568CHAPTER 40: CONFIGURING IPSEC

Perform the following configurations in IPSec proposal view (or proposal view of crypto card)

Table 638 Select Encryption Algorithm and Authentication Algorithm

Operation

Command

 

 

Set the encryption algorithm adopted by

esp-new encryption-algorithm { 3des

ESP protocol (applicable to IPSec software)

des blowfish cast skipjack }

 

 

Set the encryption algorithm adopted by

esp-new encryption-algorithm { 3des

ESP protocol (applicable to crypto card)

des blowfish cast skipjack

 

aes qc5 }

 

 

Cancel the encryption algorithm adopted

undo esp-new encryption-algorithm

by ESP protocol(applicable to IPSec

 

software and crypto card)

 

 

 

Set the authentication algorithm adopted

esp-new authentication-algorithm {

by ESP protocol (applicable to IPSec

md5-hmac-96 sha1-hmac-96 }

software and crypto card)

 

Cancel the authentication algorithm

undo esp-new

adopted by ESP protocol (applicable to

authentication-algorithm

IPSec software and crypto card)

 

 

 

Set the authentication algorithm adopted

ah-new authentication-algorithm {

by AH protocol (applicable to IPSec

md5-hmac-96 sha1-hmac-96 }

software and crypto card)

 

Restore the authentication algorithm

undo ah-new authentication-algorithm

adopted by AH protocol (applicable to

 

IPSec software and crypto card)

 

 

 

By default, ESP protocol adopts des encryption algorithm and md5-hmac-96authentication algorithm, and AH protocol adopts md5-hmac-96authentication algorithm.

The commands undo esp-new encryption-algorithm and undo esp-new authentication-algorithm cannot be used at the same time. That is, ESP must use at least one type of encryption algorithm or authentication algorithm.

Creating a Security Policy

The following questions should be answered before a security policy is created:

Which data needs IPSec protection?

How long should the data stream be protected by SA?

What security policy will be used?

Is the security policy created manually or through IKE negotiation?

The following aspects require attention when a security policy is created:

To create a security policy, you must specify its negotiation mode. Once a security policy is created, its negotiation mode cannot be modified. To create a new security policy, the current one must be deleted. For example, a security policy created with manual mode cannot be modified to a policy with isakmp mode. To have the same policy with a different mode, you must delete the policy then recreate it with a different mode.

Security policies with the same name together comprise a security policy group. The name and the sequence number define a security policy uniquely, and a security policy group can include at most 100 security policies. The security policy with smaller sequence number in the same security policy group is of

Page 572
Image 572
3Com 10014299 manual Creating a Security Policy, Select Encryption Algorithm and Authentication Algorithm