3Com 11.1 manual KeySet

Page 59

62 CHAPTER 33: IPSEC SERVICE PARAMETERS

Default No Default

Description All keysets are encrypted and protected with the current KeyEncryptionKey and stored in the IPSEC configuration file. The value of the KeyEncryptionKey parameter, which is stored in the EEPROM, can be updated by root but is not readable by anyone. An embedded key is used to protect the keysets if KeyEncryptionKey is never set. The SHow command displays only the encoded value of KeyEncryptionKey, for comparison purposes.

KeySet

Syntax ADD -IPSEC KeySet <key_set_name> [EncryptKey (“<encrypt_key>” “%<encrypt_key>”)] [AuthKey (“<auth_key>” “%<auth_key>”)]

DELete -IPSEC KeySet [<key_set_name> ALL]

SHow -IPSEC KeySet [<key_set_name>]

Description The KeySet parameter adds manual encryption and authentication keys. Key values can be entered as either ASCII text strings or as a series of hexadecimal digits. The text or hex key values are converted to actual key values for each supported encryption and authentication algorithm.

When key sets are displayed using the SHow command, encoded values for the keys, instead of the actual values, are displayed for added security. The encoded key value is unique for each key value and can be used to verify that keys match between different routers.

The encrypt_key and auth_key must match the values on the peer system at the other end of the security association.

When the length of the EncryptKey or AuthKey key value entered is less than the actual key size used by the selected encryption or authentication algorithm, the key value is padded with zeroes to the appropriate key size. For example, if a 6-octet (character) EncryptKey is entered for DES-CBC encryption, two zero octets are appended to the key value entered to create the 8-octet key. When the length of the EncryptKey or AuthKey key value entered is larger than the actual key size used by the selected encryption or authentication algorithm, the key value is truncated to the appropriate key size. For example, if a 10-octet (character) EncryptKey is entered for DES-CBC encryption, only the first 8 octets of the value entered are used.

When the key is entered, no particular length restriction is applied. Keys can be entered as either ASCII text or hex values in the range of 1 to 128 bytes.

When a key is bound, certain length restrictions are applied. The required key length depends on the NETBuilder software package used. The xS packages (S=strong encryption) allow key lengths of up to 128 bits for encryption, and the xE packages allow up to 56-bit keys. When you bind the key to the policy during configuration, if the entered key is too long for the package in use, the key is truncated and a warning message is generated.

All packages reject keys that are less than 5 bytes long and generate error messages. The xE packages truncate long keys to 7 or 8 bytes, and the xS packages truncate long keys to 16 bytes, with appropriate warning messages.
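The entry-time and bind-time key handling described above (ASCII or hex entry, zero padding or truncation to the algorithm key size, the 5-byte minimum, the xE/xS package limits, and an encoded value for comparing keys between routers), modelled as an added example that is not 3Com's code. It assumes the “%” prefix in the syntax marks the hex form, uses 8 bytes as the xE limit, and uses a SHA-256 digest as a stand-in for the encoded value SHow displays.

```python
import hashlib
import re

# Algorithm key size in octets. DES-CBC (8 octets) is the manual's own example;
# other algorithms would be added here.
KEY_SIZES = {"DES-CBC": 8}
# Package limits from the manual: xE truncates long keys to 7 or 8 bytes (8 used
# here), xS to 16; every package rejects keys shorter than 5 bytes.
PACKAGE_MAX = {"xE": 8, "xS": 16}
MIN_KEY_LEN = 5


def parse_key(entered: str) -> bytes:
    """Entry-time conversion: a leading '%' marks hex digits (assumed from the
    syntax line), anything else is ASCII text. Only the 1..128 byte range is
    enforced here; algorithm and package limits apply when the key is bound."""
    if entered.startswith("%"):
        digits = entered[1:]
        if not re.fullmatch(r"[0-9A-Fa-f]+", digits) or len(digits) % 2:
            raise ValueError("hex key needs an even number of hex digits")
        raw = bytes.fromhex(digits)
    else:
        raw = entered.encode("ascii")
    if not 1 <= len(raw) <= 128:
        raise ValueError("key must be 1 to 128 bytes")
    return raw


def bind_key(entered: str, algorithm: str, package: str):
    """Bind-time checks, returning (key, warning-or-None): reject short keys,
    truncate to the package limit with a warning, then pad with zero octets or
    truncate to the algorithm's key size."""
    raw = parse_key(entered)
    if len(raw) < MIN_KEY_LEN:
        raise ValueError(f"keys shorter than {MIN_KEY_LEN} bytes are rejected")
    warning = None
    limit = PACKAGE_MAX[package]
    if len(raw) > limit:
        warning = f"key truncated to {limit} bytes for {package} package"
        raw = raw[:limit]
    size = KEY_SIZES[algorithm]
    # Zero padding adds no entropy: a 6-octet key padded to 8 is still a
    # 6-octet secret, so short manual keys are a weakness worth auditing for.
    key = raw + b"\x00" * (size - len(raw)) if len(raw) < size else raw[:size]
    return key, warning


def key_fingerprint(key: bytes) -> str:
    """Stand-in for the encoded value SHow displays (assumed scheme, not 3Com's):
    a one-way digest two routers can compare without printing the key."""
    return hashlib.sha256(key).hexdigest()[:16]
```

Two routers whose fingerprints differ have bound different keys, which is the check the manual's encoded values are meant to support.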
