Nokia Network Voyager for IPSO 4.0 Reference Guide 333
The IPSec configuration in Network Voyager is based on three IPSec objects: proposals, filters,
and policies.
Proposals—Define the combination of encryption and authentication algorithms that secure
phase 1 negotiation (Main Mode) as well as phase 2 negotiations (Quick Mode) and IPSec
packets.
Filters—Determine which packets a policy, and therefore its proposals, applies to. A filter is
matched against the source or the destination address in the packet header, depending on
whether it is used as a source filter or as a destination filter. If applicable, the Protocol and
Port fields are also used in the match.
Policies—Link the type of IPSec security defined by proposals with traffic. The traffic is
defined by a list of filters for the source address and a second list of filters for the
destination address. If the source address of a packet matches a filter in the source filter
list and the destination address matches a filter in the destination filter list, IPSec is
applied to the packet. Protocols and ports are used in the matching process, if applicable.
The kind of security applied to the defined traffic is specified by a list of proposals ordered
by priority. This list is offered to the peer beginning with the proposal that has the lowest
priority value.
Proposals and filters can be reused in different policies. The other elements defined in a policy
are the authentication method (preshared keys or X.509 certificates) and lifetime attributes.
Miscellaneous Tunnel Requirements
IPSec tunnels are defined by local and remote tunnel addresses. A tunnel requires a policy to
define which traffic is encapsulated by the tunnel and what security is used in the encapsulation.
Traffic that matches the filters associated with the policy is encapsulated between the tunnel
addresses. Policies can also be reused in different tunnels. An IPSec tunnel cannot function
without an associated policy.
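The following is an added illustration, not Nokia IPSO or Network Voyager code: a small Python model of the three objects described above (proposals, filters, policies) and of a tunnel that uses a policy. It shows the matching rule exactly as the text describes it: a packet is protected only when its source address matches some filter in the policy's source list and its destination address matches some filter in the destination list, with protocol and port consulted only when the filter specifies them, and the policy's proposals are then offered in ascending priority-value order. All class and field names, the sample addresses and the sample proposals are assumptions made for the example.

```python
"""Toy model of Network Voyager-style IPsec objects (added example, not
Nokia code).  Names, fields and sample data are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """An encryption + authentication algorithm pair offered to the peer."""
    name: str
    encryption: str       # e.g. "3DES", "DES", "Blowfish"
    authentication: str   # e.g. "SHA-1", "MD5"


@dataclass(frozen=True)
class Filter:
    """Matches one address field of a packet; protocol and port are optional
    and are only consulted when the filter sets them ("if applicable")."""
    network: str                     # CIDR prefix, e.g. "10.1.0.0/16"
    protocol: Optional[int] = None   # IP protocol number, None = any
    port: Optional[int] = None       # transport port, None = any

    def matches(self, addr: str, protocol: int, port: Optional[int]) -> bool:
        if ip_address(addr) not in ip_network(self.network):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


@dataclass
class Policy:
    """Links traffic (source filters x destination filters) to proposals."""
    name: str
    source_filters: List[Filter]
    destination_filters: List[Filter]
    proposals: List[Tuple[int, Proposal]]   # (priority value, proposal)
    auth_method: str = "preshared-key"      # or "x509"
    lifetime_seconds: int = 28800

    def ordered_proposals(self) -> List[Proposal]:
        # Lowest priority value is offered to the peer first.
        return [p for _, p in sorted(self.proposals, key=lambda t: t[0])]

    def applies_to(self, src: str, dst: str, protocol: int,
                   sport: Optional[int], dport: Optional[int]) -> bool:
        src_ok = any(f.matches(src, protocol, sport) for f in self.source_filters)
        dst_ok = any(f.matches(dst, protocol, dport) for f in self.destination_filters)
        return src_ok and dst_ok


@dataclass
class Tunnel:
    local_address: str
    remote_address: str
    policy: Policy   # a tunnel cannot function without a policy

    def encapsulate(self, src: str, dst: str, protocol: int,
                    sport: Optional[int] = None, dport: Optional[int] = None):
        """Return (outer src, outer dst, proposals offered) when the policy
        selects the packet, or None when it is sent in the clear."""
        if not self.policy.applies_to(src, dst, protocol, sport, dport):
            return None
        return (self.local_address, self.remote_address,
                self.policy.ordered_proposals())


def build_example_tunnel() -> Tunnel:
    """Constructed sample configuration (assumed values)."""
    strong = Proposal("3des-sha1", "3DES", "SHA-1")
    weak = Proposal("des-md5", "DES", "MD5")
    policy = Policy(
        name="site-to-site",
        source_filters=[Filter("10.1.0.0/16")],
        destination_filters=[Filter("10.2.0.0/16"),
                             Filter("192.0.2.0/24", protocol=6, port=443)],
        # Deliberately listed out of order: priority 10 must still go first.
        proposals=[(20, weak), (10, strong)],
    )
    return Tunnel("198.51.100.1", "203.0.113.1", policy)


if __name__ == "__main__":
    t = build_example_tunnel()
    print(t.encapsulate("10.1.5.5", "10.2.9.9", 17))              # protected
    print(t.encapsulate("10.1.5.5", "192.0.2.10", 6, dport=443))  # protected
    print(t.encapsulate("10.1.5.5", "192.0.2.10", 6, dport=80))   # None
    print(t.encapsulate("10.9.5.5", "10.2.9.9", 17))              # None
```

The third and fourth calls show the two ways a packet falls outside the policy: the destination filter carries a protocol and port, so HTTP to the same host does not match, and a source outside 10.1.0.0/16 fails the source list even though the destination matches.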
Table 20 IPSec RFCs

RFC       Description
RFC 2406  IP Encapsulating Security Payload (ESP). Supported algorithms: 3DES, DES, and
          Blowfish for encryption; SHA-1 and MD5 for authentication.
RFC 2407  The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408  Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409  The Internet Key Exchange (IKE)
RFC 2411  IP Security Document Roadmap
RFC 2412  The OAKLEY Key Determination Protocol
RFC 2451  ESP CBC-Mode Cipher Algorithms

Of the algorithms listed for ESP, single DES and MD5 are no longer considered adequate; where the
peer supports it, order proposals so that 3DES with SHA-1 is offered first.