Multiple Ipsec Proposals - Nortel Secure 4134 Configuration

Security — configuration and management

At least one proposal in the list must be agreeable to both peers for the
negotiation to proceed. Only one proposal on the list is ultimately negotiated
and used by the peers.
The SR4134 supports a comprehensive and flexible protection suite to
converge with several peers with dissimilar security capabilities. The
following table describes the security elements supported by the SR4134
in phase 1 IKE negotiation.
Table 1
Supported elements in phase 1 IKE

| Security element | Values | Comments |
| --- | --- | --- |
| Authentication Method | PSK, RSA-SIG, DSS-SIG | Signature Authentication is Hardware Accelerated |
| Encryption algorithms | DES, 3DES, AES-128, AES-192, AES-256 | |
| Hash algorithms | MD5, SHA1 | |
| DH group | Group1, Group2, Group5 | Used for deriving IKE Phase 1 key material. DH exponentiation is hardware accelerated. |
| Security association lifetime | Time (in seconds) or volume of traffic (in kilobytes) | |
| Number of proposals per policy | Five | Provides flexibility in negotiation |

Multiple IPsec proposals

After IKE establishes a secure communication channel for itself in phase
1, it proceeds to negotiate the IPsec proposals in phase 2. During phase
2, IKE may propose multiple Protection Suites for IPsec protocols such as
ESP and AH. Each phase 2 proposal specifies a choice for the following:
- encryption algorithm
- hash algorithm
- lifetime
- encapsulation mode

Phase 2 proposals can specify a list of AND proposals for ESP and AH. The
phase 2 proposals can also specify a list of OR proposals for ESP with
proposal choice set 1 or ESP with proposal choice set 2. The following
example illustrates some of the possibilities:
1. ESP AND AH with 3DES, SHA1, 2000 seconds, tunnel mode

Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600 01.02 Standard
10.0 3 August 2007
Copyright © 2007, Nortel Networks
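
The phase 1 proposal matching described on this page, as an added Python example that is not part of the Nortel manual: it audits an ordered proposal list against the Table 1 values and shows which single proposal two peers settle on. The `Proposal` type, the `WEAK` set, the sample policies, and the rule of taking the first match in the initiator's order are assumptions of this example; lifetime is left out of the match.

```python
# Added example: phase 1 IKE proposal matching and policy audit.
# SUPPORTED mirrors Table 1; WEAK and the first-match rule are assumptions.
from typing import NamedTuple, Optional

SUPPORTED = {
    "auth": {"PSK", "RSA-SIG", "DSS-SIG"},
    "enc": {"DES", "3DES", "AES-128", "AES-192", "AES-256"},
    "hash": {"MD5", "SHA1"},
    "dh": {"Group1", "Group2", "Group5"},
}
WEAK = {"enc": {"DES"}, "hash": {"MD5"}, "dh": {"Group1"}}  # assumption
MAX_PROPOSALS = 5  # Table 1: number of proposals per policy is five

class Proposal(NamedTuple):
    auth: str
    enc: str
    hash: str
    dh: str

def audit(policy: list[Proposal]) -> list[str]:
    """Return findings for a policy (an ordered list of proposals)."""
    findings = []
    if not 1 <= len(policy) <= MAX_PROPOSALS:
        findings.append(f"policy has {len(policy)} proposals, limit is {MAX_PROPOSALS}")
    for i, p in enumerate(policy, 1):
        for field, allowed in SUPPORTED.items():
            value = getattr(p, field)
            if value not in allowed:
                findings.append(f"proposal {i}: unsupported {field} {value}")
            elif value in WEAK.get(field, ()):
                findings.append(f"proposal {i}: weak {field} {value}")
    return findings

def negotiate(initiator: list[Proposal], responder: list[Proposal]) -> Optional[Proposal]:
    """Return the one proposal both peers accept, or None if none is agreeable."""
    acceptable = set(responder)
    return next((p for p in initiator if p in acceptable), None)

# Constructed sample policies (not taken from the manual).
LOCAL = [
    Proposal("RSA-SIG", "AES-256", "SHA1", "Group5"),
    Proposal("PSK", "3DES", "SHA1", "Group2"),
    Proposal("PSK", "DES", "MD5", "Group1"),
]
LEGACY_PEER = [Proposal("PSK", "DES", "MD5", "Group1")]
MODERN_PEER = [Proposal("PSK", "3DES", "SHA1", "Group2"),
               Proposal("RSA-SIG", "AES-256", "SHA1", "Group5")]
```

With these policies, `negotiate(LOCAL, LEGACY_PEER)` settles on the DES/MD5/Group1 proposal, which is why `audit` reports on every proposal in the list and not only the first.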
