USER’S GUIDE

CONFIGURING SECURITY ASSOCIATIONS AND AUTHENTICATION (IP SECURITY ONLY)

IP Security encryption configuration consists of the following elements:

• setting up security associations for Encapsulating Security Payload (ESP)

• optionally specifying keys for Authentication Headers (AH)

Security Associations are necessary for IP networks that plan to use an untrusted/unprotected medium, such as the Internet. Security Associations identify the IP addresses for which exchanged datagrams must be encrypted. They also provide the parameters necessary to encrypt and decrypt IP datagrams. By default, the CyberSWITCH has no Security Associations. Therefore, to enable encryption, you must specify these associations.

When configuring two CyberSWITCH nodes, the security association information from one node must parallel the information on the other node. The parameters for Transform Menu, Shared Secret Key, and Security Parameter Index must be the same on both nodes in order for the nodes to communicate.

Likewise, if you plan to authenticate packets prior to encryption/decryption, the authentication key information from one node must parallel the information on the other node.
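The check below is an added example, not part of the CyberSWITCH manual or software: it audits two nodes' Security Association settings, transcribed by hand, for the parity the paragraphs above require. The `SA` field names, the transform name, the SPI values and the first key are hypothetical; treating IV length as a must-match value and reading "parallel" as mirrored source/destination networks are assumptions.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# The page says these three must be identical on both nodes.
MUST_MATCH = ("transform", "shared_key", "spi")
SAMPLE_KEY = "AAABBB1234567890"  # key printed in the manual's dialog

@dataclass(frozen=True)
class SA:
    """One node's SA as transcribed from CFGEDIT (field names hypothetical)."""
    source: str        # source network, e.g. "197.4.0.0/16"
    destination: str   # final destination network
    transform: str
    iv_bits: int       # 32 or 64, per the IV Length Menu
    spi: int
    shared_key: str

def audit_pair(a: SA, b: SA) -> list[str]:
    """Return findings for two SAs meant to protect the same tunnel."""
    findings = []
    for name in MUST_MATCH:
        x, y = str(getattr(a, name)), str(getattr(b, name))
        # Constant-time compare; never echo key material into findings.
        if not hmac.compare_digest(x.encode(), y.encode()):
            findings.append(f"{name} differs between nodes")
    if a.iv_bits != b.iv_bits:  # assumption: IV length must also agree
        findings.append("iv_bits differs between nodes")
    # Assumption: "parallel" means each node's source is the peer's destination.
    net = ipaddress.ip_network
    if net(a.source) != net(b.destination) or net(a.destination) != net(b.source):
        findings.append("source/destination networks are not mirrored")
    for label, sa in (("node A", a), ("node B", b)):
        if sa.shared_key.upper() == SAMPLE_KEY:
            findings.append(f"{label} uses the manual's sample key")
    return findings

# Constructed sample data: the networks come from the dialog on this page,
# while the transform name, SPI values and first key are invented.
node_a = SA("197.4.0.0/16", "197.1.0.0/16", "ESP-EXAMPLE", 64, 300, "0F1E2D3C4B5A6978")
node_b = SA("197.1.0.0/16", "197.4.0.0/16", "ESP-EXAMPLE", 64, 301, SAMPLE_KEY)

if __name__ == "__main__":
    for finding in audit_pair(node_a, node_b):
        print("FINDING:", finding)
```

An empty list means the two transcriptions agree on every checked field; findings name the field only and never print key material.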

USING CFGEDIT

1. From the CFGEDIT Main Menu, select Options.

2. Select IP Routing. If IP routing is disabled, enable this now.

3. Select IP Security Associations.

4. Select Add. Respond to the following series of questions:

Security Association Packet Direction Menu:

1)Outgoing (packets from trusted local subnet to remote site)

2)Incoming (packets to trusted local subnet from remote site)

3)Both outgoing and incoming

ID of the Direction for this Security Association [default = 3] ?

Enter the Final Destination IP address in dotted decimal notation or <RET> to cancel? 197.1.0.0

Enter the number of significant bits for the Subnet Mask [default = 8]? 16

Enter the Source IP Address in dotted decimal notation or <RET> to cancel? 197.4.0.0

Enter the number of significant bits for the Subnet Mask [default = 8]? 16

Enter the Destination Gateway/Router IP Address in dotted decimal notation or <RET> to cancel? 197.1.1.1

Security Association IV Length Menu:

1)32 bits

2)64 bits

ID of IV length to use: [default = 2]?

Enter the Shared Secret Encryption Key for this Security Association:

AAABBB1234567890

Enterasys Networks CSX6000 manual