Configuration Examples; Figure 14 Protected Endpoints Configuration - HP SN3000B Administrator's Manual

Brocade fabric os administrator's guide - supporting fabric os v7.0.1 (53-1002446-01, march 2012)
Using the ipsecConfig command, you must configure multiple security policies for traffic flows on
the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6
addresses, the type of application, port numbers, and protocols used (UDP/TCP/ICMP). You must
specify the transforms and processing choices for the traffic flow (drop, protect, or bypass). Also,
you must select and configure the key management protocol using an automatic or manual key.
For more information on IPv4 and IPv6 addressing, refer to Chapter 2, "Performing Basic
Configuration Tasks".
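The policy evaluation described above, as an added example (Python, not code from the guide or from the ipsecConfig command; policy names, transform names and addresses are made up): an ordered policy set using the selectors and actions the text lists, a first-match lookup that discards anything no policy covers, and a check for a policy that an earlier, broader one makes unreachable.

```python
"""Ordered IPsec security-policy lookup for an Ethernet management interface.

Added example, not code from the Fabric OS guide or the ipsecConfig command.
It models the selector and action decisions the text describes (addresses or
ranges, IPv4 or IPv6, protocol, ports; drop/protect/bypass) with the RFC 4301
semantics that matter in practice: policies are searched in order, the first
match wins, and a flow that matches no policy is discarded, not passed in the
clear. Policy names, transform names and addresses are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # "protect", "bypass" or "drop"
    remote: str                        # host address or CIDR range, v4 or v6
    protocol: str = "any"              # "tcp", "udp", "icmp", "icmpv6", "any"
    local_port: Optional[int] = None   # port on the switch, e.g. 22 for SSH
    remote_port: Optional[int] = None
    transform: Optional[str] = None    # transform set; required for protect

    def __post_init__(self) -> None:
        if self.action not in ("protect", "bypass", "drop"):
            raise ValueError(f"{self.name}: bad action {self.action!r}")
        if self.action == "protect" and not self.transform:
            raise ValueError(f"{self.name}: protect needs a transform")
        ipaddress.ip_network(self.remote, strict=False)   # syntax check

    @property
    def network(self):
        return ipaddress.ip_network(self.remote, strict=False)


@dataclass(frozen=True)
class Flow:
    remote: str
    protocol: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


def matches(policy: Policy, flow: Flow) -> bool:
    """True when every selector in the policy covers the flow."""
    net = policy.network
    addr = ipaddress.ip_address(flow.remote)
    if addr.version != net.version or addr not in net:
        return False
    if policy.protocol != "any" and policy.protocol != flow.protocol:
        return False
    for want, have in ((policy.local_port, flow.local_port),
                       (policy.remote_port, flow.remote_port)):
        if want is not None and want != have:
            return False
    return True


def lookup(spd: List[Policy], flow: Flow) -> Tuple[str, str]:
    """First-match search; no match means discard (RFC 4301, section 4.4.1)."""
    for policy in spd:
        if matches(policy, flow):
            return policy.action, policy.name
    return "drop", "default-discard"


def shadowed(spd: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy is at
    least as broad in every selector. The classic mistake is a broad bypass
    placed ahead of the protect rules it was meant to complement."""
    out = []
    for j, later in enumerate(spd):
        for earlier in spd[:j]:
            e_net, l_net = earlier.network, later.network
            if e_net.version != l_net.version or not l_net.subnet_of(e_net):
                continue
            if earlier.protocol not in ("any", later.protocol):
                continue
            if earlier.local_port not in (None, later.local_port):
                continue
            if earlier.remote_port not in (None, later.remote_port):
                continue
            out.append(later.name)
            break
    return out


def build_spd() -> List[Policy]:
    """Constructed sample policy set for a switch management interface."""
    return [
        # IKE itself must pass unprotected or no SA can ever be negotiated.
        Policy("ike", "bypass", "10.10.0.0/24", "udp", local_port=500),
        Policy("ike-natt", "bypass", "10.10.0.0/24", "udp", local_port=4500),
        # SSH to the switch from the v4 and v6 management subnets is protected.
        Policy("ssh-v4", "protect", "10.10.0.0/24", "tcp", local_port=22,
               transform="esp-aes-sha-transport"),
        Policy("ssh-v6", "protect", "2001:db8:10::/64", "tcp", local_port=22,
               transform="esp-aes-sha-transport"),
        # Telnet is refused explicitly, from anywhere, v4 and v6.
        Policy("no-telnet-v4", "drop", "0.0.0.0/0", "tcp", local_port=23),
        Policy("no-telnet-v6", "drop", "::/0", "tcp", local_port=23),
        # Ping from the management subnet is allowed in the clear.
        Policy("ping", "bypass", "10.10.0.0/24", "icmp"),
    ]
```

Two points worth carrying over to a real switch: the IKE bypass entries must exist (and sit ahead of any protect rule for the same peers) or automatic keying can never bring an SA up, and the address family of a selector is part of the match, so an IPv4 "any" policy says nothing about IPv6 management traffic.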

Configuration examples

Below are several examples of various configurations you can use to implement an IPsec tunnel
between two devices. You can configure other scenarios as nested combinations of these
configurations.
Endpoint-to-endpoint transport or tunnel
In this scenario, both endpoints of the IP connection implement IPsec, as required of hosts in
RFC 4301. Transport mode protects only the IP payload (the transport header and data) and keeps
the original IP header; tunnel mode encapsulates and protects the entire original packet, header
included, behind a new outer IP header. A single pair of addresses is negotiated for packets
protected by this SA.
It is possible in this scenario that one or both of the protected endpoints will be behind a network
address translation (NAT) node, in which case the IPsec packets have to be UDP-encapsulated
(NAT traversal, RFC 3948, normally on UDP port 4500) so that the port numbers in the UDP
headers can be used to identify individual endpoints behind the NAT.
FIGURE 14 Protected endpoints configuration
A possible drawback of end-to-end security is that applications that need to inspect or modify
packets in transit will fail when end-to-end confidentiality is employed. QoS solutions, traffic
shaping, and firewalling applications see only the outer IP header and the ESP SPI; they cannot
determine what type of packet is being transmitted and so cannot make the decisions they are
supposed to make.
Gateway-to-gateway tunnel
In this scenario, neither endpoint of the IP connection implements IPsec; instead, network nodes
between them (the gateways) protect traffic for part of the way. Protection is transparent to the
endpoints and depends on ordinary routing to send packets through the gateways for processing.
Each gateway announces the set of addresses behind it, and packets are sent in tunnel mode: the
outer IP header carries the gateway addresses and the inner IP header carries the IP addresses of
the actual endpoints.
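The two scenarios above, as an added example (Python, not code from the guide): it builds the outer framing of a transport-mode packet, a gateway-to-gateway tunnel-mode packet, and the UDP-encapsulated form used behind a NAT, then parses each the way an on-path firewall or QoS device would, showing which fields survive. The ESP body is an opaque placeholder rather than real encryption, addresses are RFC 5737 documentation ranges, and the SPI values are made up.

```python
"""What an on-path device can see of IPsec traffic in transport mode, tunnel
mode and the UDP-encapsulated form used behind NAT.

Added example, not part of the Fabric OS guide. The outer headers are built
exactly (IPv4 header with checksum, ESP header, RFC 3948 UDP wrapper); the ESP
body is an opaque placeholder, not encryption, because the point is which
fields survive for a firewall or QoS device to classify on. Addresses are
RFC 5737 documentation ranges and the SPI values are made up.
"""
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
NATT_PORT = 4500            # IKE and UDP-encapsulated ESP (RFC 3948)


def ipv4_checksum(header: bytes) -> int:
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, DF set) with a correct checksum."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      0x4000, 64, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ipv4_header_ok(packet: bytes) -> bool:
    """Checksum over a received header must come out as zero."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """TCP header with the fields a classifier reads; checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                       65535, 0, 0) + data


def esp(spi: int, seq: int, plaintext: bytes) -> bytes:
    """ESP (RFC 4303): clear-text SPI and sequence number, then a body that
    stands in for ciphertext + padding + next-header byte + ICV."""
    assert spi != 0, "SPI 0 is reserved; RFC 3948 uses it as the IKE marker"
    body = b"\xAA" * (len(plaintext) + 2 + 16)  # placeholder, NOT encryption
    return struct.pack("!II", spi, seq) + body


def transport_mode(src, dst, segment, spi, seq=1) -> bytes:
    """Original IP header stays; only the transport payload is inside ESP."""
    return ipv4(src, dst, PROTO_ESP, esp(spi, seq, segment))


def tunnel_mode(outer_src, outer_dst, inner_packet, spi, seq=1) -> bytes:
    """Whole inner IP packet, header included, goes inside ESP behind a new
    outer header (what a gateway-to-gateway tunnel emits)."""
    return ipv4(outer_src, outer_dst, PROTO_ESP, esp(spi, seq, inner_packet))


def udp_encapsulated(src, dst, esp_or_ike: bytes) -> bytes:
    """RFC 3948 NAT traversal: the ESP packet rides inside UDP 4500 so the NAT
    can map it by port. IKE on 4500 starts with a 4-byte zero marker; ESP
    starts with its non-zero SPI, which is how the two are told apart."""
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp_or_ike), 0)
    return ipv4(src, dst, PROTO_UDP, udp + esp_or_ike)


def middlebox_view(packet: bytes) -> dict:
    """Parse only what an on-path device can: outer IP header, ports for plain
    TCP/UDP, the SPI for ESP. 'classifiable' means the real application
    ports are visible, which is what QoS and firewall rules usually key on."""
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    view = {"src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20])),
            "proto": proto, "ports": None, "spi": None, "natt": None,
            "classifiable": False}
    if proto == PROTO_TCP:
        view["ports"] = struct.unpack("!HH", payload[:4])
        view["classifiable"] = True
    elif proto == PROTO_ESP:
        view["spi"] = struct.unpack("!I", payload[:4])[0]
    elif proto == PROTO_UDP:
        view["ports"] = struct.unpack("!HH", payload[:4])
        inner = payload[8:]
        if view["ports"][1] == NATT_PORT and len(inner) >= 4:
            marker = struct.unpack("!I", inner[:4])[0]
            view["natt"] = "ike" if marker == 0 else "esp"
            view["spi"] = marker or None
        else:
            view["classifiable"] = True
    return view
```

In transport mode the middlebox still sees the real host addresses but no ports; in the gateway tunnel it sees only the two gateway addresses; behind a NAT it sees a UDP 4500 flow and can tell IKE from ESP only by the zero marker. That is the loss of visibility the drawback paragraph describes, and the SPI is the one handle left for per-SA accounting.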
Automated Key Management—Automates the process, as well as manages the periodic
exchange and generation of new keys.