332 Nokia Network Voyager for IPSO 4.0 Reference Guide
exchange must take place during Quick Mode. Consequently, the two peers generate a new
Diffie-Hellman key pair.
Using PKI
For IKE Phase 1 negotiation, IPSec systems can use X.509 certificates for authentication.
X.509 certificates are issued by Certificate Authorities (CAs). The IPSO IPSec implementation
supports the Entrust VPN Connector and VeriSign IPSec OnSite services. Contact either of these
CA vendors for certificate signing services.
To use X.509 certificates, the IPSec system should follow these steps:
1. Install the trusted CA certificates of all peer IPSec systems, including the CA certificate
for your own system.
2. Make a certificate request containing all the information required to identify the system,
such as its IP address, fully qualified domain name, organization, organizational unit, city,
state, country, and contact email address.
3. Forward the certificate request to the CA or the corresponding RA (Registration Authority)
using the Web interface or another file transfer mechanism.
The CA or RA verifies the identity of the IPSec system and generates the approved certificate.
A certificate is valid only for a limited period of time.
4. Download and install the approved device certificate and the CA certificate on the IPSec
system.
5. Link the certificate to an IPSec policy.
Note
The IPSO Web-based Network Voyager interface provides the mechanism you need to
complete all the above steps.
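The following is an added example, not code from the IPSO guide or from Nokia: it walks through steps 2 to 4 with OpenSSL, building a certificate request that carries the identity fields listed above, having a constructed lab CA (standing in for the external CA or RA) issue a certificate with a limited lifetime, and then checking the chain and validity period before the certificate would be linked to a policy in step 5. Every name, address, path and the lab CA itself are assumptions.

```shell
# Added example, not from the IPSO guide. A constructed lab CA stands in for the
# external CA/RA; every name, address and path below is an assumption.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FQDN="vpn1.example.com"; DEVICE_IP="192.0.2.10"   # constructed device identity

# Step 1 (lab stand-in): the CA certificate the device must trust.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/C=US/O=Lab CA/CN=Lab Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: certificate request carrying the identity fields the guide lists
# (IP address, FQDN, organization, unit, city, state, country, contact e-mail).
make_device_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/device.key" -out "$WORK/device.csr" \
    -subj "/C=US/ST=California/L=Mountain View/O=Example Corp/OU=Network Ops/CN=$FQDN/emailAddress=netops@example.com" \
    -addext "subjectAltName=DNS:$FQDN,IP:$DEVICE_IP" 2>/dev/null
}

# Step 3 (lab stand-in for the CA/RA): issue a certificate with a limited lifetime.
# 'openssl x509 -req' does not copy CSR extensions, so the CA restates the SAN.
sign_device_csr() {
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$FQDN" "$DEVICE_IP" > "$WORK/device.ext"
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/device.ext" -out "$WORK/device.crt" 2>/dev/null
}

# Step 4 check: before linking the certificate to a policy (step 5), confirm it
# chains to the installed CA certificate and is inside its validity period.
verify_device_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$WORK/device.crt" -noout -checkend 0 >/dev/null
}

# Identity actually bound in the issued certificate (subject plus SAN).
device_cert_identity() {
  openssl x509 -in "$WORK/device.crt" -noout -subject
  openssl x509 -in "$WORK/device.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Why step 1 matters: a certificate from a CA the device does not trust must fail.
verify_with_untrusted_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/other.crt" "$WORK/device.crt" >/dev/null 2>&1
}

run_pki_flow() { make_lab_ca && make_device_csr && sign_device_csr && verify_device_cert; }
run_pki_flow && device_cert_identity
```

Run it with a current OpenSSL (1.1.1 or later, for `-addext`); the last line prints the subject and SAN the CA actually bound, which is what a peer will match against its policy.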
IPSec Implementation in IPSO
Note
The IP2250 appliance does not support IPSO’s implementation of IPSec.
The IPSO operating system provides a native IPSec implementation supporting ESP in tunnel
mode. This implementation is compliant with the following RFCs:
Table 20 IPSec RFCs
RFC       Description
RFC 2401  Security Architecture for the Internet Protocol
RFC 2402  IP Authentication Header