CHAPTER 17: CONFIGURING IPSEC

When you specify a key that is too short, the policy binding operation generates an error message reporting the key length discrepancy, and the key is rejected. If this occurs, you must delete the specified key and re-enter a key of the appropriate length.

During boot, any previously configured policies and keys are bound together. The various length restrictions are applied during this binding, so that you cannot use keys that are longer than the package supports. At boot-time, binding accepts DES keys that are shorter than 8 bytes and the system generates a warning rather than an error.

For compatibility with previous software versions that did not enforce key lengths, a DES key can be entered as an 8-byte hex value with the appropriate number of null characters at the end. For example, a DES key of abcd should now be entered as:

%6162636400000000

To change the manual keying information, you must first delete the information using NONE as the key set name, then add the new information using SETDefault.

For example, to create a security association and bind a key set to a corresponding encryption policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = esp_pol esp_key SpiEsp 500 501

To create a security association of an encryption and authentication policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = ahesp_pol ahesp_key SpiEsp 600 601 SpiAh 700 701

When keys are displayed using the SHow -IPSEC Keyset command, the MD5 hash of the key is displayed rather than the key itself. This allows you to compare keys for equality without exposing the actual key value. The length of the key is also displayed, since the hash is always a 32-digit hex value.
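The two conventions above (the null-padded hex entry form for short DES keys, and the MD5-plus-length display used by SHow -IPSEC Keyset) can be checked offline. The following is an added example, not code from the 3Com manual or the router firmware; the exact text of the router's error and warning messages, and whether the router hashes the padded or the as-entered key, are assumptions here.

```python
import hashlib

DES_KEY_BYTES = 8  # the manual's DES key length; shorter keys are rejected at binding


def des_key_to_hex(key: str) -> str:
    """Render an ASCII DES key in the '%' hex form the manual shows for
    compatibility entry, null-padded to 8 bytes: 'abcd' -> '%6162636400000000'."""
    raw = key.encode("ascii")
    if len(raw) > DES_KEY_BYTES:
        raise ValueError(f"DES key is {len(raw)} bytes; the package supports at most {DES_KEY_BYTES}")
    padded = raw.ljust(DES_KEY_BYTES, b"\x00")
    return "%" + padded.hex()


def des_key_from_hex(entry: str) -> bytes:
    """Parse the '%<16 hex digits>' entry form back into the 8 key bytes."""
    if not entry.startswith("%"):
        raise ValueError("hex key entry must start with '%'")
    raw = bytes.fromhex(entry[1:])
    if len(raw) != DES_KEY_BYTES:
        raise ValueError(f"expected {DES_KEY_BYTES} bytes, got {len(raw)}")
    return raw


def check_key_length(key: bytes, at_boot: bool = False) -> str:
    """Mimic the two binding behaviours the manual describes: at configuration
    time a short DES key is an error and is rejected; at boot time it is accepted
    with a warning. A key longer than the package supports is always an error.
    (Message wording is assumed, not the router's actual output.)"""
    if len(key) == DES_KEY_BYTES:
        return "ok"
    if len(key) > DES_KEY_BYTES:
        return "error: key longer than the package supports"
    if at_boot:
        return "warning: short DES key accepted at boot"
    return "error: key too short, rejected"


def key_fingerprint(key: bytes) -> tuple:
    """What SHow -IPSEC Keyset reveals instead of the key: a 32-hex-digit MD5
    digest plus the key length (length is needed because the digest size never
    varies with the key). Assumes the hash is taken over the bytes as entered."""
    return hashlib.md5(key).hexdigest(), len(key)


def keys_match(a: bytes, b: bytes) -> bool:
    """Compare two keys the way an operator would from two SHow outputs,
    without either side exposing the key value."""
    return key_fingerprint(a) == key_fingerprint(b)


if __name__ == "__main__":
    # Constructed sample: the manual's own 'abcd' example
    entry = des_key_to_hex("abcd")
    print(entry)                                   # %6162636400000000
    print(check_key_length(b"abcd"))               # error at configuration time
    print(check_key_length(b"abcd", at_boot=True)) # warning at boot
    digest, length = key_fingerprint(des_key_from_hex(entry))
    print(digest, length)
```

Because the MD5 digest is always 32 hex digits, the length field is the only way SHow lets you tell an 8-byte key from a short one that was padded, so compare both fields when checking that two routers hold the same key.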

Enabling IPsec

Enable IPsec policy checking on the port using:

SETDefault !<portlist> -IPSEC CONTrol = Enable

You should only enable IPsec policy checking on ports that need IPsec protection. Enabling IPsec policy checking can decrease the performance of your bridge/router.

For example, to enable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Enable

To disable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Disable

Setting up a VPN PPTP Tunnel

The procedure that follows shows how to set up a VPN PPTP tunnel between router 1 (170.0.0.1) and router 2 (180.0.0.1) with an IPSEC policy providing data confidentiality and data integrity.
