Enterasys csx5500 User Guide

USER’S GUIDE
CyberSWITCH
CONFIGURING SECURITY ASSOCIATIONS AND AUTHENTICATION (IP SECURITY ONLY)
IP Security encryption configuration consists of the following elements:
- setting up security associations for Encapsulating Security Payload (ESP)
- optionally specifying keys for Authentication Headers (AH)
Security Associations are necessary for IP networks that plan to use an untrusted/unprotected 
medium, such as the Internet. Security Associations identify the IP addresses for which exchanged 
datagrams must be encrypted. They also provide the parameters necessary to encrypt and decrypt 
IP datagrams. By default, the CyberSWITCH has no Security Associations. Therefore, to enable 
encryption, you must specify these associations.
When configuring two CyberSWITCH nodes, the security association information from one node 
must parallel the information on the other node. The parameters for Transform Menu, Shared Secret 
Key, and Security Parameter Index must be the same on both nodes in order for the nodes to 
communicate.
Likewise, if you plan to authenticate packets prior to encryption/decryption, the authentication 
key information from one node must parallel the information on the other node. 
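The parity requirement above can be checked before either node is touched. The following is an added example, not part of the guide or of any CyberSWITCH tooling: it compares two hand-transcribed worksheets for the fields the guide says must match and flags subnet entries whose address has bits set beyond the chosen mask. The `SA` record, its field names, and the transform name, SPI and key values are assumptions constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SA:
    """One node's Security Association as transcribed from the CFGEDIT prompts.
    Hypothetical worksheet record: field names are assumptions, not a device format."""
    destination: str   # final destination IP address
    dest_bits: int     # significant bits for its subnet mask
    source: str        # source IP address
    source_bits: int   # significant bits for its subnet mask
    transform: str     # Transform Menu choice
    spi: int           # Security Parameter Index
    iv_bits: int       # IV length, 32 or 64
    key: str           # Shared Secret Encryption Key

def subnet_errors(sa: SA) -> list[str]:
    """Flag addresses with bits set beyond the mask, e.g. 197.1.0.0 entered
    with the default of 8 significant bits instead of 16."""
    errors = []
    for label, addr, bits in (("destination", sa.destination, sa.dest_bits),
                              ("source", sa.source, sa.source_bits)):
        try:
            ipaddress.ip_network(f"{addr}/{bits}", strict=True)
        except ValueError:
            errors.append(f"{label} {addr}/{bits}")
    return errors

def parity_errors(a: SA, b: SA) -> list[str]:
    """Name the fields that differ between two nodes; key values are never echoed."""
    errors = [f for f in ("transform", "spi") if getattr(a, f) != getattr(b, f)]
    # Constant-time comparison of the shared secret.
    if not hmac.compare_digest(a.key.encode(), b.key.encode()):
        errors.append("key")
    # Not in the guide's list: assumes both ends must also agree on IV length.
    if a.iv_bits != b.iv_bits:
        errors.append("iv_bits")
    return errors

# Constructed sample: subnets follow the guide's sample session; the transform
# name, SPI and keys are placeholders invented for this example.
NODE_A = SA("197.1.0.0", 16, "197.4.0.0", 16, "transform-1", 300, 64, "PLACEHOLDER-KEY-0001")
NODE_B = replace(NODE_A, spi=301, key="PLACEHOLDER-KEY-0002")

if __name__ == "__main__":
    print(subnet_errors(replace(NODE_A, dest_bits=8)))
    print(parity_errors(NODE_A, NODE_B))
```

The report names mismatched fields only, so it can be shared between the two site operators without exposing either key.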
USING CFGEDIT
1. From the CFGEDIT Main Menu, select Options.
2. Select IP Routing. If IP routing is disabled, enable this now.
3. Select IP Security Associations.
4. Select Add. Respond to the following series of questions:
Security Association Packet Direction Menu:
   1) Outgoing (packets from trusted local subnet to remote site)
   2) Incoming (packets to trusted local subnet from remote site) 
   3) Both outgoing and incoming
ID of the Direction for this Security Association [default = 3] ?
Enter the Final Destination IP address in dotted decimal notation or <RET> to cancel?    
197.1.0.0
Enter the number of significant bits for the Subnet Mask   [default = 8 ]?  16
Enter the Source IP Address in dotted decimal notation or <RET> to cancel?   197.4.0.0
Enter the number of significant bits for the Subnet Mask  [default = 8]?   16
Enter the Destination Gateway/Router IP Address in dotted decimal notation or <RET> 
to cancel?   197.1.1.1
Security Association IV Length Menu:
   1) 32 bits
   2) 64 bits
ID of IV length to use:  [default = 2]?
Enter the Shared Secret Encryption Key for this Security Association: 
AAABBB1234567890