Ericsson HL950 Administrator's Manual page 80

Multi Service Edge Device HL950
Administrator's Guide
When defining VPN policies, you always configure the outbound selectors; the counterpart policy with the inbound selectors is created automatically on the local system. When network traffic enters the HL950 from the corporate network interface, it first passes through the access policies. Traffic that passes the access policies is then checked against the VPN policies. If no VPN policy matches a given type of traffic, that traffic passes through unchanged. If the traffic is selected by a VPN policy, IPSec is applied to it as defined in that policy.
There are two types available when adding a VPN policy: Manual Key Management and Automatic Key Management.
For both types the following parameters have to be set:
- Policy name: a symbolic (unique) name of the VPN policy.
- Source IP address range: the IP address range of the outbound network traffic for which this VPN policy will provide security.
- Destination IP address range: the IP address range of the outbound network traffic for which this VPN policy will provide security.
- Source and Destination port: the port value for this VPN policy selector. The default value is 0, which indicates the complete port range, i.e. 1 to 65535.
- Protocol type: the transport protocol for this VPN policy selector. It can be set to TCP, UDP or ICMP. If you don't set a protocol type, all transport protocols riding on IP will be allowed.
- Peer Security Gateway: the IP address of the remote end of the VPN tunnel, i.e. the WAN IP address of the remote Security Gateway.
- Local Security Gateway: the IP address of the local end of the VPN tunnel, i.e. the WAN interface IP address of your HL950.
- Security protocols (AH, ESP, EWA, AH+ESP, or AH+EWA).
- Authentication protocol (MD5, SHA1, or MAC).
- Encryption protocol (DES, 3DES, or AES).
To establish secure communication with the remote site you need to configure matching VPN policies on both SGs. The outbound VPN policy on one end must match the inbound VPN policy on the other end, and vice versa. This is done by configuring the SPI values for both inbound and outbound authentication and for both inbound and outbound encryption.
NOTE!
This is only valid when configuring Manual Key Management policies.
For detailed information about the prefixes and parameters of the SECURITY IPSEC command, see section 6.6.7.
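The matching rule above is easy to get wrong when the two gateways are configured by hand, so the following added example (not code from the Ericsson manual, and not the HL950's SECURITY IPSEC syntax) models a pair of Manual Key Management policies and checks that they mirror each other: swapped selectors and gateway addresses, identical protocol choices, and cross-matched SPIs (what one side sends outbound under an SPI, the other side must expect inbound under the same SPI). It also shows the selector semantics the page describes: port 0 as the full port range and an unset protocol as "all protocols on IP", with unmatched traffic passing unchanged. The class and field names, the address ranges and the SPI values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PORT_ANY = 0  # manual: 0 stands for the complete port range, i.e. 1 to 65535


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address to integer, for range comparisons."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class Selector:
    """Outbound traffic selector of a VPN policy (assumed structure)."""
    src_lo: str
    src_hi: str
    dst_lo: str
    dst_hi: str
    src_port: int = PORT_ANY
    dst_port: int = PORT_ANY
    protocol: Optional[str] = None  # "TCP", "UDP" or "ICMP"; None = every protocol on IP

    def mirrored(self) -> "Selector":
        """The inbound counterpart the local system creates automatically: swap source and destination."""
        return Selector(self.dst_lo, self.dst_hi, self.src_lo, self.src_hi,
                        self.dst_port, self.src_port, self.protocol)

    def selects(self, src: str, dst: str, sport: int, dport: int, proto: str) -> bool:
        """True if a packet with these header fields is covered by this selector."""
        in_src = ip_to_int(self.src_lo) <= ip_to_int(src) <= ip_to_int(self.src_hi)
        in_dst = ip_to_int(self.dst_lo) <= ip_to_int(dst) <= ip_to_int(self.dst_hi)
        port_ok = self.src_port in (PORT_ANY, sport) and self.dst_port in (PORT_ANY, dport)
        proto_ok = self.protocol is None or self.protocol == proto
        return in_src and in_dst and port_ok and proto_ok


@dataclass(frozen=True)
class ManualKeyPolicy:
    """Manual Key Management policy as one gateway sees it, outbound direction (assumed structure)."""
    name: str
    selector: Selector
    local_gw: str                # WAN address of this gateway
    peer_gw: str                 # WAN address of the remote security gateway
    security_protocol: str       # AH, ESP, EWA, AH+ESP or AH+EWA
    auth_protocol: str           # MD5, SHA1 or MAC
    enc_protocol: Optional[str]  # DES, 3DES or AES; None when no encryption is used
    spi_auth_out: int
    spi_auth_in: int
    spi_enc_out: int
    spi_enc_in: int


def apply_policies(policies, src, dst, sport, dport, proto) -> Optional[str]:
    """Name of the first VPN policy selecting the packet; None means the traffic passes unchanged."""
    for p in policies:
        if p.selector.selects(src, dst, sport, dport, proto):
            return p.name
    return None


def mismatches(a: ManualKeyPolicy, b: ManualKeyPolicy) -> list:
    """List every way in which a's outbound policy fails to match b's inbound counterpart."""
    problems = []
    if a.selector != b.selector.mirrored():
        problems.append("selectors are not mirror images")
    if (a.local_gw, a.peer_gw) != (b.peer_gw, b.local_gw):
        problems.append("gateway addresses are not swapped")
    for field in ("security_protocol", "auth_protocol", "enc_protocol"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs")
    # SPIs cross-match: a's outbound SPI is b's inbound SPI and vice versa
    if a.spi_auth_out != b.spi_auth_in or a.spi_auth_in != b.spi_auth_out:
        problems.append("authentication SPIs are not cross-matched")
    if a.spi_enc_out != b.spi_enc_in or a.spi_enc_in != b.spi_enc_out:
        problems.append("encryption SPIs are not cross-matched")
    return problems


# Constructed sample: site A (10.1.0.0/16 behind 192.0.2.1) to site B (10.2.0.0/16 behind 198.51.100.1)
SITE_A = ManualKeyPolicy("to-site-b",
                         Selector("10.1.0.0", "10.1.255.255", "10.2.0.0", "10.2.255.255"),
                         "192.0.2.1", "198.51.100.1", "AH+ESP", "SHA1", "3DES",
                         spi_auth_out=0x1001, spi_auth_in=0x2001,
                         spi_enc_out=0x1002, spi_enc_in=0x2002)
SITE_B = ManualKeyPolicy("to-site-a",
                         Selector("10.2.0.0", "10.2.255.255", "10.1.0.0", "10.1.255.255"),
                         "198.51.100.1", "192.0.2.1", "AH+ESP", "SHA1", "3DES",
                         spi_auth_out=0x2001, spi_auth_in=0x1001,
                         spi_enc_out=0x2002, spi_enc_in=0x1002)
# Same as SITE_B but with a mistyped inbound encryption SPI
SITE_B_BAD = ManualKeyPolicy("to-site-a", SITE_B.selector, SITE_B.local_gw, SITE_B.peer_gw,
                             "AH+ESP", "SHA1", "3DES", 0x2001, 0x1001, 0x2002, 0x1003)

if __name__ == "__main__":
    print("A<->B:", mismatches(SITE_A, SITE_B) or "match")
    print("A<->B(bad):", mismatches(SITE_A, SITE_B_BAD))
    print("10.1.5.5 -> 10.2.7.7/443:", apply_policies([SITE_A], "10.1.5.5", "10.2.7.7", 40000, 443, "TCP"))
    print("10.1.5.5 -> 10.3.0.1/443:", apply_policies([SITE_A], "10.1.5.5", "10.3.0.1", 40000, 443, "TCP"))
```

Run `mismatches` in both directions (A against B and B against A), since the page requires the outbound policy of each end to match the inbound policy of the other; a policy pair that passes only one direction is still misconfigured.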
4.6.3.2 IKE
The SECURITY IKE command is used to control the IKE (Internet Key Exchange) service.
IKE is the protocol used to perform key exchange between IPSec devices and provides a way to:
- ensure that the key exchange and the IPSec communication occur only between authenticated parties;
- negotiate the protocols, algorithms and keys to be used between the two IPSec hosts;
- securely update and re-negotiate SAs when they have expired.
IKE provides two modes of key exchange and setting up of SAs:
EN/LZT 108 5995 R3
June 2003
Page 80 (159)
