3com 3031 Installation Instructions
836  CHAPTER 60: IPSEC CONFIGURATION
Encryption ACLs defined at the local and peer routers must be consistent (that is, they must mirror each other), so that either side can decrypt the data encrypted at the other side. For example:
Local end:
acl number 2101
rule 1 permit ip source 173.1.1.1 0.255.255.255 destination 173.2.2.2 0.255.255.255
Peer end:
acl number 2101
rule 1 permit ip source 173.2.2.2 0.255.255.255 destination 173.1.1.1 0.255.255.255
IPSec protects the data flow permitted by the ACL; therefore, users are recommended to configure the ACL accurately, that is, to permit only the data flow that needs IPSec protection, so as to avoid excessive use of the keyword any.
Users are recommended to configure the ACLs of the local and peer ends as mirrors of each other.
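As an added example (not part of the 3Com manual), the following Python checker parses rule lines in the syntax shown above and verifies that the local and peer ACLs mirror each other, and flags permit rules that rely on the keyword any. The parser, the address normalisation and the sample ACLs are constructed here for illustration.

```python
import re

# Matches the rule syntax shown in the manual excerpt, e.g.
#   rule 1 permit ip source 173.1.1.1 0.255.255.255 destination 173.2.2.2 0.255.255.255
# and also the "any" keyword that the manual advises against overusing.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"source\s+(any|\S+\s+\S+)\s+destination\s+(any|\S+\s+\S+)"
)

def ip_to_int(addr):
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def endpoint_key(spec):
    """Normalise 'addr wildcard' (or 'any') so that equivalent matches compare
    equal: address bits under a set wildcard bit are 'don't care' and are zeroed."""
    if spec == "any":
        return (0, 0xFFFFFFFF)
    addr, wildcard = spec.split()
    wc = ip_to_int(wildcard)
    return (ip_to_int(addr) & ~wc & 0xFFFFFFFF, wc)

def parse_permits(acl_text):
    """Return the set of (source_key, destination_key) for every permit rule."""
    flows = set()
    for m in map(RULE_RE.search, acl_text.splitlines()):
        if m and m.group(2) == "permit":
            flows.add((endpoint_key(m.group(3)), endpoint_key(m.group(4))))
    return flows

def acls_mirror(local_text, peer_text):
    """True when every protected flow on one end appears on the other end with
    source and destination swapped, so either side can decrypt the other's traffic."""
    local = parse_permits(local_text)
    peer_reversed = {(dst, src) for src, dst in parse_permits(peer_text)}
    return bool(local) and local == peer_reversed

def uses_any(acl_text):
    """Flag permit rules that match 'any' on either side (over-broad IPSec scope)."""
    return any("any" in (m.group(3), m.group(4))
               for m in map(RULE_RE.search, acl_text.splitlines())
               if m and m.group(2) == "permit")

# Constructed sample ACLs following the manual's local/peer example.
LOCAL_ACL = "acl number 2101\nrule 1 permit ip source 173.1.1.1 0.255.255.255 destination 173.2.2.2 0.255.255.255\n"
PEER_ACL = "acl number 2101\nrule 1 permit ip source 173.2.2.2 0.255.255.255 destination 173.1.1.1 0.255.255.255\n"
# A peer end with an extra over-broad rule: no longer a mirror, and it uses 'any'.
BROAD_PEER_ACL = PEER_ACL + "rule 2 permit ip source any destination 173.1.1.1 0.255.255.255\n"
```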
Executing the display acl command displays all the ACLs, including all the extended IP ACLs, regardless of whether they are used for communications filtering or for encryption. Simply speaking, the system does not distinguish between the extended ACLs for these two purposes in the output of this command.
Defining IPSec Proposal
An IPSec proposal saves the particular security protocol and the encryption/authentication algorithms applied in IPSec; it provides the security parameters that IPSec uses in SA negotiation. To ensure the success of a negotiation, the two ends involved in the negotiation MUST use the same IPSec proposal.
Perform the following tasks to configure an IPSec proposal.
■ Define IPSec proposal
■ Select security protocol
■ Select security algorithms
■ Set the mode adopted by the security protocol in IP datagram encapsulation
Defining IPSec proposal
An IPSec proposal is a set of security protocol, algorithms and packet encapsulation format used to implement IPSec protection. An IPSec policy determines the adopted security protocol, algorithms, and encapsulation mode by referencing one or more IPSec proposals. Before an IPSec proposal is referenced by an IPSec policy, that proposal must already have been created. Up to 50 IPSec proposals can be configured.
You are allowed to modify an IPSec proposal, but such modifications do not take effect on an SA that has already been set up between the two sides by negotiation using that proposal, unless you execute the reset ipsec sa command to reset the SA. New security proposals can only apply to new SAs.