• Some IPSec systems require that the SA lifetimes (seconds, as well as megabytes) match on both devices. See “Putting It All Together” in “Creating an IPSec Policy” for more information.

• IKE and PFS groups should match on both devices. See “Putting It All Together” in “Creating an IPSec Policy” for more information.

The Diffie-Hellman key exchange uses the IKE group during the establishment of Phase 1 ISAKMP SA. Value options are 1, 2, or 5; 2 is the default value.

The Diffie-Hellman key exchange uses the PFS group in Phase 2 to construct key material for IPSec SAs. The value options are 1, 2, 5, or none; 2 is the default. Setting the value to none disables PFS.

Note

When IPSO is acting as the responder of the Phase 2 negotiation, it always accepts the PFS group proposed by the initiator.
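The matching rules above can be checked before deployment with a short script. This is an added example, not part of the Nokia guide: the dictionary field names are hypothetical, the modulus sizes come from RFC 2409 and RFC 3526, and the example assumes the responder exception applies only when the initiator actually proposes a PFS group.

```python
# Added example; field names are hypothetical, not IPSO or Voyager identifiers.
IKE_GROUPS = {1, 2, 5}                    # Phase 1 options from the text
PFS_GROUPS = {1, 2, 5, None}              # Phase 2 options; None disables PFS
DEFAULT_GROUP = 2                         # default for both, per the text
MODP_BITS = {1: 768, 2: 1024, 5: 1536}    # modulus sizes (RFC 2409, RFC 3526)


def normalize(cfg):
    """Apply the documented defaults and reject undocumented group values."""
    out = {
        "ike_group": cfg.get("ike_group", DEFAULT_GROUP),
        "pfs_group": cfg.get("pfs_group", DEFAULT_GROUP),
        "life_seconds": cfg["life_seconds"],
        "life_megabytes": cfg["life_megabytes"],
    }
    if out["ike_group"] not in IKE_GROUPS:
        raise ValueError(f"invalid IKE group: {out['ike_group']!r}")
    if out["pfs_group"] not in PFS_GROUPS:
        raise ValueError(f"invalid PFS group: {out['pfs_group']!r}")
    return out


def compare_peers(local, remote, local_is_ipso_responder=False):
    """Return findings for settings that should match on both devices."""
    a, b = normalize(local), normalize(remote)
    findings = []
    for key in ("life_seconds", "life_megabytes", "ike_group"):
        if a[key] != b[key]:
            findings.append(f"MISMATCH {key}: local={a[key]} remote={b[key]}")
    lp, rp = a["pfs_group"], b["pfs_group"]
    if lp != rp:
        # Responder exception from the Note. Assumption: it applies only when
        # the initiator actually proposes a group (remote PFS is not "none").
        if local_is_ipso_responder and rp is not None:
            weaker = lp is not None and MODP_BITS[rp] < MODP_BITS[lp]
            level = "WARN" if weaker else "INFO"
            findings.append(f"{level} pfs_group: responder accepts initiator "
                            f"group {rp} ({MODP_BITS[rp]}-bit), local={lp}")
        else:
            findings.append(f"MISMATCH pfs_group: local={lp} remote={rp}")
    if lp is None or rp is None:
        findings.append("WARN pfs_group: PFS is disabled on at least one peer")
    return findings


# Constructed sample policies, not taken from a real device.
LOCAL = {"ike_group": 5, "pfs_group": 5, "life_seconds": 3600, "life_megabytes": 100}
REMOTE = {"pfs_group": 2, "life_seconds": 3600, "life_megabytes": 50}
```

Calling `compare_peers(LOCAL, REMOTE, local_is_ipso_responder=True)` on the constructed samples reports the megabyte-lifetime and IKE group mismatches and warns that the responder would accept a smaller PFS group than the local policy sets.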

Creating an IPSec Policy

Choosing IPv4 or IPv6 General Configuration Page

To choose IPv4 or IPv6 general configuration pages

1. Click IPSec under Security and Access in the tree view.

2. Access the appropriate IPSec General Configuration page:

• To display the IPv4 IPSec General Configuration page, click on the IPSec link.

• To display the IPv6 IPSec General Configuration page, first click on the IPv6 Configuration link; this takes you to the main IPv6 page. Next, click on the IPSec link; this takes you to the IPv6 IPSec General Configuration page.

• If you are on the IPv4 General Configuration page, to move to the IPv6 General Configuration page, scroll down to the bottom of the page and click the IPv6 IPSec General Configuration link.

Note

Application procedures are the same for both configuration page types. The primary difference is the format of the IP addresses. IPv4 uses dotted quad format and IPv6 uses canonical address format. Selected range values might be different; consult the inline Help option for specifics.

The following sections describe how to create an IPSec policy.

Nokia Network Voyager for IPSO 4.0 Reference Guide
