3Com Router User Manual
Configuring IPSec 567

(continued from the preceding table)
  Restore the default message encapsulating mode (applicable to IPSec software and crypto card): undo encapsulation-mode

The default mode is tunnel encapsulation mode.

Select Security Protocol

After the encapsulation mode is defined, the security protocol for it must be selected. The security protocols available at present are AH and ESP, and both can also be used at the same time. Both ends of the security tunnel must select the same security protocols. The data encapsulation forms of the security protocols in transport and tunnel mode are shown in the following figure.

Figure 173 Data encapsulation form of the security protocol (transport mode and tunnel mode for each of ah-new, esp-new and ah-esp-new; the figure itself is not reproduced in this text)

Configure the following in IPSec proposal view (or proposal view of the crypto card).

Table 637 Select Security Protocol (Operation: Command)
  Set security protocol used for IPSec proposal (applicable to IPSec software and crypto card): transform { ah-new | esp-new | ah-esp-new }
  Restore the default security protocol (applicable to IPSec software and crypto card): undo transform

The security protocol esp-new prescribed in RFC 2406 is used by default.

Selecting the Encryption and Authentication Algorithm

The AH protocol authenticates packets but cannot encrypt them. ESP in IPSec software supports five encryption algorithms: 3des, des, blowfish, cast and skipjack. ESP on the crypto card supports seven encryption algorithms: 3des, des, blowfish, cast, skipjack, aes and qc5. The available authentication algorithms are MD5 (Message Digest 5) and SHA (Secure Hash Algorithm), both used as HMAC variants. HMAC is a keyed hashing algorithm that can authenticate data. The md5 algorithm uses a 128-bit key and the sha1 algorithm uses a 160-bit key; md5 calculates faster, while sha1 is more secure. Both ends of the security tunnel must select the same encryption algorithm and authentication algorithm.
568 CHAPTER 40: CONFIGURING IPSEC

Perform the following configurations in IPSec proposal view (or proposal view of the crypto card).

Table 638 Select Encryption Algorithm and Authentication Algorithm (Operation: Command)
  Set the encryption algorithm adopted by ESP protocol (applicable to IPSec software): esp-new encryption-algorithm { 3des | des | blowfish | cast | skipjack }
  Set the encryption algorithm adopted by ESP protocol (applicable to crypto card): esp-new encryption-algorithm { 3des | des | blowfish | cast | skipjack | aes | qc5 }
  Cancel the encryption algorithm adopted by ESP protocol (applicable to IPSec software and crypto card): undo esp-new encryption-algorithm
  Set the authentication algorithm adopted by ESP protocol (applicable to IPSec software and crypto card): esp-new authentication-algorithm { md5-hmac-96 | sha1-hmac-96 }
  Cancel the authentication algorithm adopted by ESP protocol (applicable to IPSec software and crypto card): undo esp-new authentication-algorithm
  Set the authentication algorithm adopted by AH protocol (applicable to IPSec software and crypto card): ah-new authentication-algorithm { md5-hmac-96 | sha1-hmac-96 }
  Restore the authentication algorithm adopted by AH protocol (applicable to IPSec software and crypto card): undo ah-new authentication-algorithm

By default, the ESP protocol adopts the des encryption algorithm and the md5-hmac-96 authentication algorithm, and the AH protocol adopts the md5-hmac-96 authentication algorithm. The commands undo esp-new encryption-algorithm and undo esp-new authentication-algorithm cannot both be in effect at the same time: ESP must use at least one of an encryption algorithm or an authentication algorithm.

Creating a Security Policy

The following questions should be answered before a security policy is created:
■ Which data needs IPSec protection?
■ How long should the data stream be protected by the SA?
■ What security policy will be used?
■ Is the security policy created manually or through IKE negotiation?

The following aspects require attention when a security policy is created:
■ To create a security policy, you must specify its negotiation mode. Once a security policy is created, its negotiation mode cannot be modified; to use a different mode, the current policy must be deleted and a new one created. For example, a security policy created in manual mode cannot be changed to isakmp mode; to have the same policy with a different mode, delete the policy and then recreate it with the new mode.
■ Security policies with the same name together comprise a security policy group. The name and the sequence number together identify a security policy uniquely, and a security policy group can include at most 100 security policies. Within a security policy group, the security policy with the smaller sequence number has the higher priority. When a security policy group is applied on an interface, all the different security policies in the group are applied to it at the same time, so that different data streams are protected by different SAs.

Creating a Security Policy Manually

Perform the following configurations in system view.

Table 639 Establish Security Policy Manually (Operation: Command)
  Create security policy manually and enter IPSec policy view (applicable to IPSec software and crypto card): ipsec policy policy-name sequence-number manual
  Modify the manually created security policy (applicable to IPSec software and crypto card): ipsec policy policy-name sequence-number
  Delete the created security policy (applicable to IPSec software and crypto card): undo ipsec policy policy-name sequence-number

By default, no security policy is created.

Configure access control list quoted in security policy

After a security policy is created, it is also necessary to specify the encryption access control list it quotes, which decides which inbound/outbound communications are encrypted and which are not. Perform the following configurations in IPSec policy view.

Table 640 Configure Encryption Access Control List Quoted in Security Policy (Operation: Command)
  Configure encryption access control list quoted in security policy (applicable to IPSec software and crypto card): security acl access-list-number
  Cancel encryption access control list quoted in security policy (applicable to IPSec software and crypto card): undo security acl

By default, no encryption access control list is quoted in the security policy.

Set start point and end point of security tunnel

The channel to which a security policy is applied is usually called a security tunnel. A security tunnel is established between the local and peer gateways, so the local address and the remote address must be set correctly for the tunnel to be established. For a manually created security policy, only one remote address can be specified; to set a new remote address, the previously specified one must be deleted first. A security tunnel can be created only when both the local address and the remote address are set correctly. Perform the following configurations in IPSec policy view.

Table 641 Specify Start Point and End Point of Security Tunnel (Operation: Command)
  Set local address of security tunnel (applicable to IPSec software and crypto card): tunnel local ip-address
Table 641 (continued)
  Delete local address of security tunnel (applicable to IPSec software and crypto card): undo tunnel local ip-address
  Set remote address of security tunnel (applicable to IPSec software and crypto card): tunnel remote ip-address
  Delete remote address of security tunnel (applicable to IPSec software and crypto card): undo tunnel remote ip-address

By default, the start point and the end point of the security tunnel are not specified.

Set IPSec proposal quoted in security policy

When the SA is created manually, a security policy can quote only one IPSec proposal; to set a new IPSec proposal, the previously configured one must be deleted first. If the local IPSec proposal does not match the peer one completely, the SA cannot be established and the messages that require protection are discarded. The security policy determines its protocol, algorithm and encapsulation mode by quoting the IPSec proposal. An IPSec proposal must be created before it is quoted. Perform the following configurations in IPSec policy view.

Table 642 Configure IPSec Proposal Quoted in Security Policy (Operation: Command)
  Set IPSec proposal quoted in security policy (applicable to IPSec software and crypto card): proposal proposal-name
  Cancel IPSec proposal quoted in security policy (applicable to IPSec software and crypto card): undo proposal

By default, the security policy quotes no IPSec proposal.

Set SPI of security policy association and its adopted key

For a security association established manually, if the AH protocol is included in the quoted IPSec proposal, the SPI of the AH SA and the authentication key for the inbound/outbound communications must be set manually. If the ESP protocol is included in the quoted IPSec proposal, the SPI of the ESP SA and the authentication key and ciphering key for the inbound/outbound communications must be set manually. At both ends of a security tunnel, the SPI and the key of the local inbound SA must be the same as those of the peer outbound SA, and the SPI and the key of the local outbound SA must be the same as those of the peer inbound SA.
Perform the following configurations in IPSec policy view.

1 Set SPI parameters for the security policy association

Table 643 Configure SPI Parameters of Security Policy Association (Operation: Command)
  Set SPI parameters of inbound SA of AH/ESP protocol (applicable to IPSec software and crypto card): sa inbound { ah | esp } spi spi-number
  Delete SPI parameters of inbound SA of AH/ESP protocol (applicable to IPSec software and crypto card): undo sa inbound { ah | esp } spi
  Set SPI parameters of outbound SA of AH/ESP protocol (applicable to IPSec software and crypto card): sa outbound { ah | esp } spi spi-number
  Delete SPI parameters of outbound SA of AH/ESP protocol (applicable to IPSec software and crypto card): undo sa outbound { ah | esp } spi

By default, no SPI value of the inbound/outbound SA is set.

2 Set the key used by the security policy association

Table 644 Configure Key Used by Security Policy Association (Operation: Command)
  Set authentication key of AH protocol (input in hexadecimal mode) (applicable to IPSec software and crypto card): sa { inbound | outbound } ah hex-key-string hex-key
  Delete authentication key of AH protocol (in hexadecimal mode) (applicable to IPSec software and crypto card): undo sa { inbound | outbound } ah hex-key-string
  Set authentication key of AH protocol (input in string mode) (applicable to IPSec software and crypto card): sa { inbound | outbound } ah string-key string-key
  Delete authentication key of AH protocol (character string) (applicable to IPSec software and crypto card): undo sa { inbound | outbound } ah string-key
  Configure authentication key of ESP protocol (input in hexadecimal mode) (applicable to IPSec software and crypto card): sa { inbound | outbound } esp authentication-hex hex-key
  Delete authentication key of ESP protocol (applicable to IPSec software and crypto card): undo sa { inbound | outbound } esp authentication-hex
  Set ciphering key of ESP protocol (input in hexadecimal mode) (applicable to IPSec software and crypto card): sa { inbound | outbound } esp encryption-hex hex-key
  Delete ciphering key of ESP protocol (applicable to IPSec software and crypto card): undo sa { inbound | outbound } esp encryption-hex
  Configure both ciphering and authentication keys of ESP protocol (input in string mode) (applicable to IPSec software and crypto card): sa { inbound | outbound } esp string-key string-key
  Delete the ciphering and authentication keys of ESP protocol (applicable to IPSec software and crypto card): undo sa { inbound | outbound } esp string-key

By default, no key is used by any security policy.
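The manual procedure of Tables 637 to 644 carried through for a pair of gateways, as an added example that is not part of the 3Com manual. RouterA (10.1.1.1) and RouterB (10.1.2.1), the protected subnets, the proposal and policy names, the SPIs and the keys are all constructed placeholders. Three commands are assumed from elsewhere in the chapter and do not appear on this page: ipsec proposal proposal-name, which creates the proposal and enters proposal view; the acl and rule commands that define the encryption access list; and quit, which leaves the current view. The point of the block is the mirroring the SPI/key rule requires: whatever RouterA configures as outbound, RouterB configures as inbound with the identical SPI and key, and both ends enter the keys in the same (string) mode.

```text
# Added example (not from the 3Com manual); addresses, names, SPIs and keys are constructed.
# Assumed from other chapters: "ipsec proposal", "acl" / "rule" and "quit".
#
# ================= RouterA (tunnel endpoint 10.1.1.1) =================
# Proposal (Tables 637 and 638): AH and ESP together, sha1-hmac-96 for both,
# 3des for ESP. Tunnel encapsulation is the default, so it is not set here.
ipsec proposal prop-manual
 transform ah-esp-new
 ah-new authentication-algorithm sha1-hmac-96
 esp-new encryption-algorithm 3des
 esp-new authentication-algorithm sha1-hmac-96
 quit
# Encryption access list (assumed syntax): protect 192.168.1.0/24 <-> 192.168.2.0/24
acl 101
 rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 quit
# Manual policy (Table 639). The mode is fixed at creation: to switch to
# isakmp later, the policy must be deleted and recreated.
ipsec policy pol-site 10 manual
 security acl 101
 tunnel local 10.1.1.1
 tunnel remote 10.1.2.1
 proposal prop-manual
 # SPIs (Table 643): one per protocol and per direction
 sa outbound ah spi 1001
 sa inbound ah spi 2001
 sa outbound esp spi 1002
 sa inbound esp spi 2002
 # Keys (Table 644) in string mode; "esp string-key" sets both the ESP
 # ciphering key and the ESP authentication key at once
 sa outbound ah string-key ah-key-A-to-B
 sa inbound ah string-key ah-key-B-to-A
 sa outbound esp string-key esp-key-A-to-B
 sa inbound esp string-key esp-key-B-to-A
 quit
#
# ================= RouterB (tunnel endpoint 10.1.2.1) =================
# Identical proposal; ACL with source and destination swapped; and every
# SPI/key that RouterA has as outbound, RouterB has as inbound, and vice versa.
ipsec proposal prop-manual
 transform ah-esp-new
 ah-new authentication-algorithm sha1-hmac-96
 esp-new encryption-algorithm 3des
 esp-new authentication-algorithm sha1-hmac-96
 quit
acl 101
 rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 quit
ipsec policy pol-site 10 manual
 security acl 101
 tunnel local 10.1.2.1
 tunnel remote 10.1.1.1
 proposal prop-manual
 sa inbound ah spi 1001
 sa outbound ah spi 2001
 sa inbound esp spi 1002
 sa outbound esp spi 2002
 sa inbound ah string-key ah-key-A-to-B
 sa outbound ah string-key ah-key-B-to-A
 sa inbound esp string-key esp-key-A-to-B
 sa outbound esp string-key esp-key-B-to-A
 quit
```

A mismatch in any one of the eight SPI/key pairs, or one side entering a key in hexadecimal mode while the other uses string mode, leaves the tunnel unestablished and the matching traffic discarded, which is why the two halves are written side by side. Binding the policy group to an interface is a separate step, described under Apply Security Policy Group on Interface later in this chapter.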
The keys can be input in two modes, and string mode is preferred. At both ends of the security tunnel, the keys must be input in the same mode: if the key is input in string mode at one end but in hexadecimal mode at the other, the security tunnel cannot be created correctly. To set a new key, the previous key must be deleted first.

Creating a Security Policy Association with IKE

Perform the following configurations in system view.

Table 645 Establish Security Policy Association with IKE Negotiation View (Operation: Command)
  Create a security policy association with IKE and enter IPSec policy view (applicable to IPSec software and crypto card): ipsec policy policy-name sequence-number isakmp
  Modify the security policy established by IKE (applicable to IPSec software and crypto card): ipsec policy policy-name sequence-number
  Delete the created security policy (applicable to IPSec software and crypto card): undo ipsec policy policy-name [ sequence-number ]

By default, no security policy is created.

Set access control list quoted by security policy

After a security policy is created, it is also necessary to specify the encryption access control list it quotes, which decides which inbound/outbound communications are encrypted and which are not. Perform the following configurations in IPSec policy view.

Table 646 Configure Encryption Access Control List Quoted in Security Policy (Operation: Command)
  Configure encryption access control list quoted in security policy (applicable to IPSec software and crypto card): security acl access-list-number
  Cancel encryption access control list quoted in security policy (applicable to IPSec software and crypto card): undo security acl access-list-number

By default, no encryption access control list is quoted in the security policy.

Set end point of security tunnel

For a security policy created in IKE negotiation mode, it is unnecessary to set a local address, because IKE obtains the local address from the interface on which the security policy is applied. Only one remote address can be specified for a security policy established by IKE; to specify a new remote address, the previous one must be deleted first. Perform the following configurations in IPSec policy view.

Table 647 Specify End Point of Security Tunnel (Operation: Command)
  Set remote address of security tunnel (applicable to IPSec software and crypto card): tunnel remote ip-address
Table 647 (continued)
  Delete remote address of security tunnel (applicable to IPSec software and crypto card): undo tunnel remote ip-address

By default, the end point of the security tunnel is not specified.

Set the IPSec proposal quoted in security policy

Perform the following configurations in IPSec policy view.

Table 648 Configure IPSec Proposal Quoted in Security Policy (Operation: Command)
  Set IPSec proposal quoted in security policy (applicable to IPSec software and crypto card): proposal proposal-name1 [ proposal-name2 ... proposal-name6 ]
  Cancel IPSec proposal quoted in security policy (applicable to IPSec software and crypto card): undo proposal

By default, the security policy quotes no IPSec proposal. When the SA is created through IKE negotiation, a security policy can quote at most 6 IPSec proposals, and IKE negotiation searches for an IPSec proposal that matches completely at both ends of the security tunnel. If IKE cannot find a completely matching IPSec proposal, the SA cannot be established and the messages that require protection are discarded. The security policy determines its protocol, algorithm and encapsulation mode by quoting the IPSec proposal. An IPSec proposal must be created before it is quoted.

Set SA lifetime

There are two types of SA lifetime (or lifecycle): time-based and traffic-based. The SA becomes invalid on the first expiration of either type of lifetime. Before the SA becomes invalid, IKE negotiates a new SA for IPSec, so a new SA is ready when the previous one becomes invalid. If the global lifetime is modified during the valid period of the current SA, the new value applies not to the present SA but to later SA negotiations. The SA lifetime is only effective for an SA established with IKE; a manually established SA has no concept of lifetime.

If a security policy is not configured with a lifetime value, when the router applies for a new SA it sends a request to the remote end to set up a security tunnel negotiation, obtains the SA lifetime of the remote end and applies it as the new SA lifetime. If the local end has configured the SA lifetime when creating the security policy, when it receives the application for security tunnel negotiation from the remote end it compares the lifetime proposed by the remote end with its own lifetime and chooses the smaller one as the SA lifetime.

An SA times out on the first expiration of the lifetime in seconds (specified by the keyword time-based) or in kilobytes of communication traffic (specified by the keyword traffic-based). The new SA should complete negotiation before the original SA times out, so that the new SA can be put into use as soon as the original SA expires. A soft timeout of the SA occurs when a new SA is negotiated because the existing SA has lived for a certain percentage (such as 90%) of the lifetime defined in seconds, or has carried a certain percentage (such as 90%) of the lifetime defined in kilobytes. A hard timeout of the SA means that the SA lives for the whole lifetime. Perform the following configurations in system view.

Table 649 Configure Global SA Lifetime (Operation: Command)
  Set global SA time-based lifetime (applicable to IPSec software and crypto card): ipsec sa global-duration time-based seconds
  Restore the default value of the global SA time-based lifetime (applicable to IPSec software and crypto card): undo ipsec sa global-duration time-based
  Set global SA traffic-based lifetime (applicable to IPSec software and crypto card): ipsec sa global-duration traffic-based kilobytes
  Restore the default value of the global SA traffic-based lifetime (applicable to IPSec software and crypto card): undo ipsec sa global-duration traffic-based

By default, the time-based lifetime is 3600 seconds (one hour) and the traffic-based lifetime is 1843200 kilobytes.

Configure a separate SA lifetime

To use a lifetime different from the global lifetime, configure a separate SA lifetime for the security policy. Perform the following configurations in IPSec policy view.

Table 650 Configure Separate SA Lifetime (Operation: Command)
  Set separate SA lifetime (applicable to IPSec software and crypto card): sa duration { time-based seconds | traffic-based kilobytes }
  Restore the default value of separate SA lifetime (applicable to IPSec software and crypto card): undo sa duration { time-based seconds | traffic-based kilobytes }

By default, the global SA lifetime applies.

Enable detection of the reachability of the router at the remote end of the tunnel

When there are primary and backup links between two routers and both ends use IKE mode to create SAs dynamically, once the primary link goes into the DOWN state the communication switches to the backup link automatically. A new SA pair (phase 1 SA and phase 2 SA) corresponding to the backup link is then created, but the original SA pair on the primary link is not deleted in time. Once the phase 2 SA on the primary link times out and is released (the phase 1 SA still exists), if the primary link is restored and the communication switches back to it, the phase 1 SAs saved on the local router and the remote router may be inconsistent, so that the IPSec tunnel cannot be established. Enabling the detection function ensures that the phase 1 SA is released when the phase 2 SA is released, so that a new SA pair can be reestablished between the two routers when the primary link goes into the UP state and the IPSec tunnel is created correctly. Perform the following configurations in system view.
Table 651 Enable Detection of the Router at the Remote End of the Tunnel (Operation: Command)
  Enable detection of the reachability of the router at the remote end of the tunnel (applicable to the operating system host software IPSec, NDEC): ipsec sa dynamic-detect
  Disable detection of the reachability of the router at the remote end of the tunnel (applicable to the operating system host software IPSec, NDEC): undo ipsec sa dynamic-detect

By default, detection of the router at the remote end of the tunnel is disabled.

Apply Security Policy Group on Interface

To put the defined SAs into effect, a security policy group must be applied to each interface (logical or physical) that will encrypt outbound data and decrypt inbound data. According to the encryption set configured on the interface, the interface cooperates with the remote encryption router to encrypt packets. When the security policy group is deleted from the interface, the interface no longer has the IPSec security protection function.

When messages are transmitted on an interface, the security policies in the security policy group are searched one by one, from the smaller sequence number to the greater one. If a message matches the access list quoted by a security policy, that security policy is used to process the message; if it does not match, the next security policy is tried. If a message matches none of the access lists quoted by the security policies, the message is transmitted directly (IPSec does not protect it). One interface can be applied with only one security policy group, and one security policy group can be applied to only one interface. Perform the following configurations in interface view.

Table 652 Apply Security Policy Group on Interface (Operation: Command)
  Apply security policy group on interface (applicable to IPSec software and crypto card): ipsec policy policy-name
  Delete the security policy group applied on interface (applicable to IPSec software and crypto card): undo ipsec policy

By default, no security policy group is applied to the interface.

Displaying and Debugging IPSec

Use the debugging, reset and display commands in all views.
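An IKE-negotiated security policy group carried through from Tables 645 to 652, as an added example that is not taken from the 3Com manual. Names, addresses, ACL numbers and lifetime values are constructed. Assumed from other chapters and not shown on this page: the IKE peer and pre-shared key configuration, the ipsec proposal command that creates a proposal, the acl and rule commands, the interface command that enters interface view, and quit. The block shows what the text describes: a group of two policies that the interface tries in sequence-number order, several proposals offered to IKE for exact matching, a global lifetime shortened from the defaults plus a separate lifetime on one policy, and dynamic-detect for the primary/backup link case.

```text
# Added example (not from the 3Com manual); all names, addresses and values are constructed.
# Assumed from other chapters: IKE peer / pre-shared key setup, "ipsec proposal",
# "acl" / "rule", "interface" and "quit".
#
# Two proposals. IKE searches for one that matches the peer completely;
# offering both lets a peer that only supports des/md5 still negotiate.
ipsec proposal prop-strong
 transform esp-new
 esp-new encryption-algorithm 3des
 esp-new authentication-algorithm sha1-hmac-96
 quit
ipsec proposal prop-compat
 transform esp-new
 esp-new encryption-algorithm des
 esp-new authentication-algorithm md5-hmac-96
 quit
#
# Global SA lifetime (Table 649). The defaults are 3600 s and 1843200 kB;
# shorter values mean more frequent rekeying for every IKE-negotiated SA.
# When the peer proposes a lifetime, the smaller of the two values is used.
ipsec sa global-duration time-based 1800
ipsec sa global-duration traffic-based 512000
#
# Release the phase 1 SA together with the phase 2 SA (Table 651), so that a
# switch back to the primary link does not leave inconsistent phase 1 SAs.
ipsec sa dynamic-detect
#
# Policy group "pol-hq": sequence 10 for peer 10.1.2.1, sequence 20 for peer 10.1.3.1.
# IKE mode needs no "tunnel local"; the address comes from the interface.
# Assumed: ACL 101 matches traffic to 10.1.2.0/24, ACL 102 traffic to 10.1.3.0/24.
ipsec policy pol-hq 10 isakmp
 security acl 101
 tunnel remote 10.1.2.1
 proposal prop-strong prop-compat
 quit
ipsec policy pol-hq 20 isakmp
 security acl 102
 tunnel remote 10.1.3.1
 proposal prop-strong
 # Separate lifetime (Table 650): overrides the global time-based value for this policy only
 sa duration time-based 900
 quit
#
# Apply the whole group to the WAN interface (Table 652). Outbound packets are
# checked against ACL 101 first, then ACL 102; a packet matching neither is sent in the clear.
interface serial 0
 ipsec policy pol-hq
 quit
#
# Verification (Table 653)
display ipsec policy name pol-hq
display ipsec proposal
display ipsec sa brief
display ipsec sa duration
```

The order of the ACLs matters: because the group is searched from the smaller sequence number upward, an ACL on sequence 10 that is broader than intended would capture traffic meant for sequence 20 and send it to the wrong peer, so each ACL should match only its own peer's subnet. Traffic that matches no ACL in the group leaves the interface unprotected, which is what display ipsec statistics and display ipsec sa brief help confirm after the configuration is applied.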
Table 653 Display and Debug IPSec (Operation: Command)
  Display all created SAs (applicable to IPSec software): display ipsec sa all
  Display all SA information briefly (applicable to IPSec software): display ipsec sa brief
  Display the specified SA information (applicable to IPSec software): display ipsec sa parameters dest-address protocol spi
  Display global SA lifetime (applicable to IPSec software): display ipsec sa duration
  Display SAs established with the specified peer end (applicable to IPSec software): display ipsec sa remote ip-address
  Display SAs of the specified security policy base (applicable to IPSec software): display ipsec sa policy policy-name [ sequence-number ]
  Display statistics related to security messages (applicable to IPSec software): display ipsec statistics
  Display the configured IPSec proposal (applicable to IPSec software): display ipsec proposal [ proposal-name ]
  Display all security policy base information (applicable to IPSec software): display ipsec policy all
  Display brief security policy base information (applicable to IPSec software): display ipsec policy brief
  Display security policy base information by name (applicable to IPSec software): display ipsec policy name policy-name [ sequence-number ]
  Clear all SAs (applicable to IPSec software): reset ipsec sa all
  Clear the specified SA information (applicable to IPSec software): reset ipsec sa parameters dest-address protocol spi
  Clear SAs of the specified security policy base (applicable to IPSec software): reset ipsec sa policy policy-name [ sequence-number ]
  Clear SAs established with the specified peer end (applicable to IPSec software): reset ipsec sa remote ip-address
  Clear statistics related to security messages (applicable to IPSec software): reset ipsec statistics
  Enable debugging information related to IPSec (applicable to IPSec software): debugging ipsec { sa | packet | misc }

Displaying and Debugging the NDEC Card

Resetting the crypto card

When the crypto card operates abnormally, resetting it can restore it to normal operation. When the crypto card is reset, it returns to its initial state, and at the same time the host retransmits the card's configuration information and the SA information in use to the crypto card. In addition, the host resets the crypto card automatically when it finds that the card operates abnormally. Configure the following in system view.

Table 654 Reset crypto card (Operation: Command)
  Reset crypto card (applicable to crypto card): encrypt-card reset [ slot-id ]