Configuring IPSec 563
policy with smaller sequence number in the same security policy group is of
higher priority.
SA (Security Association): IPSec provides security services for data streams
through security associations. An SA specifies how IP packets are to be
processed: which security protocol, which algorithms, which keys, and so on. An
SA is a unidirectional logical connection between two IPSec systems, so the
inbound data stream and the outbound data stream are processed separately by an
inbound SA and an outbound SA. An SA is uniquely identified by the triple (SPI,
IP destination address, security protocol number (AH or ESP)). An SA can be
established either by manual configuration or by automatic negotiation. A
manual SA is established when the parameters set by the users at the two ends
match and agreement is reached through negotiation. Automatically negotiated
SAs are created and maintained by IKE: the two communicating parties match and
negotiate parameters based on their own security policies, without user
intervention.
SA Update Time: An SA can be updated in two modes: time-based, in which the SA
is updated at regular intervals, and traffic-based, in which the SA is updated
whenever a certain number of bytes has been transmitted.
SPI (Security Parameter Index): a 32-bit value carried in each IPSec packet.
Together with the IP destination address and the security protocol number, the
SPI identifies a specific SA uniquely. When an SA is configured manually, the
SPI must also be set manually; to keep each SA unique, you must specify a
different SPI value for each SA. When an SA is generated through IKE
negotiation, the SPI is generated at random.
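The following is an added illustration, not code from this manual or from the router software it describes. It models the three points made above: an SA is selected by the triple (SPI, destination address, security protocol), a manually configured SPI must keep that triple unique, and an SA is due for update either after a time interval or after a byte count. Protocol numbers 50 and 51 are the standard IP protocol numbers for ESP and AH; the addresses, SPIs and limits are constructed sample values.

```python
"""Toy IPSec SA database (added example; not the manual's own code).

All SPIs, addresses and lifetime limits below are constructed sample values.
"""
from dataclasses import dataclass

AH, ESP = 51, 50  # IP protocol numbers of the two IPSec security protocols


@dataclass
class SecurityAssociation:
    spi: int            # 32-bit Security Parameter Index carried in every packet
    dst: str            # IP destination address of the protected packets
    protocol: int       # AH or ESP
    direction: str      # "inbound" or "outbound": each direction has its own SA
    time_limit_s: int   # time-based update: refresh after this many seconds
    byte_limit: int     # traffic-based update: refresh after this many bytes
    created_at: float = 0.0
    bytes_used: int = 0

    @property
    def key(self):
        """The triple that identifies an SA uniquely."""
        return (self.spi, self.dst, self.protocol)

    def needs_update(self, now):
        """True when either lifetime mode says the SA must be refreshed."""
        expired_by_time = (now - self.created_at) >= self.time_limit_s
        expired_by_traffic = self.bytes_used >= self.byte_limit
        return expired_by_time or expired_by_traffic


class SADatabase:
    def __init__(self):
        self._sas = {}

    def install_manual(self, sa):
        """Manual configuration: the operator chooses the SPI, so the database
        must enforce that the identifying triple is not already in use."""
        if not 0 < sa.spi < 2**32:
            raise ValueError("SPI must be a 32-bit value")
        if sa.key in self._sas:
            raise ValueError(f"SA {sa.key} already exists; choose a different SPI")
        self._sas[sa.key] = sa
        return sa.key

    def lookup(self, spi, dst, protocol):
        """Select the SA for a received packet from its (SPI, dst, proto) triple."""
        return self._sas.get((spi, dst, protocol))

    def account(self, key, nbytes):
        """Record bytes processed under an SA (feeds the traffic-based check)."""
        self._sas[key].bytes_used += nbytes

    def due_for_update(self, now):
        """Keys of all SAs that must be refreshed at time `now`."""
        return sorted(sa.key for sa in self._sas.values() if sa.needs_update(now))


def demo():
    """Install one SA per direction, reject a duplicate triple, and show the
    traffic-based lifetime expiring before the time-based one."""
    db = SADatabase()
    out = SecurityAssociation(0x1001, "10.0.0.2", ESP, "outbound", 3600, 1_000_000)
    inb = SecurityAssociation(0x2001, "10.0.0.1", ESP, "inbound", 3600, 1_000_000)
    db.install_manual(out)
    db.install_manual(inb)
    try:
        db.install_manual(SecurityAssociation(0x1001, "10.0.0.2", ESP, "outbound",
                                              3600, 1_000_000))
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    db.account(out.key, 1_500_000)        # outbound SA crosses its byte limit
    due = db.due_for_update(now=100.0)    # inbound SA is still young and light
    return duplicate_rejected, due


if __name__ == "__main__":
    print(demo())
```

The SA key deliberately excludes the direction: two SAs for opposite directions have different destination addresses, so the triple already separates them, which is why the manual can say the triple alone is a unique identifier.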
IPSec Proposal: An IPSec proposal defines the security protocol, the
algorithms used by that protocol, and the mode in which the protocol
encapsulates packets; it thus prescribes how ordinary IP packets are
transformed into IPSec packets. A security policy references an IPSec proposal
to prescribe the protocol and algorithms the policy uses.
Configuring IPSec
IPSec configuration includes the following tasks:
Creating an Encryption Access Control List
Configuring NDEC Cards
Enabling the Main Software Backup
Defining an IPSec Proposal
Selecting the Encryption and Authentication Algorithm
Creating a Security Policy
Applying a Security Policy Group to an Interface
Creating an Encryption Access Control List
Matching against the encryption access control list determines which IP
packets are encrypted before being sent and which are forwarded directly. An
encryption access control list differs from an ordinary one: an ordinary access
control list only determines which traffic may pass an interface. An encryption
access list is defined as an extended IP access list.
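To make the difference between an ordinary and an encryption access list concrete, here is an added example (not the manual's own code, and not the router's ACL syntax) that evaluates an extended-style IP access list in software. A "permit" match means the packet is handed to IPSec for protection; a "deny" match or no match at all means it is forwarded in the clear. The rule contents and packets are constructed sample values.

```python
"""Encryption ACL classification (added example; not from the manual).

Rules are evaluated first-match-wins, like an ordinary extended IP access list;
what differs is the meaning of the verdict: "protect" rather than "pass".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" -> protect, "deny" -> send plain
    protocol: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt):
        proto_ok = self.protocol == "ip" or self.protocol == pkt["proto"]
        return (proto_ok
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst)


def rule(action, protocol, src, dst):
    """Build a Rule from dotted-quad prefixes."""
    return Rule(action, protocol, ipaddress.ip_network(src), ipaddress.ip_network(dst))


# Constructed encryption ACL: protect all traffic between the two LANs, except
# that one management host's traffic is deliberately left unprotected.
ENCRYPTION_ACL = [
    rule("deny",   "ip",  "192.168.1.10/32", "192.168.2.0/24"),
    rule("permit", "ip",  "192.168.1.0/24",  "192.168.2.0/24"),
]


def classify(pkt, acl=ENCRYPTION_ACL):
    """Return "protect" if the packet is selected for IPSec, else "forward-plain"."""
    for r in acl:
        if r.matches(pkt):
            return "protect" if r.action == "permit" else "forward-plain"
    return "forward-plain"          # no rule matched: not an IPSec flow


def classify_many(pkts, acl=ENCRYPTION_ACL):
    """Classify a batch of packets; handy for checking an ACL before applying it."""
    return [classify(p, acl) for p in pkts]


if __name__ == "__main__":
    samples = [
        {"src": "192.168.1.5",  "dst": "192.168.2.7", "proto": "tcp"},
        {"src": "192.168.1.10", "dst": "192.168.2.7", "proto": "tcp"},
        {"src": "192.168.1.5",  "dst": "203.0.113.9", "proto": "udp"},
    ]
    for p, verdict in zip(samples, classify_many(samples)):
        print(p["src"], "->", p["dst"], verdict)
```

Rule order matters exactly as it does in an ordinary ACL: the deny for the management host must precede the broader permit, or that host's traffic would be protected too.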
For one kind of communication to accept one security protection mode (only
authentication, for instance), and another kind to accept a different one (both