3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

148 CHAPTER 10: IPSEC CONFIGURATION
An IPsec proposal prescribes the security protocol, the authentication algorithm, the encryption algorithm and the operation mode (that is, the packet encapsulation mode) for the data flows to be protected.
Comware supports both AH and ESP, and they can be used either independently or in combination. AH supports the MD5 and SHA-1 authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms as well as the DES and 3DES encryption algorithms. Comware supports two working modes: transport mode and tunnel mode. Of the algorithms offered, DES (56-bit key) and MD5 are weak by current standards; where both peers support them, prefer 3DES and SHA-1.
For a given data flow, the two peers must be configured with the same protocol, algorithms and working mode. Moreover, when IPsec is applied between two security gateways (for example, between two Comware security gateways), tunnel mode is recommended because it hides the real source and destination addresses of the protected packets.
You should therefore define an IPsec proposal according to your requirements so that you can associate it with data flows.
3 Defining IPsec policy or IPsec policy group
An IPsec policy specifies an IPsec proposal for a given data flow. An IPsec policy is uniquely identified by its name and sequence number. There are two types: manual IPsec policies and IKE negotiation IPsec policies. With a manual policy, you configure parameters such as the keys, the SPIs and (in tunnel mode) the IP addresses of the two ends by hand. With an IKE negotiation policy, these parameters are generated automatically by IKE negotiation.
An IPsec policy group is a set of IPsec policies that share the same name but have different sequence numbers. Within an IPsec policy group, the smaller the sequence number, the higher the priority.
4 Applying IPsec policies on an interface
Applying all the IPsec policies in a group to an interface lets you apply different security protection to the different data flows passing through that interface.
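The following configuration is an added illustration of the four objects described above; it is not taken from this guide. The command syntax follows the Comware 3 conventions used on the 3Com Switch 8800 and should be checked against the command reference chapters of this guide, and all ACL numbers, names, addresses, SPIs and keys are hypothetical placeholders. Lines beginning with "# " followed by text are annotations for the reader, not configuration. It builds one IPsec policy group named vpn with two entries: sequence 10 uses IKE negotiation for traffic between two site subnets, and sequence 20 is a manual policy for a second flow. Because 10 is smaller than 20, a packet that matched both ACLs would be handled by the IKE entry.

```text
# Step 1: ACLs that define the data flows to protect (hypothetical subnets).
acl number 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#
acl number 3001
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
#
# Step 2: IPsec proposal. ESP with SHA-1 authentication and 3DES encryption
# in tunnel mode, the strongest combination this platform offers. The peer
# gateway must be configured with exactly the same protocol, algorithms and
# encapsulation mode or the SAs will not come up.
ipsec proposal prop-tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
 encapsulation-mode tunnel
#
# Step 3a: IKE peer and an IKE-negotiated policy (sequence 10). Keys, SPIs
# and SAs are produced by IKE; the only secret typed here is the pre-shared
# key (placeholder value; use a long random secret in practice).
ike peer gw-b
 pre-shared-key CHANGE-ME-long-random-secret
 remote-address 192.0.2.2
#
ipsec policy vpn 10 isakmp
 security acl 3000
 ike-peer gw-b
 proposal prop-tunnel
#
# Step 3b: manual policy (sequence 20) for the second flow. Tunnel endpoints,
# SPIs and keys are static and must mirror the peer: this side's inbound SPI
# and key are the peer's outbound SPI and key, and vice versa.
ipsec policy vpn 20 manual
 security acl 3001
 proposal prop-tunnel
 tunnel local 192.0.2.1
 tunnel remote 192.0.2.3
 sa spi inbound esp 12345
 sa string-key inbound esp CHANGE-ME-inbound-key
 sa spi outbound esp 54321
 sa string-key outbound esp CHANGE-ME-outbound-key
#
# Step 4: apply the whole policy group (both entries) on the interface that
# faces the remote gateways. The lower sequence number wins on overlap.
interface Vlan-interface 10
 ipsec policy vpn
#
```

After applying the group, confirm that the policy binding and the negotiated or manual SAs look as intended with the display commands documented later in this guide (assumed here to be display ipsec policy and display ipsec sa), and check that the peer shows the same proposal parameters before treating the tunnel as working.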
Configuring IPsec
1 Configure an ACL
2 Configure a security proposal
  Create a security proposal (IPsec proposal or card SA proposal)
  Specify the encryption card used in the card SA proposal (only applies to encryption cards)
  Select the security protocol
  Select the security algorithms
  Select the packet encapsulation mode
3 Create an IPsec policy (manually or by using IKE)
  For manual mode:
  Create the IPsec policy