Black Box ET0010A User Manual
ETEP Configuration
338
EncrypTight User Guide
Selecting the Traffic Handling Mode
The ETEP has three options for processing packets:
●
Encrypt all packets
●
Discard all packets
●
Pass all packets in the clear
Under normal operation, the ETEP is configured to encrypt all traffic that is exchanged between two peer
appliances. This is the ETEP’s default mode of operation. Other methods of traffic handling are used for
debugging and troubleshooting. The traffic handling setting persists through a reboot.
appliances. This is the ETEP’s default mode of operation. Other methods of traffic handling are used for
debugging and troubleshooting. The traffic handling setting persists through a reboot.
How the ETEP Encrypts and Authenticates Traffic
When operating as a Layer 2 encryptor in a point-to-point policy, the ETEP’s encapsulation mode
authenticates the encrypted frame’s Ethernet payload. The ETEP uses the AES algorithm with 256-bit
keys to encrypt the Ethernet payload. The HMAC-SHA-1 authentication algorithm provides the data
origin authentication and data integrity.
authenticates the encrypted frame’s Ethernet payload. The ETEP uses the AES algorithm with 256-bit
keys to encrypt the Ethernet payload. The HMAC-SHA-1 authentication algorithm provides the data
origin authentication and data integrity.
Figure 117 Layer 2 encrypted frame format
To encrypt traffic, ETEPs must establish security associations (SAs). A security association defines the
processing to be done on a specific packet. It associates security services and a key with the traffic to be
protected and the remote peer with whom secured traffic is being exchanged. The SA is a unidirectional
secure tunnel through which data passes between the two appliances. Each secure connection has two
SAs, one for each direction. SAs are identified by a value called an SPI.
processing to be done on a specific packet. It associates security services and a key with the traffic to be
protected and the remote peer with whom secured traffic is being exchanged. The SA is a unidirectional
secure tunnel through which data passes between the two appliances. Each secure connection has two
SAs, one for each direction. SAs are identified by a value called an SPI.
In point-to-point Layer 2 configurations the SAs are automatically negotiated using IKE. Timeout values
force the IKE protocol to renegotiate the IKE Phase 1 and Phase 2 keys periodically. The ETEP can uses
a preshared key for authentication in IKE negotiations.
force the IKE protocol to renegotiate the IKE Phase 1 and Phase 2 keys periodically. The ETEP can uses
a preshared key for authentication in IKE negotiations.
When encrypting traffic the ETEP uses the values shown in
. These values are
hard-coded and cannot be modified by the user.
Table 107 IKE Phase 1 Parameters
Parameter
Value
Cipher algorithm
AES-256
Hash algorithm
HMAC-SHA-1
Diffie-Hellman group
5
Lifetime
24 hours
Negotiation mode
Main mode
Table 108 IKE Phase 2 Parameters
Parameter
Value
Cipher algorithm
AES-256