Configuring IPsec 53

<encrypt_key> and <auth_key> can be 1 to 128 bytes entered as either ASCII text strings or as a series of hexadecimal digits. See “Configuring Manual Key Information” next for more information about key set usage.

To delete a key set, use:

DELete -IPSEC KeySet [<key_set_name> ALL]

For example, to create a new encryption key set, enter:

ADD IPSEC KeySet esp_key EncryptKey "hello124"

To create a key set for both encryption and authentication, enter:

ADD IPSEC KeySet ahesp_key EncryptKey "hello124" AuthKey "world236"

Configuring Manual Key Information

The ManualKeyInfo parameter binds manual keying information to an IPsec policy. Only one ManualKeyInfo command can be applied to each policy. To configure manual key information, use:

SETDefault !<portlist> -IPSEC ManualKeyInfo = <policy_name> (<key_set_name> NONE) [SpiEsp <spi_in> <spi_out>] [SpiAh <spi_in> <spi_out>]

A Security Parameters Index (SPI) value is used in conjunction with the destination address to identify a particular security association which represents a set of agreements between senders and receivers on a key, on an encryption or authentication algorithm, and on SPI numbers.

<spi_in> is a number in the range 256 to 2000. All spi_in values must be unique on a system. An SPI number can be assigned only ONCE to a policy. The same number cannot be used by any other policy on the same system. spi_in must match the spi_out value specified at the peer system at the other end of the security association.

<spi_out> is a number in the range 256 to 2147483647. spi_out must match the spi_in value specified at the peer system at the other end of the security association.

A key is specified using the ADD -IPSEC KeySet command. It is later bound to an IPSEC manualPolicy when a SETDefault -IPSEC ManualKeyInfo command is entered. The keyset and policy must be entered before binding can take place.

When the key is entered, no particular length restriction is applied. Keys can be entered as either ASCII text or hex values in the range of 1 to 128 bytes.

When a key is bound, certain length restrictions are applied. The required key length depends on the NETBuilder software package used. The xS packages (S = strong encryption) allow key lengths of up to 128 bits for encryption, and the xE packages allow up to 56-bit keys. When you bind the key to the policy during configuration, if the entered key is too long for the package in use, the key is truncated and a warning message is generated.

All packages reject keys that are less than 5 bytes long and generate error messages. The xE packages truncate long keys to 7 or 8 bytes, and the xS packages truncate long keys to 16 bytes, with appropriate warning messages.
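The key-set commands, the ManualKeyInfo binding, the SPI ranges and the bind-time key-length rules above can be checked offline before anything is typed into the NETBuilder. The following Python script is an added example written for this page; it is not 3Com code and makes two labelled assumptions: a 0x prefix marks a hexadecimal key (plain text is ASCII), and the xE truncation limit is taken as 8 bytes where the manual says "7 or 8". The sample configuration lines are constructed from the commands shown on this page. It also checks a local binding against the peer's, generalizing the "spi_in must match the peer's spi_out" rule to both SPI pairs and both directions.

```python
import shlex

# Bind-time truncation limit (bytes) per NETBuilder package family.
# ASSUMPTION: xE is taken as 8 bytes where the manual says "7 or 8"; xS is 16.
PACKAGE_MAX_KEY = {"xE": 8, "xS": 16}
MIN_KEY_BYTES = 5                      # every package rejects shorter keys at bind time
SPI_IN_RANGE = (256, 2000)             # spi_in: unique per system
SPI_OUT_RANGE = (256, 2147483647)


def key_to_bytes(text):
    """Key as typed at the CLI -> raw bytes.
    ASSUMPTION: a 0x prefix marks a hex key; anything else is ASCII text."""
    if text.lower().startswith("0x"):
        return bytes.fromhex(text[2:])
    return text.encode("ascii")


def parse_config(lines):
    """Parse 'ADD [-]IPSEC KeySet ...' and 'SETDefault ... ManualKeyInfo = ...' lines.
    Returns (keysets, bindings). Keywords match case-insensitively; the leading
    '-' of -IPSEC is ignored because the manual shows both spellings."""
    keysets, bindings = {}, []
    for raw in lines:
        toks = shlex.split(raw)
        if not toks:
            continue
        low = [t.lstrip("-").lower() for t in toks]
        if low[:3] == ["add", "ipsec", "keyset"]:
            ks = {"name": toks[3], "encrypt": None, "auth": None}
            for i in range(4, len(toks) - 1, 2):       # keyword/value pairs
                if low[i] == "encryptkey":
                    ks["encrypt"] = key_to_bytes(toks[i + 1])
                elif low[i] == "authkey":
                    ks["auth"] = key_to_bytes(toks[i + 1])
            keysets[ks["name"]] = ks
        elif low[0] == "setdefault" and "manualkeyinfo" in low:
            args = toks[low.index("manualkeyinfo") + 1:]
            if args and args[0] == "=":
                args = args[1:]
            b = {"policy": args[0], "keyset": args[1], "SpiEsp": None, "SpiAh": None}
            for i in range(2, len(args) - 2, 3):       # SpiEsp/SpiAh <in> <out> triples
                proto = {"spiesp": "SpiEsp", "spiah": "SpiAh"}.get(args[i].lower())
                if proto:
                    b[proto] = (int(args[i + 1]), int(args[i + 2]))
            bindings.append(b)
    return keysets, bindings


def bind_checks(keysets, bindings, package):
    """Apply the bind-time rules for one package. Returns (effective, errors, warnings);
    effective maps policy -> {'encrypt'/'auth': key bytes after any truncation}."""
    limit = PACKAGE_MAX_KEY[package]
    effective, errors, warnings, seen_in = {}, [], [], {}
    for b in bindings:
        pol = b["policy"]
        if b["keyset"].upper() != "NONE":
            ks = keysets.get(b["keyset"])
            if ks is None:                           # key set must exist before binding
                errors.append(f"{pol}: key set {b['keyset']} not defined")
                continue
            eff = {}
            for kind in ("encrypt", "auth"):
                k = ks[kind]
                if k is None:
                    continue
                if len(k) < MIN_KEY_BYTES:
                    errors.append(f"{pol}: {kind} key {len(k)} bytes < {MIN_KEY_BYTES}")
                    continue
                if len(k) > limit:                   # too long for package: truncate + warn
                    warnings.append(f"{pol}: {kind} key truncated {len(k)}->{limit} ({package})")
                    k = k[:limit]
                eff[kind] = k
            effective[pol] = eff
        for proto in ("SpiEsp", "SpiAh"):
            if b[proto] is None:
                continue
            spi_in, spi_out = b[proto]
            if not SPI_IN_RANGE[0] <= spi_in <= SPI_IN_RANGE[1]:
                errors.append(f"{pol}: {proto} spi_in {spi_in} out of range")
            if not SPI_OUT_RANGE[0] <= spi_out <= SPI_OUT_RANGE[1]:
                errors.append(f"{pol}: {proto} spi_out {spi_out} out of range")
            if spi_in in seen_in:                    # spi_in is assigned only once per system
                errors.append(f"{pol}: spi_in {spi_in} already used by {seen_in[spi_in]}")
            seen_in[spi_in] = pol
    return effective, errors, warnings


def peer_spi_mismatches(local, peer):
    """Local spi_in must equal the peer's spi_out and vice versa, for ESP and AH."""
    problems = []
    for proto in ("SpiEsp", "SpiAh"):
        if local[proto] and peer[proto]:
            if local[proto][0] != peer[proto][1]:
                problems.append(f"{proto}: local in {local[proto][0]} != peer out {peer[proto][1]}")
            if local[proto][1] != peer[proto][0]:
                problems.append(f"{proto}: local out {local[proto][1]} != peer in {peer[proto][0]}")
    return problems


# Constructed sample: the page's two key sets plus a too-short key, an 18-byte hex key,
# a duplicate spi_in and an out-of-range spi_in.
LOCAL_CONFIG = [
    'ADD IPSEC KeySet esp_key EncryptKey "hello124"',
    'ADD IPSEC KeySet ahesp_key EncryptKey "hello124" AuthKey "world236"',
    'ADD IPSEC KeySet weak_key EncryptKey "abc"',
    'ADD -IPSEC KeySet long_key EncryptKey 0x00112233445566778899aabbccddeeff0011',
    'SETDefault !1 -IPSEC ManualKeyInfo = pol1 esp_key SpiEsp 300 1300',
    'SETDefault !1 -IPSEC ManualKeyInfo = pol2 ahesp_key SpiEsp 301 1301 SpiAh 302 1302',
    'SETDefault !2 -IPSEC ManualKeyInfo = pol3 weak_key SpiEsp 300 1303',
    'SETDefault !2 -IPSEC ManualKeyInfo = pol4 long_key SpiEsp 2500 1304',
]

if __name__ == "__main__":
    keysets, bindings = parse_config(LOCAL_CONFIG)
    for pkg in ("xE", "xS"):
        eff, errs, warns = bind_checks(keysets, bindings, pkg)
        print(pkg, "errors:", errs, "warnings:", warns)
    peer_pol2 = {"policy": "pol2", "keyset": "x", "SpiEsp": (1301, 301), "SpiAh": (1302, 302)}
    print("peer mismatches:", peer_spi_mismatches(bindings[1], peer_pol2))
```

Run it as a script to see the per-package results; the same three errors appear for both packages, while only the 18-byte hex key produces a truncation warning (to 16 bytes on xS, 8 on xE). Because spi_in is limited to 256 to 2000 on a NETBuilder, a binding whose spi_out lies above 2000 can only match a peer that is not itself a NETBuilder, which is why the sample keeps both SPI values inside the smaller range.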
