3Com 3031 Installation Instructions

Chapter 60: IPSec Configuration
support some advanced features of IPSec, such as the key update timer. Its advantage, however, is that it can implement IPSec independently of IKE. The latter is much easier, because the SA can be established and maintained by IKE auto-negotiation as long as the security policies for IKE negotiation are configured.
Manual mode is feasible when there are only a few peer devices, or in a small, static environment. For a medium- or large-sized dynamic environment, IKE auto-negotiation mode is recommended.
Implementation of IPSec 
The software implements the IPSec features described above.
Via IPSec, peers (here, the router running the software and its remote peer) can apply different security protections (authentication, encryption, or both) to different data streams, which are distinguished by ACL. The protection elements, namely the security protocol, authentication algorithm, encryption algorithm and operation mode, are defined in an IPSec proposal. The association between data streams and an IPSec proposal (that is, applying a certain protection to a certain data stream), together with the SA negotiation mode, the peer IP address configuration (i.e., the start and end points of the protected path), the required keys and the SA lifetime, is defined in IPSec policies. Finally, the IPSec policies are applied to router interfaces. This is the IPSec configuration process.
The steps are described in detail below:
Defining data streams to be protected
A data stream is an aggregation of traffic selected by source address/mask, destination address/mask, IP protocol number, source port number and destination port number. An ACL rule defines a data stream; that is, the traffic matching an ACL rule logically forms one data stream. A data stream can be a single TCP connection between two hosts or all traffic between two subnets. IPSec can apply different security protections to different data streams, so the first step of IPSec configuration is to define the data streams.
Defining IPSec proposal
An IPSec proposal prescribes the security protocol, authentication algorithm and encryption algorithm, as well as the operation mode (namely, the packet encapsulation mode), for the data streams to be protected.
AH and ESP can be used either independently or together. AH supports the MD5 and SHA-1 authentication algorithms. ESP supports the MD5 and SHA-1 authentication algorithms as well as the DES and 3DES encryption algorithms. The operation modes supported by the software are transport mode and tunnel mode.
For a given data stream, both peers must be configured with the identical protocol, algorithms and operation mode. Moreover, if IPSec is applied between two security gateways (such as between routers), tunnel mode is recommended so as to hide the real source and destination addresses.
Therefore, you should define an IPSec proposal based on your requirements so that you can associate it with data streams.
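The two steps so far (data streams defined by ACL five-tuple rules, and the IPSec proposal whose protocol, algorithms and mode both peers must share) modelled in Python. This is an added example, not code or CLI syntax from the 3Com manual; the class and field names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AclRule:
    # One ACL rule = one data stream: src/dst prefix, IP protocol, ports (None = any).
    src: str
    dst: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, src, dst, proto=None, sport=None, dport=None):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

@dataclass(frozen=True)
class IpsecProposal:
    # Security protocol, algorithms and encapsulation mode from the manual's feature list.
    name: str
    protocol: str           # "ah", "esp" or "ah-esp" (AH and ESP may be combined)
    auth: str               # "md5" or "sha1"
    encrypt: Optional[str]  # "des", "3des", or None (AH alone provides no encryption)
    mode: str               # "transport" or "tunnel"

def proposal_errors(p):
    """List the ways a proposal falls outside the supported feature set."""
    errs = []
    if p.protocol not in ("ah", "esp", "ah-esp"): errs.append("unknown protocol")
    if p.auth not in ("md5", "sha1"): errs.append("unsupported authentication algorithm")
    if p.encrypt not in (None, "des", "3des"): errs.append("unsupported encryption algorithm")
    if p.protocol == "ah" and p.encrypt is not None: errs.append("AH cannot encrypt")
    if p.mode not in ("transport", "tunnel"): errs.append("unknown mode")
    return errs

def peers_match(local, remote):
    """Both peers must agree on protocol, algorithms and mode for the same data stream."""
    return ((local.protocol, local.auth, local.encrypt, local.mode)
            == (remote.protocol, remote.auth, remote.encrypt, remote.mode))

def stream_for(rules, src, dst, proto=None, sport=None, dport=None):
    """Return the first ACL rule (data stream) the packet belongs to, or None (first match wins)."""
    for r in rules:
        if r.matches(src, dst, proto, sport, dport):
            return r
    return None

# Constructed sample: one narrow HTTPS stream, then a catch-all between two subnets.
RULES = [AclRule("10.1.1.0/24", "10.2.2.0/24", "tcp", None, 443),
         AclRule("10.1.0.0/16", "10.2.0.0/16")]
```

Order the rules from most to least specific, since `stream_for` returns the first match.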
Defining IPSec policy or IPSec policy group
An IPSec policy specifies a certain IPSec proposal for a certain data stream. An IPSec policy is uniquely identified by its "name" and "sequence number". It falls into two