Best Practices:
How to configure Nokia IP VPN and Cisco VPN
Concentrator for certificate based authentication
September 2005
1. Introduction
The purpose of this document is to give basic guidelines on how to configure a Nokia IP VPN
gateway to establish a VPN with a Cisco VPN Concentrator using certificate-based
authentication. The document is based on the following IP VPN and Cisco versions:
IP VPN v6.3
- VPN Manager v6.3 (2005062513)
- VPN gw kernel v6.3 (84)
Cisco VPN Concentrator
- VPN 3000 Concentrator Version 4.7.Rel, Mar 10 2005 14:58:16
2. Cisco configuration
The following configuration settings are used in this sample:
Certificates
- Chained Certificate Authorities with one Root CA and one Device CA. The Device CA is
under the Root CA. The gateway certificates are signed by the Device CA.
IKE settings
- Authentication mode: RSA Digital Certificate
- Authentication algorithm: SHA/HMAC-160
- Encryption algorithm: 3DES-168
- Diffie-Hellman group: Group 5 (1536 bits)
- Data lifetime: 10000 kB
- Time lifetime: 28800 s
- Certificate transmission: Entire certificate chain
IPSec settings
- Authentication algorithm: ESP/MD5/HMAC-128
- Encryption algorithm: 3DES-168
- Encapsulation mode: Tunnel
- Perfect Forward Secrecy: Group 5 (1536 bits)
- Data lifetime: 10000 kB
- Time lifetime: 28800 s
3. Nokia IP VPN Configuration
3.1 Import the CA certificates
Start by importing both the Root CA and the Device CA into VPN Manager. Import the
Root CA first and then the Device CA, so that the Device CA can be placed under its parent.
Go to Edit / VPN Global Properties / Certification Authorities menu and right-click the upper
part of the menu (Certification Authorities). Select “Import External Certification Authority”
and import the Root CA certificate file:
After this the Root CA is shown in the CA list:
Continue by importing the Device CA. When prompted for the parent of the Device CA
certificate, choose the previously imported Root CA.
After this the CA list shows the Root CA and the Device CA located under the Root CA:
3.2 Request device certificate for IP VPN gw
Apply the changes after importing the CA certificates in the previous step and continue by
requesting a device certificate for the IP VPN gw. Export the PKCS#10 ("p10") request to a file,
get the request signed by the Device CA and import the signed certificate back into VPN Manager.
Go to Gateway / Properties / Device Certificates menu and choose “Request”. In the
Certificate Authority selection box select the Device CA (check with View command that the
right CA is selected if the Root CA and Device CA names look identical in the selection list).
Check that FQDN and Static Outside IP Addresses are selected in the SubjectAltName fields.
Press “Submit” to create the certificate request.
Check that the Device CA is selected as the CA from which the certificate is requested:
Export the certificate request and get it signed by the Device CA. Import the signed
certificate to VPN Manager. Check that the signed certificate contains the correct outside IP
address in the SubjectAltName field:
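The two steps above (a Root CA with a Device CA under it, a p10 request carrying FQDN and static outside IP in SubjectAltName, a gateway certificate signed by the Device CA) are illustrated below with a small Python script using the "cryptography" package. This is an added example, not part of the Nokia document and not VPN Manager or Cisco code; the CA names, the gateway FQDN and the 192.0.2.x addresses are assumptions. It also shows why the IKE policy can trust only the Root CA while the gateway certificate is issued by the Device CA: the peer must send the entire chain (as the Cisco "Certificate transmission: Entire certificate chain" setting does), otherwise the receiver cannot link the gateway certificate to the trusted root. Validity dates and revocation checking are left out to keep the example short.

```python
# Added example (not from the Nokia document): build the Root CA -> Device CA
# hierarchy, issue the gateway certificate from a PKCS#10 request carrying FQDN
# and outside-IP SubjectAltNames, and validate the chain as a peer trusting only
# the Root CA must. Needs 'cryptography'; names and addresses are assumptions.
import ipaddress
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _skeleton(subject, issuer, public_key, ca, days):
    """Certificate builder with the fields every certificate here shares."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))

def make_ca(common_name, parent=None, days=3650):
    """(key, cert): self-signed Root CA, or a Device CA signed by parent=(key, cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    signer, issuer = (key, subject) if parent is None else (parent[0], parent[1].subject)
    return key, _skeleton(subject, issuer, key.public_key(), True, days).sign(signer, hashes.SHA256())

def make_gateway_request(fqdn, outside_ip):
    """(key, csr): the 'p10' request VPN Manager exports, FQDN + static outside IP in SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    san = x509.SubjectAlternativeName(
        [x509.DNSName(fqdn), x509.IPAddress(ipaddress.ip_address(outside_ip))])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)]))
           .add_extension(san, critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr

def sign_request(csr, ca, days=365):
    """Device CA step: issue the gateway certificate from the CSR, copying its SAN."""
    if not csr.is_signature_valid:
        raise ValueError("PKCS#10 proof-of-possession signature is invalid")
    ca_key, ca_cert = ca
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return (_skeleton(csr.subject, ca_cert.subject, csr.public_key(), False, days)
            .add_extension(san.value, critical=san.critical)
            .sign(ca_key, hashes.SHA256()))

def _signed_by(cert, issuer):
    """True if issuer's name matches cert's issuer field and its RSA key verifies the signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def verify_peer(chain, trust_anchor, expected_outside_ip):
    """Validate a chain as sent in IKE (leaf first, then intermediates) against the
    locally trusted Root CA, then check the leaf SAN carries the peer's outside IP."""
    der = lambda c: c.public_bytes(serialization.Encoding.DER)
    pool = list(chain[1:]) + [trust_anchor]
    cert = chain[0]
    for _ in range(len(pool) + 1):
        if der(cert) == der(trust_anchor):
            break
        issuer = next((c for c in pool if _signed_by(cert, c)), None)
        if issuer is None:
            return False, f"no issuer for {cert.subject.rfc4514_string()} in chain or trust store"
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, f"{issuer.subject.rfc4514_string()} is not a CA"
        cert = issuer
    else:
        return False, "chain does not terminate at the trusted Root CA"
    try:
        san = chain[0].extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False, "leaf certificate has no SubjectAltName"
    if ipaddress.ip_address(expected_outside_ip) not in san.get_values_for_type(x509.IPAddress):
        return False, f"outside IP {expected_outside_ip} not in SubjectAltName"
    return True, "chain validates to the Root CA and SAN matches the outside IP"

def demo():
    """Assumed names and addresses; returns verify_peer results for three cases."""
    root = make_ca("Example Root CA")
    device_ca = make_ca("Example Device CA", parent=root)
    _key, csr = make_gateway_request("ipvpn-gw.example.net", "192.0.2.10")
    gw_cert = sign_request(csr, device_ca)
    return {
        "full_chain": verify_peer([gw_cert, device_ca[1]], root[1], "192.0.2.10"),
        "leaf_only": verify_peer([gw_cert], root[1], "192.0.2.10"),  # Device CA not sent
        "wrong_ip": verify_peer([gw_cert, device_ca[1]], root[1], "192.0.2.11"),
    }
```

Running demo() shows the full chain validating, the leaf-only case failing with "no issuer" (the Device CA is missing, which is exactly what happens if the peer sends only its own certificate while the IKE policy trusts the Root CA), and the wrong-IP case failing on the SubjectAltName check, which is the check behind the instruction above to confirm the signed certificate carries the correct outside IP address.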
3.3 Configure the protected networks on the local side
Configure the local networks that the IP VPN gw protects (internal networks).
Go to Gateway / Properties / VPN Participation menu and define the local host groups which
IP VPN gw protects:
3.4 Configure Cisco gateway as a non-managed gateway for IP VPN
Define the Cisco concentrator as a non-managed gateway in the VPN Manager configuration and add
it to the same partition as the IP VPN gw.
Go to Edit / VPN Global Properties / Non-Managed Gateways menu and right-click the menu
to create a new non-managed gateway. In the Identity submenu define the outside IP
address of the Cisco gw. In the VPN submenu define the internal networks which the Cisco
concentrator protects.
Go to Edit / VPN Global Properties / Partition menu and check that the newly created Cisco
gw and the IP VPN gw belong to the same partition (e.g. VPN Default Partition).
3.5 Define the IKE policy
Go to Edit / VPN Global Properties / IKE Policies menu and create an IKE policy with the
following settings:
- Keying method: IKE Digital Certificate
- Certificates issued by: Root CA. Select the earlier imported Root CA in the selection
box (the only choice available here because the Device CA is not shown in this
selection list).
In the IKE Advanced level menu define the following settings:
- Integrity algorithm: SHA-1
- Encryption algorithm: TRIPLE DES
- Diffie-Hellman group: Group #5 (MODP 1536-bit)
- Include ISAKMP VENDOR-ID payload = yes
- Enable INITIAL-CONTACT payload processing = yes
- Send Fully Qualified Domain Name = no
- Lifetime settings: 8 hours
- Select the option "Defer Main Mode deletion until Quick Mode rekey" (otherwise the
traffic can stop when the IKE lifetime expires)
3.6 Define the IPSec policy
Go to Edit / VPN Global Properties / IPSec Policies menu and create an IPSec policy with the
following settings:
- Enable Privacy: TRIPLE DES
- Integrity and Replay protection: HMAC MD5
- IPSec protocol: ESP
In the Advanced level settings define:
- Enable PFS: Group #5 (MODP 1536-bit)
- Enable ISAKMP COMMIT processing = yes
- Include REPLAY-STATUS = yes
- Include RESPONDER-LIFETIME = yes
- Keying lifetime = 8 hours
3.7 Select the policy to be used
Check that the correct IKE and IPSec policies are selected in the Edit / VPN Global Properties
/ Policy menu (or alternatively that the policies are selected in the VPN Partition / Policy
Override menu if using several partitions with different policies).
NOTE: Deselect the "Enable Dead Peer Detection" option; otherwise the IPSec
tunnels will not stay up for more than a few seconds. The IP VPN and Cisco concentrator
versions listed above do not interoperate correctly when the Dead Peer Detection feature is enabled.
About Nokia
Nokia is the world leader in mobile communications, driving the growth and sustainability of
the broader mobility industry. Nokia is dedicated to enhancing people's lives and productivity
by providing easy-to-use and secure products like mobile phones, and solutions for imaging,
games, media, mobile network operators and businesses. Nokia is a broadly held company
with listings on five major exchanges.
For more information, please visit http://www.nokia.com/forbusiness.
Americas
Nokia
313 Fairchild Drive, Mountain View, CA 94043
Tel: 1 877 997 9199
Email: mobile.business.americas@nokia.com
Europe, Middle East and Africa
Nokia
Nokia House, Summit Avenue
Southwood, Hampshire, GU14 ONG, UK
Tel UK: +44 161 601 8908
Tel France: +33 170 708 166
Email: mobile.business.emea@nokia.com
Asia Pacific
Nokia
438B Alexandra Road
#07-00 Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364
Email: mobile.business.apac@nokia.com
www.nokia.com
Copyright© 2004 Nokia. All rights reserved. Nokia and Nokia Connecting People are registered trademarks of
Nokia Corporation. Other trademarks mentioned are the property of their respective owners. Nokia operates a
policy of continuous development. Therefore we reserve the right to make changes and improvements to any
of the products described in this document without prior notice. Under no circumstances shall Nokia be
responsible for any loss of data or income or any direct, special, incidental, consequential or indirect damages
howsoever caused.