3Com 10014299 Creating a Security Policy

568 CHAPTER 40: CONFIGURING IPSEC

Perform the following configurations in IPSec proposal view (or proposal view of

crypto card)

Tabl e 638 Select Encryption Algorithm and Authentication Algorithm

By default, ESP protocol adopts des encryption algorithm and md5-hmac-96

authentication algorithm, and AH protocol adopts md5-hmac-96 authentication

algorithm.

The commands undo esp-new encryption-algorithm and undo esp-new

authentication-algorithm cannot be used at the same time. That is, ESP must

use at least one type of encryption algorithm or authentication algorithm.

Creating a Security

Policy The following questions should be answered before a security policy is created:

■Which data needs IPSec protection?

■How long should the data stream be protected by SA?

■What security policy will be used?

■Is the security policy created manually or through IKE negotiation?

The following aspects require attention when a security policy is created:

■To create a security policy, you must specify its negotiation mode. Once a

security policy is created, its negotiation mode cannot be modified. To create a

new security policy, the current one must be deleted. For example, a security

policy created with manual mode cannot be modified to a policy with isakmp

mode. To have the same policy with a different mode, you must delete the

policy then recreate it with a different mode.

■Security policies with the same name together comprise a security policy group.

The name and the sequence number define a security policy uniquely, and a

security policy group can include at most 100 security policies. The security

policy with smaller sequence number in the same security policy group is of

Operation Command

Set the encryption algorithm adopted by

ESP protocol (applicable to IPSec software) esp-new encryption-algorithm { 3des |

des | blowfish | cast | skipjack }

Set the encryption algorithm adopted by

ESP protocol (applicable to crypto card) esp-new encryption-algorithm { 3des |

des | blowfish | cast | skipjack |

aes | qc5 }

Cancel the encryption algorithm adopted

by ESP protocol(applicable to IPSec

software and crypto card)

undo esp-new encryption-algorithm

Set the authentication algorithm adopted

by ESP protocol (applicable to IPSec

software and crypto card)

esp-new authentication-algorithm {

md5-hmac-96 | sha1-hmac-96 }

Cancel the authentication algorithm

adopted by ESP protocol (applicable to

IPSec software and crypto card)

undo esp-new

authentication-algorithm

Set the authentication algorithm adopted

by AH protocol (applicable to IPSec

software and crypto card)

ah-new authentication-algorithm {

md5-hmac-96 | sha1-hmac-96 }

Restore the authentication algorithm

adopted by AH protocol (applicable to

IPSec software and crypto card)

undo ah-new authentication-algorithm