Alcatel-Lucent 6850-48 Network Guide
Configuring IPsec
Configuring IPsec on the OmniSwitch
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 27-17
Configuring the ESP Key Size
Some types of encryption algorithms allow the key size to be specified; specifying the key length overrides
the default value. To do so, use the key-size option after the specified encryption algorithm. For example:
-> ipsec sa tcp_in_ah esp source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 spi 9901 encryption aes-cbc key-size 192
The above command configures an IPsec SA of ESP using aes-cbc and a key length of 192 bits. You can
allow an IPsec SA to operate as an ESP confidentiality-only SA by using the none option with the
authentication parameter or by simply omitting the authentication parameter from the command.
or the
command for supported encryption
types and key lengths.
Verifying IPsec SA
To display the configured IPsec SA, use the show ipsec sa command. For example:
-> show ipsec sa
Name       Type Source-> Destination[SPI]                Encryption Authentication State
---------+---+----------------------------------------+----------+-------------+---
tcp_in_ah  ah   3ffe:1:1:1::99 -> 3ffe:1:1:1::1 [9901]   none       hmac-sha1      active
tcp_out_ah ah   3ffe:1:1:1::1 -> 3ffe:1:1:1::99 [9902]   none       hmac-sha1      active
To display the configuration of a specific IPsec SA, use the show ipsec sa command followed by the
name of the configured IPsec SA. For example:
-> show ipsec sa tcp_in_ah
Name = tcp_in_ah
Type = AH
Source = 3ffe:1:1:1::99,
Destination = 3ffe:1:1:1::1,
SPI = 9901
Encryption = none
Authentication = hmac-sha1
State = active
Description:
"HMAC SHA1 on traffic from 99 to 1
Configuring IPsec SA Keys
To configure the authentication and encryption keys for a manually configured SA, use the ipsec key
command along with the SA name and the key value that will be used for AH or ESP. For example:
-> ipsec key tcp_in_ah sa-authentication 0x11223344556677889900112233445566
The above command configures an IPsec SA key named tcp_in_ah. This IPsec SA key will be used for the
AH authentication protocol and has a value of 0x11223344556677889900112233445566.
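
The following Python linter is an added example, not part of the Alcatel-Lucent guide. It checks manually keyed SA commands like the ones above for ESP SAs configured without authentication, authentication keys whose length does not match the algorithm, and keys that are a digit pattern rather than random, and it generates a random replacement key. The RFC key lengths, the "authentication hmac-sha1" form of the AH command, and the SA name esp_in with SPI 9903 are assumptions.

```python
import re
import secrets

# Key lengths in bits per RFC 2403, RFC 2404 and RFC 3602. Assumption: the switch
# expects the same lengths; confirm against its own table of key lengths.
AUTH_BITS = {"hmac-md5": 128, "hmac-sha1": 160}
AES_CBC_SIZES = {"128", "192", "256"}
SA_RE = re.compile(r"ipsec sa (\S+) (esp|ah)\b(.*)")
KEY_RE = re.compile(r"ipsec key (\S+) sa-authentication 0x([0-9a-fA-F]+)$")

# Constructed sample. The key command is the page's; the AH line's
# "authentication hmac-sha1" form, esp_in and SPI 9903 are assumptions.
SAMPLE = """\
-> ipsec sa tcp_in_ah ah source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 spi 9901 authentication hmac-sha1
-> ipsec key tcp_in_ah sa-authentication 0x11223344556677889900112233445566
-> ipsec sa esp_in esp source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 spi 9903 encryption aes-cbc key-size 192
"""

def opt(rest, name):  # value after keyword `name` in an SA command, or None
    m = re.search(rf"\b{name} (\S+)", rest)
    return m.group(1) if m else None

def lint(config):
    """Return (sa_name, finding) tuples for manual-SA commands, one per line."""
    findings, auth_of = [], {}
    for line in config.splitlines():
        line = line.strip().removeprefix("-> ")
        if m := SA_RE.match(line):
            name, kind, rest = m.groups()
            auth_of[name] = opt(rest, "authentication") or "none"
            if kind == "esp" and auth_of[name] == "none":
                findings.append((name, "ESP without authentication: no integrity protection"))
            size = opt(rest, "key-size")
            if opt(rest, "encryption") == "aes-cbc" and size and size not in AES_CBC_SIZES:
                findings.append((name, f"aes-cbc key-size {size} is not 128, 192 or 256"))
        elif m := KEY_RE.match(line):
            name, hexkey = m.groups()
            bits, want = len(hexkey) * 4, AUTH_BITS.get(auth_of.get(name))
            if want and bits != want:
                findings.append((name, f"key is {bits} bits, {auth_of[name]} uses {want}"))
            if all(a == b for a, b in zip(hexkey[::2], hexkey[1::2])):
                findings.append((name, "key is a repeated-digit pattern, not random"))
    return findings

def new_key(bits):
    """Random key of `bits` length in the 0x-prefixed hex form the CLI takes."""
    return "0x" + secrets.token_hex(bits // 8)

if __name__ == "__main__":
    print(*lint(SAMPLE), "replacement key: " + new_key(160), sep="\n")
```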