Enhancements To Ipsec/Vpn; Responding To Ipsec Packets From An Unknown Tunnel - Allied Telesis AT-8600 Release Note

Version 2.8.1

Software Version 2.8.1
C613-10477-00 REV B

Enhancements to IPsec/VPN

This Software Version includes enhancements in the following IPsec functions:

- Responding to IPsec Packets from an Unknown Tunnel
- Modifying the Message Retransmission Delay
- Retrying ISAKMP Phase 1 and 2 Negotiations
- VPN Tunnel Licencing

This section describes the enhancements. The modified commands to implement them are described in Command Reference Updates.

Responding to IPsec Packets from an Unknown Tunnel

This Software Version allows the router or switch to send a notification message to a peer when IPsec traffic from the peer is not recognised. When the peer receives the message, it deletes the SAs it has for the router or switch. This provides a way to ensure that only valid IPsec tunnels exist between the router or switch and its peer.

To enable the router or switch to send this type of notification message to its peer, use the new respondbadspi parameter in the command:

    create ipsec policy=name interface=interface action=ipsec keymanagement=isakmp peeraddress=ipv4add respondbadspi=true [other parameters]

This feature is only valid for connections where:

- The peer IP address is a static IPv4 address.
- IPsec tunnel mode is used. This is specified by setting the mode parameter to tunnel in the create ipsec saspecification command.
- The ISAKMP policy for the peer has the mode parameter set to main, and the sendnotify parameter set to true.
- The IPsec policy for the peer has the action parameter set to ipsec, the keymanagement parameter set to isakmp, and the peeraddress parameter set to a valid IPv4 address.

The router or switch recognises traffic for current IPsec tunnels by checking the Security Parameter Index (SPI) value of the IPsec packets. If the router or switch receives an IPsec packet with an unknown SPI value from a known peer, this indicates there is a discrepancy with the IPsec tunnel between the router or switch and its peer. When the respondbadspi parameter is configured to true, the router or switch can then send a message to the peer, notifying it to delete the SAs for the router or switch, which closes the tunnel.

Unknown SPI values can occur if the router or switch restarts while there is a current IPsec tunnel. Because the IPsec SAs are lost, the router or switch no longer recognises traffic sent through the IPsec tunnel. However, the peer will keep sending traffic via the tunnel unless it is notified that the SAs are invalid.
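The restart scenario above, as an added Python model written for this page and not code from the Allied Telesis firmware: the device keeps an inbound SA table keyed by peer address and SPI, a restart empties it, and the next packet on the old SPI is either answered with a delete notification (respondbadspi set and every precondition from the list met) or silently dropped, in which case the peer keeps sending into a tunnel the device no longer recognises. The notification itself is abstracted to a method call; the policy name, the peer address 192.0.2.2 and the SPI value are constructed for the illustration.

```python
"""Constructed model of the respondbadspi behaviour described in the release note.

Not Allied Telesis code: it models the decision the router or switch makes when
an IPsec packet arrives with a Security Parameter Index (SPI) it holds no SA for,
and the peer's reaction to the resulting notification. The policy name, peer
address and SPI value are constructed.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class IpsecPolicy:
    """Settings from the IPsec policy, SA specification and ISAKMP policy for one peer."""
    name: str
    peeraddress: str             # static IPv4 address of the peer
    action: str = "ipsec"
    keymanagement: str = "isakmp"
    sa_mode: str = "tunnel"      # mode parameter of the SA specification
    isakmp_mode: str = "main"    # mode parameter of the ISAKMP policy
    sendnotify: bool = True      # sendnotify parameter of the ISAKMP policy
    respondbadspi: bool = False  # the new parameter


def notify_allowed(policy: IpsecPolicy) -> bool:
    """True only when respondbadspi is set and every precondition in the note holds."""
    try:
        peer = ipaddress.ip_address(policy.peeraddress)
    except ValueError:
        return False                        # not a valid literal address
    return (policy.respondbadspi
            and peer.version == 4
            and policy.sa_mode == "tunnel"
            and policy.isakmp_mode == "main"
            and policy.sendnotify
            and policy.action == "ipsec"
            and policy.keymanagement == "isakmp")


@dataclass
class Peer:
    """The remote gateway: holds the SAs it believes are valid for the device."""
    address: str
    sas_for_device: set = field(default_factory=set)   # SPIs it sends with
    notifications: list = field(default_factory=list)

    def on_delete_notification(self) -> None:
        # On receiving the message the peer deletes its SAs for the device.
        self.notifications.append("delete-sas")
        self.sas_for_device.clear()


@dataclass
class Device:
    """The router or switch: inbound SA table keyed by (peer address, SPI)."""
    policy: IpsecPolicy
    inbound_sas: dict = field(default_factory=dict)

    def restart(self) -> None:
        self.inbound_sas.clear()            # negotiated SAs do not survive a restart

    def receive(self, peer: Peer, spi: int) -> str:
        """Classify one inbound IPsec packet from peer carrying the given SPI."""
        if (peer.address, spi) in self.inbound_sas:
            return "processed"              # known tunnel
        if peer.address == self.policy.peeraddress and notify_allowed(self.policy):
            peer.on_delete_notification()   # unknown SPI from a known peer: notify
            return "notified"
        return "dropped"                    # silently discarded; peer keeps sending


def run_scenario(respondbadspi: bool) -> list:
    """Known tunnel, then a restart that loses the SAs, then the same SPI again."""
    policy = IpsecPolicy(name="vpn1", peeraddress="192.0.2.2",
                         respondbadspi=respondbadspi)
    device = Device(policy)
    spi = 0x1A2B3C4D                        # constructed SPI value
    peer = Peer("192.0.2.2", sas_for_device={spi})
    device.inbound_sas[("192.0.2.2", spi)] = "vpn1"
    outcome = [device.receive(peer, spi)]   # before restart: processed
    device.restart()
    outcome.append(device.receive(peer, spi))   # after restart: notified or dropped
    outcome.append(len(peer.sas_for_device))    # 0 once the peer has torn its SAs down
    return outcome


if __name__ == "__main__":
    print("respondbadspi=true :", run_scenario(True))
    print("respondbadspi=false:", run_scenario(False))
```

Running the two scenarios side by side shows the point of the parameter: with respondbadspi=false the post-restart packet is dropped and the peer still holds its SA, so traffic keeps flowing into a dead tunnel until the peer's own lifetimes expire; with respondbadspi=true the peer's SA set is empty after the first unknown-SPI packet. notify_allowed also shows why the preconditions matter as a unit: an IPv6 peer or an aggressive-mode ISAKMP policy disables the response even when respondbadspi is set.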