Table of Contents
Advertisement
One mode is defined for phase 2. This mode is called Quick Mode. Quick
Mode uses three messages, two for proposal parameters and a third one to
acquit the choice. With "perfect forward secrecy" enabled, the default value in
Nokia's configuration, a new Diffie-Hellman exchange must take place
during Quick Mode. Consequently, the two peers generate a new Diffie-
Hellman key pair.
Using PKI
For Phase 1 negotiation of IKE, the IPsec systems can use X.509 certificates
for authentication. X.509 certificates are issued by Certificate Authorities
(CA). IPSO IPsec implementation supports Entrust VPN connector and
Verisign IPsec on site services. Contact any of the above listed CA vendors
for certificate signing services.
To use the X.509 certificates, the IPsec system should follow these steps:
1. Install the trusted CA certificates (all, including yours) of all the peer
2. Make a certificate request with all the information required to identify the
3. Forward the certificate request to the CA or corresponding RA
4. Download and install the approved device certificate and the CA's
5. Link the certificate to an IPsec policy.
Voyager Reference Guide
IPsec systems.
system such as your IP address, a fully qualified domain name,
organization, organization unit, city, state, country and contact e-mail
address.
(Registration Authority) using the web interface or another file transfer
mechanism.
CA or RA verifies the identity of the IPsec system and generates the
approved certificate. A certificate is valid only for a certain period of
time.
certificate on the IPsec system.
591
Advertisement
Table of Contents
