3Com NETBuilder Software Version 11.1 manual


54 CHAPTER 17: CONFIGURING IPSEC

When you specify a key that is too short, the policy binding operation generates an error message informing you of the key length discrepancy, and the key is rejected. If this occurs, delete the specified key and reenter a key of the appropriate length.

During boot, any previously configured policies and keys are bound together. The various length restrictions are applied during this binding, so that you cannot use keys that are longer than the package supports. At boot-time, binding accepts DES keys that are shorter than 8 bytes and the system generates a warning rather than an error.

For compatibility with previous software versions that did not enforce key lengths, it is possible to enter a DES key as an 8-byte hex value with the appropriate number of null characters at the end. For example, a DES key of abcd should now be entered:

%6162636400000000

To change the manual keying information, you must first delete the information using NONE as the key set name, then add the new information using SETDefault.

For example, to create a security association and bind a key set to a corresponding encryption policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = esp_pol esp_key SpiEsp 500 501

To create a security association of an encryption and authentication policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = ahesp_pol ahesp_key SpiEsp 600 601 SpiAh 700 701

When keys are displayed using the SHow -IPSEC Keyset command, the MD5 hash of the key is displayed rather than the key itself. This allows you to compare keys for equality without exposing the actual key value. The length of the key is also displayed, since the hash is always a 32-digit hex value.
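The key-length and key-display rules above are easy to get wrong when preparing keys by hand, so here is an added example (not code from the 3Com manual) that renders a short ASCII DES key in the null-padded %hex form the manual shows, applies the binding rules (too long is always an error; too short is an error when bound interactively but only a warning at boot), and produces the 32-hex-digit MD5 fingerprint that SHow -IPSEC Keyset displays so two key sets can be compared for equality without revealing either key. The function names and the assumption that the only enforced length is the 8-byte DES key are mine; the manual does not give an API.

```python
import hashlib
import hmac

DES_KEY_BYTES = 8  # the package length the chapter states for DES keys


def pad_des_key(ascii_key: str) -> str:
    """Render a short ASCII DES key in the manual's %hex form, null-padded on
    the right to 8 bytes, e.g. abcd -> %6162636400000000."""
    raw = ascii_key.encode("ascii")
    if len(raw) > DES_KEY_BYTES:
        raise ValueError(f"DES key is {len(raw)} bytes; at most {DES_KEY_BYTES} allowed")
    return "%" + raw.ljust(DES_KEY_BYTES, b"\x00").hex()


def parse_hex_key(text: str) -> bytes:
    """Turn a %-prefixed hex key back into raw key bytes."""
    if not text.startswith("%"):
        raise ValueError("expected a %-prefixed hex key")
    return bytes.fromhex(text[1:])


def check_key_length(key: bytes, expected: int = DES_KEY_BYTES,
                     at_boot: bool = False) -> tuple[str, str]:
    """Mirror the binding rules: a key longer than the package supports is
    always an error; a short key is rejected interactively but only warned
    about when policies and keys are re-bound at boot."""
    if len(key) > expected:
        return "error", f"key is {len(key)} bytes; package supports {expected}"
    if len(key) < expected:
        level = "warning" if at_boot else "error"
        return level, f"key is {len(key)} bytes, shorter than {expected}"
    return "ok", f"key length is {expected} bytes"


def key_fingerprint(key: bytes) -> str:
    """32-hex-digit MD5 of the key, as SHow -IPSEC Keyset displays it.
    Report the key length alongside it, since the hash length is constant."""
    return hashlib.md5(key).hexdigest()


def same_key(fingerprint_a: str, fingerprint_b: str) -> bool:
    """Compare two displayed fingerprints in constant time."""
    return hmac.compare_digest(fingerprint_a, fingerprint_b)


if __name__ == "__main__":
    entered = pad_des_key("abcd")                 # %6162636400000000
    key = parse_hex_key(entered)
    print(entered, check_key_length(key))
    print(check_key_length(b"abcd"), check_key_length(b"abcd", at_boot=True))
    print(key_fingerprint(key), len(key), "bytes")
```

The fingerprint is an equality check, not key protection: because it is a fixed function of the key, anyone who can see it and can guess the key (short or dictionary-derived keys in particular) can confirm the guess offline, which is one more reason to use full-length keys.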

Enabling IPsec

Enable IPsec policy checking on the port using:

SETDefault !<portlist> -IPSEC CONTrol = Enable

You should only enable IPsec policy checking on ports that need IPsec protection. Enabling IPsec policy checking can decrease the performance of your bridge/router.

For example, to enable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Enable

To disable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Disable
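Because ManualKeyInfo bindings and CONTrol settings are entered as separate SETDefault commands, a port can end up with keys bound but policy checking left disabled. The following is an added example, not part of the manual, that parses the ManualKeyInfo and CONTrol command forms shown in this chapter from a saved command listing and reports two things a reviewer would want: ports whose manual keys are bound while IPsec policy checking is not enabled, and SPI numbers that appear in bindings on more than one port. The sample listing is constructed (port 3 and its SPI reuse are made up; the port 1 and port 2 bindings are the manual's examples), and treating an SPI shared across ports as worth reviewing is my choice rather than a rule the manual states.

```python
import re
from collections import defaultdict

# Constructed sample listing, not a real device configuration.
SAMPLE_CONFIG = """\
SETDefault !1 -IPSEC ManualKeyInfo = esp_pol esp_key SpiEsp 500 501
SETDefault !1 -IPSEC CONTrol = Enable
SETDefault !2 -IPSEC ManualKeyInfo = ahesp_pol ahesp_key SpiEsp 600 601 SpiAh 700 701
SETDefault !3 -IPSEC ManualKeyInfo = esp_pol3 esp_key3 SpiEsp 500 503
SETDefault !3 -IPSEC CONTrol = Disable
"""

# ManualKeyInfo = <policy> <keyset> SpiEsp <n> <n> [SpiAh <n> <n>]
MKI_RE = re.compile(
    r"^SETDefault\s+!(?P<ports>[\d,]+)\s+-IPSEC\s+ManualKeyInfo\s*=\s*"
    r"(?P<policy>\S+)\s+(?P<keyset>\S+)\s+SpiEsp\s+(?P<esp1>\d+)\s+(?P<esp2>\d+)"
    r"(?:\s+SpiAh\s+(?P<ah1>\d+)\s+(?P<ah2>\d+))?\s*$",
    re.IGNORECASE,
)
# CONTrol = Enable | Disable on a port or comma-separated port list
CTL_RE = re.compile(
    r"^SETDefault\s+!(?P<ports>[\d,]+)\s+-IPSEC\s+CONTrol\s*=\s*"
    r"(?P<state>Enable|Disable)\s*$",
    re.IGNORECASE,
)


def _ports(field: str) -> list[int]:
    return [int(p) for p in field.split(",") if p]


def parse_config(text: str) -> tuple[dict, dict]:
    """Return (bindings, control). bindings maps port -> list of
    {policy, keyset, spis}; control maps port -> 'enable' | 'disable',
    with the last setting for a port winning, as on the CLI."""
    bindings: dict[int, list[dict]] = defaultdict(list)
    control: dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := MKI_RE.match(line):
            spis = [int(m["esp1"]), int(m["esp2"])]
            if m["ah1"]:
                spis += [int(m["ah1"]), int(m["ah2"])]
            for port in _ports(m["ports"]):
                bindings[port].append(
                    {"policy": m["policy"], "keyset": m["keyset"], "spis": spis})
        elif m := CTL_RE.match(line):
            for port in _ports(m["ports"]):
                control[port] = m["state"].lower()
    return dict(bindings), control


def audit(text: str) -> list[str]:
    """Findings, in port order then SPI order, for the listing given."""
    bindings, control = parse_config(text)
    findings: list[str] = []
    spi_users: dict[int, set[int]] = defaultdict(set)
    for port, entries in sorted(bindings.items()):
        # Keys bound means the port needs protection, so CONTrol must be Enable.
        if control.get(port) != "enable":
            findings.append(
                f"port {port}: manual keys bound but IPsec policy checking is not enabled")
        for entry in entries:
            for spi in entry["spis"]:
                spi_users[spi].add(port)
    for spi, ports in sorted(spi_users.items()):
        if len(ports) > 1:
            findings.append(f"SPI {spi} is used on more than one port: {sorted(ports)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the text of a saved command listing; the regexes accept the mixed-case abbreviations exactly as the manual prints them (ManualKeyInfo, CONTrol, SpiEsp, SpiAh), and a single-port `!1` or a comma-separated port list.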

Setting up a VPN PPTP Tunnel

The procedure that follows shows how to set up a VPN PPTP tunnel between router 1 (170.0.0.1) and router 2 (180.0.0.1) with an IPSEC policy providing data confidentiality and data integrity.

Contents: NETBuilder Family Software Version 11.1 Release Notes, 3Com Corporation, Bayfront Plaza, Santa Clara, California 95052-8145.