Configuring An Ipsec Policy - HP 5120 SI Series Security Configuration Manual
Hide thumbs
Also See for 5120 SI Series:
- Command reference manual (395 pages) ,
- Installation manual (48 pages) ,
- Specification (33 pages)
Table of Contents
Advertisement
Step
4.
Specify the security
algorithms
5.
Specify the IP packet
encapsulation mode
for the IPsec proposal
NOTE:
Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to
•
existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the
updated parameters.
•
Only when a security protocol is selected, can you configure security algorithms for it. For example, you
can specify the ESP-specific security algorithms only when you select ESP as the security protocol.
You must use both ESP encryption and authentication.
•
Configuring an IPsec policy
IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy
is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the
•
IP addresses of the two ends in tunnel mode.
IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
•
Configuring a manual IPsec policy
To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies
at the two ends of an IPsec tunnel:
The IPsec policies at the two ends must have IPsec proposals that use the same security protocols,
•
security algorithms, and encapsulation mode.
The remote IP address configured on the local end must be the same as the IP address of the remote
•
end.
•
At each end, configure parameters for both the inbound SA and the outbound SA, and make sure
that different SAs use different SPIs. SPIs for the SAs in the same direction must be different.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true
•
of the local outbound SA and remote inbound SA.
Command
•
Specify the encryption algorithm for ESP:
esp encryption-algorithm aes [ key-length ]
•
Specify the authentication algorithm for ESP:
esp authentication-algorithm sha1
•
Specify the authentication algorithm for AH:
ah authentication-algorithm sha1
encapsulation-mode { transport | tunnel }
346
Remarks
Optional.
For ESP, the default
encryption algorithm is
AES-128.
For ESP and AH, the
default authentication
algorithm is SHA1.
Optional.
Tunnel mode by default.
Transport mode applies
only when the source
and destination IP
addresses of data flows
match those of the IPsec
tunnel.
Advertisement
Table of Contents
Troubleshooting
