62 CHAPTER 33: IPSEC SERVICE PARAMETERS
Default No Default
Description All keysets are encrypted and protected with the current KeyEncryptionKey and
stored in the IPSEC configuration file. The value of the KeyEncryptionKey
parameter, which is stored in the EEPROM, can be updated by root but is not
readable by anyone. If KeyEncryptionKey is never set, an embedded key is used to
protect the keysets instead. The SHow command displays only the encoded value
of KeyEncryptionKey, for comparison purposes.
KeySet
Syntax ADD -IPSEC KeySet <key_set_name> [EncryptKey ("<encrypt_key>" |
"%<encrypt_key>")] [AuthKey ("<auth_key>" | "%<auth_key>")]
DELete -IPSEC KeySet [<key_set_name> | ALL]
SHow -IPSEC KeySet [<key_set_name>]
Description The KeySet parameter adds manual encryption and authentication keys. Key
values can be entered as either ASCII text strings or as a series of hexadecimal
digits. The text or hex key values are converted to actual key values for each
supported encryption and authentication algorithm.
When key sets are displayed using the SHow command, encoded values for the
keys, instead of the actual values, are displayed for added security. The encoded
key value is unique for each key value and can be used to verify that keys match
between different routers.
The encrypt_key and auth_key must match the values on the peer system at the
other end of the security association.
When the length of the EncryptKey or AuthKey key value entered is less than the
actual key size used by the selected encryption or authentication algorithm, the
key value is padded with zeroes to the appropriate key size. For example, if a
6-octet (character) EncryptKey is entered for DES-CBC encryption, two zero octets
are appended to the key value entered to create the 8-octet key. When the length
of EncryptKey or AuthKey key value entered is larger than the actual key size used
by the selected encryption or authentication algorithm, the key value is truncated
to the appropriate key size. For example, if a 10-octet (character) EncryptKey is
entered for DES-CBC encryption, only the first 8 octets of the value entered are
used.
When the key is entered, no particular length restriction is applied. Keys can be
entered as either ASCII text or hex values in the range of 1 to 128 bytes.
When a key is bound, certain length restrictions are applied. The required key
length depends on the NETBuilder software package used. The xS packages
(S=strong encryption) allow key lengths of up to 128 bits for encryption, and the
xE packages allow up to 56-bit keys. When you bind the key to the policy during
configuration, if the entered key is too long for the package in use, the key is
truncated and a warning message is generated.
All packages reject keys that are less than 5 bytes long and generate error
messages. The xE packages truncate long keys to 7 or 8 bytes, and the xS
packages truncate long keys to 16 bytes, with appropriate warning messages.
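The entry, padding/truncation and bind-time checks described above, as an added worked example that is not part of the manual or the NETBuilder software. It assumes a "%" prefix marks a hex key (as in the syntax line), an 8-octet limit for the xE packages, and a truncated SHA-256 as a stand-in for the encoded comparison value (the real encoding is not documented here).

```python
import hashlib
from typing import Optional, Tuple

# Key size in octets per algorithm. DES-CBC = 8 is the page's example;
# the other entries are assumptions added for illustration.
KEY_SIZE = {"DES-CBC": 8, "3DES-CBC": 24, "HMAC-MD5": 16, "HMAC-SHA1": 20}

def parse_key(entered: str) -> bytes:
    """Convert the typed EncryptKey/AuthKey value into raw octets.
    '%' prefix = hexadecimal digits, otherwise ASCII text (1 to 128 bytes)."""
    if entered.startswith("%"):
        digits = entered[1:]
        if len(digits) % 2:
            digits = "0" + digits  # assumption: odd-length hex is left-padded
        raw = bytes.fromhex(digits)
    else:
        raw = entered.encode("ascii")
    if not 1 <= len(raw) <= 128:
        raise ValueError("entered key must be 1 to 128 bytes")
    return raw

def fit_to_algorithm(raw: bytes, algorithm: str) -> bytes:
    """Zero-pad a short key or truncate a long one to the algorithm's size,
    e.g. a 6-octet key becomes 8 octets for DES-CBC, a 10-octet key is cut to 8."""
    size = KEY_SIZE[algorithm]
    return raw[:size].ljust(size, b"\x00")

def bind_check(raw: bytes, package: str) -> Tuple[Optional[bytes], Optional[str]]:
    """Apply the package limits enforced when the key is bound to a policy.
    Returns (key actually used, message). Keys under 5 bytes are rejected
    (key is None); long keys are truncated with a warning: 16 bytes for xS,
    8 bytes for xE (assumed; the manual says 7 or 8)."""
    if len(raw) < 5:
        return None, "error: keys shorter than 5 bytes are rejected"
    limit = 16 if package == "xS" else 8
    if len(raw) > limit:
        return raw[:limit], f"warning: key truncated to {limit} bytes for {package}"
    return raw, None

def encoded_value(raw: bytes) -> str:
    """Illustrative check value for comparing keys between two routers without
    displaying them. Assumption: NETBuilder's actual encoding is not documented."""
    return hashlib.sha256(raw).hexdigest()[:16]
```

Two administrators can compare `encoded_value(...)` output on both peers to confirm the keysets match before bringing the security association up.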