334 Nokia Network Voyager for IPSO 4.0 Reference Guide
Note
Native IPSO IPSec tunnels cannot coexist in the same machine with Check Point IPSec software. Before you use IPSO IPSec software, ensure that no Check Point software is running. Likewise, before you use Check Point IPSec software, ensure that no IPSO IPSec software is running.

You can create IPSec tunnel rules with or without a logical interface for all IPSO platforms except the IP3000 series. For the IP3000 series platform, you must create a logical interface with each tunnel rule. You can create tunnel rules without logical interfaces if you require a large number of tunnels. However, creating IPSec tunnels without interfaces can slow down non-IPSec traffic.
Phase 1 Configuration
For IPSO, the Phase 1 encryption and authentication algorithms are the same as those used in Phase 2. However, if Phase 2 encryption is NULL, such as with an AH proposal or a NULL-encryption-ESP proposal, IPSO uses 3DES as the Phase 1 encryption algorithm.

The values set in the Lifetime table are used as the hard lifetime of the Phase 2 SA. Phase 1 lifetimes are calculated as Hard Phase 1 lifetime (seconds) = 5 × Hard Phase 2 lifetime (seconds). The soft limit value is approximately 80-90 percent of the hard-limit value, depending on whether the device is working as a session initiator or responder.

If you create tunnels between an IPSO platform and non-IPSO systems, configure the non-IPSO system so that the Phase 1 lifetime is five times the Phase 2 lifetime. Set the encryption to 3DES, and set the authentication so that it is the same as the Phase 2 algorithm.
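The following is an added example, not code from the Nokia guide: it applies the Phase 1 derivation rules above to a Phase 2 proposal and reports where a non-IPSO peer's Phase 1 settings would not match what IPSO uses. The dictionary layout and the NULL_ENCRYPTION set are assumptions made for this example.

```python
# Derive the IKE Phase 1 settings an IPSO 4.0 system uses from its Phase 2
# proposal, then compare them with a non-IPSO peer's Phase 1 configuration.
# Dictionary keys and NULL_ENCRYPTION are assumptions for this example.

NULL_ENCRYPTION = {"NULL", None}   # AH proposals or NULL-encryption ESP


def derive_phase1(phase2):
    """Return the Phase 1 parameters IPSO derives from a Phase 2 proposal.

    phase2 = {"protocol": "ESP" or "AH", "encryption": str or None,
              "authentication": str, "hard_lifetime": int (seconds)}
    """
    # AH carries no encryption, so treat it as NULL regardless of the field.
    enc = phase2.get("encryption") if phase2["protocol"] == "ESP" else None
    # Phase 1 reuses the Phase 2 algorithms, except that a NULL Phase 2
    # encryption becomes 3DES for Phase 1.
    phase1_enc = "3DES" if enc in NULL_ENCRYPTION else enc
    hard = 5 * phase2["hard_lifetime"]
    return {
        "encryption": phase1_enc,
        "authentication": phase2["authentication"],
        "hard_lifetime": hard,
        # Soft limit is roughly 80-90 percent of the hard limit, depending on
        # whether this device acts as initiator or responder (integer math).
        "soft_lifetime_range": (hard * 8 // 10, hard * 9 // 10),
    }


def check_peer(phase2, peer_phase1):
    """List mismatches between the peer's Phase 1 settings and what IPSO
    will use; an empty list means the two sides agree."""
    expected = derive_phase1(phase2)
    problems = []
    for key in ("encryption", "authentication", "hard_lifetime"):
        if peer_phase1.get(key) != expected[key]:
            problems.append(f"{key}: peer has {peer_phase1.get(key)!r}, "
                            f"IPSO uses {expected[key]!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: an AH proposal with SHA1 and a 3600 s hard lifetime,
    # and a peer that copied the Phase 2 lifetime and picked AES for Phase 1.
    ah_proposal = {"protocol": "AH", "encryption": None,
                   "authentication": "SHA1", "hard_lifetime": 3600}
    peer = {"encryption": "AES128", "authentication": "SHA1",
            "hard_lifetime": 3600}
    for problem in check_peer(ah_proposal, peer):
        print(problem)
```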
Platform Support
IPSec is supported across all Nokia security appliances.
IPSec Parameters
The two IPSec peers should agree on authentication and encryption methods, exchange keys, and be able to verify each other's identities. While you are configuring the peer IPSec devices, consider the following:

- At least one proposal (encryption algorithm and hash function) should match on the peer devices. See "Proposal and Filters" in "Creating an IPSec Policy" for more information.
- Authentication method:
  - If you are using Shared Secret, both devices should have the same shared secret. See "Putting It All Together" in "Creating an IPSec Policy" for more information.
  - If you are using X.509 certificates, both devices should install all the trusted CA certificates in the trust hierarchy. See "Trusted CA Certificates" in "Creating an IPSec Policy" for more information.