Setting Up A Key Policy - Lenovo RackSwitch G8264 Application Manual

Setting Up a Key Policy

1. To define which encryption and authentication algorithms are used, create a
transform set:
2. Decide whether to use tunnel or transport mode. The default mode is transport.
3. To describe the packets to which this policy applies, create a traffic selector using
the following command:
© Copyright Lenovo 2016
When configuring IPsec, you must define a key policy. This key policy can be either
manual or dynamic. Either way, configuring a policy involves the following steps:
 Create a transform set—This defines which encryption and authentication algo‐
rithms are used.
 Create a traffic selector—This describes the packets to which the policy applies.
 Establish an IPsec policy.
 Apply the policy.
RS G8264(config)# ipsec transform­set <transform ID> <encryption method> <integrity
algorithm> <AH authentication algorithm>
where the following parameters are used:
transform ID

 encryption method
 integrity algorithm
AH authentication algorithm

RS G8264(config)# ipsec transform­set tunnel|transport
RS G8264(config)# ipsec traffic­selector <traffic selector number> permit|deny
any|icmp <type|any> |tcp > <source IP address|any> <destination IP address|any> [<prefix
length>]
where the following parameters are used:
 traffic selector number
permit|deny

any

icmp <type>|any

tcp

source IP address|any

A number from 1‐10
One of the following: esp­des | esp­3des |
esp­aes­cbc | esp­null
One of the following: esp­sha1 | esp­md5 |
none
One of the following: ah­sha1 | ah­md5 | none
an integer from 1‐10
whether or not to permit IPsec encryption of
traffic that meets the criteria specified in this
command
apply the selector to any type of traffic
only apply the selector only to ICMP traffic of the
specified type (an integer from 1‐255) or to any
ICMP traffic
only apply the selector to TCP traffic
the source IP address in IPv6 format or "any"
source
Chapter 30: IPsec with IPv6
483