3Com 10014299 Network Router User Manual


 
Configuring IPSec 563
policy with smaller sequence number in the same security policy group is of
higher priority.
SA (Security Association): IPSec provides security service for data streams
through security association, which includes protocol, algorithm, key and other
contents and specifies how to process IP messages. An SA is a unidirectional
logical connection between two IPSec systems. Inbound data stream and
outbound data stream are processed separately by inbound SA and outbound
SA. SA is identified uniquely by a triple (SPI, IP destination address and security
protocol number (AH or ESP). SA can be established through manual
configuration or automatic negotiation. A SA can be manually established after
some parameters set by the users at two ends are matched and the agreement
is reached through negotiation. Automatic negotiation mode is created and
maintained by IKE, i.e., both communication parties are matched and
negotiated based on their own security policies without user's interface.
SA Update Time: There are two SA update time modes: time-based during
which SA is updated at regular intervals and traffic-based, during which SA is
updated whenever certain bytes are transmitted.
SPI (Security Parameter Index): a 32-bit value, which is carried by each IPSec
message. The trio of SPI, IP destination address, security protocol number,
identify a specific SA uniquely. When SA is configured manually, SPI should also
be set manually. To ensure the uniqueness of an SA, you must specify different
SPI values for different SAs. When SA is generated with IKE negotiation, SPI will
be generated at random.
IPSec Proposal: It includes security protocol, algorithm used by security
protocol, and the mode how security protocol encapsulates messages, and
prescribes how ordinary IP messages are transformed into IPSec messages. In
security policy, a IPSec proposal is quoted to prescribe the protocol and
algorithm adopted by this security policy.
Configuring IPSec IPSec configuration includes:
Creating an Encryption Access Control List
Configure NDEC Cards
Enable the main software backup
Defining IPSec Proposal
Selecting the Encryption and Authentication Algorithm
Creating a Security Policy
Apply Security Policy Group on Interface
Creating an Encryption
Access Control List
Matching the encrypted access control list determines which IP packets are
encrypted and sent, and which IP packets are directly forwarded. Encryption
access control lists are different from the ordinary ones, because the ordinary ones
only determine which data can pass an interface. An encryption access list is
defined by an extended IP access list.
For one kind of communication to accept one security protection mode (only
authentication, for instance), and another kind to accept a different one (both