VPN E-SERVER : INTERNET APPLICATIONS
Ed. 048/10 Réf. 3EH 21000 BSAA
Things to know:
- The authentication method must be configured consistently on the two IPsec gateways. As the use of raw RSA public keys is not widely deployed aside from Linux Freeswan-based implementations, PSK is the preferred way to authenticate with other implementations. The shared secret typically consists of a character string password.
- Authentication using digital certificates is not supported on R1.x.
- Upon failure of an SA negotiation, a NO_PROPOSAL_CHOSEN informational message may be received by the Alcatel OmniPCX Office.
- Phase 2 SA parameters
The same parameters as in Phase 1 are negotiated, except the authentication method. The mechanism used to protect the traffic for the VPN is always ESP, with tunnel mode encapsulation.
Things to know:
- AH is not used on Alcatel OmniPCX Office.
- Perfect Forward Secrecy (PFS) must be enabled at the peer.
- If it is possible to configure separate Diffie-Hellman groups for Phase 1 and Phase 2, it is highly recommended to set the same group for both phases.
Peer identity checking
Before Phase 2 can begin, the peer devices must authenticate each other. For this purpose, they use the method defined during the Phase 1 SA negotiation to compute some data that can be derived only with knowledge of a secret (RSA private key or shared secret). This piece of data is sent along with (and also depends on) an identity payload that identifies the IPsec gateway.
The Alcatel OmniPCX Office does not allow configuration of peer identities, hence identities are always the WAN IP addresses of the systems.
It must be ensured that the remote system is configured to send its IP address to identify itself (often referred to as the "local id" parameter), and also uses an IP address to identify the remote Alcatel OmniPCX Office system. Such a configuration is shown in the next figure.
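A peer-side configuration that satisfies the constraints above (PSK authentication, ESP in tunnel mode, PFS with the same Diffie-Hellman group in both phases, IP addresses as identities), given here as an added example that is not taken from the Alcatel documentation. It assumes the remote gateway runs strongSwan (a Freeswan descendant) configured through ipsec.conf and ipsec.secrets; the addresses, subnets, proposal and secret are constructed values.

```ini
# /etc/ipsec.conf on the remote gateway (constructed example)
config setup

conn omnipcx
    keyexchange=ikev1
    authby=secret              # PSK: certificates are not supported on R1.x
    type=tunnel                # ESP in tunnel mode; AH is not used
    left=203.0.113.5           # this gateway's WAN address
    leftid=203.0.113.5         # "local id" must be the IP address, not an FQDN
    leftsubnet=10.1.0.0/24
    right=198.51.100.7         # OmniPCX Office WAN address
    rightid=198.51.100.7       # its identity is always its WAN IP address
    rightsubnet=10.2.0.0/24
    ike=aes128-sha1-modp1024!  # Phase 1 proposal; '!' = accept only this proposal
    esp=aes128-sha1-modp1024!  # Phase 2 proposal; the DH group here enables PFS
                               # and is the same group as in Phase 1
    auto=start

# /etc/ipsec.secrets on the remote gateway (constructed example)
# Keyed on both IP identities so the PSK is selected by address
203.0.113.5 198.51.100.7 : PSK "constructed-example-secret"
```

If the two gateways disagree on any of these parameters (for example, a DH group present in one esp= proposal and absent in the other), the negotiation fails and the OmniPCX Office side logs the NO_PROPOSAL_CHOSEN message mentioned above.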