Configuring IPsec 53

<encrypt_key> and <auth_key> can be 1 to 128 bytes entered as either ASCII text strings or as a series of hexadecimal digits. See “Configuring Manual Key Information” next for more information about key set usage.

To delete a key set, use:

DELete -IPSEC KeySet [<key_set_name> | ALL]

For example, to create a new encryption key set, enter:

ADD IPSEC KeySet esp_key EncryptKey "hello124"

To create a key set for both encryption and authentication, enter:

ADD IPSEC KeySet ahesp_key EncryptKey "hello124" AuthKey "world236"

Configuring Manual Key Information

The ManualKeyInfo parameter binds manual keying information to an IPsec policy. Only one ManualKeyInfo command can be applied to each policy. To configure manual key information, use:

SETDefault !<portlist> -IPSEC ManualKeyInfo = <policy_name> (<key_set_name> | NONE) [SpiEsp <spi_in> <spi_out>] [SpiAh <spi_in> <spi_out>]

A Security Parameters Index (SPI) value is used in conjunction with the destination address to identify a particular security association which represents a set of agreements between senders and receivers on a key, on an encryption or authentication algorithm, and on SPI numbers.

<spi_in> is a number in the range 256 to 2000. All spi_in values must be unique on a system. An SPI number can be assigned only ONCE to a policy. The same number cannot be used by any other policy on the same system. spi_in must match the spi_out value specified at the peer system at the other end of the security association.

<spi_out> is a number in the range 256 to 2147483647. spi_out must match the spi_in value specified at the peer system at the other end of the security association.

A key is specified using the ADD -IPSEC KeySet command. It is later bound to an IPSEC manualPolicy when a SETDefault -IPSEC ManualKeyInfo command is entered. The keyset and policy must be entered before binding can take place.

When the key is entered, no particular length restriction is applied. Keys can be entered as either ASCII text or hex values in the range of 1 to 128 bytes.

When a key is bound, certain length restrictions are applied. The required key length depends on the NETBuilder software package used. The xS packages (S=strong encryption) allow key lengths of up to 128 bits for encryption, and the xE packages allow up to 56-bit keys. When you bind the key to the policy during configuration, if the entered key is too long for the package in use, the key is truncated and a warning message is generated.

All packages reject keys that are less than 5 bytes long and generate error messages. The xE packages truncate long keys to 7 or 8 bytes, and the xS packages truncate long keys to 16 bytes, with appropriate warning messages.
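The key-set entry rules, the bind-time length rules and the SPI uniqueness rules above can be checked before a configuration is pushed to a router. The following is an added example written for this page, not 3Com code: it models those rules as described in the text. Assumptions: the caller says whether a key was typed as hex (`is_hex`), and the xE package limit is modelled as 8 bytes (the text says 7 or 8).

```python
# Added model of the NETBuilder key-set / ManualKeyInfo rules described on this page.
# Not 3Com code. Package limits and the is_hex flag are assumptions (see lead-in).
PACKAGE_MAX_BYTES = {"xS": 16, "xE": 8}   # xS truncates to 16 bytes; xE assumed 8
MIN_KEY_BYTES = 5                          # every package rejects keys under 5 bytes
SPI_IN_RANGE = (256, 2000)
SPI_OUT_RANGE = (256, 2147483647)


def parse_key(text, is_hex=False):
    """ADD -IPSEC KeySet time: accept ASCII or hex, 1 to 128 bytes, no package check."""
    raw = bytes.fromhex(text) if is_hex else text.encode("ascii")
    if not 1 <= len(raw) <= 128:
        raise ValueError("key must be 1 to 128 bytes")
    return raw


def bind_key(raw, package):
    """SETDefault -IPSEC ManualKeyInfo time: reject < 5 bytes, truncate with a warning."""
    if len(raw) < MIN_KEY_BYTES:
        raise ValueError("key shorter than 5 bytes is rejected")
    limit = PACKAGE_MAX_BYTES[package]
    warning = None
    if len(raw) > limit:
        warning = "key truncated from %d to %d bytes for %s package" % (len(raw), limit, package)
        raw = raw[:limit]
    return raw, warning


class SpiTable:
    """Tracks spi_in values already assigned so one number is never reused on a system."""

    def __init__(self):
        self.used_in = {}   # spi_in -> policy name

    def assign(self, policy, spi_in, spi_out):
        if not SPI_IN_RANGE[0] <= spi_in <= SPI_IN_RANGE[1]:
            raise ValueError("spi_in must be 256..2000")
        if not SPI_OUT_RANGE[0] <= spi_out <= SPI_OUT_RANGE[1]:
            raise ValueError("spi_out must be 256..2147483647")
        if spi_in in self.used_in:
            raise ValueError("spi_in %d already used by policy %s" % (spi_in, self.used_in[spi_in]))
        self.used_in[spi_in] = policy
        # The peer must configure the mirror image: its spi_in == our spi_out and vice versa.
        return {"policy": policy, "spi_in": spi_in, "spi_out": spi_out,
                "peer_spi_in": spi_out, "peer_spi_out": spi_in}


def bind_manual_key_info(table, policy, key_text, package, spi_in, spi_out):
    """Check a whole ManualKeyInfo binding the way the text says the router does."""
    key, warning = bind_key(parse_key(key_text), package)
    sa = table.assign(policy, spi_in, spi_out)
    sa.update(key=key, warning=warning)
    return sa
```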
