3Com 11.1 manual How IPsec Works


How IPsec Works

IPsec works with the existing Internet infrastructure using encapsulation. It secures a packet of data by encrypting it before sending it over the Internet. On the receiving end, an IPsec-compliant device decrypts the data.

On each end of the link (systems at both ends comprise a security association), IPsec is configured with the same key set and manual key information. The key set allows each system in the security association to encrypt, decrypt, or authenticate each other’s data.

The security protection can be selectively applied to various types of data traffic based on protocols, IP addresses, network addresses, applications (via TCP/UDP port addresses), and network interfaces. System-originated IP traffic (Telnet, OSPF, and RIP, for example) can be protected by IPsec directly. SNA traffic can be protected by IPsec through the DLSw tunnel. Other multiprotocol traffic (IPX, AppleTalk, and DECnet, for example) and forwarded IP traffic are protected by IPsec through the PPTP tunnel. See Chapter 12 for more information about PPTP/L2TP tunneling.

Policies

IPsec policies allow you to protect various types of traffic based on protocols, IP addresses, network addresses, network interfaces, and applications (via port addresses).

Encapsulation Security Payload (ESP)

ESP is used to provide data confidentiality via encryption using the DES-CBC crypto algorithm. For outbound traffic, it encrypts the IP payload and inserts an ESP header between the IP header and the payload. For inbound traffic, it decrypts the IP payload and removes the ESP header.

DES and RC5 encryption algorithms are supported in the xE packages. 3DES2key is supported only in xS packages.

DES here means the Cipher Block Chaining (CBC) mode of the US Data Encryption Standard (DES). It requires an 8-byte key and operates on 8-byte data blocks; the cipher output of each block is fed into the encryption of the next block, so blocks that carry the same cleartext data do not produce the same cipher output.
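The outbound ESP processing and the CBC chaining described above, as an added example that is not part of the manual. The ESP header fields (SPI, sequence number, IV, trailer with pad length and next header) follow the ESP RFC of that era and are not stated on this page; the 8-byte block function is a constructed stand-in for DES so the chaining and packet layout can run offline.

```python
import os
import struct

BLOCK = 8  # DES-CBC operates on 8-byte blocks


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for DES (NOT a real cipher): keyed rotation + XOR.
    It exists only so the CBC chaining and ESP layout below can be executed."""
    assert len(key) == BLOCK and len(block) == BLOCK
    rot = key[0] % BLOCK
    rotated = block[rot:] + block[:rot]
    return bytes(b ^ k for b, k in zip(rotated, key))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC mode: each cleartext block is XORed with the previous cipher block
    (the IV for the first one) before encryption, so equal cleartext blocks
    do not yield equal cipher blocks. Input must be block-aligned."""
    assert len(data) % BLOCK == 0
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        chunk = bytes(p ^ c for p, c in zip(data[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, chunk)
        out += prev
    return out


def esp_encapsulate(ip_header: bytes, payload: bytes, spi: int, seq: int,
                    key: bytes, next_header: int, iv: bytes = b"") -> bytes:
    """Outbound ESP: IP header | SPI | seq | IV | enc(payload + pad + padlen + NH).
    The ESP header is inserted between the IP header and the (now encrypted)
    payload. Rewriting the IP header's protocol (50) and length is left out."""
    iv = iv or os.urandom(BLOCK)
    pad_len = (BLOCK - (len(payload) + 2) % BLOCK) % BLOCK  # 2 trailer bytes
    padding = bytes(range(1, pad_len + 1))  # monotonic pad bytes 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    esp_header = struct.pack("!II", spi, seq)
    return ip_header + esp_header + iv + cbc_encrypt(key, iv, plaintext)


def repeated_blocks_differ(key: bytes, iv: bytes) -> bool:
    """The property the manual describes: two identical 8-byte cleartext
    blocks encrypted under CBC give two different cipher blocks."""
    ct = cbc_encrypt(key, iv, b"AAAAAAAA" * 2)
    return ct[:BLOCK] != ct[BLOCK:]
```

Inbound processing reverses the steps: parse SPI, sequence and IV, CBC-decrypt, strip the pad using the pad-length byte, and restore the next-header value in the IP header.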

RC5 is a block cipher, also run in cipher block chaining mode, that may provide slightly faster performance than DES. RC5 requires a minimum of 5 bytes for the encryption key. The key may be as long as 7 bytes in xE packages, and as long as 16 bytes in xS packages.

3DES2key is a three-stage block cipher encryption algorithm that uses an encrypt-decrypt-encrypt sequence for greater security than standard DES encryption. The operation is similar to the 3DES encryption algorithm except that instead of using unique keying information for each stage, 3DES2key uses the same keying information for both encryption stages. 3DES2key requires a 16-byte encryption key to be entered. It uses the first 8 bytes for both encryption phases, and the second 8 bytes for the decrypt phase.

Key lengths are enforced when they are entered. Warning or error messages inform you when the entered key does not meet the requirements.

Entered keys longer than the supported maximum length for the chosen crypto algorithm and the package are truncated as necessary.
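A check that applies the key-length rules stated above for DES, RC5 and 3DES2key per package (xE/xS), including the truncation of over-long keys and the (K1, K2, K1) stage keys of 3DES2key. This is an added example, not the NETBuilder software's own code; the message wording is constructed.

```python
# Key-length rules from the manual: algorithm -> package -> (min, max) bytes.
KEY_RULES = {
    "DES":      {"xE": (8, 8),  "xS": (8, 8)},
    "RC5":      {"xE": (5, 7),  "xS": (5, 16)},
    "3DES2key": {"xS": (16, 16)},  # 3DES2key is supported only in xS packages
}


def check_key(algorithm: str, package: str, key: bytes):
    """Return (accepted_key, message). Too-short keys and unsupported
    algorithm/package combinations are rejected with an error; keys longer
    than the package maximum are truncated with a warning."""
    rules = KEY_RULES.get(algorithm, {})
    if package not in rules:
        return None, f"error: {algorithm} is not supported in {package} packages"
    lo, hi = rules[package]
    if len(key) < lo:
        return None, f"error: {algorithm} key needs at least {lo} bytes, got {len(key)}"
    if len(key) > hi:
        return key[:hi], f"warning: {algorithm} key truncated from {len(key)} to {hi} bytes"
    return key, "ok"


def des3_2key_stage_keys(key: bytes):
    """Map a 16-byte 3DES2key key onto the encrypt-decrypt-encrypt stages:
    the first 8 bytes (K1) drive both encrypt stages, the second 8 bytes (K2)
    drive the decrypt stage, giving the sequence (K1, K2, K1)."""
    accepted, msg = check_key("3DES2key", "xS", key)
    if accepted is None:
        raise ValueError(msg)
    k1, k2 = accepted[:8], accepted[8:16]
    return (k1, k2, k1)
```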
