IPSec; Configuring the IPSec and IKE - 3Com VCX v7111 User Manual

IPSec

IPSec is responsible for encrypting and decrypting the IP streams.
The IPSec Security Policy Database (SPD) table defines up to 20 IP peers to which the
IPSec security is applied. IPSec can be applied to all packets destined for a specific IP
address, or only to those for a specific IP address, port (source or destination) and protocol type.
Each outgoing packet is analyzed and compared to the SPD table. The packet's destination
IP address (and, optionally, its destination port, source port and protocol type) is compared to
each entry in the table. If a match is found, the gateway checks whether an SA already exists for
this entry. If it does not, the IKE protocol is invoked (see IKE) and an IPSec SA is
established. The packet is then encrypted and transmitted. If no match is found, the packet is
transmitted unencrypted.
An incoming packet whose parameters match one of the entries of the SPD table
but which is received unencrypted is dropped.
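The outgoing and incoming decisions described above, modelled as an added example (not code from the manual or the gateway). The class names, the result strings, the sample addresses, and the choice to match incoming packets on the peer's address are assumptions made for illustration.

```python
# Added illustration: models the SPD decisions described above, not gateway firmware.
from dataclasses import dataclass
from typing import Optional
MAX_SPD_ENTRIES = 20  # table size stated in the manual

@dataclass(frozen=True)
class SpdEntry:
    peer_ip: str
    dst_port: Optional[int] = None   # None = optional selector not configured
    src_port: Optional[int] = None
    protocol: Optional[str] = None

@dataclass(frozen=True)
class Packet:
    peer_ip: str        # remote address (assumption: also used for incoming)
    dst_port: int
    src_port: int
    protocol: str
    encrypted: bool = False

class Gateway:
    def __init__(self, spd):
        if len(spd) > MAX_SPD_ENTRIES:
            raise ValueError("SPD table holds at most 20 entries")
        self.spd, self.sas, self.ike_runs = list(spd), set(), 0

    def match(self, p):
        for e in self.spd:
            if (e.peer_ip == p.peer_ip and e.dst_port in (None, p.dst_port)
                    and e.src_port in (None, p.src_port)
                    and e.protocol in (None, p.protocol)):
                return e
        return None

    def outgoing(self, p):
        e = self.match(p)
        if e is None:
            return "cleartext"        # no SPD match: sent unencrypted
        if e not in self.sas:         # no SA yet: IKE would run here
            self.ike_runs += 1
            self.sas.add(e)
        return "esp"

    def incoming(self, p):
        if self.match(p) is not None and not p.encrypted:
            return "drop"             # entry matches but packet arrived in clear
        return "pass"                 # other cases are not described on the page

# Constructed sample policy: only UDP to port 5060 on the peer is protected.
SAMPLE_GW = Gateway([SpdEntry("192.0.2.20", dst_port=5060, protocol="udp")])
```

With the sample policy, a packet to the same peer on any other port returns "cleartext", which shows that an SPD entry narrowed by port or protocol leaves the rest of that peer's traffic unprotected.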
IPSec specifications include:
Transport mode only
Encapsulating Security Payload (ESP) only
Support for Cipher Block Chaining (CBC)
Supported IPSec SA encryption algorithms – DES, 3DES, and AES
Hash types for IPSec SA are SHA1 and MD5

Configuring the IPSec and IKE

To enable IPSec and IKE on the gateway, set the ini file parameter EnableIPSec to 1.
IKE Configuration
The parameters described in Table 92 are used to configure the first phase (main mode) of
the IKE negotiation for a specific peer. A different set of parameters can be configured for
each of the 20 available peers.
Up to two IKE main mode proposals (Encryption / Authentication / DH group combinations)
can be defined. The same proposals must be configured for all peers.
3Com® VCX V7111 VoIP Gateway User Guide, p. 323
