Alcatel-Lucent 6850-48 Network Guide

Quick Steps for Configuring an IPsec AH Policy
Configuring IPsec
page 27-4
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
IP Authentication Header (AH) provides data origin authentication, data integrity, and replay protection.
Data integrity verifies that the contents of the datagram were not changed in transit, either deliberately or
due to random errors. Note, however, that AH does not provide data encryption.
Configure the master security key. The master security key must be set if keys are to be encrypted 
when saved in the boot.cfg and snapshot files. 
-> ipsec security-key master-key-12345 
Define the policy. A policy defines the traffic that requires IPsec protection. The commands below 
define a bi-directional policy for any protocol and the associated IPv6 address ranges. For example:
-> ipsec policy ALLoutMD5 source 664:1:1:1::199/64 destination 664:1:1:1::1/64 protocol any out ipsec shutdown
-> ipsec policy ALLinMD5 source 664:1:1:1::1/64 destination 664:1:1:1::199/64 protocol any in ipsec shutdown
Define the rule. A rule defines the security services for the traffic defined by its associated policy. For
example, the commands below add an AH rule to the policies defined above:
-> ipsec policy ALLoutMD5 rule 1 ah 
-> ipsec policy ALLinMD5 rule 1 ah
Enable the policies. A policy cannot be enabled until its rules are defined. Now that rules have been
defined, enable the policies using the commands below:
-> ipsec policy ALLoutMD5 no shutdown
-> ipsec policy ALLinMD5 no shutdown
Define the security keys. Each SA has its own unique set of security keys. The key name is the name of the
SA that will use the key, and the key length must match the key size of the authentication algorithm. Keys
must be defined before the SA can be enabled.
-> ipsec key ALLoutMD5_SA sa-authentication 0x11112222333344445555666677778888
-> ipsec key ALLinMD5_SA sa-authentication 0x11112222333344445555666677778888
Define the SA. An SA specifies the actual actions to be performed. The security parameters index (SPI),
in combination with the source and destination addresses, uniquely identifies an SA. An identical SA (same
SPI, source, and destination) must be configured on both systems exchanging IPsec-protected traffic.
-> ipsec sa ALLoutMD5_SA ah source 664:1:1:1::199 destination 664:1:1:1::1 spi 2000 authentication HMAC-MD5 no shutdown
-> ipsec sa ALLinMD5_SA ah source 664:1:1:1::1 destination 664:1:1:1::199 spi 2001 authentication HMAC-MD5 no shutdown
Use the following show commands to verify the IPsec configuration: 
-> show ipsec policy
-> show ipsec sa
-> show ipsec key sa-authentication
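The steps above impose several consistency rules that the show commands do not check for you: every rule must name a defined policy and every policy needs a rule before it can be enabled, traffic in both directions needs a mirrored pair of policies, each SA needs a key carrying the SA's name whose length matches the algorithm's key size, and the SPI plus source and destination must identify exactly one SA. The Python script below is an added example, not part of this guide or of AOS; it parses CLI lines in the form shown on this page and audits them for those rules. The sample configuration reproduces the page's commands; the HMAC-SHA1 key size is an assumption added for illustration.

```python
import re
# Key size in bytes per algorithm: HMAC-MD5 is the page's algorithm; HMAC-SHA1 is an assumed addition.
AUTH_KEY_BYTES = {"HMAC-MD5": 16, "HMAC-SHA1": 20}
# Constructed sample: the AH configuration from this page, one command per line.
SAMPLE_CONFIG = """
-> ipsec policy ALLoutMD5 source 664:1:1:1::199/64 destination 664:1:1:1::1/64 protocol any out ipsec shutdown
-> ipsec policy ALLinMD5 source 664:1:1:1::1/64 destination 664:1:1:1::199/64 protocol any in ipsec shutdown
-> ipsec policy ALLoutMD5 rule 1 ah
-> ipsec policy ALLinMD5 rule 1 ah
-> ipsec key ALLoutMD5_SA sa-authentication 0x11112222333344445555666677778888
-> ipsec key ALLinMD5_SA sa-authentication 0x11112222333344445555666677778888
-> ipsec sa ALLoutMD5_SA ah source 664:1:1:1::199 destination 664:1:1:1::1 spi 2000 authentication HMAC-MD5 no shutdown
-> ipsec sa ALLinMD5_SA ah source 664:1:1:1::1 destination 664:1:1:1::199 spi 2001 authentication HMAC-MD5 no shutdown
"""
POLICY_RE = re.compile(r"ipsec policy (\S+) source (\S+) destination (\S+) protocol \S+ (in|out)")
RULE_RE = re.compile(r"ipsec policy (\S+) rule \d+ (ah|esp)$")
KEY_RE = re.compile(r"ipsec key (\S+) sa-authentication 0x([0-9a-fA-F]+)")
SA_RE = re.compile(r"ipsec sa (\S+) (ah|esp) source (\S+) destination (\S+) spi (\d+) authentication (\S+)")

def audit(config):
    # Returns the list of consistency problems found in the CLI lines (empty if the config is consistent).
    policies, rules, keys, sas = {}, set(), {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        line = line[2:].strip() if line.startswith("->") else line
        if m := POLICY_RE.match(line):
            policies[m[1]] = (m[2], m[3], m[4])         # name -> (src, dst, direction)
        elif m := RULE_RE.match(line):
            rules.add(m[1])
        elif m := KEY_RE.match(line):
            keys[m[1]] = m[2]                           # name -> hex digits of the key
        elif m := SA_RE.match(line):
            sas[m[1]] = (m[3], m[4], int(m[5]), m[6])   # name -> (src, dst, spi, algorithm)
    problems = []
    # A rule must name a defined policy, and a policy cannot be enabled until it has a rule.
    problems += [f"rule references undefined policy {p}" for p in rules - set(policies)]
    problems += [f"policy {p} has no rule" for p in set(policies) - rules]
    # Bi-directional protection needs an opposite-direction policy with mirrored addresses.
    mirrored = {(d, s, "in" if dr == "out" else "out") for s, d, dr in policies.values()}
    problems += [f"policy {p} has no mirrored counterpart" for p, v in policies.items() if v not in mirrored]
    # Every SA needs a key carrying the SA's name, and the key must match the algorithm's key size.
    for name, (_, _, _, algo) in sas.items():
        if name not in keys:
            problems.append(f"SA {name} has no sa-authentication key")
        elif algo not in AUTH_KEY_BYTES:
            problems.append(f"SA {name} uses unsupported algorithm {algo}")
        elif len(keys[name]) != 2 * AUTH_KEY_BYTES[algo]:
            problems.append(f"SA {name}: key is {len(keys[name])} hex digits, {algo} needs {2 * AUTH_KEY_BYTES[algo]}")
    # The SPI together with source and destination must identify exactly one SA.
    ids = [(s, d, spi) for s, d, spi, _ in sas.values()]
    problems += [f"duplicate SA identity spi={spi} {s}->{d}" for s, d, spi in set(ids) if ids.count((s, d, spi)) > 1]
    return problems
```

Running `audit(SAMPLE_CONFIG)` on the page's configuration returns no problems; shortening one key or dropping one direction's policy produces a finding that names the SA or policy concerned.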