3Com 11.1 Creating an Encryption Policy, On bridge/router, 2 enter, Creating a Security Policy

Page 50

52CHAPTER 17: CONFIGURING IPSEC

<auth_algorithm> : MD5 SHA

<portlist >: 1-65535 * Archie DNS Finger FTP FTPData Gopher HTTP NFS NNTP NTP POP2 POP3 PortMap RIP SMTP SNMP SNMPTrap Syslog Telnet TFTP WAIS

The default for encrypt_algorithms is DES. The default for auth_algorithms is

MD5.

Creating an Encryption Policy

To create an encryption policy for Telnet trafﬁc using the default encryption algorithm DesCbc from router 1 with IP address 170.0.0.1 to router 2 with IP address 180.0.0.1, follow these steps:

1On bridge/router 1, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(*, Telnet) 170.0.0.1 180.0.0.1

2On bridge/router, 2 enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) 180.0.0.1 170.0.0.1

To conﬁgure an encryption policy for Telnet trafﬁc using the 3DES2key encryption algorithm between router 1 with IP address 170.0.0.1 and router 2 with IP address 180.0.0.1, follow these steps:

1On bridge/router 1, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) (*,Telnet) 170.0.0.1

180.0.0.1 3DES2key

2On bridge/router, 2 enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) (*,Telnet) 180.0.0.1

170.0.0.1 3DES2key

Creating a Security Policy

To create a security policy to provide data conﬁdentiality and data integrity for

PPTP tunnel trafﬁc between router 1 and router 2, follow these steps:

1On bridge/router 1 enter:

ADD !1 -IPSEC POLicy ahesp_pol AhEspXport tcp, gre 170.0.0.1 180.0.0.1

2On bridge/router 2, enter:

ADD !1 -IPSEC POLicy ahesp_pol AhEspXport tcp, gre 180.0.0.1 170.0.0.1

Creating Key Sets To create a key set, use:

ADD -IPSEC KeySet <key_set_name> [EncryptKey (“<encrypt_key>”

“%<encrypt_key>”)] [AuthKey (“<auth_key>” “%<auth_key>”)]

The encrypt_key and auth_key must match the values on the peer system at the other end of the security association.

<key_set_name> is a name you assign to the key set you are adding.

Image 50

Contents NETBuilder Family Software Version 11.1 Release Notes Santa Clara, California 3Com CorporationBayfront Plaza 95052-8145Contents CPU Utilization Statistic Deleting ATM Neighbors Web Link Documentation Path Zmodem Time Out Known ProblemsBcmfdinteg File Conversion Considerations Displaying Conﬁguration Proﬁles Dynamic Paths Web Link Login SupportNAT Proxy ARP RouteDiscovery Sdhlc Half-Duplex Mode Limitations Accm Not ConﬁgurableConﬁguring IPsec Authentication Header AHCONFiguration How IPsec Works PoliciesStatPollInterval Packages Netbuilder Software Version Release NotesEncryption Contact 3Com or your network supplierLists 3Comapproved vendors of the PC ﬂash memory card New ProductsSupported PC Flash Memory Cards Approved 20 MB Flash Memory CardsApproved Dram New FeaturesVPN Features Layer Two Tunneling Protocol SIMMsDhcp Proxy Extensible Authentication ProtocolAdditional RAS Enhancements Encryption StrengthEncryption Key Virtual Circuit PrioritizationSummary of Encryption Strengths Algorithm Package ID LengthBGP-4 Enhancements IP Version 6 PhaseFirewall Enhancements Data Over Voice B-Channel Isdn Speciﬁcation Ospf Not-So-Stubby-Area NssaFrame Relay PVC Q.933 Support Boundary Router Remote LAN Detection56/64K CSU/DSU External Loopback Features Ascii BootToken Ring in Fast Ethernet Tife NETBuilder Web Link ImprovementsFlash Load Upgrade Management Utilities and NETBuilder Upgrade LinkApplication Notes Placing a Data OverExample Toggle the respective paths. TypeNew Features Application Notes Version 11.1 for the NETBuilder bridge/router platforms NETBuilder II Software FeaturesSoftware NETBuilder II Firmware Requirements Other FeaturesNETBuilder II Firmware Requirements IBM ProtocolsSuperStack II NETBuilder SI Software Features 438 458Memory Requirements SuperStack II NETBuilder Ethernet and Token Ring FeaturesModels Features Token Ring Model and Software Package 112 132 111 145 OfﬁceConnect NETBuilder Software FeaturesModels Features Token Ring WAN Protocols 131112 131 120 132 Additional OfﬁceConnect NETBuilder Models Software Features 136 117 137116 Memory Requirements Utilities for the HP-UX 10.x platforms Utilities for the Solaris 2.5 platformsRuuhp111.1 Ruuaix111.1NETBuilder Upgrade Management Utilities Known Issues Etc/passwd. You must add an entry can be ignoredDLSw PROﬁle ServiceBridge Static Routes SVCsDialog boxes will be fully visible without scrolling Token Ring a non-source routed frameSupported Synchronous Modem Ports in DCE ModeSupported Asynchronous Modems ModemsHistory, the PPP link does not come up IBM-Related Feature Settings for Token Ring Ports 3Com Bridge/Routers and Supported Features Token Ring Frame Copy ErrorsFrame Copy Errors under LAN Net Manager Known Problems Value Interrupt the boot cycle and enter monitor modeThis system SHow !profileID -PROFILE CONFiguration Notation Known Problems ADD !v1 -PPP ARU user, password Limitations Front-End Processor/Frame Relay Relay port is Access for LLC2 TrafﬁcNumber of TCP Connections IBM Boundary RoutingPort running PPP SpeedMultilink PPP Snmp ManagementStations for Appn Service Point Source-RouteSdlc Adjacent Link Source RouteUsing Netbuilder Family Software Update PagesConﬁguring IPsec Configuring IpsecProcedures in this section describe how to conﬁgure IPsec Replace with this chapterCreating a Security Policy Creating an Encryption PolicyOn bridge/router, 2 enter On bridge/router 2, enterFor example, to create a new encryption key set, enter Manual key information, useTo disable Ipsec on port 1, enter Conﬁdentiality and data integrityCreate a route between the two tunnel endpoints by entering Enable Layer 2 Tunnelling by enteringAssign an IP address to the tunnel virtual port by entering Conﬁgure an Ipsec policy/security association by enteringCreate a route between two tunnel endpoints by entering Enable Layer 2 Tunnelling Pptp by enteringHow IPsec Works Intercepted and viewedHow IPsec Works Configuring Ipsec Reference for Netbuilder Family Ipsec Service Parameters and Commands Ipsec Service ParametersCONFiguration CONTrolKeySet ManualKeyInfo ManualPOLicyBe all or ALL Is assigned dynamically using Ipcp or DhcpPolicyname Name you assign to the policy you are adding Srcipaddr/maskSpecifies Cipher Block Chaining mode of the Data Encrypt phases, and the second 8 bytes for the decryptPhase of the encrypt-decrypt-encrypt 239.255.255.254Ipsec Service Parameters Rsvp Service Parameters RESerVation MaxFlowRateREQuest UDPEndcapPlace this page in front of Chapter SR Service ParametersAllRoutes ROUte ROUte SR Service Parameters SYS Service Parameters SYS Service Parameters Weblink Service Parameters StatPollIntervalWeblink Service Parameters