Avaya Configuring IPsec Services User Manual Page 1

BayRS Version 15.1
Part No. 308630-15.1 Rev 00
October 2001
600 Technology Park Drive
Billerica, MA 01821-4130
Configuring IPsec Services

Summary of contents

Page 1 - Configuring IPsec Services

BayRS Version 15.1 Part No. 308630-15.1 Rev 00 October 2001 600 Technology Park Drive Billerica, MA 01821-4130 Configuring IPsec Services

Page 3

Configuring IPsec Services D-2 308630-15.1 Rev 00 Web Browser Configuration of the Contivity VPN Switch: Unlike products that use BayRS software, you confi

Page 4

Contivity VPN Switch Interoperability 308630-15.1 Rev 00 D-3 Configuration Considerations: When you configure a Contivity switch to interoperate with BayR

Page 5 - Contents

Configuring IPsec Services D-4 308630-15.1 Rev 00 Performance: The BayRS implementation of IPsec is slower than the Contivity implementation. Consider perf

Page 6

Contivity VPN Switch Interoperability 308630-15.1 Rev 00 D-5 BayRS Features Not Supported by the Contivity VPN Switch: Contivity does not support the foll

Page 7 - 308630-15.1 Rev 00 vii

Configuring IPsec Services D-6 308630-15.1 Rev 00 Troubleshooting BayRS-Contivity IPsec Interoperability: Use the following troubleshooting tools to diagno

Page 8

Contivity VPN Switch Interoperability 308630-15.1 Rev 00 D-7 Symptoms You May See: If traffic does not appear to traverse the IPsec tunnel, first check fo

Page 9 - 308630-15.1 Rev 00 ix

Configuring IPsec Services D-8 308630-15.1 Rev 00 • IPsec SAs are deleted on the local side. This message is probably due to normal operation after IPsec

Page 10

308630-15.1 Rev 00 E-1 Appendix E Protocol Numbers: IPsec policies may include a protocol criterion that references the 1-byte protocol number field in an

Page 11 - 308630-15.1 Rev 00 xi

Configuring IPsec Services E-2 308630-15.1 Rev 00 Assigned Internet Protocol Numbers by Name: Table E-1 lists the Internet Protocol numbers alphabetically

Page 12

Protocol Numbers 308630-15.1 Rev 00 E-3 8 EGP Exterior Gateway Protocol; 88 EIGRP N/A; 14 EMCON N/A; 98 ENCAP Encapsulation Header; 50 ESP Encapsulating Securit

Page 13 - Before You Begin

308630-15.1 Rev 00 xi Tables Table 1-1. Security Policy Specifications ... 1-14 Table 1-2. M

Page 14 - Text Conventions

Configuring IPsec Services E-4 308630-15.1 Rev 00 41 IPv6 Internet Protocol version 6; 44 IPv6-Frag Fragment Header for IPv6; 58 IPv6-ICMP ICMP for IPv6; 59 IP

Page 15 - Acronyms

Protocol Numbers 308630-15.1 Rev 00 E-5 103 PIM Protocol Independent Multicast; 131 PIPE Private IP Encapsulation within IP; 102 PNNI PNNI over IP; 21 PRM Pac

Page 16 - Hard-Copy Technical Manuals

Configuring IPsec Services E-6 308630-15.1 Rev 00 77 SUN-ND SUN ND Protocol-Temporary; 53 SWIPE IP with Encryption; 87 TCF N/A; 6 TCP Transmission Control Prot

Page 17 - How to Get Help

Protocol Numbers 308630-15.1 Rev 00 E-7 Assigned Internet Protocol Numbers by Number: Table E-2 lists the Internet Protocol numbers in order by protocol n

Page 18

Configuring IPsec Services E-8 308630-15.1 Rev 00 26 LEAF-2 Leaf-2; 27 RDP Reliable Data Protocol; 28 IRTP Internet Reliable Transaction Protocol; 29 ISO-TP4 I

Page 19 - Overview of IPsec

Protocol Numbers 308630-15.1 Rev 00 E-9 55 MOBILE IP Mobility; 56 TLSP Transport Layer Security Protocol using Kryptonet key management; 57 SKIP N/A; 58 IPv6-

Page 20 - About IPsec

Configuring IPsec Services E-10 308630-15.1 Rev 00 84 TTP N/A; 85 NSFNET-IGP N/A; 86 DGP Dissimilar Gateway Protocol; 87 TCF N/A; 88 EIGRP N/A; 89 OSPFIGP N/A; 90 Sp

Page 21 - Supported WAN Protocols

Protocol Numbers 308630-15.1 Rev 00 E-11 113 PGM PGM Reliable Transport Protocol; 114 Any 0-hop protocol; 115 L2TP Layer Two Tunneling Protocol; 116 DDX D-II

Page 23 - How IPsec Works

308630-15.1 Rev 00 Index-1 Numbers: 3DES, 1-16. A: Access Node (AN) support, 1-3; Access Stack Node (ASN) support, 1-3; acronyms, xv; Advanced Remote Node (ARN) sup

Page 25 - IPsec Elements

Index-2 308630-15.1 Rev 00 I: IKE: description, 1-11; enabling, 3-1; security associations, 3-7. Image Builder, 2-1; inbound security policies, 1-5, 1-9; initializati

Page 26 - Security Policies

308630-15.1 Rev 00 Index-3 S: security: configuration, 2-4; site considerations, 2-4. security association: automated, 3-7; creating, 3-7; description, 1-11; examples,

Page 28

308630-15.1 Rev 00 xiii Preface: This guide describes the Nortel Networks* implementation of IP Security (IPsec) and how to configure it on a Nortel Netw

Page 29 - Security Associations

Configuring IPsec Services xiv 308630-15.1 Rev 00 Text Conventions: This guide uses the following text conventions: angle brackets (< >) Indicate that

Page 30

Preface 308630-15.1 Rev 00 xv Acronyms: This guide uses the following acronyms: screen text Indicates system output, for example, prompts and system messag

Page 31

Configuring IPsec Services xvi 308630-15.1 Rev 00 Hard-Copy Technical Manuals: You can print selected technical manuals and release notes free, directly fr

Page 32

Preface 308630-15.1 Rev 00 xvii How to Get Help: If you purchased a service contract for your Nortel Networks product from a distributor or authorized res

Page 34

308630-15.1 Rev 00 1-1 Chapter 1 Overview of IPsec: This chapter describes the emerging Internet Engineering Task Force (IETF) standards for security serv

Page 35 - Performance Considerations

ii 308630-15.1 Rev 00 Copyright © 2001 Nortel Networks All rights reserved. October 2001. The information in this document is subject to change without n

Page 36

Configuring IPsec Services 1-2 308630-15.1 Rev 00 About IPsec: IP Security is the IETF set of emerging standards for security services for communications o

Page 37 - Installing IPsec

Overview of IPsec 308630-15.1 Rev 00 1-3 Network Requirements for Nortel Networks Routers: To install the IPsec software, the router must be running, at a

Page 38 - Installing the IPsec Software

Configuring IPsec Services 1-4 308630-15.1 Rev 00 IPsec Services: IPsec services consist of confidentiality, integrity, and authentication services for dat

Page 39

Overview of IPsec 308630-15.1 Rev 00 1-5 Additional IPsec Services: Within the IPsec framework, additional security services are provided. An access contr

Page 40 - Securing Your Configuration

Configuring IPsec Services 1-6 308630-15.1 Rev 00 Figure 1-1 shows how IPsec can protect data communications within an enterprise and from external hosts

Page 41 - Creating and Using NPKs

Overview of IPsec 308630-15.1 Rev 00 1-7 IPsec Elements: IPsec has three important constructs: • Security gateways • Security policies • Security association

Page 42 - Caution:

Configuring IPsec Services 1-8 308630-15.1 Rev 00 Security Gateways: A security gateway establishes SAs between router interfaces configured with IPsec sof

Page 43 - Changing an NPK

Overview of IPsec 308630-15.1 Rev 00 1-9 The criteria (“selectors”) and action specifications used in your inbound and outbound policies are stored in t

Page 44 - Monitoring NPKs

Configuring IPsec Services 1-10 308630-15.1 Rev 00 For an inbound security policy, the action can be one or two of the following: • Drop • Bypass • Log The d

Page 45 - Starting IPsec

Overview of IPsec 308630-15.1 Rev 00 1-11 To specify the protocol criterion, you must provide the numeric value assigned to the protocol for use over th

Page 46 - Creating Policies

308630-15.1 Rev 00 iii Nortel Networks Inc. Software License Agreement: This Software License Agreement (“License Agreement”) is between you, the end-user

Page 47 - Policy Considerations

Configuring IPsec Services 1-12 308630-15.1 Rev 00 To set up these security associations, IKE itself must create a confidential, secure connection betwee

Page 48 - (continued)

Overview of IPsec 308630-15.1 Rev 00 1-13 Figure 1-4. Security Associations for Bidirectional Traffic. Under most circumstances, you configure the IKE pro

Page 49

Configuring IPsec Services 1-14 308630-15.1 Rev 00 Examples of Security Policies and Security Associations: Table 1-1 and Table 1-2 provide examples of how

Page 50

Overview of IPsec 308630-15.1 Rev 00 1-15 In Table 1-2, the IP source and destination addresses for the SA are the tunnel end points for the IPsec tunne

Page 51 - Automated SA Creation

Configuring IPsec Services 1-16 308630-15.1 Rev 00 ESP applies the following algorithms and transform identifiers to deliver its services: • DES (56-bit) •

Page 52

Overview of IPsec 308630-15.1 Rev 00 1-17 Internet Key Exchange Protocol: The IKE protocol negotiates and provides private and authenticated keying materi

Page 53 - About Manual SA Creation

Configuring IPsec Services 1-18 308630-15.1 Rev 00 You can optimize performance by using the information in this section to plan and manage CPU resources

Page 54

308630-15.1 Rev 00 2-1 Chapter 2 Installing IPsec: This chapter describes how to install and prepare to use IPsec. Before you configure IPsec, you must pe

Page 55

Configuring IPsec Services 2-2 308630-15.1 Rev 00 Installing the IPsec Software: Before you can enable and use IPsec services, you must create an IPsec-cap

Page 56

Installing IPsec 308630-15.1 Rev 00 2-3 7. Click on Remove. The file capi.exe or capi.ppc is now listed under Available Components. 8. Choose File > Save

Page 57 - Customizing IPsec

iv 308630-15.1 Rev 00 4. General a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software avail

Page 58 - Editing a Policy

Configuring IPsec Services 2-4 308630-15.1 Rev 00 Securing Your Site: To enforce IPsec, carefully restrict unauthorized access to the routers that encrypt

Page 59 - Adding a Policy

Installing IPsec 308630-15.1 Rev 00 2-5 Random Number Generator: The router software uses the secure random number generator (RNG) to generate initializat

Page 60

Configuring IPsec Services 2-6 308630-15.1 Rev 00 Entering an Initial NPK and a Seed for Encryption: Before you can enable IPsec on a router, you must ente

Page 61

Installing IPsec 308630-15.1 Rev 00 2-7 5. Type a random set of keystrokes. The secure shell informs you when you have typed the required number of keyst

Page 62 - Reordering Policies

Configuring IPsec Services 2-8 308630-15.1 Rev 00 5. Enter the following command: kset npk 0x<NPK_value> <NPK_value> is the new 16-digit hexadec

Page 63

308630-15.1 Rev 00 3-1 Chapter 3 Starting IPsec: This chapter provides instructions for configuring IPsec on an interface. Enabling IPsec and IKE: To enable

Page 64 - Modifying Automated SAs (IKE)

Configuring IPsec Services 3-2 308630-15.1 Rev 00 When you configure IPsec on an interface for the first time, configure the menu items displayed in the

Page 65 - Modifying Manual SAs

Starting IPsec 308630-15.1 Rev 00 3-3 Specifying an Action: The action specification in a policy controls how a packet that matches the specified criteria

Page 66

Configuring IPsec Services 3-4 308630-15.1 Rev 00 Creating an Outbound Policy Template and Policy: To create an outbound policy template and policy, comple

Page 67 - Disabling IPsec

Starting IPsec 308630-15.1 Rev 00 3-5 11. In the Policy Name field, type a name for the policy. For a description of this parameter, see page A-4. 12. Fro

Page 68

308630-15.1 Rev 00 v Contents Preface Before You Begin ...

Page 69 - Site Manager Parameters

Configuring IPsec Services 3-6 308630-15.1 Rev 00 Creating an Inbound Policy Template and Policy: The process for creating inbound policies is almost ident

Page 70 - Node Protection Key Parameter

Starting IPsec 308630-15.1 Rev 00 3-7 Creating Security Associations: Security associations enable you to provide bidirectional protection for data packet

Page 71 - IPsec Parameters

Configuring IPsec Services 3-8 308630-15.1 Rev 00 Creating an Outbound Protect Policy with Automated SAs (IKE): To use IKE to create automated SAs, complet

Page 72 - IPsec Policy Parameters

Starting IPsec 308630-15.1 Rev 00 3-9 About Manual SA Creation: To protect (encrypt or authenticate) data packets leaving the local IPsec interface, creat

Page 73

Configuring IPsec Services 3-10 308630-15.1 Rev 00 For examples of how to configure manual SAs, see “Manual Protect and Unprotect SA Configuration” on pa

Page 74

Starting IPsec 308630-15.1 Rev 00 3-11 Creating an Unprotect SA Manually: To create an Unprotect SA manually, complete the following tasks: Site Manager P

Page 76

308630-15.1 Rev 00 4-1 Chapter 4 Customizing IPsec: This chapter provides information about changing an existing IPsec configuration. For information abou

Page 77

Configuring IPsec Services 4-2 308630-15.1 Rev 00 Editing a Policy: To edit an existing IPsec policy on a router interface, complete the following tasks: Si

Page 78

Customizing IPsec 308630-15.1 Rev 00 4-3 Adding a Policy: The procedure to add an IPsec policy to an existing IPsec interface depends on the connector typ

Page 79

vi 308630-15.1 Rev 00 Security Associations ... 1-11 Automated

Page 80

Configuring IPsec Services 4-4 308630-15.1 Rev 00 WAN Interface with Frame Relay: To add an IPsec policy to a router interface configured with frame relay,

Page 81 - Definitions of k Commands

Customizing IPsec 308630-15.1 Rev 00 4-5 7. In the Policy Name field, type a name for the policy. Click on Help or see the parameter description on page

Page 82

Configuring IPsec Services 4-6 308630-15.1 Rev 00 Reordering Policies: The procedure to reorder IPsec policies on a router interface depends on the connect

Page 83 - Configuration Examples

Customizing IPsec 308630-15.1 Rev 00 4-7 WAN Interface with Frame Relay: To change the order in which existing IPsec policies are applied on a router inte

Page 84

Configuring IPsec Services 4-8 308630-15.1 Rev 00 Changing Existing Security Associations: To ensure the integrity of SAs, vital information such as IKE pr

Page 85 - 192.32.10.0

Customizing IPsec 308630-15.1 Rev 00 4-9 Modifying Manual SAs: The procedure to modify manual SAs on a router interface depends on the connector type and

Page 86 - 192.32.20.0

Configuring IPsec Services 4-10 308630-15.1 Rev 00 WAN Interface with Frame Relay: To change or add manual SAs on a router interface configured with frame

Page 87 - Manual SA Policy Examples

Customizing IPsec 308630-15.1 Rev 00 4-11 Disabling IPsec: To disable IPsec on all router interfaces configured for it, complete the following tasks: To d

Page 88

Configuring IPsec Services 4-12 308630-15.1 Rev 00 5. Click on Done. You return to the Circuit Definition window. 6. Choose File > Exit. You return to

Page 89

308630-15.1 Rev 00 A-1 Appendix A Site Manager Parameters: This appendix contains the Site Manager parameter descriptions for IPsec and IKE services. You

Page 90

308630-15.1 Rev 00 vii Creating an Outbound Policy Template and Policy ... 3-4 Creating an Inbound Policy

Page 91

Configuring IPsec Services A-2 308630-15.1 Rev 00 The Technician Interface allows you to modify parameters by issuing set and commit commands with the MI

Page 92 - RTR2

Site Manager Parameters 308630-15.1 Rev 00 A-3 IPsec Parameters. Parameter: IP Security Enable. Path: Configuration Manager > Protocols > IP > IP Sec

Page 93

Configuring IPsec Services A-4 308630-15.1 Rev 00 IPsec Policy Parameters. Parameter: Policy Enable. Path: Configuration Manager > Protocols > IP > I

Page 94

Site Manager Parameters 308630-15.1 Rev 00 A-5 Manual Security Association Parameters. Parameter: SA Source IP Address. Path: Configuration Manager > Edit

Page 95 - RTR4

Configuring IPsec Services A-6 308630-15.1 Rev 00 Parameter: Security Parameter Index. Path: Configuration Manager > Edit Circuit > Protocols > Edi

Page 96

Site Manager Parameters 308630-15.1 Rev 00 A-7 Parameter: Cipher Key Length. Path: Configuration Manager > Protocols > IP > IP Security > Manua

Page 97

Configuring IPsec Services A-8 308630-15.1 Rev 00 Parameter: Integrity Algorithm. Path: Configuration Manager > Protocols > IP > IP Security > M

Page 98

Site Manager Parameters 308630-15.1 Rev 00 A-9 Parameter: Integrity Key (16 Byte Hex). Path: Configuration Manager > Protocols > IP > IP Security

Page 99 - Appendix D

Configuring IPsec Services A-10 308630-15.1 Rev 00 Automated Security Association (IKE) Parameters. Parameter: SA Name. Path: Configuration Manager > Proto

Page 100 - IPsec Terminology

Site Manager Parameters 308630-15.1 Rev 00 A-11 Parameter: Pre-shared Key (hex). Path: Configuration Manager > Protocols > IP > IKE Configuration M

Page 101 - Configuration Considerations

viii 308630-15.1 Rev 00 Appendix B Definitions of k Commands Appendix C Configuration Examples Inbound and Outbound Policies ...

Page 102 - Feature Comparison Summary

Configuring IPsec Services A-12 308630-15.1 Rev 00 Parameter: Anti-Replay Window Size. Path: Configuration Manager > Add Circuit > WAN Protocols > P

Page 103 - 308630-15.1 Rev 00

308630-15.1 Rev 00 B-1 Appendix B Definitions of k Commands: This appendix contains definitions of the “k” commands that you use to work in the Technician

Page 105 - Symptoms You May See

308630-15.1 Rev 00 C-1 Appendix C Configuration Examples: This appendix provides configuration examples for both automated and manual security association

Page 106

Configuring IPsec Services C-2 308630-15.1 Rev 00 Automated SA (IKE) Policy Examples: As you review the security policy examples in this section, refer to

Page 107 - Appendix E

Configuration Examples 308630-15.1 Rev 00 C-3 Example 1: Required Policies, Proposals, and SA Destinations on RTR1 and RTR2 to Protect Data Between RTR1

Page 108

Configuring IPsec Services C-4 308630-15.1 Rev 00 Example 2: Required Policies, Proposals, and SA Destinations on RTR1 and RTR3 to Protect Data Between R

Page 109

Configuration Examples 308630-15.1 Rev 00 C-5 Example 3: Required Policies, Proposals, and SA Destinations on RTR1 and RTR4 to Protect Data Between RTR1

Page 110

Configuring IPsec Services C-6 308630-15.1 Rev 00 Figure C-2. IPsec Manual Outbound Policies. Example 1: Required Policies on RTR1 to Protect Data Between

Page 111

Configuration Examples 308630-15.1 Rev 00 C-7 Example 2: Required Policies on RTR2 to Protect Data Between RTR1 Subnet 192.32.5.0 and RTR2 Subnet 192.28

Page 112

308630-15.1 Rev 00 ix Figures Figure 1-1. IPsec Environment: Unique SAs Between Routers ... 1-6 Figure 1-2. IPsec Security

Page 113

Configuring IPsec Services C-8 308630-15.1 Rev 00 Example 4: Required Outbound Policies on RTR3 to Protect Data Between RTR2 Subnet 192.28.41.0 and RTR3 S

Page 114

Configuration Examples 308630-15.1 Rev 00 C-9 Example 6: Required Policies on RTR2 to Allow ESP Traffic to Pass Through and OSPF to Exchange Routing Upd

Page 115

Configuring IPsec Services C-10 308630-15.1 Rev 00 Manual Protect and Unprotect SA Configuration: SAs specify which IPsec services are applied to the data

Page 116

Configuration Examples 308630-15.1 Rev 00 C-11 SA Example 1: Configuring a Single Protect/Unprotect SA Pair. In this example, a single Protect/Unprotect S

Page 117

Configuring IPsec Services C-12 308630-15.1 Rev 00 SA Example 2: Configuring Two Protect/Unprotect SA Pairs. In this example, two Protect/Unprotect SA pair

Page 118

Configuration Examples 308630-15.1 Rev 00 C-13 SA Example 3: Configuring Multiple Protect/Unprotect SA Pairs. In this example, multiple Protect/Unprotect

Page 119

Configuring IPsec Services C-14 308630-15.1 Rev 00 The following two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR2 (r

Page 120

Configuration Examples 308630-15.1 Rev 00 C-15 The next two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR3 (refer to

Page 121

Configuring IPsec Services C-16 308630-15.1 Rev 00 The final two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR4 (refer

Page 122

308630-15.1 Rev 00 D-1 Appendix D Contivity VPN Switch Interoperability: The BayRS implementation of IPsec can interoperate with the IPsec implementation
