3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Overview 147
The following describes how DPD operates once it is enabled:
At the sender side
If an IKE peer has received no IPsec packets from its peer by the time the
interval-time timer expires, and it now has IPsec packets to send, it first sends
a DPD query to the peer to ask for proof of liveness and starts the time_out
timer at the same time. If no acknowledgement arrives before this timer expires,
DPD records one failure event. When the number of failure events reaches three,
the ISAKMP SAs and IPsec SAs involved are deleted.
The same applies to the IPsec SAs set up between a router and the virtual IP
address of a VRRP standby group: when the failure count reaches three, the
security tunnel between them is deleted. The tunnel is set up again only when a
packet matching the IPsec policy arrives.
The failover duration depends on the time_out timer setting. A shorter timer
means a shorter communication interruption but increased overhead, because
unanswered queries are retried sooner.
Use the default setting in normal cases.
At the responder end
The peer of the sender sends an acknowledgement after receiving the query.
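The sender-side behaviour described above, modelled as a small state machine. This is an added example, not code from the 3Com/Comware product. Assumptions that the manual does not state: time is integer seconds passed in by the caller, the sender issues a fresh query the next time it has traffic after a time_out expiry, and a DPD acknowledgement resets the failure counter. The two helper scenarios (a dead peer and a live peer) are constructed for illustration.

```python
"""Sender-side DPD modelled from the manual's description (added example,
not product code). Assumptions not on the page: integer-second clock
supplied by the caller; a new query is sent on the next send attempt after a
time_out expiry; a DPD acknowledgement resets the failure counter."""

FAILURE_LIMIT = 3        # manual: SAs are deleted at the third failure


class DpdSender:
    def __init__(self, interval_time: int, time_out: int):
        self.interval_time = interval_time   # idle period before liveness is in doubt
        self.time_out = time_out             # how long to wait for a DPD acknowledgement
        self.last_rx = 0                     # when the peer's last IPsec packet arrived
        self.query_deadline = None           # time_out expiry of the outstanding query
        self.failures = 0
        self.sa_deleted = False
        self.queries_sent = 0

    def on_rx_ipsec(self, now: int) -> None:
        """Any IPsec packet from the peer proves liveness and rearms interval-time."""
        self.last_rx = now

    def on_dpd_ack(self, now: int) -> None:
        """The responder answered the query (assumption: this resets the failure count)."""
        self.query_deadline = None
        self.failures = 0
        self.last_rx = now

    def tick(self, now: int) -> bool:
        """Expire an outstanding query; returns True once the ISAKMP/IPsec SAs are gone."""
        if self.query_deadline is not None and now >= self.query_deadline:
            self.query_deadline = None
            self.failures += 1               # one failure per time_out expiry
            if self.failures >= FAILURE_LIMIT:
                self.sa_deleted = True
        return self.sa_deleted

    def want_send(self, now: int) -> str:
        """Called whenever the local side has IPsec traffic to send."""
        if self.tick(now):
            return "renegotiate"     # SAs deleted; a matching packet triggers new setup
        if self.query_deadline is not None:
            return "send"            # a query is already outstanding, keep sending
        if now - self.last_rx >= self.interval_time:
            self.query_deadline = now + self.time_out
            self.queries_sent += 1
            return "dpd_query"       # ask for proof of liveness before sending
        return "send"


def failover_time(interval_time: int, time_out: int, horizon: int = 10_000):
    """Second at which a peer that never answers is declared dead, assuming the
    sender has traffic every second. Works out to interval_time + 3 * time_out."""
    s = DpdSender(interval_time, time_out)
    for now in range(horizon):
        if s.want_send(now) == "renegotiate":
            return now
    return None


def live_peer(interval_time: int, time_out: int, ack_delay: int) -> DpdSender:
    """Constructed scenario: the peer acknowledges every query after ack_delay
    seconds (less than time_out), so no failure is ever recorded."""
    s = DpdSender(interval_time, time_out)
    pending = None
    for now in range(4 * interval_time):
        if pending is not None and now >= pending:
            s.on_dpd_ack(now)
            pending = None
        if s.want_send(now) == "dpd_query":
            pending = now + ack_delay
    return s
```

Running `failover_time(10, 5)` against `failover_time(10, 2)` shows the trade-off the manual states: halving time_out shortens the interruption from 25 s to 16 s, at the cost of retrying unanswered queries more often.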
IPsec on Comware
Comware implements the aspects of IPsec described above.
With IPsec, the peers (here, the security gateway running Comware and its remote
peer) can apply different security protections (authentication, encryption, or
both) to different data flows, which are distinguished by ACL. The protection
elements, namely the security protocol, authentication algorithm, encryption
algorithm, and operation mode (tunnel or transport), are defined in an IPsec
proposal. The association between a data flow and an IPsec proposal (that is,
which protection is applied to which data flow), together with the SA
negotiation mode, the peer IP address (the start and end points of the protected
path), the required keys, and the SA lifetime, is defined in an IPsec policy.
Finally, IPsec policies are applied to interfaces of the security gateway. This
is the IPsec configuration process.
The steps are described in detail below:
1 Defining the data flows to be protected
A data flow is a set of traffic identified by source address/mask, destination
address/mask, IP protocol number, source port number, and destination port
number. An ACL rule defines a data flow: logically, the traffic that matches one
ACL rule is one data flow. A data flow can be as narrow as a single TCP
connection between two hosts or as broad as all traffic between two subnets.
Because IPsec can apply different protections to different data flows, the
first step of IPsec configuration is to define the data flows.
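How an ACL rule identifies a data flow and selects a protection for it, as an added example (not the switch's own classifier or the manual's configuration). The ACL numbers, the address/wildcard notation (a wildcard bit of 1 means "don't care", as in Comware ACLs), the proposal names and the sample packets are all constructed here; the first-match ordering is an assumption.

```python
"""Data-flow classification against ACL rules (added example, not product
code). Addresses are written address/wildcard; 1 bits in the wildcard are
don't-care, as in Comware ACL notation. ACL numbers, proposal names and
packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    """One permit rule; None for proto/port means 'any'."""
    number: int
    src: str
    dst: str
    proto: Optional[int] = None     # IP protocol number, e.g. 6 = TCP
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, spec: str) -> bool:
    """True when addr agrees with spec's base address on every 'care' bit."""
    base, wild = spec.split("/")
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """A packet belongs to the rule's data flow when all five tuple fields match."""
    if not (wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


# Constructed sample: ACL 3000 = all IP traffic between two subnets (site to
# site), ACL 3001 = a single TCP flow to one database host. Numbers and
# proposal names are illustrative, not from the manual.
ACLS = {
    3000: [AclRule(0, "10.1.1.0/0.0.0.255", "10.1.2.0/0.0.0.255")],
    3001: [AclRule(0, "192.168.5.0/0.0.0.255", "172.16.0.10/0.0.0.0",
                   proto=6, dport=5432)],
}

# Hypothetical binding of each data flow (ACL) to an IPsec proposal, which is
# what an IPsec policy expresses.
PROTECTION = {3000: "esp-aes-sha1", 3001: "esp-3des-md5"}


def classify(pkt: Packet) -> Optional[str]:
    """Return the proposal protecting the packet's data flow, or None when no
    ACL matches (the packet is in no protected flow). Assumption: ACLs are
    checked in ascending number, rules in configuration order, first match wins."""
    for acl_no in sorted(ACLS):
        for rule in ACLS[acl_no]:
            if rule_matches(rule, pkt):
                return PROTECTION[acl_no]
    return None
```

The usual practitioner check that follows from this: the peer gateway must define the mirror-image data flow (source and destination swapped), otherwise the two ends disagree on what the SA protects and negotiation for that flow fails.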
2 Defining IPsec proposal