Avaya Configuring IPsec Services User's Manual
Contents
1. Topic Page About Psec 1 2 Configuring IPsec and NAT on One Interface 1 2 Network Requirements for Nortel Networks Routers 13 IPsec Services 1 4 How IPsec Works 1 5 IPsec Elements 1 7 Security Protocols 1 15 Internet Key Exchange Protocol 1 17 Performance Considerations 1 17 308630 15 1 Rev 00 1 1 Configuring IPsec Services About IPsec IP Security is the IETF set of emerging standards for security services for communications over public networks The standards are documented in the IETF Requests for Comments RFCs 2401 through 2412 Additional RFCs may be relevant as well These standards were developed to ensure secure private communications for the remote access extranet and intranet virtual private networks VPNs used in enterprise communications They are the security architecture for the next generation of IP called IPv6 but are available for the current IPv4 Internet as well The Nortel Networks implementation of the IETF standards provides network layer 3 security services for Ethernet and wide area network WAN communications on Nortel Networks routers Configuring IPsec and NAT on One Interface You can configure both IPsec and unidirectional Network Address Translation NAT on the same router interface However the address ranges that you configure for NAT and in IPsec policy filters cannot overlap You configure IPsec using Site Manager You can configu2. Table E 1 Internet Protocol Numbers Sorted by Acronym continued Number Protocol Acronym Protocol Name Expanded 41 IPv6 Internet Protocol version 6 44 IPv6 Frag Fragment Header for IPv6 58 IPv6 ICMP ICMP for IPv6 59 IPv6 NoNxt No Next Header for IPv6 60 IPv6 Opts Destination Options for IPv6 43 IPv6 Route Routing Header for IPv6 111 IPX in IP IPX in IP 28 IRTP Internet Reliable Transaction Protocol 124 ISIS ISIS over IPv4 80 ISO IP ISO Internet Protocol 29 ISO TP4 ISO Transport Protocol Class 4 65 KRYPTOLAN Kryptolan 115 L2TP Layer Two Tunneling Protocol 91 LARP Locus Address Resolution Protocol 25 LEAF 1 Leaf 1 26 LEAF 2 Leaf 2 32 MERIT INP MERIT Internodal Protocol 31 MFE NSP MFE Network Services Protocol 48 MHRP Mobile Host Routing Protocol 95 MICP Mobile Internetworking Control Protocol 55 MOBILE IP Mobility 92 MTP Multicast Transport Protocol 18 MUX Multiplexing 54 NARP NBMA Address Resolution Protocol 30 NETBLT Bulk Data Transfer Protocol 85 NSFNET IGP N A 11 NVP II Network Voice Protocol 89 OSPFIGP N A 113 PGM PGM Reliable Transport Protocol continued 308630 15 1 Rev 00 Protocol Numbers Table E 1 Internet Protocol Numbers Sorted by Acronym continued Number Protocol Acronym Protocol Name Expanded 103 PIM Protocol Independent Multicast 131 PIPE
3. IP source address 119 68 12 1 119 68 12 1 IP destination 192 32 1 5 192 32 1 5 address Security parameter 256 256 index SPI Cipher key length None None Cipher key None None Integrity algorithm HMAC MD5 HMAC MD5 Integrity key Ox090aO0bbbOcOd0e0f11011 OxO90aObbbOcOd0eOf1 1011 020304050607082 020304050607082 RTR1 Unprotect SA RTR4 Protect SA IP source address 119 32 1 5 119 32 1 5 IP destination 192 68 12 1 192 68 12 1 address Security parameter 258 258 index SPI Cipher key length None None Cipher key None None Integrity algorithm HMAC MD5 HMAC MD5 Integrity key Ox090a0bbbOc0d0e0f11011 OxO9DaObbbOcOd0e0f1 1011 020304050607082 020304050607082 308630 15 1 Rev 00 Appendix D Contivity VPN Switch Interoperability The BayRS implementation of IPsec can interoperate with the IPsec implementation on the Nortel Networks Contivity VPN Switch This appendix provides the following information about how to configure the BayRS router and the Contivity VPN Switch for IPsec interoperability Topic Page Supported Software Versions D 1 Web Browser Configuration of the Contivity VPN Switch D 2 IPsec Terminology D 2 Configuration Considerations D 3 Feature Comparison Summary D 4 Troubleshooting BayRS Contivity IPsec Interoperability D 6 Refer to the Contivity VPN Switch documentation for more information Suppor
4. ccceeeseeeeeeeeeeteeee 1 8 Figure 1 4 Security Associations for Bidirectional Traffic 0 00 0 ee eeeeeeeeeeeeeeeeee 1 13 Figure C 1 IPsec Automated Outbound Policies 2 0 0 ee eesseseeeeeseesenereeeeeseereaeeeanes C 2 Figure C 2 IPsec Manual Outbound Polleles sss ccccesaisiseccsissesieeiisrcineneressaaversscinies C 6 Figure C 3 Single Protect Unprotect SA Pair ccecceseceeeeeeeeeeeeeeeeeeeeeeeeteeeeeeees C 10 Figure C 4 Multiple Protect Unprotect SA Pairs ccceceeeseeeeeceeeteneeeeeeeeeeeaeeeesaees C 13 308630 15 1 Rev 00 ix Tables Table 1 1 Security Policy Specifications Table 1 2 Manual SA Configurations 00 ccccceeescceeeeceeeeneeeeeneeeeeaeeeseneseseneeeeenenens 1 15 Table 2 1 IPsec Installation Files by Router Platform c cecseeeseeeeeeeeeseeeeeeaes 2 2 Table D 1 Comparison of BayRS and Contivity IPsec Terminology ceeeee D 2 Table E 1 Internet Protocol Numbers Sorted by Acronym cccsceeeetetetteeeeees E 2 Table E 2 Internet Protocol Numbers Sorted by Number cseeeeeeeeeeeeeeeeee E 7 308630 15 1 Rev 00 xi Preface This guide describes the Nortel Networks implementation of IP Security IPsec and how to configure it on a Nortel Networks router Before You Begin Before using this guide you must complete the following procedures For a new router e Install the router see the installation guide that came with yo
5. 308630 15 1 Rev 00 1 13 Configuring IPsec Services Examples of Security Policies and Security Associations Table 1 1 and Table 1 2 provide examples of how policies and SAs can be implemented For more detailed examples of how to configure security policies and SAs see Appendix C Configuration Examples In Table 1 1 each row defines the policy specification for the policy named in the first column For example the blue policy specifies two criteria IP source address and IP destination address and the drop action This policy might be used to discard all traffic from an undesirable site The yellow and green policies specify a Protect SA action The yellow policy applies to traffic in just one protocol TCP to a particular subnet the green policy covers all traffic to particular addresses The black policy specifies the Protocol criterion only and the bypass action In this case the protocol ICMP typically used for ping functions is passed through the security gateway without IPsec encryption You can define SA parameters automatically or manually for a policy immediately after you create the policy that uses them Table 1 2 Table 1 1 Security Policy Specifications IP Source IP Destination Policy Name Protocol Address Address Action Blue any IP address IP address Drop Yellow 6 TCP IP subnet IP subnet Protect SA Green any Range of Range of Protect SA I
6. An IPsec policy determines which packets are handled and which IPsec security service for example confidentiality is applied to the packets You can apply one or more IPsec security services SAs themselves must be created and shared in a secure manner To create SAs you can use one of two methods e Use the automated security negotiation process provided by the Internet Key Exchange IKE protocol IKE is the recommended method e Manually configure the sending and receiving devices with a shared secret A shared secret is a unique security identifier Automated Security Associations Using IKE Internet Key Exchange is an automated protocol to establish security associations over the Internet IKE is also referred to as the Internet Security Association Key Management Protocol with Oakley Key Determination or ISAKMP Oakley IKE negotiates establishes modifies and deletes security associations 308630 15 1 Rev 00 1 11 Configuring IPsec Services To set up these security associations IKE itself must create a confidential secure connection between the sender and receiver Authentication is accomplished using one or more of the following e Preshared keys These are set up ahead of time at each node in a transaction e Public key cryptography Using the RSA public key algorithm each member of a transaction authenticates itself to the other using the other member s public key to encrypt an authentication value
7. 256 256 to 65535 The SPI is an arbitrary 32 bit value that when combined with the destination IP address and the numeric value of the security protocol being used ESP identifies the SA for the data packet Enter a value from 256 to the value configured for the Maximum SPI parameter None Cipher Algorithm Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Protect SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA DES CBC DES CBC Identifies the cipher algorithm for this SA None To implement the cipher or confidential encrypted level of security select the DES algorithm If you select None this level of security is not applied to data packets processed according to this SA that is the data packets will not be encrypted 1 3 6 1 4 1 18 3 5 3 26 5 1 6 A 6 308630 15 1 Rev 00 Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Site Manager Parameters Cipher Key Length Configuration Manager gt Protocols gt IP gt IP Security gt
8. Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA DES56 DES40 DES56 Identifies the cipher key length strength for this SA Select a cipher key length of either 40 or 56 bits The longer key length strength provides greater security 1 3 6 1 4 1 18 3 5 3 26 5 1 8 Cipher Key 8 Byte Hex Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA None Any valid 8 byte value Specifies the key for an SA cipher algorithm This key value must match on both sides of an SA to enable the encryption and decryption of data packets according to the DES algorithm Enter a 16 digit 8 byte hexadecimal value Enter the prefix 0x before the 1
9. index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 0x010123040506070890a0 bOcOd0e0f1 11 bOcOd0e0f111 RTR1 Unprotect SA RTR2 Protect SA IP source address 189 132 10 1 189 132 10 1 IP destination 119 68 12 1 119 68 12 1 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 0x010123040506070890a0 bOcOd0e0f1 11 bOcOd0e0f111 308630 15 1 Rev 00 C 11 Configuring IPsec Services SA Example 2 Configuring Two Protect Unprotect SA Pairs In this example two Protect Unprotect SA pairs are configured using DES encryption Both ends of the SA pair use the same cipher algorithm and key The integrity algorithm is set to None refer to Figure C 3 RTR1 Protect SA RTR2 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 189 132 10 1 189 132 10 1 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm None None Integrity key None None RTR1 Unprotect SA RTR2 Protect SA IP source address 189 132 10 1 189 132 10 1 IP destination 119 68 1
10. 2 1 inbound security policies 1 5 1 9 initialization vectors IVs 2 5 installation 2 2 integrity service algorithm considerations 3 9 description 1 4 encryption key 2 4 Internet Assigned Numbers Authority IANA 1 11 E 1 Internet Engineering Task Force IETF role in IPsec development 1 2 Internet Key Exchange IKE description 1 11 1 17 negotiating security associations 1 13 using 3 8 IP destination address 1 11 IP interface 1 5 IPsec description 1 2 disabling 4 11 enabling 3 1 installing 2 2 key constructs 1 7 ISAKMP Oakley 1 11 K k commands 2 6 B 1 L log policy criterion 3 3 router log NPK confirmation 2 8 Index 2 management information base MIB 2 5 2 8 Message Digest 5 MDS 1 4 1 16 A 8 N node protection key NPK configuration considerations 2 4 generating 2 5 Site Manager parameter A 1 usage 2 5 O outbound security policies 1 5 1 10 P Passport 2430 support 1 3 Passport 5430 support 1 3 perfect forward secrecy PFS 1 17 performance considerations 1 17 policies See security policy policy template creating inbound 3 6 creating outbound 3 4 description 1 9 usage 3 2 PPP support 1 3 pre shared key IKE use 1 17 product support xvii protocol policy criterion 1 11 protocols supported 1 3 public data network tunnel mode use 1 6 publications hard copy xvi R random number generator RNG 2 5 Router Files Manager 2 1 router lo
11. 3 Enter your password If you enter the ksession command before you set a password you will be prompted to create one Use the kpassword command described in step 1 The prompt changes to SSHELL 4 Begin generating the encryption seed by entering kseed The secure shell prompts you for a random seed value 2 6 308630 15 1 Rev 00 Installing IPsec Type a random set of keystrokes The secure shell informs you when you have typed the required number of keystrokes Enter the following command kset npk 0x lt NPK_value gt lt NPK_value gt is the 16 digit hexadecimal NPK value that you assigned to the router that you are configuring For more information see Generating NPKs on page 2 5 The kset npk command stores your NPK value in the router NVRAM and calculates a hash of this value that it stores in the router MIB Save the configuration by entering save config lt config_file_name gt config_file_name is the name that you assign to the configuration file You cannot exit the secure shell without saving the configuration This step is necessary so that when you reboot the router with the saved configuration file the hash of the NPK in the MIB corresponds to the NPK in NVRAM Exit the secure shell by entering the following command kexit Changing an NPK To maintain security periodically change the NPK on each router To change an NPK 1 At the Technician Interface prompt enter the secure sh
12. Criteria SA Interface S11 Outbound Protect IP source address range 192 131 141 0 192 131 141 255 IP destination address range 192 32 5 0 192 32 5 255 Source 2 2 2 2 Destination 1 1 1 1 SPI 257 308630 15 1 Rev 00 C 9 Configuring IPsec Services Manual Protect and Unprotect SA Configuration SAs specify which IPsec services are applied to the data packets traveling between the security gateways An individual SA protects data traveling in one direction A Protect SA applies IPsec services to outbound traffic an Unprotect SA decrypts and or authenticates incoming data packets The examples in this section show how to manually configure both Protect and Unprotect SAs IKE provides automated SA configuration without requiring user configuration For SA examples 1 and 2 refer to Figure C 3 for SA example 3 refer to Figure C 4 31 119 68 12 1 132 10 1 52 Figure C 3 Single Protect Unprotect SA Pair C 10 308630 15 1 Rev 00 Configuration Examples SA Example 1 Configuring a Single Protect Unprotect SA Pair In this example a single Protect Unprotect SA pair is configured using DES encryption Both ends of the SA pair use the same cipher algorithm cipher key and integrity key see Figure C 3 RTR1 Protect SA RTR2 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 189 132 10 1 189 132 10 1 address Security parameter 256 256
13. Oxabba1579daba1234 SHA1 expiry minutes 1440 Manual SA Policy Examples As you review the security policy examples in this section refer to Figure C 2 Two routers RTR1 and RTR2 have OSPF interfaces configured for type NBMA transmit unicast frames An outbound and an inbound bypass policy protect all unicast traffic for the specified router subnetworks Security policy examples 1 and 2 show how to configure outbound policies to protect all unicast traffic between RTR1 and RTR2 examples 3 and 4 show how to configure outbound policies to protect all unicast traffic between RTR2 and RTR3 and examples 5 6 and 7 show how to configure outbound policies to protect all traffic between RTR1 and RTR3 A bypass inbound policy is in effect for all incoming traffic to the routers so that no SAs are required 308630 15 1 Rev 00 C 5 Configuring IPsec Services Protect Unprotect SA RTR1 to RTR2 SPI 256 192 28 41 0 Protect Unprotect SA RTR2 to RTR3 SPI 256 192 32 5 0 192 131 141 0 A E IP IPsec RIP s IP IPsec OSPF Type NBM g a 3 e SS z RTR2 11 RTR1 Pa i ue Ee 2 2 2 2 2 2 2 RTR3 ie Protect Unprotect SA RTR1 to RTR3 SPI 257 Figure C 2 IPsec Manual Outbound Policies Example 1 Required Policies on RTR1 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR2 Subnet 192 28 41 0 RTR 1 Interface S21 Polic
14. 1 Rev 00 C 3 Configuring IPsec Services Example 2 Required Policies Proposals and SA Destinations on RTR1 and RTR3 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR3 subnet 192 32 20 0 RTR 1 Policy Action Criteria SA Destination Preshared Key Proposal RTR 3 Policy Action Criteria SA Destination Preshared Key Proposal Interface S31 Outbound Protect IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 32 20 0 192 32 20 255 129 43 12 19 Oxbeef1234daba1234 DES Interface S28 Outbound Protect IP source address range 192 32 20 0 192 32 20 255 IP destination address range 192 32 5 0 192 32 5 255 119 68 12 1 Oxbeef1234daba1234 DES 308630 15 1 Rev 00 Configuration Examples Example 3 Required Policies Proposals and SA Destinations on RTR1 and RTR4 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR4 Subnet 192 32 30 0 RTR 1 Policy Action Criteria SA Destination Preshared Key Proposal RTR 4 Policy Action Criteria SA Destination Preshared Key Proposal Interface S31 Outbound Protect IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 32 30 0 192 32 30 255 192 32 1 5 Oxabba1579daba1234 SHA1 expiry minutes 1440 Interface S33 Outbound Protect IP source address range 192 32 30 0 192 32 30 255 IP destination address range 192 32 5 0 192 32 5 255 119 68 12 1
15. DDX D II Data Exchange 86 DGP Dissimilar Gateway Protocol continued 308630 15 1 Rev 00 Protocol Numbers Table E 1 Internet Protocol Numbers Sorted by Acronym continued Number Protocol Acronym Protocol Name Expanded 8 EGP Exterior Gateway Protocol 88 EIGRP N A 14 EMCON N A 98 ENCAP Encapsulation Header 50 ESP Encapsulating Security Payload for IPv6 97 ETHERIP Ethernet within IP Encapsulation 133 FC Fibre Channel 125 FIRE N A 3 GGP Gateway to Gateway Protocol 100 GMTP N A 47 GRE General Routing Encapsulation 20 HMP Host Monitoring Protocol 0 HOPOPT IPv6 Hop by Hop Option 52 I NLSP Integrated Net Layer Security Protocol 117 IATP Interactive Agent Transfer Protocol 1 ICMP Internet Control Message Protocol 35 IDPR Inter Domain Policy Routing Protocol 38 IDPR CMTP IDPR Control Message Transport Protocol 45 IDRP Inter Domain Routing Protocol 101 IFMP Ipsilon Flow Management Protocol 2 IGMP Internet Group Management Protocol 9 IGP Any private interior gateway 40 IL IL Transport Protocol 4 IP IP in IP encapsulation 108 IPComp IP Payload Compression Protocol 71 IPCV Internet Packet Core Utility 94 IPIP IP within IP Encapsulation Protocol 129 IPLT N A 67 IPPC Internet Pluribus Packet Core continued 308630 15 1 Rev 00 E 3 Configuring IPsec Services
16. ESP DES encryption transform These values are statistically random As its source the RNG uses a seed that you supply from the Technician Interface secure shell See Entering an Initial NPK and a Seed for Encryption on page 2 6 Creating and Using NPKs The NPK encrypts manually configured IPsec ESP cipher and integrity keys or IKE preshared authentication keys for management information base MIB storage It does not encrypt decrypt or authenticate data The NPK is stored in the router nonvolatile random access memory NVRAM Its fingerprint which is a 128 bit version of the NPK generated by a hash algorithm is stored in the MIB For encryption to occur the NPK and its fingerprint in the MIB must match Create and configure a different NPK for each secure router on your network The NPK should be different on every router because if an NPK is compromised the security gateway for the router is compromised If the same NPK is used for all secure routers the entire network could be compromised Caution Make sure that you protect all files where NPKs are stored Store your NPKs on removable media for example diskettes and keep the media in a secure location Generating NPKs You create NPKs using the Technician Interface secure shell You must then enter the same NPKs into the Site Manager NPK parameter for that router To generate an NPK use a method available at your site to create random 16 digit hexadec
17. Interface S11 Policy Outbound Action Protect Criteria IP source address range 192 131 141 0 192 131 141 255 IP destination address range 192 28 41 0 192 28 41 255 SA Source 2 2 2 2 Destination 2 2 2 1 SPI 256 Example 5 Required Outbound Policies on RTR1 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR3 Subnet 192 131 141 0 RTR 1 Interface S21 Policy Outbound Action Protect Criteria IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 131 141 0 192 131 141 255 SA Source 1 1 1 1 Destination 2 2 2 2 SPI 257 RTR1 Interface S21 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP C 8 308630 15 1 Rev 00 Configuration Examples Example 6 Required Policies on RTR2 to Allow ESP Traffic to Pass Through and OSPF to Exchange Routing Updates Between RTR1 and RTR3 RTR2 Interface S21 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 50 ESP Protocol 50 ESP RTR2 Interface S31 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 50 ESP Protocol 50 ESP Example 7 Required Policies on RTR3 to Protect Data Between RTR3 Subnet 192 131 141 0 and RTR1 192 32 5 0 RTR 3 Policy Action
18. Node ARN e Backbone Node BN e Passport 2430 e Passport 5430 e System 5000 router modules Nortel Networks Contivity VPN Switch hardware also supports IPsec The Contivity VPN Switch does not use BayRS software but it can be configured to interoperate with BayRS Refer to Appendix D Contivity VPN Switch Interoperability and the Contivity documentation for more information Supported WAN Protocols The Nortel Networks implementation of IPsec supports Point to Point Protocol PPP and frame relay WAN protocols The Nortel Networks IPsec implementation also supports dial services which provide backup and demand services for PPP and frame relay 308630 15 1 Rev 00 1 3 Configuring IPsec Services IPsec Services IPsec services consist of confidentiality integrity and authentication services for data packets traveling between security gateways e Confidentiality service ensures the privacy of communications e Integrity service detects modification of data packets e Authentication services verify the origin of every data packet Confidentiality Confidentiality is accomplished by encrypting and decrypting data packets The Encapsulating Security Payload ESP protocol uses the Data Encryption Standard DES algorithm in cipher block chaining CBC mode to encrypt and decrypt data packets You set confidentiality with the cipher algorithm and cipher key parameters The cipher algorithm and cipher key are spec
19. OR SAVINGS WHETHER IN CONTRACT TORT OR OTHERWISE INCLUDING NEGLIGENCE ARISING OUT OF YOUR USE OF THE SOFTWARE EVEN IF NORTEL NETWORKS ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY The forgoing limitations of remedies also apply to any developer and or supplier of the Software Such developer and or supplier is an intended beneficiary of this Section Some jurisdictions do not allow these limitations or exclusions and in such event they may not apply 308630 15 1 Rev 00 iii General a If Customer is the United States Government the following paragraph shall apply All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and in the event Software is licensed for or on behalf of the United States Government the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U S Federal Regulations at 48 C F R Sections 12 212 for non DoD entities and 48 C F R 227 7202 for DoD entities Customer may terminate the license at any time Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license In either event upon termination Customer must either return the Software to Nortel Networks or certify its destruction Customer is responsible for payment of any taxes including personal property ta
20. Private IP Encapsulation within IP 102 PNNI PNNI over IP 21 PRM Packet Radio Measurement 123 PTP Performance Transparency Protocol 12 PUP N A 75 PVP Packet Video Protocol 106 QNX N A 27 RDP Reliable Data Protocol 46 RSVP Reservation Protocol 66 RVD MIT Remote Virtual Disk Protocol 64 SAT EXPAK SATNET and Backroom EXPAK 69 SAT MON SATNET Monitoring 96 SCC SP Semaphore Communications Security Protocol 105 SCPS N A 132 SCTP Stream Control Transmission Protocol 42 SDRP Source Demand Routing Protocol 82 SECURE VMTP N A 33 SEP Sequential Exchange Protocol 57 SKIP N A 122 SM N A 121 SMP Simple Message Protocol 109 SNP Sitara Networks Protocol 90 Sprite RPC Sprite RPC Protocol 130 SPS Secure Packet Shield 119 SRP SpectraLink Radio Protocol 128 SSCOPMCE N A 5 ST Stream 118 ST Schedule Transfer Protocol continued 308630 15 1 Rev 00 E 5 Configuring IPsec Services Table E 1 Internet Protocol Numbers Sorted by Acronym continued Number Protocol Acronym Protocol Name Expanded 77 SUN ND SUN ND Protocol Temporary 53 SWIPE IP with Encryption 87 TCF N A 6 TCP Transmission Control Protocol 56 TLSP Transport Layer Security Protocol using Kryptonet key management 39 TP TP Transport Protocol 23 TRUNK 1 Trunk 1 24 TRUNK 2 Trunk 2 84 TTP N A 17 UDP User Datagram Protocol 120 UTI N A 83 VINES N A 70 VISA VISA Protocol 81 VMTP N A 112 VRRP Virt
21. e Digital signature Each member of a transaction sends a digital signature to the other The signatures are authenticated using the member s public key obtained via an X 509 digital certificate Note The BayRS implementation of IKE uses preshared keys only Manual Security Associations Manually configuring security associations is a more cumbersome and labor intensive process than using IKE If possible use IKE to make large scale secure communications practical Manually configured SAs often rely on static symmetric keys on communicating hosts or security gateways Therefore you must coordinate the configuration of the keys that will protect your information within your organization and with outside parties Security Associations for Bidirectional Traffic An SA specifies the security services that are applied to data packets traveling in one direction between security gateways To secure the traffic in both directions the security gateway must have a Protect SA for data transmitted from the local IPsec interface and an Unprotect SA for data received by the local IPsec interface Figure 1 4 308630 15 1 Rev 00 Overview of IPsec Protect SA Unprotect SA Source 132 245 145 195 Source 132 245 145 195 Destination 132 245 145 205 Destination 132 245 145 205 Security gateway Security gateway aq Network 2 132 245 145 195 q _ 132 245 145 205 l
22. file size 1 to 4 KB Copy the new capi exe or capi ppc file from the router platform directory for example BN or Passport 5430 to the Image Builder directory Restart the Image Builder and open the image from which you removed the capi exe or capi ppc file Click on Details in the Available Components box Select capi exe or capi ppc and click on Add Check the size of the capi exe or capi ppc file to verify that it is significantly larger than the file size noted in step 2 for example capi exe for the BN should be 82 KB If the file size is not larger you have not loaded the IPsec software Repeat this procedure or call the Nortel Networks Technical Solutions Center for assistance Save the modified image that includes IPsec to a new file Exit the Image Builder 10 Copy this new image to the router 11 Reboot the router 308630 15 1 Rev 00 2 3 Configuring IPsec Services Securing Your Site To enforce IPsec carefully restrict unauthorized access to the routers that encrypt data and the workstations that you use to configure IPsec Keep in mind that the encryption standards that IPsec uses are public Your data is secure only if you properly protect the encryption and authentication keys The configuration files that contain these keys include safeguards to prevent unauthorized access Securing Your Configuration Encryption Store any files containing encryption keys on diskettes or other removable me
23. implement PFS IKE uses the Diffie Hellman algorithm to exchange keys for each SA This means that as IKE and IPsec SAs are automatically rekeyed over the course of IPsec peer communication old keys if compromised cannot be used to derive previous or future keys used for other SAs With PFS if an intruder manages to break an encryption key the intruder gains access to a limited amount of data packets protected by a single SA Performance Considerations IPsec performance can vary greatly and can affect overall router performance Factors that affect performance include e Cryptographic algorithms used by IPsec e Other protocols and features running on the slot that share the same CPU resources as IPsec e Processing power of the BayRS router 308630 15 1 Rev 00 1 17 Configuring IPsec Services You can optimize performance by using the information in this section to plan and manage CPU resources on BayRS routers configured with IPsec Greater security can adversely affect performance Before you deploy IPsec identify the data traffic that must be protected Effective traffic analysis can result in minimal performance impact on the router Configure IPsec to bypass traffic that does not need to be protected thereby reducing the CPU resources used Also the amount of CPU resources required varies significantly for different encryption and authentication algorithms These algorithms are listed in order of increasing CPU cons
24. on Done You return to the IPsec Outbound Policies window 10 Click on Add Policy The Create Outbound Policy window opens continued 308630 15 1 Rev 00 Starting IPsec Site Manager Procedure continued You do this 11 In the Policy Name field type a name for the policy For a description of this parameter see page A 4 12 From the Templates list select a template on which to base this policy System responds 13 Click on OK If the policy includes a Protect action the Choose SA Type dialog box opens Go to step 14 If the policy does not include a Protect action you return to the IPsec Outbound Policies window Go to step 15 14 In the Choose SA Type dialog box click on Automated SA or Manual SA e If you chose Automated SA go to step 4 on page 3 8 e f you chose Manual SA go to step 2 on page 3 10 15 To create other outbound policies repeat steps 10 through 13 16 Click on Done You return to the IPsec Configuration for Interface window 17 Go to Creating an Inbound Policy Template and Policy on page 3 6 308630 15 1 Rev 00 Configuring IPsec Services Creating an Inbound Policy Template and Policy The process for creating inbound policies is almost identical to the process for creating outbound policies with the exception that you cannot specify a protect action for an inbound policy To create an i
25. parameter descriptions beginning on page A 5 for more information Click on OK You return to the Protect SA List for Interface window Repeat steps 2 through 4 to create additional Protect SAs if necessary Click on Done when you are finished You return to the IPsec Configuration for Interface window 308630 15 1 Rev 00 Creating an Unprotect SA Manually Starting IPsec To create an Unprotect SA manually complete the following tasks Site Manager Procedure You do this System responds 1 Inthe IPsec Configuration for Interface window click on Manual Unprotect SA The Unprotect SA List for Interface window opens 2 Click on Add The IPsec Manual Unprotect SA window opens 3 Set the following parameters SA Source IP Address SA Destination IP Address Security Parameter Index Cipher Algorithm Cipher Key Length Cipher Key 8 Byte Hex Integrity Algorithm Integrity Key 16 Byte Hex Position the cursor in a field and click on Values to display a menu of valid options if applicable Click on Help or see the parameter descriptions beginning on page A 5 for more information 4 Click on OK You return to the Unprotect SA List for Interface window 5 Repeat steps 2 through 4 to create additional Unprotect SAs if necessary Click on Done when you are finished You return to the IPsec Configuration for Interface window 30863
26. 0 15 1 Rev 00 Chapter 4 Customizing IPsec This chapter provides information about changing an existing IPsec configuration For information about creating an initial IPsec configuration see Chapter 3 Starting IPsec This chapter includes the following information Topic Page Changing Existing Policies 4 1 Changing Existing Security Associations 4 8 Disabling IPsec 4 11 Changing Existing Policies This section provides instructions for editing existing policies and for adding policies to an existing configuration Topic Page Editing a Policy 4 2 Adding a Policy 4 3 Reordering Policies 4 6 308630 15 1 Rev 00 4 1 Configuring IPsec Services Editing a Policy To edit an existing IPsec policy on a router interface complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window choose Protocols The Protocols menu opens Choose IP 3 Choose IP Security The IP menu opens The IPsec menu opens 4 Choose Outbound Policies or Inbound The IPsec Outbound Policies or the IPsec Policies Inbound Policies window opens 5 Select the policy that you want to edit from the list 6 Click on Edit Policy The Edit IPsec Outbound Policies or the Edit IPsec Inbound Policies window opens 7 Edit the policy specification as follows e To remove an a
27. 0 C 1 Configuring IPsec Services Automated SA IKE Policy Examples As you review the security policy examples in this section refer to Figure C 1 192 32 10 0 189 132 10 1 S52 E RTR2 s51 129 43 12 19 192 32 20 0 See 192 32 1 5 33 192 32 5 0 192 32 30 0 31 Figure C 1 IPsec Automated Outbound Policies The following outbound policies are configured for the four routers shown in Figure C 1 e The SA pair between RTR1 and RTR2 uses both 3DES and HMAC MDS and the default SA expiry time of 8 hours e The SA pair between RTR1 and RTR3 uses only DES and the default SA expiry time of 8 hours e The SA pair between RTR1 and RTR4 uses only SHA1 and an SA expiry time of 24 hours C 2 308630 15 1 Rev 00 Configuration Examples Example 1 Required Policies Proposals and SA Destinations on RTR1 and RTR2 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR2 Subnet 192 32 10 0 RTR 1 Interface S31 Policy Outbound Action Protect Criteria IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 32 10 0 192 32 10 255 SA Destination 189 132 10 1 Preshared Key Oxabba1234daba1234 Proposal 3DES MD5 RTR 2 Interface S52 Policy Outbound Action Protect Criteria IP source address range 192 32 10 0 192 32 10 255 IP destination address range 192 32 5 0 192 32 5 255 SA Destination 119 68 12 1 Preshared Key Oxabba1234daba1234 Proposal 3DES MD5 308630 15
28. 2 1 119 68 12 1 address Security parameter 257 257 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm None None Integrity key None None 308630 15 1 Rev 00 Configuration Examples SA Example 3 Configuring Multiple Protect Unprotect SA Pairs In this example multiple Protect Unprotect SA pairs are configured between RTR1 and RTR2 RTR3 and RTR4 e The SA pair between RTR1 and RTR2 uses DES56 and HMAC MDS e The SA pair between RTR1 and RTR3 uses only DES56 e The SA pair between RTR1 and RTR4 uses only HMAC MDS As you review the examples refer to Figure C 4 189 132 10 1 52 RTR2 129 43 12 19 31 119 68 12 1 192 32 1 5 Figure C 4 Multiple Protect Unprotect SA Pairs 308630 15 1 Rev 00 C 13 Configuring IPsec Services The following two tables show the settings for the Protect Unprotect SA pairs between RTR1 and RTR2 refer to Figure C 4 RTR1 Protect SA RTR2 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 189 132 10 1 189 132 10 1 address Security parameter 257 257 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 0x010123040506070890a0 bOcOd0e0f1 11 bOcOd0e0f1 11 RTR1 Unprotect SA RTR2 Protect SA IP sou
29. 6 digits 1 3 6 1 4 1 18 3 5 3 26 5 1 7 308630 15 1 Rev 00 A 7 Configuring IPsec Services Parameter Path Default Options Function Instructions MIB Object ID Integrity Algorithm Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA None None HMAC MD5 Enables implementation of the HMAC MDS algorithm which determines whether a data packet was changed between the source and destination To implement the security integrity level select the HMAC MDS algorithm If you select None this level of security is not applied to data packets processed according to this SA that is IP security cannot determine whether a data packet was changed between the source and destination 1 3 6 1 4 1 18 3 5 3 26 5 1 9 A 8 308630 15 1 Rev 00 Site Manager Parameters Parameter Integrity Key 16 Byte Hex Path Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP
30. 630 15 1 Rev 00 Starting IPsec Specifying an Action The action specification in a policy controls how a packet that matches the specified criteria is processed You decide how you want packets to be processed and apply one or more policies to implement your decision With IPsec a packet can be processed in one of three ways e The packet can be dropped e The packet can be transmitted or received without alteration e The packet can be protected outbound only In this case an SA is linked to the policy In addition to processing a packet or in the absence of a processing action packet receipt or transmission can be recorded in a log The corresponding policy actions are e Drop e Bypass e Protect outbound only e Log a message is written to the router log The drop bypass and protect actions are mutually exclusive You can specify a logging action for any of these or in their absence If an incoming packet that does not match any configured policy arrives at an IPsec interface it is dropped Policy Considerations When you configure an interface with IPsec all inbound and outbound traffic on that interface is processed by IPsec including traffic being forwarded However see Configuring IPsec and NAT on One Interface on page 1 2 For unicast traffic containing routing or control information consider configuring policies that allow such traffic to bypass IPsec For example to allow ICMP traffic such
31. 630 15 1 Rev 00 3 7 Configuring IPsec Services Creating an Outbound Protect Policy with Automated SAs IKE To use IKE to create automated SAs complete the following tasks Site Manager Procedure You do this System responds 1 In the IPsec Configuration for Interface window click on Outbound Policies The IPsec Outbound Policies window opens Click on Add Policy The Create Outbound Policy window opens Type a name for the policy choose a template containing a Protect action and then click on OK The Choose SA Type dialog box opens Click on Automated SA If the NPK has not yet been entered in Site Manager the Node Protection Key dialog box opens Otherwise the Add Proposal to Policy window opens If necessary set the Node Protection Key 8 Byte Hex parameter and click on OK Click on Help or see the parameter description on page A 2 For more information see Creating and Using NPKs on page 2 5 From the PFS menu choose Enabled or Disabled to enable or disable perfect forward secrecy PFS The Add Proposal to Policy window opens From the Anti Replay Window Size menu choose Disabled or select a packet size Click on Add to specify the SA destination address and preshared key for IKE SAs The Add IKE SA Destination window opens Enter the SA name destination IP address and preshared key Click on Help or see the parameter descriptio
32. BayRS Version 15 1 Part No 308630 15 1 Rev 00 October 2001 600 Technology Park Drive Billerica MA 01821 4130 Configuring IPsec Services NORTEL NETWORKS Copyright 2001 Nortel Networks All rights reserved October 2001 The information in this document is subject to change without notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsibility for their applications of any products specified in this document The information in this document is proprietary to Nortel Networks Inc The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license The software license agreement is included in this document Trademarks Nortel Networks the Nortel Networks logo the Globemark Unified Networks AN BN Contivity and Passport are trademarks of Nortel Networks Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated RSA is a trademark of RSA Security Inc The asterisk after a name denotes a trademarked item Restricted Rights Legend Use duplication or disclosure by the United States Government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 Notwithstanding any other lice
33. Control Protocol 96 SCC SP Semaphore Communications Security Protocol 97 ETHERIP Ethernet within IP Encapsulation 98 ENCAP Encapsulation Header 99 Any private encryption scheme 100 GMTP N A 101 IFMP Ipsilon Flow Management Protocol 102 PNNI PNNI over IP 103 PIM Protocol Independent Multicast 104 ARIS N A 105 SCPS N A 106 QNX N A 107 A N Active Networks 108 IPComp IP Payload Compression Protocol 109 SNP Sitara Networks Protocol 110 Compaq Peer Compag Peer Protocol 111 IPX in IP IPX in IP 112 VRRP Virtual Router Redundancy Protocol continued 308630 15 1 Rev 00 Protocol Numbers Table E 2 Internet Protocol Numbers Sorted by Number continued Number Protocol Acronym Protocol Name Expanded 113 PGM PGM Reliable Transport Protocol 114 Any 0 hop protocol 115 L2TP Layer Two Tunneling Protocol 116 DDX D II Data Exchange 117 IATP Interactive Agent Transfer Protocol 118 ST Schedule Transfer Protocol 119 SRP SpectraLink Radio Protocol 120 UTI N A 121 SMP Simple Message Protocol 122 SM N A 123 PTP Performance Transparency Protocol 124 ISIS ISIS over IPv4 125 FIRE N A 126 CRTP Combat Radio Transport Protocol 127 CRUDP Combat Radio User Datagram Protocol 128 SSCOPMCE N A 129 IPLT N A 130 SPS Secure Packet Shield 131 PIPE Private IP Encapsulation within IP 132 SCTP Stream Control Transmission Protocol 133 FC Fibre Channel 134 254
34. IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE In addition the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure that may incorporate by reference certain limitations and notices imposed by third parties ii 308630 15 1 Rev 00 Nortel Networks Inc Software License Agreement This Software License Agreement License Agreement is between you the end user Customer and Nortel Networks Corporation and its subsidiaries and affiliates Nortel Networks PLEASE READ THE FOLLOWING CAREFULLY YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND OR USE THE SOFTWARE USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT If you do not accept these terms and conditions return the Software unused and in the original shipping container within 30 days of purchase to obtain a credit for the full purchase price Software is owned or licensed by Nortel Networks its parent or one of its subsidiaries or affiliates and is copyrighted and licensed not sold Software consists of machine readable instructions its components data audio visual content such as images text recordings or pictures and related licensed materials including all whole or partial copies Nortel Networks grants you a license to use the Software only in the country where you acquired the Software You obtain no ri
35. P addresses IP addresses Black 1 ICMP Any IP address Bypass 308630 15 1 Rev 00 Overview of IPsec In Table 1 2 the IP source and destination addresses for the SA are the tunnel end points for the IPsec tunnel through which the traffic passes Intermediate routers are unaware that the traffic is encrypted and pass it along just like any other packet Table 1 2 Manual SA Configurations Security Association SPI Cipher Integrity Source Destination Key Address Address Algorithm Length Key Algorithm Key IP address IP address 270 DES 40 Hex value HMAC MD5 Hex value IP address IP address 260 DES 56 Hex value HMAC MD5 Hex value Security Protocols IPsec can use two protocols to provide traffic security e Encapsulating Security Payload ESP e Authentication Header AH You can use either protocol or both to protect data packets on a VPN Generally only one protocol is necessary Note The Nortel Networks implementation of IPsec uses ESP only Nortel Networks does not implement the AH protocol because the same functions are available in ESP Encapsulating Security Payload ESP Protocol The ESP protocol provides confidentiality encryption services It can also provide data integrity data origin authentication and an anti replay service e Data integrity ensures that the data has not been altered e Data origin authentication validates the sending and r
36. Security gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA Default None Options Any valid 16 byte value Function Specifies the key for an SA integrity algorithm This key value must match on both sides of an SA to enable the integrity algorithm to determine whether a data packet was changed between the source and destination Instructions To establish the integrity level of IP security enter a 32 digit hexadecimal value Enter the prefix 0x before the 32 digits MIB Object ID 1 3 6 1 4 1 18 3 5 3 26 5 1 10 308630 15 1 Rev 00 A 9 Configuring IPsec Services Automated Security Association IKE Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID SA Name Configuration Manager gt Protocols gt IP gt IKE Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE None Any text string Used to identify various IKE SAs as you alter them Enter a meaningful alphanumeric string to identify the SA 1 3 6 1 4 1 18 3 5 27 1 1 8 Pre shared Key
37. Type Configuration Manager gt Protocols gt IP gt IKE Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE ASCII ASCII HEX Determines which type of preshared key is used activating the appropriate field for you to enter a preshared key Choose the pre shared key type Configure the same preshared key type on the destination router None Pre shared Key ascii Configuration Manager gt Protocols gt IP gt IKE Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE None Any ASCII value Used as a cryptographic key for creating IKE SAs between routers IKE is then used to create automated SAs for data packets Enter an ASCII string Configure the same preshared key on the destination router None A 10 308630 15 1 Rev 00 Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Site Manager Parameters Pre shared Key hex Configuration Manager gt Protocols gt IP gt IKE Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE None Any hexadecimal value Used as a cryptographic key for creating IKE SAs between routers IKE is then used to create automated SAs for data packets Enter a hexadecimal number Enter the prefix 0x before th
38. Unassigned 255 Reserved 308630 15 1 Rev 00 Numbers 3DES 1 16 A Access Node AN support 1 3 Access Stack Node ASN support 1 3 acronyms Xv Advanced Remote Node ARN support 1 3 anti replay service description 1 15 auditing service 1 5 authentication 1 4 authentication header AH 1 15 authentication service 1 4 Backbone Node BN support 1 3 BayRS version requirements 1 3 2 1 bidirectional traffic with security associations 1 12 C capi exe file 2 2 capi ppc file 2 2 cipher algorithm and key parameters 1 4 block chaining CBC 1 4 1 16 considerations 3 9 Site Manager parameters A 6 A 7 confidentiality service 1 4 Configuration Manager enabling IPsec 3 1 configuration security 2 4 308630 15 1 Rev 00 Index conventions text xiv customer support xvii D Data Encryption Standard DES 1 16 data integrity description 1 15 data origin authentication description 1 15 dial services support 1 3 Diffie Hellman protocol use in perfect forward secrecy 1 17 disabling IPsec 4 11 E enabling IKE 3 1 IPsec 3 1 Encapsulating Security Payload ESP 1 15 encryption export limitations 1 16 generating a seed 2 6 limitations 2 4 F frame relay support 1 3 H Hashing Message Authentication Code HMAC 1 16 HMAC MDS 1 4 1 16 A 8 Index 1 IKE description 1 11 enabling 3 1 security associations 3 7 Image Builder
39. VPNs with IPsec 1 2 W WAN interface security gateway 1 8 WAN protocols supported 1 3 Index 3
40. a 16 digit hexadecimal value Enter the prefix Ox before the digits None A 2 308630 15 1 Rev 00 Site Manager Parameters IPsec Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID IP Security Enable Configuration Manager gt Protocols gt IP gt IP Security gt Globals global setting Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Enable IPsec individual IPsec interface setting Enable Enable Disable Enables or disables IPsec on a router If this parameter is set to Disable you cannot implement IPsec To implement IP security on a router set this parameter to Enable 1 3 6 1 4 1 18 3 5 3 26 1 2 global 1 3 6 1 4 1 18 3 5 3 2 1 24 1 59 individual IPsec interface Maximum SPI Configuration Manager gt Protocols gt IP gt IP Security gt Globals 384 256 to 65535 Specifies the maximum acceptable SPI value for manually configured SAs Enter an integer that represents the maximum SPI value required for manual SAs for this interface 1 3 6 1 4 1 18 3 5 3 26 1 5 308630 15 1 Rev 00 A 3 Configuring IPsec Services IPsec Policy Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Policy Enable Co
41. all the IPsec software the router must be running at a minimum BayRS Version 13 10 and Site Manager Version 7 10 To use Internet Key Exchange IKE and automated security associations SAs BayRS Version 13 20 and Site Manager Version 7 20 or later are required If you are upgrading your router software copy the router image from the upgrade CD to a directory on your hard drive To modify an existing image first use the Router Files Manager to transfer the image to a directory on your hard drive For instructions on upgrading router software see Upgrading Routers to BayRS Version 15 x For information about the Image Builder the Router Files Manager and booting routers see Configuring and Managing Routers with Site Manager 308630 15 1 Rev 00 2 1 Configuring IPsec Services Installing the IPsec Software Before you can enable and use IPsec services you must create an IPsec capable router image You create this image during the installation process The installation instructions that appear on the IPsec software CD are duplicated in this section The IPsec software CD contains a capi exe and a capi ppc file Note To use Triple DES 3DES encryption with IPsec you must purchase the 3DES IPsec Option CD and install the capi exe or capi ppc file from it The version of the capi exe and capi ppc files on this CD includes both 56 bit DES encryption and the stronger 3DES encryption Table 2 1 identifies which file to use
42. as ping or destination unreachable messages to bypass IPsec processing configure the first policy for the interface with the protocol criterion set to 1 ICMP and the action specification set to bypass If a data packet matches the criteria for more than one policy the first matching policy is applied 308630 15 1 Rev 00 3 3 Configuring IPsec Services Creating an Outbound Policy Template and Policy To create an outbound policy template and policy complete the following tasks Site Manager Procedure You do this System responds 1 In the IPsec Configuration for Interface window click on Outbound Policies The IPsec Outbound Policies window opens 2 Click on Template The IPsec Policy Template Management window opens 3 Click on Create The Create IPsec Template window opens 4 Inthe Policy Name field type a name for the template For a description of this parameter see page A 4 5 Use the Criteria menu to specify ranges for the IP source addresses IP destination addresses and protocol criteria Note If you plan to specify the protect action configure both a source and a destination IP address range 6 Use the Action menu to specify the action that you want applied to traffic with the criteria that you just defined 7 Click on OK You return to the IPsec Policy Template Management window 8 To create other policy templates repeat steps 3 through 7 9 Click
43. atoustisgimnibedeneiiendiasabemianene 4 8 Mocitving Automated SAS IKE virineska ria 4 8 Modig MANIA CAS sonno a 4 9 Ethernet Interface or WAN Interface with PPP sesssssssessrnurnanesnnessanessansennnoennnase 4 9 WAN Interface with Frame Relay ccccccceessecceeeeeseneeeneseseneeeeeseenseeneeeseneees 4 10 Boile a 2 asc sae eer teres ter Rete rete E AAA tr S rr Teer eer A rts trent er T 4 11 Appendix A Site Manager Parameters Node Protection Key Parameter otic ccrs secs ences sc ceccel accents sececuaes ce eaunstaschennassiccssebecteacius A 2 IP ee eV aN seeds ernest wast acca cG aera esetegldanien ceca tacibastasacmnpanista deja tasteneauerneakets A 3 PeSe Poles Farame ies senhali A nal aes A 4 Manual Security Association Parameters cccccceseseeseneeseeeeeeaeeeseaeeeeeaeeeteneeeteaeees A 5 Automated Security Association IKE Parameters c ccccceceeeeeseeeseteeseeeeeseeeeeaes A 10 308630 15 1 Rev 00 vii Appendix B Definitions of k Commands Appendix C Configuration Examples inbound and Outbound PS sassszei ceases sacs abeka sade ead ani i C 1 Automated SA IKE Policy EXaINPlGS cccicccitvcced ais Rie temnttelariei ceed C 2 Manual SA Policy Examples csini u a aai aa aa C 5 Manual Protect and Unprotect SA Configuration c cccccceseseeeeeeeeseneeeeeeeeeeseeeeeaes C 10 Appendix D Contivity VPN Switch Interoperability Supported SoftWwale VerOnS acscicicsaiccoicedsuial adelectisasicn EEn ais
44. cscccceeeeeeeeeeseneeeeeneeeeees 3 4 Creating an Inbound Policy Template and Policy cccccceeseeeeeeeeeeeeeeeseneeteeneeeees 3 6 CSC SACI Ny ASSOC MONS ss cccsive cccsia ices saacesveescedeetusshiciatias elec bed ead na TESE 3 7 Automated SA RANGED cece ccs taser a iedinedy NAE ee tacit gate an hae 3 7 Creating an Outbound Protect Policy with Automated SAs IKE ecen 3 8 About Manual SA Creation 0 cccceeeeeeeeeeeeees DRAA DONAA AARTE 3 9 Creating a Protect SA Manually srissiassricsninonnnissniniini onneani 3 10 Creating an Unprotect SA Manually accicaicisiaiesisiacisasincsd costa nia rddecteteia cea sebesaiaiedbeseaceie 3 11 Chapter 4 Customizing IPsec Changing Existing Policies ep eee E ee eee 4 1 Editing a Policy ppesbadanee accuneuneateieaaGenaianapnmedaiaaanentaaad walle ashen ite E T 4 2 elnek ia ge eee ee eter pees rere ners teeter ecm rey ac reryy cere Ceri eer A rt reer re rrreert terre rers A 4 3 Ethernet Interface or WAN Interface with PPP sessssssssessrsneruroenunnenreennanennseansnnnn 4 3 WAN Interlace with Frame Relay cas ics cates sadeceas sds ans ats asians aes ews Reaves 4 4 i216 2 dL Blaell a 1 Saeneeer reer eee Peter rere tiny N 4 6 Ethernet Interface or WAN Interface with PPP cssceceeesesneeeeeeseeeeeeneees 4 6 WAN Interface with Frame Relay sisi sescecricsaavennictnutstnraadeersieeseereadstirienaenin 4 7 Changing Existing Security Associations sccscicsisscnstes yin iabis
45. ction or criterion select it in the Policy Information text field and click on Delete e To change policy criteria select the appropriate line The range values appear in the Range Min and Range Max boxes below the text field Make changes in these boxes and click on Modify e To add an action choose Log Protect or Bypass from the Action menu e To add criteria choose IP Source Address IP Destination Address or Protocol from the Criteria menu 8 Click on OK You return to the IPsec Outbound Policies or the IPsec Inbound Policies window 9 Click on Done You return to the Configuration Manager window 308630 15 1 Rev 00 Adding a Policy Customizing IPsec The procedure to add an IPsec policy to an existing IPsec interface depends on the connector type and the WAN protocol used on a WAN interface Choose the appropriate procedure for Ethernet and PPP or for frame relay Ethernet Interface or WAN Interface with PPP To add an IPsec policy to an Ethernet interface or to an interface configured with PPP complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window click on the connector on which you want to add an IPsec policy The Edit Connector dialog box opens Click on Edit Circuit The Circuit Definition window opens From the Protocols menu choose Edit IP gt IP Security gt Outbound Policies or Inb
46. d Policies gt Edit Proposal 64 Packets Disabled 32 Packets 64 Packets 128 Packets Specifies the number of packets that are used for replay checking Anti replay checking examines the sequence number of encrypted packets received and determines whether the packet has been received before Choose a number of packets to track for anti replay checking or choose Disabled to turn this feature off None PFS Perfect Forward Secrecy Configuration Manager gt Add Circuit gt WAN Protocols gt PPP Frame Relay gt Select Protocols gt IKE gt IPsec Configuration for Interface gt Outbound Policies gt Add Policy Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Edit Proposal Disabled Enabled Disabled Specifies whether perfect forward secrecy is used for this SA Choose Enabled or Disabled from the list None 308630 15 1 Rev 00 Appendix B Definitions of k Commands This appendix contains definitions of the k commands that you use to work in the Technician Interface secure shell Command System Response kexit Exits the secure shell kpassword Changes the password of the secure shell kseed Initializes the cryptographic random number generator while in the secure shell ksession Initiates a secure shell session kset lt subcommand gt Sets parameter values in the secure shell lt flags gt Example kset npk lt va ue gt sets t
47. dia and keep the media in a secure place Physically protecting your equipment is always a good strategy and the easiest way to prevent unauthorized access to these files Always configure your node protection keys NPKs locally not over a network When you connect a PC or a workstation to a router console port to configure encryption use a machine that is not connected to any other equipment Make sure that you also protect the routers on which the NPKs reside Keys IPsec uses a hierarchy of keys to protect and transmit data e Node protection key NPK Encrypts the manual cipher and integrity keys for storage on the router or transfer from Site Manager Cipher key Encrypts data that travels across the network in the IKE or ESP payload IKE cipher and integrity keys are not stored on the router Integrity key Calculates the integrity check value ICV which is used at the data packet destination to detect any unauthorized modification of the ESP or IKE data e Preshared authentication key Authenticates the IKE SA used to protect the negotiation and rekeying of IPsec SAs Caution The NPK is the most critical key in the hierarchy If the NPK is compromised all encrypted data on the router can be compromised 2 4 308630 15 1 Rev 00 Installing IPsec Random Number Generator The router software uses the secure random number generator RNG to generate initialization vectors IVs that are used in the
48. dix lists the values that apply to each protocol To obtain the most recent list of the numeric values assigned to various protocols see the Internet Assigned Numbers Authority IANA Web site at http www iana org The direct path to the list of legal values that you can specify for an IPsec policy protocol criterion is http www iana org assignments protocol numbers 308630 15 1 Rev 00 E 1 Configuring IPsec Services Assigned Internet Protocol Numbers by Name Table E 1 lists the Internet Protocol numbers alphabetically by their acronyms Table E 1 Internet Protocol Numbers Sorted by Acronym Number Protocol Acronym Protocol Name Expanded 61 Any host internal protocol 63 Any local network 68 Any distributed file system 99 Any private encryption scheme 114 Any 0 hop protocol 34 3PC Third Party Connect Protocol 107 A N Active Networks 51 AH Authentication Header for IPv6 13 ARGUS N A 104 ARIS N A 93 AX 25 AX 25 Frames 10 BBN RCC MON BBN RCC Monitoring 49 BNA N A 76 BR SAT MON Backroom SATNET Monitoring 7 CBT N A 62 CFTP N A 16 CHAOS Chaos 110 Compaq Peer Compag Peer Protocol 73 CPHB Computer Protocol Heart Beat 72 CPNX Computer Protocol Network Executive 126 CRTP Combat Radio Transport Protocol 127 CRUDP Combat Radio User Datagram Protocol 19 DCN MEAS DCN Measurement Subsystems 37 DDP Datagram Delivery Protocol 116
49. e digits Configure the same preshared key on the destination router 1 3 6 1 4 1 18 3 5 27 1 1 9 Expiry Value Minutes Configuration Manager gt Protocols gt IP gt IKE Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE 480 Any integer Specifies when an SA key will expire Enter a value that is appropriate for your site 1 3 6 1 4 1 18 3 5 27 1 1 10 SA Destination Configuration Manager gt Add Circuit gt WAN Protocols gt PPP Frame Relay gt Select Protocols gt IKE gt IPsec Configuration for Interface gt Outbound Policies Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE gt Add None Any valid IP address Specifies the IP address of the destination interface for this automated SA Enter the IP address of the remote IPsec interface that will negotiate automated SAs using the specified preshared key 1 3 6 1 4 1 18 3 5 27 1 1 3 308630 15 1 Rev 00 Configuring IPsec Services Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Anti Replay Window Size Configuration Manager gt Add Circuit gt WAN Protocols gt PPP Frame Relay gt Select Protocols gt IKE gt IPsec Configuration for Interface gt Outbound Policies gt Add Policy Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outboun
50. e inner one Only the tunneled packet is protected not the outer header Authentication Header AH Protocol The AH protocol provides data integrity data origin authentication and optional anti replay services It provides encryption services to the header only not to the entire IP packet The AH protocol uses HMAC MD5 and HMAC SHAI transform identifiers The AH protocol is not used in the Nortel Networks implementation of IPsec 308630 15 1 Rev 00 Overview of IPsec Internet Key Exchange Protocol The IKE protocol negotiates and provides private and authenticated keying material for security associations Before IKE can provide keying material the IKE protocol itself must be authenticated that is some other mechanism must create an IKE security association between the security gateways that IKE is servicing BayRS software creates an IKE SA through a preshared authentication key IKE creates and changes IPsec SAs dynamically with no user intervention necessary To negotiate a security association IKE peers form a security association an IKE SA between themselves The IKE SA protects the negotiation of the IPsec SA parameters and key exchange The IKE protocol can change IPsec and IKE SA keys based on preconfigured criteria such as elapsed time or number of bytes sent Perfect Forward Secrecy Perfect forward secrecy PFS disassociates each IPsec SA key from others in the same IKE negotiated security association To
51. eceiving parties e Anti replay service ensures that the receiver receives and processes each packet only once 308630 15 1 Rev 00 1 15 Configuring IPsec Services ESP applies the following algorithms and transform identifiers to deliver its services e DES 56 bit e 40 bit DES manual keying only e Triple DES 3DES 3DES IPsec option only e HMAC Message Digest 5 MD5 e HMAC SHA1 ESP uses the DES algorithm or the Triple DES 3DES algorithm for encryption ESP uses Hashing Message Authentication Code Message Digest 5 HMAC MDS or HMAC SHA transform identifiers for authentication ESP uses the CBC mode of the DES encryption algorithm CBC is considered the most secure mode of DES A 56 bit or 40 bit number known as a key controls encryption and decryption Key management is automated through IKE or can be controlled manually Both sides of an SA must use the same encryption service Normally you should use the stronger 56 bit DES key for greater security or triple DES if appropriate However if you are communicating with a security gateway that is limited to a 40 bit DES key due to cryptography export restrictions you must use the 40 bit key When ESP protection is used in tunnel mode an outer IP header specifies the IPsec processing destination and an inner IP header specifies the actual target destination for the packet The security protocol header appears after the outer IP header and before th
52. ed a service contract for your Nortel Networks product from a distributor or authorized reseller contact the technical support staff for that distributor or reseller for assistance If you purchased a Nortel Networks service program contact one of the following Nortel Networks Technical Solutions Centers Technical Solutions Center Telephone Europe Middle East and Africa 33 4 92 966 968 800 4NORTEL or 800 466 7835 61 2 9927 8800 800 810 5000 North America Asia Pacific China alallala Additional information about the Nortel Networks Technical Solutions Centers is available from the www nortelnetworks com help contact global URL An Express Routing Code ERC is available for many Nortel Networks products and services When you use an ERC your call is routed to a technical support person who specializes in supporting that product or service To locate an ERC for your product or service go to the http www130 nortelnetworks com cgi bin eserv common essContactUs jsp URL 308630 15 1 Rev 00 xvii Chapter 1 Overview of IPsec This chapter describes the emerging Internet Engineering Task Force IETF standards for security services over public networks commonly referred to as IP Security or IPsec The chapter also includes information specific to the Nortel Networks implementation of IPsec and requirements for that implementation This chapter includes the following information
53. ed by Number continued Number Protocol Acronym Protocol Name Expanded 26 LEAF 2 Leaf 2 27 RDP Reliable Data Protocol 28 IRTP Internet Reliable Transaction Protocol 29 ISO TP4 ISO Transport Protocol Class 4 30 NETBLT Bulk Data Transfer Protocol 31 MFE NSP MFE Network Services Protocol 32 MERIT INP MERIT Internodal Protocol 33 SEP Sequential Exchange Protocol 34 3PC Third Party Connect Protocol 35 IDPR Inter Domain Policy Routing Protocol 36 XTP N A 37 DDP Datagram Delivery Protocol 38 IDPR CMTP IDPR Control Message Transport Protocol 39 TP TP Transport Protocol 40 IL IL Transport Protocol 41 IPv6 Internet Protocol version 6 42 SDRP Source Demand Routing Protocol 43 IPv6 Route Routing Header for IPv6 44 IPv6 Frag Fragment Header for IPv6 45 IDRP Inter Domain Routing Protocol 46 RSVP Reservation Protocol 47 GRE General Routing Encapsulation 48 MHRP Mobile Host Routing Protocol 49 BNA N A 50 ESP Encapsulating Security Payload for IPv6 51 AH Authentication Header for IPv6 52 I NLSP Integrated Net Layer Security Protocol 53 SWIPE IP with Encryption 54 NARP NBMA Address Resolution Protocol continued 308630 15 1 Rev 00 Protocol Numbers Table E 2 Internet Protocol Numbers Sorted by Number continued Number Protocol Acronym Protocol Name Expanded 55 MOBILE IP Mobility 56 TLSP Transport Layer Security Pro
54. ell by entering the following command ksession Enter your password The prompt changes to SSHELL Begin generating the encryption seed by entering kseed The secure shell prompts you for a random seed value Type a random set of keystrokes The secure shell informs you when you have typed the required number of keystrokes 308630 15 1 Rev 00 2 7 Configuring IPsec Services 5 Enter the following command kset npk 0x lt NPK_value gt lt NPK_value gt is the new 16 digit hexadecimal NPK value that you are assigning to the router The new NPK overwrites the original and IPsec uses the new NPK value However this command does not change the hashed NPK value in the MIB 6 To change the NPK value used by the MIB enter the following command ktranslate lt old_NPK_value gt lt old_NPK_value gt is the original NPK value The older hashed NPK in the MIB is decrypted and the new NPK is hashed and stored in the MIB The MIB now has the same NPK as the router 7 Save the configuration file Monitoring NPKs If the NPK on a router does not match the NPK in the MIB IPsec services do not work This situation usually occurs when you change a CPU board in a router slot and the slot now lacks the current NPK or you revert to an older configuration that is protected by an older NPK View the router log to make sure that the NPK for each slot matches the NPK value in the MIB If the values do not match use the secure s
55. ent designated hardware or CFE is no longer in use Customer will promptly return the Software to Nortel Networks or certify its destruction Nortel Networks may audit by remote polling or other reasonable means to determine Customer s Software activation or usage levels If suppliers of third party software included in Software require Nortel Networks to include additional or different terms Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software 2 Warranty Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer Software is provided AS IS without any warranties conditions of any kind NORTEL NETWORKS DISCLAIMS ALL WARRANTIES CONDITIONS FOR THE SOFTWARE EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON INFRINGEMENT Nortel Networks is not obligated to provide support of any kind for the Software Some jurisdictions do not allow exclusion of implied warranties and in such event the above exclusions may not apply 3 Limitation of Remedies INNO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING a DAMAGES BASED ON ANY THIRD PARTY CLAIM b LOSS OF OR DAMAGE TO CUSTOMER S RECORDS FILES OR DATA OR c DIRECT INDIRECT SPECIAL INCIDENTAL PUNITIVE OR CONSEQUENTIAL DAMAGES INCLUDING LOST PROFITS
56. eorder The Change Precedence dialog box opens Change the order in which the policy is applied e To move the policy up click on Insert Before e To move the policy down click on Insert After In the Precedence Number field type the number of the policy before or after which you want to insert the selected policy Click on OK You return to the IPsec Inbound Policies or the IPsec Outbound Policies window The policies reflect the new order that you specified 10 Click on Done You return to the Frame Relay Service List window 11 Click on Done You return to the Frame Relay Circuit Definition window 12 Click on Done You return to the Configuration Manager window 308630 15 1 Rev 00 Configuring IPsec Services Changing Existing Security Associations To ensure the integrity of SAs vital information such as IKE preshared keys or manual SA shared secrets needs to be changed from time to time You may also want to change other settings associated with an SA Modifying Automated SAs IKE To create a new automated SA you must add an outbound protect policy For instructions see Adding a Policy on page 4 3 To change the IKE settings for an existing automated SA on a router complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window choose Protocols The Protocols menu o
57. er and integrity algorithms and keys that you specify in SAs must be identical on both ends of a connection You must select the cipher the integrity service or both within the Protect and Unprotect SA parameters For example the cipher key in a Protect SA on the local IP interface must match the cipher key in the Unprotect SA on the remote router IP interface 308630 15 1 Rev 00 3 9 Configuring IPsec Services Note You must configure manual SAs to encrypt authenticate or both Site Manager does not allow you to create an SA if both the Cipher Algorithm and the Integrity Algorithm parameters are set to None For examples of how to configure manual SAs see Manual Protect and Unprotect SA Configuration on page C 10 Creating a Protect SA Manually To create a Protect SA manually complete the following tasks Site Manager Procedure You do this System responds 1 In the IPsec Configuration for Interface window click on Manual Protect SA The Protect SA List for Interface window opens Click on Add The IPsec Manual Protect SA window opens Set the following parameters SA Source IP Address SA Destination IP Address Security Parameter Index Cipher Algorithm Cipher Key Length Cipher Key 8 Byte Hex Integrity Algorithm Integrity Key 16 Byte Hex Position the cursor in a field and click on Values to display a menu of valid options if applicable Click on Help or see the
58. ernet like ordinary IP packets to branch offices corporate partners or other remote organizations in a secure encrypted and private manner Several well established technologies provide encryption and authentication at the application layer IPsec adds security at the underlying network layer providing a higher degree of security for all applications including those without any security features of their own IPsec Protection To configure a router with IPsec you first configure the router interface as an IP interface Then you add the IPsec software to the IP interface creating a security gateway A security gateway is a router between a trusted network for example the enterprise intranet and an untrusted network the Internet that provides a security service such as IPsec The router interface is secured with inbound and outbound security policies that filter traffic to and from the router module The data packets themselves are protected by the IPsec processing specified by security associations SAs 308630 15 1 Rev 00 1 5 Configuring IPsec Services Figure 1 1 shows how IPsec can protect data communications within an enterprise and from external hosts Corporate headquarters Server I El J Ro
59. es not appear to traverse the IPsec tunnel first check for configuration mismatches such as the following PFS is enabled on Contivity but not enabled on BayRS for every policy with a proposal that has the Contivity switch as the destination gateway Sample Contivity event log message 09 02 1999 23 15 53 0 ISAKMP 03 PFS required but not provided by 144 1 1 152 Encryption or network addressing does not have matching values with the remote IPsec gateway configuration Sample BayRS event log message 23 09 02 1999 22 33 27 832 INFO SLOT 1 IKE Code 130 No Proposal Chosen Source 10 1 0 1 Dest 144 1 1 152 Message ID 0x0 SPI length 4 SPI 1165167 Sample Contivity event log message 09 02 1999 22 28 38 0 ISAKMP 13 Error notification No proposal chosen received from 144 1 1 152 09 02 1999 22 28 38 0 Security 12 Session IPSEC 2083 logged out BayRS source and destination address ranges do not match the Contivity branch office remote and local network address ranges derived from the network and mask specified If you see the following events repeated in the Contivity event log this condition may be present 09 02 1999 22 49 53 0 ISAKMP 13 Invalid key information in message from 142 1 1 152 09 02 1999 22 49 53 0 ISAKMP 03 Deleting IPsec SAs with 140 1 1 152 BayRS response time is sluggish when you use Site Manager or the Technician Interface to manage the router This problem may be the result of misconfigu
60. g NPK confirmation 2 8 routers supported 1 3 308630 15 1 Rev 00 S security configuration 2 4 site considerations 2 4 security association automated 3 7 creating 3 7 description 1 11 examples 1 14 IKE use 3 8 manual 3 9 3 10 manual creation 3 11 protect 1 10 3 9 Site Manager parameters A 5 unprotect 3 9 security associations database SAD IPsec usage 1 13 security associations manual sample configurations C 10 security gateway creating 1 5 1 8 encryption strength 1 16 security parameter index SPI 1 11 1 13 security policy action 1 10 3 3 C 5 creating 3 2 criteria 1 9 1 10 3 2 examples 1 14 C 5 inbound 1 5 1 8 1 9 number 1 8 outbound 1 5 1 8 1 10 3 4 3 6 A 4 Site Manager parameters A 4 unicast traffic 3 3 security policy database SPD 1 9 seed for encryption generating 2 6 SHA1 1 4 1 16 shared secret description 1 11 Site Manager enabling IPsec 3 1 parameter descriptions A 1 version requirements 1 3 2 1 site security 2 4 support Nortel Networks xvii 308630 15 1 Rev 00 System 5000 support 1 3 T technical publications xvi technical support xvii Technician Interface 2 5 2 6 text conventions Xiv triple DES 1 16 trusted hosts description 1 8 tunnel mode 1 6 U unicast configuring policies for 3 3 untrusted hosts description 1 8 V version requirements BayRS 1 3 2 1 Site Manager 1 3 2 1 virtual private networks
61. ghts other than those granted to you under this License Agreement You are responsible for the selection of the Software and for the installation of use of and results obtained from the Software 1 Licensed Use of Software Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level whichever is applicable To the extent Software is furnished for use with designated hardware or Customer furnished equipment CFE Customer is granted a nonexclusive license to use Software only on such hardware or CFE as applicable Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose publish or disseminate Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement Customer shall not a use copy modify transfer or distribute the Software except as expressly authorized b reverse assemble reverse compile reverse engineer or otherwise translate the Software c create derivative works or modifications unless expressly authorized or d sublicense rent or lease the Software Licensors of intellectual property to Nortel Networks are beneficiaries of this provision Upon termination or breach of the license by Customer or in the ev
62. h PFS is disabled by default on BayRS Note To disable PFS on the Contivity switch go to the Profiles gt Groups gt IPsec Configure display Using DES encryption instead of triple DES encryption may be preferable when considering a tradeoff between performance and protection Triple DES computational requirements for encrypting data are higher than those for DES Feature Comparison Summary This section lists the IPsec features supported by both BayRS and Contivity platforms and features supported by the BayRS or Contivity platform only Features Supported by Both Platforms The following features are supported by both the BayRS and Contivity implementations of IPsec e IPsec ESP protocol e IKE preshared keys e IPsec in tunnel mode e Perfect forward secrecy e 3DES key generation by Oakley Group 1 e Vendor ID payload e Delete Payload for IPsec SAs sending and receiving e Delete Payload for IKE SAs receiving only Contivity software also supports sending e Static routes D 4 308630 15 1 Rev 00 Contivity VPN Switch Interoperability BayRS Features Not Supported by the Contivity VPN Switch Contivity does not support the following BayRS features Frame relay interface configured as an IPsec gateway Manual IPsec SAs Source and destination address ranges that contain a partial range of a network as opposed to network only addressing for configuration of accessible network IP addresses Protocol se
63. he router node protection key Also sets protected IPsec MIB objects keys The kset command encrypts the value specified using the NPK and writes the encrypted value to the MIB Example kset ipsec wflpsecEspSaEntry wflpsecEspSaManualCipherKey 100 1 1 1 100 1 1 2 256 0x1234567890abcdef ktranslate lt o d_NPK gt Translates a configuration from an old node protection key NPK value to the current NPK value Example ktranslate lt old_NPK gt 308630 15 1 Rev 00 B 1 Appendix C Configuration Examples This appendix provides configuration examples for both automated and manual security associations Configuration of outbound and inbound policies is similar for both automated and manual SAs Review the section Manual Protect and Unprotect SA Configuration on page C 10 only if you are configuring manual security associations Inbound and Outbound Policies All unicast traffic must be defined by a security policy Traffic traveling from a security gateway is defined by an outbound policy traffic traveling to a security gateway is defined by an inbound policy Inbound protected traffic that is associated with an Unprotect SA configured on the interface does not require a policy If you are using IKE to establish security associations see the next section Automated SA IKE Policy Examples If you are manually configuring security associations see Manual SA Policy Examples on page C 5 308630 15 1 Rev 0
64. hed each policy e Technician Interface Enable IPsec debugging using the Technician Interface command ipsec Enter help ipsec for command usage e Packet capture Run packet capture on the interface on which IPsec is configured or on other interfaces where traffic originates or exits Although encrypted packets are still encrypted when viewed through packet capture you can distinguish IKE packets from IPsec packets and get an idea of how far an SA negotiation gets in the process of establishing IKE and IPsec SAs Contivity Tools Contivity software provides the following troubleshooting tools that may help with interoperability issues e The Admin gt Status gt Event Log display provides a detailed record of all events that take place on the system e The Test button on the Profiles gt Branch Office display allows you to verify that the branch office connection is properly configured and that the remote gateway remains reachable Detailed messages are sent to the event log e The Admin gt Status gt Sessions display provides details of the sessions IPsec tunnels for each active branch office connection These details include the time that each session is expected to expire e The Admin gt Status gt Statistics display provides system level statistics that can help resolve lower level problems with connections D 6 308630 15 1 Rev 00 Contivity VPN Switch Interoperability Symptoms You May See If traffic do
65. hell to change either the router NPK value or the MIB NPK value For more information about changing NPKs see Changing an NPK on page 2 7 To view the router log events specific to an NPK in the Technician Interface enter log ffwidt eKEYMGR 2 8 308630 15 1 Rev 00 Chapter 3 Starting IPsec This chapter provides instructions for configuring IPsec on an interface Topic Page Enabling IPsec and IKE 2 1 Creating Policies 3 2 Creating Security Associations 3 7 Enabling IPsec and IKE To enable IPsec configure an IP interface then add IPsec services to the interface to create a security gateway To enable IPsec and IKE complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window click on the Ethernet or WAN connector on which you want to configure an IPsec interface The Add Circuit window opens Click on OK If you selected a WAN connector the WAN Protocols window opens If you selected an Ethernet interface the Select Protocols window opens go to step 4 In the WAN Protocols window choose PPP or Frame Relay and click on OK The Select Protocols window opens continued 308630 15 1 Rev 00 3 1 Configuring IPsec Services Site Manager Procedure continued You do this System responds 4 Inthe Select Protocols window choose The IP Configuration window
66. her inbound policies repeat steps 10 through 13 15 Click on Done You return to the IPsec Configuration for Interface window Creating Security Associations Security associations enable you to provide bidirectional protection for data packets traveling between two routers Each SA establishes security for data passing in a single direction A pair of SAs a Protect SA and an Unprotect SA are created either automatically by IKE or manually by you for any IPsec policy configured on a security gateway Each SA includes security information such as algorithm and keys Note You should use automated SA creation IKE for greater security and decreased configuration management overhead Automated SA Creation IKE creates automated SAs based on the proposals that you configure for an IPsec outbound policy in Site Manager Each proposal specifies an encryption transform an authentication transform or both for the automated SA You do not need to specify keys for automated SAs because IKE creates them dynamically For examples of how to configure automated SAs see Automated SA IKE Policy Examples on page C 2 You can configure up to four proposals for a policy in order of preference IKE negotiates an automated SA based on the first proposal that matches one configured on the remote security gateway IKE creates both the inbound and the outbound SAs based on the results of the proposal negotiation 308
67. i D 1 Web Browser Configuration of the Contivity VPN Switch ssessssssssseeeerierrrierrrssreeees D 2 PoE el RIDO O aa penne cen cement ute eee tern treeer rrr rece Stet cern er reer ere D 2 OPERATION Considerations cer cia ca irre ener a nice ear aE D 3 Notwoik MOONGSSOS raci memes D 3 L E TE E ENAA E E Sa EE A T VA T tice Sate D 3 ee E E E E E ET D 4 Feature Comparison SUMMAI resanni a ir ieie NE eE ei RN TARTE D 4 Features Supported by Both Platforms sscsacsscscivanisczertenscavecpaugadexdaviastacsepeascennuenrsces D 4 BayRS Features Not Supported by the Contivity VPN Switch ccccceeeeeenes D 5 Contivity VPN Switch Features Not Supported by BayRS sssseesceeeeereerree D 5 Troubleshooting BayRS Contivity IPsec Interoperability c ceeeeeeseeeeeeeeeeeneeeeeeeeees D 6 Baya TOS A N D 6 CORU Fel a mrrceeee et er peetonr errs Meyer rete ree rrr trees rrr D 6 Raia You May GEE seeriana aaie aeaa EE AE AE KERNE D 7 Appendix E Protocol Numbers Assigned Internet Protocol Numbers by Name cccssseceeeeeeeeeeeeeeeseeeeeteees AOR E 2 Assigned Internet Protocol Numbers by Number sesssssssssrsssssrnrsssinnnsnsrnnnnsssnnneseennnenns E 7 Index viii 308630 15 1 Rev 00 Figures Figure 1 1 IPsec Environment Unique SAs Between Routers ceeeeeeereerees 1 6 Figure 1 2 IPsec Security Gateways Security Policies and Security Associations 1 7 Figure 1 3 IPsec Security Gateways and Security Policies
68. ified in security associations SAs A security association is a relationship in which two peers share the necessary information to securely protect and unprotect data The algorithm and key must be identical on both ends of an IPsec SA Integrity Integrity determines whether the data has been altered during transit The ESP protocol ensures that data has not been modified as it passes between the security gateways The ESP protocol uses the HMAC MD5 RFC 2403 or HMAC SHA 1 RFC 2404 transform You set integrity with the integrity algorithm and integrity key parameters The integrity algorithm and integrity key must be identical on both ends of an IPsec SA Authentication Authentication ensures that data has been transmitted by the identified source 1 4 308630 15 1 Rev 00 Overview of IPsec Additional IPsec Services Within the IPsec framework additional security services are provided An access control service ensures authorized use of the network and an auditing service tracks all actions and events IPsec services can be configured on an interface by interface basis Up to 127 inbound and 127 outbound security policies customized are supported on each IPsec interface How IPsec Works IPsec services are bundled as an IP encryption packet The packets resemble ordinary IP packets to Internet routing nodes only the sending and receiving devices are involved in the encryption IPsec packets are delivered over the Int
69. imal numbers Write down the generated number you will need to enter it on the router 308630 15 1 Rev 00 2 5 Configuring IPsec Services Entering an Initial NPK and a Seed for Encryption Before you can enable IPsec on a router you must enter an initial NPK and create a seed for use by IPsec You enter the NPK into a router locally using the console port and the secure shell section of the Technician Interface A password protects access to the secure shell IPsec uses the NPK to encrypt and decrypt the cipher and integrity keys and it uses the seed specified with the kseed command to generate random numbers needed by IPsec and IKE You cannot access the NPK or the password using the MIB or the routine Technician Interface debug commands nor can you invoke the secure shell in a Telnet session Caution Never use a terminal server to enter the NPK Instead use a laptop computer that you can attach directly to the router Protect the file containing NPKs on the laptop To enter an initial NPK and a seed for encryption 1 If necessary create a password for the Technician Interface secure shell by entering the following command at the Technician Interface prompt kpassword lt password gt lt password gt is an alphanumeric string of up to 16 characters When you are prompted for your old password press Enter 2 At the Technician Interface prompt enter the secure shell by entering the following command ksession
70. is System responds 1 In the Configuration Manager window click on the WAN connector on which you want to add an IPsec policy The Edit Connector dialog box opens 2 Click on Edit Circuit The Frame Relay Circuit Definition window opens 3 Click on Services The Frame Relay Service List window opens 4 Select a service record from the list From the Protocols menu choose Edit The IPsec Inbound Policies or the IPsec IP gt IP Security gt Outbound Policies or Outbound Policies window opens Inbound Policies 6 Click on Add Policy The Create Inbound Policy or the Create Outbound Policy window opens continued 308630 15 1 Rev 00 Customizing IPsec Site Manager Procedure continued 7 You do this In the Policy Name field type a name for the policy Click on Help or see the parameter description on page A 4 System responds From the Interfaces list select the interface where you want to add the policy From the Templates list select a template on which to base the policy 10 Click on OK If the policy includes a protect action the Choose SA Type dialog box opens 11 If the Choose SA Type dialog opens do one of the following e Choose Automated SA and follow the instructions in Creating an Outbound Protect Policy with Automated SAs IKE on page 3 8 e Choose Manual SA and follow the instructions in Creating a Pr
71. lectors as defined in RFC 2401 Security Architecture for the Internet Protocol for use as a criterion to allow establishment of an SA PFS support on a per IPsec tunnel basis Contivity uses PFS for all or none of the sessions IPsec SAs over a branch office connection DES only and 3DES only encryption options without integrity transforms Routing broadcast traffic in clear text Contivity VPN Switch Features Not Supported by BayRS BayRS does not support the following Contivity features Certificates public key infrastructure Delete payload for IKE SA sent when terminating IKE SAs IPsec transport mode AH IPsec protocol Vendor ID disable enable vendor ID is always enabled and not configurable on BayRS Routing information protocol inside an IPsec tunnel proprietary 308630 15 1 Rev 00 D 5 Configuring IPsec Services Troubleshooting BayRS Contivity IPsec Interoperability Use the following troubleshooting tools to diagnose and resolve interoperability problems between the BayRS and Contivity implementations of IPsec BayRS Tools BayRS provides the following troubleshooting tools that may help with interoperability issues e Event log Look for IPsec IKE IPsec_Audit and KEYMGR events e Technician Interface show scripts Use Technician Interface show scripts to display information and statistics about IPsec and IKE policies and SAs For example show ipsec selector out displays how many packets matc
72. mmand syntax is show ip interfaces alerts you can enter either show ip interfaces or show ip interfaces alerts Indicates new terms book titles and variables in command syntax descriptions Where a variable is two or more words the words are connected by an underscore Example If the command syntax is show at lt valid_route gt valid_route is one variable and you substitute one value for it xiv 308630 15 1 Rev 00 screen text separator gt vertical line Acronyms Preface Indicates system output for example prompts and system messages Example Set Trap Monitor Filters Shows menu paths Example Protocols gt IP identifies the IP option on the Protocols menu Separates choices for command keywords and arguments Enter only one of the choices Do not type the vertical line when entering the command Example If the command syntax is show ip alerts routes you enter either show ip alerts or show ip routes but not both This guide uses the following acronyms 3DES AH CBC CPU DES ESP HMAC IANA ICMP ICV IETF IKE IP IPsec Triple DES Authentication Header cipher block chaining central processing unit Data Encryption Standard Encapsulating Security Payload Hashing Message Authentication Code Internet Assigned Numbers Authority Internet Control Message Protocol integrity check value Internet Engineering Task Force Internet Key Exchange Internet Protoc
73. n individual interface also disables IKE on that router or interface automatically To disable IPsec on an individual interface complete the following tasks Site Manager Path You do this System responds 1 In the Configuration Manager window click on an existing IPsec interface The Edit Connector window opens Click on Edit Circuit The Circuit Definition window opens From the Protocols menu choose Edit IP gt IP Security gt Enable IPsec The Enable IP Security dialog box opens Set the IP Security Enable parameter to Disable Click on Help or see the parameter description on page A 3 continued 308630 15 1 Rev 00 4 11 Configuring IPsec Services Site Manager Path continued You do this System responds 5 Click on Done You return to the Circuit Definition window 6 Choose File gt Exit You return to the Configuration Manager window 4 12 308630 15 1 Rev 00 Appendix A Site Manager Parameters This appendix contains the Site Manager parameter descriptions for IPsec and IKE services You can display the same information using Site Manager online Help This appendix contains the following information Topic Page Node Protection Key Parameter A 2 IPsec Parameters A 3 IPsec Policy Parameters A 4 Manual Security Association Parameters A 5 Automated Security Association IKE Parameters A 10 F
74. nbound policy template and policy complete the following tasks Site Manager Procedure You do this System responds 1 In the IPsec Configuration for Interface window click on Inbound Policies The IPsec Inbound Policies window opens 2 Click on Template The IPsec Policy Template Management window opens 3 Click on Create The Create IPsec Template window opens 4 Inthe Policy Name field type a name for the template For a description of this parameter see page A 4 5 Use the Criteria menu to specify ranges for the IP source addresses IP destination addresses and protocol criteria 6 Use the Action menu to specify the action that you want applied to traffic with the criteria that you just defined 7 Click on OK You return to the IPsec Policy Template Management window 8 To create other policy templates repeat steps 3 through 7 9 Click on Done You return to the IPsec Inbound Policies window 10 Click on Add Policy The Create Inbound Policy window opens 11 In the Policy Name field type a name for the policy For a description of this parameter see page A 4 continued 308630 15 1 Rev 00 Starting IPsec Site Manager Procedure continued You do this System responds 12 From the Templates list select a template on which to base this policy 13 Click on OK You return to the IPsec Inbound Policies window 14 To create ot
75. nd policy is used for data packets leaving a security gateway Each IPsec interface can support up to 127 inbound and 127 outbound security policies refer to Figure 1 3 1 8 308630 15 1 Rev 00 Overview of IPsec The criteria selectors and action specifications used in your inbound and outbound policies are stored in the security policy database SPD IPsec defaults in favor of more security rather than less If an outbound or inbound packet does not match the criteria of any configured outbound or inbound policy in the SPD the packet is dropped IPsec discards outbound clear text data packets unless you explicitly configure a policy to bypass or protect them Policy Templates Every IPsec policy is based on a policy template A policy template is a predefined policy definition that you can use on any IP interface The template specifies one or more criteria and an action to apply to incoming or outgoing data packets A policy template and every policy based on it must include at least one criterion for example an IP source address and one action for example an outbound policy might specify a protect action A policy template or policy can include two actions if one of the actions is logging The criterion specification determines whether a data packet matches a particular security policy the action specifies how the policy is applied to the packet The action specifications that you can include in inbound and o
76. nfiguration Manager gt Protocols gt IP gt IP Security gt Outbound Policies Configuration Manager gt Protocols gt IP gt IP Security gt Inbound Policies Enabled Enabled Disabled Determines whether the named policy will be used on the IP interface Set this parameter to Enabled to activate the named policy on the IP interface None Policy Name Configuration Manager gt Protocols gt IP gt IP Security gt Outbound Policies Configuration Manager gt Protocols gt IP gt IP Security gt Inbound Policies None Any valid name Specifies the name of the policy or policy template to be created Enter a name to identify the policy or policy template that you are creating None A 4 308630 15 1 Rev 00 Site Manager Parameters Manual Security Association Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID SA Source IP Address Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA None Any valid IP address Specifies the IP address of the source interface fo
77. ng the Contivity VPN Switch require you to configure IP addresses by subnet and mask Therefore to interoperate with the Contivity implementation of IPsec a BayRS policy must contain source and destination IP address ranges that match the exact ranges of the corresponding Contivity branch office connection s local and remote accessible networks For example if the Contivity side of the IPsec tunnel branch office connection has a remote network of 192 32 54 128 255 255 255 224 and a local network of 192 32 13 128 255 255 255 224 the corresponding BayRS policy must have a source address range of exactly 192 32 54 128 to 192 32 54 159 and a destination address range of exactly 192 32 13 128 to 192 32 13 159 Routing Only static routing is supported between the Contivity switch and BayRS IPsec gateways Although the Contivity switch offers VPN Routing which sends RIP routes through an IPsec tunnel this feature is proprietary to the Contivity switch A BayRS router interface configured with IPsec sends broadcasts out the interface in clear text only The Contivity switch s public interface does not accept these clear text broadcasts 308630 15 1 Rev 00 D 3 Configuring IPsec Services Performance The BayRS implementation of IPsec is slower than the Contivity implementation Consider performance when determining which traffic needs IPsec protection If perfect forward secrecy PFS is unnecessary disable PFS on the Contivity switc
78. not go to step 5 Type the NPK and click on OK The Protect SA List or the Unprotect SA List for Interface window opens To create a new SA click on Add Set one or more of the following parameters e Cipher Algorithm Cipher Key Length Cipher Key 8 Byte Hex Integrity Algorithm Integrity Key 16 Byte Hex Click on Help or see the parameter descriptions beginning on page A 5 The IPsec Manual Protect SA or Unprotect SA window opens 7 Click on Apply and then click on Done 8 Click on Done You return to the Circuit Definition window Choose File gt Exit You return to the Configuration Manager window 308630 15 1 Rev 00 Configuring IPsec Services WAN Interface with Frame Relay To change or add manual SAs on a router interface configured with frame relay complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window click on the WAN connector on which you want to add or change manual SAs The Edit Connector dialog box opens 2 Click on Edit Circuit The Frame Relay Circuit Definition window opens 3 Click on Services The Frame Relay Service List window opens 4 Select a service record from the list From the Protocols menu choose You may be prompted for the node Edit IP gt IP Security gt Manual Protect protection key If not go to step 7 SAs or Manual Unpro
79. ns beginning on page A 10 10 Click on Done You return to the Add Proposal to Policy window continued 308630 15 1 Rev 00 Starting IPsec Site Manager Procedure continued You do this System responds 11 Click on New Proposal to create an The Edit IPsec Proposal window opens encryption type proposal that IKE will use when negotiating SA keys with the SA destination node 12 Type a proposal name choose one or more encryption methods for the proposal choose an Expiry type and change the Expiry Type value if desired 13 Click on Done You return to the Add Proposal to Policy window Repeat steps 9 and 10 to create additional proposals if needed 14 In the Add Proposal to Policy window choose the SA destination you created and then choose from one to four proposals in order of priority from the Proposals menu 15 Click on OK You return to the IPsec Outbound Policies window 16 Click on Done You return to the IPsec Configuration for Interface window About Manual SA Creation To protect encrypt or authenticate data packets leaving the local IPsec interface create a Protect SA and link it to a Protect outbound policy To decrypt or authenticate incoming packets at the local IPsec interface create an Unprotect SA The Unprotect SA does not need to be linked to a policy Then do the same for the IPsec interface on the remote router The ciph
80. nse agreement that may pertain to or accompany the delivery of this computer software the rights of the United States Government regarding its use reproduction and disclosure are as set forth in the Commercial Computer Software Restricted Rights clause at FAR 52 227 19 Statement of Conditions In the interest of improving internal design operational function and or reliability Nortel Networks Inc reserves the right to make changes to the products described in this document without notice Nortel Networks Inc does not assume any liability that may occur due to the use or application of the product s or circuit layout s described herein Portions of the code in this software product may be Copyright 1988 Regents of the University of California All rights reserved Redistribution and use in source and binary forms of such portions are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation advertising materials and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California Berkeley The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE
81. ol Internet Protocol Security 308630 15 1 Rev 00 XV Configuring IPsec Services ISAKMP Oakley IV MD5 MIB NAT NBMA NPK OSPF PFS RFC SA SAD SPD SPI TCP VPN WAN Internet Security Association and Key Management Protocol with Oakley Key Determination initialization vector Message Digest 5 management information base Network Address Translation nonbroadcast multi access node protection key Open Shortest Path First perfect forward secrecy Request for Comments security association security associations database security policy database security parameter index Transmission Control Protocol virtual private network wide area network Hard Copy Technical Manuals You can print selected technical manuals and release notes free directly from the Internet Go to the www nortelnetworks com documentation URL Find the product for which you need documentation Then locate the specific category and model or version for your hardware or software product Use Adobe Acrobat Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to Adobe Systems at the www adobe com URL to download a free copy of the Adobe Acrobat Reader You can purchase selected documentation sets CDs and technical publications through the Internet at the www1 fatbrain com documentation nortel URL xvi 308630 15 1 Rev 00 Preface How to Get Help If you purchas
82. opens IKE and click on OK Choosing IKE automatically selects IPSEC and IP 5 Set the following parameters e IP Address e Subnet Mask Click on Help or see Configuring IP ARP RARP RIP and OSPF Services 6 Click on OK The IPsec Configuration for Interface window opens When you configure IPsec on an interface for the first time configure the menu items displayed in the IPsec Configuration for Interface window in sequence starting with the first item Outbound Policies You must set an outbound policy for an IPsec interface before you can link an SA to it Creating Policies You create inbound and outbound policies for an IPsec interface by using a policy template A policy template is a policy definition that you create You can use a policy template on any IPsec interface on the router Each template contains a complete policy specification criteria range and action for the interface so each policy is completely specified by the template You can modify an individual policy to fit the needs of a specific interface independent of the template specifications Specifying Criteria The policy criteria determine the portion of a packet header IP source address IP destination address protocol number that is examined by IPsec For each criterion you specify a range of values The range represents the actual criteria values for example the IP addresses that are compared to the address of a packet 308
83. or each parameter this appendix provides the following information Parameter name Configuration Manager menu path Default setting Valid parameter options Parameter function Instructions for setting the parameter Management information base MIB object ID 308630 15 1 Rev 00 Configuring IPsec Services The Technician Interface allows you to modify parameters by issuing set and commit commands with the MIB object ID This process is equivalent to modifying parameters using Site Manager For more information about using the Technician Interface to access the MIB see Using Technician Interface Software Caution The Technician Interface does not verify the validity of your parameter values Entering an invalid value can corrupt your configuration Node Protection Key Parameter Parameter Path Default Options Function Instructions MIB Object ID Node Protection Key 8 Byte Hex Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Protocols gt IP gt IKE None An 8 byte value Used as a cryptographic key for protecting sensitive MIB objects The NPK value is stored in NVRAM The IPsec software performs a hash of the NPK value which it places in a special MIB attribute The NPK value stored in NVRAM is unique to the router It is used to encrypt the cipher and integrity keys before they are stored in the router MIB Enter
84. otect SA Manually on page 3 10 You return to the IPsec Inbound Policies or IPsec Outbound Policies window 12 Click on Done You return to the Frame Relay Service List window 13 Click on Done You return to the Frame Relay Circuit Definition window 14 Click on Done You return to the Configuration Manager window 308630 15 1 Rev 00 Configuring IPsec Services Reordering Policies The procedure to reorder IPsec policies on a router interface depends on the connector type and the WAN protocol used on a WAN interface Choose the appropriate procedure for Ethernet and PPP or for frame relay Ethernet Interface or WAN Interface with PPP To change the order in which existing IPsec policies are applied on an Ethernet interface or on a WAN interface configured with PPP complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window click on the connector on which you want to reorder IPsec policies The Edit Connector dialog box opens 2 Click on Edit Circuit The Circuit Definition window opens 3 From the Protocols menu choose The IPsec Inbound Policies or the IPsec Edit IP gt IP Security gt Outbound Outbound Policies window opens Policies or Inbound Policies 4 Select the policy that you want to move The Change Precedence dialog box and click on Reorder open
85. oth ends of a connection Security associations apply IPsec services to data packets traveling between the security gateways Figure 1 2 shows the logical relationship between security policies and security associations IPsec gateway Router interface Inbound process Security associations l l I l l I l Unprotect SAs Inbound policies i Source Dest Addr SPI criteria and action ae eos l bypass drop log Security Untrusted ntegrity Algo Key i policy network Outbound policies database Protect SAs i criteria and action i Source Dest Addr SPI _ bypass drop log i Cipher Algo Key i i protect 1 i Integrity Algo Key l 1 i l l E E ee y I I et Outbound process p gt 1 1 l l 1 1 pe Ea tee fa A Sian feo am eek Pah A eh fom Te fe A wt eae IP0087A Figure 1 2 IPsec Security Gateways Security Policies and Security Associations 308630 15 1 Rev 00 1 7 Configuring IPsec Services Security Gateways A security gateway establishes SAs between router interfaces configured with IPsec software A Nortel Networks router becomes a security gateway when you enable IPsec on a WAN or Ethernet interface In this way a Nortel Networks router operating as a security gateway provides IPsec services to its internal hosts and subnetworks Hosts or networks on
86. ound Policies The IPsec Inbound Policies or the IPsec Outbound Policies window opens Click on Add Policy The Create Inbound Policy or the Create Outbound Policy window opens In the Policy Name field type a name for the policy Click on Help or see the parameter description on page A 4 From the Interfaces list select the interface where you want to add the policy From the Templates list select a template on which to base the policy Click on OK If the policy includes a protect action the Choose SA Type dialog box opens continued 308630 15 1 Rev 00 Configuring IPsec Services Site Manager Procedure continued You do this 9 If the Choose SA Type dialog opens do one of the following e Choose Automated SA and follow the instructions in Creating an Outbound Protect Policy with Automated SAs IKE on page 3 8 e Choose Manual SA and follow the instructions in Creating a Protect SA Manually on page 3 10 System responds You return to the IPsec Inbound Policies or IPsec Outbound Policies window 10 Click on Done You return to the Circuit Definition window 11 Choose File gt Exit WAN Interface with Frame Relay You return to the Configuration Manager window To add an IPsec policy to a router interface configured with frame relay complete the following tasks Site Manager Procedure You do th
87. pens 2 Choose IP The IP menu opens 3 Choose IKE The Edit IKE SA Destination window opens A list of SAs specifying source and destination appears 4 Click on the SA that you want to modify 5 Set one or more of the following parameters SA Name e Pre shared Key Type e Pre shared Key ascii e Pre shared Key hex e Expiry Value Minutes Click on Help or see the parameter descriptions beginning on page A 10 6 Click on Apply 7 Click on Done You return to the Configuration Manager window 308630 15 1 Rev 00 Modifying Manual SAs Customizing IPsec The procedure to modify manual SAs on a router interface depends on the connector type and the WAN protocol used on a WAN interface Choose the appropriate procedure for Ethernet and PPP or for frame relay Ethernet Interface or WAN Interface with PPP To change or add manual SAs on an Ethernet interface or on a WAN interface configured with PPP complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window click on the connector on which you want to add or change manual SAs The Edit Connector dialog box opens Click on Edit Circuit The Circuit Definition window opens From the Protocols menu choose Edit IP gt IP Security gt Manual Protect SAs or Manual Unprotect SAs You may be prompted for the node protection key If
88. r this SA For a Protect SA enter the IP address of the local IPsec interface For an Unprotect SA enter the IP address of the remote IPsec interface None SA Destination IP Address Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA None Any valid IP address Specifies the IP address of the destination interface for this SA For a Protect SA enter the IP address of the remote IPsec interface For an Unprotect SA enter the IP address of the local IPsec interface None 308630 15 1 Rev 00 A 5 Configuring IPsec Services Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Security Parameter Index Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Outbound Policies gt Add Policy gt OK gt Manual SA
89. ration where PFS is enabled and IPsec continuously and unsuccessfully attempts to establish an IPsec SA This problem may also indicate that the traffic load for the router and encryption algorithm may be more than the router can process If triple DES is in use change it to DES where possible 308630 15 1 Rev 00 Configuring IPsec Services IPsec SAs are deleted on the local side This message is probably due to normal operation after Psec SAs expire However if the message is repeated many times during an interval shorter than the expiry time set for IPsec SAs there could be an SA negotiation problem possibly caused by mismatched configurations Sample BayRS error message 969 09 02 1999 16 32 43 441 INFO SLOT 5 IKE Code 153 Delete payload received from peer 144 1 1 133 message ID Ox84dc7aef SPI length 4 Num of SPIs 1 Protocol 3 1st SPI 1248199851 An Informational Exchange Trace message may occasionally appear during normal operation If you see it continuously it could indicate an SA negotiation problem also probably due to mismatched configurations Sample BayRS error message 15 09 02 1999 21 49 07 606 TRACE SLOT 1 IKE Code 31 Informational Exchange received on unknown SA D 8 308630 15 1 Rev 00 Appendix E Protocol Numbers IPsec policies may include a protocol criterion that references the 1 byte protocol number field in an IP packet header To assist you in creating policies this appen
90. rce address 189 132 10 1 189 132 10 1 IP destination 119 68 12 1 119 68 12 1 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 0x010123040506070890a0 bOcOd0e0f1 11 bOcOd0e0f111 308630 15 1 Rev 00 Configuration Examples The next two tables show the settings for the Protect Unprotect SA pairs between RTR1 and RTR3 refer to Figure C 4 RTR1 Protect SA RTR3 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 129 43 12 19 129 43 12 19 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key 0xFADE050403020100 0OxFADE050403020100 Integrity algorithm None None Integrity key None None RTR1 Unprotect SA RTR3 Protect SA IP source address 129 43 12 19 129 43 12 19 IP destination 119 68 12 1 119 68 12 1 address Security parameter 257 257 index SPI Cipher key length DES56 DES56 Cipher key OxFADE050403020100 OxFADE050403020100 Integrity algorithm None None Integrity key None None 308630 15 1 Rev 00 C 15 Configuring IPsec Services The final two tables show the settings for the Protect Unprotect SA pairs between RTR1 and RTR4 refer to Figure C 4 RTR1 Protect SA RTR4 Unprotect SA
91. re NAT using either the BCC or Site Manager When you configure IPsec and NAT on the same router interface IPsec and NAT operate independently and do not pass traffic to each other When you configure both IPsec and NAT on the same router interface NAT takes precedence over IPsec For example if the destination address of an incoming IP packet does not match any configured NAT public address then the packet is processed by IPsec If the IP packet contains an address that falls within the configured range of an IPsec policy then the packet is either protected bypassed or dropped A packet with a source address not within any IPsec policy range will be dropped Note Router interfaces configured for bidirectional NAT do not support IPsec 1 2 308630 15 1 Rev 00 Overview of IPsec Network Requirements for Nortel Networks Routers To install the IPsec software the router must be running at a minimum BayRS Version 13 10 and Site Manager Version 7 10 To use Internet Key Exchange IKE and automated security associations SAs BayRS Version 13 20 and Site Manager Version 7 20 or later are required Supported Routers Nortel Networks IPsec technologies are implemented on BayRS router interfaces supporting Ethernet and WAN communications IPsec can provide encryption and authentication services to any Ethernet or WAN interface on the following routers e Access Node AN e Access Stack Node ASN e Advanced Remote
92. rekey information In general when you refer to security associations SAs especially if you are troubleshooting a new configuration it is helpful to specify the type of SA that you are referring to an IKE SA or an IPsec SA In addition the BayRS implementation of IPsec uses the term protocol in protocol filtering criteria for an IPsec policy template or policy This term is not comparable to the Contivity filters protocol options BayRS IPsec uses protocol as the value for protocol selector as defined in IETF RFCs for IPsec The Contivity VPN Switch does not support the protocol selector defined in the RFCs D 2 308630 15 1 Rev 00 Contivity VPN Switch Interoperability Configuration Considerations When you configure a Contivity switch to interoperate with BayRS IPsec you must configure the Contivity switch to include a branch office connection with a tunnel type equal to IPsec For detailed instructions on configuring branch office connections see Configuring the Contivity VPN Switch The following sections provide information to help you configure IPsec to interoperate on BayRS and Contivity platforms Network Addresses When you configure IP network addresses note that BayRS lets you configure a network range that can include any number of valid IP addresses The ability to configure address ranges provides flexibility for BayRS to BayRS IPsec implementations However many IPsec platforms includi
93. s 5 Change the order in which the policy is applied e To move the policy up click on Insert Before e To move the policy down click on Insert After 6 Inthe Precedence Number field type the number of the policy before or after which you want to insert the selected policy 7 Click on OK You return to the IPsec Inbound Policies or the IPsec Outbound Policies window The policies reflect the new order that you specified 8 Click on Done You return to the Circuit Definition window 9 Choose File gt Exit You return to the Configuration Manager window 308630 15 1 Rev 00 WAN Interface with Frame Relay Customizing IPsec To change the order in which existing IPsec policies are applied on a router interface configured with frame relay complete the following tasks Site Manager Procedure You do this System responds 1 In the Configuration Manager window click on the WAN connector on which you want to reorder IPsec policies The Edit Connector dialog box opens Click on Edit Circuit The Frame Relay Circuit Definition window opens Click on Services The Frame Relay Service List window opens Select a service record from the list From the Protocols menu choose Edit IP gt IP Security gt Outbound Policies or Inbound Policies The IPsec Inbound Policies or the IPsec Outbound Policies window opens Select the policy that you want to move and click on R
94. t gt Unprotect SA Protect SA Source 132 245 145 205 Source 132 245 145 205 Destination 132 245 145 195 Destination 132 245 145 195 IP0079A Figure 1 4 Security Associations for Bidirectional Traffic Under most circumstances you configure the IKE protocol to negotiate SAs between security gateways automatically You can also manually configure SAs How IKE Negotiates Security Associations The IKE protocol automates the process of IPsec SA configuration by creating an IKE SA for Protect SA and Unprotect SA negotiation Each IKE peer sends IPsec SA parameter negotiation information in a secure IKE packet The peers generate keys based on the agreed parameters and then verify each other s identity After this verification is done the IPsec SA is established The IKE protocol itself is secured through an IKE SA created using the Diffie Hellman algorithm Oakley to determine the key and the authentication methods described in Automated Security Associations Using IKE on page 1 11 The Nortel Networks implementation uses a preshared key Security Parameter Index A security parameter index SPI is an arbitrary but unique 32 bit 4 byte value that when combined with the IP destination address and the numeric value of the security protocol used ESP uniquely identifies the SA for a data packet IPsec discards an incoming ESP packet if the SPI does not match any SA in the inbound security associations database SAD
95. tect SAs 6 Type the NPK and click on OK The Protect SA List or the Unprotect SA List for Interface window opens 7 To create a new SA click on Add The IPsec Manual Protect SA or Unprotect SA window opens 8 Set one or more of the following parameters e Cipher Algorithm e Cipher Key Length e Cipher Key 8 Byte Hex e Integrity Algorithm e Integrity Key 16 Byte Hex Click on Help or see the parameter descriptions beginning on page A 5 9 Click on Apply and then click on Done 10 Click on Done You return to the Frame Relay Service List window 11 Click on Done You return to the Frame Relay Circuit Definition window 12 Click on Done You return to the Configuration Manager window 308630 15 1 Rev 00 Disabling IPsec Customizing IPsec To disable IPsec on all router interfaces configured for it complete the following tasks Site Manager Path You do this System responds 1 In the Configuration Manager window choose Protocols The Protocols menu opens Choose IP The IP menu opens 3 Choose IP Security The IP Security menu opens 4 Choose Globals The Edit IP Security Global Parameters window opens Set the IP Security Enable parameter to Disable Click on Help or see the parameter description on page A 3 Click on Done You return to the Configuration Manager window Note Disabling IPsec on a router or on a
96. ted Software Versions BayRS IPsec software can interoperate with Contivity Version 2 5 software and later BayRS versions earlier than Version 14 00 do not support IPsec interoperability with the Contivity VPN Switch 308630 15 1 Rev 00 D 1 Configuring IPsec Services Web Browser Configuration of the Contivity VPN Switch Unlike products that use BayRS software you configure Contivity products through a Web browser If you are new to Contivity configuration note the following general guidelines when you configure Contivity software using the browser e You must click on OK at the bottom of Contivity configuration screens to continue as you configure the Contivity software If you use your browser navigation buttons your configuration choices will be lost e All configuration changes are dynamic either taking place immediately or taking effect for subsequent IKE IPsec connections made to the peer IPsec Terminology Contivity software uses different terminology than BayRS for some IPsec features Table D 1 lists some of these terms Table D 1 Comparison of BayRS and Contivity IPsec Terminology BayRS Term Contivity Equivalent Security association SA formed by IPsec branch office connection two IKE security gateways or peers IPsec SAs IPsec branch office sessions Policy Branch office connection s remote and local accessible networks Policy proposal Branch office connection s group IPsec encryption and
97. the external side of a security gateway typically the overall Internet are considered untrusted Hosts or subnetworks on the internal side of a security gateway nodes on your local intranet are considered trusted because they are controlled and securely managed by the same network administration Figure 1 3 Trusted Outbound policy Outbound policy Trusted network s network IPsec interface a J Local Security Security Remote host host gateway network gateway i Inbound policy clear text only lEsecinterace Inbound policy clear text only IP0078A Figure 1 3 IPsec Security Gateways and Security Policies When you add IPsec services to a router to create a security gateway its internal hosts and subnetworks can communicate with external hosts that directly operate IPsec services or with a remote security gateway that provides IPsec services for its set of hosts and subnetworks Security Policies When you create an IPsec policy you control which packets a security gateway protects how it handles packets to or from particular addresses or in a particular protocol and whether it logs information about these actions There are two types of IPsec policies inbound and outbound An inbound policy is used for data packets arriving at a security gateway and an outbou
98. tion can be used in combination with any one of the three or it can be used alone Policy Criteria Specification IPsec software inspects IP packet headers based on the specified criteria to determine whether a policy applies to a data packet You must include at least one of the following criteria and you can specify all three criteria in an IPsec policy e IP source address e IP destination address e Protocol 308630 15 1 Rev 00 Overview of IPsec To specify the protocol criterion you must provide the numeric value assigned to the protocol for use over the Internet You can specify only a single protocol value for each policy The protocol number is represented in the 1 byte protocol field in an IP packet header For a list of protocol numbers see Appendix E Protocol Numbers To obtain the most recent list of the numeric values assigned to various protocols see the Internet Assigned Numbers Authority IANA Web site at http www iana org The direct path to the list of legal values that you can specify for an IPsec policy protocol criterion is http www iana org assignments protocol numbers Security Associations A security association SA is a relationship in which two peers share the necessary information to securely protect and unprotect data An IPsec SA is uniquely identified by an IP destination address security parameter index SPD and security protocol identifier for example ESP in tunnel mode
99. tocol using Kryptonet key management 57 SKIP N A 58 IPv6 ICMP ICMP for IPv6 59 IPv6 NoNxt No Next Header for IPv6 60 IPv6 Opts Destination Options for IPv6 61 Any host internal protocol 62 CFTP N A 63 Any local network 64 SAT EXPAK SATNET and Backroom EXPAK 65 KRYPTOLAN Kryptolan 66 RVD MIT Remote Virtual Disk Protocol 67 IPPC Internet Pluribus Packet Core 68 Any distributed file system 69 SAT MON SATNET Monitoring 70 VISA VISA Protocol 71 IPCV Internet Packet Core Utility 72 CPNX Computer Protocol Network Executive 73 CPHB Computer Protocol Heart Beat 74 WSN Wang Span Network 75 PVP Packet Video Protocol 76 BR SAT MON Backroom SATNET Monitoring 77 SUN ND SUN ND Protocol Temporary 78 WB MON WIDEBAND Monitoring 79 WB EXPAK WIDEBAND EXPAK 80 ISO IP ISO Internet Protocol 81 VMTP N A 82 SECURE VMTP N A 83 VINES N A continued 308630 15 1 Rev 00 E 9 Configuring IPsec Services Table E 2 Internet Protocol Numbers Sorted by Number continued Number Protocol Acronym Protocol Name Expanded 84 TTP N A 85 NSFNET IGP N A 86 DGP Dissimilar Gateway Protocol 87 TCF N A 88 EIGRP N A 89 OSPFIGP N A 90 Sprite RPC Sprite RPC Protocol 91 LARP Locus Address Resolution Protocol 92 MTP Multicast Transport Protocol 93 AX 25 AX 25 Frames 94 IPIP IP within IP Encapsulation Protocol 95 MICP Mobile Internetworking
100. torpariacasdntaaticcnsveteavanr aes 1 16 internet Key Exehange Prowl seccccssssciicertsceccsueverecocotuenscctoetanccboestuaivcleammeiceneomavesiouees 1 17 PP FONA CE iis Sassen cals tne sapere ena REKARTE RENS E ENAA EEEE 1 17 Ferorman s Considaraions entisiin aa A 1 17 Chapter 2 Installing IPsec Upgrading Router SINAC 5 cu aps3csanedeanascesneriansaacweneiaantieavaceraindaiaal aE ea 2 1 Installing the IF seg SONWANE osaicc aaa araa EE ERA 2 2 Completing the Installation Process s2cccicivcsisenscccecctscteucasdssceeesiarteaceseeesbeecnndnanscaaanas 2 3 SECUN COME ANS sina aiencisean eh ealieseiam a ep eee 2 4 SECU TOUT Conia vate aati aei tea us E i ance ree aut NEA 2 4 EDOTT NO S aera ae ee ee eee eer ne ee teen cere tery cer tere cer enero cen att eerie ty cern tyre 2 4 Rand m Number GeNerator seriinin aaepe RE raaa 2 5 Creating and Uema NPK E sergreinir aa Ee Ea Kea ra 2 5 Genoa ino NET E anai laine dadad einige daa 2 5 Entering an Initial NPK and a Seed for Encryption 0 ccccceeeseeeeeseeeeeeeetetteeeeaes 2 6 Chandio AA NP aia RE 2 7 PPT PRICE NPF Tarai a aa 2 8 Chapter 3 Starting IPsec Empo IPSC aE E aa desatie a tuiecseeanacgelenadeldtscadeede 3 1 GERIDO FOlICIES sirrin aaa E peaedaadeeee 3 2 oTsTe 110 1a Celia snae Eaa aa neta A S E A A rer et 3 2 mae PIN AN ACIO arni a a 3 3 Pillay Consideration ternaria aE EEEE E AER pO 3 3 vi 308630 15 1 Rev 00 Creating an Outbound Policy Template and Policy cccc
101. ual Router Redundancy Protocol 79 WB EXPAK WIDEBAND EXPAK 78 WB MON WIDEBAND Monitoring 74 WSN Wang Span Network 15 XNET Cross Net Debugger 22 XNS IDP XEROX NS IDP 36 XTP N A E 6 308630 15 1 Rev 00 Assigned Internet Protocol Numbers by Number Protocol Numbers Table E 2 lists the Internet Protocol numbers in order by protocol number Table E 2 Internet Protocol Numbers Sorted by Number Number Protocol Acronym Protocol Name Expanded 0 HOPOPT IPv6 Hop by Hop Option 1 ICMP Internet Control Message Protocol 2 IGMP Internet Group Management Protocol 3 GGP Gateway to Gateway Protocol 4 IP IP in IP encapsulation 5 ST Stream 6 TCP Transmission Control Protocol 7 CBT N A 8 EGP Exterior Gateway Protocol 9 IGP Any private interior gateway 10 BBN RCC MON BBN RCC Monitoring 11 NVP II Network Voice Protocol 12 PUP N A 13 ARGUS N A 14 EMCON N A 15 XNET Cross Net Debugger 16 CHAOS Chaos 17 UDP User Datagram Protocol 18 MUX Multiplexing 19 DCN MEAS DCN Measurement Subsystems 20 HMP Host Monitoring Protocol 21 PRM Packet Radio Measurement 22 XNS IDP XEROX NS IDP 23 TRUNK 1 Trunk 1 24 TRUNK 2 Trunk 2 25 LEAF 1 Leaf 1 continued 308630 15 1 Rev 00 E 7 Configuring IPsec Services Table E 2 Internet Protocol Numbers Sort
102. umption and security e MD5 e SHAI e DES e DES with MD5 e DES with SHA1 e 3DES e 3DES with MD5 e 3DES with SHA1 In addition the key generation and periodic rekeying done by IKE Diffie Hellman imposes a CPU burden For example 3DES SHA traffic with aggressive phase 1 IKE and IPsec rekeying for example every 10 minutes can cause significant performance degradation under heavy traffic loads Therefore consider the keying intervals for IKE and for IPsec that you choose during configuration Less frequent rekeying reduces the burden on the CPU Consider rekeying the phase 1 IKE SAs less frequently than the IPsec SAs Finally packet size affects the performance of the router Smaller packet sizes at a given data rate impose a greater processing load than larger packet sizes For example BayRS IPsec on a BN router can fill a 2 Mb s WAN pipe with bidirectional DES encrypted traffic You may experience SNMP timeouts during periods when the router is carrying peak loads of protected traffic 308630 15 1 Rev 00 Chapter 2 Installing IPsec This chapter describes how to install and prepare to use IPsec Before you configure IPsec you must perform the tasks described in this chapter Topic Page Upgrading Router Software 2 1 Installing the IPsec Software 2 2 Securing Your Site 2 4 Securing Your Configuration 2 4 Creating and Using NPKs 2 5 Upgrading Router Software To inst
103. upported WAN PIIGEOlS sis diay de cctciie cn Gece ernie E ANETE 1 3 IP30 SOONG OS ici ssseasiansseroumineime neem ieee ee 1 4 A SOPTTIGS TLS soricina e EA O EEE 1 4 E scl E A A E E E E E T aan 1 4 ne ieS a EEE ET E E T E 1 4 Additional IPsec Servicos suecssissrsssssianai tinin a a baie 1 5 FOW IFSEC N aaa A a E S 1 5 IPsec Proteo iOD cessie aa E Ea 1 5 PSr TUNE M OE aiana AA A ahat 1 6 Ue ie etal aia a ae a 1 7 Secut ae oaie aa AA EA OAE E AEE 1 8 UNE Folies ta css paces a abies aa Ea aa Ta R A EES 1 8 FORS TINERE oa 1 9 EDN FOCOS arua eae E a EEEN 1 9 Ba edrakus 2 POTIS EA E S EA E A E AT T ET 1 10 Polig CO Se CANON serisinin ie aa eaa aaia in 1 10 308630 15 1 Rev 00 v Socu MSS OCIANDNS cscs aed na aR eE 1 11 Automated Security Associations Using IKE cccceeeseeeseeeeeeeeeeeteeeeeeeeeees 1 11 Mantel Security ASSOCIATIONS oct erste cicacreccaicats coed aicessedsen ced eter addinin 1 12 Security Associations for Bidirectional Traffic cccccccsccccsseeeeseeesseeeenteeeee 1 12 How IKE Negotiates Security ASSOCIATIONS eeeceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeetaees 1 13 SOCUrity Parameter WGK essre e i OREKAN a ER 1 13 Examples of Security Policies and Security Associations eeeeeeeeeeeeee e 1 14 ESPACE PPV UCAS sarasa a aaa a tee ele NaS 1 15 Encapsulating Security Payload ESP Protocol cccccseeeseeeeeeeeeeeeseeeeeneeeees 1 15 Authentication Header AH ProtoCol sscsicescasccsssasiancacsass
104. ur router e Connect the router to the network and create a pilot configuration file see Quick Starting Routers Configuring Remote Access for AN and Passport ARN Routers or Connecting ASN Routers to a Network Make sure that you are running the latest version of Nortel Networks BayRS and Site Manager software For information about upgrading BayRS and Site Manager see the upgrading guide for your version of BayRS 308630 15 1 Rev 00 xiii Configuring IPsec Services Text Conventions This guide uses the following text conventions angle brackets lt gt bold text braces brackets italic text Indicate that you choose the text to enter based on the description inside the brackets Do not type the brackets when entering the command Example If the command syntax is ping lt p_address gt you enter ping 192 32 10 12 Indicates command names and options and text that you need to enter Example Enter show ip alerts routes Example Use the dinfo command Indicate required elements in syntax descriptions where there is more than one option You must choose only one of the options Do not type the braces when entering the command Example If the command syntax is show ip alerts routes you must enter either show ip alerts or show ip routes but not both Indicate optional elements in syntax descriptions Do not type the brackets when entering the command Example If the co
105. utbound policies are discussed in the following two sections Inbound Policies An inbound policy determines how a security gateway processes data packets received from an untrusted network Every packet arriving at a security gateway is compared with the criteria to determine whether it matches an IPsec policy for that router If the incoming packet matches a bypass policy the router accepts the packet and if the policy is so configured logs it If the packet does not match any policy or matches a drop policy the router rejects the packet When a packet does not match any policy IPsec s default action is to drop the packet 308630 15 1 Rev 00 1 9 Configuring IPsec Services For an inbound security policy the action can be one or two of the following e Drop e Bypass e Log The drop and bypass actions are mutually exclusive The log action can be used alone or it can be used in combination with the drop or bypass action Outbound Policies An outbound policy determines how a security gateway processes data packets for transmission across an untrusted network You must assign an outbound policy for all unicast traffic leaving an IPsec interface For an outbound policy the action specification can be one or two of the following e Protect e Drop e Bypass e Log An outbound policy with a protect action specification is mapped to a Protect SA The drop protect and bypass actions are mutually exclusive The log ac
106. uter A IPsec ote L services A a IP security s a gateway Z 4 k i Security Security associations associations SAs A B i Public SAs C A i network i I Partner Branch office E J X E J Router B amp IP security IP security 4 Router C gateway gateway Host ES ka Host IPsec o tee agaa IPsec services Security associations services SAs B C IP0088A Figure 1 1 IPsec Environment Unique SAs Between Routers IPsec Tunnel Mode When a security gateway exists at each end of a communication the security associations between the gateways are said to be in tunnel mode The tunnel metaphor refers to data being visible only at the beginning and end points of the communication The IP packets protected by IPsec have regular visible IP headers but the packet contents are encrypted and thus hidden All BayRS IPsec communications occur in tunnel mode Tunnel mode is especially effective for isolating and protecting enterprise traffic traveling across a public data network as shown in Figure 1 1 1 6 308630 15 1 Rev 00 Overview of IPsec IPsec Elements IPsec has three important constructs e Security gateways e Security policies e Security associations In the IPsec context hosts communicate across an untrusted network through security gateways routers configured for IPsec interfaces Security policies determine how the IPsec interfaces handle data packets for the hosts on b
107. when you install the Psec software Table 2 1 IPsec Installation Files by Router Platform File Name Routers capi exe AN ARN ASN BN and System 5000 capi ppc Passport 2430 and Passport 5430 To install the IPsec software 1 Insert the IPsec software CD into the CD ROM drive 2 Open or create a directory for your router platform for example BN 3 Copy the files lt platform gt exe for example bn exe for the BN and capi exe or capi ppc from the CD to the platform directory 4 From Site Manager start the Image Builder choose Tools gt Image Builder 5 Open the image for example bn exe in the router platform directory Note that Available Components is empty and that Current Components lists the executables 6 Click on Details Under 4003x Baseline Router Software select capi exe or capi ppc 2 2 308630 15 1 Rev 00 Installing IPsec Click on Remove The file capi exe or capi ppc is now listed under Available Components Choose File gt Save to save the image Exit the Image Builder Completing the Installation Process To complete the installation process 1 8 9 Open the Image Builder directory e Ona PC the default directory is wf builder dir rel lt release_number gt e Ona UNIX platform the default directory is builder_dir rel lt release_number gt Remove the capi exe or capi ppc file from the Image Builder directory and make note of its
108. xes resulting from Customer s use of the Software Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations Neither party may bring an action regardless of form more than two years after the cause of the action arose The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks This License Agreement is governed by the laws of the country in which Customer acquires the Software If the Software is acquired in the United States then this License Agreement is governed by the laws of the state of New York 308630 15 1 Rev 00 Contents Preface Berre WBE ennai ity Coreen cere mre errr nT ieee etree rome te arin rrr E xiii TRUS sea bey rasatisceiautaredaane ieee aad aaa uae xiv PREPOU VIN cic iessieits easier aed ee eee XV Hard Copy Technical Manuals weiss asliees vaso camel eseetaddenccheasaarathawmbadioedia aude ASEE bR ES xvi Hor to Ger Ua aaa ste es wrte cine tas a cepneh cae beecbicaentie dined thee ven dteaniaceeoee dette daere lected xvii Chapter 1 Overview of IPsec USUI IPO fesse ad nccedce scene ds tetas nak poner A A 1 2 Configuring IPsec and NAT on One Interface eee eeseeeseeceeeessnereneeeseereasessneesaeeeseeesaes 1 2 Network Requirements for Nortel Networks Routers cccceeeeeeeeeeeeeeeeenneeeeeeeeeees 1 3 PUIG ROEFS orrai aa patecandersteced sae theca ete E anaE 1 3 S
109. y Outbound Action Protect Criteria IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 28 41 0 192 28 41 255 SA Source 1 1 1 1 Destination 1 1 1 2 SPI 256 RTR1 Interface S21 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP C 6 308630 15 1 Rev 00 Configuration Examples Example 2 Required Policies on RTR2 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR2 Subnet 192 28 41 0 RTR 2 Policy Action Criteria SA Interface S21 Outbound Protect IP source address range 192 28 41 0 192 28 41 255 IP destination address range 192 32 5 0 192 32 5 255 Source 1 1 1 2 Destination 1 1 1 1 SPI 256 RTR2 Interface S21 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP Example 3 Required Policies on RTR2 to Protect Data Between RTR2 Subnet 192 28 41 0 and RTR3 Subnet 192 131 141 0 RTR 2 Policy Action Criteria SA Interface S31 Outbound Protect IP source address range 192 28 41 0 192 28 41 255 IP destination address range 192 131 141 0 192 131 141 255 Source 2 2 2 1 Destination 2 2 2 2 SPI 256 308630 15 1 Rev 00 C 7 Configuring IPsec Services Example 4 Required Outbound Policies on RTR3 to Protect Data Between RTR2 Subnet 192 28 41 0 and RTR3 Subnet 192 131 141 0 RTR 3
Download Pdf Manuals
Related Search