Using Ipsec With The Lenovo Rackswitch G8264; Setting Up Authentication - Lenovo RackSwitch G8264 Application Manual
For lenovo enterprise network operating system 8.4
Hide thumbs
Also See for RackSwitch G8264:
- Command reference manual (794 pages) ,
- Installation manual (106 pages) ,
- Product manual (26 pages)
Table of Contents
Advertisement
Using IPsec with the Lenovo RackSwitch G8264
Setting up Authentication
© Copyright Lenovo 2016
IPsec supports the fragmentation and reassembly of IP packets that occurs when
data goes to and comes from an external device. The Lenovo RackSwitch G8264
acts as an end node that processes any fragmentation and reassembly of packets
but does not forward the IPsec traffic. :You must authenticate the IKEv2 key
following the directions in "Setting up Authentication" on page
use IPsec.
The security protocol for the session key is either ESP or AH. Outgoing packets are
labeled with the SA SPI (Security Parameter Index), which the remote device will
use in its verification and decryption process.
Every outgoing IPv6 packet is checked against the IPsec policies in force. For each
outbound packet, after the packet is encrypted, the software compares the packet
size with the MTU size that it either obtains from the default minimum maximum
transmission unit (MTU) size (1500) or from path MTU discovery. If the packet size
is larger than the MTU size, the receiver drops the packet and sends a message
containing the MTU size to the sender. The sender then fragments the packet into
smaller pieces and retransmits them using the correct MTU size.
The maximum traffic load for each IPsec packet is limited to the following:
IKEv2 SAs: 5
IPsec SAs: 10 (5 SAs in each direction)
SPDs: 20 (10 policies in each direction)
IPsec is implemented as a software cryptography engine designed for handling
control traffic, such as network management. IPsec is not designed for handling
data traffic, such as a VPN.
Before you can use IPsec, you need to have key policy authentication in place.
There are two types of key policy authentication:
Preshared key (default)
The parties agree on a shared, secret key that is used for authentication in an
IPsec policy. During security negotiation, information is encrypted before
transmission by using a session key created by using a Diffie‐Hellman
calculation and the shared, secret key. Information is decrypted on the receiving
end using the same key. One IPsec peer authenticates the other peerʹs packet by
decryption and verification of the hash inside the packet (the hash inside the
packet is a hash of the preshared key). If authentication fails, the packet is
discarded.
Digital certificate (using RSA algorithms)
The peer being validated must hold a digital certificate signed by a trusted
Certificate Authority and the private key for that digital certificate. The side
performing the authentication only needs a copy of the trusted certificate
authorities digital certificate. During IKEv2 authentication, the side being
validated sends a copy of the digital certificate and a hash value signed using the
private key. The certificate can be either generated or imported.
477 before you can
Chapter 30: IPsec with IPv6
477
- Quick Links:
- Chapter 18. Stacking
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
