Nokia Network Voyager for IPSO 4.0 Reference Guide

Note
Native IPSO IPSec tunnels cannot coexist in the same machine with Check Point IPSec software. Before you use IPSO IPSec software, ensure that no Check Point software is running. Likewise, before you use Check Point IPSec software, ensure that no IPSO IPSec software is running.

You can create IPSec tunnel rules with or without a logical interface for all IPSO platforms except the IP3000 series. For the IP3000 series platform, you must create a logical interface with each tunnel rule. You can create tunnel rules without logical interfaces if you require a large number of tunnels. However, creating IPSec tunnels without interfaces can slow down non-IPSec traffic.

Phase 1 Configuration

For IPSO, the Phase 1 encryption and authentication algorithms are the same as those used in Phase 2. However, if Phase 2 encryption is NULL, such as with an AH proposal or NULL-encryption-ESP proposal, IPSO uses 3DES as the Phase 1 encryption algorithm.

The values set in the Lifetime table are used as the hard lifetime of the Phase 2 SA. Phase 1 lifetimes are calculated as:

Hard Phase 1 lifetime (seconds) = 5 * Hard Phase 2 lifetime (seconds)

The soft limit value is approximately 80-90 percent of the hard-limit value, depending on whether the device is working as a session initiator or responder.

If you create tunnels between an IPSO platform and non-IPSO systems, configure the non-IPSO system so that the Phase 1 lifetime is five times the Phase 2 lifetime. Set the encryption to 3DES, and set the authentication so that it is the same as the Phase 2 algorithm.

Platform Support

IPSec is supported across all Nokia security appliances.

IPSec Parameters

The two IPSec peers should agree on authentication and encryption methods, exchange keys, and be able to verify each other’s identities. While you are configuring the peer IPSec devices, consider the following:

• At least one proposal (encryption algorithm and hash function) should match on the peer devices. See “Proposal and Filters” in “Creating an IPSec Policy” for more information.
• Authentication method:
  - If you are using Shared Secret, both devices should have the same shared secret. See “Putting It All Together” in “Creating an IPSec Policy” for more information.
  - If you are using X.509 certificates, both devices should install all the trusted CA certificates in the trust hierarchy. See “Trusted CA Certificates” in “Creating an IPSec Policy” for more information.
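
The following added example (not part of the reference guide and not IPSO syntax) applies the derivation rules from "Phase 1 Configuration" to check a non-IPSO peer's Phase 1 settings and to test the proposal-match requirement from "IPSec Parameters". The class, function and field names and the sample algorithm and lifetime values are assumptions made for illustration.

```python
# Added example: names, field layout and sample values are assumptions, not IPSO syntax.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proposal:
    encryption: Optional[str]  # None for AH, "NULL" for NULL-encryption ESP
    auth: str                  # hash function, e.g. "SHA1"

def expected_phase1(p2: Proposal, p2_hard_lifetime_s: int) -> dict:
    """Phase 1 values the page says IPSO derives from the Phase 2 settings."""
    null_enc = p2.encryption is None or p2.encryption.upper() == "NULL"
    return {
        "encryption": "3DES" if null_enc else p2.encryption.upper(),
        "auth": p2.auth.upper(),
        "lifetime_s": 5 * p2_hard_lifetime_s,
    }

def soft_lifetime_window(hard_s: int) -> tuple:
    """Approximate soft-limit range (80-90 percent of the hard limit)."""
    return (hard_s * 80 // 100, hard_s * 90 // 100)

def common_proposals(local: list, peer: list) -> list:
    """Proposals present on both peers; an empty list means no proposal matches."""
    norm = lambda p: ((p.encryption or "NULL").upper(), p.auth.upper())
    peer_set = {norm(p) for p in peer}
    return [p for p in local if norm(p) in peer_set]

def peer_mismatches(peer_phase1: dict, p2: Proposal, p2_hard_lifetime_s: int) -> list:
    """Compare a non-IPSO peer's Phase 1 settings with what the IPSO side uses."""
    want = expected_phase1(p2, p2_hard_lifetime_s)
    return [f"{k}: peer has {peer_phase1.get(k)!r}, IPSO side uses {v!r}"
            for k, v in want.items() if peer_phase1.get(k) != v]

if __name__ == "__main__":
    # Constructed sample: NULL-encryption ESP with a 3600-second Phase 2 hard lifetime.
    p2 = Proposal(encryption="NULL", auth="SHA1")
    peer = {"encryption": "DES", "auth": "SHA1", "lifetime_s": 3600}
    for line in peer_mismatches(peer, p2, 3600):
        print(line)
```
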