Support User Manuals

3Com 11.1 Network Router User Manual

Open as PDF

of 73

64 CHAPTER 33: IPSEC SERVICE PARAMETERS

UDP [(<src_port>, <dst_port>)...up to 16 pairs]

<encrypt_algorithm> : 3DES2key | DES | RC5

<auth_algorithm> : MD5 | SHA

<portlist >: 1-65535 | * | Archie | DNS | Finger | FTP | FTPData |

Gopher | HTTP | NFS | NNTP | NTP | POP2 | POP3 |

PortMap | RIP | SMTP | SNMP | SNMPTrap | Syslog |

Telnet | TFTP | WAIS

DELete !<portlist> -IPSEC POLicy (<policy_name> | ALL)

SHow !<portlist> -IPSEC POLicy [<policy_name>]

Default ■ encrypt_algorithms = DES

■ auth_algorithms = MD5

Description The manualPOLicy parameter adds IPSEC policies to a port. You must enable the

IPSEC CONTrol parameter on the port for policies to be active. You can add more

than one policy on a port. If more than one policy applies, the last policy entered is

used

A manual policy consists of an action, the packet types that require the action, and

the source and destination addresses between which the action occurs.You must

also use the SETDefault command with the ManualKeyInfo parameter.

The “mask” portion of the <scr_ipaddr/mask> and <dst_ipaddr/mask>

parameters is only used for special conﬁgurations and is normally not included.

The <src_ipaddr> parameter will normally be one of the router’s IP addresses. The

<dst_ipaddr> parameter will normally be one of the peer system’s local IP

addresses. Alternatively, DYNamic can be speciﬁed instead of <dst_ipaddr> when

the destination IP address of the peer system is not known when the policy is

conﬁgured. This would apply in cases where the peer system’s IP address is

assigned dynamically using IPCP or DHCP.

It is recommended that IPSEC control or the PORT service control be disabled while

conﬁguring policies and enabled only after all IPSEC policy and key set

conﬁguration has been completed.

This command can be executed by users with network manager privileges only.

Values

policy_name A name you assign to the policy you are adding.

<policy_name> can be 1 to 15 characters long, but cannot

be all or ALL.

src_ipaddr/mask,

dst_ipaddr/mask |

DYNamic

The source and destination addresses of the packets. You

can specify either a single address or a range of addresses

using a mask.

You can specify DYNamic if you do not know the

destination address, for example, if the system’s IP address

is assigned dynamically using IPCP or DHCP.

previous next