3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
146 CHAPTER 10: IPSEC CONFIGURATION
decrypting data with an identical key via a symmetric key system. IPsec in Comware
implements three types of encryption algorithm:
■ DES (Data Encryption Standard): encrypts a 64-bit plaintext block with a 56-bit key.
■ 3DES (Triple DES): encrypts plaintext with three 56-bit keys (a 168-bit key).
■ AES (Advanced Encryption Standard): 128-bit, 192-bit and 256-bit AES, conforming
to IETF standards, can be implemented on Comware.
Negotiation mode
There are two negotiation modes for establishing an SA: manual mode (manual) and IKE
auto-negotiation mode (isakmp). The former is more complex because every SA
parameter has to be configured by hand, and it does not support some advanced IPsec
features, such as the key-update timer; its advantage is that it works independently
of IKE. The latter is much simpler: once the security policies for IKE negotiation are
configured, SAs are established and maintained by IKE auto-negotiation.
Manual mode is feasible with few peer devices or in a small, static environment. For
medium-sized or large dynamic environments, IKE auto-negotiation mode is
recommended.
IPsec DPD
IPsec dead peer detection (IPsec DPD) allows on-demand IKE peer liveliness
detection on IPsec/IKE tunnels.
The idea of DPD is that when an IKE peer receives no packets from its peer for a
specified period, a DPD query is triggered: the IKE peer sends a query to its peer
asking for proof of liveliness.
Compared with the other keepalive mechanisms available with IPsec, DPD generates
less traffic while allowing prompter detection and quicker tunnel recovery.
When an Internet Security Association and Key Management Protocol security
association (ISAKMP SA) is established between a router address and the virtual
address of a Virtual Router Redundancy Protocol (VRRP) backup group, DPD lets
security tunnels recover rapidly and automatically after a master/slave switchover in
the VRRP backup group. DPD thus keeps security tunnels from being interrupted by the
switchover, broadens the range of IPsec applications, and makes the IPsec protocol
more robust.
DPD is implemented in compliance with RFC 3706 and RFC 2408.
1 Timers
IPsec DPD uses the following two timers to control the sending and receipt of DPD
packets:
■ Interval-time: specifies the idle interval that triggers a DPD query. If an IKE peer
has received no IPsec packet from its peer when this timer expires, a DPD query is
triggered.
■ Time_out: specifies how long to wait for a DPD acknowledgement.
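As an added illustration (not Comware code and not from the original manual), the following Python model runs the two DPD timers just described against constructed peer traffic: a peer that answers its queries stays up, a peer that falls silent is declared dead when Time_out expires without an acknowledgement, and steady IPsec traffic never triggers a query at all. It assumes a single query with no retransmission and uses the RFC 3706 R-U-THERE / R-U-THERE-ACK names for the query and its acknowledgement.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DpdPeer:
    interval_time: float      # Interval-time: idle seconds before a DPD query is triggered
    time_out: float           # Time_out: seconds to wait for the DPD acknowledgement
    last_rx: float = 0.0      # time of the last packet received from the peer
    query_sent_at: Optional[float] = None   # set while a query is awaiting its ack
    alive: bool = True
    log: list = field(default_factory=list)

    def on_packet(self, now: float) -> None:
        # Any packet from the peer proves liveliness and restarts the idle timer.
        self.last_rx, self.query_sent_at = now, None

    def on_ack(self, now: float) -> None:
        self.log.append((now, "R-U-THERE-ACK"))
        self.on_packet(now)

    def tick(self, now: float) -> str:
        """Evaluate both timers at time `now` and return the action taken."""
        if self.query_sent_at is None:                 # idle timer running
            if now - self.last_rx < self.interval_time:
                return "idle"
            self.query_sent_at = now                   # Interval-time expired: query
            self.log.append((now, "R-U-THERE"))
            return "query"
        if now - self.query_sent_at < self.time_out:   # ack timer running
            return "waiting"
        self.alive = False                             # Time_out expired with no ack
        self.log.append((now, "no DPD ack: peer dead, tear down SA"))
        return "dead"

def simulate(events: dict, interval_time: float = 10, time_out: float = 5, until: int = 60):
    """Step one second at a time; `events` maps a second to 'packet' or 'ack' from the peer."""
    peer = DpdPeer(interval_time, time_out)
    for now in range(until + 1):
        kind = events.get(now)                         # constructed peer traffic
        if kind == "packet":
            peer.on_packet(now)
        elif kind == "ack":
            peer.on_ack(now)
        if peer.tick(now) == "dead":
            break
    return peer.alive, peer.log
```

With the defaults, `simulate({})` shows the silent-peer case: a query at second 10 and a dead verdict at second 15, while `simulate({14: "ack"})` shows the acknowledgement arriving inside Time_out.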
2 Operating mechanism