54 IPsec VPN fundamentals

The secure router can use the certificates in IKE to establish IPsec security associations between two gateways.

Manual certificate enrollment

As an alternative to SCEP, the SR4134 also supports manual certificate enrollment. The steps that you must follow for manual enrollment are as follows:

• Manually upload the CA certificate (using cut-and-paste)
• Generate a self certificate request
• Manually submit the self certificate request to the CA (using cut-and-paste)
• Manually upload the approved self certificate from the CA (using cut-and-paste)

Dead peer detection

The SR4134 provides support to detect when an IKE peer gateway dies unexpectedly. This prevents a situation whereby packets are tunneled to a black hole, resulting in bandwidth loss and recovery problems. The SR4134 supports RFC 3706, which describes a method, called Dead Peer Detection (DPD), to confirm the status of peer gateways.

NAT Traversal support

During IKE negotiation, the SR4134 automatically detects NAT in the middle between two security gateways. Because NAT in the middle can affect the integrity of the secure packets (ESP or AH), upon NAT detection the SR4134 automatically uses the NAT traversal protocol. This protocol provides an additional UDP encapsulation over the secure packets. This is applied to all subsequent IKE negotiations as well as to the secure packets.

Multiple IKE proposals

IKE establishes a secure communication channel for itself in phase 1 before negotiating the IPsec proposals in phase 2. During phase 1, IKE can propose up to five protection suites. Each IKE proposal specifies a particular choice for each of the following:

• authentication method
• encryption algorithm
• hash algorithm
• DH group
• lifetime

Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600 01.02 Standard
10.0 3 August 2007
Copyright © 2007, Nortel Networks.
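The Dead Peer Detection behaviour described above, as an added example that is not part of this manual or the SR4134 firmware: a small simulation of the RFC 3706 liveness logic (probe only when the tunnel is idle, strictly increasing R-U-THERE sequence numbers, acks that must echo the outstanding number, and tear-down after repeated silence). The timer values and the clock are constructed for the example and are not SR4134 defaults.

```python
from dataclasses import dataclass

@dataclass
class DpdPeer:
    # Timer values are constructed for the example, not SR4134 defaults.
    idle_threshold: float = 10.0   # seconds of silence before we start asking
    retry_interval: float = 5.0    # seconds between unanswered R-U-THERE messages
    max_retries: int = 3           # unanswered R-U-THERE messages before giving up
    last_rx: float = 0.0           # last time any traffic arrived from the peer
    next_seq: int = 1              # R-U-THERE sequence numbers must strictly increase
    outstanding: int = None        # sequence number we are waiting to see acked
    sent_at: float = 0.0
    retries: int = 0
    dead: bool = False

    def note_traffic(self, now: float) -> None:
        # Inbound traffic proves liveness, so DPD stays quiet while the tunnel is busy.
        self.last_rx, self.outstanding, self.retries = now, None, 0

    def tick(self, now: float):
        """Periodic timer: returns an R-U-THERE notify to send, or None."""
        if self.dead or now - self.last_rx < self.idle_threshold:
            return None
        if self.outstanding is not None:           # still waiting on an earlier probe
            if now - self.sent_at < self.retry_interval:
                return None
            self.retries += 1
            if self.retries >= self.max_retries:
                self.dead = True                   # tear down the SA; do not black-hole
                return None
        self.outstanding, self.sent_at = self.next_seq, now
        self.next_seq += 1
        return ("R-U-THERE", self.outstanding)

    def receive_ack(self, seq: int, now: float) -> bool:
        # R-U-THERE-ACK must echo the outstanding sequence number (replay check).
        if self.outstanding is None or seq != self.outstanding:
            return False
        self.note_traffic(now)
        return True

def simulate(peer_answers: bool, seconds: int = 40) -> dict:
    # Run one peer against a constructed clock; the remote side acks or stays silent.
    p, sent = DpdPeer(), []
    for t in range(seconds):
        msg = p.tick(float(t))
        if msg:
            sent.append((t, msg[1]))
            if peer_answers:
                p.receive_ack(msg[1], float(t))
        if p.dead:
            return {"dead_at": t, "probes": sent}
    return {"dead_at": None, "probes": sent}
```

With a responsive peer the probes stay spaced by the idle threshold; with a silent peer the third unanswered probe is followed by a dead verdict, which is the point at which a gateway should tear down the SA rather than keep tunnelling into a black hole.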