Using A Dynamic Key Policy - IBM RackSwitch G8000 Application Manual

Using a Dynamic Key Policy

© Copyright IBM Corp. 2011
Note: When configuring a manual policy ESP, the ESP authenticator key is
optional.
3. After you configure the IPSec policy, you need to apply it to the interface to
enforce the security policies on that interface and save it to keep it in place after
a reboot. To accomplish this, enter:
RS G8000(config-ip)#interface ip <IP interface number, 1-128>
RS G8000(config-ip-if)#address <IPv6 address>
RS G8000(config-ip-if)#ipsec manual-policy <policy index, 1-10>
RS G8000(config-ip-if)#enable (enable the IP interface)
RS G8000#write (save the current configuration)
When you use a dynamic key policy, the first packet that matches the policy triggers IKE, which establishes the IKEv2 SA and the IPsec SA. The initial negotiation also sets the lifetime of the keying material, that is, how long it stays in effect. When a key expires, a new key is negotiated automatically, which limits how long any single key can be used by an attacker who obtains it.
To configure a dynamic key policy:
1. Choose a dynamic policy to configure.
RS G8000(config)#ipsec dynamic-policy <policy number>
2. Configure the policy.
RS G8000(config-ipsec-dynamic)#peer <peer's IPv6 address>
RS G8000(config-ipsec-dynamic)#traffic-selector <index of traffic selector>
RS G8000(config-ipsec-dynamic)#transform-set <index of transform set>
RS G8000(config-ipsec-dynamic)#sa-lifetime <SA lifetime, in seconds>
RS G8000(config-ipsec-dynamic)#pfs enable|disable
where the following parameters are used:
– peer's IPv6 address: The IPv6 address of the peer (for example, 3000::1).
– index of traffic-selector: A number from 1-10.
– index of transform-set: A number from 1-10.
– SA lifetime, in seconds: The length of time the SA is to remain in effect; an integer from 120-86400.
– pfs enable|disable: Whether to enable or disable the perfect forward secrecy (PFS) feature. The default is disable.
Note: In a dynamic policy, the AH and ESP keys are created by IKEv2.
3. After you configure the IPsec policy, you need to apply it to the interface to
enforce the security policies on that interface and save it to keep it in place after
a reboot. To accomplish this, enter:
RS G8000(config-ip)#interface ip <IP interface number, 1-128>
RS G8000(config-ip-if)#address <IPv6 address>
RS G8000(config-ip-if)#ipsec dynamic-policy <policy index, 1-10>
RS G8000(config-ip-if)#enable (enable the IP interface)
RS G8000#write (save the current configuration)
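As an added example (not from the IBM manual), the following Python helper checks a dynamic-policy configuration against the value ranges given above and emits the step 1-3 command sequence without prompts; the DynamicPolicy type, the LIMITS table and the inserted exit lines are assumptions, not part of the switch CLI.

```python
import ipaddress
from dataclasses import dataclass

# Argument limits the manual gives for each command (constants built from the page).
LIMITS = {"dynamic-policy": (1, 10), "traffic-selector": (1, 10), "transform-set": (1, 10),
          "sa-lifetime": (120, 86400), "interface ip": (1, 128)}

@dataclass(frozen=True)
class DynamicPolicy:    # hypothetical helper type, not part of the switch CLI
    policy: int
    peer: str           # peer's IPv6 address, e.g. 3000::1
    traffic_selector: int
    transform_set: int
    sa_lifetime: int    # seconds
    pfs: bool           # perfect forward secrecy; the manual's default is disable
    interface: int      # IP interface the policy is bound to
    interface_addr: str # IPv6 address assigned to that interface

def validate(p: DynamicPolicy) -> dict:
    """Check values against the documented limits; warnings flag legal but weak settings."""
    errors, warnings = [], []
    numbers = {"dynamic-policy": p.policy, "traffic-selector": p.traffic_selector,
               "transform-set": p.transform_set, "sa-lifetime": p.sa_lifetime,
               "interface ip": p.interface}
    for name, value in numbers.items():
        lo, hi = LIMITS[name]
        if not lo <= value <= hi:
            errors.append(f"{name} {value} is outside {lo}-{hi}")
    for label, addr in (("peer", p.peer), ("interface address", p.interface_addr)):
        try:
            ipaddress.IPv6Address(addr)
        except ValueError:
            errors.append(f"{label} {addr!r} is not a valid IPv6 address")
    if not p.pfs:
        warnings.append("pfs disabled (the default): a compromised IKE key exposes earlier SAs")
    return {"errors": errors, "warnings": warnings}

def render(p: DynamicPolicy) -> list:
    """Emit the manual's command sequence (steps 1-3) without prompts, only for a valid policy."""
    if errors := validate(p)["errors"]:
        raise ValueError("; ".join(errors))
    return [f"ipsec dynamic-policy {p.policy}", f"peer {p.peer}",
            f"traffic-selector {p.traffic_selector}", f"transform-set {p.transform_set}",
            f"sa-lifetime {p.sa_lifetime}", f"pfs {'enable' if p.pfs else 'disable'}",
            "exit",  # assumed: back to config mode before binding the interface
            f"interface ip {p.interface}", f"address {p.interface_addr}",
            f"ipsec dynamic-policy {p.policy}", "enable",
            "exit", "write"]  # exit assumed before write, matching the manual's prompt change
```

Run validate() on a candidate policy before pasting the rendered commands; a warning about PFS means the configuration is legal but weaker than it could be.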
Chapter 17. IPsec with IPv6
209