Discarding Traffic Using Ipsec - Alcatel-Lucent OmniSwitch AOS Release 7 Manual

Network configuration guide

IPsec Overview
Master Security Key
The master security key is used to encrypt and decrypt the configured SA keys that are saved to permanent storage (e.g., the boot.cfg file). Therefore, configuring a master key is VITALLY IMPORTANT and STRONGLY RECOMMENDED. A warning message will be logged if the configuration is saved without a Master Security Key being set.
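The following is an added example, not code from the guide or from AOS, that models the behaviour described above: SA keys written to permanent storage are wrapped under the master security key when one is configured, and are written in the clear with a logged warning when none is. The keystream cipher and the config line format ("sa-key NAME plaintext|encrypted HEX") are constructed stand-ins, since the guide does not state the cipher or the stored format AOS uses.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed example: a stand-in for how a switch might protect SA keys in
# permanent storage. The keystream cipher below is illustrative only; the
# cipher AOS actually uses is not stated in the guide.

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from the master key and a nonce (counter mode over SHA-256)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(master_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_sa_key(master_key: bytes, sa_key: bytes) -> bytes:
    """Encrypt one SA key under the master key: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(sa_key, _keystream(master_key, nonce, len(sa_key))))
    tag = hmac.new(master_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def unwrap_sa_key(master_key: bytes, blob: bytes) -> bytes:
    """Decrypt a wrapped SA key; raises ValueError if the master key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(master_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("master security key mismatch or corrupted key blob")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(master_key, nonce, len(ciphertext))))


def save_config(sa_keys: Dict[str, bytes], master_key: Optional[bytes]) -> Tuple[List[str], List[str]]:
    """Render SA keys as config lines. Without a master key they go out in the clear and a warning is logged."""
    lines: List[str] = []
    warnings: List[str] = []
    if master_key is None:
        warnings.append("WARNING: configuration saved without a Master Security Key; SA keys stored unencrypted")
    for name, key in sa_keys.items():
        if master_key is None:
            lines.append(f"sa-key {name} plaintext {key.hex()}")  # hypothetical line format
        else:
            lines.append(f"sa-key {name} encrypted {wrap_sa_key(master_key, key).hex()}")
    return lines, warnings


def load_config(lines: List[str], master_key: Optional[bytes]) -> Dict[str, bytes]:
    """Reverse of save_config: recover the SA keys, decrypting the ones stored under the master key."""
    keys: Dict[str, bytes] = {}
    for line in lines:
        _, name, form, value = line.split()
        if form == "plaintext":
            keys[name] = bytes.fromhex(value)
        else:
            if master_key is None:
                raise ValueError(f"SA key {name} is encrypted but no master security key is configured")
            keys[name] = unwrap_sa_key(master_key, bytes.fromhex(value))
    return keys
```

The HMAC tag makes a wrong master key a hard error on load rather than silently yielding garbage key bytes, which is the failure a practitioner would otherwise only discover when the SA stops authenticating traffic.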
IPsec Policy
IPsec Policies define which traffic requires IPsec processing. The policy requires the source and destination of the traffic to be specified as IPv6 addresses. The policy may cover all traffic from source to destination or may further restrict it by specifying an upper-layer protocol, source, and/or destination ports. Each policy is unidirectional, applying either to inbound or outbound traffic. Therefore, to cover all traffic between a source and destination, two policies would need to be defined.
IPsec Policy Rules
Rules are created and applied to policies. Rules determine what type of encryption or authentication
should be used for the associated policy. For example, for a security policy where an IPv6 payload should
be protected by an ESP header, which should then be protected by an AH header, two rules would be
applied to the policy, one for ESP and one for AH.
Security Association (SA)
A Security Association, more commonly referred to as an SA, is a basic building block of IPsec. It specifies the actual IPsec algorithms to be employed. An SA is a unidirectional agreement between the participants regarding the methods and parameters to use in securing a communication channel. A Security Association is a management tool used to enforce a security policy in the IPsec environment; the SA is what actually specifies the encryption and authentication used between communicating peers.
Manually configured SAs are unidirectional; bi-directional communication requires at least two SAs, one for each direction. Manually configured SAs are identified by the combination of their SPI, source address, and destination address. Multiple SAs can be configured for the same source and destination combination; such SAs are distinguished by a unique Security Parameter Index (SPI).
SA Keys
Keys are used for encrypting and authenticating the traffic. Key lengths must match what is required by the encryption or authentication algorithm specified in the SA. Key values may be specified either in hexadecimal format or as a string.
Note. The OmniSwitch currently supports manually configured SAs only.

Discarding Traffic using IPsec
In order to discard IPv6 datagrams, a policy is configured in the same manner as an IPsec security policy, the difference being that the action is set to 'discard' instead of 'ipsec'. A discard policy can prevent IPv6 traffic from traversing the network.
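The following is an added example, not code from the guide or from AOS, that puts the concepts of this chapter into one runnable model: unidirectional policies with IPv6 source/destination and optional upper-layer protocol and port selectors, an action of 'ipsec' (with its ordered ESP/AH rules) or 'discard', and manually configured SAs identified by SPI, source and destination, with the key length checked against the SA's algorithm. The addresses are documentation addresses and the algorithm-to-key-length table is an assumption for illustration, not the list of algorithms AOS supports. The guide does not say what happens to traffic that matches no policy, so the model simply reports "none" for it.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Dict, List, Optional, Tuple

# Constructed model of the policy / rule / SA concepts in this chapter.
# Addresses are documentation prefixes; the key-length table is an
# assumption for illustration, not a list of algorithms supported by AOS.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str                  # "in" or "out"
    protocol: Optional[str] = None  # upper-layer protocol, e.g. "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Policy:
    name: str
    src: str
    dst: str
    direction: str                  # each policy is unidirectional
    action: str                     # "ipsec" or "discard"
    protocol: Optional[str] = None  # None means all upper-layer protocols
    sport: Optional[int] = None
    dport: Optional[int] = None
    rules: List[str] = field(default_factory=list)  # e.g. ["esp", "ah"]: ESP first, AH outside it

    def matches(self, pkt: Packet) -> bool:
        """True when every selector that is set on the policy agrees with the packet."""
        if pkt.direction != self.direction:
            return False
        if IPv6Address(pkt.src) != IPv6Address(self.src) or IPv6Address(pkt.dst) != IPv6Address(self.dst):
            return False
        for mine, theirs in ((self.protocol, pkt.protocol), (self.sport, pkt.sport), (self.dport, pkt.dport)):
            if mine is not None and mine != theirs:
                return False
        return True


def dispose(policies: List[Policy], pkt: Packet) -> Tuple[str, List[str]]:
    """Return (action, rules) of the first matching policy; ("none", []) when no policy covers the packet."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, list(pol.rules)
    return "none", []


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    src: str
    dst: str
    protocol: str   # "esp" or "ah"
    algorithm: str
    key: bytes


ASSUMED_KEY_LENGTHS = {"aes-cbc-128": 16, "hmac-sha1-96": 20}  # illustrative values, not from the guide


def validate_key_length(sa: SecurityAssociation) -> None:
    """Reject a manually configured SA whose key does not have the length its algorithm requires."""
    need = ASSUMED_KEY_LENGTHS[sa.algorithm]
    if len(sa.key) != need:
        raise ValueError(f"SPI {sa.spi}: {sa.algorithm} needs a {need}-byte key, got {len(sa.key)}")


def index_sas(sas: List[SecurityAssociation]) -> Dict[Tuple[int, str, str], SecurityAssociation]:
    """Index SAs by (SPI, src, dst): several SAs may share src/dst, but each needs its own SPI."""
    table: Dict[Tuple[int, str, str], SecurityAssociation] = {}
    for sa in sas:
        validate_key_length(sa)
        ident = (sa.spi, str(IPv6Address(sa.src)), str(IPv6Address(sa.dst)))
        if ident in table:
            raise ValueError(f"duplicate SA {ident}")
        table[ident] = sa
    return table


HOST_A, HOST_B, HOST_C = "2001:db8::1", "2001:db8::2", "2001:db8::3"

# Outbound and inbound traffic between A and B each need their own policy;
# traffic from C towards B is dropped by a discard policy.
EXAMPLE_POLICIES = [
    Policy("a-to-b", HOST_A, HOST_B, "out", "ipsec", protocol="tcp", dport=443, rules=["esp", "ah"]),
    Policy("b-to-a", HOST_B, HOST_A, "in", "ipsec", protocol="tcp", sport=443, rules=["esp", "ah"]),
    Policy("drop-c", HOST_C, HOST_B, "out", "discard"),
]
```

Running dispose() against EXAMPLE_POLICIES shows the two points the chapter makes: the outbound A-to-B policy on its own leaves the reply direction uncovered, and a discard policy is just a policy whose action differs, so it matches on exactly the same selectors.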
Note. If no master security key is configured, SA keys are stored unencrypted.
OmniSwitch AOS Release 7 Network Configuration Guide, Configuring IPsec, March 2011, page 14-8
