HP 5500 Ei 5500 Si Switch Series Configuration Guide
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 98 shows the format of IPsec packets.

Basic concepts

Security association

A security association is an agreement negotiated between two communicating parties called IPsec peers. It comprises a set of parameters for data protection, including security protocols, encapsulation mode, authentication and encryption algorithms, and shared keys and their lifetime. SAs can be set up manually or through IKE.

An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional communication. If two peers want to use both AH and ESP to protect data flows between them, they construct an independent SA for each protocol.

An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination IP address, and security protocol identifier (AH or ESP). An SPI is a 32-bit number for uniquely identifying an SA. It is transmitted in the AH/ESP header. A manually configured SA requires an SPI to be specified manually for it; an IKE created SA will have an SPI generated at random.

A manually configured SA never ages out. An IKE created SA has a specified period of lifetime, which comes in two types:
• Time-based lifetime, which defines how long the SA can be valid after it is created.
• Traffic-based lifetime, which defines the maximum traffic that the SA can process.
The SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after its creation.

Encapsulation modes

IPsec supports the following IP packet encapsulation modes:
• Tunnel mode—IPsec protects the entire IP packet, including both the IP header and the payload. It uses the entire IP packet to calculate an AH or ESP header, and then encapsulates the original IP packet and the AH or ESP header with a new IP header. If you use ESP, an ESP trailer is also encapsulated. Tunnel mode is typically used for protecting gateway-to-gateway communications.
• Transport mode—IPsec protects only the IP payload. It uses only the IP payload to calculate the AH or ESP header, and inserts the calculated header between the original IP header and payload. If you use ESP, an ESP trailer is also encapsulated. The transport mode is typically used for protecting host-to-host or host-to-gateway communications.
Figure 98 shows how the security protocols encapsulate an IP packet in different encapsulation modes.
Figure 98 Encapsulation by security protocols in different modes

Authentication algorithms and encryption algorithms

• Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact. IPsec supports the following hash algorithms for authentication:
◦ MD5, which takes as input a message of arbitrary length and produces a 128-bit message digest.
◦ SHA-1, which takes as input a message of a maximum length less than the 64th power of 2 in bits and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure.
• Encryption algorithms
IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys. The following encryption algorithms are available for IPsec on the switch:
◦ Data Encryption Standard (DES), which encrypts a 64-bit plain text block with a 56-bit key. DES is the least secure but the fastest algorithm. It is sufficient for general security requirements.
◦ Triple DES (3DES), which encrypts plain text data with three 56-bit DES keys. The key length totals up to 168 bits. It provides moderate security strength and is slower than DES.
◦ Advanced Encryption Standard (AES), which encrypts plain text data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES.

IPsec SA setup modes

There are two IPsec SA setup modes:
• Manual mode. In this mode, you manually configure and maintain all SA settings. Advanced features like periodical key update are not available. However, this mode implements IPsec independently of IKE.
• ISAKMP mode. In this mode, IKE automatically negotiates and maintains IPsec SAs for IPsec.
If the number of IPsec tunnels in your network is small, use the manual mode. If the number of IPsec tunnels is large, use the ISAKMP mode.

IPsec tunnel

An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel comprises one or more pairs of SAs.
IPsec for IPv6 routing protocols

You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: OSPFv3, IPv6 BGP, and RIPng. The HP 5500 EI switches support using IPsec for OSPFv3, IPv6 BGP, and RIPng; the HP 5500 SI switches only support using IPsec for RIPng.

IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol. If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated, for example, due to decryption or authentication failure, the routing protocol discards that packet.

You must manually configure SA parameters in an IPsec policy for IPv6 routing protocols. The IKE key exchange mechanism is applicable only to one-to-one communications. IPsec cannot implement automatic key exchange for one-to-many communications on a broadcast network, where routers must use the same SA parameters (SPI and key) to process packets for a routing protocol.

Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3

Configuring IPsec for IPv6 routing protocols

The following is the generic configuration procedure for configuring IPsec for IPv6 routing protocols:
1. Configure an IPsec proposal to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
2. Configure a manual IPsec policy to specify the keys and SPI.
3. Apply the IPsec policy to an IPv6 routing protocol.

Complete the following tasks to configure IPsec for IPv6 routing protocols:
• Configuring an IPsec proposal: Required.
• Configuring an IPsec policy: Required.
• Applying an IPsec policy to an IPv6 routing protocol: Required. See Layer 3—IP Routing Configuration Guide.

Configuring an IPsec proposal

An IPsec proposal, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA negotiation, including the security protocol, the encryption and authentication algorithms, and the encapsulation mode.

To configure an IPsec proposal:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IPsec proposal and enter its view.
   Command: ipsec proposal proposal-name
   Remarks: By default, no IPsec proposal exists.
3. Specify the security protocol for the proposal.
   Command: transform { ah | ah-esp | esp }
   Remarks: Optional. ESP by default. Only when a security protocol is selected can you configure security algorithms for it. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
4. Specify the security algorithms.
   Commands:
   • Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des | aes [ key-length ] | des }
   • Specify the authentication algorithm for ESP: esp authentication-algorithm { md5 | sha1 }
   • Specify the authentication algorithm for AH: ah authentication-algorithm { md5 | sha1 }
   Remarks: Optional. By default, the encryption algorithm for ESP is DES, the authentication algorithm for ESP is MD5, and the authentication algorithm for AH is MD5.
5. Specify the IP packet encapsulation mode for the IPsec proposal.
   Command: encapsulation-mode { transport | tunnel }
   Remarks: Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode.

NOTE: Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters.
Configuring an IPsec policy

IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number. The switch supports only manual IPsec policies. The parameters of a manual IPsec policy are all configured manually, such as the keys and the SPIs.

Configuration guidelines

To ensure successful SA negotiations, follow these guidelines when configuring manual IPsec policies:
• Within a certain routed network scope, the IPsec proposals used by the IPsec policies on all routers must have the same security protocols, security algorithms, and encapsulation mode. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
• All SAs (both inbound and outbound) within the routed network scope must use the same SPI and keys.
• Configure the keys on all routers within the routed network scope in the same format. For example, if you input the keys in hexadecimal format on one router, do so across the routed network scope.

Configuration procedure

To configure a manual IPsec policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a manual IPsec policy and enter its view.
   Command: ipsec policy policy-name seq-number manual
   Remarks: By default, no IPsec policy exists.
3. Assign an IPsec proposal to the IPsec policy.
   Command: proposal proposal-name
   Remarks: By default, an IPsec policy references no IPsec proposal. A manual IPsec policy can reference only one IPsec proposal. To change an IPsec proposal for an IPsec policy, you must remove the proposal reference first.
4. Configure the local address of the tunnel.
   Command: tunnel local ip-address
   Remarks: Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. Not configured by default.
5. Configure the remote address of the tunnel.
   Command: tunnel remote ip-address
   Remarks: Not configured by default.
6. Configure the SPIs for the SAs.
   Command: sa spi { inbound | outbound } { ah | esp } spi-number
   Remarks: N/A
7. Configure keys for the SAs.
   Commands:
   • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah hex-key
   • Configure an authentication key in characters for AH: sa string-key { inbound | outbound } ah string-key
   • Configure a key in characters for ESP: sa string-key { inbound | outbound } esp string-key
   • Configure an authentication key in hexadecimal for ESP: sa authentication-hex { inbound | outbound } esp hex-key
   • Configure an encryption key in hexadecimal for ESP: sa encryption-hex { inbound | outbound } esp hex-key
   Remarks: Configure a key for AH, ESP, or both. If you configure a key in characters for ESP, the router automatically generates an authentication key and an encryption key for ESP. If you configure a key in two modes, string and hexadecimal, the last configured one takes effect.

Displaying and maintaining IPsec

• Display IPsec policy information: display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] (available in any view)
• Display IPsec proposal information: display ipsec proposal [ proposal-name ] [ | { begin | exclude | include } regular-expression ] (available in any view)
• Display IPsec SA information: display ipsec sa [ brief | policy policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] (available in any view)
• Display IPsec packet statistics: display ipsec statistics [ | { begin | exclude | include } regular-expression ] (available in any view)
• Clear SAs: reset ipsec sa [ policy policy-name [ seq-number ] ] (available in user view)
• Clear IPsec statistics: reset ipsec statistics (available in user view)

IPsec for RIPng configuration example

The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see Layer 3—IP Routing Configuration Guide. Only the HP 5500 EI switches support IPsec for OSPFv3 and IPv6 BGP.
Network requirements

As shown in Figure 99, Switch A, Switch B, and Switch C are connected. They learn IPv6 routing information through RIPng. Configure IPsec for RIPng so that RIPng packets exchanged between the switches are transmitted through an IPsec tunnel. Configure IPsec to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.

Figure 99 Network diagram

Configuration considerations

To meet the requirements, perform the following configuration tasks:
• Configure basic RIPng parameters.
• Configure a manual IPsec policy.
• Apply the IPsec policy to a RIPng process to protect RIPng packets in this process or to an interface to protect RIPng packets traveling through the interface.

Configuration procedure

1. Configure Switch A:
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on VLAN-interface 100.
system-view
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ripng 1 enable
[SwitchA-Vlan-interface100] quit
# Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
[SwitchA] ipsec proposal tran1
[SwitchA-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchA-ipsec-proposal-tran1] transform esp
[SwitchA-ipsec-proposal-tran1] esp encryption-algorithm des
[SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-proposal-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and set the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchA] ipsec policy policy001 10 manual
[SwitchA-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchA-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchA] ripng 1
[SwitchA-ripng-1] enable ipsec-policy policy001
[SwitchA-ripng-1] quit
2. Configure Switch B:
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on VLAN-interface 100 and VLAN-interface 200.
system-view
[SwitchB] ripng 1
[SwitchB-ripng-1] quit
[SwitchB] interface vlan-interface 200
[SwitchB-Vlan-interface200] ripng 1 enable
[SwitchB-Vlan-interface200] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
[SwitchB] ipsec proposal tran1
[SwitchB-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchB-ipsec-proposal-tran1] transform esp
[SwitchB-ipsec-proposal-tran1] esp encryption-algorithm des
[SwitchB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-proposal-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchB] ipsec policy policy001 10 manual
[SwitchB-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchB-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[SwitchB-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
[SwitchB-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[SwitchB-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchB-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchB] ripng 1
[SwitchB-ripng-1] enable ipsec-policy policy001
[SwitchB-ripng-1] quit
3. Configure Switch C:
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on VLAN-interface 200.
system-view
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit
# Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
[SwitchC] ipsec proposal tran1
[SwitchC-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchC-ipsec-proposal-tran1] transform esp
[SwitchC-ipsec-proposal-tran1] esp encryption-algorithm des
[SwitchC-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SwitchC-ipsec-proposal-tran1] quit
# Create an IPsec policy named policy001, specify the manual mode for it, and configure the SPIs of the inbound and outbound SAs to 123456, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[SwitchC] ipsec policy policy001 10 manual
[SwitchC-ipsec-policy-manual-policy001-10] proposal tran1
[SwitchC-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[SwitchC-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
[SwitchC-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[SwitchC-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[SwitchC-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchC] ripng 1
[SwitchC-ripng-1] enable ipsec-policy policy001
[SwitchC-ripng-1] quit
4. Verify the configuration
After the configuration, Switch A, Switch B, and Switch C learn IPv6 routing information through RIPng. SAs are set up successfully, and the IPsec tunnel between two peers is up for protecting the RIPng packets.
Using the display ripng command on Switch A, you will see the running status and configuration information of the specified RIPng process. The output shows that IPsec policy policy001 is applied to this process successfully.
display ripng 1
    RIPng process : 1
       Preference : 100
       Checkzero : Enabled
       Default Cost : 0
       Maximum number of balanced paths : 8
       Update time   :   30 sec(s)  Timeout time         :  180 sec(s)
       Suppress time :  120 sec(s)  Garbage-Collect time :  120 sec(s)
       Number of periodic updates sent : 186
       Number of trigger updates sent : 1
       IPsec policy name: policy001, SPI: 123456
Using the display ipsec sa command on Switch A, you will see the information about the inbound and outbound SAs.
display ipsec sa
===============================
Protocol: RIPng
===============================

  -----------------------------
  IPsec policy name: policy001
  sequence number: 10
  mode: manual
  -----------------------------
    connection id: 1
    encapsulation mode: transport
    perfect forward secrecy:
    tunnel:
    flow:

    [inbound ESP SAs]
      spi: 123456 (0x3039)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      No duration limit for this sa

    [outbound ESP SAs]
      spi: 123456 (0x3039)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      No duration limit for this sa
Similarly, you can view the information on Switch B and Switch C. (Details not shown.)
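The manual-policy guidelines (same proposal on every router in the routed scope, transport mode, one SPI and one key set entered in one format) are easy to break when three switches are configured by hand. Here is an added Python example (not code from the HP guide) that parses Comware-style transcripts like those above and reports any deviation; the transcripts are constructed from the example commands, and the defaults it fills in are the ones the proposal steps state.

```python
import re

# Added example (not code from the HP guide): checks the manual IPsec policy
# guidelines across one routed scope. Transcripts are constructed to mirror
# the RIPng example; [SwitchX-...] prompts are stripped before matching.

GUIDE_DEFAULTS = {"transform": "esp", "esp_enc": "des", "esp_auth": "md5",
                  "ah_auth": "md5", "mode": "tunnel"}  # defaults stated in the guide

PATTERNS = {
    "transform": r"transform (\S+)",
    "esp_enc": r"esp encryption-algorithm (\S+)",
    "esp_auth": r"esp authentication-algorithm (\S+)",
    "ah_auth": r"ah authentication-algorithm (\S+)",
    "mode": r"encapsulation-mode (\S+)",
}


def parse_ipsec_config(cli: str) -> dict:
    """Extract proposal settings, SPIs and keys from a CLI transcript."""
    cfg = dict(GUIDE_DEFAULTS, spi={}, keys={})
    for line in cli.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())
        for field, pat in PATTERNS.items():
            if m := re.fullmatch(pat, cmd):
                cfg[field] = m.group(1)
        if m := re.fullmatch(r"sa spi (inbound|outbound) (ah|esp) (\d+)", cmd):
            cfg["spi"][(m.group(1), m.group(2))] = int(m.group(3))
        elif m := re.fullmatch(r"sa (string-key|authentication-hex|encryption-hex) "
                               r"(inbound|outbound) (ah|esp) (\S+)", cmd):
            cfg["keys"][(m.group(1), m.group(2), m.group(3))] = m.group(4)  # format kept
    return cfg


def check_routed_scope(configs: dict) -> list:
    """Compare every router against the first one; return readable findings."""
    names = sorted(configs)
    ref = configs[names[0]]
    findings = []
    for name in names:
        c = configs[name]
        for field in GUIDE_DEFAULTS:
            if c[field] != ref[field]:
                findings.append(f"{name}: {field} {c[field]} differs from {names[0]} ({ref[field]})")
        if c["mode"] != "transport":
            findings.append(f"{name}: IPv6 routing protocols support only transport mode")
        spis = set(c["spi"].values())
        if len(spis) != 1 or spis != set(ref["spi"].values()):
            findings.append(f"{name}: SPIs {sorted(spis)} must be one value shared by all routers")
        if c["keys"] != ref["keys"]:
            findings.append(f"{name}: keys or key format differ from {names[0]}")
    return findings


def sample_config(switch: str, auth: str = "sha1", key: str = "abcdefg") -> str:
    """Constructed transcript mirroring the guide's RIPng example for one switch."""
    return f"""[{switch}-ipsec-proposal-tran1] encapsulation-mode transport
[{switch}-ipsec-proposal-tran1] transform esp
[{switch}-ipsec-proposal-tran1] esp encryption-algorithm des
[{switch}-ipsec-proposal-tran1] esp authentication-algorithm {auth}
[{switch}-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
[{switch}-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
[{switch}-ipsec-policy-manual-policy001-10] sa string-key outbound esp {key}
[{switch}-ipsec-policy-manual-policy001-10] sa string-key inbound esp {key}"""
```

Feeding a real `display current-configuration` excerpt instead of the constructed transcript works the same way, since only the command lines are matched.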