Setup guide
Group 2 1024 bits RFC2409
Group 5 1536 bits RFC3526
IKE Traffic
To avoid a problem where IKE packets hit some SPD rule and would require encryption with an SA that is not yet established (the SA that this very packet is perhaps trying to establish), locally originated packets with UDP source port 500 are not processed against the SPD. In the same way, packets with UDP destination port 500 that are to be delivered locally are not processed in the incoming policy check.
Setup Procedure
To get IPsec to work with automatic keying using IKE-ISAKMP you will have to configure policy,
peer and (optionally) proposal entries.
For manual keying you will have to configure policy and manual-sa entries.
Policy Settings
ip ipsec policy
Description
The policy table is needed to determine whether encryption should be applied to a packet.
Property Description
src-address (IP address/mask:port; default: 0.0.0.0/32:any) - source IP address
dst-address (IP address/mask:port; default: 0.0.0.0/32:any) - destination IP address
protocol (name | integer; default: all) - protocol name or number
action (accept | drop | encrypt; default: accept) - specifies what action to undertake with a packet
that matches the policy
• accept - pass the packet
• drop - drop the packet
• encrypt - apply the transformations specified in this policy and its SA
level (acquire | require | use; default: require) - specifies what to do if some of the SAs for this
policy cannot be found:
• use - skip this transform, do not drop packet and do not acquire SA from IKE daemon
• acquire - skip this transform, but acquire SA for it from IKE daemon
• require - drop packet but acquire SA
ipsec-protocols (multiple choice: ah | esp; default: esp) - specifies what combination of
Authentication Header and Encapsulating Security Payload protocols you want to apply to matched
traffic. AH is applied after ESP; in tunnel mode, ESP is applied in tunnel mode and AH in
transport mode
tunnel (yes | no; default: no) - specifies whether to use tunnel mode
sa-src-address (IP address; default: 0.0.0.0) - SA source IP address
sa-dst-address (IP address; default: 0.0.0.0) - SA destination IP address
proposal (name; default: default) - name of proposal information that will be sent by IKE daemon
to establish SAs for this policy
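As an added illustration (not from the original manual), the following policy entry protects traffic between two hypothetical subnets over a tunnel-mode ESP SA. The subnets, gateway addresses and the `add` command form are assumptions; the matching peer and proposal entries are configured separately and are not shown here.

```routeros
# Added example: constructed addresses, not from the manual.
# Match all traffic between the two LANs and require ESP in tunnel mode
# between the two gateway addresses. level=require is the default and is
# kept explicit on purpose: with level=use, matching packets would leave
# unencrypted whenever the SA is missing, which silently defeats the policy.
/ip ipsec policy add \
    src-address=10.1.0.0/24:any \
    dst-address=10.2.0.0/24:any \
    protocol=all \
    action=encrypt \
    level=require \
    ipsec-protocols=esp \
    tunnel=yes \
    sa-src-address=192.0.2.1 \
    sa-dst-address=198.51.100.1 \
    proposal=default
```

The peer gateway needs the mirror-image entry (src and dst, and sa-src-address and sa-dst-address, swapped); the IKE exchange on UDP port 500 that establishes the SA bypasses this policy, as described under IKE Traffic above.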