Interoperability with Nokia Firewall
For further information about the product please have a look at the Nokia website.
Tested configurations:
| Phase 1 Authentication | Phase 1 Proposal | Phase 1 DH group | Mode | Phase 2 Proposal | PFS group | Status |
|---|---|---|---|---|---|---|
| PreSharedKeys | DES/md5 | 2 | aggressive | esp(DES/md5) | 2 | ok |
| PreSharedKeys | DES/sha1 | 2 | ID-protect | esp(DES/md5) | 0 | ok |
| certificates | any | 2 | ANY | ANY | ANY | nok |
Summary of problems:
- The firewall always sends its external IP address as its ID, even if that IP address is not included in the certificate as a subjectAltName. As bintec only had certificates without the IP address included, bintec could not run any test using certificates.
Proposed solution:
As the FW1 does not include its IP address in the certificate request, the CA has to add the IP address manually as a subjectAltName, and the corresponding peer ID has to be set on the bintec X router side:
table = ipsecPeerTable
PeerIds = "IP.of.the.fw1"
- It is not possible to choose an alternate DH group, meaning that the FW1 always uses DH group 2.
Solution: set the DH group on the Xxx00 to 2, either globally or per peer:
table = ipsecGlobals
ipsecGlobDefaultIkeGroup = 2 sets the default value to DH group 2
table = ipsecPeerTable
IkeGroup:X = 2 sets DH group 2 only for the corresponding peer
- By default the FW1 seems to use PFS group 2. PFS must either be deactivated on the FW1 or the same PFS group must be set on the bintec router:
table = ipsecPeerTable
PfsGroup = X
- Under certain circumstances, multiple resets of the Nokia seem to be necessary in order to drop all SAs.
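The three interop problems above (peer ID not matching the certificate's subjectAltName, DH group, PFS group) are all static configuration mismatches that can be caught before the tunnel is even attempted. The following checker is an added example, not code from the original article, from bintec/Funkwerk or from Nokia: it models the parameters of the compatibility table for two peers and reports every mismatch, including the identity/SAN problem that only shows up with certificate authentication. All peer values, IP addresses and the FQDN are constructed sample data; the "bintec" peer is shown once as configured before and once after applying the settings listed above.

```python
# Added example (not from the original article, bintec/Funkwerk or Nokia):
# compare the IKE/IPsec parameters of two peers and report the mismatches
# that would otherwise surface only as a failed Phase 1 or Phase 2
# negotiation. All peer data below is constructed for illustration.
from dataclasses import dataclass, field
from typing import List


@dataclass
class PeerConfig:
    name: str
    auth: str                  # "psk" or "cert"
    ike_proposal: str          # Phase 1 cipher/hash, e.g. "DES/md5"
    ike_group: int             # Phase 1 Diffie-Hellman group
    ike_mode: str              # "aggressive" or "id-protect" (main mode)
    ipsec_proposal: str        # Phase 2 transform, e.g. "esp(DES/md5)"
    pfs_group: int             # Phase 2 PFS DH group; 0 means PFS disabled
    local_id: str              # identity this peer sends in Phase 1
    expected_peer_id: str      # identity this peer expects from the remote side
    cert_sans: List[str] = field(default_factory=list)  # subjectAltNames in this peer's own cert


def check_interop(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return human-readable mismatches between two peers; an empty list
    means the parameters line up as far as a static check can tell."""
    problems: List[str] = []

    def compare(label: str, va, vb, note: str = "") -> None:
        if str(va).lower() != str(vb).lower():
            problems.append(f"{label} mismatch: {a.name}={va}, {b.name}={vb}{note}")

    compare("Phase 1 authentication", a.auth, b.auth)
    compare("Phase 1 proposal", a.ike_proposal, b.ike_proposal)
    compare("Phase 1 DH group", a.ike_group, b.ike_group)
    compare("IKE mode", a.ike_mode, b.ike_mode)
    compare("Phase 2 proposal", a.ipsec_proposal, b.ipsec_proposal)
    compare("PFS group", a.pfs_group, b.pfs_group, " (0 = PFS off; both sides must agree)")

    # Identity checks in both directions: the ID a peer sends must be the ID
    # the other side expects, and with certificate authentication it must
    # also be present in the sender's certificate as a subjectAltName.
    for sender, receiver in ((a, b), (b, a)):
        if receiver.expected_peer_id and receiver.expected_peer_id != sender.local_id:
            problems.append(f"{receiver.name} expects peer ID {receiver.expected_peer_id!r} "
                            f"but {sender.name} sends {sender.local_id!r}")
        if sender.auth == "cert" and sender.local_id not in sender.cert_sans:
            problems.append(f"{sender.name} sends ID {sender.local_id!r} which is not a "
                            f"subjectAltName of its certificate {sender.cert_sans}")
    return problems


# Constructed sample: FW1 behaviour as described above (DH group 2, PFS group 2,
# external IP sent as ID although its certificate carries only an FQDN)
# against a bintec peer entry that has not been adapted yet.
FW1 = PeerConfig("FW1", "cert", "DES/md5", 2, "id-protect", "esp(DES/md5)", 2,
                 local_id="192.0.2.1", expected_peer_id="192.0.2.2",
                 cert_sans=["fw1.example.net"])
BINTEC_BEFORE = PeerConfig("bintec", "cert", "DES/md5", 1, "id-protect", "esp(DES/md5)", 0,
                           local_id="192.0.2.2", expected_peer_id="fw1.example.net",
                           cert_sans=["192.0.2.2"])

# The same pair after the fixes from the article: the CA re-issued the FW1
# certificate with the IP as subjectAltName, and on the bintec side
# IkeGroup = 2, PfsGroup = 2 and PeerIds = the FW1's IP were set.
FW1_FIXED = PeerConfig("FW1", "cert", "DES/md5", 2, "id-protect", "esp(DES/md5)", 2,
                       local_id="192.0.2.1", expected_peer_id="192.0.2.2",
                       cert_sans=["fw1.example.net", "192.0.2.1"])
BINTEC_AFTER = PeerConfig("bintec", "cert", "DES/md5", 2, "id-protect", "esp(DES/md5)", 2,
                          local_id="192.0.2.2", expected_peer_id="192.0.2.1",
                          cert_sans=["192.0.2.2"])


def main() -> None:
    for label, pair in (("before", (FW1, BINTEC_BEFORE)), ("after", (FW1_FIXED, BINTEC_AFTER))):
        found = check_interop(*pair)
        print(f"[{label}] {len(found)} problem(s)")
        for p in found:
            print("  -", p)


if __name__ == "__main__":
    main()
```

Running the block prints four problems for the "before" pair (DH group, PFS group, the expected peer ID, and the ID missing from the certificate's subjectAltName) and none for the "after" pair. The same structure can be filled from a real peer entry and the remote side's documented defaults before a tunnel is brought up.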
Nokia Firewall Configuration File * (60 kB)
* Funkwerk Enterprise Communications cannot assume any liability for these configuration files.