Support User Manuals

3Com 11.1 Network Router User Manual

Open as PDF

of 73

54 CHAPTER 17: CONFIGURING IPSEC

When you specify a key that is too short, the policy binding operation generates

an error message informing you of the key length discrepancy and the key is

rejected. If this should occur you will need to delete the speciﬁed key and reenter

a key of the appropriate length.

During boot, any previously conﬁgured policies and keys are bound together. The

various length restrictions are applied during this binding, so that you cannot use

keys that are longer than the package supports. At boot-time, binding accepts

DES keys that are shorter than 8 bytes and the system generates a warning rather

than an error.

For compatibility with previous software versions that did not enforce key lengths,

it is possible to enter a DES key as an 8-byte hex value with the appropriate

number of null characters at the end. For example, a DES key of abcd should now

be entered:

%6162636400000000

To change the manual keying information, you must ﬁrst delete the information

using NONE as the key set name, then add the new information using SETDefault.

For example, to create a security association and bind a key set to a corresponding

encryption policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = esp_pol esp_key SpiEsp 500 501

To create a security association of an encryption and authentication policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = ahesp_pol ahesp_key SpiEsp 600 601

SpiAh 700 701

When keys are displayed using the SHow -IPSEC Keyset command, the MD5 hash

of the key is displayed rather than the key itself. This allows you to compare keys

for equality without exposing the actual key value. The length of the key is also

displayed, since the hash is always a 32-digit hex value.

Enabling IPsec Enable IPsec policy checking on the port using:

SETDefault !<portlist> -IPSEC CONTrol = Enable

You should only enable IPsec policy checking on ports that need IPsec protection.

Enabling IPsec policy checking can decrease the performance of your

bridge/router.

For example, to enable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Enable

To disable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Disable

Setting up a

VPN PPTP Tunnel

The procedure that follows shows how to set up a VPN PPTP tunnel between

router 1 (170.0.0.1) and router 2 (180.0.0.1) with an IPSEC policy providing data

conﬁdentiality and data integrity.

previous next