3Com 11.1 manual: Configuring IPsec


17 CONFIGURING IPSEC

11.1 Release Notes, Using NETBuilder Family Software Version 11.0

Replace Chapter 17 with this chapter.

This chapter describes how to configure the IP Security Protocol (IPsec) on your IP router. IPsec provides security at the network layer. Because IPsec is integrated into IP itself, IPsec adds security to any link, regardless of the application used.

Before configuring IPsec, you should configure a tunneling protocol such as PPTP. See Chapter 12 for more information about PPTP.

It is recommended that IPSEC control or the PORT service control be disabled while configuring policies and enabled only after all IPSEC policy and key set configuration has been completed.

For conceptual information, see “How IPsec Works” on page 56.

Configuring IPsec

The procedures in this section describe how to configure IPsec.

Creating Policies

An IPsec policy consists of an action, the packet types that require the action, and the source and destination addresses between which the action occurs. The following three actions are supported:

Action AhXport provides data integrity and authentication.

Action EspXport provides data confidentiality through encryption.

Action AhEspXport provides data integrity and authentication and data confidentiality through encryption.

To configure a security policy, use:

ADD !<portlist> -IPSEC manualPOLicy <policy_name> <action> <filters> <src_ipaddr/mask> (<dst_ipaddr/mask> DYNamic) [<encrypt_algorithm>] [<auth_algorithm>]

<action>: AhEspXport AhXport EspXport

<filters>: list of the following values separated by commas: GRE, ICMP, OSPF,
TCP [(<src_port>,<dst_port>)...up to 16 pairs],
UDP [(<src_port>,<dst_port>)...up to 16 pairs]

<encrypt_algorithm>: 3DES2key DES RC5
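As an added example (not from the 3Com manual), a small Python parser that checks a manualPOLicy ADD line against the syntax summary above: the three actions, the comma-separated filter list with its 16-pair limit for TCP and UDP, the address/mask and DYNamic forms of the destination, and the optional encryption algorithm. It assumes port pairs are written back to back with no separator, and accepts any authentication algorithm name as given because this excerpt does not list them.

```python
import re

# Vocabulary taken from the manualPOLicy syntax summary on this page.
ACTIONS = {"ahespxport": "AhEspXport", "ahxport": "AhXport", "espxport": "EspXport"}
ENCRYPT_ALGORITHMS = {"3des2key": "3DES2key", "des": "DES", "rc5": "RC5"}
MAX_PORT_PAIRS = 16   # "...up to 16 pairs" for TCP and UDP
FILTER_ITEM = r"(GRE|ICMP|OSPF|TCP|UDP)((?:\(\d+,\d+\))*)"
FILTER_RE = re.compile(FILTER_ITEM, re.I)
FILTERS_RE = re.compile(r"^%s(?:,%s)*$" % (FILTER_ITEM, FILTER_ITEM), re.I)
CIDR_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}/(\d{1,2})$")
CMD_RE = re.compile(
    r"^ADD\s+!(?P<ports>\S+)\s+-IPSEC\s+manualPOLicy\s+(?P<name>\S+)\s+(?P<action>\S+)"
    r"\s+(?P<filters>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<rest>(?:\s+\S+){0,2})\s*$", re.I)


def parse_filters(text):
    """<filters>: GRE/ICMP/OSPF/TCP/UDP separated by commas; TCP and UDP may carry
    (src_port,dst_port) pairs, assumed written back to back, e.g. TCP(1723,0)(0,1723)."""
    if not FILTERS_RE.match(text):
        raise ValueError("bad filter syntax: " + text)
    filters = {}
    for proto, pair_text in FILTER_RE.findall(text):
        proto = proto.upper()
        pairs = [tuple(map(int, p.split(","))) for p in re.findall(r"\d+,\d+", pair_text)]
        if (pairs and proto not in ("TCP", "UDP")) or len(pairs) > MAX_PORT_PAIRS:
            raise ValueError("bad port pair list for " + proto)
        filters[proto] = pairs
    return filters


def parse_policy(command):
    """Parse one ADD ... -IPSEC manualPOLicy line into a dict; ValueError on anything
    outside the syntax summary. Keyword abbreviations (e.g. manualPOL) are not handled."""
    m = CMD_RE.match(command.strip())
    if not m:
        raise ValueError("not an ADD -IPSEC manualPOLicy command")
    action = ACTIONS.get(m["action"].lower())
    if not action:
        raise ValueError("unknown action " + m["action"])
    dst = "DYNamic" if m["dst"].lower() == "dynamic" else m["dst"]
    for addr in (m["src"], dst):          # <src_ipaddr/mask> and <dst_ipaddr/mask> | DYNamic
        c = CIDR_RE.match(addr)
        if addr != "DYNamic" and not (c and int(c.group(1)) <= 32):
            raise ValueError("bad address/mask " + addr)
    rest = m["rest"].split()              # optional [<encrypt_algorithm>] [<auth_algorithm>]
    encrypt = ENCRYPT_ALGORITHMS.get(rest[0].lower()) if rest else None
    if len(rest) == 2 and encrypt is None:
        raise ValueError("unknown encryption algorithm " + rest[0])
    auth = rest[-1] if len(rest) == 2 or (rest and encrypt is None) else None
    return {"ports": m["ports"], "name": m["name"], "action": action,
            "filters": parse_filters(m["filters"]), "src": m["src"], "dst": dst,
            "encrypt": encrypt, "auth": auth}   # auth names are not listed on this page
```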
