3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IKE Configuration 173
connection Tunnel for IKE negotiation), so that the NAT gateway cannot modify the
IPsec packets themselves. That is, the NAT gateway rewrites only the outermost IP
and UDP headers and leaves the IPsec packets encapsulated inside the UDP packets
intact, which preserves the integrity of the IPsec packets. The authentication
step of IPsec encryption/decryption requires the IPsec packet to arrive at the
destination unmodified; any change to the authenticated part of the packet makes
the integrity check fail. Currently only aggressive mode supports NAT traversal
(main mode does not support NAT traversal).
Usually the two features described above are used together in ADSL + IPsec
networking to solve the problems resulting from dynamic IP addresses on
broadband-access enterprise networks and from NAT traversal on the public network.
Combining the two features provides a secure way to replace the original
leased-line access with ADSL broadband access.
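The following is an added example written for this page, not code from the 3Com guide or the switch itself. It models why UDP encapsulation lets ESP traffic cross a NAT gateway: the ESP integrity check value (ICV) covers only the ESP header and payload, so the gateway rewriting the outer IP address and UDP port does not disturb it, whereas an AH-style ICV that also binds the outer IP addresses fails after translation. It also shows the RFC 3948 Non-ESP marker that separates IKE from ESP on UDP port 4500. The addresses, ports, keys and ciphertext are constructed sample values, and the outer headers are modelled as a dictionary rather than real IP/UDP packets.

```python
"""Added example, not from the 3Com guide: a toy model of IPsec NAT traversal.

ESP is wrapped in UDP (port 4500, RFC 3948 style) so that a NAT gateway only
rewrites the outer IP/UDP headers. The ESP ICV covers only the ESP header and
payload, so it still verifies after NAT; an AH-style ICV that also covers the
outer IP addresses does not. Keys, addresses, ports and payload are constructed
sample values; the outer headers are modelled as a dict, not real packets.
"""
import hashlib
import hmac
import ipaddress
import struct

NAT_T_PORT = 4500   # UDP port used for NAT-T once IKE has detected a NAT
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, ciphertext: bytes, auth_key: bytes) -> bytes:
    """ESP packet: SPI | sequence number | (already encrypted) payload | ICV."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved: it is the Non-ESP marker on port 4500")
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac_sha1_96(auth_key, body)


def verify_esp(esp: bytes, auth_key: bytes) -> bool:
    """Receiver-side ICV check over SPI, sequence number and payload only."""
    if len(esp) < 8 + ICV_LEN:
        return False
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_sha1_96(auth_key, body))


def ah_style_icv(src_ip: str, dst_ip: str, data: bytes, auth_key: bytes) -> bytes:
    """AH binds the (immutable) outer IP addresses into the ICV, so NAT breaks it."""
    addrs = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return hmac_sha1_96(auth_key, addrs + data)


def udp_encapsulate(src_ip: str, dst_ip: str, esp: bytes) -> dict:
    """Outer headers modelled as a dict: IP src/dst and UDP ports 4500/4500."""
    return {"src_ip": src_ip, "dst_ip": dst_ip,
            "sport": NAT_T_PORT, "dport": NAT_T_PORT, "payload": esp}


def nat_translate(pkt: dict, public_ip: str, new_sport: int) -> dict:
    """What the NAT gateway does: rewrite the outer source IP and UDP source port only."""
    out = dict(pkt)
    out["src_ip"] = public_ip
    out["sport"] = new_sport
    return out


def udp_decapsulate(pkt: dict):
    """Strip the UDP shim. Four zero bytes = Non-ESP marker (IKE); otherwise ESP."""
    payload = pkt["payload"]
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike", payload[4:]
    return "esp", payload


def demo():
    """Returns (esp_verifies_after_nat, ah_style_verifies_after_nat)."""
    auth_key = b"constructed-sample-esp-auth-key"
    ciphertext = bytes.fromhex("deadbeefcafebabe0102030405060708")  # stands in for encrypted data
    esp = build_esp(spi=0x1000, seq=1, ciphertext=ciphertext, auth_key=auth_key)

    # Branch host behind NAT (private 192.168.1.10) sends to the head-office gateway 203.0.113.1
    sent = udp_encapsulate("192.168.1.10", "203.0.113.1", esp)
    ah_icv_sent = ah_style_icv(sent["src_ip"], sent["dst_ip"], esp, auth_key)

    # The NAT gateway rewrites the outer source address and UDP source port
    received = nat_translate(sent, public_ip="198.51.100.7", new_sport=61234)

    kind, inner = udp_decapsulate(received)
    esp_ok = kind == "esp" and verify_esp(inner, auth_key)
    ah_ok = hmac.compare_digest(
        ah_icv_sent,
        ah_style_icv(received["src_ip"], received["dst_ip"], inner, auth_key))
    return esp_ok, ah_ok


if __name__ == "__main__":
    print(demo())  # (True, False): ESP survives the NAT, an AH-style check does not
```

The model deliberately leaves out encryption and replay handling; the point is only which bytes the integrity check covers. In a real deployment the UDP port 4500 rewriting by the NAT is also why the peer behind the NAT must be the initiator with a dynamic address, which is what the aggressive-mode-plus-NAT-traversal combination described above is for.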
Preparation for IKE Configuration
Before configuring IKE, settle the following points so that the configuration
proceeds smoothly:
Decide the algorithm strength for the IKE exchange, that is, the level of security
protection (identity authentication method, encryption algorithm, authentication
algorithm and Diffie-Hellman group). Algorithms come in different strengths: the
stronger the algorithm, the harder it is to break the protected data, but the more
computing resources it consumes. Generally, the longer the key, the higher the
algorithm strength.
Agree on the identity authentication key used by both sides of the communication
(for pre-shared key authentication, the same key must be configured on both peers).
IKE Configuration
Introduction to IKE Configuration
IKE configuration includes:
1 Set a name for the local security GW
2 Define IKE proposal
    Establish IKE proposal
    Select encryption algorithm
    Select authentication method
    Select authentication algorithm
    Select Diffie-Hellman group ID
    Set lifetime of ISAKMP SA (optional)
3 Configure IKE peer
    Create an IKE peer
    Configure IKE negotiation mode
    Configure identity authentication key (pre-shared key)
    Configure ID type in IKE negotiation
    Configure IP address in IKE negotiation
    Configure NAT traversal