Version 6.6 339 October 2014
Installation & Operation Manual 33. Configuring Security Settings
33.11 IPSEC and IKE
IPSEC and IKE are IETF standard protocols for securing an IP connection between two applications. Because they provide their security services at the IP layer, IKE and IPSEC are transparent to the IP applications themselves.
IKE and IPSEC are used together to secure the call control (e.g., MGCP and MEGACO) and management (e.g., SNMP) protocols, but not the media (i.e., RTP, RTCP and T.38).
The IKE protocol is responsible for negotiating the IPSEC encryption keys and encryption profile (together known as the IPSec Security Association (SA)).
IPSEC is responsible for securing the IP traffic. This is accomplished by using the Encapsulating Security Payload (ESP) protocol to encrypt the IP payload (illustrated in the figure below).
Figure 33-4: IPSec Encryption
IPSEC supports the following two modes of operation:
Transport mode – used for host-to-host communication (e.g., for communication between the Media Gateway and the EMS server); encrypts the payload of the IP packet, but leaves the IP header intact.
Tunnel mode – used to create Virtual Private Networks (VPNs) for network-to-network or host-to-network communication (e.g., for communication between the Media Gateway and the VPN gateway); the entire packet is encrypted and then encapsulated in a new IP packet with a new IP header.
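The following is an added example, not part of this manual and not AudioCodes code, that makes the difference between the two modes concrete at the byte level. It builds an ESP packet (RFC 4303 layout) around a constructed IPv4/UDP packet once in transport mode and once in tunnel mode, then verifies and strips the ESP framing again. To keep the framing visible it assumes NULL encryption (RFC 2410) in place of a real cipher and HMAC-SHA256-128 (RFC 4868) as the integrity algorithm; the addresses, SPI and key are constructed sample values.

```python
"""Added example (not from the manual): ESP transport vs. tunnel mode framing,
RFC 4303 layout with NULL encryption (RFC 2410) and HMAC-SHA256-128 integrity."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4    # Next Header value when a whole IPv4 packet is carried (tunnel mode)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ICV_LEN = 16        # HMAC-SHA256-128 truncates the MAC to 128 bits

# Constructed sample values (not real keys or addresses from any deployment).
SAMPLE_KEY = bytes(range(32))


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_sample_packet() -> bytes:
    """Constructed IPv4/UDP packet: 10.0.0.1 -> 10.0.0.2, port 5060, payload 'hello'."""
    udp = struct.pack("!HHHH", 5060, 5060, 8 + 5, 0) + b"hello"   # UDP checksum 0 = none
    return ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_UDP, len(udp)) + udp


SAMPLE_PACKET = build_sample_packet()


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int, auth_key: bytes) -> bytes:
    """ESP header | payload | padding | pad length | next header | ICV.
    With NULL encryption the payload stays in clear; the ICV still covers
    everything from the SPI up to and including the Next Header byte."""
    # RFC 4303: payload + padding + pad length + next header must be a multiple
    # of the cipher block size (4 for NULL); default pad bytes are 1, 2, 3, ...
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_transport(ip_packet: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Transport mode: original IP header kept, only its payload is wrapped in ESP.
    The header's protocol field becomes 50 (ESP) and the original protocol
    moves into the ESP Next Header field."""
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr, payload = bytearray(ip_packet[:ihl]), ip_packet[ihl:]
    esp = esp_encapsulate(payload, hdr[9], spi, seq, auth_key)
    hdr[9] = IPPROTO_ESP
    struct.pack_into("!H", hdr, 2, ihl + len(esp))   # new total length
    struct.pack_into("!H", hdr, 10, 0)               # recompute checksum
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + esp


def esp_tunnel(ip_packet: bytes, outer_src: str, outer_dst: str,
               spi: int, seq: int, auth_key: bytes) -> bytes:
    """Tunnel mode: the entire original packet (header included) becomes the
    ESP payload and a new outer IP header is prepended with the gateways' addresses."""
    esp = esp_encapsulate(ip_packet, IPPROTO_IPIP, spi, seq, auth_key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def esp_decapsulate(ip_packet: bytes, auth_key: bytes):
    """Check the ICV, strip ESP header and trailer, return (next_header, inner bytes).
    A receiver must verify the ICV before it interprets a single payload byte."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    esp = ip_packet[ihl:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return next_header, inner


if __name__ == "__main__":
    t = esp_transport(SAMPLE_PACKET, 0x1000, 1, SAMPLE_KEY)
    u = esp_tunnel(SAMPLE_PACKET, "192.0.2.1", "192.0.2.2", 0x1000, 1, SAMPLE_KEY)
    print("transport:", len(t), "bytes, next header", esp_decapsulate(t, SAMPLE_KEY)[0])
    print("tunnel:   ", len(u), "bytes, next header", esp_decapsulate(u, SAMPLE_KEY)[0])
```

Running it shows the transport packet keeping the 10.0.0.x addresses with Next Header 17 (UDP), while the tunnel packet carries the original 33-byte packet inside ESP with Next Header 4 and the outer header addressed between the gateways; flipping any protected byte makes `esp_decapsulate` reject the packet.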
The Mediant 8000 Media Gateway implements the following IPSEC/IKE specifications:
33.11.1 For Management Interfaces (on SC boards)
This section describes the Management Interfaces (on SC boards).
33.11.1.1 IKE Protocol
Authentication: pre-shared key or X.509 certificate (*)
IKE Phase 1 exchange mode: main
IKE SA encryption algorithms: DES, 3DES and AES (*)
IKE SA hash types: SHA1, SHA256 (*), SHA384 (*), SHA512 (*) and MD5
Diffie-Hellman groups: ModP768, ModP1024, ModP1536 (*), ModP2048 (*), ModP3072 (*), ModP4096 (*), ModP6144 (*) and ModP8192 (*)
Dead-peer detection (as per RFC 3706) (*)