Chapter 33: Configuring Ipsec; About Ipsec - Enterasys C3G124-24 Configuration Manual

This chapter describes how to configure IPsec (IP Security) as specified in RFC 4301.
For information about...

About IPsec

Commands
About IPsec
The Security Architecture for IP (IPsec), defined in RFC 4301, describes how to provide a set of
security services for traffic at the IP layer in both IPv4 and IPv6 environments. As described in the
RFC, most of the security services are provided through use of two traffic security protocols, the
Authentication Header (AH) and the Encapsulating Security Payload (ESP), and through the use
of cryptographic key management procedures and protocols.
The current IPsec implementation on the Enterasys C3 provides the following functionality:
• IPsec and IKE (Internet Key Exchange protocol) are defined for the RADIUS host application
only. This implementation supports the creation of Security Associations (SAs) with servers
configured for RADIUS, and the RADIUS application helps define the IPsec flow.
Refer to
commands.
• Only the Encapsulating Security Payload (ESP) mode of operation is supported.
Authentication Header (AH) mode is not supported.
• Currently, IKEv1 is supported, and the RADIUS shared secret is used as the IKE pre-shared
key.
• HMAC-SHA1 is the default IKE integrity mechanism.
• 3DES and the Advanced Encryption Standard (AES) encryption algorithms are supported.
AES supports key lengths of 128, 192, and 256 bits. The default IPsec encryption algorithm is
AES-128.
• IPsec does not prevent the independent simultaneous use of MSCHAP-V2 style encryption of
user passwords between the switch and the RADIUS server.
"Configuring RADIUS" on page 32-6 for the RADIUS-specific IPsec configuration
Note: Although the use of certificates will be supported for IPsec in future releases, in the current
release only use of a shared secret is supported.
33
Configuring IPsec
Refer to page...
Enterasys C3 Configuration Guide 33-1