
Defining The Ipsec Configuration - Extreme Networks Summit WM3000 Series Reference Manual

Summit WM3000 Series Controller System Software Version 4.0


security parameters in the Crypto Maps at both peers, allows you to specify a lifetime for the IPSec
security association, allows encryption keys to change during IPSec sessions and permits Certification
Authority (CA) support for a manageable, scalable IPSec implementation. If you do not want IKE
with your IPSec implementation, disable it for IPSec peers. You cannot have a mix of IKE-enabled
and IKE-disabled peers within your IPSec network.
Configure security association parameters
The use of manual security associations is a result of a prior arrangement between controller users
and the IPSec peer. If IKE is not used for establishing security associations, there is no negotiation of
security associations. The configuration information in both systems must be the same for traffic to
be processed successfully by IPSec.
Define transform sets
A transform set represents a combination of security protocols and algorithms. During the IPSec
security association negotiation, peers agree to use a particular transform set for protecting data flow.
With manually established security associations, there is no negotiation with the peer. Both sides
must specify the same transform set. If you change a transform set definition, the change is only
applied to Crypto Map entries that reference the transform set. The change is not applied to existing
security associations, but is used in subsequent negotiations to establish new security associations.
Create Crypto Map entries
When IKE is used to establish security associations, the IPSec peers can negotiate the settings they
use for the new security associations. Therefore, specify lists (such as lists of acceptable transforms)
within the Crypto Map entry.
Apply Crypto Map sets to Interfaces
Assign a Crypto Map set to each interface through which IPSec traffic flows. The security appliance
supports IPSec on all interfaces. Assigning the Crypto Map set to an interface instructs the security
appliance to evaluate all the traffic against the Crypto Map set and use the specified policy during
connection or SA negotiation. Assigning a Crypto Map to an interface also initializes run-time data
structures (such as the SA database and the security policy database). Reassigning a modified Crypto
Map to the interface resynchronizes the run-time data structures with the Crypto Map configuration.
With the controller, a Crypto Map cannot be applied to more than one interface at a time.
Monitor and maintain IPSec tunnels
New configuration changes only take effect when negotiating subsequent security associations. If
you want the new settings to take immediate effect, clear the existing security associations so they
will be re-established with the changed configuration.
For manually established security associations, clear and reinitialize the security associations or the
changes will not take effect.
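The consistency rules in the steps above (no mix of IKE-enabled and IKE-disabled peers, identical transform sets for manual security associations, at least one mutually acceptable transform set under IKE, one interface per Crypto Map) can be checked before a change is pushed. The following is an added example, not code from this manual or from Extreme Networks. The dictionary layout, the "tunnel" label used to pair entries on the two peers, and all sample values are constructed assumptions, not controller syntax.

```python
# Added example: pre-change audit of two IPSec peers' settings.
# The data model is hypothetical; it is NOT the controller's configuration format.

def audit(local, remote):
    """Return a list of findings; an empty list means the peers are consistent."""
    findings = []
    # IKE-enabled and IKE-disabled peers cannot be mixed.
    if local["ike"] != remote["ike"]:
        findings.append("IKE enabled on one peer only")
    # A Crypto Map cannot be applied to more than one interface at a time.
    for side, cfg in (("local", local), ("remote", remote)):
        for m in cfg["maps"]:
            if len(m["interfaces"]) > 1:
                findings.append(f"{side}: crypto map for tunnel {m['tunnel']} "
                                f"applied to {len(m['interfaces'])} interfaces")
    # Pair entries by the (assumed) shared tunnel label and compare transforms.
    remote_maps = {m["tunnel"]: m for m in remote["maps"]}
    for m in local["maps"]:
        r = remote_maps.get(m["tunnel"])
        if r is None:
            findings.append(f"{m['tunnel']}: no matching entry on remote peer")
            continue
        lt, rt = m["transforms"], r["transforms"]
        if local["ike"] and remote["ike"]:
            # With IKE the peers negotiate, so one common transform set suffices.
            if not set(lt) & set(rt):
                findings.append(f"{m['tunnel']}: no transform set acceptable to both peers")
        elif lt != rt:
            # Manual SAs are not negotiated: both sides must match exactly.
            findings.append(f"{m['tunnel']}: manual SA transform sets differ")
    return findings

def peer(ike, transforms, interfaces=("if1",), tunnel="branch1"):
    """Build one constructed peer record with a single Crypto Map entry."""
    return {"ike": ike, "maps": [{"tunnel": tunnel,
                                  "interfaces": list(interfaces),
                                  "transforms": list(transforms)}]}

# Constructed transform sets: (protocol, encryption, authentication) labels.
A, B, C = ("esp", "aes", "sha"), ("esp", "3des", "sha"), ("esp", "des", "md5")

if __name__ == "__main__":
    for finding in audit(peer(False, [A]), peer(False, [B], ("if1", "if2"))):
        print(finding)
```

An empty result means only that the two descriptions agree with each other. Existing security associations still have to be cleared for a changed configuration to take effect, as described above.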
For more information on configuring IPSec VPN, refer to the following:
Defining the IPSec Configuration
Defining the IPSec VPN Remote Configuration
Configuring IPSEC VPN Authentication
Configuring Crypto Maps
Viewing IPSec Security Associations

Defining the IPSec Configuration
Use the IPSec VPN Configuration tab to view the attributes of existing VPN tunnels and modify the
security association lifetime and keep alive intervals used to maintain the sessions between VPN peers.
From the Configuration tab, transform sets can be created, and existing sets can be modified or deleted.
Summit WM3000 Series Controller System Reference Guide

This manual is also suitable for: Summit WM3600, Summit WM3700