Avaya Configuring IP Security Services User Manual Page 1

Configuring IPsec Services
Part No. 304111-B Rev 00
April 1999
BayRS Version 13.20
Site Manager Software Version 7.20

Content Summary

Page 1 - Services

Configuring IPsec Services Part No. 304111-B Rev 00 April 1999 BayRS Version 13.20 Site Manager Software Version 7.20

Page 4

304111-B Rev 00 xi Tables Table 1-1. Security Policy Specifications ... 1-14 Table 1-2. Manu

Page 6

304111-B Rev 00 xiii Preface This guide describes the Bay Networks® implementation of IP Security and how to configure it on a Bay Networks router. Befo

Page 7 - 304111-B Rev 00 vii

Configuring IPsec Services xiv 304111-B Rev 00 Text Conventions This guide uses the following text conventions: angle brackets (< >) Indicate that y

Page 8

Preface 304111-B Rev 00 xv Acronyms This guide uses the following acronyms: screen text Indicates system output, for example, prompts and system messages

Page 9 - 304111-B Rev 00 ix

Configuring IPsec Services xvi 304111-B Rev 00 ISAKMP/Oakley Internet Security Association and Key Management Protocol (also known as IKE) IV initializat

Page 10

Preface 304111-B Rev 00 xvii Bay Networks Technical Publications You can now print Bay Networks technical manuals and release notes free, directly from

Page 12

304111-B Rev 00 1-1 Chapter 1 Overview of IPsec This chapter describes the emerging Internet Engineering Task Force standards for security services over

Page 13 - Before You Begin

ii 304111-B Rev 00 Bay Networks, Inc. 4401 Great America Parkway Santa Clara, CA 95054 Copyright © 1999 Bay Networks, Inc. All rights reserved. Printed in t

Page 14 - Text Conventions

Configuring IPsec Services 1-2 304111-B Rev 00 About IPsec IP Security (IPsec) is the Internet Engineering Task Force (IETF) set of emerging standards for

Page 15 - Acronyms

Overview of IPsec 304111-B Rev 00 1-3 Integrity Integrity determines whether the data has been altered during transit. The ESP protocol ensures that data

Page 16 - Configuring IPsec Services

Configuring IPsec Services 1-4 304111-B Rev 00 IPsec Protection To configure a router with IPsec, you first configure the router interface as an IP interf

Page 17 - How to Get Help

Overview of IPsec 304111-B Rev 00 1-5 IPsec Tunnel Mode When there is a security gateway at each end of a communication, the security associations betwee

Page 18

Configuring IPsec Services 1-6 304111-B Rev 00 Figure 1-2. IPsec Concepts: Security Gateways, Security Policies, and SAs IP00087A Inbound process Security a

Page 19 - Chapter 1

Overview of IPsec 304111-B Rev 00 1-7 Security Gateways A security gateway establishes SAs between router interfaces configured with IPsec software. A Ba

Page 20 - IPsec Services

Configuring IPsec Services 1-8 304111-B Rev 00 Security Policies When you create an IPsec policy, you control which packets a security gateway protects, h

Page 21 - How IPsec Works

Overview of IPsec 304111-B Rev 00 1-9 Inbound Policies An inbound policy determines how a security gateway processes data packets received from an untrus

Page 22 - IPsec Protection

Configuring IPsec Services 1-10 304111-B Rev 00 Policy Criteria Specification IPsec software inspects IP packet headers based on the specified criteria to

Page 23 - Elements of IPsec

Overview of IPsec 304111-B Rev 00 1-11 Security Associations A security association (SA) is a relationship in which two peers share the necessary informa

Page 24

304111-B Rev 00 iii Bay Networks, Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the acco

Page 25 - Security Gateways

Configuring IPsec Services 1-12 304111-B Rev 00 Manual Security Associations Manually configuring security associations is a more cumbersome and labor-int

Page 26 - Security Policies

Overview of IPsec 304111-B Rev 00 1-13 How IKE Negotiates Security Associations The Internet Key Exchange (IKE) protocol automates the process of IPsec S

Page 27 - Outbound Policies

Configuring IPsec Services 1-14 304111-B Rev 00 Summarizing Security Policies and SAs Table 1-1 and Table 1-2 provide a framework for understanding IPsec

Page 28 - Policy Criteria Specification

Overview of IPsec 304111-B Rev 00 1-15 In Table 1-2, the IP source and destination addresses for the SA are the tunnel end points for the IPsec tunnel t

Page 29 - Security Associations

Configuring IPsec Services 1-16 304111-B Rev 00 • Data Encryption Standard (DES) (56-bit) • 40-bit DES (manual keying only) • Triple DES (3DES) (3DES IPsec

Page 30 - Manual Security Associations

Overview of IPsec 304111-B Rev 00 1-17 Internet Key Exchange (IKE) Protocol The Internet Key Exchange (IKE) protocol negotiates and provides private and

Page 31

Configuring IPsec Services 1-18 304111-B Rev 00 Network Requirements for Bay Networks Routers To install the IP Security (IPsec) software, the router must

Page 32

304111-B Rev 00 2-1 Chapter 2 Getting Started With IPsec This chapter describes how to start using IPsec. Before you configure IPsec, you need to: • Upgra

Page 33 - Security Protocols

Configuring IPsec Services 2-2 304111-B Rev 00 Upgrading Router Software To install the IPsec software, you must be running BayRS Version 13.20 and Site M

Page 34 - Authentication Header

Getting Started With IPsec 304111-B Rev 00 2-3 Completing the Installation Process To complete the installation process: 1. Open the Image Builder director

Page 35 - Perfect Forward Secrecy

iv 304111-B Rev 00 its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files,

Page 36 - Supported WAN Protocols

Configuring IPsec Services 2-4 304111-B Rev 00 Securing Your Site To enforce IPsec, carefully restrict unauthorized access to the routers that encrypt dat

Page 37 - Getting Started With IPsec

Getting Started With IPsec 304111-B Rev 00 2-5 Random Number Generator (RNG) The router software uses the secure random number generator (RNG) to generat

Page 38 - Installing the IPsec Software

Configuring IPsec Services 2-6 304111-B Rev 00 To generate an NPK, use a method available at your site to create random 16-digit hexadecimal numbers. Ent

Page 39 - 304111-B Rev 00

Getting Started With IPsec 304111-B Rev 00 2-7 To enter an initial NPK and a seed for encryption: 1. If necessary, create a password for the Technician In

Page 40 - Securing Your Configuration

Configuring IPsec Services 2-8 304111-B Rev 00 Changing an NPK To maintain security, periodically change the NPK on each router. To change an NPK, enter th

Page 41 - Generating NPKs

304111-B Rev 00 3-1 Chapter 3 Configuring IPsec This chapter includes the following information: Enabling IPsec and IKE To enable IPsec, configure an IP in

Page 42 - Caution:

Configuring IPsec Services 3-2 304111-B Rev 00 When you use Site Manager to configure IPsec on an interface for the first time, configure the menu items

Page 43

Configuring IPsec 304111-B Rev 00 3-3 Specifying an Action The action specification in a policy controls how a packet that matches the specified criteria

Page 44 - Monitoring NPKs

Configuring IPsec Services 3-4 304111-B Rev 00 Creating an Outbound Policy To create an outbound policy template and policy, complete the following tasks:

Page 45 - Chapter 3

Configuring IPsec 304111-B Rev 00 3-5 Policy 9. Click on Add Policy. The Create Outbound Policy window opens. 10. Enter the policy name in the Policy Name f

Page 46 - Creating Policies

304111-B Rev 00 v Contents Preface Before You Begin ...

Page 47 - Policy Considerations

Configuring IPsec Services 3-6 304111-B Rev 00 Creating an Inbound Policy The process for creating inbound policies is virtually identical to the process

Page 48 - Creating an Outbound Policy

Configuring IPsec 304111-B Rev 00 3-7 Policy 9. Click on Add Policy. The Create Inbound Policy window opens. 10. Enter the policy name in the Policy Name fi

Page 49

Configuring IPsec Services 3-8 304111-B Rev 00 Creating Security Associations Security associations enable you to provide bidirectional protection for dat

Page 50 - Creating an Inbound Policy

Configuring IPsec 304111-B Rev 00 3-9 Creating a Protect SA Automatically Using IKE To use IKE to create automated Protect SAs, complete the following ta

Page 51

Configuring IPsec Services 3-10 304111-B Rev 00 Creating an Unprotect SA Automatically Using IKE To use IKE to create automated Unprotect SAs, complete th

Page 52 - About Manual SA Creation

Configuring IPsec 304111-B Rev 00 3-11 Creating a Protect SA Manually To manually create a Protect SA, complete the following tasks: Site Manager Procedu

Page 53

Configuring IPsec Services 3-12 304111-B Rev 00 Creating an Unprotect SA Manually To manually create an Unprotect SA, complete the following tasks: Site M

Page 54

Configuring IPsec 304111-B Rev 00 3-13 Disabling IPsec To disable IPsec on all router interfaces configured for it, complete the following tasks. To dis

Page 55

Configuring IPsec Services 3-14 304111-B Rev 00 4. Click on Values and select Disable from the dialog box. 5. Click on OK to close the dialog. The dialog

Page 56

304111-B Rev 00 A-1 Appendix A Site Manager Parameters This appendix describes the Site Manager parameters for: • Creating a node protection key (NPK) • En

Page 57 - Disabling IPsec

vi 304111-B Rev 00 How IKE Negotiates Security Associations ... 1-13 Security Parameter Index (

Page 58

Configuring IPsec Services A-2 304111-B Rev 00 Enabling IPsec Parameters Parameter: IP Security Enable Path: Configuration Manager > Protocols > IP >

Page 59 - Site Manager Parameters

Site Manager Parameters 304111-B Rev 00 A-3 IPsec Policy Parameters Parameter: Policy Enable Path: Configuration Manager > Protocols > IP > IP Sec

Page 60 - Enabling IPsec Parameters

Configuring IPsec Services A-4 304111-B Rev 00 Manual Security Association Parameters Parameter: SA Source IP Address Path: Configuration Manager > Proto

Page 61 - IPsec Policy Parameters

Site Manager Parameters 304111-B Rev 00 A-5 Parameter: Security Parameter Index Path: Configuration Manager > Protocols > IP > IP Security > M

Page 62

Configuring IPsec Services A-6 304111-B Rev 00 Parameter: Cipher Key Length Path: Configuration Manager > Protocols > IP > IP Security > Manual

Page 63

Site Manager Parameters 304111-B Rev 00 A-7 Parameter: Integrity Algorithm Path: Configuration Manager > Protocols > IP > IP Security > Manual

Page 64

Configuring IPsec Services A-8 304111-B Rev 00 Parameter: Integrity Key Path: Configuration Manager > Protocols > IP > IP Security > Manual Sec

Page 65

Site Manager Parameters 304111-B Rev 00 A-9 Automated Security Association (IKE) Parameters Parameter: Pre-Shared Key Path: Configuration Manager > Prot

Page 67

304111-B Rev 00 B-1 Appendix B Definitions of k Commands This appendix contains definitions of the “k” commands that you use to work in the Technician Int

Page 68

304111-B Rev 00 vii Creating an Inbound Policy ... 3-6 Creating Securi

Page 70

304111-B Rev 00 C-1 Appendix C Configuration Examples This appendix provides configuration examples for both automated and manual security associations.

Page 71 - Configuration Examples

Configuring IPsec Services C-2 304111-B Rev 00 Automated SA (IKE) Policy Examples As you review the security policy examples in this section, refer to Fig

Page 72

Configuration Examples 304111-B Rev 00 C-3 Example 1: Required Policies, Proposals, and SA Destinations on RTR1 and RTR2 to Protect Data Between RTR1 Su

Page 73

Configuring IPsec Services C-4 304111-B Rev 00 Example 3: Required Policies, Proposals, and SA Destinations on RTR1 and RTR4 to Protect Data Between RTR1

Page 74 - RTR4 Subnet 192.32.30.0

Configuration Examples 304111-B Rev 00 C-5 Manual SA Policy Examples As you review the security policy examples in this section, refer to Figure C-2. All

Page 75 - Manual SA Policy Examples

Configuring IPsec Services C-6 304111-B Rev 00 Example 2: Required Policies on RTR2 to Protect Data Between RTR1 Subnet 192.32.5.0 and RTR2 Subnet 192.28

Page 76

Configuration Examples 304111-B Rev 00 C-7 Example 3: Required Policies on RTR2 to Protect Data Between RTR2 Subnet 192.28.41.0 and RTR3 Subnet 192.131.

Page 77

Configuring IPsec Services C-8 304111-B Rev 00 Example 6: Required Policies on RTR2 to Allow ESP Traffic to Pass Through and OSPF to Exchange Routing Upd

Page 78 - RTR1 and RTR2

Configuration Examples 304111-B Rev 00 C-9 Example 7: Required Policies on RTR3 to Protect Data Between RTR3 Subnet 192.131.141.0 and RTR1 192.32.5.0 Manu

Page 80

Configuring IPsec Services C-10 304111-B Rev 00 SA Example 1: Configuring a Single Protect/Unprotect SA Pair In this example, a single Protect/Unprotect S

Page 81

Configuration Examples 304111-B Rev 00 C-11 SA Example 2: Configuring Two Protect/Unprotect SA Pairs In this example, two Protect/Unprotect SA pairs are

Page 82 - RTR4

Configuring IPsec Services C-12 304111-B Rev 00 SA Example 3: Configuring Multiple Protect/Unprotect SA Pairs In this example, multiple Protect/Unprotect

Page 83

Configuration Examples 304111-B Rev 00 C-13 The following two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR2 (refer t

Page 84

Configuring IPsec Services C-14 304111-B Rev 00 The next two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR3 (refer to

Page 85

Configuration Examples 304111-B Rev 00 C-15 The final two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR4 (refer to Fi

Page 87 - Protocol Numbers

304111-B Rev 00 D-1 Appendix D Protocol Numbers IPsec policies may include a protocol criterion that references the 1-byte protocol number field in an IP

Page 88

Configuring IPsec Services D-2 304111-B Rev 00 Assigned Internet Protocol Number by Name Table D-1 lists the Internet protocol numbers alphabetically by t

Page 89

Protocol Numbers 304111-B Rev 00 D-3 14 EMCON n/a; 98 ENCAP Encapsulation Header; 50 ESP Encapsulating Security Payload; 97 ETHERIP Ethernet-within-IP Encapsu

Page 90

304111-B Rev 00 ix Figures Figure 1-1. IPsec Environment: Unique Security Associations (SAs) Between Routers ...

Page 91

Configuring IPsec Services D-4 304111-B Rev 00 43 IPv6-Route Routing Header for IPv6; 111 IPX-in-IP IPX in IP; 28 IRTP Internet Reliable Transaction Protocol

Page 92

Protocol Numbers 304111-B Rev 00 D-5 27 RDP Reliable Data Protocol; 46 RSVP Reservation Protocol; 66 RVD MIT Remote Virtual Disk Protocol; 64 SAT-EXPAK SATNET

Page 93

Configuring IPsec Services D-6 304111-B Rev 00 Assigned Internet Protocol Numbers by Number Table D-2 lists the Internet Protocol numbers in order. 112 VRR

Page 94

Protocol Numbers 304111-B Rev 00 D-7 14 EMCON n/a; 15 XNET Cross Net Debugger; 16 CHAOS Chaos; 17 UDP User Datagram Protocol; 18 MUX Multiplexing; 19 DCN-MEAS DCN

Page 95

Configuring IPsec Services D-8 304111-B Rev 00 43 IPv6-Route Routing Header for IPv6; 44 IPv6-Frag Fragment Header for IPv6; 45 IDRP Inter-Domain Routing Pro

Page 96

Protocol Numbers 304111-B Rev 00 D-9 72 CPNX Computer Protocol Network Executive; 73 CPHB Computer Protocol Heart Beat; 74 WSN Wang Span Network; 75 PVP Packe

Page 97

Configuring IPsec Services D-10 304111-B Rev 00 101 IFMP Ipsilon Flow Management Protocol; 102 PNNI PNNI over IP; 103 PIM Protocol Independent Multicast; 104 A

Page 98

304111-B Rev 00 Index-1 Numbers 3DES, 1-16; A Access Node (AN) support, 1-18; Access Stack Node (ASN) support, 1-18; acronyms, xv; Advanced Remote Node (ARN) supp

Page 99

Index-2 304111-B Rev 00 I IKE description, 1-11; enabling, 3-1; security associations, 3-8; Image Builder, 2-2; inbound security policies, 1-3, 1-9; initialization

Page 100

304111-B Rev 00 Index-3 R random number generator (RNG), 2-5; random number, generating, 2-6; Router Files Manager, 2-2; router log, NPK confirmation, 2-8; route
