IPSec on V 2.41 - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
according to the VPN ID in the packet. It then looks up the corresponding VPN
routing table and uses the matched entry to determine whether the destination of
the packet is a local host. If the packet is intended for a local host, it is forwarded
to the IP layer or to a CE that belongs to the same VPN. If it is not, the packet is
labeled according to the matched entry in the VPN routing table and forwarded.

7.1.6 IPSec on V 2.41

V 2.41 implements the aspects of IPSec described above.
With IPSec, two peers (here, the router running V 2.41 and its remote peer) can apply
different security protections (authentication, encryption, or both) to different
data flows, which are distinguished by ACL. The protection elements, namely the
security protocol, authentication algorithm, encryption algorithm and operation
mode, are defined in an IPSec proposal. The binding of data flows to IPSec proposals
(that is, applying a given protection to a given data flow), together with the SA
negotiation mode, the peer IP addresses (the start and end of the protected path),
the required keys and the SA lifetime, is defined in IPSec policies. Finally, IPSec
policies are applied to router interfaces. This is the IPSec configuration process.
Following is the detailed description:
1) Defining data flows to be protected
A data flow is an aggregate of traffic selected by source address/mask, destination
address/mask, IP protocol number, source port number and destination port number.
An ACL rule defines a data flow: all traffic that matches one ACL rule logically forms
one data flow. A data flow can be as narrow as a single TCP connection between two
hosts or as broad as all traffic between two subnets. Because IPSec can apply a
different protection to each data flow, the first step of IPSec configuration is to
define the data flows.
2) Defining IPSec proposal
An IPSec proposal prescribes the security protocol, authentication algorithm and
encryption algorithm, as well as the operation mode (that is, the packet
encapsulation mode) for the data flows to be protected.
V 2.41 supports AH and ESP, which can be used independently or in combination. AH
supports the MD5 and SHA-1 authentication algorithms. ESP supports the MD5 and SHA-1
authentication algorithms as well as the DES, 3DES and AES encryption algorithms. Of
these, DES and MD5 are now considered weak; prefer AES with SHA-1 where both peers
support them.
The operation modes supported by V 2.41 are transport mode and tunnel mode.
For a given data flow, both peers must be configured with the identical protocol,
algorithms and operation mode, otherwise no SA can be established. Moreover, when
IPSec is applied between two security gateways (such as two V 2.41 routers), tunnel
mode is recommended so that the real source and destination addresses are hidden
inside the encrypted payload.
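The two steps above, as an added example that is not part of the 3Com manual and does not use the router's own CLI: a small Python model of how an IPSec-capable router classifies a packet into a data flow with ACL rules, selects the proposal bound to that flow, checks that both peers' proposals are identical, and shows which addresses are visible on the wire in transport versus tunnel mode. The ACL rules, proposal names, subnets and gateway addresses are constructed for the example.

```python
"""Added example (not from the 3Com manual): ACL-based data-flow selection,
IPSec proposal matching and transport/tunnel-mode outer-header comparison.
All addresses, rules and proposals below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One ACL rule = one data flow: src/mask, dst/mask, IP protocol, ports.
    A field left as None matches any value."""
    src: str                      # e.g. "10.1.1.0/24"
    dst: str
    proto: Optional[int] = None   # protocol number over IP (6 = TCP, 17 = UDP)
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        for field in ("proto", "sport", "dport"):
            want = getattr(self, field)
            if want is not None and pkt.get(field) != want:
                return False
        return True


@dataclass(frozen=True)
class Proposal:
    """Security protection elements as the manual lists them for V 2.41."""
    protocol: str            # "ah", "esp" or "ah-esp"
    auth: str                # "md5" or "sha1"
    encrypt: Optional[str]   # "des", "3des" or "aes" for ESP; None for AH-only
    mode: str                # "transport" or "tunnel"


# Hypothetical security gateway addresses (the start/end of the protected path).
LOCAL_GW, REMOTE_GW = "192.0.2.1", "198.51.100.1"

# Constructed policy: an ordered list of (data flow, proposal) bindings.
# First match wins, so the narrower rule (one SSH connection between two hosts)
# must precede the broader subnet-to-subnet rule or it would never be reached.
POLICY = [
    (AclRule("10.1.1.5/32", "10.1.2.9/32", proto=6, dport=22),
     Proposal("ah", "sha1", None, "transport")),
    (AclRule("10.1.1.0/24", "10.1.2.0/24"),
     Proposal("esp", "sha1", "aes", "tunnel")),
]


def select_proposal(pkt: dict, policy=POLICY) -> Optional[Proposal]:
    """Return the proposal bound to the first ACL rule the packet matches,
    or None when the packet belongs to no protected flow (sent in the clear)."""
    for rule, proposal in policy:
        if rule.matches(pkt):
            return proposal
    return None


def outer_header(pkt: dict, proposal: Proposal) -> Tuple[str, str]:
    """Source/destination addresses visible on the wire after protection.
    Transport mode keeps the original IP header; tunnel mode wraps the whole
    packet in a new header carrying only the two gateway addresses, which is
    why the manual recommends it between security gateways."""
    if proposal.mode == "tunnel":
        return (LOCAL_GW, REMOTE_GW)
    return (pkt["src"], pkt["dst"])


def peers_compatible(local: Proposal, remote: Proposal) -> bool:
    """Both ends must agree on protocol, algorithms and mode for a given flow;
    any single difference means no SA can be set up for that data flow."""
    return local == remote


if __name__ == "__main__":
    ssh = {"src": "10.1.1.5", "dst": "10.1.2.9", "proto": 6, "sport": 40000, "dport": 22}
    web = {"src": "10.1.1.7", "dst": "10.1.2.9", "proto": 6, "sport": 40001, "dport": 80}
    for pkt in (ssh, web):
        prop = select_proposal(pkt)
        print(pkt["src"], "->", pkt["dst"], prop, "on the wire:", outer_header(pkt, prop))
```

Note that `peers_compatible` compares every element of the proposal: a peer that differs only in the authentication algorithm (MD5 on one side, SHA-1 on the other) fails the check, which is the mismatch that typically shows up in practice as a negotiation that never completes.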
3Com Corporation
7-7
Chapter 7 IPSec Configuration