3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

150 CHAPTER 10: IPSEC CONFIGURATION
Peer end:
acl number 3101
rule 1 permit ip source 173.2.2.0 0.0.0.255 destination 173.1.1.0 0.0.0.255
Note:
IPsec protects only the data flows that the ACL permits. Configure the ACL precisely: permit only the traffic that needs IPsec protection, and avoid overusing the keyword any.
Configure the ACLs at the local end and the peer end as mirror images of each other. Otherwise, one end cannot decrypt the data sent by the other end.
Executing the display acl all command displays all the ACLs, including all advanced IP ACLs, regardless of whether they are used for traffic filtering or for encryption.
Defining an IPsec Proposal
An IPsec proposal stores the security protocol and the encryption/authentication algorithms that IPsec applies; it supplies the security parameters IPsec uses in SA negotiation. For a negotiation to succeed, both ends must use the same IPsec proposal.
Perform the following tasks to configure a security proposal:
- Create an IPsec or card SA proposal
- Specify the encryption card in the card SA proposal (only when an encryption card is involved)
- Set the mode the security protocol adopts for IP datagram encapsulation
- Select a security protocol
- Select security algorithms
Creating an IPsec or card SA proposal
An IPsec proposal is a set consisting of a security protocol, algorithms, and a packet encapsulation format, used to implement IPsec protection. An IPsec policy determines the security protocol, algorithms, and encapsulation mode it uses by referencing one or more IPsec proposals. An IPsec proposal must exist before an IPsec policy can reference it.
You can modify an IPsec proposal, but the modification has no effect on an SA that has already been set up by negotiation using that proposal, unless you execute the reset ipsec sa (or reset encrypt-card sa) command to reset the SA. A modified proposal applies only to SAs established afterwards.
Perform the following configuration in system view.