10 Configuring Security and Access594 Voyager Reference GuidePhase 1 ConfigurationFor IPSO, the Phase 1 encryption and authentication algorithms are the sameas those used in Phase 2. However, if Phase 2 encryption is NULL, such aswith an AH proposal or NULL-encryption-ESP proposal, IPSO uses 3DES asPhase 1 the encryption algorithm.The values set in the L IFETIME table are used as hard lifetime of the Phase 2SA. Phase 1 lifetimes are calculated as Hard Phase 1 lifetime (seconds) = 5*Hard Phase 2 lifetime (seconds). The soft limit value is approximately 80-90% of the hard limit value, depending on whether the device is working as asession initiator or responder.If you create tunnels between an IPSO platform and non-IPSO systems,configure the non-IPSO system so that the Phase 1 lifetime is five times thePhase 2 lifetime. Set the encryption to 3DES, and set the authentication sothat it is the same as the Phase 2 algorithm.PlatformsIPsec is supported across all Nokia security appliances.IPsec ParametersThe two IPsec peers should agree on authentication and encryption methods,exchange keys, and be able to verify each other’s identities. Whileconfiguring the peer IPsec devices, consider the following:! At least one proposal (encryption algorithm and hash function) shouldmatch on the peer devices. See “Proposal and Filters” in “Creating anIPsec Policy” .
