3Com 11.1 Network Router User Manual

54 CHAPTER 17: CONFIGURING IPSEC
When you specify a key that is too short, the policy binding operation generates
an error message informing you of the key length discrepancy and the key is
rejected. If this occurs, you must delete the specified key and reenter a key of
the appropriate length.
During boot, any previously configured policies and keys are bound together. The
various length restrictions are applied during this binding, so you cannot use
keys that are longer than the package supports. At boot time, however, binding
accepts DES keys that are shorter than 8 bytes and the system generates a warning
rather than an error.
For compatibility with previous software versions that did not enforce key lengths,
it is possible to enter a DES key as an 8-byte hex value with the appropriate
number of null characters at the end. For example, a DES key of abcd should now
be entered as:
%6162636400000000
To change the manual keying information, you must first delete the information
using NONE as the key set name, then add the new information using SETDefault.
For example, to create a security association and bind a key set to a corresponding
encryption policy, enter:
SETDefault !1 -IPSEC ManualKeyInfo = esp_pol esp_key SpiEsp 500 501
To create a security association of an encryption and authentication policy, enter:
SETDefault !1 -IPSEC ManualKeyInfo = ahesp_pol ahesp_key SpiEsp 600 601 SpiAh 700 701
When keys are displayed using the SHow -IPSEC Keyset command, the MD5 hash
of the key is displayed rather than the key itself. This allows you to compare keys
for equality without exposing the actual key value. The length of the key is also
displayed, since the hash is always a 32-digit hex value and therefore does not
reveal how long the key is.
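The following Python script is an added illustration, not code from the 3Com manual or the router software. It models the three rules described above: the 8-byte DES key length check (error when binding interactively, warning at boot time), the NUL-padded hex entry form (the "%" prefix is taken from the page's own example and assumed to mark a hex literal), and the fingerprint that SHow -IPSEC Keyset displays (MD5 digest plus key length) so that two keysets can be compared without revealing the key bytes. The function names and the "bound"/"warning" return strings are this example's own choices.

```python
import hashlib

DES_KEY_LEN = 8  # bytes; the DES key length the manual enforces


def des_key_entry(key: bytes) -> str:
    """Render a DES key in the entry form the manual describes: the key's
    bytes as hex, NUL-padded to 8 bytes, with the '%' hex-literal prefix
    used in the page's example ("abcd" -> "%6162636400000000")."""
    if not key:
        raise ValueError("empty DES key")
    if len(key) > DES_KEY_LEN:
        raise ValueError(f"DES key is {len(key)} bytes, longer than {DES_KEY_LEN}")
    padded = key.ljust(DES_KEY_LEN, b"\x00")
    return "%" + padded.hex()


def parse_hex_entry(entry: str) -> bytes:
    """Reverse of des_key_entry: strip the '%' prefix and decode the hex."""
    if not entry.startswith("%"):
        raise ValueError("expected a '%'-prefixed hex literal")
    return bytes.fromhex(entry[1:])


def bind_des_key(key: bytes, at_boot: bool = False) -> str:
    """Apply the length rule from the manual (hypothetical model).
    A key longer than 8 bytes is rejected in both cases; a short key is
    rejected when bound interactively but only warned about at boot time."""
    n = len(key)
    if n > DES_KEY_LEN:
        raise ValueError(f"key length {n} exceeds the {DES_KEY_LEN}-byte DES limit")
    if n < DES_KEY_LEN:
        if at_boot:
            return f"warning: DES key is {n} bytes, expected {DES_KEY_LEN}"
        raise ValueError(
            f"key length {n} is shorter than {DES_KEY_LEN} bytes; delete and re-enter"
        )
    return "bound"


def key_fingerprint(key: bytes) -> tuple[str, int]:
    """What SHow -IPSEC Keyset reveals, per the manual: the MD5 of the key
    (32 hex digits) plus the key length, never the key bytes themselves."""
    return hashlib.md5(key).hexdigest(), len(key)


def same_key(fp_a: tuple[str, int], fp_b: tuple[str, int]) -> bool:
    """Compare two displayed fingerprints. The length is part of the
    comparison because a 32-digit hash alone does not show it."""
    return fp_a == fp_b


if __name__ == "__main__":
    raw = b"abcd"                        # constructed sample key from the page
    entry = des_key_entry(raw)           # "%6162636400000000"
    padded = parse_hex_entry(entry)      # 8 bytes: the form that binds cleanly
    print(entry, bind_des_key(padded))
    print(bind_des_key(raw, at_boot=True))
    print(key_fingerprint(padded))
```

Note that the fingerprint of the raw 4-byte key and of its NUL-padded 8-byte form differ in both hash and length, which is exactly why the displayed length matters when checking that two routers hold the same manual key.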
Enabling IPsec
Enable IPsec policy checking on the port using:
SETDefault !<portlist> -IPSEC CONTrol = Enable
You should only enable IPsec policy checking on ports that need IPsec protection,
because enabling it can decrease the performance of your bridge/router.
For example, to enable IPSEC on port 1, enter:
SETDefault !1 -IPSEC CONTrol = Enable
To disable IPSEC on port 1, enter:
SETDefault !1 -IPSEC CONTrol = Disable
Setting up a VPN PPTP Tunnel
The procedure that follows shows how to set up a VPN PPTP tunnel between
router 1 (170.0.0.1) and router 2 (180.0.0.1) with an IPSEC policy providing data
confidentiality and data integrity.