Nokia IPSO 4.0 manual Miscellaneous Tunnel Requirements

Models: IPSO 4.0


Table 20 IPSec RFCs

RFC        Description
RFC 2406   IP Encapsulating Security Payload (ESP). Supports algorithms: 3DES, DES, and Blowfish for encryption and SHA-1 and MD5 for authentication.
RFC 2407   The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408   Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409   The Internet Key Exchange (IKE)
RFC 2411   IP Security Document Roadmap
RFC 2412   The OAKLEY Key Determination Protocol
RFC 2451   ESP CBC-Mode Cipher Algorithms

The IPSec configuration in Network Voyager is based on three IPSec objects: proposals, filters, and policies.

- Proposals: Define the combination of encryption and authentication algorithms that secure phase 1 negotiation (Main Mode) as well as phase 2 negotiations (Quick Mode) and IPSec packets.

- Filters: Determine which packets relate to certain proposals. The filters are matched against the source or destination fields in the packet header depending on whether the filters are used as source or destination filters. If applicable, Protocol and Port fields are also used.

- Policies: Link the type of IPSec security that proposals define with traffic. The traffic is defined by a list of filters specified for the source address and a second list specified for the destination address. If the source address of a packet matches a filter from the source filter list and the destination address matches a filter from the destination filter list, IPSec is applied to the traffic. Protocols and ports are used in the matching process, if applicable.

The kind of security applied to defined traffic is specified by a list of proposals ordered by priority. This list is offered to the other peer beginning with the lowest priority value proposal.

Proposals and filters can be reused in different policies. Other elements defined in a policy are authentication methods (Preshared Keys or X.509 Certificates) and lifetime attributes.
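
The matching rule described above, modelled so that policy coverage can be checked offline. This is an added example, not code from the Nokia guide or from IPSO; the class names, first-match policy ordering, and comparing a source filter's port to the source port are assumptions, and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proposal:
    priority: int            # lower value is offered to the peer first
    encryption: str
    authentication: str

@dataclass(frozen=True)
class Filter:
    network: str                     # host or subnet in CIDR form
    protocol: Optional[str] = None   # None = protocol not used in matching
    port: Optional[int] = None       # None = port not used in matching

    def matches(self, addr, protocol, port):
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.network):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        return self.port is None or self.port == port

@dataclass(frozen=True)
class Policy:
    name: str
    src_filters: tuple
    dst_filters: tuple
    proposals: tuple

    def applies_to(self, pkt):
        # Source must match the source filter list AND destination the destination list.
        src_ok = any(f.matches(pkt["src"], pkt["proto"], pkt["sport"]) for f in self.src_filters)
        dst_ok = any(f.matches(pkt["dst"], pkt["proto"], pkt["dport"]) for f in self.dst_filters)
        return src_ok and dst_ok

    def offer(self):
        # Proposal list in the order it is offered: lowest priority value first.
        return sorted(self.proposals, key=lambda p: p.priority)

def select_policy(policies, pkt):
    """Assumption: policies are checked in list order; None means no policy matched."""
    return next((p for p in policies if p.applies_to(pkt)), None)

# Constructed sample objects (not from the manual); proposals are reused across policies.
STRONG = Proposal(1, "3DES", "SHA-1")
FALLBACK = Proposal(2, "Blowfish", "MD5")
POLICIES = [
    Policy("branch-ssh", (Filter("10.1.1.0/24"),), (Filter("10.2.3.0/24", "tcp", 22),), (STRONG,)),
    Policy("branch-lan", (Filter("10.1.1.0/24"),), (Filter("10.2.2.0/24"),), (FALLBACK, STRONG)),
]
def pkt(src, dst, proto, sport, dport):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
```

Running expected flows through `select_policy` and looking for `None` results shows which traffic no policy in this model would protect.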

Miscellaneous Tunnel Requirements

IPSec tunnels are defined by local and remote tunnel addresses. The tunnel requires a policy to define what traffic is encapsulated by the tunnel and what security to use in the encapsulation. The traffic that matches filters associated with the policy is encapsulated by using tunnel addresses. Policies can also be reused in different tunnels. An IPSec tunnel cannot function without an associated policy.

Nokia Network Voyager for IPSO 4.0 Reference Guide
