Alcatel-Lucent 6850-48 Network Guide

Configuring IPsec on the OmniSwitch
Configuring IPsec
page 27-12
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
The above command replaces the old security key with the new key value. The old key value must be entered to modify an existing key. If an incorrect old key value is entered, then setting the new key will fail.
When the master security key is set or changed, its value is immediately propagated to the secondary CMM. In a stacked configuration, the master security key is saved to all modules in the stack. When the master security key is changed, save and synchronize the current configuration to ensure the proper operation of IPsec in the event of a switch reboot or takeover.
Note. By default, no master security key is set for the switch. When no master security key is configured for the switch, the SA key values are written unencrypted to permanent storage (boot.cfg or other configuration file).
Configuring an IPsec Policy
A policy determines how traffic is going to be processed. For example, policies are used to decide if a particular IP packet needs to be processed by IPsec or not. If security is required, the security policy provides general guidelines as to how it should be provided, and if necessary, links to more specific detail.
Each IPsec security policy is unidirectional and can be applied to IPv6 inbound or outbound traffic depending upon the security level required for the network. Therefore, in order to cover all traffic between source and destination, a minimum of two policies need to be defined: one policy for inbound traffic and another policy for outbound traffic.
To configure an IPsec policy, use the ipsec policy command along with the policy name, source IPv6 address, destination IPv6 address and optional parameters such as IPv6 port number and protocol to which the security policy applies. For example:
Local System
-> ipsec policy tcp_in source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 protocol tcp in ipsec description "IPsec on all inbound TCP" no shutdown
-> ipsec policy tcp_out source 3ffe:1:1:1::1 destination 3ffe:1:1:1::99 protocol tcp out ipsec description "IPsec on all outbound TCP" no shutdown
Remote System
-> ipsec policy tcp_out source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 protocol tcp out ipsec description "IPsec on all outbound TCP" no shutdown
-> ipsec policy tcp_in source 3ffe:1:1:1::1 destination 3ffe:1:1:1::99 protocol tcp in ipsec description "IPsec on all inbound TCP" no shutdown
The above commands configure bi-directional IPsec coverage (one inbound and one outbound policy on each system) for IPv6 traffic destined to or from the specified IPv6 addresses and indicate that the traffic should be processed using IPsec.
Prefixes can also be used when configuring a policy to match a range of addresses as shown below:
-> ipsec policy tcp_in source 3ffe::/16 destination 4ffe::/16 protocol tcp in ipsec description "Any 3ffe to any 4ffe" no shutdown
Use the no form of the command to remove the configured IPsec policy. For example:
-> no ipsec policy tcp_in
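Because every policy is unidirectional, a configuration is easy to leave half-covered. The following Python lint is an added example, not part of the guide or of AOS: it parses ipsec policy lines of the form shown above, rejects malformed IPv6 addresses (such as an address missing its "::"), and names any policy whose return traffic has no mirror-image policy. The sample configuration is constructed from the guide's addresses; the added any_in and bad_out lines are ours.

```python
"""Lint OmniSwitch 'ipsec policy' lines: parse, reject bad IPv6 addresses, find one-way flows."""
import ipaddress
import shlex
from collections import namedtuple

# Constructed sample: the guide's "Local System" lines, one prefix-based policy and
# one deliberately malformed line (the combination is ours, not the guide's).
SAMPLE_CONFIG = """
-> ipsec policy tcp_in source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 protocol tcp in ipsec description "IPsec on all inbound TCP" no shutdown
-> ipsec policy tcp_out source 3ffe:1:1:1::1 destination 3ffe:1:1:1::99 protocol tcp out ipsec description "IPsec on all outbound TCP" no shutdown
-> ipsec policy any_in source 3ffe::/16 destination 4ffe::/16 protocol tcp in ipsec description "Any 3ffe to any 4ffe" no shutdown
-> ipsec policy bad_out source 3ffe:1:1:1::1 destination 3ffe:1:1:1:99 protocol tcp out ipsec
"""

# source/destination are IPv6Network objects (a host address becomes /128); direction is "in" or "out".
Policy = namedtuple("Policy", "name source destination protocol direction")

def parse_policy(line: str) -> Policy:
    """Parse one CLI line of the form shown in the guide; raises ValueError on bad input."""
    tokens = shlex.split(line.strip().lstrip("-> "))
    if tokens[:2] != ["ipsec", "policy"]:
        raise ValueError(f"not an ipsec policy command: {line.strip()!r}")
    fields, i = {"name": tokens[2]}, 3
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("source", "destination", "protocol", "description"):
            fields[tok], i = tokens[i + 1], i + 2
        elif tok in ("in", "out"):
            fields["direction"], i = tok, i + 2   # token after in/out is the action (ipsec)
        elif tokens[i:i + 2] == ["no", "shutdown"]:
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} in policy {fields['name']}")
    # strict=False parses a bare host address as /128; 3ffe:1:1:1:99 (one group short, no '::') raises here
    return Policy(fields["name"], ipaddress.IPv6Network(fields["source"], strict=False),
                  ipaddress.IPv6Network(fields["destination"], strict=False),
                  fields["protocol"], fields["direction"])

def lint_config(text: str):
    """Return (policies, errors, one_way): parsed policies, per-line errors, policies lacking a return-direction twin."""
    policies, errors = [], []
    for line in filter(str.strip, text.splitlines()):
        try:
            policies.append(parse_policy(line))
        except (ValueError, IndexError, KeyError) as exc:
            errors.append(f"{line.strip()[:40]}...: {exc}")
    keys = {(p.source, p.destination, p.protocol, p.direction) for p in policies}
    mirror = lambda p: (p.destination, p.source, p.protocol, "out" if p.direction == "in" else "in")
    return policies, errors, sorted(p.name for p in policies if mirror(p) not in keys)
```

Run against the sample, the lint parses the three well-formed policies, reports the malformed destination on bad_out, and flags any_in because no policy covers 4ffe::/16 back to 3ffe::/16.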