3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration 155
For a manually configured IPsec policy, a security tunnel can be set up only if
both the local and peer addresses are correctly configured. (An ISAKMP SA can
obtain the local and peer addresses automatically, so it does not require the
local or peer address to be configured.)
5 Configuring SA SPI
This configuration task applies only to a manually created IPsec policy. Use the
following command to configure the SA SPI when creating an SA manually. An
isakmp-mode IPsec policy does not need manual configuration; IKE automatically
negotiates the SPI and creates the SA.
Perform the following configuration in IPsec policy view.
When configuring an SA for the system, you must set the parameters in the
inbound and outbound directions separately.
The SA parameters set at both ends of the security tunnel must match exactly.
The SPI and key in the inbound SA at the local end must be the same as those in
the outbound SA at the remote end. Likewise, the SPI and key in the outbound SA
at the local end must be the same as those in the inbound SA at the remote end.
6 Configuring key for SA
This configuration applies only to a manual-mode IPsec policy. The security
association key can be entered manually with the following commands. (For an
IPsec policy negotiated through isakmp, the key does not need to be configured
manually; IKE automatically negotiates the security association key.)
Perform the following configuration in IPsec policy view.
Table 135 Configure Tunnel start/end point

Operation                                                 Command
Delete the peer address configured in the IPsec policy    undo tunnel remote [ ip-address ]

Table 136 Configure an SA SPI

Operation              Command
Configure an SA SPI    sa spi { inbound | outbound } { ah | esp } spi-number
Delete the SA SPI      undo sa spi { inbound | outbound } { ah | esp }

Table 137 Configure key used by security association

Operation                                                       Command
Configure AH protocol authentication key (input in hex form)    sa authentication-hex { inbound | outbound } { ah | esp } hex-key
Configure protocol key (input in character string)              sa string-key { inbound | outbound } { ah | esp } string-key
Configure ESP encryption key (input in hex form)                sa encryption-hex { inbound | outbound } esp hex-key
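
The matching rule stated above (local inbound must equal remote outbound, and the reverse) can be checked before a manual-mode tunnel is brought up. The following is an added example, not part of the 3Com guide: a Python check over the sa commands of Tables 136 and 137 collected from both ends. The function names are hypothetical, and the SPIs and keys in the sample are constructed values.

```python
import re

# Manual-mode SA commands from Tables 136 and 137 of this page.
SA_LINE = re.compile(r"^\s*sa\s+(spi|authentication-hex|string-key|encryption-hex)"
                     r"\s+(inbound|outbound)\s+(ah|esp)\s+(\S+)\s*$")
MIRROR = {"inbound": "outbound", "outbound": "inbound"}

def parse_sa(config):
    """Return {(command, direction, protocol): value} for each 'sa ...' line."""
    params = {}
    for line in config.splitlines():
        m = SA_LINE.match(line)
        if m:
            kind, direction, proto, value = m.groups()
            # Hex keys compare case-insensitively; string keys and SPIs as typed.
            params[(kind, direction, proto)] = value.lower() if kind.endswith("-hex") else value
    return params

def check_mirror(local_cfg, remote_cfg):
    """List SA parameters that break the inbound/outbound matching rule."""
    local, remote = parse_sa(local_cfg), parse_sa(remote_cfg)
    problems = []
    for (kind, direction, proto), value in sorted(local.items()):
        peer = remote.get((kind, MIRROR[direction], proto))
        if peer is None:
            problems.append(f"remote lacks: sa {kind} {MIRROR[direction]} {proto}")
        elif peer != value:
            # Report the parameter only, never the key material itself.
            problems.append(f"mismatch: local {direction} vs remote {MIRROR[direction]} {proto} {kind}")
    for kind, direction, proto in sorted(remote):
        if (kind, MIRROR[direction], proto) not in local:
            problems.append(f"local lacks: sa {kind} {MIRROR[direction]} {proto}")
    return problems

# Constructed sample configurations (SPIs and keys are made-up test values).
LOCAL = """
sa spi inbound esp 54321
sa spi outbound esp 12345
sa encryption-hex inbound esp 0011223344556677
sa encryption-hex outbound esp 8899AABBCCDDEEFF
"""
REMOTE_OK = """
sa spi inbound esp 12345
sa spi outbound esp 54321
sa encryption-hex inbound esp 8899aabbccddeeff
sa encryption-hex outbound esp 0011223344556677
"""
# The local lines pasted on the remote end without swapping the directions.
REMOTE_COPIED = LOCAL

if __name__ == "__main__":
    print(check_mirror(LOCAL, REMOTE_OK))
    print(check_mirror(LOCAL, REMOTE_COPIED))
```

The REMOTE_COPIED case shows the usual failure: the same lines entered on both switches leave every direction mismatched, even though each end looks complete on its own.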