Configuring Ipsec Vpn - Motorola RFS Series Reference Manual

5. Click the Stop Connection

6.8 Configuring IPSec VPN

Use IPSec Virtual Private Network (VPN) to define secure tunnels between two peers. Configure which
packets are sensitive and should be sent through secure tunnels, and what should be used to protect these
sensitive packets. Once configured, an IPsec peer creates a secure tunnel and sends the packet through the
tunnel to the remote peer.
IPSec tunnels are sets of security associations (SA) established between two peers. The security
associations define which protocols and algorithms are applied to sensitive packets, and what keying
material is used by the two peers. Security associations are unidirectional and established per security
protocol.
To configure IPSec security associations, Motorola uses the Crypto Map entries. Crypto Map entries created
for IPSec pull together the various parts used to set up IPSec security associations. Crypto Map entries
include transform sets. A transform set is an acceptable combination of security protocols, algorithms and
other settings to apply to IPSec protected traffic.
The Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with
the IPSec standard. IKE automatically negotiates IPSec security associations and enables IPSec secure
communications without costly manual configuration. To support IPSec VPN functionality, the following
configuration activities are required:
• Configure a DHCP Sever to assign public IP address
An IPSec client needs an IP address before it can connect to the VPN Server and create an IPSec tunnel.
A DHCP Server needs to be configured on the interface to distribute public IP addresses to the IPSec
clients.
• Configure a Crypto policy (IKE)
IKE automatically negotiates IPSec security associations and enables IPSec secure communications
without costly manual pre-configuration. IKE eliminates the need to manually specify all the IPSec
security parameters in the Crypto Maps at both peers, allows you to specify a lifetime for the IPSec
security association, allows encryption keys to change during IPSec sessions and permits Certification
Authority (CA) support for a manageable, scalable IPSec implementation. If you do not want IKE with your
IPSec implementation, disable it for IPSec peers. You cannot have a mix of IKE-enabled and IKE-disabled
peers within your IPSec network.
• Configure security associations parameters
The use of manual security associations is a result of a prior arrangement between switch users and the
IPSec peer. If IKE is not used for establishing security associations, there is no negotiation of security
associations. The configuration information in both systems must be the same for traffic to be processed
successfully by IPSec.
• Define transform sets
A transform set represents a combination of security protocols and algorithms. During the IPSec security
association negotiation, peers agree to use a particular transform set for protecting data flow.
With manually established security associations, there is no negotiation with the peer. Both sides must
specify the same transform set. If you change a transform set definition, the change is only applied to
Crypto Map entries that reference the transform set. The change is not applied to existing security
associations, but is used in subsequent negotiations to establish new security associations.
button to terminate the statistic collection of the selected IKE peer.
6-49
Switch Security