
Note

Native IPSO IPSec tunnels cannot coexist in the same machine with Check Point IPSec software. Before you use IPSO IPSec software, ensure that no Check Point software is running. Likewise, before you use Check Point IPSec software, ensure that no IPSO IPSec software is running.

You can create IPSec tunnel rules with or without a logical interface on all IPSO platforms except the IP3000 series. On the IP3000 series, you must create a logical interface with each tunnel rule. Creating tunnel rules without logical interfaces is useful when you require a large number of tunnels; however, IPSec tunnels without interfaces can slow down non-IPSec traffic.

Phase 1 Configuration

For IPSO, the Phase 1 encryption and authentication algorithms are the same as those used in Phase 2. However, if the Phase 2 encryption is NULL, as with an AH proposal or a NULL-encryption ESP proposal, IPSO uses 3DES as the Phase 1 encryption algorithm.

The values set in the Lifetime table are used as the hard lifetime of the Phase 2 SA. The Phase 1 lifetime is derived from it as: hard Phase 1 lifetime (seconds) = 5 × hard Phase 2 lifetime (seconds). The soft limit is approximately 80 to 90 percent of the hard limit, depending on whether the device is acting as the session initiator or the responder.

If you create tunnels between an IPSO platform and non-IPSO systems, configure the non-IPSO system so that the Phase 1 lifetime is five times the Phase 2 lifetime. Set the encryption to 3DES, and set the authentication so that it is the same as the Phase 2 algorithm.
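The derivation of the Phase 1 settings a non-IPSO peer needs, written out as an added example (not code from the Nokia guide). It implements the three rules above: 3DES when the Phase 2 encryption is NULL, the same authentication as Phase 2, and a hard Phase 1 lifetime of five times the Phase 2 value. The exact initiator/responder split of the "80 to 90 percent" soft limit is an assumption for illustration.

```python
# Added example: derive Phase 1 (IKE) settings that interoperate with an IPSO peer
# from the Phase 2 proposal, following the rules in "Phase 1 Configuration".
from dataclasses import dataclass

# Proposals that carry no ESP encryption: IPSO then uses 3DES for Phase 1.
NULL_ENCRYPTION = {"NULL", "AH"}


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str       # e.g. "3DES", "AES-128", "NULL" (NULL-ESP) or "AH"
    authentication: str   # e.g. "SHA1", "MD5"
    hard_lifetime_s: int  # value taken from the IPSO Lifetime table


@dataclass(frozen=True)
class Phase1Settings:
    encryption: str
    authentication: str
    hard_lifetime_s: int
    soft_lifetime_s: int


def phase1_for_ipso(p2: Phase2Proposal, initiator: bool) -> Phase1Settings:
    """Return the Phase 1 settings the non-IPSO peer must be configured with."""
    if p2.hard_lifetime_s <= 0:
        raise ValueError("Phase 2 hard lifetime must be positive")
    enc = "3DES" if p2.encryption.upper() in NULL_ENCRYPTION else p2.encryption
    hard = 5 * p2.hard_lifetime_s
    # Assumed split of the guide's 80-90 percent range: the initiator rekeys
    # earlier (80 %) than the responder (90 %) so both sides never race.
    soft = hard * 80 // 100 if initiator else hard * 90 // 100
    return Phase1Settings(enc, p2.authentication, hard, soft)


def mismatches(local: Phase1Settings, remote: Phase1Settings) -> list:
    """Names of Phase 1 parameters on which two peers disagree (empty = agree)."""
    return [f for f in ("encryption", "authentication", "hard_lifetime_s")
            if getattr(local, f) != getattr(remote, f)]


if __name__ == "__main__":
    # Constructed sample: an AH proposal with an 1800 s Phase 2 hard lifetime.
    p2 = Phase2Proposal("AH", "SHA1", 1800)
    print(phase1_for_ipso(p2, initiator=True))
```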

Platform Support

IPSec is supported across all Nokia security appliances.

IPSec Parameters

The two IPSec peers must agree on authentication and encryption methods, exchange keys, and be able to verify each other's identities. While you are configuring the peer IPSec devices, consider the following:

• At least one proposal (encryption algorithm and hash function) should match on the peer devices. See "Proposal and Filters" in "Creating an IPSec Policy" for more information.

• Authentication method:

  • If you are using Shared Secret, both devices should have the same shared secret. See "Putting It All Together" in "Creating an IPSec Policy" for more information.

  • If you are using X.509 certificates, both devices should install all the trusted CA certificates in the trust hierarchy. See "Trusted CA Certificates" in "Creating an IPSec Policy" for more information.

334

Nokia Network Voyager for IPSO 4.0 Reference Guide
