Table of Contents
Advertisement
Configuring IPsec
Quick Steps for Configuring an IPsec AH Policy
IP Authentication Header (AH) provides data origin authentication, data integrity, and replay protection.
Data integrity verifies that the contents of the datagram were not changed in transit, either deliberately or
due to random errors, however, AH does not provide data encryption.
1
Configure the master security key. The master security key must be set if keys are to be encrypted
when saved in the boot.cfg and snapshot files.
-> ipsec security-key master-key-12345
2
Define the policy. A policy defines the traffic that requires IPsec protection. The commands below
define a bi-directional policy for any protocol and the associated IPv6 address ranges. For example:
-> ipsec policy ALLoutMD5 source 664:1:1:1::199/64 destination 664:1:1:1::1/64
protocol any out ipsec admin-state disable
-> ipsec policy ALLinMD5 source 664:1:1:1::1/64 destination 664:1:1:1::199/64
protocol any in ipsec admin-state disable
3
Define the rule. A rule defines the security services for the traffic defined by its associated policy. For
example the commands below add an AH rule to the polices defined above:
-> ipsec policy ALLoutMD5 rule 1 ah
-> ipsec policy ALLinMD5 rule 1 ah
4
Enable the policies. A policy cannot be enabled until the rules are defined. Now that rules have been
defined, enable the policy using the commands below:
-> ipsec policy ALLoutMD5 admin-state enable
-> ipsec policy ALLinMD5 admin-state enable
5
Define the Security Keys. Each SA has its own unique set of security keys. The key name is the SA
name that is going to use the key and the length must match the authentication algorithm key size. Keys
must be defined before the SA can be enabled.
-> ipsec key ALLoutMD5_SA sa-authentication
-> ipsec key ALLinMD5_SA sa-authentication
6
Define the SA. An SA specifies the actual actions to be performed. The security parameters index
(SPI) helps identify the source/destination pair. The security parameters index (SPI) in combination with
the source and destination addresses uniquely identifies an SA. An identical SA (same SPI, source, and
destination) must be configured on both systems exchanging IPsec protected traffic.
-> ipsec sa ALLoutMD5_SA ah source 664:1:1:1::199 destination 664:1:1:1::1 spi
2000 authentication HMAC-MD5 admin-state enable
-> ipsec sa ALLinMD5_SA ah source 664:1:1:1::1 destination 664:1:1:1::199 spi
2001 authentication HMAC-MD5 admin-state enable
7
Use the following show commands to verify the IPsec configuration:
-> show ipsec policy
-> show ipsec sa
-> show ipsec key sa-authentication
OmniSwitch AOS Release 7 Network Configuration Guide
Quick Steps for Configuring an IPsec AH Policy
0x11112222333344445555666677778888
0x11112222333344445555666677778888
March 2011
page 14-3
Advertisement
Table of Contents
