
3Com Router User Manual


Page 571

Configuring IPSec 567
The default mode is tunnel-encapsulation mode.
Select Security Protocol
After the transport mode is defined, it is necessary to select the security protocol 
for the transport mode. The security protocols available at present include AH and 
ESP, both of which can also be used at the same time. Both ends of security tunnel 
must select the same security protocols. 
The data encapsulation forms of various security protocols in transport and tunnel 
mode are shown in the following...

Page 572

568 CHAPTER 40: CONFIGURING IPSEC
Perform the following configurations in IPSec proposal view (or proposal view of 
crypto card).
Table 638   Select Encryption Algorithm and Authentication Algorithm
By default, ESP protocol adopts des encryption algorithm and md5-hmac-96 
authentication algorithm, and AH protocol adopts md5-hmac-96 authentication 
algorithm. 
The commands undo esp-new encryption-algorithm and undo esp-new 
authentication-algorithm cannot be used at the same time. That is, ESP must...

Page 573

Creating a Security Policy 569
higher priority. When a security policy group is applied on an interface, actually 
multiple different security policies in this security policy group are applied on it 
at the same time, so that different data streams are protected by different SAs. 
Creating a Security Policy Manually
Perform the following configurations in system view.
Table 639   Establish Security Policy Manually
By default, no security policy is created.
Configure access control list quoted in...

Page 574

By default, the start point and the end point of the security tunnel are not 
specified.
Set IPSec proposal quoted in security policy
When an SA is created manually, a security policy can quote only one IPSec proposal, 
and to set a new IPSec proposal, the previously configured one must be deleted first. 
If the local IPSec proposal does not completely match the peer's, the SA cannot be 
established, and the messages that require protection will be 
discarded....

Page 575

Perform the following configurations in IPSec policy view.
1. Set SPI parameters for the security policy association
Table 643   Configure SPI Parameters of Security Policy Association
By default, no SPI value of inbound/outbound SA is set. 
2. Set the key used by the security policy association
Table 644   Configure Key Used by Security Policy Association
By default, no key is used by any security policy.
Operation | Command
Set SPI parameters of inbound SA of 
AH/ESP...

Page 576

The keys are input in two modes and those input in string mode are preferred. At 
both ends of the security tunnel, the keys should be input in the same mode. If the 
key is input at one end in string mode, but at the other end in hexadecimal mode, 
the security tunnel cannot be created correctly. To set a new key, the previous key 
must be deleted first. 
Creating a Security Policy Association with IKE
Perform the following configurations in system view.
Table 645...

Page 577

By default, the end point of the security tunnel is not specified.
Set the IPSec proposal quoted in security policy
Perform the following configurations in IPSec policy view.
Table 648   Configure IPSec Proposal Quoted in Security Policy
By default, the security policy quotes no IPSec proposal.
When an SA is created through IKE negotiation, a security policy can quote at most 6 
IPSec proposals, and IKE negotiation will search for the completely matched IPSec 
proposal at both...

Page 578

defined by kilobytes. Hard timeout of SA means that the SA lives for the whole 
lifetime.
Perform the following configurations in system view.
Table 649   Configure Global SA Lifetime
By default, time-based lifetime is 3600 seconds (an hour), and traffic-based 
lifetime is 1843200 kilobytes.
Configure a separate SA lifetime
To use a lifetime different from the global lifetime, an SA should be configured with a 
separate SA lifetime. 
Perform the following configurations in ipsec...

Page 579

Displaying and Debugging IPSec 575
Table 651   Enable Detection of the Router at the Remote End of the Tunnel
By default, detection of the router at the remote end of the tunnel is disabled.
Apply Security Policy Group on Interface
To put the defined SA into effect, it is necessary to apply a security policy to each 
interface (logical or physical) that will encrypt site-out data and decrypt site-in 
data. According to the encryption set configured on the interface, the interface 
cooperates with the...

Page 580

Table 653   Display and Debug IPSec 
Displaying and Debugging the NDEC Card
Resetting the crypto card
When the crypto card operates abnormally, resetting the crypto card can be used 
to restore it to normal operation. When the crypto card is reset, it returns to 
its initialized state. At the same time, the host retransmits the card's 
configuration information and the SA information in use to the crypto card. In 
addition, the host automatically resets...