3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration 153
ESP protocol supports three types of encryption algorithms: des, 3des and aes,
and two authentication algorithms: hmac-md5 and hmac-sha1.
AH protocol supports two types of authentication algorithms: hmac-md5 and
hmac-sha1.
By default, the encryption algorithm used by ESP is des and the authentication
method used is md5. The authentication method used by the AH protocol is md5.
Security algorithms can be configured only after the desired security protocol
has been selected with the transform command. For example, if you select ESP, you
can only configure the security algorithms particular to ESP, not those for AH.
Creating IPsec Policy
An IPsec policy specifies a certain IPsec proposal for a certain data flow. An IPsec
policy is uniquely defined by its "name" and "sequence number". It falls into two
types, manual IPsec policy and IKE negotiation IPsec policy. For the former,
parameters such as the key, SPI and SA duration, as well as the IP addresses of the
two ends in Tunnel mode, are configured manually. For the latter, these parameters
are generated automatically by IKE negotiation.
This section describes IPsec policy configuration in detail, covering both
manual configuration and IKE negotiation configuration. Where a configuration
applies to only one mode, a special description follows it. Otherwise, the
configuration should be performed in both manual mode and IKE negotiation mode.
Manually creating an IPsec policy
1 Manually creating an IPsec policy
You are not allowed to modify the negotiation mode of an IPsec policy that has
already been created. For example, if a manual IPsec policy is established, it cannot
be changed to isakmp mode; you have to delete this IPsec policy before
establishing a new one.
Perform the following configuration in system view.
IPsec policies with the same name and different sequence numbers can compose
an IPsec policy group. In one IPsec policy group, up to 500 IPsec policies can be
configured. However, the maximum number of all IPsec policies in all IPsec policy
groups is 500. In an IPsec policy group, the smaller the sequence number is, the
higher the priority will be.
By default, there is no IPsec policy.
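To make the rules of this step concrete, the following added example (not code from the 3Com guide or the switch firmware) models a small store of IPsec policies that accepts command lines in the shape shown in Table 132: a policy is keyed by name and sequence number, its negotiation mode cannot be changed once created, the total across all groups is capped at 500, and within a group the lowest sequence number has the highest priority. The command syntax and the behaviour of `undo ipsec policy` without a sequence number (removing the whole group) are assumptions taken from the table, and the sample command lines are constructed.

```python
"""Model of the IPsec policy rules described in the guide.

Illustrative example written for this page; it simulates the documented
constraints and is not the switch's own implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Limit stated in the guide for all IPsec policies across all policy groups.
MAX_POLICIES = 500
NEGOTIATION_MODES = ("manual", "isakmp")


class PolicyError(ValueError):
    """Raised when a command violates one of the documented rules."""


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    seq: int
    mode: str  # "manual" or "isakmp"


@dataclass
class PolicyStore:
    # (policy-name, seq-number) -> policy; the pair is the unique identity.
    policies: Dict[Tuple[str, int], IpsecPolicy] = field(default_factory=dict)

    def apply(self, line: str) -> Optional[IpsecPolicy]:
        """Apply one system-view command line.

        Accepted forms (assumed from Table 132):
          ipsec policy <name> <seq-number> manual|isakmp
          undo ipsec policy <name> [<seq-number>]
        Returns the created or existing policy, or None for undo.
        """
        tokens = line.split()
        if tokens[:3] == ["undo", "ipsec", "policy"]:
            self._undo(tokens[3:])
            return None
        if tokens[:2] != ["ipsec", "policy"] or len(tokens) != 5:
            raise PolicyError(f"unrecognised command: {line!r}")
        name, seq_text, mode = tokens[2], tokens[3], tokens[4]
        if mode not in NEGOTIATION_MODES:
            raise PolicyError(f"unknown negotiation mode {mode!r}")
        if not seq_text.isdigit():
            raise PolicyError(f"sequence number must be numeric: {seq_text!r}")
        key = (name, int(seq_text))
        existing = self.policies.get(key)
        if existing is not None:
            # Rule from the guide: the negotiation mode of an existing policy
            # cannot be modified; the policy must be deleted first.
            if existing.mode != mode:
                raise PolicyError(
                    f"policy {name} {key[1]} is {existing.mode}; "
                    f"delete it before recreating it as {mode}")
            return existing  # same mode: re-entering the policy is allowed
        if len(self.policies) >= MAX_POLICIES:
            raise PolicyError(f"maximum of {MAX_POLICIES} IPsec policies reached")
        policy = IpsecPolicy(name, key[1], mode)
        self.policies[key] = policy
        return policy

    def _undo(self, args: List[str]) -> None:
        if not args:
            raise PolicyError("undo ipsec policy requires a policy name")
        name = args[0]
        if len(args) == 1:
            # No sequence number: remove every policy of that name (the group).
            for key in [k for k in self.policies if k[0] == name]:
                del self.policies[key]
            return
        key = (name, int(args[1]))
        if key not in self.policies:
            raise PolicyError(f"no such policy {name} {args[1]}")
        del self.policies[key]

    def group(self, name: str) -> List[IpsecPolicy]:
        """Policies of one group in priority order (lowest seq first)."""
        return sorted((p for (n, _), p in self.policies.items() if n == name),
                      key=lambda p: p.seq)


def demo() -> List[int]:
    """Walk through constructed commands; returns the group's priority order."""
    store = PolicyStore()
    store.apply("ipsec policy corp 20 manual")
    store.apply("ipsec policy corp 10 isakmp")
    try:
        store.apply("ipsec policy corp 20 isakmp")  # mode change is rejected
    except PolicyError as err:
        print("rejected:", err)
    store.apply("undo ipsec policy corp 20")        # delete, then recreate
    store.apply("ipsec policy corp 20 isakmp")
    return [p.seq for p in store.group("corp")]
```

Running `demo()` prints the rejection message for the attempted mode change and returns `[10, 20]`, showing that sequence number 10 outranks 20 within the group and that the policy could only be switched to isakmp after being deleted.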
Table 132 Establish IPsec policy
Operation                                     Command
Manually create an IPsec policy for an SA     ipsec policy policy-name seq-number manual
Modify the IPsec policy of the SA             ipsec policy policy-name seq-number manual
Delete the IPsec policy                       undo ipsec policy policy-name [ seq-number ]
2 Referencing IPsec proposal in IPsec policy