3Com 11.1 manual How IPsec Works, Create a route between two tunnel endpoints by entering

Page 54

56CHAPTER 17: CONFIGURING IPSEC

On router 2, setup the PPTP tunnel from 170.0.0.1 to 180.0.0.1 by following these steps:

1Set the system name of router 2 to "router2" by entering:

SETDefault scid="router2"

2Create a virtual port that will accept connection requests from only router1 by entering:

ADD !v1 -POrt VirtualPort scid"router1"

3Assign an IP address to the tunnel virtual port by entering:

SETDefault !v1 -IP NETaddr=20.0.0.2 255.255.0.0

4Create a route between two tunnel endpoints by entering:

ADD -IP ROUte 170.0.0.1 !1 1

5Add a static route to route trafﬁc over a PPTP tunnel by entering the following or turn on routing protocols on the corresponding virtual port:

ADD -IP ROUte 130.0.0.0 255.255.0.0 !v1 1

6Assign the peer dial number to the PPTP tunnel dial number list by entering:

ADD !v1 -POrt DialNoList "@170.0.0.1" Type=pptp

7Optionally set dial idle time-out to zero to keep tunnel from timing out by entering:

SETDefault !v1 -POrt DialIdleTime=0

8Enable Layer 2 Tunnelling (PPTP) by entering:

SETDefault -L2Tunnel CONTrol=Enable

9Conﬁgure an IPSEC policy/security association by entering:

ADD !1 -IPSEC manualPOLicy pptp_ahesp AhEspXport tcp,gre 170.0.0.1 180.0.0.1

ADD -IPSEC keyset pptp_key EncryptKey "hello124" AuthKey "world678"

SETDefault !1 -IPSEC ManualKeyInfo=pptp_ahesp pptp_key SpiEsp 501 500

SpiAh 601 600

SETDefault !1 -IPSEC CONTrol=Enable

Establishing the Dialup After all the conﬁguration is completed at both ends of the connection, you can Tunnel dial the PPTP tunnel from either end by entering:

DIal !v1

How IPsec Works	IPsec integrates security directly into IP. IPsec provides three main areas of security:
	authentication, which validates the communicating parties; integrity, which makes
	sure the data has not been altered; and privacy, which ensures the data cannot be
	intercepted and viewed.
	IPsec secures the underlying network layer. That way, an IPsec link is secure
	regardless of the application.

Image 54

Contents NETBuilder Family Software Version 11.1 Release Notes Santa Clara, California 3Com CorporationBayfront Plaza 95052-8145Contents Web Link Documentation Path Zmodem Time Out Known Problems Bcmfdinteg File Conversion ConsiderationsCPU Utilization Statistic Deleting ATM Neighbors Displaying Conﬁguration Proﬁles Dynamic Paths Web Link Login SupportNAT Proxy ARP RouteDiscovery Sdhlc Half-Duplex Mode Limitations Accm Not ConﬁgurableConﬁguring IPsec Authentication Header AHCONFiguration How IPsec Works PoliciesStatPollInterval Packages Netbuilder Software Version Release NotesEncryption Contact 3Com or your network supplierLists 3Comapproved vendors of the PC ﬂash memory card New ProductsSupported PC Flash Memory Cards Approved 20 MB Flash Memory CardsApproved Dram New FeaturesVPN Features Layer Two Tunneling Protocol SIMMsDhcp Proxy Extensible Authentication ProtocolAdditional RAS Enhancements Encryption StrengthEncryption Key Virtual Circuit PrioritizationSummary of Encryption Strengths Algorithm Package ID LengthIP Version 6 Phase Firewall EnhancementsBGP-4 Enhancements Data Over Voice B-Channel Isdn Speciﬁcation Ospf Not-So-Stubby-Area NssaFrame Relay PVC Q.933 Support Boundary Router Remote LAN Detection56/64K CSU/DSU External Loopback Features Ascii BootToken Ring in Fast Ethernet Tife NETBuilder Web Link ImprovementsFlash Load Upgrade Management Utilities and NETBuilder Upgrade LinkApplication Notes Placing a Data OverExample Toggle the respective paths. TypeNew Features Application Notes NETBuilder II Software Features SoftwareVersion 11.1 for the NETBuilder bridge/router platforms NETBuilder II Firmware Requirements Other FeaturesNETBuilder II Firmware Requirements IBM ProtocolsSuperStack II NETBuilder SI Software Features 438 458SuperStack II NETBuilder Ethernet and Token Ring Features Models Features Token RingMemory Requirements Model and Software Package 112 132 111 145 OfﬁceConnect NETBuilder Software FeaturesModels Features Token Ring WAN Protocols 131112 131 120 132 Additional OfﬁceConnect NETBuilder Models Software Features 117 137 116136 Memory Requirements Utilities for the HP-UX 10.x platforms Utilities for the Solaris 2.5 platformsRuuhp111.1 Ruuaix111.1NETBuilder Upgrade Management Utilities Known Issues Etc/passwd. You must add an entry can be ignoredDLSw PROﬁle ServiceBridge Static Routes SVCsDialog boxes will be fully visible without scrolling Token Ring a non-source routed frameSupported Synchronous Modem Ports in DCE ModeSupported Asynchronous Modems ModemsHistory, the PPP link does not come up IBM-Related Feature Settings for Token Ring Ports Token Ring Frame Copy Errors Frame Copy Errors under LAN Net Manager3Com Bridge/Routers and Supported Features Known Problems Interrupt the boot cycle and enter monitor mode This systemValue SHow !profileID -PROFILE CONFiguration Notation Known Problems ADD !v1 -PPP ARU user, password Limitations Front-End Processor/Frame Relay Relay port is Access for LLC2 TrafﬁcNumber of TCP Connections IBM Boundary RoutingPort running PPP SpeedMultilink PPP Snmp ManagementStations for Appn Service Point Source-RouteSdlc Adjacent Link Source RouteUsing Netbuilder Family Software Update PagesConﬁguring IPsec Configuring IpsecProcedures in this section describe how to conﬁgure IPsec Replace with this chapterCreating a Security Policy Creating an Encryption PolicyOn bridge/router, 2 enter On bridge/router 2, enterFor example, to create a new encryption key set, enter Manual key information, useTo disable Ipsec on port 1, enter Conﬁdentiality and data integrityCreate a route between the two tunnel endpoints by entering Enable Layer 2 Tunnelling by enteringAssign an IP address to the tunnel virtual port by entering Conﬁgure an Ipsec policy/security association by enteringCreate a route between two tunnel endpoints by entering Enable Layer 2 Tunnelling Pptp by enteringHow IPsec Works Intercepted and viewedHow IPsec Works Configuring Ipsec Reference for Netbuilder Family Ipsec Service Parameters and Commands Ipsec Service ParametersCONFiguration CONTrolKeySet ManualKeyInfo ManualPOLicyBe all or ALL Is assigned dynamically using Ipcp or DhcpPolicyname Name you assign to the policy you are adding Srcipaddr/maskSpecifies Cipher Block Chaining mode of the Data Encrypt phases, and the second 8 bytes for the decryptPhase of the encrypt-decrypt-encrypt 239.255.255.254Ipsec Service Parameters Rsvp Service Parameters RESerVation MaxFlowRateREQuest UDPEndcapSR Service Parameters AllRoutesPlace this page in front of Chapter ROUte ROUte SR Service Parameters SYS Service Parameters SYS Service Parameters Weblink Service Parameters StatPollIntervalWeblink Service Parameters