HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1941 (manual page 276)

Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 98 shows the format of IPsec packets.

Basic concepts

Security association

A security association is an agreement negotiated between two communicating parties called IPsec peers. It comprises a set of parameters for data prot...
Page 1942 (manual page 277)

Figure 98 Encapsulation by security protocols in different modes

Authentication algorithms and encryption algorithms

• Authentication algorithms

IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact. IPsec supports the following hash algorithms for authentication:...
Page 1943 (manual page 278)

IPsec for IPv6 routing protocols

You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: OSPFv3, IPv6 BGP, and RIPng. The HP 5500 EI switches support using IPsec for OSPFv3, IPv6 BGP, and RIPng; the HP 5500 SI switches only support using IPsec for RIPng.

IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol. If an inbound protocol packet...
Page 1944 (manual page 279)

Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IPsec proposal and enter its view.
   Command: ipsec proposal proposal-name
   Remarks: By default, no IPsec proposal exists.

3. Specify the security protocol for the proposal.
   Command: transform { ah | ah-esp | esp }
   Remarks: Optional. ESP by default. Only when a security protocol is selected can you configure security algorithms for it. For example, you can specify the ESP-specific security algorithms only when you select ESP as the...
Page 1945 (manual page 280)

Configuring an IPsec policy

IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number.

The switch supports only manual IPsec policies. The parameters of a manual IPsec policy, such as the keys and the SPIs, are all configured manually.

Configuration guidelines

To ensure successful SA negotiations, follow these guidelines when configuring manual IPsec policies:

• Within a certain routed...
Page 1946 (manual page 281)

Step / Command / Remarks

7. Configure keys for the SAs.
   Commands:
   • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah hex-key
   • Configure an authentication key in characters for AH: sa string-key { inbound | outbound } ah string-key
   • Configure a key in characters for ESP: sa string-key { inbound | outbound } esp string-key
   • Configure an authentication key in hexadecimal for ESP: sa authentication-hex { inbound | outbound } esp...
Page 1947 (manual page 282)

Network requirements

As shown in Figure 99, Switch A, Switch B, and Switch C are connected. They learn IPv6 routing information through RIPng.

Configure IPsec for RIPng so that RIPng packets exchanged between the switches are transmitted through an IPsec tunnel. Configure IPsec to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.

Figure 99 Network diagram

Configuration considerations

To meet the requirements, perform the...
Page 1948 (manual page 283)

[SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchA-ipsec-policy-manual-policy001-10] quit

# Apply IPsec policy policy001 to the RIPng process.
[SwitchA] ripng 1
[SwitchA-ripng-1] enable ipsec-policy policy001
[SwitchA-ripng-1] quit

2. Configure Switch B

# Assign an IPv6 address to each interface. (Details not shown.)

# Create a RIPng process and enable it on VLAN-interface 100 and VLAN-interface 200.
system-view
[SwitchB] ripng 1
[SwitchB-ripng-1]...
Page 1949 (manual page 284)

[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit

# Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
[SwitchC] ipsec proposal tran1
[SwitchC-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchC-ipsec-proposal-tran1] transform esp...
Page 1950 (manual page 285)

Using the display ipsec sa command on Switch A, you will see the information about the inbound and outbound SAs.

display ipsec sa
===============================
Protocol: RIPng
===============================

-----------------------------
IPsec policy name: policy001
sequence number: 10
mode: manual
-----------------------------
connection id: 1
encapsulation mode: transport
perfect forward secrecy:
tunnel:
flow:

[inbound ESP SAs]
spi:...