ﬁrewall policies is made easier.

This mode-cfg step is also referred to as phase 1.5.

Authentication with Xauth for remote access VPN

Xauth is optionally performed right after the modecfg step (phase 1.5)

and before phase 2 in IKE exchange. Xauth uses legacy authentication

mechanisms such as PAP or CHAP veriﬁed against a locally conﬁgured

username and password database or against a RADIUS server.

Digital Certiﬁcates in IKE

Signature based IKE authentication (RSA/DSS) provides an explicit form

of peer authentication after the Difﬁe Hellman exchange. Digital Signature

Authentication involves public key cryptography and is a stronger and

are two different types of popular digital signatures in use and both are

supported in SR4134 IKE authentication.

For details on the conﬁguration requirements for RSA and DSS

signatures, refer to

"Digital Certiﬁcates in IKE" (page

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

Digital Certiﬁcates in IKE 51

51).

Table of Contents

User Authentication For Remote Access Vpn; Digital Certiﬁcates In Ike - Nortel Secure 4134 Configuration

User authentication for remote access VPN

Related Manuals for Nortel Secure 4134

Related Content for Nortel Secure 4134

Table of Contents