VPN E-SERVER : INTERNET APPLICATIONS
Ed. 046/10 Réf. 3EH 21000 BSAA
INTEROPERABILITY WITH OTHER IPSEC GATEWAYS
IPsec Tunnel establishment phases
The IKE (Internet Key Exchange) protocol is used to establish secure IPsec connections. There are two
phases in the protocol.
IKE phase 1
The purpose of Phase 1 is to establish a bidirectional secure channel between the two IPsec gateways,
represented by an ISAKMP SA (Security Association). During this phase the peers negotiate the
parameters used to protect this channel (encryption and hashing algorithms), derive keying material
and authenticate each other.
The standards define two modes for Phase 1, namely Main Mode and Aggressive Mode. Alcatel OmniPCX
Office only supports Main Mode, which is sometimes referred to as ID PROTECT (identity protection)
because the peer identities are exchanged only once the channel is encrypted; the peer device must
therefore be configured to use Main Mode as well.
IKE phase 2
The Phase 1 secure channel is then used to negotiate the security parameters of a particular protection
mechanism, in our case IPsec ESP. This is Phase 2 of IKE; it establishes the IPsec SAs that will
carry the data securely between the two LANs.
The mode used for IKE Phase 2 is always Quick Mode.
Interoperability troubleshooting
This section describes the points of the IKE negotiation where interoperability problems are likely to
arise. The information given about the Alcatel OmniPCX Office features should help tune the peer
device's IPsec configuration so that the secure connection can be established.
Foreword
The configuration of the IPsec VPN feature has been deliberately simplified on Alcatel OmniPCX Office
to fit the "Plug-and-Play" approach and ease of configuration of the product. This hides most of the
technical aspects of IPsec, i.e. the details of the protocols and algorithms used, and makes Alcatel
OmniPCX Office to Alcatel OmniPCX Office IPsec connections straightforward.
However, this does not prevent interoperability with other products, as Alcatel OmniPCX Office includes
support for the set of mandatory IPsec features required by the IETF standards. The only constraint
is that parameter tuning (other than IP parameters and authentication data) has to be performed on the
peer device, as the Alcatel OmniPCX Office configuration is rather static for the more "technical"
details.
SA parameters negotiation
A security association gathers the parameters used to secure a connection: algorithms, keys, peer
addresses, etc. As explained in the previous section, an SA negotiation is performed in each of the
two IKE phases. Both follow the same negotiation scheme, explained hereafter.
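The following worked example is added here and is not part of the Alcatel documentation nor of the product's code. It models the proposal/selection scheme that both IKE phases follow, as described in the two preceding sections: the initiator offers an ordered list of proposals, and the responder accepts the first one matching its own configuration or answers NO-PROPOSAL-CHOSEN. The "static gateway" configuration (one fixed proposal per phase, Main Mode only) and the peer offers are constructed sample values; the algorithm names and lifetimes are assumptions chosen for illustration. The ISAKMP exchange type numbers are the standard ones (Identity Protection = 2, Aggressive = 4, Quick Mode = 32).

```python
"""Added example (not from the Alcatel documentation): a model of the
proposal/selection scheme that IKE Phase 1 (Main Mode) and Phase 2 (Quick
Mode) both follow.  The initiator offers an ordered list of proposals; the
responder walks the list and accepts the first one matching its own
configuration, otherwise it answers NO-PROPOSAL-CHOSEN.  The gateway
configuration and peer offers below are constructed sample values."""

# ISAKMP exchange type identifiers (RFC 2408 section 3.1; Quick Mode is
# IPsec-DOI specific, RFC 2409).
ID_PROT = 2      # Main Mode, "identity protection"
AGGRESSIVE = 4   # Aggressive Mode
QUICK = 32       # Quick Mode

# Attributes that must match exactly; lifetime is reconciled separately.
PHASE1_KEYS = ("enc", "hash", "auth", "dh_group")
PHASE2_KEYS = ("protocol", "enc", "integ", "mode", "pfs_group")

# Constructed "static gateway" configuration: one fixed proposal per phase,
# Main Mode only for Phase 1, as the text describes.  Values are assumed.
GATEWAY_PHASE1 = {"enc": "3des", "hash": "sha1", "auth": "psk",
                  "dh_group": 2, "lifetime": 28800}
GATEWAY_PHASE2 = {"protocol": "esp", "enc": "3des", "integ": "hmac-sha1",
                  "mode": "tunnel", "pfs_group": 2, "lifetime": 3600}


class NoProposalChosen(Exception):
    """Responder found no acceptable proposal (ISAKMP NO-PROPOSAL-CHOSEN)."""


def select_proposal(exchange, offers, local, accepted_exchanges):
    """Responder-side selection for one IKE phase.

    Returns the agreed SA attributes, or raises NoProposalChosen with a
    per-proposal diagnostic naming the attributes that did not match, which
    is what one wants to see in an interoperability debugging session.
    """
    if exchange not in accepted_exchanges:
        raise NoProposalChosen(
            f"exchange type {exchange} refused; responder accepts "
            f"{sorted(accepted_exchanges)}")
    keys = PHASE2_KEYS if exchange == QUICK else PHASE1_KEYS
    diagnostics = []
    for index, offer in enumerate(offers, start=1):
        mismatched = [k for k in keys if offer.get(k) != local[k]]
        if not mismatched:
            sa = {k: local[k] for k in keys}
            # The shorter lifetime wins.  A real IKEv1 responder that uses a
            # shorter value than offered announces it with a
            # RESPONDER-LIFETIME notification; simplified to min() here.
            sa["lifetime"] = min(offer["lifetime"], local["lifetime"])
            return sa
        diagnostics.append(
            f"proposal {index}: " + ", ".join(
                f"{k}={offer.get(k)!r} (local {local[k]!r})" for k in mismatched))
    raise NoProposalChosen("; ".join(diagnostics))


def establish_tunnel(phase1_exchange, phase1_offers, phase2_offers):
    """Run both phases as the static gateway would and report the outcome.

    Phase 2 is only attempted once Phase 1 has produced an ISAKMP SA, since
    Quick Mode runs inside the Phase 1 channel.
    """
    report = {}
    try:
        report["isakmp_sa"] = select_proposal(
            phase1_exchange, phase1_offers, GATEWAY_PHASE1, {ID_PROT})
    except NoProposalChosen as err:
        report["phase1_error"] = str(err)
        return report
    try:
        report["ipsec_sa"] = select_proposal(
            QUICK, phase2_offers, GATEWAY_PHASE2, {QUICK})
    except NoProposalChosen as err:
        report["phase2_error"] = str(err)
    return report


# Constructed peer configuration: preferred proposals first.
PEER_PHASE1 = [
    {"enc": "aes128", "hash": "sha1", "auth": "psk", "dh_group": 5, "lifetime": 86400},
    {"enc": "3des", "hash": "md5", "auth": "psk", "dh_group": 2, "lifetime": 86400},
    {"enc": "3des", "hash": "sha1", "auth": "psk", "dh_group": 2, "lifetime": 86400},
]
PEER_PHASE2 = [
    {"protocol": "esp", "enc": "aes128", "integ": "hmac-sha1", "mode": "tunnel",
     "pfs_group": 2, "lifetime": 1800},
]

if __name__ == "__main__":
    # Third Phase 1 proposal is accepted; Phase 2 then fails on the cipher.
    print(establish_tunnel(ID_PROT, PEER_PHASE1, PEER_PHASE2))
    # An Aggressive Mode initiator is refused before any proposal is looked at.
    print(establish_tunnel(AGGRESSIVE, PEER_PHASE1, PEER_PHASE2))
```

The point of the diagnostic string is the troubleshooting workflow the text describes: since the gateway side is static, the report tells you which attribute of which peer proposal to change (here the Phase 2 cipher), and it shows why a peer initiating in Aggressive Mode never reaches proposal matching at all.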