62CHAPTER 33: IPSEC SERVICE PARAMETERS

Default No Default

Description All keysets are encrypted and protected with the current KeyEncryptionKey and stored in the IPSEC configuration file. The value of the KeyEncryptionKey parameter which is stored in the EEPROM, can be updated by root, but is not readable by anyone. An embedded key is used to protect the keysets if KeyEncryptionKey is never set. The Show command shows only the encoded value of KeyEncryptionKey for comparison purposes only.

KeySet

Syntax ADD -IPSEC KeySet <key_set_name> [EncryptKey (“<encrypt_key>” “%<encrypt_key”>)] [AuthKey (“<auth_key>” “%<auth_key>”)]

DELete -IPSEC KeySet [<key_set_name> ALL]

SHow -IPSEC KeySet [<key_set_name>]

Description The KeySet parameter adds manual encryption and authentication keys. Key values can be entered as either ASCII text strings or as a series of hexadecimal digits. The text or hex key values are converted to actual key values for each supported encryption and authentication algorithm.

When key sets are displayed using the SHow command, encoded values for the keys, instead of the actual values, are displayed for added security. The encoded key value is unique for each key value and can be used to verify that keys match between different routers.

The encrypt_key and auth_key must match the values on the peer system at the other end of the security association.

When the length of the EncryptKey or AuthKey key value entered is less than the actual key size used by the selected encryption or authentication algorithm, the key value is padded with zeroes to the appropriate key size. For example, if a

6-octet (character) EncryptKey is entered for DES-CBC encryption, two zero octets are appended to the key value entered to create the 8-octet key. When the length of EncryptKey or AuthKey key value entered is larger than the actual key size used by the selected encryption or authentication algorithm, the key value is truncated to the appropriate key size. For example, if a 10-octet (character) EncryptKey is entered for DES-CBC encryption, only the first 8-octets of the value entered are used.

When the key is entered, no particular length restriction is applied. Keys can be entered as either ASCII text or hex values in the range of 1 to 128 bytes.

When a key is bound, certain length restriction are applied. The required key length depends on the NETBuilder software package used. The xS packages (S=strong encryption) allow key lengths of up to 128 bits for encryption, and the xE packages allow up to 56-bit keys. When you bind the key to the policy during configuration, if the entered key is too long for the package in use, the key is truncated and a warning message is generated.

All packages reject keys that are less than 5 bytes long and generate error messages. The xE packages truncate long keys to 7 or 8 bytes, and the xS packages truncate long keys to 16 bytes, with appropriate warning messages.

Page 59
Image 59
3Com 11.1 manual KeySet