Avaya Configuring Integrated IP Security User Manual


Contents

Page 1 - Services

Part No. 304111-A Rev 00, November 1998. BayRS Version 13.10, Site Manager Software Version 7.10. Configuring IP Security Services

Page 3

Tables. Table 2-1. Security Policy Specifications ... 2-8 Table 2-2. Sec

Page 5 - Contents

Preface. This guide describes the Bay Networks® implementation of IP Security and how to configure it on a Bay Networks router. Befo

Page 6

Text Conventions. This guide uses the following text conventions: angle brackets (< >) Indicate

Page 7 - 304111-A

Acronyms. This guide uses the following acronyms: screen text Indicates system output, for example, prompts and system messages

Page 8

Bay Networks Technical Publications. You can now print Bay Networks technical manuals and release not

Page 9

How to Get Help. For product assistance, support contracts, information about educational services, and the telephone number

Page 11 - 304111-A Rev 0

Chapter 1: Overview. IP Security (IPsec) is the Bay Networks implementation of the Internet Engineering Task Force (IETF) set of standa

Page 12

4401 Great America Parkway, Santa Clara, CA 95054; 8 Federal Street, Billerica, MA 01821. Copyright © 1998 Bay Networks, Inc. All rights re

Page 13 - Before You Begin

Supported Routers. Bay Networks IP technologies are implemented on BayRS router interfaces supporting

Page 14 - Text Conventions

Figure 1-1. IPsec Environment: Unique Security Associations (SAs) Between Routers. IPsec Tunnel Mode. When there is a security

Page 15 - Acronyms

Security Protocols Overview. IPsec uses two protocols to provide traffic security: • Encapsulating Sec

Page 16

IPsec Services. IPsec services include the confidentiality, integrity, and authentication services for data packets traveling

Page 18

Chapter 2: Getting Started with IPsec. IPsec has three key constructs: • Security gateways • Security policies • Security associations (SA

Page 19 - Overview

Figure 2-1. IPsec Concepts: Security Gateways, Security Policies, and Security Associations (SAs). Sec

Page 20 - IPsec Protection

Figure 2-2. IPsec Security Gateways. When you add IPsec services to a security gateway, its internal hosts

Page 21 - IPsec Tunnel Mode

IPsec Policies. When you create an IPsec policy, you control which packets a security gateway protects

Page 22 - Security Protocols Overview

Inbound Policies. An inbound policy determines how a security gateway processes clear-text data packets rec

Page 23 - IPsec Services

Bay Networks, Inc. Software License Agreement. NOTICE: Please carefully read this license agreement before copying or using the acco

Page 24

Figure 2-3. Outbound and Inbound Policies. Security Policy Database (SPD). The criteria (“selectors”) an

Page 25 - Getting Started with IPsec

Security Associations for Bidirectional Traffic. A security association provides security services to data

Page 26 - Security Gateway

Summarizing Security Policies and SAs. Table 2-1 and Table 2-2 provide a framework for understanding I

Page 27 - Security Policies

Security Protocols. IPsec uses the following encryption services: • Data Encryption Standard (DES) • Message

Page 28 - IPsec Policies

IPsec Services. IPsec services consist of confidentiality, integrity, and authentication. Confidential

Page 29 - Outbound Policies

Installing IP Security (IPsec) Software. Before you can enable and use IPsec services, you must create an

Page 30 - Security Associations

To complete the installation process: 1. Open the Image Builder directory: • On a PC, the default dire

Page 31

Chapter 3: Configuring IPsec. Before you configure IPsec, you need to: • Install IP Security (IPsec) software (see “Installing IP Securi

Page 32

Always configure your NPKs locally, not over a network. When you connect a PC or a workstation to a

Page 33 - Security Protocols

Create and configure a different NPK for each secure router on your network. The NPK should be different on every

Page 34

its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files,

Page 35 - Installation Instructions

Entering the NPK on the Router. You enter the NPK into a router locally, using the console port and th

Page 36 - 304111-A Rev 00

The kset npk command stores your NPK_value in the router NVRAM, and it calculates a hash of this value that it sto

Page 37 - Configuring IPsec

Monitoring NPKs. If the NPK on a router does not match the NPK in the MIB, IPsec services do not work.

Page 38 - Node Protection Key (NPK)

When you use Site Manager to configure IPsec on an interface for the first time, configure the menu items displaye

Page 39 - Generating and Using NPKs

The corresponding policy actions are: • Drop • Bypass • Protect • Log (a message will be written to the

Page 40 - Caution:

To create an outbound policy template and policy, complete the following tasks: Site Manager Procedure. You do this S

Page 41 - Changing NPKs

Policy 9. Click on Add Policy. The Create Outbound Policy window opens. 10. Enter the policy name in t

Page 42 - Enabling IPsec

Creating Security Associations. Security associations enable you to provide bidirectional protection for data packe

Page 43 - Creating Policies

To create a protect SA, complete the following tasks: Site Manager Procedure. You do this System resp

Page 44 - Policy Considerations

Disabling IPsec. To disable IPsec on all router interfaces configured for it, complete the following tasks. (You ca

Page 45

Contents. Preface: Before You Begin ...

Page 47

Appendix A: Site Manager Parameters. This appendix describes the Site Manager parameters for: • Creating a node protection key (NPK) • En

Page 48

Enabling IPsec Parameters. IPsec Policy Parameters. Parameter: IP Security Enable. Path: Configuration Manag

Page 49 - Disabling IPsec

Security Association Parameters. Parameter: Policy Name. Path: Configuration Manager > Protocols > IP >

Page 50

Parameter: Security Parameter Index. Path: Configuration Manager > Protocols > IP > IP Securit

Page 51 - Site Manager Parameters

Parameter: Cipher Key. Path: Configuration Manager > Protocols > IP > IP Security > Security Associ

Page 52 - IPsec Policy Parameters

Parameter: Integrity Key. Path: Configuration Manager > Protocols > IP > IP Security > Secu

Page 53

Appendix B: Definitions of k Commands. This appendix contains definitions of the “k” commands that you use to work in the Technician In

Page 55

Appendix C: Security Policy and Security Association Examples. This appendix provides examples of outbound and inbound policies and prot

Page 56

Security Policy Database (SPD) ... 2-6 Security Associati

Page 57 - Definitions of k Commands

Figure C-1. IPsec Outbound Policies for Routers 1, 2, and 3. Example 1: Required Policies on RTR 1 to

Page 58

Example 2: Required Policies on RTR 2 to Protect Data Between RTR 1 Subnet 192.32.

Page 59 - Association Examples

Example 4: Required Outbound Policies on RTR 3 to Protect Data Between RTR 2 Subnet 192.28.41.0 and R

Page 60

Example 6: Required Policies on RTR 2 to Allow ESP Traffic to Pass Through and OSP

Page 61

Protect and Unprotect Security Associations (SAs). Security associations (SAs) specify which IPsec ser

Page 62

SA Example 1: Configuring a Single Protect/Unprotect SA Pair. In this example, a sin

Page 63 - RTR 1 and RTR 2

SA Example 2: Configuring Two Protect/Unprotect SA Pairs. In this example, two protect/unprotect SA pa

Page 64 - RTR2

SA Example 3: Configuring Multiple Protect/Unprotect SA Pairs. In this example, mult

Page 65

The following two tables show the settings for the protect/unprotect SA pairs between RTR 1 and RTR

Page 66

The next two tables show the settings for the protect/unprotect SA pairs between

Page 67 - RTR4

Appendix A: Site Manager Parameters. Node Protection Key Parameter ...

Page 68

The final two tables show the settings for the protect/unprotect SA pairs between RTR 1 and RTR 4 (

Page 69

Index. Numbers: 40-bit DES key, 2-9; 56-bit DES key, 2-9. A: acronyms, xv; AH, 1-4; auditing, 1-5; authentication, 1-5. B: bidirectional traffic, 2-7. C: cap

Page 70

Index. N: NPK, 3-2, A-1; NVRAM, 3-5, A-1. P: password, 3-4; policy template, 2-3, 3-7, 3-9; PPP, 1-2; product support, xvii; protocol, 1-2, 2-4; public d

Page 72

Figures. Figure 1-1. IPsec Environment: Unique Security Associations (SAs) Between Routers ............
