3Com 3031 Installation Instructions
IPSec Configuration
835
types, manual IPSec policy and IKE negotiation IPSec policy. With a manual IPSec policy, parameters such as the key, the SPI, the SA duration and the IP addresses of the two tunnel ends are configured by hand. With an IKE negotiation IPSec policy, these parameters are generated automatically by IKE negotiation.
An IPSec policy group is a set of IPSec policies that share the same name but have different sequence numbers. Within a policy group, the smaller the sequence number, the higher the priority of the policy.
4 Applying IPSec policies on an interface
Applying all the IPSec policies of a group to an interface lets the interface give different security protection to the different data streams that pass through it.
IPSec Configuration
IPSec configuration includes:
1 Configure ACL
2 Configure IPSec proposal
■ Define IPSec proposal
■ Select security protocol
■ Select security algorithm
■ Select packet encapsulation mode
3 Configure IPSec policy
■ Define IPSec policy
■ Apply IPSec proposal to IPSec policy
■ Apply ACL to IPSec policy
■ Configure duration for SA
■ Configure start and end for tunnel
■ Configure SPI for SA
■ Configure key for SA
■ Set IKE peer for IPSec policy
■ Set PFS for negotiation
4 Apply IPSec policies on an interface
5 Other configurations
■ Configure duration for global SA
■ Configure IPSec policy template
Defining ACL
The role of an ACL in IPSec differs from its role in a firewall. Normally, an ACL determines which traffic is permitted and which is denied on a given interface. In IPSec, however, the ACL tells IPSec which packets need security protection and which do not; an ACL applied in IPSec is therefore an encryption ACL. Packets permitted by the ACL are protected, while packets denied by the ACL are not. An encryption ACL can be applied on both inbound and outbound interfaces.
For more information, see “1.4.3 II ACL”.
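The two rules stated above, that a policy group is walked in ascending sequence number and that a packet is protected only if the policy's encryption ACL permits it, can be modelled in a few lines. The following Python is an added example written for this page; it is not code or configuration from the 3Com 3031 manual. The rule format (permit/deny by source and destination network), the class names and the sample policy group are constructed for illustration, and the assumption that a flow denied or unmatched by one policy's ACL falls through to the next policy in the group is a modelling choice, not something the page states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class AclRule:
    """One rule of an encryption ACL (rule format is an assumption for this example)."""
    action: str   # "permit" = protect with IPSec, "deny" = leave unprotected
    src: str      # source network, e.g. "10.1.0.0/16"
    dst: str      # destination network


@dataclass
class IpsecPolicy:
    """An IPSec policy: its group name, sequence number and encryption ACL."""
    name: str
    seq: int
    acl: List[AclRule]


def acl_match(rules: List[AclRule], src: str, dst: str) -> Optional[str]:
    """First-match evaluation of an encryption ACL for one flow.

    Returns "permit", "deny", or None when no rule covers the flow.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action
    return None


def select_policy(group: List[IpsecPolicy], src: str, dst: str) -> Optional[IpsecPolicy]:
    """Pick the policy in a group that will protect a flow.

    Policies are tried in ascending sequence number (smaller = higher priority).
    The first policy whose encryption ACL permits the flow wins. A flow that is
    denied or unmatched by one policy's ACL falls through to the next policy
    (assumed behaviour); if no policy permits it, it is forwarded unprotected.
    """
    for policy in sorted(group, key=lambda p: p.seq):
        if acl_match(policy.acl, src, dst) == "permit":
            return policy
    return None


def sample_group() -> List[IpsecPolicy]:
    """Constructed sample: one policy group named "map" with two policies."""
    return [
        # seq 20: protect everything from 10.1.0.0/16 to 10.2.0.0/16
        IpsecPolicy("map", 20, [AclRule("permit", "10.1.0.0/16", "10.2.0.0/16")]),
        # seq 10 (higher priority): deny 10.1.1.0/24, permit the rest of the /16
        IpsecPolicy("map", 10, [
            AclRule("deny", "10.1.1.0/24", "10.2.0.0/16"),
            AclRule("permit", "10.1.0.0/16", "10.2.0.0/16"),
        ]),
    ]


if __name__ == "__main__":
    group = sample_group()
    flows = [("10.1.2.5", "10.2.0.9"), ("10.1.1.5", "10.2.0.9"), ("192.168.0.1", "10.2.0.9")]
    for src, dst in flows:
        chosen = select_policy(group, src, dst)
        verdict = f"policy {chosen.name} seq {chosen.seq}" if chosen else "sent in clear"
        print(f"{src} -> {dst}: {verdict}")
```

The constructed group illustrates a point worth checking on a real policy group: a deny rule in the higher-priority policy (seq 10) does not exempt the 10.1.1.0/24 flow from IPSec altogether, because the lower-priority policy (seq 20) still permits it. A flow that no policy permits, such as the 192.168.0.1 source, leaves the interface unprotected.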