Configuring An Ipsec Policy - HP 5500 HI Series Configuration Manual

Security

NOTE:
Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they are set up again using the updated parameters.

You can configure security algorithms for a security protocol only after you select that protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP encryption and authentication.

Configuring an IPsec policy

IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE. (Available only in FIPS mode.)
Configuring a manual IPsec policy
To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies at the two ends of an IPsec tunnel:
• The IPsec policies at the two ends must have IPsec proposals that use the same security protocols, security algorithms, and encapsulation mode.
• The remote IP address configured on the local end must be the same as the IP address of the remote end.
• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure that different SAs use different SPIs. SPIs for the SAs in the same direction must be different.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and the remote inbound SA.
• The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and the remote inbound and outbound SAs must also use keys in characters.
Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:
• You do not need to configure ACLs or IPsec tunnel addresses.
• Within a certain routed network scope, the SAs on all devices must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a peer group.
• All SAs (both inbound and outbound) within the routed network scope must use the same SPI and keys.
• Configure the keys on all routers within the routed network scope in the same format. For example, if you enter the keys in hexadecimal format on one router, do so across the routed network scope.
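The two guideline lists above (manual policies at the two tunnel ends, and SAs within a routed network scope) are easy to break one field at a time, for instance by swapping a single SPI. The following is an added example, not from the HP manual or from the switch software, that encodes both lists as a pre-deployment cross-check over records you would fill in from each device's configuration. The ManualPolicy and SA records, the key_format labels, and the sample addresses, SPIs and keys are all constructed for illustration.

```python
# Added example (not from the HP manual): consistency checker for manual
# IPsec policies. ManualPolicy/SA and the key_format labels are hypothetical
# data structures; all sample values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """One security association as configured on one end."""
    spi: int
    key: str
    key_format: str  # "chars" or "hex", mirroring how the key was typed in


@dataclass(frozen=True)
class ManualPolicy:
    """A manual IPsec policy as seen from one end of the tunnel."""
    device: str
    local_ip: str
    remote_ip: str
    protocol: str      # "esp" or "ah"
    algorithms: tuple  # e.g. ("aes-cbc-128", "sha1")
    mode: str          # "tunnel" or "transport"
    inbound: SA
    outbound: SA


def check_tunnel_pair(a: ManualPolicy, b: ManualPolicy) -> list:
    """Return guideline violations for the two ends of one tunnel (empty list if consistent)."""
    problems = []
    # Same security protocol, algorithms and encapsulation mode at both ends.
    if (a.protocol, a.algorithms, a.mode) != (b.protocol, b.algorithms, b.mode):
        problems.append("proposals differ: protocol, algorithms and encapsulation mode must match")
    # Each end's remote address must be the other end's own address.
    if a.remote_ip != b.local_ip:
        problems.append(f"{a.device}: remote address {a.remote_ip} is not {b.device}'s {b.local_ip}")
    if b.remote_ip != a.local_ip:
        problems.append(f"{b.device}: remote address {b.remote_ip} is not {a.device}'s {a.local_ip}")
    # Inbound and outbound SAs on one device must not share an SPI.
    for end in (a, b):
        if end.inbound.spi == end.outbound.spi:
            problems.append(f"{end.device}: inbound and outbound SAs reuse SPI {end.inbound.spi}")
    # Local inbound pairs with remote outbound, and vice versa (same SPI and key).
    if (a.inbound.spi, a.inbound.key) != (b.outbound.spi, b.outbound.key):
        problems.append(f"{a.device} inbound SA does not match {b.device} outbound SA (SPI or key)")
    if (a.outbound.spi, a.outbound.key) != (b.inbound.spi, b.inbound.key):
        problems.append(f"{a.device} outbound SA does not match {b.device} inbound SA (SPI or key)")
    # All four keys must be entered in the same format.
    formats = {sa.key_format for end in (a, b) for sa in (end.inbound, end.outbound)}
    if len(formats) > 1:
        problems.append(f"mixed key formats across the four SAs: {sorted(formats)}")
    return problems


def check_routing_scope(sas: dict) -> list:
    """Routing-protocol case: sas maps device name -> (inbound SA, outbound SA).
    Every SA in the scope must use the same SPI, the same key and the same key format."""
    all_sas = [sa for pair in sas.values() for sa in pair]
    problems = []
    if len({sa.spi for sa in all_sas}) > 1:
        problems.append("SPIs differ within the routed network scope")
    if len({sa.key for sa in all_sas}) > 1:
        problems.append("keys differ within the routed network scope")
    if len({sa.key_format for sa in all_sas}) > 1:
        problems.append("key formats differ within the routed network scope")
    return problems


def sample_tunnel(consistent: bool):
    """Constructed sample: RouterA and RouterB; one SPI is off by one when consistent=False."""
    key_in = "a1b2c3d4e5f6a7b8"   # constructed hex keys, not real material
    key_out = "0f1e2d3c4b5a6978"
    a = ManualPolicy("RouterA", "10.0.0.1", "10.0.0.2", "esp", ("aes-cbc-128", "sha1"), "tunnel",
                     inbound=SA(12345, key_in, "hex"), outbound=SA(54321, key_out, "hex"))
    b_in_spi = 54321 if consistent else 54322
    b = ManualPolicy("RouterB", "10.0.0.2", "10.0.0.1", "esp", ("aes-cbc-128", "sha1"), "tunnel",
                     inbound=SA(b_in_spi, key_out, "hex"), outbound=SA(12345, key_in, "hex"))
    return a, b


if __name__ == "__main__":
    for ok in (True, False):
        print("consistent" if ok else "broken", check_tunnel_pair(*sample_tunnel(ok)))
```

Run it as-is and the "broken" sample reports exactly one finding, the mismatched RouterA outbound / RouterB inbound pair, which is the kind of single-SPI slip that otherwise only shows up as a silently failing tunnel. The checks are deliberately kept as plain comparisons so they can be fed from whatever inventory format holds each device's configuration.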
274
