3Com 11.1 Network Router User Manual

64 CHAPTER 33: IPSEC SERVICE PARAMETERS
UDP [(<src_port>, <dst_port>)...up to 16 pairs]
<encrypt_algorithm> : 3DES2key | DES | RC5
<auth_algorithm> : MD5 | SHA
<portlist>: 1-65535 | * | Archie | DNS | Finger | FTP | FTPData |
Gopher | HTTP | NFS | NNTP | NTP | POP2 | POP3 |
PortMap | RIP | SMTP | SNMP | SNMPTrap | Syslog |
Telnet | TFTP | WAIS
DELete !<portlist> -IPSEC POLicy (<policy_name> | ALL)
SHow !<portlist> -IPSEC POLicy [<policy_name>]
Default encrypt_algorithm = DES
        auth_algorithm = MD5
Description The manualPOLicy parameter adds IPSEC policies to a port. You must enable the
IPSEC CONTrol parameter on the port for policies to be active. You can add more
than one policy on a port. If more than one policy applies, the last policy entered is
used.
A manual policy consists of an action, the packet types that require the action, and
the source and destination addresses between which the action occurs. You must
also use the SETDefault command with the ManualKeyInfo parameter.
The “mask” portion of the <src_ipaddr/mask> and <dst_ipaddr/mask>
parameters is only used for special configurations and is normally not included.
The <src_ipaddr> parameter will normally be one of the router’s IP addresses. The
<dst_ipaddr> parameter will normally be one of the peer system’s local IP
addresses. Alternatively, DYNamic can be specified instead of <dst_ipaddr> when
the destination IP address of the peer system is not known when the policy is
configured. This would apply in cases where the peer system’s IP address is
assigned dynamically using IPCP or DHCP.
It is recommended that IPSEC control or the PORT service control be disabled while
configuring policies and enabled only after all IPSEC policy and key set
configuration has been completed.
This command can be executed by users with network manager privileges only.
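The Description states the precedence rule for overlapping policies (the last policy entered is used) but gives no way to see it in action. The following Python model is an added illustration for this page, not 3Com code and not anything the router runs. It assumes how a bare address, an address with a mask, a DYNamic destination and UDP (src_port, dst_port) pairs are matched, and every policy name, action label and address in it is constructed. Given a UDP packet it lists all policies that apply and the one that would govern the packet.

```python
"""Policy-selection model for overlapping manual IPsec policies on one port.

Added illustration for this manual page; it is not 3Com code and does not
talk to a router. It encodes the rule stated in the Description: when more
than one policy applies to a packet, the LAST policy entered is used. How
masks, DYNamic destinations and UDP port pairs are matched is an assumption
about the router's behaviour, and the policy/action names are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY_PORT = "*"  # wildcard in a (src_port, dst_port) pair, as in the manual's <portlist>


@dataclass
class ManualPolicy:
    name: str
    action: str                 # constructed label, e.g. "encrypt" or "bypass"
    src: str                    # "<src_ipaddr>" or "<src_ipaddr>/<mask>"
    dst: str                    # "<dst_ipaddr>[/<mask>]" or "DYNamic"
    udp_ports: List[Tuple[str, str]] = field(default_factory=list)  # [] = all UDP traffic

    def __post_init__(self) -> None:
        # Constraints taken from the Values section: 1-15 characters, not ALL.
        if not 1 <= len(self.name) <= 15 or self.name.upper() == "ALL":
            raise ValueError("policy_name must be 1-15 characters and not 'ALL'")
        # The UDP packet type accepts up to 16 (src_port, dst_port) pairs.
        if len(self.udp_ports) > 16:
            raise ValueError("at most 16 (src_port, dst_port) pairs")


def _as_network(spec: str) -> ipaddress.IPv4Network:
    """Interpret '<addr>' as a single host and '<addr>/<mask>' as a range (assumption)."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_network(spec + "/32")


def _port_matches(pattern: str, port: int) -> bool:
    return pattern == ANY_PORT or int(pattern) == port


def policy_matches(p: ManualPolicy, src_ip: str, dst_ip: str,
                   src_port: int, dst_port: int) -> bool:
    """True if the UDP packet falls under policy p."""
    if ipaddress.ip_address(src_ip) not in _as_network(p.src):
        return False
    # DYNamic stands for a peer whose address was unknown at configuration
    # time, so it is treated here as matching any destination (assumption).
    if p.dst.upper() != "DYNAMIC" and ipaddress.ip_address(dst_ip) not in _as_network(p.dst):
        return False
    if not p.udp_ports:
        return True
    return any(_port_matches(s, src_port) and _port_matches(d, dst_port)
               for s, d in p.udp_ports)


def matching_policies(policies, src_ip, dst_ip, src_port, dst_port) -> List[str]:
    """Names of every policy that applies, in entry order: shows overlaps to review."""
    return [p.name for p in policies if policy_matches(p, src_ip, dst_ip, src_port, dst_port)]


def select_policy(policies, src_ip, dst_ip, src_port, dst_port) -> Optional[str]:
    """Action of the governing policy: last entered match wins; None if nothing applies."""
    chosen = None
    for p in policies:  # list order is the order the policies were entered
        if policy_matches(p, src_ip, dst_ip, src_port, dst_port):
            chosen = p
    return chosen.action if chosen else None


# Constructed sample policy set for one port (addresses from documentation ranges).
POLICIES = [
    ManualPolicy("site_tunnel", "encrypt", "192.0.2.1", "198.51.100.7"),
    ManualPolicy("syslog_clear", "bypass", "192.0.2.1", "198.51.100.7", [(ANY_PORT, "514")]),
    ManualPolicy("roaming_peer", "encrypt", "192.0.2.1", "DYNamic", [(ANY_PORT, "162")]),
]

if __name__ == "__main__":
    for pkt in [("192.0.2.1", "198.51.100.7", 40000, 514),
                ("192.0.2.1", "198.51.100.7", 40000, 53),
                ("192.0.2.1", "203.0.113.9", 40000, 162),
                ("192.0.2.1", "203.0.113.9", 40000, 80)]:
        print(pkt, matching_policies(POLICIES, *pkt), "->", select_policy(POLICIES, *pkt))
```

Run stand-alone it prints, for each constructed packet, every policy that applies and the action that wins. The point for an operator is the overlap between site_tunnel and syslog_clear: Syslog traffic to the same peer ends up with whichever of the two was entered last, so reviewing the output of matching_policies for the port's expected traffic before IPSEC CONTrol is enabled is the check this Description implies.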
Values
policy_name
    A name you assign to the policy you are adding. <policy_name> can be
    1 to 15 characters long, but cannot be all or ALL.
src_ipaddr/mask, dst_ipaddr/mask | DYNamic
    The source and destination addresses of the packets. You can specify
    either a single address or a range of addresses using a mask.
    You can specify DYNamic if you do not know the destination address,
    for example, if the system’s IP address is assigned dynamically
    using IPCP or DHCP.