...
Note: Prerequisites

Before you can create an IPsec Tunnel Entry, you must meet the following conditions:
- A Sonus SBC Certificate and Trusted CA Certificate must be obtained and imported to the SBC when Certificate is selected in the Authentication Mode list box in the Authentication Parameters panel. Refer to Working with Certificates for information about configuring certificates on the SBC.
- An IPsec license is required to manage IPsec tunnels.
Info: Important Information for Previous SIP-TLS Users

- When upgrading to version 3.0, existing Sonus SBC Certificates will fail authentication due to key integrity verification errors when used to bring up the IPsec tunnel in the Certificate authentication mode.
- Before beginning to manage an IPsec tunnel for Certificate authentication, you must generate a new Certificate Signing Request (CSR), re-sign it, and re-import a new Sonus SBC Certificate.
To create or modify an existing IPsec Tunnel:
...
The Restart Services button on the IPsec Tunnel Table page enables you to restart the services so that any changes to the system certificates become effective. For more information about system certificates, refer to Managing IPsec Tunnels.
- Click on Restart Services on the IPsec Tunnel Table page. A confirmation window is displayed.
- Click OK.
Creating an IPsec Tunnel
Info: The SBC supports IPv4 addresses for this feature; IPv6 is not supported.
To create an IPsec Tunnel
Click the Create IPsec Tunnel Entry icon on the IPsec Connection Table page.
Figure: Create IPsec Tunnel Entry
...
Specifies the operating mode for communication with the remote VPN peer for IKE negotiations and IPsec connections.
- Initiator: Enables the branch office SBC gateway to initiate the IKE Security Association (SA) and IPsec tunnel negotiation request.
- Responder: Enables the corporate SBC gateway to receive the request to establish an IKE/IPsec tunnel connection.
...
Specifies how SBC communication with the remote VPN peer is initiated. The IKE and IPsec phase negotiations are initiated either permanently or on demand, depending on the type of activation selected. This field is only visible when "Initiator" is selected in the Operating Mode list box.
- Always: Initiates the IKE Security Association (SA) and IPsec phase negotiations permanently with the remote VPN peer.
- Link Monitor Action: Initiates the IKE and IPsec phase negotiations with the remote VPN peer on demand, upon request from the link monitor switch-over action.
...
Specifies the IP address or fully-qualified domain name of the local network interface. If Allow Any Local Address is enabled, then the SBC allows any outgoing address during negotiations.
...
Specifies the IP address or fully-qualified domain name of the remote network interface. If Allow Any Remote Address is enabled, the SBC allows any incoming address during negotiations.
...
Specifies whether or not the SBC requests a renegotiation when the connection expires.
- Enabled: Initiates SA negotiation upon connection expiry. Applies to both the IKE SA and the IPsec SA.
- Disabled: SA negotiation is not initiated upon connection expiry.
...
Specifies the number of times the SBC will attempt to negotiate a connection. Applies to both the IKE SA and the IPsec SA. If the number of retries is exceeded, the SBC issues a Tunnel Link Lost alarm.
...
Specifies whether or not the SBC reauthenticates when a re-key is accomplished.
- Enabled: IKE SA rekeying also initiates peer authentication. The IKE and IPsec SAs are uninstalled and then recreated.
- Disabled: IKE SA rekeying is performed without peer authentication.
...
Specifies whether or not the Subject Alternative Name (SAN) identifier is used for peer authentication. This field is only visible when Certificate is selected from the Authentication Mode select list.
- Enabled: The SAN identifier is sent to the remote gateway for an authentication match. The SAN identifier must be configured in the Local SAN Identifier attribute when this option is Enabled.
- Disabled: By default, the Sonus SBC Certificate's Subject Distinguished Name (Subject DN) identifier is automatically extracted from the certificate and sent to the remote gateway for an authentication config match.
...
Specifies the SAN identifier to be sent to the remote gateway for a peer authentication config match. This field is only available if Enabled is selected in the Use SAN Identifier select list. If the Peer Authentication Identifier on the remote gateway is configured to authenticate a SAN identifier from the peer's certificate, it will attempt to match its configured SAN identifier with the expected SAN identifier retrieved from the peer authentication config. If Use SAN Identifier is enabled, the SAN identifier must be picked from the list of DNS names displayed under the local attributes for the Sonus SBC Certificate.
Authentication Mode
Specifies the authentication method required from the remote side.
- Certificate: Specifies the use of a public key signature when authenticating the peer VPN gateway. The SBC must contain a valid server certificate/private key, the Certificate Authority (CA) that signed the SBC server certificate, and the CA that signed the peer's server certificate.
- Preshared Key: Specifies the key to be shared with the peer. This key must match the same key configured on the peer system.
...
Specifies the Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) algorithm and the hash algorithm.
DH Group
Specifies which Diffie-Hellman group to use for exchanging keys (IKE and ESP).
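The field dependencies described above (Activation only for an Initiator, IPv4 or FQDN addresses only, a key required in Preshared Key mode, and a Local SAN Identifier that must be one of the certificate's DNS names when Use SAN Identifier is Enabled) can be checked before an entry is submitted. The following is an added example, not Sonus code; the dictionary keys mirror the GUI field names and are hypothetical, and the certificate DNS names are a constructed input.

```python
import ipaddress

# Hypothetical field names modelled on the IPsec Tunnel Entry form on this page;
# they are not a real SBC API.

def _is_ipv4_or_fqdn(value):
    """Accept a dotted-quad IPv4 address or a plausible hostname; reject IPv6 (unsupported)."""
    value = value or ""
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        labels = value.split(".")
        return bool(value) and all(lbl and lbl.replace("-", "").isalnum() for lbl in labels)

def validate_tunnel_entry(entry, cert_dns_sans=()):
    """Return a list of problems; an empty list means the entry is consistent.

    entry: dict with keys operating_mode, activation, local_address, allow_any_local,
           remote_address, allow_any_remote, authentication_mode, preshared_key,
           use_san_identifier, local_san_identifier (all hypothetical names).
    cert_dns_sans: DNS names from the imported SBC certificate (constructed here).
    """
    problems = []
    mode = entry.get("operating_mode")
    if mode not in ("Initiator", "Responder"):
        problems.append("Operating Mode must be Initiator or Responder")
    # Activation is only visible, and only required, when the SBC is the Initiator.
    if mode == "Initiator" and entry.get("activation") not in ("Always", "Link Monitor Action"):
        problems.append("Initiator requires Activation of Always or Link Monitor Action")
    # Local and remote addresses: IPv4 or FQDN only, unless "allow any" is enabled.
    for side in ("local", "remote"):
        if not entry.get(f"allow_any_{side}") and not _is_ipv4_or_fqdn(entry.get(f"{side}_address")):
            problems.append(f"{side} address must be an IPv4 address or FQDN (IPv6 unsupported)")
    auth = entry.get("authentication_mode")
    if auth == "Preshared Key":
        if not entry.get("preshared_key"):
            problems.append("Preshared Key mode requires a key matching the peer")
    elif auth == "Certificate":
        # Use SAN Identifier is only visible in Certificate mode; when Enabled the
        # Local SAN Identifier must be one of the certificate's DNS names.
        if entry.get("use_san_identifier"):
            san = entry.get("local_san_identifier")
            if not san:
                problems.append("Use SAN Identifier is Enabled but Local SAN Identifier is empty")
            elif san not in cert_dns_sans:
                problems.append("Local SAN Identifier must be one of the certificate's DNS names")
    else:
        problems.append("Authentication Mode must be Certificate or Preshared Key")
    return problems
```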