Creating an Encryption Policy | 3Com 11.1 manual

52CHAPTER 17: CONFIGURING IPSEC

<auth_algorithm> : MD5 SHA

<portlist >: 1-65535 * Archie DNS Finger FTP FTPData Gopher HTTP NFS NNTP NTP POP2 POP3 PortMap RIP SMTP SNMP SNMPTrap Syslog Telnet TFTP WAIS

The default for encrypt_algorithms is DES. The default for auth_algorithms is

MD5.

Creating an Encryption Policy

To create an encryption policy for Telnet trafﬁc using the default encryption algorithm DesCbc from router 1 with IP address 170.0.0.1 to router 2 with IP address 180.0.0.1, follow these steps:

1On bridge/router 1, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(*, Telnet) 170.0.0.1 180.0.0.1

2On bridge/router, 2 enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) 180.0.0.1 170.0.0.1

To conﬁgure an encryption policy for Telnet trafﬁc using the 3DES2key encryption algorithm between router 1 with IP address 170.0.0.1 and router 2 with IP address 180.0.0.1, follow these steps:

1On bridge/router 1, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) (*,Telnet) 170.0.0.1

180.0.0.1 3DES2key

2On bridge/router, 2 enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) (*,Telnet) 180.0.0.1

170.0.0.1 3DES2key

Creating a Security Policy

To create a security policy to provide data conﬁdentiality and data integrity for

PPTP tunnel trafﬁc between router 1 and router 2, follow these steps:

1On bridge/router 1 enter:

ADD !1 -IPSEC POLicy ahesp_pol AhEspXport tcp, gre 170.0.0.1 180.0.0.1

2On bridge/router 2, enter:

ADD !1 -IPSEC POLicy ahesp_pol AhEspXport tcp, gre 180.0.0.1 170.0.0.1

Creating Key Sets To create a key set, use:

ADD -IPSEC KeySet <key_set_name> [EncryptKey (“<encrypt_key>”

“%<encrypt_key>”)] [AuthKey (“<auth_key>” “%<auth_key>”)]

The encrypt_key and auth_key must match the values on the peer system at the other end of the security association.

<key_set_name> is a name you assign to the key set you are adding.

Image 50

3Com 11.1 Creating an Encryption Policy, On bridge/router, 2 enter, Creating a Security Policy, On bridge/router 2, enter

Contents

NETBuilder Family Software Version 11.1 Release Notes Santa Clara, California 3Com CorporationBayfront Plaza 95052-8145 Contents CPU Utilization Statistic Deleting ATM Neighbors Web Link Documentation Path Zmodem Time Out Known ProblemsBcmfdinteg File Conversion Considerations Displaying Conﬁguration Proﬁles Dynamic Paths Web Link Login SupportNAT Proxy ARP RouteDiscovery Sdhlc Half-Duplex Mode Limitations Accm Not Conﬁgurable Conﬁguring IPsec Authentication Header AHCONFiguration How IPsec Works Policies StatPollInterval Packages Netbuilder Software Version Release NotesEncryption Contact 3Com or your network supplier Lists 3Comapproved vendors of the PC ﬂash memory card New ProductsSupported PC Flash Memory Cards Approved 20 MB Flash Memory Cards Approved Dram New FeaturesVPN Features Layer Two Tunneling Protocol SIMMs Dhcp Proxy Extensible Authentication ProtocolAdditional RAS Enhancements Encryption Strength Encryption Key Virtual Circuit PrioritizationSummary of Encryption Strengths Algorithm Package ID Length BGP-4 Enhancements IP Version 6 PhaseFirewall Enhancements Data Over Voice B-Channel Isdn Speciﬁcation Ospf Not-So-Stubby-Area NssaFrame Relay PVC Q.933 Support Boundary Router Remote LAN Detection 56/64K CSU/DSU External Loopback Features Ascii BootToken Ring in Fast Ethernet Tife NETBuilder Web Link Improvements Flash Load Upgrade Management Utilities and NETBuilder Upgrade LinkApplication Notes Placing a Data Over Example Toggle the respective paths. Type New Features Application Notes Version 11.1 for the NETBuilder bridge/router platforms NETBuilder II Software FeaturesSoftware NETBuilder II Firmware Requirements Other FeaturesNETBuilder II Firmware Requirements IBM Protocols SuperStack II NETBuilder SI Software Features 438 458 Memory Requirements SuperStack II NETBuilder Ethernet and Token Ring FeaturesModels Features Token Ring Model and Software Package 112 132 111 145 OfﬁceConnect NETBuilder Software FeaturesModels Features Token Ring WAN Protocols 131 112 131 120 132 Additional OfﬁceConnect NETBuilder Models Software Features 136 117 137116 Memory Requirements Utilities for the HP-UX 10.x platforms Utilities for the Solaris 2.5 platformsRuuhp111.1 Ruuaix111.1 NETBuilder Upgrade Management Utilities Known Issues Etc/passwd. You must add an entry can be ignored DLSw PROﬁle ServiceBridge Static Routes SVCs Dialog boxes will be fully visible without scrolling Token Ring a non-source routed frame Supported Synchronous Modem Ports in DCE ModeSupported Asynchronous Modems Modems History, the PPP link does not come up IBM-Related Feature Settings for Token Ring Ports 3Com Bridge/Routers and Supported Features Token Ring Frame Copy ErrorsFrame Copy Errors under LAN Net Manager Known Problems Value Interrupt the boot cycle and enter monitor modeThis system SHow !profileID -PROFILE CONFiguration Notation Known Problems ADD !v1 -PPP ARU user, password Limitations Front-End Processor/Frame Relay Relay port is Access for LLC2 TrafﬁcNumber of TCP Connections IBM Boundary Routing Port running PPP SpeedMultilink PPP Snmp Management Stations for Appn Service Point Source-RouteSdlc Adjacent Link Source Route Using Netbuilder Family Software Update Pages Conﬁguring IPsec Configuring IpsecProcedures in this section describe how to conﬁgure IPsec Replace with this chapter Creating a Security Policy Creating an Encryption PolicyOn bridge/router, 2 enter On bridge/router 2, enter For example, to create a new encryption key set, enter Manual key information, use To disable Ipsec on port 1, enter Conﬁdentiality and data integrity Create a route between the two tunnel endpoints by entering Enable Layer 2 Tunnelling by enteringAssign an IP address to the tunnel virtual port by entering Conﬁgure an Ipsec policy/security association by entering Create a route between two tunnel endpoints by entering Enable Layer 2 Tunnelling Pptp by enteringHow IPsec Works Intercepted and viewed How IPsec Works Configuring Ipsec Reference for Netbuilder Family Ipsec Service Parameters and Commands Ipsec Service ParametersCONFiguration CONTrol KeySet ManualKeyInfo ManualPOLicy Be all or ALL Is assigned dynamically using Ipcp or DhcpPolicyname Name you assign to the policy you are adding Srcipaddr/mask Specifies Cipher Block Chaining mode of the Data Encrypt phases, and the second 8 bytes for the decryptPhase of the encrypt-decrypt-encrypt 239.255.255.254 Ipsec Service Parameters Rsvp Service Parameters RESerVation MaxFlowRateREQuest UDPEndcap Place this page in front of Chapter SR Service ParametersAllRoutes ROUte ROUte SR Service Parameters SYS Service Parameters SYS Service Parameters Weblink Service Parameters StatPollInterval Weblink Service Parameters