Protocols and Standards; FIPS Compliance; IPsec Tunnel Establishment; Implementing ACL-Based IPsec - HP FlexNetwork 10500 Series Security Configuration Manual


IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a
headquarters gateway).

Protocols and standards

RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and
non-FIPS mode.

IPsec tunnel establishment

CAUTION:
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50, respectively. Make sure traffic of these protocols is not denied on the interfaces with IKE or
IPsec configured.

IPsec tunnels can be established in different methods. Choose a correct method to establish IPsec
tunnels according to your network conditions:
• ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based
IPsec tunnel, configure an IPsec policy, specify an ACL in the policy, and apply the policy to an
interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the
same in an IPv4 network and in an IPv6 network.
• Application-based IPsec tunnel—Protects the packets of an application. This method can be
used to protect IPv6 routing protocols. It does not require any ACL. For information about IPv6
routing protocol protection, see "Configuring IPsec for IPv6 routing protocols."

Implementing ACL-based IPsec

Feature restrictions and guidelines

ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for
the device. They do not take effect on traffic forwarded through the device. For example, an
ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot
protect all the data flows and voice flows that are forwarded by the device. For more information
about configuring an ACL for IPsec, see "Configuring an ACL."

ACL-based IPsec configuration task list

The generic configuration procedure for implementing ACL-based IPsec is as follows:
1. Configure an ACL for identifying data flows to be protected. To use IPsec to protect VPN traffic,
you do not need to specify the VPN parameters in the ACL rules.
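The caution under "IPsec tunnel establishment" asks you to confirm that IKE (UDP port 500), ESP (IP protocol 50) and AH (IP protocol 51) are not denied on the interfaces that carry the tunnel. The following Python script is an added example, not part of this manual or of the device's software: it evaluates a constructed, vendor-neutral rule list (first match wins, implicit deny at the end, the usual ACL semantics) against the three inbound flows a tunnel needs from its peer and reports any that would be blocked. The `Rule`/`Flow` model, the addresses and both sample filters are constructed for illustration and are not the device's ACL syntax.

```python
"""Check that an interface packet filter permits the protocols an IPsec tunnel
needs: IKE on UDP port 500, ESP (IP protocol 50) and AH (IP protocol 51).

Added example. The Rule/Flow representation below is a constructed,
vendor-neutral model of an ACL, not the device's own ACL syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# IP protocol numbers the check needs (values from the IANA protocol registry).
PROTO_NUMBERS = {"udp": 17, "tcp": 6, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Rule:
    """One ACL entry: action on a protocol/source/destination/port tuple."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "udp", "tcp", "esp", "ah"
    src: str                     # source prefix in CIDR notation
    dst: str                     # destination prefix in CIDR notation
    dport: Optional[int] = None  # destination port; only meaningful for udp/tcp


@dataclass(frozen=True)
class Flow:
    """A packet to test: protocol number, addresses and optional dest port."""
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if every field of the rule covers the flow."""
    if rule.proto != "ip" and PROTO_NUMBERS[rule.proto] != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule decides; a flow that matches no rule is denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def ipsec_control_flows(local: str, peer: str) -> Dict[str, Flow]:
    """The inbound flows from the peer that IKE and IPsec need on this interface."""
    return {
        "IKE (UDP 500)": Flow(PROTO_NUMBERS["udp"], peer, local, dport=500),
        "ESP (proto 50)": Flow(PROTO_NUMBERS["esp"], peer, local),
        "AH (proto 51)": Flow(PROTO_NUMBERS["ah"], peer, local),
    }


def blocked_ipsec_protocols(rules: List[Rule], local: str, peer: str) -> List[str]:
    """Names of the IKE/ESP/AH flows that the filter would not permit."""
    return [name for name, flow in ipsec_control_flows(local, peer).items()
            if evaluate(rules, flow) != "permit"]


# Constructed sample: local tunnel endpoint and remote peer (documentation ranges).
LOCAL = "192.0.2.1"
PEER = "198.51.100.1"

# Constructed filter that forgets AH: IKE and ESP are permitted, then deny-all.
INCOMPLETE_FILTER = [
    Rule("permit", "udp", "198.51.100.0/24", "192.0.2.1/32", dport=500),
    Rule("permit", "esp", "198.51.100.0/24", "192.0.2.1/32"),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# Corrected filter: AH is explicitly permitted before the deny-all rule.
CORRECTED_FILTER = [
    Rule("permit", "udp", "198.51.100.0/24", "192.0.2.1/32", dport=500),
    Rule("permit", "esp", "198.51.100.0/24", "192.0.2.1/32"),
    Rule("permit", "ah", "198.51.100.0/24", "192.0.2.1/32"),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, rules in (("incomplete", INCOMPLETE_FILTER), ("corrected", CORRECTED_FILTER)):
        blocked = blocked_ipsec_protocols(rules, LOCAL, PEER)
        print(f"{name}: blocked = {blocked or 'none'}")
```

Run against the incomplete filter the script reports AH as blocked, which is exactly the situation the caution warns about when a tunnel is configured with AH but the interface filter was written with only IKE and ESP in mind; the corrected filter reports nothing blocked. The same evaluator can be pointed at the ACL that selects traffic for the tunnel in step 1 of the task list to confirm that a given flow is actually covered.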
