Configuring an IPsec SA - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual


Configuring IPsec

Configuring an IPsec SA

An IPsec Security Association (SA) is a set of security information that describes a particular kind of secure
connection between two devices. An SA specifies the actual IPsec algorithms applied to the IPv6 traffic
(for example, 3DES for encryption and HMAC-SHA1 for authentication).
To configure an IPsec Security Association, use the ipsec sa command along with the type of security
association (AH or ESP), the IPv6 source address, the IPv6 destination address, and the encryption and
authentication algorithms used for the SA. For example:
Local System
-> ipsec sa tcp_in_ah ah source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 spi 9901 authentication hmac-sha1 description "HMAC SHA1 on traffic from 99 to 1"
-> ipsec sa tcp_out_ah ah source 3ffe:1:1:1::1 destination 3ffe:1:1:1::99 spi 9902 authentication hmac-sha1 description "HMAC SHA1 on traffic from 1 to 99"
Remote System
-> ipsec sa tcp_out_ah ah source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 spi 9901 authentication hmac-sha1 description "HMAC SHA1 on traffic from 99 to 1"
-> ipsec sa tcp_in_ah ah source 3ffe:1:1:1::1 destination 3ffe:1:1:1::99 spi 9902 authentication hmac-sha1 description "HMAC SHA1 on traffic from 1 to 99"
The above commands configure a pair of IPsec SAs of AH type, one for each direction of traffic between the
IPv6 addresses 3ffe:1:1:1::99 and 3ffe:1:1:1::1, with security parameter indexes (SPI) of 9901 and 9902.
An SA is uni-directional, so two SAs are needed to protect both directions. The combination of SPI, source
address, and destination address uniquely identifies an SA. The above commands also configure hmac-sha1 as
the authentication algorithm to be used for the IPv6 traffic covered by the configured SAs. AH authenticates
the packets but does not encrypt them; for confidentiality, configure an ESP SA with an encryption algorithm.
Note. The IPsec endpoints must have identical SAs (SPI, source address, destination address) configured.
The SA name is local to each switch, which is why the example calls the same SA tcp_in_ah on one system
and tcp_out_ah on the other; the SPI, addresses, SA type and algorithms are what must match.
Use the admin-state enable/disable parameters to enable or disable the SA.
-> ipsec sa tcp_in_ah admin-state enable
Use the no form of the command to delete the SA.
-> no ipsec sa tcp_in_ah
Configuring ESP or AH
The IPsec SA can be configured as ESP or AH. In the above example, the IPsec SA is configured as AH.
You can also configure the SA as ESP, as shown below:
-> ipsec sa tcp_in_ah esp source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 spi 9901 encryption 3DES-CBC description "3DES on traffic from 99 to 1"
Use the encryption parameter to specify the encryption algorithm to be used for the traffic covered by
the SA. This parameter is valid only when the SA type is ESP. Note that the ESP SA above specifies no
authentication algorithm: it encrypts the traffic but does not integrity-protect it, so ciphertext can be
altered in transit without detection. 3DES-CBC and HMAC-SHA1 are legacy algorithms; use the strongest
algorithms both endpoints support.
Configuring the ESP Key Size
Some encryption algorithms allow the key size to be specified; specifying the key length overrides the
algorithm's default value. To do so, use the key-size option after the specified encryption algorithm. For
example:
OmniSwitch AOS Release 8 Network Configuration Guide
Configuring IPsec on the OmniSwitch
December 2017
page 18-15
