Configuring Ipsec Vpn - Motorola WiNG 4.4 Reference Manual


6.7 Configuring IPSec VPN

Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers. Configure which packets are sensitive and should be sent through secure tunnels, and what should be used to protect these sensitive packets. Once configured, an IPSec peer creates a secure tunnel and sends the packet through the tunnel to the remote peer.

IPSec tunnels are sets of security associations (SA) established between two peers. The security associations define which protocols and algorithms are applied to sensitive packets, and what keying material is used by the two peers. Security associations are unidirectional and established per security protocol.

To configure IPSec security associations, Motorola Solutions uses the Crypto Map entries. Crypto Map entries created for IPSec pull together the various parts used to set up IPSec security associations. Crypto Map entries include transform sets. A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPSec protected traffic.

The Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with the IPSec standard. IKE automatically negotiates IPSec security associations and enables IPSec secure communications without costly manual configuration. To support IPSec VPN functionality, the following configuration activities are required:
• Configure a DHCP Server to assign public IP addresses

An IPSec client needs an IP address before it can connect to the VPN Server and create an IPSec tunnel. A DHCP Server needs to be configured on the interface to distribute public IP addresses to the IPSec clients.

• Configure a Crypto policy (IKE)

IKE automatically negotiates IPSec security associations and enables IPSec secure communications without costly manual pre-configuration. IKE eliminates the need to manually specify all the IPSec security parameters in the Crypto Maps at both peers, allows you to specify a lifetime for the IPSec security association, allows encryption keys to change during IPSec sessions and permits Certification Authority (CA) support for a manageable, scalable IPSec implementation. If you do not want IKE with your IPSec implementation, disable it for IPSec peers. You cannot have a mix of IKE-enabled and IKE-disabled peers within your IPSec network.

• Configure security association parameters

The use of manual security associations is a result of a prior arrangement between switch users and the IPSec peer. If IKE is not used for establishing security associations, there is no negotiation of security associations. The configuration information in both systems must be the same for traffic to be processed successfully by IPSec.

• Define transform sets

A transform set represents a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a particular transform set for protecting data flow.

With manually established security associations, there is no negotiation with the peer. Both sides must specify the same transform set. If you change a transform set definition, the change is only applied to Crypto Map entries that reference the transform set. The change is not applied to existing security associations, but is used in subsequent negotiations to establish new security associations.
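The following is an added illustration, not code from the WiNG manual or product, that models the rules stated above: Crypto Map entries reference transform sets in order of preference, IKE peers agree on the first transform set both accept, manual (IKE-disabled) peers must specify identical sets, IKE-enabled and IKE-disabled peers cannot be mixed, and editing a transform set leaves existing SAs untouched while changing what the next negotiation yields. All names, algorithm strings and addresses are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class TransformSet:
    """Acceptable combination of security protocol and algorithms."""
    name: str
    protocol: str     # "esp" or "ah"
    encryption: str   # constructed sample values such as "aes-256-cbc"
    integrity: str    # e.g. "hmac-sha256"
    def params(self) -> Tuple[str, str, str]:
        return (self.protocol, self.encryption, self.integrity)  # names stay local

@dataclass(frozen=True)
class SecurityAssociation:   # unidirectional: one per direction and per protocol
    src: str
    dst: str
    transform: TransformSet

@dataclass
class CryptoMapEntry:        # peer, IKE on/off, transform sets in order of preference
    local: str
    peer: str
    use_ike: bool
    transform_sets: List[TransformSet]

def establish(a: CryptoMapEntry, b: CryptoMapEntry) -> Optional[List[SecurityAssociation]]:
    """Return the two SAs of a tunnel between a and b, or None if they cannot agree."""
    if a.use_ike != b.use_ike:   # IKE-enabled and IKE-disabled peers cannot be mixed
        return None
    if a.use_ike:                # IKE: first of a's preferences that b also accepts
        accepted = {ts.params() for ts in b.transform_sets}
        chosen = next((ts for ts in a.transform_sets if ts.params() in accepted), None)
    else:                        # manual SAs: no negotiation, both sides identical
        same = [x.params() for x in a.transform_sets] == [y.params() for y in b.transform_sets]
        chosen = a.transform_sets[0] if same and a.transform_sets else None
    if chosen is None:
        return None
    return [SecurityAssociation(a.local, b.local, chosen), SecurityAssociation(b.local, a.local, chosen)]

def demo() -> Tuple[str, str]:
    """Edit a transform set on one peer: existing SAs keep it, the next negotiation changes."""
    strong = TransformSet("ts-strong", "esp", "aes-256-cbc", "hmac-sha256")
    legacy = TransformSet("ts-legacy", "esp", "3des-cbc", "hmac-sha1")
    a = CryptoMapEntry("10.0.0.1", "10.0.0.2", True, [strong, legacy])  # constructed addresses
    b = CryptoMapEntry("10.0.0.2", "10.0.0.1", True, [legacy, strong])
    existing = establish(a, b)                                 # a's first preference wins
    a.transform_sets[0] = replace(strong, encryption="aes-128-cbc")  # a edits ts-strong only
    renegotiated = establish(a, b)                             # b has no aes-128: ts-legacy
    return existing[0].transform.name, renegotiated[0].transform.name
```

The demo shows the operational consequence of the last paragraph: tightening a transform set on one peer does not disturb the tunnel already up, but the next negotiation silently falls back to the next set both peers still share, so transform set changes should be made on both peers and verified against the SAs actually established.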
Switch Security 6 - 71