Avaya Configuring IP Security Services User's Manual
Contents
1. sessceeeeeeee C 9 Figure C 4 Multiple Protect Unprotect SA Pairs ssesseeeeee C 12 304111 B Rev 00 ix Table 1 1 Table 1 2 Table D 1 Table D 2 304111 B Rev 00 Tables Security Policy Specifications Laus inve kn ie RV hen ug a d 1 14 Manual Security Association SA Configurations 1 15 Internet Protocol Numbers Sorted by Acronym sessen D 2 Internet Protocol Numbers Sorted by Number sss D 6 xi Preface This guide describes the Bay Networks implementation of IP Security and how to configure it on a Bay Networks router Before You Begin Before using this guide you must complete the following procedures For a new router e Install the router see the installation guide that came with your router Connect the router to the network and create a pilot configuration file see Quick Starting Routers or Configuring BayStack Remote Access Make sure that you are running the latest version of Bay Networks BayRS and Site Manager software For information about upgrading BayRS and Site Manager see the upgrading guide for your version of BayRS 304111 B Rev 00 xiii Configuring IPsec Services Text Conventions This guide uses the following text conventions angle brackets lt gt bold text braces brackets italic text Indicate that you choose the text to enter based on t2. Table D 2 Internet Protocol Numbers Sorted by Number continued Number Protocol Acronym Protocol Name Expanded 43 IPv6 Route Routing Header for IPv6 44 IPv6 Frag Fragment Header for IPv6 45 IDRP Inter Domain Routing Protocol 46 RSVP Reservation Protocol 47 GRE General Routing Encapsulation 48 MHRP Mobile Host Routing Protocol 49 BNA n a 50 ESP Encapsulating Security Payload 51 AH Authentication Header 52 I NLSP Integrated Net Layer Security Protocol 53 SWIPE IP with Encryption 54 NARP NBMA Address Resolution Protocol 55 MOBILE IP Mobility 56 TLSP Transport Layer Security Protocol using Kryptonet key management 57 SKIP n a 58 IPv6 ICMP ICMP for IPv6 59 IPv6 NoNxt No Next Header for IPv6 60 IPv6 Opts Destination Options for IPv6 61 Any host internal protocol 62 CFTP n a 63 Any local network 64 SAT EXPAK SATNET and Backroom EXPAK 65 KRYPTOLAN Kryptolan 66 RVD MIT Remote Virtual Disk Protocol 67 IPPC Internet Pluribus Packet Core 68 Any distributed file system 69 SAT MON SATNET Monitoring 70 VISA VISA Protocol 71 IPCV Internet Packet Core Utility continued D 8 304111 B Rev 00 Protocol Numbers Table D 2 Internet Protocol Numbers Sorted by Number continued Number Protocol Acronym Protocol Name Expanded 72 CPNX Computer Protocol Network Executive 73 CPHB Co
3. Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 50 ESP Protocol 50 ESP C 8 304111 B Rev 00 Configuration Examples Example 7 Required Policies on RTR3 to Protect Data Between RTR3 Subnet 192 131 141 0 and RTR1 192 32 5 0 RTR 3 Interface S11 Policy Outbound Action Protect Criteria IP source address range 192 131 141 0 192 131 141 255 IP destination address range 192 32 5 0 192 32 5 255 SA Source 2 2 2 2 Destination 1 1 1 1 SPI 257 Manual Protect and Unprotect SA Configuration SAs specify which IPsec services are applied to the data packets traveling between the security gateways An individual SA protects data traveling in one direction A Protect SA is used to apply IPsec services to outbound traffic an Unprotect SA is used to decrypt and or authenticate incoming data packets The examples in this section show how to manually configure both Protect and Unprotect SAs Automated SA configuration is achieved using IKE without user configuration required For SA examples 1 and 2 refer to Figure C 3 for SA example 3 refer to Figure C 4 S31 119 68 12 1 132 10 1 52 Figure C 3 Single Protect Unprotect SA Pair 304111 B Rev 00 C 9 Configuring IPsec Services SA Example 1 Configuring a Single Protect Unprotect SA Pair In this example a single Protect Unprotect SA pair is configured using DES encryption Both ends of the SA pair use the
4. Enabling IPsec and IKE To enable IPsec configure an IP interface using the Configuration Manager Then add IPsec services to that interface to create a security gateway Use the following steps Site Manager Procedure You do this System responds 1 In the Configuration Manager window The Add Circuit window opens click on the WAN connector on which you want to configure an IPsec interface 2 Click on OK The WAN Protocols window opens 3 Choose a WAN protocol PPP or frame The Select Protocols window opens relay continued 304111 B Rev 00 3 1 Configuring IPsec Services Site Manager Procedure continued You do this System responds 4 Choose IP IPSEC and IKE The IP Configuration window opens Choosing IPSEC automatically selects IP choosing IKE automatically selects IPSEC and IP 5 Set the following parameters IP Address Subnetwork Mask Click on Help or see Configuring IP ARP RIP and OSPF Services 6 Click on OK The IPsec Configuration for Interface window opens When you use Site Manager to configure IPsec on an interface for the first time configure the menu items displayed in the IPsec Configuration for Interface window in sequence starting with the top item Outbound Policies You must set an outbound policy for an IPsec interface before you can link an SA to it Creating Policies You create inbound and outbound policies for an I
5. Hashing Message Authentication Code 1 16 HMAC 1 16 HMAC MDS 1 3 1 16 A 7 Index 1 IKE description 1 11 enabling 3 1 security associations 3 8 Image Builder 2 2 inbound security policies 1 3 1 9 initialization vectors IVs 2 5 installation 2 2 integrity algorithm considerations 3 8 integrity key 2 4 integrity service 1 2 1 3 Internet Assigned Numbers Authority IANA 1 10 D 1 Internet Engineering Task Force IETF role in IPsec development 1 2 Internet Key Exchange IKE description 1 11 explained 1 17 negotiating security associations 1 13 using 3 9 3 10 IP destination address 1 11 IP interface 1 4 IP Security about 1 2 enabling A 2 IPsec about 1 2 disabling 3 13 enabling 3 1 installating 2 2 key constructs 1 5 ISAKMP Oakley 1 11 K k commands 2 6 B 1 Index 2 L log policy criterion 3 3 router log NPK confirmation 2 8 management information base MIB 2 5 2 8 Message Digest 5 MD5 1 3 1 16 A 7 N Node Protection Key NPK configuration considerations 2 4 Site Manager parameters A 1 usage 2 5 O outbound security policies 1 3 1 9 P perfect forward secrecy 1 17 policies See security policy policy template creating inbound 3 6 creating outbound 3 4 defined 1 8 usage 3 2 PPP support 1 18 pre shared key IKE use 1 17 product support xvii protocol policy criterion 1 10 protocols supported 1 18 public data network tunnel mode
6. Outbound Protect IP source address range IP destination address range 119 68 12 1 Oxabba1234daba1234 SDES MD5 192 32 5 0 192 32 5 255 192 32 10 0 192 32 10 255 192 32 10 0 192 32 10 255 192 32 5 0 192 32 5 255 Example 2 Required Policies Proposals and SA Destinations on RTR1 and RTR3 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR3 subnet 192 32 20 0 RTR 1 Policy Action Criteria SA Destination Pre Shared Key Proposal Interface S31 Outbound Protect IP source address range IP destination address range 129 43 12 19 Oxbeef1234daba1234 DES 192 32 5 0 192 32 5 255 192 32 20 0 192 32 20 255 304111 B Rev 00 C 3 Configuring IPsec Services RTR 3 Policy Action Criteria SA Destination Pre Shared Key Proposal Example Interface S28 Outbound Protect IP source address range 192 32 20 0 192 32 20 255 IP destination address range 192 32 5 0 192 32 5 255 119 68 12 1 Oxbeef1234daba1234 DES 3 Required Policies Proposals and SA Destinations on RTR1 and RTR4 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR4 Subnet 192 32 30 0 RTR 1 Policy Action Criteria SA Destination Pre Shared Key Proposal RTR 4 Policy Action Criteria SA Destination Pre Shared Key Proposal Interface S31 Outbound Protect IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 32 30 0 192 32 30 255 192 32
7. Configuring IPsec Services BayRS Version 13 20 Site Manager Software Version 7 20 Part No 304111 B Rev 00 April 1999 NORTEL NETWORKS Bay Networks Inc 4401 Great America Parkway Santa Clara CA 95054 Copyright 1999 Bay Networks Inc All rights reserved Printed in the USA April 1999 The information in this document is subject to change without notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsibility for their applications of any products specified in this document The information in this document is proprietary to Bay Networks Inc The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license A summary of the Software License is included in this document Trademarks AN BN and Bay Networks are registered trademarks and Advanced Remote Node ARN ASN BayRS BayStack and System 5000 are trademarks of Bay Networks Inc All other trademarks and registered trademarks are the property of their respective owners Restricted Rights Legend Use duplication or disclosure by the United States Government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 Notwithst
8. Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Site Manager Parameters Security Parameter Index Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs viewing only Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Outbound Policies gt Add Policy gt OK gt Manual SA 256 256 to 65535 The security parameter index SPI is an arbitrary 32 bit value that when combined with the destination IP address and the numeric value of the security protocol being used ESP identifies the SA for the data packet Enter a value from 256 to the value configured for the Maximum SPI parameter None Cipher Algorithm Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Outbound Policies gt Add Policy gt OK gt Manual SA DES CBC None DES CBC Identifies
9. However this does not change the hashed NPK value in the MIB To change the NPK value used by the MIB 1 Atthe Technician Interface prompt enter the secure shell by issuing the following command ksession 2 Enter your password 3 Enter the following command ktranslate old NPK value old NPK value is the original NPK value The older hashed NPK in the MIB is decrypted and the new NPK is hashed and stored in the MIB The MIB now has the same NPK as the router 4 Savethe configuration file Monitoring NPKs If the NPK on a router does not match the NPK in the MIB IPsec services do not work This situation usually occurs when you change a CPU board in a router slot and the slot now lacks the current NPK or you revert to an older configuration that is protected by an older NPK View the router log to make sure that the NPK for each slot matches the NPK value in the MIB If the values do not match use the secure shell to change either the router NPK value or the MIB NPK value For more information about changing NPKs see Changing an NPK on page 2 8 To view the router log events specific to an NPK in the Technician Interface enter log ffwidt eKEYMGR 2 8 304111 B Rev 00 Chapter 3 Configuring IPsec This chapter includes the following information Topic Page Enabling IPsec and IKE g i Creating Policies 3 2 Creating Security Associations 3 8 Disabling IPsec 3 13
10. The direct path to the list of legal values that you can specify for an IPsec policy protocol criterion is http www isi edu in notes iana assignments protocol numbers 304111 B Rev 00 D 1 Configuring IPsec Services Assigned Internet Protocol Number by Name Table D 1 lists the Internet protocol numbers alphabetically by their acronyms Table D 1 Internet Protocol Numbers Sorted by Acronym Number Protocol Acronym Protocol Name Expanded 61 Any host internal protocol 63 Any local network 68 Any distributed file system 99 Any private encryption scheme 114 Any 0 hop protocol 34 3PC Third Party Connect 107 A N Active Networks 51 AH Authentication Header 13 ARGUS n a 104 ARIS n a 93 AX 25 AX 25 Frames 10 BBN RCC MON BBN RCC Monitoring 49 BNA n a 76 BR SAT MON Backroom SATNET Monitoring 7 CBT n a 62 CFTP n a 16 CHAOS Chaos 110 Compaq Peer Compaq Peer Protocol 738 CPHB Computer Protocol Heart Beat 72 CPNX Computer Protocol Network Executive 19 DCN MEAS DCN Measurement Subsystems 37 DDP Datagram Delivery Protocol 116 DDX DD II Data Exchange 86 DGP Dissimilar Gateway Protocol 8 EGP Exterior Gateway Protocol 88 EIGRP n a continued D 2 304111 B Rev 00 Protocol Numbers Table D 1 Internet Protocol Numbers Sorted by Acronym co
11. SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Outbound Policies gt Add Policy gt OK gt Manual SA None Any valid 8 byte value Specifies the key for an SA cipher algorithm This key value must match on both sides of an SA to enable the encryption and decryption of data packets according to the Data Encryption Standard DES algorithm Enter a 16 digit 8 byte hexadecimal value Enter the prefix 0x before the 16 digits 1 3 6 1 4 1 18 3 5 3 26 5 1 7 A 6 304111 B Rev 00 Parameter Path Default Options Function Instructions MIB Object ID Site Manager Parameters Integrity Algorithm Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Outbound Policies gt Add Policy gt OK gt Manual SA None None HMAC MD5 Enables implementation of the HMAC MD5 algorithm which determines whether a data packet was changed between the source and destination To implement the security integrity level select the HMAC MD5 algorithm If y
12. The IPsec Policy Template Management window opens 3 Click on Create The Create IPsec Template window opens Click on Help or see the parameter description on page A 3 4 Enter a name in the Policy Name field 5 Use the Criteria menu to specify the applicable range for the IP source addresses IP destination addresses and protocol criteria Policy Template 6 Use the Action menu to add the action that you want applied to traffic with the criteria that you just defined 7 Click on OK You return to the IPsec Policy Template Management window 8 Click on Done You return to the IPsec Outbound Policies window continued 304111 B Rev 00 Configuring IPsec Site Manager Procedure continued You do this System responds 9 Click on Add Policy The Create Outbound Policy window opens 10 Enter the policy name in the Policy Name field Click on Help or see the parameter description on page A 3 11 Select a template on which to base this policy 12 Click on OK If the policy does not include a Protect action you return to the IPsec Outbound Policies window If the policy includes a Protect action the Choose SA Type dialog opens 13 Click on either Manual SA or Manual SA lets you choose from a list Automated SA of manual Protect SAs or create a new manual Protect SA Automated SA opens the Add Proposal to Policy window If a range of IP
13. defined 1 7 V Version requirements BayRS 1 18 Site Manager 1 18 Virtual private networks VPNs with IPsec 1 2 WwW WAN interface security gateway 1 7 WAN protocols supported 1 18 WEP Key Manager 2 6 Index 3
14. Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs viewing only Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Outbound Policies gt Add Policy gt OK gt Manual SA None Any valid IP address Specifies the IP address of the source interface for this SA For a Protect SA enter the IP address of the local IPsec interface For an Unprotect SA enter the IP address of the remote IPsec interface None SA Destination IP Address Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs viewing only Configuration Manager Edit Circuit Protocols Edit IP Manual Protect SAs Add Configuration Manager Edit Circuit Protocols Edit IP Manual Unprotect SAs gt Add Configuration Manager Edit Circuit Protocols Edit IP Outbound Policies Add Policy OK Manual SA None Any valid IP address Specifies the IP address of the destination interface for this SA For a Protect SA enter the IP address of the remote IPsec interface For an Unprotect SA enter the IP address of the local IPsec interface None A 4 304111 B Rev 00 Parameter Path Default Options
15. LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE In addition the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure that may incorporate by reference certain limitations and notices imposed by third parties ii 304111 B Rev 00 Bay Networks Inc Software License Agreement NOTICE Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre enabled software each of which is referred to as Software in this Agreement BY COPYING OR USING THE SOFTWARE YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE If you do not accept these terms and conditions return the product unused and in the original shipping container within 30 days of purchase to obtain a credit for the full purchase price 1 License Grant Bay Networks Inc Bay Networks grants the end user of the Software Licensee a personal nonexclusive nontransferable license a to use the Software either on a single computer or if applicable on a single authorized device identified by host ID for which it was originally acquired b to copy the Software solely for backup purposes in support of authorized use of the Software and
16. Manager Procedure You do this System responds 1 Inthe IPsec Configuration for Interface window click on Manual Protect SA The Protect SA List for Interface window opens 2 Click on Add The IPsec Manual Protect SA window opens where the parameters from the Protect SA List for Interface window become active 3 Set the following parameters SA Source IP Address SA Destination IP Address e Security Parameter Index Cipher Algorithm Cipher Key Length Cipher Key Integrity Algorithm Integrity Key Position the cursor in a field and click on Values to display a menu of valid options if applicable Click on Help or see the parameter descriptions beginning on page A 4 for more information 4 Click on OK You return to the Protect SA List for Interface window 5 Repeat steps 2 to 4 if necessary to create additional Protect SAs Click on Done when finished You return to the IPsec Configuration for Interface window 304111 B Rev 00 3 11 Configuring IPsec Services Creating an Unprotect SA Manually To manually create an Unprotect SA complete the following tasks Site Manager Procedure You do this System responds 1 Inthe IPsec Configuration for Interface window click on Manual Unprotect SA The Unprotect SA List for Interface window opens 2 Click on Add The IPsec Manual Unprotect SA window opens where the parameters from th
17. NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT SPECIAL INDIRECT INCIDENTAL OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE EVEN IF BAY NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN NO EVENT SHALL THE LIABILITY OF BAY NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO BAY NETWORKS FOR THE SOFTWARE LICENSE 5 Government Licensees This provision applies to all Software and documentation acquired directly or indirectly by or on behalf of the United States Government The Software and documentation are commercial products licensed on the open market at market prices and were developed entirely at private expense and without the use of any U S Government funds The license to the U S Government is granted only with restricted rights and use duplication or disclosure by the U S Government is subject to the restrictions set forth in subparagraph c 1 of the Commercial Computer Software Restricted Rights clause of FAR 52 227 19 and the limitations set out in this license for civilian agencies and subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause of DFARS 252 227 7013 for agencies of the Department of Defense or their successors whichever is applicable 6 Use of Software in the European Communit
18. Security Security E J ue host gateway gateway F ost Inbound policy clear text only Kes ec mntehiate Inbound policy clear text only IP0078A Figure 1 3 IPsec Security Gateways and Security Policies When you add IPsec services to a router to create a security gateway its internal hosts and subnetworks can communicate with external hosts that directly operate IPsec services or with a remote security gateway that provides IPsec services for its set of hosts and subnetworks 304111 B Rev 00 1 7 Configuring IPsec Services Security Policies When you create an IPsec policy you control which packets a security gateway protects how it handles packets to or from particular addresses or in a particular protocol and whether it logs information about these actions There are two types of IPsec policies inbound and outbound An inbound policy is used for data packets arriving at a security gateway and an outbound policy is used for data packets leaving a security gateway Each IPsec interface can support up to 127 inbound and 127 outbound security policies refer to Figure 1 3 on page 1 7 The criteria selectors and action specifications used in your inbound and outbound policies are stored in the security policy database SPD IPsec defaults in favor of more security rather than less If an outbound or inbound packet does not match the criteria of any configured outbound or inbound policy in the SPD the packet is dro
19. Software or any information about the operation design performance or implementation of the Software and user manuals that is confidential to Bay Networks and its licensors however Licensee may grant permission to its consultants subcontractors and agents to use the Software at Licensee s facility provided they have agreed to use the Software only in accordance with the terms of this license 3 Limited warranty Bay Networks warrants each item of Software as delivered by Bay Networks and properly installed and operated on Bay Networks hardware or other equipment it is originally licensed for to function substantially as described in its accompanying user manual during its warranty period which begins on the date Software is first shipped to Licensee If any item of Software fails to so function during its warranty period as the sole remedy Bay Networks will at its discretion provide a suitable fix patch or workaround for the problem that may be included in a future Software release Bay Networks further warrants to Licensee that the media on which the Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days from the date Software is first shipped to Licensee Bay Networks will replace defective media at no charge if it is returned to Bay Networks during the warranty period along with proof of the date of shipment This warranty does not apply if the media has been damaged as a result
20. allow you to create an SA if both the Cipher Algorithm and the Integrity Algorithm parameters are set to None 3 8 304111 B Rev 00 Configuring IPsec Creating a Protect SA Automatically Using IKE To use IKE to create automated Protect SAs complete the following tasks Site Manager Procedure You do this System responds 1 In the IPsec Configuration for Interface window click on Outbound Policies The IPsec Outbound Policies window appears 2 Click on Add Policy The Create Outbound Policy window appears 3 Type a name for the policy choose a If the policy includes a protect action the template and click OK Choose SA Type dialog box opens 4 Click on Automated SA The Add Proposal to Policy window opens Note If a node protection key has not yet been set the Node Protection Key dialog box opens before the Add Proposal to Policy window Enter an NPK and click on OK See Creating a Node Protection Key NPK on page 2 5 for more information 5 Click on Add to specify the SA Destination The Add IKE SA Destination window address and pre shared key for IKE SAs appears Enter the IP address and Click on Help or see the parameter pre shared key and click on Done to descriptions beginning on page A 4 for return to the Add Proposal to Policy more information window 6 Click on New Proposal to create an The Edit IPsec Proposal window appears encryption ty
21. not used in the Bay Networks implementation of IPsec 304111 B Rev 00 Overview of IPsec Internet Key Exchange IKE Protocol The Internet Key Exchange IKE protocol negotiates and provides private and authenticated keying material for security associations Before providing keying material the IKE protocol itself must be authenticated that is something must create an IKE security association between the security gateways IKE is servicing BayRS software creates an IKE SA through a pre shared authentication key IKE creates and changes IPsec SAs dynamically with no user intervention necessary making them faster and more frequently than they might otherwise be made for greater security To negotiate a security association IKE peers form a security association an IKE SA between them The IKE SA protects the negotiation of the IPsec SA parameters and key exchange The IKE protocol can change IPsec and IKE SA keys based on preconfigured criteria such as elapsed time or number of bytes sent Perfect Forward Secrecy Perfect forward secrecy PFS disassociates each IPsec SA key from others in the same IKE negotiated security association To obtain PFS IKE uses the Diffie Hellman algorithm to exchange keys for each SA This means that as IKE and IPsec SAs are automatically re keyed over the course of IPsec peer communication old keys if compromised cannot be used to derive previous or future keys used for other SAs With P
22. of accident misuse or abuse The Licensee assumes all responsibility for selection of the Software to achieve Licensee s intended results and for the installation use and results obtained from the Software Bay Networks does not warrant a that the functions contained in the software will meet the Licensee s requirements b that the Software will operate in the hardware or software combinations that the Licensee may select c that the operation of the Software will be uninterrupted or error free or d that all defects in the operation of the Software will be corrected Bay Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release These warranties do not apply to the Software if it has been i altered except by Bay Networks or in accordance with its instructions ii used in conjunction with another vendor s product resulting in the defect or iii damaged by improper environment abuse misuse accident or negligence THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE Licensee is responsible for the security of 304111 B Rev 00 iii its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files data or programs 4 Limitation of liability IN
23. parameter index SPI value for manually configured SAs Enter an integer which represents the maximum SPI value required for manual SAs for this interface 1 3 6 1 4 1 18 3 5 3 26 1 5 A 2 304111 B Rev 00 Site Manager Parameters IPsec Policy Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Policy Enable Configuration Manager gt Protocols gt IP gt IP Security gt Outbound Policies Configuration Manager gt Protocols gt IP gt IP Security gt Inbound Policies Enable Enable Disable Determines whether the named policy will be used on the IP interface Set this parameter to Enable to activate the named policy on the IP interface None Policy Name Configuration Manager gt Protocols gt IP gt IP Security gt Outbound Policies Configuration Manager gt Protocols gt IP gt IP Security gt Inbound Policies None Any valid name Specifies the name of the policy to be created using the IPsec policy template Enter a name to identify any policy you create using the IPsec policy template None 304111 B Rev 00 A 3 Configuring IPsec Services Manual Security Association Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID SA Source IP Address
24. same cipher algorithm cipher key and integrity key see Figure C 3 RTR1 Protect SA RTR2 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 189 132 10 1 189 132 10 1 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 bOcOd0e0f1 1 0x010123040506070890a0 bOcOd0e0f1 1 RTR1 Unprotect SA RTR2 Protect SA IP source address 189 132 10 1 189 132 10 1 IP destination 119 68 12 1 119 68 12 1 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 bOcOd0e0f1 1 0x010123040506070890a0 bOcOd0e0f1 1 304111 B Rev 00 Configuration Examples SA Example 2 Configuring Two Protect Unprotect SA Pairs In this example two Protect Unprotect SA pairs are configured using DES encryption Both ends of the SA pair use the same cipher algorithm and key The integrity algorithm is set to None refer to Figure C 3 RTR1 Protect SA RTR2 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 189 132 10 1 189 132 10 1 address Security parameter 256 256 index SPI Cipher key
25. source addresses and IP destination addresses was not configured in the template the Add Policy Ranges dialog box appears first Policy 14 If you chose Manual SA see the instructions for manual configuration in Creating Security Associations on page 3 8 15 If you chose Automated SA complete the Add Proposal to Policy screen to associate one or more encryption methods with a negotiated SA to a particular IP address 16 Click on Done You return to the IPsec Configuration for Interface window 304111 B Rev 00 3 5 Configuring IPsec Services Creating an Inbound Policy The process for creating inbound policies is virtually identical to the process for creating outbound policies with the exception that you cannot specify a protect action for an inbound policy To create an inbound policy template and policy complete the following tasks Site Manager Procedure You do this System responds 1 Inthe IPsec Configuration for Interface window click on Inbound Policies The IPsec Inbound Policies window opens 2 Click on Template The IPsec Policy Template Management window opens 3 Click on Create Click on Help or see the parameter description on page A 3 4 Enter a name in the Policy Name field The Create IPsec Template window opens 5 Use the Criteria menu to specify the applicable range for the IP source addresses IP destination addre
26. static symmetric keys on communicating hosts or security gateways As such you must coordinate within your organization and with outside parties to configure keys that will protect your information Security Associations for Bidirectional Traffic An SA specifies the security services that are applied to data packets traveling in one direction between security gateways To secure the traffic in both directions the security gateway must have a Protect SA for data transmitted from the local IPsec interface and an Unprotect SA for data received by the local IPsec interface Figure 1 4 Protect SA Unprotect SA Source 132 245 145 195 Source 132 245 145 195 Ses nty gateway Destination 132 245 145 205 Destination 132 245 145 205 security gateway Networks Figure 1 4 A c E Network p 132 245 145 195 132 245 145 205 See E Unprotect SA Protect SA Source 132 245 145 205 Source 132 245 145 205 Destination 132 245 145 195 Destination 132 245 145 195 IP0079A Security Associations for Bidirectional Traffic Under most circumstances you will configure the Internet Key Exchange IKE protocol to negotiate SAs between security gateways automatically You can also manually configure SAs 304111 B Rev 00 Overview of IPsec How IKE Negotiates Security Associations The Internet Key Exchange IKE protocol automates the process of IPsec SA configuration by c
27. 1 5 Oxabba1579daba1234 SHAt expiry minutes 1440 Interface S33 Outbound Protect IP source address range 192 32 30 0 192 32 30 255 IP destination address range 192 32 5 0 192 32 5 255 119 68 12 1 Oxabba1579daba1234 SHAt expiry minutes 1440 C4 304111 B Rev 00 Configuration Examples Manual SA Policy Examples As you review the security policy examples in this section refer to Figure C 2 All of the routers have OSPF interfaces configured for type NBMA transmit unicast frames An outbound and an inbound bypass policy protect all unicast traffic for the specified router subnetworks Security policy examples 1 and 2 show how to configure outbound policies to protect all unicast traffic between RTR1 and RTR2 examples 3 and 4 show how to configure outbound policies to protect all unicast traffic between RTR2 and RTR3 and examples 5 6 and 7 show how to configure outbound policies to protect all traffic between RTR1 and RTR3 A bypass inbound policy is in effect for all incoming traffic to the routers so that no SAs are required Protect Unprotect SA RTR1 to RTR2 Protect Unprotect SA RTR2 to RTR3 SPI 256 192 28 41 0 192 32 5 0 SPI 256 192 131 141 0 IP IPsec OSPF Type NBMA IP IPsec RIP Typ Sep L ID 1 7 5 2 2 RTR2 21 11 LIE ETE RTR1 1 1 1 2 2 1 2 2 2 2 RTR3 1 1 1 1 Protect Unprotect SA RTR1 to RTR3 SPI 257 Figure
28. 1 B Rev 00 Preface Bay Networks Technical Publications You can now print Bay Networks technical manuals and release notes free directly from the Internet Go to support baynetworks com library tpubs Find the Bay Networks product for which you need documentation Then locate the specific category and model or version for your hardware or software product Using Adobe Acrobat Reader you can open the manuals and release notes search for the sections you need and print them on most standard printers You can download Acrobat Reader free from the Adobe Systems Web site www adobe com You can purchase Bay Networks documentation sets CDs and selected technical publications through the Bay Networks Collateral Catalog The catalog is located on the World Wide Web at support baynetworks com catalog html and is divided into sections arranged alphabetically e The CD ROMs section lists available CDs The Guides Books section lists books on technical topics e The Technical Manuals section lists available printed documentation sets Make a note of the part numbers and prices of the items that you want to order Use the Marketing Collateral Catalog description link to place an order and to print the order form How to Get Help For product assistance support contracts information about educational services and the telephone numbers of our global support offices go to the following URL http www baynetworks com
29. 5 L2TP Layer Two Tunneling Protocol 116 DDX DD II Data Exchange 117 IATP Interactive Agent Transfer Protocol 118 ST Schedule Transfer 119 SRP SpectraLink Radio Protocol 120 254 Unassigned 255 Reserved 304111 B Rev 00 Numbers 3DES 1 16 A Access Node AN support 1 18 Access Stack Node ASN support 1 18 acronyms xv Advanced Remote Node ARN support 1 18 anti replay service explained 1 15 auditing service 1 3 authentication 1 3 authentication header AH 1 15 authentication service 1 2 Backbone Node BN support 1 18 BayRS version requirements 1 18 BayStack support 1 18 bidirectional traffic with security associations 1 12 C capi exe file 2 2 cipher algorithm considerations 3 8 Site Manager parameters A 5 usage 1 2 cipher block chaining CBC 1 2 1 16 cipher key 1 2 2 4 confidentiality service 1 2 Configuration Manager enabling IPsec 3 1 configuration security 2 4 304111 B Rev 00 Index D Data Encryption Standard DES 1 16 data integrity explained 1 15 data origin authentication explained 1 15 dial services support 1 18 Diffie Hellman protocol use in perfect forward secrecy 1 17 disabling IPsec 3 13 E educational services xvii enabling IKE 3 1 IPsec 3 1 Encapsulating Security Payload ESP 1 15 encryption 1 16 export limitations 1 16 generating a seed 2 7 limitations 2 4 F frame relay support 1 18 H
30. Associations SAs Between Routers 1 4 304111 B Rev 00 Overview of IPsec IPsec Tunnel Mode When there is a security gateway at each end of a communication the security associations between the gateways are said to be in tunnel mode The tunnel metaphor refers to data being visible only at the beginning and end points of the communication The IP packets protected by Psec have regular visible IP headers but the packet contents are encrypted and thus hidden All BayRS IPsec communications occur in tunnel mode Tunnel mode is especially effective for isolating and protecting enterprise traffic traveling across a public data network as shown in Figure 1 1 Elements of IPsec IPsec has three important constructs e Security gateways e Security policies e Security associations SAs In the IPsec context hosts communicate across an untrusted network through security gateways routers configured for Psec interfaces Security policies determine how the IPsec interfaces handle data packets for the hosts on both ends of a connection Security associations apply IPsec services to data packets traveling between the security gateways Figure 1 2 shows the logical relationship between security policies and security associations 304111 B Rev 00 Configuring IPsec Services Unprotect SAs Source Dest Addr SPI Cipher Algo Key Integrity Algo Key Protect SAs Source Dest Addr SPI Cipher Algo Key Integrity Al
31. C 2 IPsec Manual Outbound Policies for RTR1 RTR2 and RTR3 Example 1 Required Policies on RTR1 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR2 Subnet 192 28 41 0 RTR 1 Interface S21 Policy Outbound Action Protect Criteria IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 28 41 0 192 28 41 255 SA Source 1 1 1 1 Destination 1 1 1 2 SPI 256 304111 B Rev 00 C 5 Configuring IPsec Services RTR1 Interface S21 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP RTR 2 Policy Action Criteria SA Example 2 Required Policies on RTR2 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR2 Subnet 192 28 41 0 Interface S21 Outbound Protect IP source address range 192 28 41 0 192 28 41 255 IP destination address range 192 32 5 0 192 32 5 255 Source 1 1 1 2 Destination 1 1 1 1 SPI 256 RTR2 Interface S21 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP C 6 304111 B Rev 00 RTR 2 Policy Action Criteria SA RTR 3 Policy Action Criteria SA RTR 1 Policy Action Criteria SA Configuration Examples Example 3 Required Policies on RTR2 to Protect Data Between RTR2 Subnet 192 28 41 0 and RTR3 Subnet 192 131 141 0 Interface S31 Outbound Protect IP source add
32. FS if an intruder manages to break an encryption key they gain access to a limited amount of data packets protected by a single SA 304111 B Rev 00 1 17 Configuring IPsec Services Network Requirements for Bay Networks Routers To install the IP Security IPsec software the router must be running BayRS Version 13 10 or later and Site Manager Version 7 10 or later To use IKE and automated SAs BayRS Version 13 20 and Site Manager Version 7 20 or later are required Supported Routers Bay Networks IP technologies are implemented on BayRS router interfaces supporting synchronous communications IPsec can provide encryption and authentication services to any serial interface on the following routers BayStack Access Node AN BayStack Access Stack Node ASN BayStack Advanced Remote Node ARN Backbone Node BN System 5000 router modules Supported WAN Protocols The Bay Networks implementation of IPsec supports PPP and frame relay WAN protocols The Bay Networks IPsec implementation also supports dial services which provide backup and demand services for PPP and frame relay 304111 B Rev 00 Chapter 2 Getting Started With IPsec This chapter describes how to start using IPsec Before you configure IPsec you need to e Upgrade router software if necessary e Install IPsec software e Secure your site e Secure your configuration e Use the Technician Interface secure shell to enter a n
33. Gateway Protocol 9 IGP any private interior gateway 10 BBN RCC MON BBN RCC Monitoring 11 NVP II Network Voice Protocol 12 PUP n a 138 ARGUS n a continued D 6 304111 B Rev 00 Protocol Numbers Table D 2 Internet Protocol Numbers Sorted by Number continued Number Protocol Acronym Protocol Name Expanded 14 EMCON n a 15 XNET Cross Net Debugger 16 CHAOS Chaos 17 UDP User Datagram Protocol 18 MUX Multiplexing 19 DCN MEAS DCN Measurement Subsystems 20 HMP Host Monitoring Protocol 21 PRM Packet Radio Measurement 22 XNS IDP XEROX NS IDP 23 TRUNK 1 Trunk 1 24 TRUNK 2 Trunk 2 25 LEAF 1 Leaf 1 26 LEAF 2 Leaf 2 27 RDP Reliable Data Protocol 28 IRTP Internet Reliable Transaction Protocol 29 ISO TP4 ISO Transport Protocol Class 4 30 NETBLT Bulk Data Transfer Protocol 31 MFE NSP MFE Network Services Protocol 32 MERIT INP MERIT Internodal Protocol 33 SEP Sequential Exchange Protocol 34 3PC Third Party Connect 35 IDPR Inter Domain Policy Routing 36 XTP n a 37 DDP Datagram Delivery Protocol 38 IDPR CMTP IDPR Control Message Transport Protocol 39 TP TP Transport Protocol 40 IL IL Transport Protocol 41 IPv6 Internet Protocol version 6 42 SDRP Source Demand Routing Protocol continued 304111 B Rev 00 D 7 Configuring IPsec Services
34. IP IPX in IP 28 IRTP Internet Reliable Transaction Protocol 80 ISO IP ISO Internet Protocol 29 ISO TP4 ISO Transport Protocol Class 4 65 KRYPTOLAN Kryptolan 115 L2TP Layer Two Tunneling Protocol 91 LARP Locus Address Resolution Protocol 25 LEAF 1 Leaf 1 26 LEAF 2 Leaf 2 32 MERIT INP MERIT Internodal Protocol 31 MFE NSP MFE Network Services Protocol 48 MHRP Mobile Host Routing Protocol 95 MICP Mobile Internetworking Control Protocol 55 MOBILE IP Mobility 92 MTP Multicast Transport Protocol 18 MUX Multiplexing 54 NARP NBMA Address Resolution Protocol 30 NETBLT Bulk Data Transfer Protocol 85 NSFNET IGP n a 11 NVP II Network Voice Protocol 89 OSPFIGP n a 113 PGM PGM Reliable Transport Protocol 103 PIM Protocol Independent Multicast 102 PNNI PNNI over IP 21 PRM Packet Radio Measurement 12 PUP n a 75 PVP Packet Video Protocol 106 QNX n a continued 304111 B Rev 00 Protocol Numbers Table D 1 Internet Protocol Numbers Sorted by Acronym continued Number Protocol Acronym Protocol Name Expanded 27 RDP Reliable Data Protocol 46 RSVP Reservation Protocol 66 RVD MIT Remote Virtual Disk Protocol 64 SAT EXPAK SATNET and Backroom EXPAK 69 SAT MON SATNET Monitoring 96 SCC SP Semaphore Communications Security Protocol 105 SCPS n a 42 SDRP Source Demand Routing Protocol 82 SECURE VMTP n a 33 SEP Sequential Exchange Pr
35. Psec Services IPsec Protection To configure a router with IPsec you first configure the router interface as an IP interface Then you add the IPsec software to the IP interface creating a security gateway A security gateway is a router between a trusted network for example the enterprise intranet and an untrusted network the Internet that provides a security service such as IPsec The router interface is secured with inbound and outbound security policies that filter traffic to and from the router module The data packets themselves are protected by IPsec protocol processing specified by security associations SAs Figure 1 1 shows how IPsec can protect data communications within an enterprise and from external hosts Corporate headquarters Server 1 El J Router A IPsec es ees services P a IP security rd gateway 4 2 N Security Security associations associations SAs A B Public SAs C A network 1 I Partner s Branch office EL J v KEL J ERouter BB IP security IP security Router C gateway gateway Host nce 2 Host IPsec eee di IPsec services Security associations services SAs B C IPO088A Figure 1 1 IPsec Environment Unique Security
36. Psec interface by using a policy template A policy template is a policy definition that you create You can use a policy template on any IPsec interface Each template contains a complete policy specification criteria range and action for the interface This means that each policy itself is completely specified by the template You can modify an individual policy to fit the needs of a specific interface independent of the template specifications Specifying Criteria The criteria determine the portion of a packet header IP source address IP destination address protocol number that is examined by IPsec For each criterion you must specify a range of values The range represents the actual criteria values that is the IP addresses that are compared to the address of a packet 304111 B Rev 00 Configuring IPsec Specifying an Action The action specification in a policy controls how a packet that matches the specified criteria and criteria range is processed You decide how you want packets to be processed and apply a policy to implement your decision With IPsec a packet can be processed in one of three ways e The packet can be dropped e The packet can be transmitted or received without alteration e The packet can be protected outbound only In this case an SA is linked to the policy In addition to processing a packet or in the absence of a processing action packet receipt or transmission can be recorded in a
37. Rev 00 A 9 Appendix B Definitions of k Commands This appendix contains definitions of the k commands that you use to work in the Technician Interface secure shell Command System Response kexit Exits the secure shell kpassword Changes the password of the secure shell kseed Initializes the cryptographic random number generator while in the secure shell ksession Initiates a secure shell session kset lt subcommand gt Sets parameter values in the secure shell flags Example kset npk value sets the router node protection key Also sets protected IPsec MIB objects keys The kset command encrypts the value specified using the NPK and writes the encrypted value to the MIB Example kset ipsec wflpsecEspSaEntry wflpsecEspSaManualCipherKey 100 1 1 1 100 1 1 2 256 0x1234567890abcdef ktranslate old NPK Translates a configuration from an old node protection key NPK value to the current NPK value Example ktranslate old NPK 304111 B Rev 00 B 1 Appendix C Configuration Examples This appendix provides configuration examples for both automated and manual security associations Configuration of outbound and inbound policies is similar for both automated and manual SAs Details for configuring the Protect and Unprotect SAs are needed only if you are using the manual process Inbound and Outbound Policies All unicast traffic must be defined by a security policy Traffic traveling from a secu
38. SEE WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST BAY NETWORKS UNLESS BAY NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT iv 304111 B Rev 00 Contents Preface nin pede iei nsus I NN eee er NE EE T xiii NH npe IURI smati S D TET xiv PACU diaesk testis bu penso paid pre sa inate patat Gra da daa D uc br Ha a p RU a p REA XV Bay Networks Technical PUDIGAHOMS 1 ueauiccenuiece suis inconnu omo tota boca hona teo eta cuoco xvii Fonto Ger HEI Meme e xvii Chapter 1 Overview of IPsec PE ce aaa 1 2 Psoe GOTICO saia 1 2 Sec EMA ENTE TOES 1 2 luco Mee 1 3 FTIIT gi ez UTE 0 S SD SEEMS 1 3 Adomonal Peec SSCS e ie RRE 1 3 w o rrian iiiaae a Ea E E 1 3 las d UIT EATA LT OE T 1 4 IPsec Tunnel Mode seein saaTi an ents REN PF AGa sul Teepe oi x E ITO TITIUS 1 5 espe dU sitos Eos Mn te ner US ERR DSL LC NUN alt Teme nee meres NEA QUEEN UE 1 7 Gecul POlCIES Ree Ciia 1 8 x ceu MT TAN 1 8 Inbound Policies E e bete T TU re te 1 9 Sel ol gull ie Meee eee T 1 9 POMC y Criteria SS CHICANO T TT 1 10 exclu HT 1 11 Automated Security Associations Using Internet Key Exchange IKE 1 11 Mantal Security ASSOCIANO sunita cudues
39. anding any other license agreement that may pertain to or accompany the delivery of this computer software the rights of the United States Government regarding its use reproduction and disclosure are as set forth in the Commercial Computer Software Restricted Rights clause at FAR 52 227 19 Statement of Conditions In the interest of improving internal design operational function and or reliability Bay Networks Inc reserves the right to make changes to the products described in this document without notice Bay Networks Inc does not assume any liability that may occur due to the use or application of the product s or circuit layout s described herein Portions of the code in this software product may be Copyright 1988 Regents of the University of California All rights reserved Redistribution and use in source and binary forms of such portions are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation advertising materials and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California Berkeley The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT
40. ata Encryption Standard DES algorithm or the Triple DES 3DES algorithm for encryption ESP uses Hashing Message Authentication Code Message Digest 5 HMAC MD5 or HMAC SHA transform identifiers for authentication ESP uses the cipher block chaining CBC mode of the DES encryption algorithm CBC is considered the most secure mode of DES A 56 bit or 40 bit number known as a key controls encryption and decryption Key management is automated through IKE or can be controlled manually Both sides of an SA must use the same encryption service Normally you should use the stronger 56 bit DES key for greater security or triple DES if appropriate However if you are communicating with a security gateway that is limited to a 40 bit DES key due to cryptography export restrictions you must use the 40 bit key When ESP protection is used in tunnel mode an outer IP header specifies the IPsec processing destination and an inner IP header specifies the actual target destination for the packet The security protocol header appears after the outer IP header and before the inner one Only the tunneled packet is protected not the outer header Authentication Header The AH protocol provides data integrity data origin authentication and optional anti replay services It provides encryption services to the header only not to the entire IP packet The AH protocol uses HMAC MD5 and HMAC SHAI transform identifiers The AH protocol is
41. c to use and copy the associated user manual solely in support of authorized use of the Software by Licensee This license applies to the Software only and does not extend to Bay Networks Agent software or other Bay Networks software products Bay Networks Agent software or other Bay Networks software products are licensed for use under the terms of the applicable Bay Networks Inc Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software 2 Restrictions on use reservation of rights The Software and user manuals are protected under copyright laws Bay Networks and or its licensors retain all title and ownership in both the Software and user manuals including any revisions made by Bay Networks or its licensors The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals Licensee may not modify translate decompile disassemble use for any competitive analysis reverse engineer distribute or create derivative works from the Software or user manuals or any copy in whole or in part Except as expressly provided in this Agreement Licensee may not copy or transfer the Software or user manuals in whole or in part The Software and user manuals embody Bay Networks and its licensors confidential and proprietary intellectual property Licensee shall not sublicense assign or otherwise disclose to any third party the
42. cal Solutions Center for assistance Save the modified image that includes IPsec to a new file and exit the Image Builder Copy this new image to the router and reboot Installing Triple DES Encryption To use Triple DES 3DES encryption with IPsec you must purchase the 3DES IPsec Option CD and install the capi exe file from it The version of capi exe on this optional CD includes both 56 bit DES encryption and the stronger 3DES encryption 304111 B Rev 00 2 3 Configuring IPsec Services Securing Your Site To enforce IPsec carefully restrict unauthorized access to the routers that encrypt data and the workstations that you use to configure IPsec Keep in mind that the encryption standards that IPsec uses are public Your data is secure only if you properly protect the encryption and authentication keys The configuration files that contain these keys include safeguards to prevent unauthorized access Securing Your Configuration Store any files containing encryption keys on diskettes or other removable media and keep the media in a secure place Physically protecting your equipment is always a good strategy and the easiest way to prevent unauthorized access to these files Always configure your node protection keys NPKs locally not over a network When you connect a PC or a workstation to a router console port to configure encryption use a machine that is not connected to any other equipment Be sure to also protect t
43. carnndss aaae aa pida dc b da DERE Fd 1 12 Security Associations for Bidirectional Traffio ceci eere csittanenenin 1 12 304111 B Rev 00 v How IKE Negotiates Security Associations sssssssssesess 1218 Security Parameter Index SPI ibid TO leteentudd ee re selene aie TS Summarizing Security Policies and GAG irais 1 14 oec PEOIOEGIS usus cn nu poeti ka Eon Tomer Serene Trent re x COS GUB EURO GU UR nt tr 1 15 Encapsulaling Securty Payload ice despite pee op NOU pP Rae rd rau E ppl de UE eines 1 15 Putli ndcallbn Header 5 ossaspurii re toca ard AA 1 16 internet Key Exchange IKE Protool iiia desinam seed emu akku cruise xxr iae 1 17 x cMari ciue cri M 1 17 Network Requirements for Bay Networks Routers cccssccceeeeseeeeeeeseeeeeeeeneeeeees 1 18 Supported Routers e eem T T T tes mi Supported WAN erre eme 1 18 Chapter 2 Getting Started With IPsec Upgrading Routa SONATE Meet T 2 2 Vocal me IP See Sonwa criin ia N Na 2 2 Completing the Installation Process Bana T TRU Tm 2 3 cum ercd8eBziciqe lem 2 3 BOUE OUr ONE Seda d sidan sues REO a ec A aeos Fb EO rs amp ROB RERO Me pad Ud 2 4 Securing Your Configuration eiti RPTE Pere eee T TET T anoni 2 4 Segui t WT TUUS 2 4 Random Number Generator RNG scssat sss cien oir pocckut cep tine aoia 2 5 Creating a Node Proteetisi Key NPG Luuccccccaseecaccsute cadousdseieasdenn
44. chnician Interface For detailed information see Configuring Data Encryption Services Entering an Initial NPK and a Seed for Encryption Before you can enable IPsec on a router you must enter an initial NPK and create a seed for use by IPsec You enter the NPK into a router locally using the console port and the secure shell section of the Technician Interface A password protects access to the secure shell IPsec uses the NPK to encrypt and decrypt the cipher and integrity keys and it uses the seed specified with the kseed command to generate random numbers needed by IPsec and IKE You cannot access the NPK or the password using the MIB or the routine Technician Interface debug commands nor can you invoke the secure shell in a Telnet session Caution Never use a terminal server to enter the NPK Instead use a laptop computer that you can attach directly to the router Protect the file containing NPKs on the laptop 2 6 304111 B Rev 00 Getting Started With IPsec To enter an initial NPK and a seed for encryption 1 If necessary create a password for the Technician Interface secure shell by entering kpassword lt password gt lt password gt is an alphanumeric string of up to 16 characters At the Technician Interface prompt enter the secure shell by issuing the following command ksession If you issue the ksession command before setting a password you will be prompted to do so Use the kpasswor
45. corporate contacts In the United States and Canada you can dial 800 2LANWAN for assistance 304111 B Rev 00 xvii Chapter 1 Overview of IPsec This chapter describes the emerging Internet Engineering Task Force standards for security services over public networks commonly referred to as IP Security or IPsec The chapter also includes information specific to the Bay Networks implementation of IPsec and requirements for that implementation This chapter includes the following information Topic Page About IPsec 1 2 IPsec Services 1 2 How IPsec Works 1 3 Elements of IPsec 1 5 Security Gateways 1 7 Security Policies 1 8 Security Associations 1 1 Summarizing Security Policies and SAs 1 14 Security Protocols 1 1 Internet Key Exchange IKE Protocol 1 17 Network Requirements for Bay Networks Routers 1 18 304111 B Rev 00 1 1 Configuring IPsec Services About IPsec IP Security IPsec is the Internet Engineering Task Force IETF set of emerging standards for security services for communications over public networks The standards are documented in the IETF Requests for Comments RFCs 2401 through 2412 Additional RFCs may be relevant as well These standards were developed to ensure secure private communications for the remote access extranet and intranet virtual private networks VPNs used in enterprise communications They are the security architecture for the ne
46. ctory for your router platform for example BN 3 Copy the files bn exe and capi exe to the platform directory 4 From Site Manager start the Image Builder choose Tools Image Builder 5 Open the image in the router platform directory for example bn exe Note that Available Components is empty and that Current Components lists the executables 6 Click on Details Under 4003x Baseline Router Software select capi exe 7 Click on Remove The file capi exe is now listed under Available Components 8 Choose File Save to save the image 9 Exit the Image Builder 2 2 304111 B Rev 00 Getting Started With IPsec Completing the Installation Process To complete the installation process 1 Open the Image Builder directory e Ona PC the default directory is wf builder dir vel lt release_number gt e Ona UNIX platform the default directory is builder rel release number Remove the file capi exe from the Image Builder directory This file is a 1 byte stub file Copy the new capi exe file from the router platform directory for example BN to the Image Builder directory Restart the Image Builder and open the image from which you removed capi exe Click on Details in the Available Components box Select capi exe and click on Add Check the size of the capi exe file If itis less than 1 KB you have not loaded the IPsec software Repeat this procedure or call the Bay Networks Techni
47. d SA creation for greater security and decreased configuration management overhead About Automated SA Creation IKE creates automated SAs based on the proposals you configure for an IPsec policy in Site Manager Each proposal specifies an encryption and or authentication transform for the automated SA You do not need to specify keys for automated SAs because IKE creates them dynamically You can configure up to four proposals for a policy in order of preference IKE will negotiate an automated SA based on the first proposal that matches one configured on the remote security gateway About Manual SA Creation To protect encrypt or authenticate data packets leaving the local IPsec interface create a Protect SA and link it to a Protect outbound policy To decrypt or authenticate incoming packets at the local IPsec interface create an Unprotect SA The Unprotect SA does not need to be linked to a policy Then do the same for the IPsec interface on the remote router The cipher and integrity algorithms and keys that you specify in SAs must be identical on both ends of a connection You must select either the cipher or the integrity service or both within the Protect and Unprotect SA parameters For example the cipher key in a Protect SA on the local IP interface must match the cipher key in the Unprotect SA on the remote router IP interface Note Manual SAs must be configured to encrypt authenticate or both Site Manager does not
48. d command in step 1 The prompt changes to SSHELL Begin generating the encryption seed by entering kseed The secure shell prompts you for a random seed value Type a random set of keystrokes The secure shell informs you when you have typed the required number of keystrokes Enter the following command kset npk 0x lt NPK_value gt lt NPK_value gt is the 16 digit hexadecimal NPK value that you assigned to the router that you are configuring For more information see Generating NPKs on page 2 5 The kset npk command stores your NPK value in the router NVRAM and calculates a hash of this value that it stores in the router MIB Save the configuration by entering save config lt config_file_name gt config file name is the name you want to assign to the configuration file You cannot exit the secure shell without saving the configuration This is necessary so that upon rebooting the router with the saved configuration file the hash of the NPK in the MIB corresponds with the NPK in NVRAM Exit the secure shell by entering kexit 304111 B Rev 00 2 7 Configuring IPsec Services Changing an NPK To maintain security periodically change the NPK on each router To change an NPK enter the kset NPK command using the steps you used to create the initial NPK see Entering an Initial NPK and a Seed for Encryption on page 2 6 The new NPK overwrites the original and IPsec uses the new NPK value
49. e Unprotect SA List for Interface window become active 3 Set the following parameters SA Source IP Address SA Destination IP Address e Security Parameter Index Cipher Algorithm Cipher Key Length Cipher Key Integrity Algorithm Integrity Key Position the cursor in a field and click on Values to display a menu of valid options if applicable Click on Help or see the parameter descriptions beginning on page A 4 for more information 4 Click on OK You return to the Unprotect SA List for Interface window 5 Repeat steps 2 to 4 if necessary to create additional Unprotect SAs Click on Done when finished You return to the IPsec Configuration for Interface window 3 12 304111 B Rev 00 Disabling IPsec Configuring IPsec To disable IPsec on all router interfaces configured for it complete the following tasks Site Manager Path You do this System responds 1 In the Configuration Manager window choose Protocols The Protocols menu opens 2 Choose IP The IP menu opens 3 Choose IP Security The IP Security menu opens 4 Choose Globals The Edit IP Security Global Parameters window opens 5 Set the IP Security Enable parameter to Disable Click on Help or see the parameter description on page A 2 for more information 6 Click on Done You return to the Configuration Manager window Note Disabling IPsec on a router or ind
50. estination Key Address Address Algorithm Length Key Algorithm Key IP address IP address 270 DES 40 Hex value HMAC MD5 Hex value IP address IP address 260 DES 56 Hex value MD5 Hex value Security Protocols IPsec uses two protocols to provide traffic security e Encapsulating Security Payload ESP e Authentication Header AH You can use either protocol or both to protect data packets on a VPN Generally only one protocol is necessary The Bay Networks IPsec implementation uses ESP only Bay Networks does not implement the AH protocol because the same functions are available from ESP Encapsulating Security Payload The ESP protocol provides confidentiality encryption services It can also provide data integrity data origin authentication and an anti replay service e Data integrity ensures that the data has not been altered e Data origin authentication validates the sending and receiving parties e Anti replay service ensures that the receiver only receives and processes each packet once One or more of these security services must be applied whenever ESP is invoked ESP applies the following algorithms and transform identifiers to deliver its services 304111 B Rev 00 Configuring IPsec Services e Data Encryption Standard DES 56 bit e 40 bit DES manual keying only e Triple DES 3DES 3DES IPsec Option only e HMAC Message Digest 5 MD5 e HMAC SHA1 ESP uses the D
51. go Key M bypass drop log IPsec gateway Inbound policies criteria amp action bypass drop log Security policy Outbound policies database criteria amp action protect v WAN interface Untrusted l Li Li L LI I l I L i L 1 L l L network L 1 L l l Li Li l L L Outbound process SS Figure 1 2 eee IP00087A IPsec Concepts Security Gateways Security Policies and SAs 1 6 304111 B Rev 00 Overview of IPsec Security Gateways A security gateway establishes SAs between router interfaces configured with IPsec software A Bay Networks router becomes a security gateway when you enable Psec on a WAN interface In this way a Bay Networks router operating as a security gateway provides IPsec services to its internal hosts and subnetworks Hosts or networks on the external side of a security gateway typically the overall Internet are considered untrusted Hosts or subnetworks on the internal side of a security gateway nodes on your local intranet are considered trusted because they are controlled and securely managed by the same network administration Figure 1 3 Trusted Outbound policy Outbound policy Trusted k network iia N IPsec interface A al MS N E E Local
52. grity algorithm None None Integrity key None None 304111 B Rev 00 Configuration Examples The final two tables show the settings for the Protect Unprotect SA pairs between RTR1 and RTR4 refer to Figure C 4 RTR1 Protect SA RTR4 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 192 32 1 5 192 32 1 5 address Security parameter 256 256 index SPI Cipher key length None None Cipher key None None Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x090a0bbbOcOdOe0f11011 0x090a0bbb0cOd0e0f1 101 1 02030405060708 02030405060708 RTR1 Unprotect SA RTR4 Protect SA IP source address 119 68 12 1 119 68 12 1 IP destination 192 832 1 5 192 32 1 5 address Security parameter 258 258 index SPI Cipher key length None None Cipher key None None Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x090a0bbbOcOdOe0f11011 0x090a0bbb0cOd0e0f1 101 1 02030405060708 02030405060708 304111 B Rev 00 Appendix D Protocol Numbers IPsec policies may include a protocol criterion that references the 1 byte protocol number field in an IP packet header To assist you in creating policies this appendix lists the values that apply to each protocol To obtain the most recent list of the numeric values assigned to various protocols see the Internet Assigned Numbers Authority LANA Web site at http www iana org
53. gth DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 bOcOd0e0f1 1 0x010123040506070890a0 bOcOd0e0f1 1 RTR1 Unprotect SA RTR2 Protect SA IP source address 189 132 10 1 189 132 10 1 IP destination 119 68 12 1 119 68 12 1 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity key 0x010123040506070890a0 bOcOd0e0f1 1 0x010123040506070890a0 bOcOd0e0f1 1 304111 B Rev 00 Configuring IPsec Services The next two tables show the settings for the Protect Unprotect SA pairs between RTR1 and RTR3 refer to Figure C 4 RTR1 Protect SA RTR3 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 129 43 12 19 129 43 12 19 address Security parameter 256 256 index SPI Cipher key length DES56 DES56 Cipher key OxFADE0504030201 00 OxFADEO050403020100 Integrity algorithm None None Integrity key None None RTR1 Unprotect SA RTR3 Protect SA IP source address 129 43 12 19 129 43 12 19 IP destination 119 68 12 1 119 68 12 1 address Security parameter 257 257 index SPI Cipher key length DES56 DES56 Cipher key OxFADE050403020100 OxFADEO050403020100 Inte
54. he description inside the brackets Do not type the brackets when entering the command Example If the command syntax is ping ip address you enter ping 192 32 10 12 Indicates command names and options and text that you need to enter Example Enter show ip alerts routes Example Use the dinfo command Indicate required elements in syntax descriptions where there is more than one option You must choose only one of the options Do not type the braces when entering the command Example If the command syntax is show ip alerts routes you must enter either show ip alerts or show ip routes but not both Indicate optional elements in syntax descriptions Do not type the brackets when entering the command Example If the command syntax is show ip interfaces alerts you can enter either show ip interfaces or show ip interfaces alerts Indicates file and directory names new terms book titles and variables in command syntax descriptions Where a variable is two or more words the words are connected by an underscore Example If the command syntax is show at valid route valid routeis one variable and you substitute one value for it xiv 304111 B Rev 00 Acronyms screen text separator gt vertical line Preface Indicates system output for example prompts and system messages Example Set Bay Networks Trap Monitor Filters Shows menu paths Example Protocol
55. he routers on which the NPKs reside Encryption Keys IPsec uses a hierarchy of keys to protect and transmit data e Node protection key NPK encrypts the manual cipher and integrity keys for storage on the router or transfer from Site Manager Cipher key encrypts data that travels across the network in the IKE or ESP payload IKE cipher and integrity keys are not stored on the router Integrity key calculates the integrity check value ICV which is used at the data packet destination to detect any unauthorized modification of the ESP or IKE data e Pre shared authentication key authenticates the IKE SA used to protect the negotiation and rekeying of IPsec SAs Caution The NPK is the most critical key in the hierarchy If the NPK is compromised all encrypted data on the router can be compromised 2 4 304111 B Rev 00 Getting Started With IPsec Random Number Generator RNG The router software uses the secure random number generator RNG to generate initialization vectors IVs that are used in the ESP DES encryption transformation These values are statistically random As its source the RNG uses a seed that you supply from the Technician Interface secure shell See Entering an Initial NPK and a Seed for Encryption on page 2 6 Creating a Node Protection Key NPK The NPK encrypts manually configured IPsec ESP cipher and integrity keys or IKE pre shared authentication keys for manage
56. iaesenedsaneecagatersonedaantatte 2 5 PARRA NPS duas in n pola oO pL ae b ra ene aupra o RS 2 5 Entering an Initial NPK and a Seed for Encryption oe RH theta seis eai 2 6 Chandiq Am m 2 8 OA TAP Oe PEE EDO DE NEUE 2 8 Chapter 3 Configuring IPsec retin Pee 2 1 Hl d dem c 3 1 Creating Policies TT oeat T T Mentis MT TE aaret E e POH NAGS CMON er a a A E 3 2 rele rs IW an ACUO orainn RE SETS 3 3 Policy Considerations A vonina utes T TUE pneu iene Greatly an Ouibound POE uiridi eros pecp d AS a D Fd ees 3 4 vi 304111 B Rev 00 Greating an Inbound PONG 3 oorr rt bn REP erica ap n a etl a ood c c o d SD Creating Securty ASSOCANONE MNT 3 8 About Automated SA CEGSUON emisiis ee 3 8 About Manual SA Creation siga terni ai sd e e RE ERO RE ER desu F 3 8 Creating a Protect SA Automatically Using IKE TT meee Mm ds Creating an Unprotect SA Automatically Using IKE seeessss 3 10 Greating a Protect SA MOUSE asinos eDxed ro darn PoDOR dU erc caderas dar as us 3 11 Creating an Unprotect SA Manually aoai T ere T TR ET mele Brod pRll ctetur e rs cubis A 3 13 Appendix A Site Manager Parameters Node Protection Key Parameter ccsciscsccacaissctseranss iatecenniaccnemuiscomemnmetsoacamsicatmmatacesemiees A 1 Eri nines WP See POIAIGIDER cuiuieienssui Steps Fide xasck li eu Dept xu dud ER D xe ERNEA A 2 IPsec Policy Parameters rae T t RA E siete atm
57. identifier Automated Security Associations Using Internet Key Exchange IKE Internet Key Exchange IKE is an automated protocol to establish security associations over the Internet IKE is also referred to as the Internet Security Association Key Management Protocol with Oakley Key Determination or ISAKMP Oakley IKE handles negotiating establishing modifying and deleting security associations To set up these security associations IKE itself must create a confidential secure connection between the sender and receiver Authentication is accomplished with one or more of the following e Pre shared keys These are set up ahead of time at each node in a transaction e Public key cryptography Using the RSA public key algorithm each member of a transaction authenticates itself to the other using the other member s public key to encrypt an authentication value Digital signature Each member of a transaction sends a digital signature to the other The signatures are authenticated using the member s public key obtained via an X 509 digital certificate The BayRS implementation of IKE uses pre shared keys only 304111 B Rev 00 1 11 Configuring IPsec Services Manual Security Associations Manually configuring security associations is a more cumbersome and labor intensive process than using IKE If possible IKE should be used to make large scale secure communications practical Manually configured SAs often rely on
58. ividual interface also disables IKE automatically To disable IPsec on an individual interface do the following Site Manager Path You do this System responds 1 In the Configuration Manager window click on an existing IPsec interface The Circuit Definition screen opens In the Circuit Definition screen choose Edit IP from the Protocols menu and select IP Security gt Enable Ipsec The Enable IP Security screen opens Click in the IP Security Enable field continued 304111 B Rev 00 3 13 Configuring IPsec Services Site Manager Path continued You do this System responds 4 Click on Values and select Disable from the dialog box 5 Click on OK to close the dialog The dialog box closes 6 Click on Done You return to the Configuration Manager window 3 14 304111 B Rev 00 Appendix A Site Manager Parameters This appendix describes the Site Manager parameters for e Creating a node protection key NPK e Enabling IPsec e Configuring IPsec policies e Manually configuring IPsec security associations e Using IKE to create security associations Node Protection Key Parameter Parameter Path Default Options Function Instructions MIB Object ID Node Protection Key Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Protocols gt IP g
59. length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm None None Integrity key None None RTR1 Unprotect SA RTR2 Protect SA IP source address 189 132 10 1 189 132 10 1 IP destination 119 68 12 1 119 68 12 1 address Security parameter 257 257 index SPI Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm None None Integrity key None None 304111 B Rev 00 Configuring IPsec Services SA Example 3 Configuring Multiple Protect Unprotect SA Pairs In this example multiple Protect Unprotect SA pairs are configured between RTR1 and RTR2 RTR3 and RTR4 e The SA pair between RTR1 and RTR2 uses DES56 and HMAC MDS e The SA pair between RTR1 and RTR3 uses only HMAC MDS e The SA pair between RTR1 and RTR4 uses only DES56 As you review the tables in this example refer to Figure C 4 189 132 10 1 S52 RTR2 129 43 12 19 31 119 68 12 1 192 32 1 5 Figure C 4 Multiple Protect Unprotect SA Pairs C 12 304111 B Rev 00 Configuration Examples The following two tables show the settings for the Protect Unprotect SA pairs between RTR1 and RTR2 refer to Figure C 4 RTR1 Protect SA RTR2 Unprotect SA IP source address 119 68 12 1 119 68 12 1 IP destination 189 132 10 1 189 132 10 1 address Security parameter 257 257 index SPI Cipher key len
60. log The corresponding policy actions are e Drop e Bypass e Protect outbound only Log a message will be written to the router log The drop bypass and protect actions are mutually exclusive You can specify a logging action for any of these or in their absence Note that if an incoming packet that does not match any configured policy arrives at an IPsec interface it is dropped by default Policy Considerations When you configure a WAN interface with IPsec all inbound and outbound traffic on that interface is processed by IPsec including traffic being forwarded For unicast traffic containing routing or control information consider configuring policies that allow such traffic to bypass IPsec For example to allow ICMP traffic such as ping or destination unreachable messages to bypass IPsec processing configure the first policy for the interface with the protocol criterion set to number 1 ICMP and the action specification set to bypass If a data packet matches the criteria for more than one policy the first matching policy is used 304111 B Rev 00 3 3 Configuring IPsec Services Creating an Outbound Policy To create an outbound policy template and policy complete the following tasks Site Manager Procedure You do this System responds 1 Inthe IPsec Configuration for Interface window click on Outbound Policies The IPsec Outbound Policies window opens 2 Click on Template
61. ment information base MIB storage Note that it does not encrypt decrypt or authenticate data The NPK is stored in the router nonvolatile random access memory NVRAM Its fingerprint which is a 128 bit version of the NPK generated by a hash algorithm is stored in the MIB For encryption to occur the NPK and its fingerprint in the MIB must match Create and configure a different NPK for each secure router on your network The NPK should be different on every router because if an NPK is compromised the security gateway for the router is compromised If the same NPK is used for all secure routers the entire network could be compromised Caution Be very careful to protect all files where NPKs are stored You should store your NPKs on removable media for example diskettes and keep the media in a secure location Generating NPKs You create NPKs using the Technician Interface secure shell You must then enter the same NPKSs into the Site Manager NPK parameter for that router 304111 B Rev 00 2 5 Configuring IPsec Services To generate an NPK use a method available at your site to create random 16 digit hexadecimal numbers Note You can use the NPK Key Manager to generate NPKs The NPK Key Manager is available from the WEP Key Manager To access it open the main window in Site Manager and choose Tools gt WEP Key Manager gt NPK Manager During IPsec processing you can manually enter the same NPKs in the Te
62. mputer Protocol Heart Beat 74 WSN Wang Span Network 75 PVP Packet Video Protocol 76 BR SAT MON Backroom SATNET Monitoring 77 SUN ND SUN ND Protocol Temporary 78 WB MON WIDEBAND Monitoring 79 WB EXPAK WIDEBAND EXPAK 80 ISO IP ISO Internet Protocol 81 VMTP n a 82 SECURE VMTP n a 83 VINES n a 84 TTP n a 85 NSFNET IGP n a 86 DGP Dissimilar Gateway Protocol 87 TCF n a 88 EIGRP n a 89 OSPFIGP n a 90 Sprite RPC Sprite RPC Protocol 91 LARP Locus Address Resolution Protocol 92 MTP Multicast Transport Protocol 93 AX 25 AX 25 Frames 94 IPIP IP within IP Encapsulation Protocol 95 MICP Mobile Internetworking Control Protocol 96 SCC SP Semaphore Communications Security Protocol 97 ETHERIP Ethernet within IP Encapsulation 98 ENCAP Encapsulation Header 99 Any private encryption scheme 100 GMTP n a continued 304111 B Rev 00 D 9 Configuring IPsec Services Table D 2 Internet Protocol Numbers Sorted by Number continued Number Protocol Acronym Protocol Name Expanded 101 IFMP Ipsilon Flow Management Protocol 102 PNNI PNNI over IP 103 PIM Protocol Independent Multicast 104 ARIS n a 105 SCPS n a 106 QNX n a 107 A N Active Networks 108 IPPCP IP Payload Compression Protocol 109 SNP Sitara Networks Protocol 110 Compaq Peer Compaq Peer Protocol 111 IPX in IP IPX in IP 112 VRRP Virtual Router Redundancy Protocol 113 PGM PGM Reliable Transport Protocol 114 Any 0 hop protocol 11
63. ntinued Number Protocol Acronym Protocol Name Expanded 14 EMCON n a 98 ENCAP Encapsulation Header 50 ESP Encapsulating Security Payload 97 ETHERIP Ethernet within IP Encapsulation 3 GGP Gateway to Gateway Protocol 100 GMTP n a 47 GRE General Routing Encapsulation 20 HMP Host Monitoring Protocol 0 HOPOPT IPv6 Hop by Hop Option 52 I NLSP Integrated Net Layer Security Protocol 117 IATP Interactive Agent Transfer Protocol 1 ICMP Internet Control Message Protocol 35 IDPR Inter Domain Policy Routing 38 IDPR CMTP IDPR Control Message Transport Protocol 45 IDRP Inter Domain Routing Protocol 101 IFMP Ipsilon Flow Management Protocol 2 IGMP Internet Group Management Protocol 9 IGP Any private interior gateway 40 IL IL Transport Protocol 4 IP IP in IP encapsulation 71 IPCV Internet Packet Core Utility 94 IPIP IP within IP Encapsulation Protocol 67 IPPC Internet Pluribus Packet Core 108 IPPCP IP Payload Compression Protocol 41 IPv6 Internet Protocol version 6 44 IPv6 Frag Fragment Header for IPv6 58 IPv6 ICMP ICMP for IPv6 59 IPv6 NoNxt No Next Header for IPv6 60 IPv6 Opts Destination Options for IPv6 continued 304111 B Rev 00 Configuring IPsec Services Table D 1 Internet Protocol Numbers Sorted by Acronym continued Number Protocol Acronym Protocol Name Expanded 43 IPv6 Route Routing Header for IPv6 111 IPX in
64. ocol uses the HMAC MD5 RFC 2403 or HMAC SHA 1 RFC 2404 transform You set integrity with the integrity algorithm and integrity key parameters The integrity algorithm and integrity key must be identical on both ends of an IPsec SA Authentication Authentication ensures that data has been transmitted by the identified source Additional IPsec Services Within the IPsec framework additional security services are provided An access control service ensures authorized use of the network and an auditing service tracks all actions and events IPsec services can be configured on an interface by interface basis Up to 127 inbound and 127 outbound security policies customized are supported on each IPsec interface How IPsec Works IPsec services are bundled as an Internet Protocol IP encryption packet The packets resemble ordinary IP packets to Internet routing nodes only the sending and receiving devices are involved in the encryption IPsec packets are delivered over the Internet like ordinary IP packets to branch offices corporate partners or other remote organizations in a secure encrypted and private manner Several well established technologies provide encryption and authentication at the application layer IPsec adds security at the underlying network layer providing a higher degree of security for all applications including those without any security features of their own 304111 B Rev 00 1 3 Configuring I
65. ode protection key NPK and seed kseed and then enter the same NPK in Site Manager This chapter contains the following information Topic Page Upgrading Router Software 2 2 Installing the IPsec Software 2 2 Securing Your Site 2 4 Securing Your Configuration 2 4 Creating a Node Protection Key NPK 2 5 Entering an Initial NPK and a Seed for Encryption 2 8 304111 B Rev 00 2 1 Configuring IPsec Services Upgrading Router Software To install the IPsec software you must be running BayRS Version 13 20 and Site Manager Software Version 7 20 If you are upgrading your router software copy the router image from the upgrade CD to a directory on your hard drive To modify an existing image first use the Router Files Manager to transfer the image to a directory on your hard drive For instructions on upgrading router software see Upgrading Routers to Version 13 xx For information about the Image Builder the Router Files Manager and booting routers see Configuring and Managing Routers with Site Manager Installing the IPsec Software Before you can enable and use IPsec services you must create an IPsec capable router image You create this image during the installation process The installation instructions that appear on the IPsec software CD are included in this section To install the IPsec software 1 Insert the IPsec software CD into the CD ROM drive 2 Open or create a dire
66. other governmental approvals Without limiting the foregoing Licensee on behalf of itself and its subsidiaries and affiliates agrees that it will not without first obtaining all export licenses and approvals required by the U S Government i export re export transfer or divert any such Software or technical data or any direct product thereof to any country to which such exports or re exports are restricted or embargoed under United States export control laws and regulations or to any national or resident of such restricted or embargoed countries or ii provide the Software or related technical data or information to any military end user or for any military end use including the design development or production of any chemical nuclear or biological weapons 9 General If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction the remainder of the provisions of this Agreement shall remain in full force and effect This Agreement will be governed by the laws of the state of California Should you have any questions concerning this Agreement contact Bay Networks Inc 4401 Great America Parkway PO Box 58185 Santa Clara California 95054 8185 LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT UNDERSTANDS IT AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND LICEN
67. otocol 57 SKIP n a 109 SNP Sitara Networks Protocol 90 Sprite RPC Sprite RPC Protocol 119 SRP SpectraLink Radio Protocol 5 ST Stream 118 ST Schedule Transfer 77 SUN ND SUN ND Protocol Temporary 53 SWIPE IP with Encryption 87 TCF n a 6 TCP Transmission Control Protocol 56 TLSP Transport Layer Security Protocol using Kryptonet key management 39 TP TP Transport Protocol 23 TRUNK 1 Trunk 1 24 TRUNK 2 Trunk 2 84 TTP n a 17 UDP User Datagram Protocol 83 VINES n a 70 VISA VISA Protocol 81 VMTP n a continued 304111 B Rev 00 D 5 Configuring IPsec Services Table D 1 Internet Protocol Numbers Sorted by Acronym continued Number Protocol Acronym Protocol Name Expanded 112 VRRP Virtual Router Redundancy Protocol 79 WB EXPAK WIDEBAND EXPAK 78 WB MON WIDEBAND Monitoring 74 WSN Wang Span Network 15 XNET Cross Net Debugger 22 XNS IDP XEROX NS IDP 36 XTP n a Assigned Internet Protocol Numbers by Number Table D 2 lists the Internet Protocol numbers in order Table D 2 Internet Protocol Numbers Sorted by Number Number Protocol Acronym Protocol Name Expanded 0 HOPOPT IPv6 Hop by Hop Option 1 ICMP Internet Control Message Protocol 2 IGMP Internet Group Management Protocol 3 GGP Gateway to Gateway Protocol 4 IP IP in IP encapsulation 5 ST Stream 6 TCP Transmission Control Protocol 7 CBT n a 8 EGP Exterior
68. ou select None this level of security will not be applied to data packets processed according to this SA that is IP security cannot determine whether a data packet was changed between the source and destination 1 3 6 1 4 1 18 3 5 3 26 5 1 9 304111 B Rev 00 A 7 Configuring IPsec Services Parameter Path Default Options Function Instructions MIB Object ID Integrity Key Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Outbound Policies gt Add Policy gt OK gt Manual SA None Any valid 16 byte value Specifies the key for an SA integrity algorithm This key value must match on both sides of an SA to enable the integrity algorithm to determine whether a data packet was changed between the source and destination To establish the integrity level of IP security enter a 32 digit hexadecimal value Enter the prefix 0x before the 32 digits 1 3 6 1 4 1 18 3 5 3 26 5 1 10 A 8 304111 B Rev 00 Site Manager Parameters Automated Security Association IKE Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Pa
69. pe proposal that IKE will use when negotiating SA keys with the SA destination node 7 Type a proposal name choose one or You return to the Edit IPsec Proposal more encryption methods for the proposal window Repeat steps 6 and 7 to create choose an Expiry type change the Expiry additional proposals if needed value if desired and click on Done 8 Inthe Edit IPsec Proposal window choose You return to the IPsec Outbound Policies the SA destination you created from the window pull down menu choose one to four proposals in order of priority from the Proposals pull down menus and click on OK 9 Click on Done You return to the IPsec Configuration for Interface window 304111 B Rev 00 3 9 Configuring IPsec Services Creating an Unprotect SA Automatically Using IKE To use IKE to create automated Unprotect SAs complete the following tasks Site Manager Procedure You do this System responds 1 In the IPsec Configuration for Interface The IPsec Inbound Policies window window click on Inbound Policies appears 2 Click on Add Policy The Create Inbound Policy window appears 3 Type a name for the policy choose a template and click OK 4 Click on Done You return to the IPsec Configuration for Interface window 3 10 304111 B Rev 00 Creating a Protect SA Manually Configuring IPsec To manually create a Protect SA complete the following tasks Site
70. pped IPsec discards any outbound clear text data packet unless you explicitly configure a policy to bypass or protect it Policy Templates Every IPsec policy is based on a policy template A policy template is a predefined policy definition that you can use on any IP interface The template specifies one or more criteria and an action to apply to incoming or outgoing data packets A policy template and every policy based on it must include at least one criterion for example an IP source address and one action For example an outbound policy might specify a protect action A policy template or policy may include two actions if one of the actions is logging The criterion specification determines whether a data packet matches a particular security policy and the action specifies how the policy is applied to the packet The action specifications that you can include in inbound and outbound policies are listed in the two sections that follow 304111 B Rev 00 Overview of IPsec Inbound Policies An inbound policy determines how a security gateway processes data packets received from an untrusted network Every packet arriving at a security gateway is compared with the criteria to determine whether it matches an IPsec policy for that router If the incoming packet matches a bypass policy the router accepts the packet and if the policy is so configured logs it If the packet does not match any policy or matches a drop policy the
71. reating an IKE SA for Protect SA and Unprotect SA negotiation Each IKE peer sends IPsec SA parameter negotiation information in a secure IKE packet The peers generate keys based on the agreed parameters and then verify each other s identity Once this is done the IPsec SA is established The IKE protocol itself is secured through an IKE SA created using the Diffie Hellman algorithm Oakley to determine the key and the authentication methods described in Automated Security Associations Using Internet Key Exchange IKE on page 1 11 The Bay Networks implementation uses a pre shared key Security Parameter Index SPI A security parameter index SPI is an arbitrary but unique 32 bit 4 byte value that when combined with the IP destination address and the numeric value of the security protocol used ESP uniquely identifies the SA for a data packet IPsec discards any incoming ESP packet if the SPI does not match any SA in the inbound security associations database SAD 304111 B Rev 00 Configuring IPsec Services Summarizing Security Policies and SAs Table 1 1 and Table 1 2 provide a framework for understanding IPsec policies and SAs They provide examples of how policies and SAs might be implemented but are not meant to be comprehensive In Table 1 1 each row defines the policy specification for the policy named in the first column For example the blue policy specifies two criteria IP source add
72. ress and IP destination address and the drop action This might be used to discard all traffic from an undesirable site The yellow and green policies specify a Protect SA action The yellow policy covers traffic in just one protocol TCP to a particular subnet while the green policy covers all traffic to particular addresses The black policy specifies the Protocol criterion only and the bypass action In this case the ICMP protocol typically used for PING functions is passed through the security gateway without IPsec encryption You may define SA parameters automatically or manually for a policy immediately after you specify the policy using them Table 1 2 Table 1 1 Security Policy Specifications IP Source IP Destination Policy Name Protocol Address Address Action Blue any IP address IP address Drop Yellow 6 TCP IP subnet IP subnet Protect SA Green any Range of Range of Protect SA IP addresses IP addresses Black 1 ICMP Any IP address Bypass 304111 B Rev 00 Overview of IPsec In Table 1 2 the IP source and destination addresses for the SA are the tunnel end points for the IPsec tunnel through which the traffic passes Intermediate routers are unaware that the traffic is encrypted and pass it along just like any other packets Table 1 2 Manual Security Association SA Configurations Security Association SPI Cipher Integrity Source D
73. ress range 192 28 41 0 192 28 41 255 IP destination address range 192 131 141 0 192 131 141 255 Source 2 2 2 1 Destination 2 2 2 2 SPI 256 Example 4 Required Outbound Policies on RTR3 to Protect Data Between RTR2 Subnet 192 28 41 0 and RTR3 Subnet 192 131 141 0 Interface S11 Outbound Protect IP source address range 192 131 141 0 192 131 141 255 IP destination address range 192 28 41 0 192 28 41 255 Source 2 2 2 2 Destination 2 2 2 1 SPI 256 Example 5 Required Outbound Policies on RTR1 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR3 Subnet 192 131 141 0 Interface S21 Outbound Protect IP source address range 192 32 5 0 192 32 5 255 IP destination address range 192 131 141 0 192 131 141 255 Source 1 1 1 1 Destination 2 2 2 2 SPI 257 304111 B Rev 00 C 7 Configuring IPsec Services RTR2 Interface S21 Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP Example 6 Required Policies on RTR2 to Allow ESP Traffic to Pass Through and OSPF to Exchange Routing Updates Between RTR1 and RTR2 RTR2 Interface S21 Security Policy Security Policy Outbound Inbound Action Bypass Bypass Criteria Protocol 89 OSPFIGP Protocol 89 OSPFIGP Outbound Inbound Action Bypass Bypass Criteria Protocol 50 ESP Protocol 50 ESP RTR2 Interface S31
74. rity gateway is defined by an outbound policy traffic traveling to a secure gateway is defined by an inbound policy Inbound protected traffic that is associated with an Unprotect SA configured on the interface does not require a policy 304111 B Rev 00 C 1 Configuring IPsec Services Automated SA IKE Policy Examples As you review the security policy examples in this section refer to Figure C 1 189 132 10 1 S52 RTR2 ss 129 43 12 19 S31 119 68 12 1 192 32 1 5 S33 192 32 5 0 Figure C 1 IPsec Automated Outbound Policies for RTR1 RTR2 and RTR3 192 32 10 0 192 32 20 0 192 32 30 0 e The SA pair between RTR1 and RTR2 use both 3DES and HMAC MDS and a default SA expiry time of 8 hours e The SA pair between RTR1 and RTR3 use only DES and a default SA expiry time of 8 hours e The SA pair between RTR1 and RTR4 use only SHAI and an SA expiry time of 24 hours C 2 304111 B Rev 00 Configuration Examples Example 1 Required Policies Proposals and SA Destinations on RTR1 and RTR2 to Protect Data Between RTR1 Subnet 192 32 5 0 and RTR2 Subnet 192 32 10 0 RTR 1 Policy Action Criteria SA Destination Pre Shared Key Proposal RTR 2 Policy Action Criteria SA Destination Pre Shared Key Proposal Interface S31 Outbound Protect IP source address range IP destination address range 189 132 10 1 Oxabba1234daba1234 3DES MD5 Interface S52
75. router rejects the packet When a packet does not match any policy Psec s default action is to drop it For an inbound security policy the action may be e Drop e Bypass Log Drop and bypass are mutually exclusive The log action may be added to either or used alone Outbound Policies An outbound policy determines how a security gateway processes data packets for transmission across an untrusted network You must assign an outbound policy for all unicast traffic leaving an IPsec interface For an outbound policy the action specification may be e Protect e Drop e Bypass Log Any outbound policy with a protect action specification is mapped to a Protect SA See Summarizing Security Policies and SAs on page 1 14 for detailed information about Protect and Unprotect SAs Drop protect and bypass are mutually exclusive The log action may be added to any of the three or used alone 304111 B Rev 00 1 9 Configuring IPsec Services Policy Criteria Specification IPsec software inspects IP packet headers based on the specified criteria to determine whether a policy applies to a data packet You must include at least one of the following criteria and you may specify all three criteria in an IPsec policy e P source address P destination address e Protocol To specify the protocol criterion you must provide the numeric value assigned to the protocol for use over the Internet You can specify only a
76. s gt IP identifies the IP option on the Protocols menu Separates choices for command keywords and arguments Enter only one of the choices Do not type the vertical line when entering the command Example If the command syntax is show ip alerts routes you enter either show ip alerts or show ip routes but not both This guide uses the following acronyms 3DES AH CBC DES ESP HMAC IANA ICMP ICV IETF IKE IP IPsec Triple DES authentication header cipher block chaining Data Encryption Standard Encapsulating Security Payload Hashing Message Authentication Code Internet Assigned Numbers Authority Internet Control Message Protocol integrity check value Internet Engineering Task Force Internet Key Exchange protocol Internet Protocol Internet Protocol Security 304111 B Rev 00 XV Configuring IPsec Services ISAKMP Oakley IV MD5 MIB NPK NVRAM PPP RNG RSA SA SAD SHA SPD SPI VPN WAN Internet Security Association and Key Management Protocol also known as IKE initialization vector Message Digest 5 management information base node protection key nonvolatile random access memory Point to Point Protocol random number generator RSA Data Security Inc s public key encryption algorithm security association security associations database Secure Hash Algorithm security policy database security parameter index virtual private network wide area network xvi 30411
77. s AS Manual Security Association Parameters esses eene tnn A 4 Automated Security Association IKE Parameters sse A 9 Appendix B Definitions of k Commands Appendix C Configuration Examples inbound and Oubound Rly el oi cient ascia ccs Du a eo Le en ete meee a enr NER C 1 Automated SA IKE Policy Examples entr edunt merenti C 2 Manual SA Policy Examples E EHE S T teas TS ROUEN C 5 Manual Protect and Unprotect SA Configuration c cccceeeeseeeeeceeeeeneeeseeeeeesaeeenenees C 9 Appendix D Protocol Numbers Assigned Internet Protocol Number by Name ccccscceeceeeseececeeeseneeeeeeeeeeeeeeeeneneees D 2 Assigned Internet Protocol Numbers by Number seen D 6 Index 304111 B Rev 00 vii Figures Figure 1 1 IPsec Environment Unique Security Associations SAs Between Routers sss TU Marcius PE QN Epic did bos up ES 1 4 Figure 1 2 IPsec Concepts Security Gateways Security Policies and SAs 1 6 Figure 1 3 IPsec Security Gateways and Security Policies sssss 1 7 Figure 1 4 Security Associations for Bidirectional Traffic sssesssssse 1 12 Figure C 1 IPsec Automated Outbound Policies for RTR1 RTR2 and RTRS C 2 Figure C 2 IPsec Manual Outbound Policies for RTR1 RTR2 and RTR3 C 5 Figure C 3 Single Protect Unprotect SA Pair
78. single protocol value for each policy The protocol number is represented in the 1 byte protocol field in an IP packet header Refer to Appendix D for a list of protocol numbers To obtain the most recent list of the numeric values assigned to various protocols see the Internet Assigned Numbers Authority LANA Web site at http www iana org The direct path to the list of legal values that you can specify for an IPsec policy protocol criterion as of this printing is http www isi edu in notes iana assignments protocol numbers 1 10 304111 B Rev 00 Overview of IPsec Security Associations A security association SA is a relationship in which two peers share the necessary information to securely protect and unprotect data An IPsec SA is uniquely identified by an IP destination address security parameter index SPI and security protocol identifier for example ESP in tunnel mode An IPsec policy determines which packets will be handled An IPsec SA specifies which IPsec security service for example confidentiality IPsec will apply to the packets You can apply one or more IPsec security services SAs themselves must be created and shared in a secure manner There are two ways of achieving this by using the automated security negotiation process provided by the Internet Key Exchange IKE protocol or by manually configuring the sending and receiving devices with a shared secret A shared secret is a unique security
79. sses and protocol criteria Policy Template 6 Use the Action menu to add the action that you want applied to traffic with the criteria that you just defined 7 Click on OK You return to the IPsec Policy Template Management window 8 Click on Done You return to the IPsec Inbound Policies window continued 3 6 304111 B Rev 00 Configuring IPsec Site Manager Procedure continued Policy You do this 9 Click on Add Policy System responds The Create Inbound Policy window opens 10 Enter the policy name in the Policy Name field Click on Help or see the parameter description on page A 3 11 Select a template on which to base this policy 12 Click on OK You return to the IPsec Inbound Policies window If the policy includes a protect action the Choose SA Type dialog box opens 13 Click on Done You return to the IPsec Configuration for Interface window 304111 B Rev 00 3 7 Configuring IPsec Services Creating Security Associations Security associations enable you to provide bidirectional protection for data packets traveling between two routers Each SA establishes security for data passing in a single direction A pair of SAs are created either automatically or manually for any IPsec policy configured on a security gateway Each SA includes security information such as algorithm and keys You should use automate
80. t IKE None An 8 byte value Used as a cryptographic key for protecting sensitive MIB objects The NPK value is stored in nonvolatile random access memory NVRAM The IPsec software performs a hash of the NPK value which it places in a special MIB attribute The NPK value stored in NVRAM is unique to the router It is used to encrypt the cipher and integrity keys before they are stored in the router MIB Enter a 16 digit hexadecimal value Enter the prefix Ox before the digits None 304111 B Rev 00 A 1 Configuring IPsec Services Enabling IPsec Parameters Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID IP Security Enable Configuration Manager gt Protocols gt IP gt IP Security gt Globals global setting Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IP Security gt Enable IPsec individual IPsec interface setting Enable Enable Disable Enables or disables IPsec on a router If this parameter is set to Disable you cannot implement IPsec To implement IP security on a router set this parameter to Enable 1 3 6 1 4 1 18 3 5 3 26 1 2 global 1 3 6 1 4 1 18 3 5 3 2 1 24 1 59 individual IPsec interface Maximum SPI Configuration Manager gt Protocols gt IP gt IP Security gt Globals 384 256 through 65535 Specifies the maximum acceptable security
81. th Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Pre Shared Key Configuration Manager gt Protocols gt IP gt IKE Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE None Any 8 byte value Used as a cryptographic key for creating IKE SAs between routers IKE is then used to create automated SAs for data packets Enter a 16 digit hexadecimal number Enter the prefix Ox before the digits Configure the same pre shared key on the destination router 1 3 6 1 4 1 18 3 5 27 1 1 9 Expiry Value Minutes Configuration Manager gt Protocols gt IP gt IKE Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE 480 Any integer Specifies when an SA key will expire Enter a value that is appropriate for your site 1 3 6 1 4 1 18 3 5 27 1 1 10 SA Destination Configuration Manager gt Add Circuit gt WAN Protocols gt PPP Frame Relay gt Select Protocols gt IKE gt IPsec Configuration for Interface gt Outbound Policies Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt IKE gt Add None Any valid IP address Specifies the IP address of the destination interface for this automated SA Enter the IP address of the remote IPsec interface that will negotiate automated SAs using the specified pre shared key 1 3 6 1 4 1 18 3 5 27 1 1 3 304111 B
82. the cipher algorithm for this SA To implement the cipher or confidential encrypted level of security select the Data Encryption Standard DES algorithm If you select None this level of security will not be applied to data packets processed according to this SA that is the data packets will not be encrypted 1 3 6 1 4 1 18 3 5 3 26 5 1 6 304111 B Rev 00 A 5 Configuring IPsec Services Parameter Path Default Options Function Instructions MIB Object ID Parameter Path Default Options Function Instructions MIB Object ID Cipher Key Length Configuration Manager gt Protocols gt IP gt IP Security gt Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Protect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Unprotect SAs gt Add Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Outbound Policies gt Add Policy gt OK gt Manual SA DES56 DES40 DES56 Identifies the cipher key length strength for this SA Select a cipher key length of either 40 or 56 bits The longer key length strength provides greater security 1 3 6 1 4 1 18 3 5 3 26 5 1 8 Cipher Key Configuration Manager Protocols IP IP Security Manual Security Associations SAs Configuration Manager gt Edit Circuit gt Protocols gt Edit IP gt Manual Protect
83. use 1 5 publications Bay Networks xvii 304111 B Rev 00 R random number generator RNG 2 5 random number generating 2 6 Router Files Manager 2 2 router log NPK confirmation 2 8 routers supported 1 18 S security configuration 2 4 site considerations 2 4 security association automated 3 8 creating 3 8 definition 1 11 examples 1 14 IKE use 3 9 3 10 manual 3 8 manual creation 3 11 3 12 protect 1 9 3 8 Site Manager parameters A 4 unprotect 3 8 security associations database SAD IPsec usage 1 13 security gateway creating 1 4 1 7 encryption strength 1 16 security parameter index SPD 1 11 1 13 A 2 security policy action 1 9 3 3 C 5 creating 3 2 criteria 1 8 1 10 3 2 examples 1 14 C 5 inbound 1 3 1 8 1 9 number 1 8 outbound 1 3 1 8 1 9 3 4 3 6 A 3 Site Manager parameters A 3 unicast traffic 3 3 security policy database SPD 1 8 seed for encryption generating 2 7 SHAI 1 3 1 16 shared secret description 1 11 304111 B Rev 00 Site Manager enabling IPsec 3 1 parameter descriptions A 1 version requirements 1 18 site security 2 4 support Bay Networks xvii System 5000 support 1 18 T technical publications xvii technical support xvii Technician Interface 2 5 2 7 text conventions xiv Triple DES 1 16 trusted hosts defined 1 7 tunnel mode 1 5 U unicast configuring policies for 3 3 policy considerations C 1 untrusted hosts
84. xt generation of IP called IPv6 but are available for the current IPv4 Internet as well The Bay Networks implementation of the IETF standards provides network layer 3 security services for wide area network WAN communications on Bay Networks routers IPsec Services IPsec services consist of confidentiality integrity and authentication services for data packets traveling between security gateways e Confidentiality ensures the privacy of communications e The integrity service detects modification of data packets e Authentication services verify the origin of every data packet Confidentiality Confidentiality is accomplished by encrypting and decrypting data packets The Encapsulating Security Payload ESP protocol uses the Data Encryption Standard DES algorithm in cipher block chaining CBC mode to encrypt and decrypt data packets You set confidentiality with the cipher algorithm and cipher key parameters The cipher algorithm and cipher key are specified in security associations SAs A security association is a relationship in which two peers share the necessary information to securely protect and unprotect data The algorithm and key must be identical on both ends of an IPsec SA 304111 B Rev 00 Overview of IPsec Integrity Integrity determines whether the data has been altered during transit The ESP protocol ensures that data has not been modified as it passes between the security gateways The ESP prot
85. y This provision applies to all Software acquired for use within the European Community If Licensee uses the Software within a country in the European Community the Software Directive enacted by the Council of European Communities Directive dated 14 May 1991 will apply to the examination of the Software to facilitate interoperability Licensee agrees to notify Bay Networks of any such intended examination of the Software and may procure support and assistance from Bay Networks 7 Term and termination This license is effective until terminated however all of the restrictions with respect to Bay Networks copyright in the Software and user manuals will cease being effective at the date of expiration of the Bay Networks copyright those restrictions relating to use and disclosure of Bay Networks confidential information shall continue in effect Licensee may terminate this license at any time The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license Upon termination for any reason Licensee will immediately destroy or return to Bay Networks the Software user manuals and all copies Bay Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license 8 Export and Re export Licensee agrees not to export directly or indirectly the Software or related technical data or information without first obtaining any required export licenses or
Download Pdf Manuals
Related Search