Enterasys Networks X-PeditionTM manual Security Policy Considerations, Configuring Policy


VPN Configuration Overview

More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks a common proposal on both peers with identical parameters. IKE policy is configured using the crypto isakmp peer command. Specified parameters are effective when a peer address/subnet matches the IP address of the peer. The wildcard 0.0.0.0 0.0.0.0 may be used to match any peer. Configurable IKE policy values are:

IKE peer address/subnet

IKE proposal list

Client or server Mode-config

Main or aggressive IKE exchange mode (outbound tunnels only)

User-defined identification (with aggressive mode only)

Enabled or disabled NAT automatic options

Transform-sets used for IPSec are created by the crypto ipsec transform-set command. You can choose AH, ESP, or IP compression values as follows:

MD5-HMAC or SHA-HMAC hashing algorithms

3DES, AES or DES encryption

MD-5 or SHA-1 hash algorithms

Security Policy Considerations

Be aware of these considerations when configuring security policy:

DES is a weaker form of encryption than 3DES and provides a lower level of security than the newer algorithm. We recommend 3DES.

Selecting any Perfect Forward Secrecy (PFS) option will make each generated key used in data encryption independent of previous keys. If the key is compromised, the next key generated by Phase 2 exchange cannot be determined by knowing the value of the previous key. This comes at the cost of slightly lower performance.

Two IPSec encapsulation modes are supported but the default, tunnel mode, is typically used with VPNs because it is more inclusive.

It is useful to specify a user ID instead of an IP address when configuring an SA in aggressive mode (with pre-shared keys) for a peer whose IP address is dynamic. If you specify no ID, its IP address will be used by default. But, in that case, you will have to re-configure (with a new entry in the aaa user database) both ends of the tunnel every time the address changes. Use the user-id command instead.

Configuring Policy

The following example defines simple IKE Phase I, remote peer and IPSec transform-sets. Configure the IKE proposal try1:

XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption aes
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
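The following Python script is an added illustration, not part of the XSR User's Guide and not Enterasys code. It models the behaviour described in the VPN Configuration Overview and the Security Policy Considerations above: each node offers an ordered list of IKE proposals, negotiation succeeds on the first proposal whose parameters are identical on both peers, the peer address/subnet (including the 0.0.0.0 0.0.0.0 wildcard) decides whether the policy applies, and DES is flagged as weaker than the recommended 3DES. The local transcript reuses the try1 proposal shown above; the second local proposal ("legacy"), the remote node's proposal ("branch"), the peer addresses and the function names are all constructed for this example and do not come from the manual.

```python
import ipaddress
import re

# Constructed sample: the try1 proposal from the manual, plus a hypothetical
# second proposal named "legacy" that uses DES so the policy check has
# something to report.
LOCAL_CONFIG = """\
XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption aes
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
XSR(config)#crypto isakmp proposal legacy
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption des
XSR(config-isakmp)#hash sha
XSR(config-isakmp)#group 2
XSR(config-isakmp)#lifetime 40000
"""

# Constructed sample: what a hypothetical remote node offers.
REMOTE_CONFIG = """\
XSR(config)#crypto isakmp proposal branch
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption des
XSR(config-isakmp)#hash sha
XSR(config-isakmp)#group 2
XSR(config-isakmp)#lifetime 40000
"""

PROPOSAL_LINE = re.compile(r"^XSR\(config\)#crypto isakmp proposal (\S+)$")
PARAM_LINE = re.compile(r"^XSR\(config-isakmp\)#(\S+)\s+(\S+)$")


def parse_proposals(transcript):
    """Turn an XSR-style transcript into {proposal name: {parameter: value}}.

    Proposals keep the order they were entered in, which is the order the
    node offers them during negotiation.
    """
    proposals = {}
    current = None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROPOSAL_LINE.match(line)
        if m:
            current = m.group(1)
            proposals[current] = {}
            continue
        m = PARAM_LINE.match(line)
        if m and current is not None:
            proposals[current][m.group(1)] = m.group(2)
    return proposals


def select_common_proposal(local, remote):
    """Return (local_name, remote_name) for the first local proposal whose
    parameters are identical to one the peer offers, or None if the peers
    share no proposal (negotiation fails)."""
    for lname, lparams in local.items():
        for rname, rparams in remote.items():
            if lparams == rparams:
                return lname, rname
    return None


def peer_matches(peer_ip, address, mask):
    """True if the peer's IP falls inside the address/subnet of the IKE
    policy; 0.0.0.0 0.0.0.0 yields a /0 network and so matches any peer."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return ipaddress.ip_address(peer_ip) in net


def policy_warnings(params):
    """Report the settings the Security Policy Considerations warn about."""
    warnings = []
    if params.get("encryption") == "des":
        warnings.append("DES is weaker than 3DES; the manual recommends 3DES")
    return warnings


def negotiate(local_text, remote_text, peer_ip, policy_address, policy_mask):
    """Simulate Phase 1 selection for one peer and summarise the outcome."""
    if not peer_matches(peer_ip, policy_address, policy_mask):
        return {"peer_matched": False, "proposal": None, "warnings": []}
    local = parse_proposals(local_text)
    remote = parse_proposals(remote_text)
    chosen = select_common_proposal(local, remote)
    warnings = policy_warnings(local[chosen[0]]) if chosen else []
    return {"peer_matched": True, "proposal": chosen, "warnings": warnings}


if __name__ == "__main__":
    # The constructed peer 192.0.2.10 matches the wildcard policy; try1 is
    # offered first but only "legacy" is identical to the remote's "branch".
    print(negotiate(LOCAL_CONFIG, REMOTE_CONFIG, "192.0.2.10", "0.0.0.0", "0.0.0.0"))
```

Running it shows why proposal order and parameter agreement both matter: the stronger try1 proposal is never used because the remote node offers nothing identical to it, and the tunnel falls through to the DES proposal that the considerations above advise against.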

XSR User’s Guide 14-23
