Avaya Configuring IPsec Services User Manual

Browse online or download the user manual for the Avaya Configuring IPsec Services software. Avaya Configuring IPsec Services User's Manual, user guide.

BayRS Version 14.00
Part No. 308630-14.00 Rev 00
September 1999
4401 Great America Parkway
Santa Clara, CA 95054
Configuring IPsec Services

Summary of contents

Page 1 - Configuring IPsec Services

BayRS Version 14.00. Part No. 308630-14.00 Rev 00. September 1999. 4401 Great America Parkway, Santa Clara, CA 95054. Configuring IPsec Services

Page 2 - Statement of Conditions

x: Appendix B Definitions of k Commands; Appendix C Configuration Examples; Inbound and Outbound Policies ...

Page 3

C-16: Contivity Extranet Switch Interoperability. BayRS software IPsec functions interoperate with the IPsec

Page 4

C-17 (Configuration Examples): Terminology. Contivity uses different terminology than BayRS for some IPsec features. The table below comp

Page 5

C-18: Configuration Specifics. Configuring a Contivity switch to interoperate with BayRS IPsec requires that

Page 6

C-19 (Configuration Examples): Feature Comparison Summary. This section lists the current support status of additional IPsec interoperabi

Page 7 - Contents

C-20: Contivity Features Not Supported by BayRS. BayRS does not support the following Contivity features: • Ce

Page 8

C-21 (Configuration Examples): • Packet capture: Run packet capture on the interface on which IPsec is configured (or on other interfac

Page 9 - 308630-14.00 Rev 00 ix

C-22: • Encryption or network addressing does not have matching values with the remote IPsec gateway config

Page 10

C-23 (Configuration Examples): • IPsec SAs are deleted on the local side. This message is likely due to normal operation after IPsec SA

Page 12

D-1: Appendix D, Protocol Numbers. IPsec policies may include a protocol criterion that references the 1-byte protocol number field in an

Page 13 - 308630-14.00 Rev 00 xiii

xi: Figures. Figure 1-1. IPsec Environment: Unique Security Associations (SAs) Between Routers ...

Page 14

D-2: Assigned Internet Protocol Numbers by Name. Table D-1 lists the Internet protocol numbers alphabetically

Page 15 - Before You Begin

D-3 (Protocol Numbers): 14 EMCON n/a; 98 ENCAP Encapsulation Header; 50 ESP Encapsulating Security Payload; 97 ETHERIP Ethernet-within-IP Enc

Page 16 - Text Conventions

D-4: 43 IPv6-Route Routing Header for IPv6; 111 IPX-in-IP IPX in IP; 28 IRTP Internet Reliable Transaction Prot

Page 17 - Acronyms

D-5 (Protocol Numbers): 27 RDP Reliable Data Protocol; 46 RSVP Reservation Protocol; 66 RVD MIT Remote Virtual Disk Protocol; 64 SAT-EXPAK SA

Page 18

D-6: Assigned Internet Protocol Numbers by Number. Table D-2 lists the Internet Protocol numbers in order. 112

Page 19 - How to Get Help

D-7 (Protocol Numbers): 14 EMCON n/a; 15 XNET Cross Net Debugger; 16 CHAOS Chaos; 17 UDP User Datagram Protocol; 18 MUX Multiplexing; 19 DCN-MEAS

Page 20

D-8: 43 IPv6-Route Routing Header for IPv6; 44 IPv6-Frag Fragment Header for IPv6; 45 IDRP Inter-Domain Routing

Page 21 - Overview of IPsec

D-9 (Protocol Numbers): 72 CPNX Computer Protocol Network Executive; 73 CPHB Computer Protocol Heart Beat; 74 WSN Wang Span Network; 75 PVP P

Page 22 - Note Regarding IPsec and NAT

D-10: 101 IFMP Ipsilon Flow Management Protocol; 102 PNNI PNNI over IP; 103 PIM Protocol Independent Multicast; 1

Page 23 - Supported WAN Protocols

Index-1: Numbers: 3DES, 1-16. A: Access Node (AN) support, 1-3; Access Stack Node (ASN) support, 1-3; acronyms, xv; Advanced Remote Node (ARN) su

Page 25 - How IPsec Works

Index-2: I: IKE: description, 1-12; enabling, 3-1; security associations, 3-8. Image Builder, 2-2; inbound security policies, 1-5, 1-9; initializat

Page 26 - IPsec Tunnel Mode

Index-3: R: random number generator (RNG), 2-5; random number, generating, 2-6; Router Files Manager, 2-2; router log, NPK confirmation, 2-8; r

Page 28 - Security Policies

xiii: Tables. Table 1-1. Security Policy Specifications ... 1-14; Table 1-2

Page 30

xv: Preface. This guide describes the Nortel Networks™ implementation of IP Security and how to configure it on a Nortel Networks rou

Page 31 - Security Associations

xvi: Text Conventions. This guide uses the following text conventions: angle brackets (< >) Indicate th

Page 32

xvii (Preface): Acronyms. This guide uses the following acronyms: screen text Indicates system output, for example, prompts and system me

Page 33

xviii: ISAKMP/Oakley Internet Security Association and Key Management Protocol (also known as IKE); IV initi

Page 34

xix (Preface): Hard-Copy Technical Manuals. You can print selected technical manuals and release notes free, directly from the Internet.

Page 35 - Security Protocols

ii: Copyright © 1999 Nortel Networks. All rights reserved. Printed in the USA. September 1999. The information in this document is subj

Page 37 - Perfect Forward Secrecy

1-1: Chapter 1, Overview of IPsec. This chapter describes the emerging Internet Engineering Task Force standards for security services o

Page 38

1-2: About IPsec. IP Security (IPsec) is the Internet Engineering Task Force (IETF) set of emerging standards

Page 39 - Installing IPsec

1-3 (Overview of IPsec): Network Requirements for Nortel Networks Routers. To install the IP Security (IPsec) software, the router must b

Page 40 - Installing the IPsec Software

1-4: IPsec Services. IPsec services consist of confidentiality, integrity, and authentication services for da

Page 41 - 308630-14.00 Rev 00

1-5 (Overview of IPsec): Additional IPsec Services. Within the IPsec framework, additional security services are provided. An access cont

Page 42 - Securing Your Configuration

1-6: Figure 1-1 shows how IPsec can protect data communications within an enterprise and from external host

Page 43 - Generating NPKs

1-7 (Overview of IPsec): IPsec Elements. IPsec has three important constructs: • Security gateways • Security policies • Security associatio

Page 44 - Caution:

1-8: Security Gateways. A security gateway establishes SAs between router interfaces configured with IPsec so

Page 45

1-9 (Overview of IPsec): There are two types of IPsec policies: inbound and outbound. An inbound policy is used for data packets arrivi

Page 46 - Monitoring NPKs

iii: THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO

Page 47 - Starting IPsec

1-10: If the packet does not match any policy or matches a drop policy, the router rejects the packet. When

Page 48 - Creating Policies

1-11 (Overview of IPsec): • IP destination address • Protocol. To specify the protocol criterion, you must provide the numeric value assig

Page 49 - Policy Considerations

1-12: Automated Security Associations Using Internet Key Exchange (IKE). Internet Key Exchange (IKE) is an au

Page 50 - Creating an Outbound Policy

1-13 (Overview of IPsec): Figure 1-4. Security Associations for Bidirectional Traffic. Under most circumstances, you will configure the I

Page 51

1-14: Summarizing Security Policies and SAs. Table 1-1 and Table 1-2 provide a framework for understanding IP

Page 52 - Creating an Inbound Policy

1-15 (Overview of IPsec): In Table 1-2, the IP source and destination addresses for the SA are the tunnel end points for the IPsec tunn

Page 53

1-16: One or more of these security services must be applied whenever ESP is invoked. ESP applies the follo

Page 54 - About Automated SA Creation

1-17 (Overview of IPsec): Internet Key Exchange (IKE) Protocol. The Internet Key Exchange (IKE) protocol negotiates and provides private

Page 56 - About Manual SA Creation

2-1: Chapter 2, Installing IPsec. This chapter describes how to install and prepare to use IPsec. Before you configure IPsec, you need t

Page 57

iv: IF NORTEL NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF NORTEL NETWORKS RELAT

Page 58

2-2: Upgrading Router Software. To install the IPsec software, you must be running BayRS Version 13.20 and Si

Page 59 - Customizing IPsec

2-3 (Installing IPsec): Completing the Installation Process. To complete the installation process: 1. Open the Image Builder directory: • On

Page 60 - Editing a Policy

2-4: Securing Your Site. To enforce IPsec, carefully restrict unauthorized access to the routers that encrypt

Page 61 - Adding a Policy

2-5 (Installing IPsec): Random Number Generator (RNG). The router software uses the secure random number generator (RNG) to generate init

Page 62 - Frame Relay Protocol

2-6: To generate an NPK, use a method available at your site to create random 16-digit hexadecimal numbers.

Page 63

2-7 (Installing IPsec): To enter an initial NPK and a seed for encryption: 1. If necessary, create a password for the Technician Interfac

Page 64 - Reordering Policies

2-8: Changing an NPK. To maintain security, periodically change the NPK on each router. To change an NPK, ente

Page 65 - Frame Relay

3-1: Chapter 3, Starting IPsec. This chapter includes the following information: Enabling IPsec and IKE. To enable IPsec, configure an IP i

Page 66

3-2: When you use Site Manager to configure IPsec on an interface for the first time, configure the menu it

Page 67 - Manual SA Modifications

3-3 (Starting IPsec): Specifying an Action. The action specification in a policy controls how a packet that matches the specified criteri

Page 68

v: This software contains a DES implementation written by Eric Young ([email protected]). The implementation was written so as to conf

Page 69 - Disabling IPsec

3-4: Creating an Outbound Policy. To create an outbound policy template and policy, complete the following ta

Page 70

3-5 (Starting IPsec): Policy. 9. Click on Add Policy. The Create Outbound Policy window opens. 10. Enter the policy name in the Policy Name

Page 71 - Site Manager Parameters

3-6: Creating an Inbound Policy. The process for creating inbound policies is virtually identical to the proc

Page 72 - Enabling IPsec Parameters

3-7 (Starting IPsec): Policy. 9. Click on Add Policy. The Create Inbound Policy window opens. 10. Enter the policy name in the Policy Name

Page 73 - IPsec Policy Parameters

3-8: Creating Security Associations. Security associations enable you to provide bidirectional protection for

Page 74

3-9 (Starting IPsec): Creating an Outbound Protect Policy With Automated SAs (IKE). To use IKE to create automated SAs, complete the foll

Page 75

3-10: About Manual SA Creation. To protect (encrypt or authenticate) data packets leaving the local IPsec int

Page 76

3-11 (Starting IPsec): Creating a Protect SA Manually. To manually create a Protect SA, complete the following tasks: Site Manager Proced

Page 77

3-12: Creating an Unprotect SA Manually. To manually create an Unprotect SA, complete the following tasks: Si

Page 78

4-1: Chapter 4, Customizing IPsec. This chapter contains information about changing an IPsec configuration that you have already set up.

Page 80

4-2: Editing a Policy. To edit an existing IPsec policy on a router interface, complete the following tasks: S

Page 81

4-3 (Customizing IPsec): Adding a Policy. The procedure to add an IPsec policy to a router interface depends on the protocol used on the

Page 82

4-4: Frame Relay Protocol. To add an IPsec policy to a router interface configured with frame relay, complete

Page 83 - Definitions of k Commands

4-5 (Customizing IPsec): 10. If the Choose SA Type dialog opens, choose Automated SA and follow the instructions in “Creating an Outbou

Page 84

4-6: Reordering Policies. The procedure to reorder IPsec policies on a router interface depends on the protoc

Page 85 - Appendix C

4-7 (Customizing IPsec): Frame Relay. To change the order in which existing IPsec policies are applied on a router interface configured w

Page 86

4-8: Changing Existing Security Associations. To ensure the integrity of SAs, vital information such as IKE p

Page 87

4-9 (Customizing IPsec): Manual SA Modifications. The procedure to modify manual SAs on a router interface depends on the protocol used o

Page 88 - RTR4 Subnet 192.32.30.0

4-10: Frame Relay. To change or add manual SAs on a router interface configured with frame relay, complete th

Page 89 - Manual SA Policy Examples

4-11 (Customizing IPsec): Disabling IPsec. To disable IPsec on all router interfaces configured for it, complete the following tasks: To

Page 90

vii: Contents. Preface. Before You Begin ...

Page 91

4-12: 4. Click on Values and select Disable from the dialog box. 5. Click on OK to close the dialog. The dia

Page 92 - RTR1 and RTR2

A-1: Appendix A, Site Manager Parameters. This appendix describes the Site Manager parameters for: • Creating a node protection key (NPK)

Page 93 - RTR2

A-2: Enabling IPsec Parameters. Parameter: IP Security Enable. Path: Configuration Manager > Protocols > IP

Page 94

A-3 (Site Manager Parameters): IPsec Policy Parameters. Parameter: Policy Enable. Path: Configuration Manager > Protocols > IP > IP

Page 95

A-4: Manual Security Association Parameters. Parameter: SA Source IP Address. Path: Configuration Manager > P

Page 96 - RTR4

A-5 (Site Manager Parameters): Parameter: Security Parameter Index. Path: Configuration Manager > Protocols > IP > IP Security >

Page 97

A-6: Parameter: Cipher Key Length. Path: Configuration Manager > Protocols > IP > IP Security > Ma

Page 98

A-7 (Site Manager Parameters): Parameter: Integrity Algorithm. Path: Configuration Manager > Protocols > IP > IP Security > Ma

Page 99

A-8: Parameter: Integrity Key. Path: Configuration Manager > Protocols > IP > IP Security > Manual

Page 100 - Configuring Through a Browser

A-9 (Site Manager Parameters): Automated Security Association (IKE) Parameters. Parameter: SA Name. Path: Configuration Manager > Protoco

Page 101 - Terminology

viii: Security Associations ... 1-11; Automa

Page 102 - Configuration Specifics

A-10: Parameter: Pre-Shared Key (hex). Path: Configuration Manager > Protocols > IP > IKEConfiguratio

Page 103 - Feature Comparison Summary

A-11 (Site Manager Parameters): Parameter: Anti-Replay Window Size. Path: Configuration Manager > Add Circuit > WAN Protocols > PP

Page 105 - Configuration Examples

B-1: Appendix B, Definitions of k Commands. This appendix contains definitions of the “k” commands that you use to work in the Technician

Page 107

C-1: Appendix C, Configuration Examples. This appendix provides configuration examples for both automated and manual security associatio

Page 108

C-2: Automated SA (IKE) Policy Examples. As you review the security policy examples in this section, refer to

Page 109 - Appendix D

C-3 (Configuration Examples): Example 1: Required Policies, Proposals, and SA Destinations on RTR1 and RTR2 to Protect Data Between RTR

Page 110

C-4: Example 3: Required Policies, Proposals, and SA Destinations on RTR1 and RTR4 to Protect Data Between

Page 111

C-5 (Configuration Examples): Manual SA Policy Examples. As you review the security policy examples in this section, refer to Figure C-2.

Page 112

ix: Creating an Outbound Policy ... 3-4; Creating an I

Page 113

C-6: Example 2: Required Policies on RTR2 to Protect Data Between RTR1 Subnet 192.32.5.0 and RTR2 Subnet 19

Page 114

C-7 (Configuration Examples): Example 3: Required Policies on RTR2 to Protect Data Between RTR2 Subnet 192.28.41.0 and RTR3 Subnet 192.

Page 115

C-8: Example 6: Required Policies on RTR2 to Allow ESP Traffic to Pass Through and OSPF to Exchange Routing

Page 116

C-9 (Configuration Examples): Example 7: Required Policies on RTR3 to Protect Data Between RTR3 Subnet 192.131.141.0 and RTR1 192.32.5.0

Page 117

C-10: SA Example 1: Configuring a Single Protect/Unprotect SA Pair. In this example, a single Protect/Unprote

Page 118

C-11 (Configuration Examples): SA Example 2: Configuring Two Protect/Unprotect SA Pairs. In this example, two Protect/Unprotect SA pairs

Page 119

C-12: SA Example 3: Configuring Multiple Protect/Unprotect SA Pairs. In this example, multiple Protect/Unprot

Page 120

C-13 (Configuration Examples): The following two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR2 (ref

Page 121

C-14: The next two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR3 (refer

Page 122

C-15 (Configuration Examples): The final two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR4 (refer t
