Configuring IPsec 53
<encrypt_key> and <auth_key> can be 1 to 128 bytes entered as either ASCII text
strings or as a series of hexadecimal digits. See “Configuring Manual Key
Information” next for more information about key set usage.
To delete a key set, use:
DELete -IPSEC KeySet [<key_set_name> | ALL]
For example, to create a new encryption key set, enter:
ADD IPSEC KeySet esp_key EncryptKey “hello124”
To create a key set for both encryption and authentication, enter:
ADD IPSEC KeySet ahesp_key EncryptKey “hello124” AuthKey “world236”
Configuring Manual Key
Information
The ManualKeyInfo parameter binds manual keying information to an IPsec policy.
Only one ManualKeyInfo command can be applied to each policy. To configure
manual key information, use:
SETDefault !<portlist> -IPSEC ManualKeyInfo = <policy_name>
(<key_set_name> | NONE) [SpiEsp <spi_in> <spi_out>] [SpiAh <spi_in>
<spi_out>]
A Security Parameters Index (SPI) value is used in conjunction with the destination
address to identify a particular security association which represents a set of
agreements between senders and receivers on a key, on an encryption or
authentication algorithm, and on SPI numbers.
<spi_in> is a number in the range 256 to 2000. All spi_in values must be unique
on a system. An SPI number can be assigned only ONCE to a policy. The same
number cannot be used by any other policy on the same system. spi_in must
match the spi_out value specified at the peer system at the other end of the
security association.
<spi_out> is a number in the range 256 to 2147483647. spi_out must match the
spi_in value specified at the peer system at the other end of the security
association.
A key is specified using the ADD -IPSEC KeySet command. It is later bound to an
IPSEC manualPolicy when a SETDefault -IPSEC ManualKeyInfo command is
entered. The keyset and policy must be entered before binding can take place.
When the key is entered, no particular length restriction is applied. Keys can be
entered as either ASCII text or hex values in the range of 1 to 128 bytes.
When a key is bound, certain length restriction are applied. The required key
length depends on the NETBuilder software package used. The xS packages
(S=strong encryption) allow key lengths of up to 128 bits for encryption, and the
xE packages allow up to 56-bit keys. When you bind the key to the policy during
configuration, if the entered key is too long for the package in use, the key is
truncated and a warning message is generated.
All packages reject keys that are less than 5 bytes long and generate error
messages. The xE packages truncate long keys to 7 or 8 bytes, and the xS
packages truncate long keys to 16 bytes, with appropriate warning messages.