Ipsec Capacity Restrictions; Settings Required For Ipsec Tunnels; Nat (Network Address Translation) - Nortel BCM 3.7 Manual

Page 768

IPSec
Both SHA1 and MD5 are used together with Hashed Message Authentication Code (HMAC) to
strengthen authentication. HMAC is a technique that combines a secret key with a message digest
function to produce a keyed message authentication code that only holders of the key can create or verify.

IPSec capacity restrictions

The Business Communications Manager performs all IPSec processing using software. To prevent
overloading the Business Communications Manager processor with IPSec traffic processing, the
network traffic that requires IPSec processing should not exceed 6Mbps. This is based on using
3DES encryption with SHA authentication.
The maximum number of concurrent tunnels the Business Communications Manager supports is
16. However, this number could be less depending on the configuration. The following are the
factors to consider when determining maximum IPSec capacity:

• Tunnel negotiation
  Since tunnel negotiation requires a significant amount of processing time, the number of
  tunnels that are negotiated at one time should be limited. The tunnels are re-negotiated based
  on either the Rekey Timeout or the Rekey Data Count. If a number of tunnels will be running
  concurrently, you should stagger these values.

• Interface throughput
  The maximum throughput of the interfaces of the IPSec endpoints must also be considered. It
  is much easier to overload the Business Communications Manager if IPSec is being used over
  a fast LAN interface rather than a slower WAN interface. This is due to the faster speed of the
  data packets transferred over the LAN interface.

Settings required for IPSec tunnels

The data packets that pass through IPSec tunnels interact with other routing features in Business
Communications Manager. As a result, there are several settings you must make in other features
for IPSec tunnels to operate.

NAT (Network Address Translation)

Business Communications Manager does not support NAT on the Local Endpoint of an IPSec
Tunnel.
Packets can be sent through an IPSec tunnel with or without NAT applied. To send packets
through the tunnel with NAT applied, configure the Local Accessible Networks to include only a
network for the endpoint itself. For example, if the Local Endpoint is 10.10.13.2, then the Local
Accessible Network would be 10.10.13.2 with a mask of 255.255.255.255. To send packets
through the tunnel without NAT applied, configure the Local Accessible Networks with the local
Private IP network(s) and the Remote Accessible Networks with the networks on the other side of
the Remote Endpoint. Using the above example, we know that the other interfaces on the local
Business Communications Manager have IP addresses of 10.10.10.1 and 10.10.11.1. The remote
Business Communications Manager has a subnet of 12.12.12.1. Therefore, the Local Accessible

N0008589 3.3
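The example below is an added illustration (not BCM code) of the two configurations described above, modelled as generic IPsec traffic selectors: with NAT, the private source address is translated to the Local Endpoint before the selector is evaluated, so a Local Accessible Network of 10.10.13.2 with mask 255.255.255.255 is what matches; without NAT the private networks themselves must be listed. The addresses come from the manual; the /24 masks for the 10.10.10.x, 10.10.11.x and 12.12.12.x networks, and the assumption that NAT runs before selector matching, are assumptions made here. It also shows the mismatch case a practitioner should check for: NAT enabled but private networks listed, so translated packets match nothing and bypass the tunnel.

```python
import ipaddress


class TunnelPolicy:
    """Minimal model of an IPsec tunnel's local/remote accessible networks."""

    def __init__(self, local_endpoint: str, local_nets: list, remote_nets: list, nat: bool):
        self.local_endpoint = ipaddress.ip_address(local_endpoint)
        # ip_network accepts both "a.b.c.d/32" and "a.b.c.d/255.255.255.255".
        self.local_nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
        self.remote_nets = [ipaddress.ip_network(n, strict=False) for n in remote_nets]
        self.nat = nat

    def classify(self, src: str, dst: str) -> tuple:
        """Return (action, source address as the selector sees it)."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        # Assumption: NAT rewrites the source to the Local Endpoint before selectors run.
        sel_src = self.local_endpoint if self.nat else src_ip
        local_ok = any(sel_src in net for net in self.local_nets)
        remote_ok = any(dst_ip in net for net in self.remote_nets)
        action = "tunnel" if (local_ok and remote_ok) else "bypass"
        return action, str(sel_src)


# Addresses from the manual; masks other than the /32 are assumed.
LOCAL_ENDPOINT = "10.10.13.2"
PRIVATE_NETS = ["10.10.10.0/24", "10.10.11.0/24"]
REMOTE_NETS = ["12.12.12.0/24"]


def nat_policy() -> TunnelPolicy:
    """Packets sent with NAT applied: only the endpoint itself is listed locally."""
    return TunnelPolicy(LOCAL_ENDPOINT, ["10.10.13.2/255.255.255.255"], REMOTE_NETS, nat=True)


def plain_policy() -> TunnelPolicy:
    """Packets sent without NAT: the private networks are listed locally."""
    return TunnelPolicy(LOCAL_ENDPOINT, PRIVATE_NETS, REMOTE_NETS, nat=False)


def mismatched_policy() -> TunnelPolicy:
    """Misconfiguration: NAT on, but private networks listed instead of the endpoint."""
    return TunnelPolicy(LOCAL_ENDPOINT, PRIVATE_NETS, REMOTE_NETS, nat=True)


if __name__ == "__main__":
    for name, pol in [("nat", nat_policy()), ("plain", plain_policy()), ("mismatch", mismatched_policy())]:
        print(name, pol.classify("10.10.10.5", "12.12.12.10"))
```

In the mismatch case every translated packet carries 10.10.13.2 as its source, which is not inside 10.10.10.0/24 or 10.10.11.0/24, so traffic silently misses the tunnel; listing the endpoint /32 is what the manual's NAT variant requires.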
