Avaya IPsec User Manual

BayRS Version 14.00 Part No. 308630-14.00 Rev 00

September 1999 4401 Great America Parkway

Santa Clara, CA 95054

Configuring IPsec Services

and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must t ak e full re sponsib ility fo r th eir a pplic atio ns o f a ny products specified in this document. The information in this document is proprietary to Nortel Networks NA Inc.

The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document.

Trademarks

NORTEL NETWORKS is a trademark of Nortel Networks. Bay Networks, ACE, AFN, AN, BCN, BLN, BN, BNX, CN, FRE, LN, Optivity, Optivity Policy Services, and PPX

are regi ster ed t rade mark s and Adv an ced Remo te Nod e, A NH, AR N, ASN, B ayRS , Ba ySecu re, BaySt ack , BaySt rea m, BCC, BCNX, BLNX, FN, Passport, SN, SPEX, Switch Node, Sy stem 5000, and T ok enSpeed are trademarks of Nortel Networks.

Microsoft, MS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. All other trademarks and registered trademarks are t he property of their respective owners.

Restricted Rights Legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Sof tware clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights cl ause at FAR 52.227-19.

Statement of Conditions

In the interest of improvi ng internal design, operational fun ction , a n d/o r relia bi lity, No rtel Ne tworks NA Inc. re serv e s the right to make changes to the products described in this document without notice.

Nortel Networks NA Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any docu mentation, advertising materials, and other materials related to such distribution and use acknowledge that su ch portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information containe d herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks NA Inc. Software License Agreement

NOTICE: Please carefully read this license agre ement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF

308630-14.00 Rev 00

THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

1. License Grant. Nortel Networks NA Inc. (“Nortel Networks”) grants the end user of the Software (“Licensee”) a personal, nonex clusive, nontransfera ble lic ense: a) to u se the Softw are eit her on a single compute r or, if applicable, on a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup purposes in support of authorized use of t he Software; and c) to use and copy the associated user manual solely in support of authoriz ed use of th e Softwa re b y Licen see. Thi s license applies t o the So ftware o nly and d oes not extend to Nortel Networks Agent software or other Nortel Networks software products. Nortel Networks Agent software or other Nortel Networks software products are licensed for use under the terms of the applicable Nortel Networks NA Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software.

2. Restrictions on use; reservation of rights. The Software and user manuals are protected und er copyright laws. Nortel Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Nortel Networks or it s licensors. The copyright notice must be repr oduced and included wit h any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Nortel Networks’ and its licensors’ confidential and propriet ary in telle c tu al pro p erty. Licensee shall not sublicense, assign, or ot he rwise disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Nortel Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, a nd agents to use the Softw are at Licensee’s facility, provided they have agreed to use the Software only in accordance with the terms of this license.

3. Limited warranty . Nortel Networks warrants each item of Software, as delivered by Nortel Networks and properly installed and operated on Nortel Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If an y item of S oftware f ails to so function d uring its w arranty period, as the sole remedy Nortel Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Nortel Networks further warrants to Licensee that the media on which the Software is provided will be free from defec ts in materials and wo rkman ship under no rmal use for a peri od of 90 da ys from the date Software is first shipped to Licensee. Nortel Networks will replace defective media at no charge if it is returned to Nortel Netw orks during the warranty period along with proof of the date of ship ment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained from the Software. Nortel Networks does not warrant a) that the functions contained in the software will meet the Licensee’s requirements, b) that the Software will operate in the hardware or software combinations that the Licensee may select, c) that the operation of the Software will be uninterrupted or error free, or d) that all defects in the operation of the Softw are will be corrected . Nortel Network s is not obligated to remedy any Software de fect that cannot be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i) altered, except by Nortel Networks or in accordance with i ts instructions; (ii) used in conjunction with another vendor’s product, resulting in the de fect; or (iii) damage d by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITA TION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs.

4. Limitation of liability. IN NO EVENT WILL NORTEL NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN

308630-14.00 Rev 00

iii

IF NORTEL NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF NORTEL NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO NORTEL NETWORKS FOR THE SOFTWARE LICENSE.

5. Government Licensees. This provision applies to a ll Softwa re and docum entation acquired d irectly or i ndirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without th e use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software––Restricte d Rig hts cla u se o f FAR 52.227-19 and the limitations set o ut in this license for ci vilian agencies, and subparagraph (c)(1)(ii ) of the Rights in Technical Data and Computer Software clause of DFARS

252.227-7013, for agencies of t he Department of Defense or their successors, whichever is applicable.

6. Use of Software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Nortel Networks of any such intended examination of the Software an d may procure support and assistance from Nortel Networks.

7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Nortel Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the Nortel Networks copyright; those restrictions relating to use and disclosure of Nortel Networks’ confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediat ely destroy or return to Nortel Networks the Software, user manuals, and all copies. Nortel Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.

8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or related technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricte d or em b argoed under Un ite d Sta t e s e xport control law s an d r egulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.

9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California.

Should you have any questions concerning this Agreement, contact Nortel Networks, 4401 Great America Par kwa y, P.O. Box 58185, Santa Clara, California 9505 4-8185.

LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN NORTEL NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST NORTEL NETWORKS UNLESS NORTEL NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.

DES Code Software License Agreement

Portions of the software code for BayRS IPsec were written by Eric Young, and carry the following copyright:

308630-14.00 Rev 00

This software contains a DES implementation written by Eric Young (eay@mincom.oz.au). The implementation was written so as to conform with MIT's libdes.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution.

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of that the SSL library. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and /or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by Eric Young (eay@mincom.oz.au)

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAU SED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

308630-14.00 Rev 00

Preface

Before You Begin ............................................................................................................. xv

Text Conventions .............................................................................................................xvi

Acronyms ........................... .......................... .......................... ......................... ................xvii

Hard-Copy Technical Manuals ........................................................... ....... ...... ....... ...... ....x ix

How to Get Help ..............................................................................................................xix

Chapter 1 Overview of IPsec

About IPsec ............................. ....... ...... ....... ...... ....... ...... ....... ...... ...... .............................1-2

Note Regarding IPsec and NAT ......................................................................................1-2

Network Requirements for Nortel Networks Routers ......................................................1-3

Supported Routers ...................................................................................................1-3

Supported WAN Protocols .......................................................................................1-3

IPsec Services ................................................................................................................1-4

Confidentiality ....... ....... ...... ....... ...... ....... ...... ....... ...... ....... ...... ...... ....... ...... ....... ...... ...1-4

Integrity ....................................................................................................................1-4

Authentication ..........................................................................................................1-4

Additional IPsec Services ........................................................................................1-5

How IPsec Works ...........................................................................................................1-5

IPsec Protection .......................................................................................................1-5

IPsec Tunnel Mode ...................................................................................................1-6

IPsec Elements ...............................................................................................................1-7

Security Gateways ...................................................................................................1-8

Security Policies .......................................................................................................1-8

Policy Templates ................................................................................................1-9

Inbound Policies ................................................................................................1-9

Outbound Policies ............................................................................................1-10

Policy Criteria Specification .............................................................................1-10

308630-14.00 Rev 00 vii

Security Associations .............................................................................................1-11

Automated Security Associations Using Internet Key Exchange (IKE) ...........1-12

Manual Security Associations ..........................................................................1-12

Security Associations for Bidirectional Traffic ..................................................1-12

How IKE Negotiates Security Associations .....................................................1-13

Security Parameter Index (SPI) .......................................................................1-13

Summarizing Security Policies and SAs ................................................................1-14

Security Protocols .........................................................................................................1-15

Encapsulating Security Payload .............................................................................1-15

Authentication Header ............................................................................................1-16

Internet Key Exchange (IKE) Protocol ..........................................................................1-17

Perfect Forward Secrecy ........................................................................................1-17

Chapter 2 Installing IPsec

Upgrading Router Software ............................................................................................2-2

Installing the IPsec Software ................ ....... ...... ....... ...... ....... ...... ...... ....... ...... ....... .........2-2

Completing the Installation Process .........................................................................2-3

Installing Triple DES Encryption ...............................................................................2-3

Securing Your Site ..........................................................................................................2-4

Securing Your Configuration ...........................................................................................2-4

Encryption Keys .......................................................................................................2-4

Random Number Generator (RNG) .........................................................................2-5

Creating and Using Node Protection Keys (NPKs) .........................................................2-5

Generating NPKs .....................................................................................................2-5

Entering an Initial NPK and a Seed for Encryption ..................................................2-6

Changing an NPK ....................................................................................................2-8

Monitoring NPKs ......................................................................................................2-8

Chapter 3 Starting IPsec

Enabling IPsec and IKE .................. ...... ....... ............................................. ...... ....... .........3-1

Creating Policies .............................................................................................................3-2

Specifying Criteria ....................................................................................................3-2

Specifying an Action .................................................................................................3-3

Policy Considerations ...............................................................................................3-3

viii 308630-14.00 Rev 00

Creating an Outbound Policy ...................................................................................3-4

Creating an Inbound Policy ......................................................................................3-6

Creating Security Associations .......................................................................................3-8

About Automated SA Creation .................................................... ....... ...... ....... ...... ...3-8

Creating an Outbound Protect Policy With A utomated SAs (IKE) ............................3-9

About Manual SA Creation .....................................................................................3-10

Creating a Protect SA Manually .............................................................................3-11

Creating an Unprotect SA Manually .......................................................................3-12

Chapter 4 Customizing IPsec

Changing Existing Policies .............................................................................................4-1

Editing a Policy ......................... ...... ....... ...... ....... ...... ....... ...... ...... .............................4-2

Adding a Policy .........................................................................................................4-3

PPP Protocol .............. ....... ...... ....... ...... ....... ...... ....... ...... ...... ....... ......................4-3

Frame Relay Protocol ........................................................................................4-4

Reordering Policies ..................................................................................................4-6

PPP Protocol .............. ....... ...... ....... ...... ....... ...... ....... ...... ...... ....... ......................4-6

Frame Relay ......................................................................................................4-7

Changing Existing Security Associations .......................................................................4-8

Automated SA (IKE) Modifications ...........................................................................4-8

Manual SA Modifications ..........................................................................................4-9

PPP Protocol .............. ....... ...... ....... ...... ....... ...... ....... ...... ...... ....... ......................4-9

Frame Relay ....................................................................................................4-10

Disabling IPsec .................. ...... ....... ...... ....... ...... ....... ...... ....... ...... .................................4-11

Appendix A Site Manager Parameters

Node Protection Key Para meter .................................................................................... A-1

Enabling IPsec Parameters ........................................................................................... A-2

IPsec Policy Parameters ................................................................................................ A-3

Manual Security Association Parameters ...................................................................... A-4

Automated Security Association (IKE) Parameters ....................................................... A-9

308630-14.00 Rev 00 ix

Appendix B Definitions of k Commands

Appendix C Configuration Examples

Inbound and Outbound Policies ..................................................................................... C-1

Automated SA (IKE) Policy Examples ..................................................................... C-2

Manual SA Policy Examples ................................................................................... C-5

Manual Protect and Unprotect SA Configuration ........................................................... C-9

Contivity Extranet Switch Interoperability ....................................................................C-16

Supported Versions ...............................................................................................C-16

Configuring Through a Browser ............................................................................ C-16

Termin ology .............................................................. ............................................. C -17

Configuration Specifics ......................................................................................... C-18

Feature Comparison Summary ............................................................................. C-19

Features Supported by Both Platforms ........................................................... C-19

BayRS Features Not Supported by Contivity .................................................. C-19

Contivity Features Not Supported by BayRS .................................................. C-20

BayRS IPsec and NAT .................................................................................... C-20

Troubleshooting Tips ............................. ...... ............................................. ....... ...... C -2 0

BayRS Tools ...................................................................................................C-20

Contivity Tools ................................................................................................. C-21

Symptoms You May See ................................................................................. C-21

Appendix D Protocol Numbers

Assigned Internet Protocol Numbers by Name .............................................................D-2

Assigned Internet Protocol Numbers by Number ..........................................................D-6

Index

x 308630-14.00 Rev 00

Figures

Figure 1-1. IPsec Environment: Unique Security Associations (SAs)

Between Routers .....................................................................................1-6

Figure 1-2. IPsec Concepts: Security Gateways, Security Policies, and SAs ............1-7

Figure 1-3. IPsec Security Gateways and Security Policies .......................................1-8

Figure 1-4. Security Associations for Bidirectional Traffic .........................................1-13

Figure C-1. IPsec Automated Outbound Policies for RTR1, RTR2, and RTR3 ..........C-2

Figure C-2. IPsec Manual Outbound Policies for RTR1, RTR2, and RTR3 ...............C-5

Figure C-3. Single Protect/Unprotect SA Pair ............................................................ C-9

Figure C-4. Multiple Protect/Unprotect SA Pairs ...................................................... C-12

308630-14.00 Rev 00 xi

Tables

Table 1-1. Security Policy Specifications ................................................................1-14

Table 1-2. Manual Security Association (SA) Configurations .................................1-15

Table C-1. Comparison of BayRS and Contivity Terminology ................................C-17

Table D-1. Internet Protocol Numbers, Sorted by Acronym ....................................D-2

Table D-2. Internet Protocol Numbers, Sorted by Number ...................................... D-6

308630-14.00 Rev 00 xiii

This guide describes the Nortel Networks™ implementation of IP Securi ty and how to configure it on a Nortel Networks router.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:

• Install the router (see the installation guide that came with your router).

• Connect the router to the network and create a pilot configuration file (see

Quick-Starti ng Router s , Conf igur ing BaySt ac k Remote Acc ess , or Connecting ASN Routers to a Network).

Preface

Make sure that you are runni ng the lates t versio n of Nortel Netw orks BayRS Site Manager software. For information about upgrading BayRS and Site Manager, see the upgrading guide for your version of BayRS.

308630-14.00 Rev 00 xv

™

and

Configuring IPsec Services

Text Conventions

This guide uses the following text conventions:

angle brackets (< >) Indicate that you choose the text to enter based on the

description inside the brackets. Do not type the brackets when entering the command.

Example: If the command syntax is:

ping

ip_address

ping 192.32.10.12

>, you enter:

bold text

Indicates command names and options and text that you need to enter.

Example: Enter

show ip {alerts | routes

Example: Use the

dinfo

command.

braces ({}) Indicate required elements in syntax descriptions

where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.

Example: If the command syntax is:

show ip {alerts | routes show ip alerts or show ip routes

}

, you must enter either:

, but not both.

brackets ([ ]) Indicate optional elements in syntax descriptions. Do

not type the brackets when entering the command. Example: If the command syntax is:

show ip interfaces [-alerts show ip interfaces

]

, you can enter either:

show ip interfaces -alerts

italic text Indicates file and directory names, new terms, book

titles, and variables in command syntax descriptions. Where a variable is two or mor e words, the words are connected by an underscore.

Example: If the command syntax is:

show at

valid_route

is one variable and you substitute one value

for it.

xvi 308630-14.00 Rev 00

Preface

screen text Indicates system output, for example, prompts and

system messages.

Acronyms

Example:

Set Trap Monitor Filters

separator ( > ) Shows menu paths.

Example: Protocols > I P ide nti fies the I P opt ion on the Protocols menu.

vertical line (

) Separates choices for command keywords and

arguments. Enter only one of the choices. Do not type the vertical line when enteri ng the command.

Example: If the command syntax is:

show ip {alerts | routes show ip alerts

show ip routes

This guide uses the following acronyms:

3DES Triple DES AH Authentication Header CBC cipher block chaining

}

, you enter either:

, but not both.

CES Contivity Extranet Switch DES Data Encryption Standard ESP Encapsulating Security Payload HMAC Hashing Message Authentication Code IANA Internet Assigned Numbers Authority ICMP Internet Control Me ssage Protocol ICV integri ty check value IETF Internet Engineering Task Force IKE Internet Key Exchange protocol IP Internet P rotocol IPsec Internet Protocol Security

308630-14.00 Rev 00 xvii

Configuring IPsec Services

ISAKMP/Oakley Internet Security Association and Key Management

IV initialization vector MD5 Message Digest 5 MIB management information base NAT Network Address Translation NPK node protection key NVRAM nonvolatile random access memory PFS Perfect Forward Secrecy PPP Point-to-Point Protocol RFC Request for Comments RNG random number generator RSA RSA Data Security, Inc.’s public-key encryption

SA security association

Protocol (also known as IKE)

algorithm

SAD security association database SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SPD security policy database SPI security parameter index VPN virtual private network WAN wide area network WEP WAN Encryption Protocol

xviii 308630-14.00 Rev 00

Hard-Copy Technical Manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the product for which you need documentation. Then locate the specific category and model or version for your hardw are or soft ware product . Usi ng Adobe Ac robat Re ader, you can open the manuals and releas e notes, search for the sections you ne ed, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Systems Web site, www.adobe.com.

You can purchase selected documentation sets, CDs, and technical publications through the collateral catalog. The catalog is located on the World Wide Web at

support.baynetworks.com/catalog.html and is divided into sections arranged

alphabetically:

• The “CD ROMs” section lists available CDs.

• The “Guides/Books” section lists books on technical topics.

• The “Technical Manuals” section lists available printed documentation sets.

Preface

How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nort el Net wor ks ser vice pr ogram, c ontact one of the f ollowing Nortel Networks Technical Solutions Centers:

Technical Solutions Center Telephone Number

Billerica, MA 800-2LANWAN (800-252-6926) Santa Clara, CA 800-2LANWAN (800-252-6926) Valbonne, France 33-4-92-96-69-68 Sydney, Australia 61-2-9927-8800 Tokyo, Japan 81-3-5402-7041

308630-14.00 Rev 00 xix

Chapter 1

Overview of IPsec

This chapter descr ibes the emer ging Inte rnet Engineer ing Task Force standard s for security services over publ ic networks, commonly referred to as IP Security or IPsec. The chapter also includes information specific to the Nortel Networks implementation of IPsec and requirements for that implementation.

This chapter includes the following information:

Topic Page

™

About IPsec 1-2 Note Regarding IPsec and NAT 1-2 Network Requirements for Nortel Networks Routers 1-3 IPsec Services 1-4 How IPsec Works 1-5 IPsec Elements 1-7 Security Gateways 1-8 Security Policies 1-8 Security Associations 1-11 Summarizing Security Policies and SAs 1-14 Security Protocols 1-15 Internet Key Exchan ge (IKE) Protocol 1-17

308630-14.00 Rev 00

1-1

Configuring IPsec Services

About IPsec

IP Security (I Psec) is the Internet Enginee ring Task Force (IETF) set of emerging standards for security services for communications over public networks. The standards are documented in the IETF Requests for Comments (RFCs) 2401 through 2412. Additional RFCs may be relevant as well.

These standards were developed to ensure secure, private communications for the remote access, extranet, and intranet v irtual private networks (VPNs) used in enterprise communications. They are the security architecture for the next generation of IP, cal led IPv6, but are available for the current IPv4 Internet as well.

The Nortel Networks implementation of the IETF standards provides network (layer 3) security services for wide area network (WAN) communications on Nortel Networks routers.

Note Regarding IPsec and NAT

IPsec and Network Addr ess Translation (NA T) are not support ed to w ork t ogethe r on a BayRS platform. NAT or IPsec can process a packet, but not by both. If a packet matches the NAT source address range, NAT takes precedence over IPsec and IPsec will not see the packet.

1-2

308630-14.00 Rev 00

Overview of IPsec

Network Requirements for Nortel Networks Routers

To install the IP Security (IPsec) software, the router must be running BayRS Version 13.10 or later and Site Manager Version 7.10 or later. To use IKE and automated SAs, BayRS Version 13.20 and Site Manager Version 7.20 or later are required.

Supported Routers

Nortel Networks IP technologies are implemented on BayRS router interfaces supporting synchronous communications.

IPsec can pro vid e enc rypti on and a ut hentic atio n serv ice s to an y s erial int erf ace o n the following routers:

•BayStack

• BayStack Access Stack Node (ASN

• BayStack Advanced Remote Node

• Backbone Node (BN

• System 5000

™

Access Node (AN®)

)

™

router modules

™

)

™

(ARN™)

™

Contivity

Extranet Switch™ (CES) hardware also supports IPsec. CES does not use BayRS software, but can be configured to interoperate with it. Refer to

“Contivity Extranet Switch Interoperability” on page C-16

documentation for more inform ation.

Supported WAN Protocols

The Nortel Networks implementation of IPsec supports PPP and frame relay WAN protocols. The Nortel Networks IPsec implementation also supports dial services, which provide backup and demand services for PPP and frame relay.

308630-14.00 Rev 00

and the Contivity

1-3

Configuring IPsec Services

IPsec Ser vices

IPsec serv ices consist of confidential ity, integrity, and authentication servi ces for data packets traveling between sec urity gatew a ys.

• Confidentiality ensures the privacy of communications.

• The integrity service detects modification of data packets.

• Authentication services verify the origin of every data packet.

Confidentiality

Confidentiality is accomplished by encrypting and decrypting data packets. The Encapsulating Security Payload (ESP) protocol uses the Data Encrypt ion Standard (DES) algorithm in cipher block chaining (CBC) mode to encrypt and decrypt data packets.

You set confidentiality with the cipher algorithm and cipher key parameters. The cipher algorithm and cipher key are specified in security associations (SAs). A security association is a relationship in which two peers share the necessary information to secur ely prote ct and unpr otect data. Th e algori thm and ke y must b e identical on both ends of an IPsec SA.

Integrity

Integrity determines whether the data has been altered d uring transit. T he ESP protocol ensures that data has not been modified as it passes between the security gateways . The ESP protoco l uses the HMAC MD5 (RFC 2403) or HMAC SHA-1 (RFC 2404) transform.

You set integrity with the integrity algorithm and integrity key parameters. The integrity algorithm and integrity key must be identic al on both ends of an IPsec SA.

Authentication

Authentication ensures that data has been transmitted by the identified source.

1-4

308630-14.00 Rev 00

Additional IPsec Services

Within the IPsec framework, additional security services are provided. An access control service ensures authorized use of the network, and an auditing service tracks all actions and events.

IPsec services can be configured on an interface-by-interface basis. Up to 127 inbound and 127 outbound security policies (customized) are supported on each IPsec interface.

How IPsec Works

IPsec services are bundled as an Internet Protocol (IP) encryption packet. The packets resemble ordinary IP packets to Internet routing nodes; only the sending and receiving devices are involved in the encryption. IPsec packets are delivered over the Internet like ordinary IP packets to branch offices, corporate partners, or other remote organizations in a secure, encrypted, and private manner.

Sever al well-est ablished tech nologies pro vide enc ryption and aut henticatio n at the application laye r. IPsec adds security at the underl ying network layer, providing a higher degree of secur ity fo r all a ppl icati ons, inc luding those wit hou t an y secur ity features of their own.

Overview of IPsec

IPsec Protection

To configure a router with IPsec, you first configure the router interface as an IP interface. Then you add the IPsec software to the IP interface, creating a security gateway. A security gateway is a router between a trusted network (for example, the enterprise intranet) and an untrusted network (the Internet) that provides a security service such as IPsec.

The router interface is secured with inbound and outbound security policies that filter traffic to and from the router module. The data packets themselves are protected by IPsec protocol processing specified by security associations (SAs).

308630-14.00 Rev 00

1-5

Configuring IPsec Services

Figure 1-1 sho ws ho w IPsec can prote ct data c ommunication s within a n enterpr ise and from external hosts.

Corporate

headquarters

Server

Router A

IP security

gateway

Security

associations

(SAs A,B)

Partner

Router B Router C

Host Host

IP security

gateway

IPsec

services

Public

network

Security associations

(SAs B,C)

IPsec

services

Security

associations

(SAs C,A)

Branch office

IP security

gateway

IPsec

services

IP0088A

Figure 1-1. IPsec Environment: Unique Security Associations (SAs)

Between Routers

IPsec Tunnel Mode

When there is a security gateway at each end of a communication, the security associations between the gateways are said to be in tunnel mode. The tunnel metaphor refers to data being visible only at the beginning and end points of the communication. The IP packets protected by IPsec have regular, “visible” IP headers, but the packet contents are encrypted, and thus hidden. All BayRS IPsec communications occur in tunnel mode. Tunnel mode is especially effective for isolating and prot ecting enterp rise traf f ic tra veli ng across a publ ic data net work, as shown in Figure 1-1.

1-6

308630-14.00 Rev 00

IPsec Elements

IPsec has three important constructs:

• Security gateways

• Security policies

• Security associations (SAs) In the IPsec context, hosts communicate across an untrusted network through

security gateways (routers configured for IPsec interfaces). Security policies determine ho w the IPsec interfaces handle data packets fo r the host s on both ends of a connection. Security associations apply IPsec services to data packets traveling between the security gateways.

Overview of IPsec

Figure 1-2

associations.

Security associations

Unprotect SAs Source/Dest Addr, SPI Cipher Algo/Key, Integrity Algo/Key

Protect SAs Source/Dest Addr, SPI Cipher Algo/Key, Integrity Algo/Key

shows the logical relationship between security policies and security

IPsec gateway WAN interface

Inbound process

Inbound policies

criteria & action

(bypass, drop, log)

Outbound policies

criteria & action

(bypass, drop, log,

protect)

Outbound process

Security

policy

database

Untrusted

network

Figure 1-2. IPsec Concepts: Security Gateways, Security Policies, and SAs

308630-14.00 Rev 00

IP0087A

1-7

Configuring IPsec Services

Security Gateways

A security gateway establishes SAs between router interfaces configured with IPsec software. A Nortel Networks router becomes a security gateway when you enable IPsec on a WAN interface . In t his w a y, a Nortel Networks router opera ti ng as a security gateway provides IPsec services to its internal hosts and subnetworks.

Hosts or networks on th e e xte rnal si de of a sec urit y ga te w ay (typic ally, the overall Internet) are considered “untrusted.” Hosts or subnetworks on the internal side of a security gat e w ay (nodes on your l ocal i ntra net) are consi dered “trus te d” beca use they are controlled and securely managed by the same network administration (Figure 1-3

Trusted network

Local host

Outbound policy

Security gateway

Inbound policy (clear text only)

IPsec interface

Untrusted

network

IPsec interface

Outbound policy

Security gateway

Inbound policy (clear text only)

Figure 1-3. IPsec Security Gateways and Security Policies

When you add IPsec services to a router to create a security gateway, its internal hosts and subnetworks can communicate with external hosts that directly operate IPsec services, or with a remote security gateway that provides IPsec services for its set of hosts and subnetworks.

Security Policies

When you create an IPsec policy, you control which packets a security gateway protects, how it handles packets to or from particular addresses or in a particular protocol, and whether it logs information about these actions.

Trusted network

Remote host

IP0078A

1-8

308630-14.00 Rev 00

Overview of IPsec

There are two types of IPsec policies: inbound and outbound. An inbound policy is used for data packets arriving at a security gateway, and an outbound policy is used for data pa ck ets leaving a security gateway. Each I Psec interface c an support up to 127 inbound and 127 outbound security policies (refer to Figure 1-3

page 1-8

The criteria (“selectors”) and action specifications used in your inbound and outbound policies are stored in the security policy database (SPD).

IPsec defaults i n fa v or of more securit y rather th an less. I f an outbou nd or inbou nd packet does not match the criteria of any configured outbound or inbound policy in the SPD, the packet is dropped.

IPsec discards an y out bound clear-text da ta pack et u nle ss you explicitly conf i gure a policy to bypass or protect it.

Po licy Templates

Every IPsec polic y is ba sed on a policy template. A policy template is a pr edef ined policy definition that you can use on any IP interface. The template specifies one or more criteria and an action to apply to incoming or outgoing data packets.

A policy template and every poli cy based on it must include at least one criterion, for example, an IP source address, and one action. For example, an outbound policy might specify a pr otect ac tion. A poli cy t emplate or po lic y may inc lude tw o actions if one of the actions is logging. The criterion specification determines whether a data pack et matches a pa rticula r securit y polic y, and the action specifi es how the policy is applied to the packet.

The action specifications that you can include in inbound and outbound policies are listed in the two sections that follow.

Inbound Polici es

An inbound policy determines how a security gateway processes data packets receiv ed from a n u ntrus ted ne tw ork. Ev ery pack e t ar ri v ing at a secu rity g ateway is compared with the criteria to determine whether it matches an IPsec policy for that router. If the incoming packet matches a bypass policy, the router accepts the packet and, if the policy is so configured, logs it.

308630-14.00 Rev 00

1-9

Configuring IPsec Services

If the packet d oes n ot mat ch an y poli cy o r matches a drop poli c y, the router rejects the packet. When a packet does not match any policy, IPsec’s default action is to drop it.

For an inbound security policy, the action may be:

•Drop

• Bypass

•Log Drop and bypass are mutua lly e xc lusive. The log action may be added to ei ther, or

used alone.

Outbound Policies

An outbound policy determines ho w a se curity gat e way proces ses data pac kets f or transmission across an untrust ed netwo rk. You must assign an out bound poli cy fo r all unicast traffic leaving an IPsec interface.

For an outbound policy, the action specification may be:

• Protect

1-10

•Drop

• Bypass

•Log Any outbound policy with a protect action specification is mapped to a Protect

SA. See “

Summarizing Security Policies and SAs” on page 1-14 for detailed

information about Protect and Unprotect SAs. Drop, protect, and bypass are mutually exclusive. The log action may be added to

any of the three, or used alone.

Policy Criteria Specification

IPsec software inspects IP packet headers based on the specified criteria to determine whether a policy applies to a data packet.

You must include at least one of the following criteria, and you may specify all three criteria in an IPse c policy:

• IP source address

308630-14.00 Rev 00

Overview of IPsec

• IP destination address

• Protocol To specify the protocol criterion, you must provide the numeric value assigned to

the protocol for use o v er the I ntern et. You can specif y only a single pr otocol value for each policy. The protocol number is represented in the 1-byte pro toc ol field in an IP packet header.

Refer to Appendix D of the numeric values assigned to various protocols, see the Internet Assigned Numbers Authority (IANA) Web site at:

http://www.iana.org The direct path to the list of legal values that you can specify for an IPs ec policy

protocol criterion as of this printing is:

http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

Security Associations

A security association (SA) is a relationship in which two peers share the necessary information to securely protect and unprotect data. An IPsec SA is uniquely identified by an IP destination address, security parameter index (SPI), and security protocol identifier (for example, ESP in tunnel mode).

An IPsec policy deter mine s which pack et s will be hand le d. An IPsec SA spe cif i es which IPsec security service (for example, confidentiality) IPsec will apply to the packets. You can apply one or more IPsec security services.

SAs themselves must be created and shared in a secure manner. There are two ways of achieving this: by using the automated security negotiation process provided by the Internet Key Exchange (IKE) protocol; or by manually configuring the sending and receiving devices with a shared secret. A shared secret is a unique security identifier.

for a list of protocol numbers. To obtain the most recent list

308630-14.00 Rev 00

1-11

Configuring IPsec Services

Automated Securit y Associat ions Using Internet Key Exc hange (IKE)

Internet Key Exchange (IKE) is an au tomated protocol to establish security associations over the Internet. (IKE is also referred to as the Internet Security Association Key Management Protocol with Oakley Key Determination, or ISAKMP/Oakley.) IKE handles negotiating, esta blishing, modifying, and deleting security associations.

To set up these security associations, IKE itself must create a confidential, secure connection between the sender and receiver. Authentication is accomplished with one or more of the following:

• Pre-shared keys: These are set up ahea d of ti me at eac h node in a tr ansact ion.

• Public key cryptography: Using the RSA public key algorithm, each

member of a transaction authenticates itself to the other using the other member’s public key to encrypt an authentication value.

• Digital signature: Each member of a transaction sends a digital signature to

the other. The signatures are authenticated using the member’s public key, obtained via an X.509 digital certificate.

The BayRS implementation of IKE uses pre-shared keys only.

1-12

Manual Security Associations

Manually configuring security associations is a more cumbersome and labor-intensive process than using IKE. If possible, IKE should be used to make large-scale secure communications practical.

Manually configured SAs often rely on static, symmetric keys on communicating hosts or security gate w ays. As suc h, you must coordina te wit hin your or ga nization and with outside parties to configure keys that will protect your information.

Security Associations for Bidirectional Traffic

An SA specifies the security services that are applied to data packets traveling in one direction between security gateways. To secure the traffic in both directions, the security gateway must have a Protect SA for data transmitted from the local IPsec interface and an Unprotect SA for data received by the local IPsec interface

(Figure 1-4)

308630-14.00 Rev 00

Overview of IPsec

Protect SA Source: 132.245.145.195

Security gateway Security gateway

132.245.145.195

Destination: 132.245.145.205

Network

Unprotect SA Source: 132.245.145.205 Destination: 132.245.145.195

Unprotect SA Source: 132.245.145.195 Destination: 132.245.145.205

Protect SA Source: 132.245.145.205 Destination: 132.245.145.195

Figure 1-4. Security Associations for Bidirectional Traffic

Under most circumstances, you will configure the Internet Key Exchange (IKE) protocol to negotiate SAs between security gateways automatically. You can also manually config ure SAs.

How IKE Negotiates Security Associations

The Internet Key Exchange (IKE) protocol automates the process of IPsec SA configuration by creating an IKE SA for Protect SA and Unprotect SA negotiatio n. Each IKE peer sends IPsec SA para meter ne gotiation in formation in a secure IKE packet. The peers generate keys based on the agreed parameters and then verify each other’s identity. Once this is done, the IPsec SA is established.

132.245.145.205

IP0079A

The IKE protocol itself is secured through an IKE SA created using the Diffie-Hellman algorithm (Oakley) to determine the key, and the authenti cation methods described in “

Exchange (IKE)” on page 1-12. The Nortel Networks implementation uses a

pre-shared key.

Security Parameter Index (SPI)

A security parameter index (SPI) is an arbitrary but unique 32-bit (4 byte) value that, when combined with the IP destination address and the numeric value of the security protocol used (ESP), uniquely identifies the SA for a data packet.

IPsec discards any incoming ESP packet if the SPI does not match any SA in the inbound security associations database (SAD).

308630-14.00 Rev 00

Automated Security Associations Using Internet Key

1-13

Configuring IPsec Services

Summarizing Security Policies and SAs

Table 1-1 and Table 1-2 provide a framew ork for un derstandi ng IPse c policie s and

SAs. They provide examples of how policies and SAs might be implemented, but are not meant to be comprehensive.

In Table 1-1

, each row defines the policy specificat i on f or t he policy named in th e first column. For example, the “blue” policy specifies two criteria -- IP source address and IP destinat ion addr ess -- and the “drop” acti on. Thi s mig ht be used to discard all traffic from an undesirable site.

The “yello w” a nd “gre en” policies specify a Protect SA action. The yel low policy covers traffic in just one protocol (TCP) to a particular subnet, while the green policy covers all traffic to particular addresses.

The “black” policy specifies the Protocol criterion only and the “bypass” action. In this case the ICMP protocol (typically used for PING functions) is passed through the security gateway without IPsec encryption.

You may define SA parameters (automatically or manually) for a policy immediately after you specify the policy using them (Table 1-2)

Table 1-1. Security Policy Specifications

IP Source

Policy Name Protocol

Blue (any) IP address IP address Drop Yellow 6 (TCP) IP subnet IP subnet Protect SA Green (any) Range of

Black 1 (ICMP) Any IP address Bypass

Address

IP addresses

IP Destination Address Action

Range of IP addresses

Protect SA

1-14

308630-14.00 Rev 00

In Table 1-2, the IP source and destination addre sses fo r t he SA are the tunnel end points for the IPsec tunnel through which the traffic passes. Intermediate routers are unaware that the traffic is encrypted, and pass it along just like any other packets.

Table 1-2. Manual Security Association (SA) Configurations

Security Association SPI Cipher Integrity

Overview of IPsec

Source Address

IP address IP address 270 DES 40 Hex value HMAC MD5 Hex value IP address IP address 260 DES 56 Hex value HMAC MD5 Hex value

Destination Address Algorithm

Key Length Key Algorithm Key

Security Protocols

IPsec uses two protocols to provide traffic security:

• Encapsulating Security Payload (ESP)

• Authentication Header (AH) You can use either protocol or both to protect data packets on a VPN. Generally,

only one protocol is necessary. The Nortel Networks I Pse c impl ement at io n uses ESP only. Nortel Networks does

not implement the AH protocol because the same functions are available from ESP.

Encapsulating Security Payload

The ESP protocol provides confidentiality (encryption) services. It can also provide data integrity, data origin authentication, and an anti-replay service.

• Data integrity ensures that the data has not been altered.

• Data origin authentication validates the sending and receiving parties.

• Anti-replay servi ce ensures that the receiver only receives and processes each

308630-14.00 Rev 00

packet once.

1-15

Configuring IPsec Services

One or more of these security services must be applied whenever ESP is invoked. ESP applies the following algorithms and transform identifiers to deliver its services:

• Data Encryption Standard (DES) (56-bit)

• 40-bit DES (manual keying only)

• Triple DES (3DES) (3DES IPsec Option only)

• HMAC Message Digest 5 (MD5)

•HMAC SHA1 ESP uses the Data Encryption Standard (DES) algorithm or the Triple DES

(3DES) algorithm for encryption. ESP uses Hashing Message Authentication Code Message Digest 5 (HMAC MD5) or HMAC SHA1 transform identifiers for authentication.

ESP uses the cipher block chaining (CBC) mode of the DES encryption algorithm. CBC is considered the most secure mode of DES. A 56-bit or 40-bit number, known as a key, controls encryption and decryption. Key management is automated through IKE, or can be controlled manually.

Both sides of an SA must use the same encryption service. Normally, you should use the stronger 56-bit DES key for greater security, or triple DES if appropriate. However, if you are communicating with a security gateway that is limited to a 40-bit DES key due to cryptography export restrictions, you must use the 40-bit key.

When ESP protection is used in tunnel mode, an “outer” IP header specifies the IPsec processing des tinat io n, and an “in ner” IP he ader spe ci f ies t he (act ual) t ar ge t destination for the packet. The security protocol header appears after the outer IP header and before the inner one. Only the tunneled packet is protected, not the outer header.

Authentication Header

The AH protocol provides data integrity, data origin authentication, and optional anti-replay services. It provides encryption services to the header only, not to the entire IP packet.

The AH protocol uses HMAC MD5 and HMAC SHA1 transform identifiers. The AH protocol is not used in the Nortel Networks implementation of IPsec.

1-16

308630-14.00 Rev 00

Internet Key Exchange (IKE) Protocol

The Internet Key Exchange (IKE) protocol negotiates and provides private and authenticated keying material for security associations. Before providing keying material, the IKE protocol itself must be a uthenticated, that is, somet hing must create an IKE secur ity as socia tion be twe en the s ecuri ty gateways IK E is ser vici ng.

BayRS software creates an IKE SA through a pre-shared authentication key. IKE creates and changes IPsec SAs dynamically, with no user intervention necessary, making them faster and more frequently than they might otherwise be made, for greater security.

To negotiate a security association, IKE pee rs fo rm a security associ ation (an IKE SA) between them. The IKE SA protects the negotiation of the IPsec SA parameters and key exchange.

The IKE protocol can change IPsec and IKE SA keys based on preconfigured criteria such as elapsed time or number of bytes sent.

Perfect Forward Secrecy

Overview of IPsec

Perfect forward secre cy (PFS) disassociates each IPs ec SA key from others in the same IKE-negotiated security association. To obtain PFS, IKE uses the Diffie-Hellman algorithm to exchange keys fo r each SA. This means that as IKE and IPsec SAs are automatically re-keyed over the course of IPsec peer communication, old keys, if compromised, cannot be used to derive previous or future keys used for other SAs.

With PFS , if an i ntrud er manages t o br eak an e ncrypt ion k e y, they gain acces s to a limited amount of data (packets protected by a single SA).

308630-14.00 Rev 00

1-17

Chapter 2

Installing IPsec

This chapter describes how to install and prepare to use IPsec. Before you configure IPsec, you need to:

• Upgrade router software, if necessary.

• Install IP sec software.

• Secure your site.

• Secure your configuration.

• Use the Technician Interface secur e shell to ent er a node prot ection ke y (NPK)

and seed (kseed), and then enter the same NPK in Site Manager.

This chapter contains the following inf ormation:

Topic Page

Upgrading Route r Software 2-2 Installing the IPsec Software 2-2 Securing Your Site 2-4 Securing Your Configuration 2-4 Creating and Using Node Protection Keys (NPKs) 2-5 Entering an Initial NPK and a Seed for Encryption 2-6

308630-14.00 Rev 00

2-1

Configuring IPsec Services

Upgrading Router Software

To install the IPsec software, you must be running BayRS Version 13.20 and Site Manager Software Version 7.20.

If you are upgradi ng your rout er softw are , copy th e route r image fr om the upgrad e CD to a directory on your hard drive. To modify an existing image, first use the Router Files Manager to transfer the image to a directory on your hard drive.

For instructions on upgrading router software, see Upgrading Routers to Version

13.xx. For information about the Image Builder, the Router Files Manager, and booting routers, see Configuring and Managing Routers with Site Manager.

Installing the IPsec Software

Before you can enable and use IPsec services, you must create an IPsec-capable router image. You create this image during the installation process. The installation instructions that appear on the IPsec software CD are included in this section.

2-2

To install the IPsec software:

Insert the IPsec software CD into the CD-ROM drive.

Open or create a directory for your router platform (for example, BN).

Copy the files

From Site Manager, start the Image Builder (choose Tools > Image

bn.exe

and

capi.exe

to the platform directory.

Builder).

Open the image in the router platform directory (for example,

bn.exe

Note that “Available Components” is empty and that “Current Components” lists the executables.

Click on Details.

4003x Baseline Router Software, select capi.e xe.

Under

Click on Remove.

The file capi.exe

Choose File > Save to save the image.

Exit the Image Builder.

is now listed under Available Components .

308630-14.00 Rev 00

Completing the Installation Process

To complete the installation process:

Open the Image Builder directory:

• On a PC, the default directory is wf\builder.dir\rel<release_number>.

• On a UNIX platform, the default directory is ~.builder/rel<release_number>.

Installing IPsec

Remove the file

capi.exe

1-byte stub file.

Copy the new

capi.exe

example, BN) to the Image Builder directory.

Restart the Image Builder and open the image from which you removed

capi.exe

Click on Details in the Available Components box.

Select

Check the size of the

capi.exe

and click on Add.

If it is less than 1 KB, you have not loaded the IPsec software. Repeat this procedure or call the Nortel Networks Technical Solutions Center for assistance.

Save the modified image that includes IPsec to a new file and exit the Image Builder.

Copy this new image to the router and reboot.

Installing Triple DES Encryption

To use Triple DES (3DES) encryption with IPsec, you must purchase the 3DES IPsec Option CD, and install the capi.exe file from it. The version of capi.exe on

this optional CD includes both 56-bit DES encryption and the stronger 3DES encryption.

from the Image Builder directory. This file is a

file from the router platform directory (for

capi.exe

file.

308630-14.00 Rev 00

2-3

Configuring IPsec Services

Securing Your Site

To enforce IPsec, carefully restrict unauthorized access to the routers that encrypt data and the workstations that you use to configure IPsec. Keep in mind that the encryption standards that IPsec uses are public. Your data is secure only if you properly protect the encryption and authentication keys. The configuration files that contain these keys include safeguards to prevent unauthorized access.

Securing Your Configuration

Store any files containing encryption keys on diskettes or other removable media, and keep the media in a secure place. Physically protecting your equipment is always a good str ate gy and th e easiest way to pr e vent unauthoriz ed acces s to these files.

Always configure your node protection keys (NPKs) locally, not over a network. When you connect a PC or a workstation to a router console port to configure encryption, use a machine that is not connected to any other equi pment. Be su re to also protect the routers on which the NPKs resid e.

Encryption Keys

IPsec uses a hierarchy of keys to protect and transmit data:

• Node protection key (NPK) -- encrypts the manual cipher and integrity keys for storage on the router or transfer from Site Manager.

-- Cipher key -- encrypts data that travels across the network in the IKE or

-- Integrity key -- calculates the integrity check value (ICV), which is used

• Pre-shared authentication key -- authenticates the IKE SA used to protect the negotiation and rekeying of IPsec SAs.

Caution:

compromised, all encrypted data on the router can be compromised.

2-4

ESP payload. (IKE cipher and integrity keys are not stored on the router.)

at the data packet destination to detect any unauthorized modification of the ESP or IKE data.

The NPK is the most critical key in the hierarchy. If the NPK is

308630-14.00 Rev 00

Random Number Generator (RNG)

The router software uses the secure random number generator (RNG) to generate initialization vectors (IVs) that are used in the ESP DES encryption transformation. These v al ues are stati sticall y random. As its so urce, the RNG uses a seed that you supply from the Technician Interface secure shell. See “

an Initial NPK and a Seed for Encryption” on page 2-6.

Creating and Using Node Protection Keys (NPKs)

The NPK encrypts manually configured IPsec ESP cipher and integrity keys or IKE pre-shared authentication keys for management information base (MIB) storage. Note that it does not encrypt, decrypt, or authenticate data.

The NPK is stored in the rou ter non v olatile r andom access memo ry (NVRAM). Its fingerprint, which is a 128-bit version of the NPK generated by a hash algorithm, is stored in the MIB. For encryption to occur, the NPK and its fingerprint in the MIB must match.

Installing IPsec

Entering

Create and confi gure a different NPK for eac h secur e rout er on you r netw or k. The NPK should be different on every router because, if an NPK is compromised, the security gateway for the router is compromised. If the same NPK is used for all secure routers, the entire network could be compromised.

Caution:

should store your NPKs o n remo vable media ( for e xample, disk ette s) a nd k eep the media in a secure location.

Generating NPKs

You create NPKs using the Technician Interface sec ure shell. You must then enter the same NPKs into the Site Manag er NPK parameter for that router.

Be very careful to protect all files where NPKs are stored. You

308630-14.00 Rev 00

2-5

Configuring IPsec Services

To generat e an NPK, use a method available at your site to c re ate r an dom 16-digit hexadecimal numbers.

Note:

You can use the NPK Key Manager to generate NPKs. The NPK Key Manager is available from t he WEP Key Manager. T o ac cess it, open the main window in Site Manager and choose Tools > WEP Key Manager > NPK Manager. During IPsec processing, you can manually enter the same NPKs in the Technician Interface. For detailed information, see Configuring Data Encryption Services.

Entering an Initial NPK and a Seed for Encryption

Before you can enable I Psec on a router, you must enter an initial NPK and create a seed for use by IPsec. You enter the NPK into a router lo cal ly, using the console port and the secure shell section of the Technician Interface. A password protects access to the secure shell.

IPsec uses the NPK to encrypt and decrypt the cipher and integrity keys, and it uses the seed specified with the needed by IPsec and IKE.

kseed

command to generate random numbers

2-6

You cannot access the NPK or the password using the MIB or the routine Technician Interface debug commands, nor can you invoke the secure shell in a Telnet session.

Caution:

Never use a terminal server to enter the NPK. Instead, use a laptop computer that you can attach directly to the router. Protect the file containing NPKs on the laptop.

308630-14.00 Rev 00

Installing IPsec

To enter an initial NPK and a seed for encryption:

If necessary, create a password for the Technician Interface secure shell by entering:

kpassword

At the Technician Interface prompt, enter the secure shell by issuing the

is an alphanumeric string of up to 16 characters.

following command:

ksession

If you issue the ksession command before setting a password, you will be prompted to do so. Use the

The prompt changes to

Begin generating the encryption seed by entering:

kseed

kpassword command in step 1.

SSHELL.

The secure shell prompts you for a random seed value.

Type a random set of keystrokes. The secure shell informs you when you have typed the required number of keystrokes.

Enter the following command:

kset npk 0x

<NPK_value>

router that you are configuring. For more information, see “

<NPK_value>

is the 16-digit he xadecimal NPK val ue that you assigned to the

Generating

NPKs” on page 2-5.

308630-14.00 Rev 00

kset npk command stores your NPK value in the router NVRAM and

The calculates a hash of this value that it stores in the router MIB.

Save the configuration by entering:

save config

config_file_name

<config_file_name>

> is the name you want to assign to the configuration file. You cannot exit the secure shell without saving the configuration. This is necessary so that upon rebooting the router with the saved configuration file, the hash of the NPK in the MIB corresponds with the NPK in NVRAM.

Exit the secure shell by entering:

kexit

2-7

Configuring IPsec Services

Changing an NPK

To maintain security, periodically change the NPK on each router. To change an NPK, enter the

create the initial NPK (see “

kset NPK

Entering an Initial NPK and a Seed for Encryption”

command, using the steps you used to

on page 2-6).

The new NPK overwrites the original, and IPsec uses the new NPK value. However, this does not change the hashed NPK value in the MIB.

To change the NPK value used by the MIB:

At the Technician Interface prompt, enter the secure shell by issuing the following command:

ksession

Enter your password.

Enter the following command:

ktranslate

old_NPK_value

<old_NPK_value>

> is the original NPK value.

The older hashed NPK in the MIB is decrypted, and the new NPK is hashed and stored in the MIB. The MIB now has the same NPK as the router.

Save the configuration file.

Monitoring NPKs

If the NPK on a router does not match the NPK in the MIB, IPsec services do not work. This situatio n usually o ccurs when you change a CPU boar d in a route r slot, and the slot now lacks the current NPK, or you revert to an older configuration that is protected by an older NPK.

View the router log to make sure that the NPK for each slot matches the NPK value in the MIB. If the values do not match use the secure shell to change either the router NPK value or the MIB NPK value. For more information about changing NPKs, see “

To view the router log e v en ts speci f ic t o an NPK in th e Technician Interface, ent er:

log -ffwidt -eKEYMGR

2-8

Changing an NPK” on page 2-8.

308630-14.00 Rev 00

Chapter 3

Starting IPsec

This chapter includes the following information:

Topic Page

Enabling IPsec and IKE 3-1 Creating Policies 3-2 Creating Security Associations 3-8

Enabling IPsec and IKE

To enable IPsec, conf igur e an IP inte rf ace usin g the Conf i gurati on Manag er. Then add IPsec servi ces to that interf ace to create a security gateway. Use the follow ing steps.

You do this System responds

1. In the Configuration Manager window, click on the WAN connector on which you want to configure an IPsec interface.

2. Click on OK. The WAN Protocols window opens.

3. Choose a WAN protocol (PPP or frame relay).

308630-14.00 Rev 00

Site Manager Procedure

The Add Circuit window opens.

The Select Protocols window opens.

(continued)

3-1

Configuring IPsec Services

You do this System responds

4. Choose (Choosing

choosing and IP.)

5. Set the following parameter s:

• IP Address

•

Subnetwork Mask

Click on

RARP, RIP, and OSPF Services

6. Click on OK. The IPsec Configuration for Interface

When you use Site Manager to configure IPsec on an interface for the first time, configure the menu items displayed in the IPsec Configuration for Interface window in sequence, starting with the top item, Outbound Policies. You must set an outbound policy for an IPsec interface before you can link an SA to it.

Creating Policies

Site Manager Procedure

IP, IPSEC, and IKE

automatically selects IP;

IPSEC

automaticall y select s

IKE

or see

Help

Configuring IP, ARP,

(continued)

IPSEC

The IP Configuration window opens.

window opens.

You create inbound and out boun d policies for an IPsec interface by using a policy template. A policy template is a policy definition that you create. You can use a policy template on any IPsec interface.

Each template contains a complete policy specification (criteria, range, and action) for the interface. This means that each policy itself is completely specified by the template. You can modify an individual policy to fit the needs of a specific interface, independent of the template specifications.

Specifying Criteria

The criteria determine the portion of a packet header (IP source address, IP destination address, protocol number) that is examined by IPsec. For each criterion, you must specify a range of values. The range represents the actual criteria values (that is, the IP addresses that are compared to the address of a packet).

3-2

308630-14.00 Rev 00

Specifying an Action

The action specification in a policy controls how a packet that matches the specified criteria (and criteria range) is processed. You decide how you want packets to be processed and apply a policy to implement your decision.

With IPsec, a packet can be processed in one of three ways:

• The packet can be dropped.

• The packet can be transmitted or received without alteration.

• The packet can be protected (outbound only). In this case, an SA is linked to the policy.

In addition to processing a packet or in the absence of a processing action, packet receipt or trans missio n ca n be reco rded i n a l og. The cor respon ding polic y actio ns are:

•Drop

• Bypass

Starting IPsec

• Protect (outbound only)

• Log (a message will be written to the router log)

The drop, bypass, and protect actions are mutually exclusive. You can specify a logging action for any of these, or in their absence. Note that if an incoming packet that do es not ma tch an y configured policy arriv es at an I Psec in te rf ace, it is dropped by default.

Policy Considerations

When you confi gure a WAN interf ace wit h IPsec, a ll inbou nd and outb ound traf f ic on that interface is processed by IPsec, including traffic being forwarded.

For unicast traffi c c ont ai ni ng r outing or control inf ormat i on, c onsi der configuring policies that all o w such traf fic to bypass IPsec. For e xample, to a llo w ICMP traffic (such as “ping” or “destination unreachable” messages) to bypass IPsec processing, configure the first policy for the interface with the protocol criterion set to number 1 (ICMP) and the action specification set to bypass.

If a data packet matches the criteria for more than one policy, the first matching policy is used.

308630-14.00 Rev 00

3-3

Configuring IPsec Services

Creating an Outbound Policy

To create an outbound policy template and policy, complete the following tasks:

You do this System responds

Site Manager Procedure

1. In the IPsec Configur ati on for Interf a ce window, click on

2. Click on

3. Click on

4. Enter a name in the Click on description on page A-3 .

5. Use the applicable range for the IP source addresses, IP destination addresses, and protocol criteria.

Policy Template

6. Use the that you want applied to traffic with the criteria that you just defined.

7. Click on OK. You return to the IPsec Policy

8. Click on

Template

Create

Help

Criteria

Action

Done

Outbound Policies

. The IPsec Policy Template

. The Create IPsec Template window

Policy Name

or see the parameter

menu to specify the

menu to add the action

. You return to the IPsec Outbound

The IPsec Outbound Policies window

opens.

Management window opens.

opens.

field.

Template Management window.

Policies window.

(continued)

3-4

308630-14.00 Rev 00

Starting IPsec

Site Manager Procedure

You do this System responds

9. Click on

10.Enter the policy name in the

Policy Name

see the parameter description on

page A-3

11.Select a template on w hich to base this policy.

12.Click on OK. If the policy does not inclu de a Protec t

13. Click on either Manual SA or Automated SA.

Add Polic y

. The Create Outbound Policy window

field. Click on

Help

Policy

14. If you chose Manual SA, see the instructions f or manual con figuration in

Creating Security Associations” on

“ page 3-8.

(continued)

opens.

action, you return to the IPsec Outbound Policies window.

If the policy includes a Protect action, the Choose SA Type dialog opens.

Manual SA lets you choose from a list of manual Protect SAs or create a ne w manual Protect SA.

Automated SA opens the Add Proposal to Policy window. If a range of IP source addresses and IP destination addresses was not configured in the template, the Add Policy Ranges dialog box appears first.

308630-14.00 Rev 00

15.If you chose Automated SA, complete the Add Proposal to Policy screen to associate one or more encryption methods with a negotiated SA to a particular IP address.

16.Click on

. You return to the IPsec Configuration

Done

for Interface window.

3-5

Configuring IPsec Services

Creating an Inbound Policy

The process for creating inbound policies is virtually identical to the process for creating outbound policies, with the exception that you cannot specify a protect action for an inbound polic y.

To create an inbound policy template and policy, complete the following tasks:

You do this System responds

Site Manager Procedure

1. In the IPsec Configur ati on for Interf a ce window, click on

2. Click on

3. Click on

4. Enter a name in the Click on description on page A-3 .

5. Use the applicable range for the IP source addresses, IP destination addresses, and protocol criteria.

Policy Template

6. Use the that you want applied to traffic with the criteria that you just defined.

7. Click on OK. You return to the IPsec Policy

8. Click on

Template

Create

Help

Criteria

Action

Done

Inbound Policies

. The IPsec Policy Template

. The Create IPsec Template window

Policy Name

or see the parameter

menu to specify the

menu to add the action

. You return to the IPsec Inbound

The IPsec Inbound Policies window

opens.

Management window opens.

opens.

field.

Template Management window.

Policies window.

(continued)

3-6

308630-14.00 Rev 00

Starting IPsec

Site Manager Procedure

You do this System responds

9. Click on

10.Enter the policy name in the

Policy Name

see the parameter description on

page A-3

11.Select a template on w hich to base this policy.

Policy

12.Click on OK. You return to the IPsec Inbound

13.Click on

Add Polic y

Done

. The Create Inbound Policy window

field. Click on

. You return to the IPsec Configuration

Help

(continued)

opens.

Policies window. If the policy includes a protect action,

the Choose SA Type dialog bo x opens .

for Interface window.

308630-14.00 Rev 00

3-7

Configuring IPsec Services

Creating Security Associations

Security associations enable you to provide bidirectional protection for data packets traveling between two routers. Each SA establishes security for data passing in a single direction. A pair of SAs (Protect SA and Unprotect SA) are created, eith er automatica lly by IKE or manually by you, for any IPsec policy configured on a security gateway. Each SA includes security information such as algorithm and keys.

You should use automated SA creation (IKE) for greater security and decreased configuration management overhead.

About Automated SA Creation

IKE creates automated SAs, based on the proposals you configure for an IPsec policy in Site Manager. Each proposal specifies an encryption and/or authentication transform for the automated SA. You do not need to specify keys for automated SAs, because IKE creates them dynamically.

You can configure up to four proposals for a policy, in order of preference. IKE will negotiate an automated SA, based on the first proposal that matches one configured on the remote security gateway. Both the inbound and the outbound SAs are created by IKE based on the results of the proposal negotiation.

3-8

308630-14.00 Rev 00

Starting IPsec

Creating an Outbound Protect Policy With Automated SAs (IKE)

To use IKE to create automated SAs, complete the following tasks:

Site Manager Procedure

You do this System responds

1. In the IPsec Configuration for Interface window, click on

2. Click on Add Policy. The Create Outbound Policy window

3. Type a name for the policy, choose a template containing a Protect action, and click OK.

4. Click on

Note: If a node protection key has not yet been set, the Node Protection Key dialog box opens before the Add Proposal to Policy window. Enter an NPK and click on OK. See

“Creating and Using Node Protection Keys (NPKs)” on page 2-5

5. Choose Enabled or Disabled from the PFS pull-down menu to set perfect forward secrecy settings.

6. Choose a Disabled or a packet size from the Anti-Replay Window Size pull-down menu.

7. Click on Add to specify the SA D est in ati on address and pre-shared key for IKE SAs. Click on descriptions beginning on page A-4 more information.

8. Click on New Proposal to create an encryption type proposal that IKE will use when negotiating SA keys with the SA destination node.

9. Type a proposal name, choose one or more encryption methods f or the p roposal, choose an Expiry type, change the Expiry value if desired, and click on

Automated SA

Help

Outbound Policies

. The Add Proposal to Policy window

or see the parameter

Done

for

The IPsec Outbound Policies window

appears.

appears. If the policy includes a protect action, the

Choose SA Type dialog box opens.

opens.

for more information.

The Add IKE SA Destination window appears. Enter the IP address and pre-shared key, and click on Done to return to the Add Proposal to Policy window.

The Edit IPsec Proposal w indow appe ars.

You return to the Edit IPsec Proposal window. Repeat steps 6 and 7 to create additional proposals if needed.

(continued)

308630-14.00 Rev 00

3-9

Configuring IPsec Services

You do this System responds

10.In the Edit IPsec Pro posal windo w , choo se the SA destination you created from the pull-down menu, choose one to four proposals (in order of priority) from the Proposals pull-down menus, and click on

11. Click on

. You return to the IPsec Configuration for

Done

About Manual SA Creation

To protect (encrypt or authenticate) data packets leaving the local IPsec interface, create a Protect SA and link it to a Protect outbound policy. To decrypt or authenticate inc oming pack ets at the loca l IPsec inter face, crea te an Unprote ct SA. (The Unprotect SA does not need to be linked to a policy.) Then, do the same for the IPsec interface on the remote router.

The cipher and integrity algorithms and keys that you specify in SAs must be identical on both ends of a connection. You must select either the cipher or the integrity service or both with in the Protect and Unprotec t SA parameters . For example, the cipher key in a Protect SA on the local IP interface must match the cipher key in the Unprotect SA on the remote router IP interface.

Site Manager Procedure

You return to the IPsec Outbound P o licies window .

Interface wind o w.

(continued)

3-10

Note:

Manual SAs must be configured to encrypt, authenticate, or both. Site Manager does not allow you to create an SA if both the Cipher Algorithm and the Integrity Algorithm parameters are set to None.

308630-14.00 Rev 00

Creating a Protect SA Manually

Starting IPsec

To manually create a Protect SA, complete the following tasks:

Site Manager Procedure

You do this System responds

1. In the IPsec Configuration for Interface window, click on

2. Click on

3. Set the following parameter s:

• SA Source IP Address

• SA Destination IP Address

• Security Parameter Index

• Cipher Algorithm

• Cipher Key Length

• Cipher Key

• Integrity Algorithm

• Integrity Key

Position the cursor in a field and click on

Values

if applicable. Click on parameter descriptions beginning on

page A-4

4. Click on OK. You return to the Protect SA List for

5. Repeat steps 2 to 4 if necessary to create additional Protect SAs. Click on when finished.

Add

to display a menu of valid options,

for more information.

Manual Protect SA

. The IPsec Manua l Protect SA wi ndow

, or see the

Help

Done

The Protect SA List for Interface window

opens.

opens, where the parameters from the Protect SA List for Interface window become active.

Interface wind o w. You return to the IPsec Configuration for

Interface wind o w.

308630-14.00 Rev 00

3-11

Configuring IPsec Services

Creating an Unprotect SA Manually

To manually create an Unprotect SA, complete the following tasks:

Site Manager Procedure

You do this System responds

1. In the IPsec Configuration for Interface window, click on

2. Click on

3. Set the following parameter s:

• SA Source IP Address

• SA Destination IP Address

• Security Parameter Index

• Cipher Algorithm

• Cipher Key Length

• Cipher Key

• Integrity Algorithm

• Integrity Key

Position the cursor in a field and click on

Values

if applicable. Click on parameter descriptions beginning on

page A-4

4. Click on OK. You return to the Unprotect SA List for

5. Repeat steps 2 through 4, if necessary, to create additional Unprotect SAs. Click on

Done

Add

to display a menu of valid options,

for more information.

when finished.

Manual Unprotect SA

. The IPsec Manual Unprotect SA window

, or see the

Help

The Unprotect SA List for Interface

window opens.

opens, where the parameters from the Unprotect SA List for Interface window become active.

Interface wind o w. You return to the IPsec Configuration for

Interface wind o w.

3-12

308630-14.00 Rev 00

Chapter 4

Customizing IPsec

This chapter contains information about cha ngi ng a n IPsec configura ti on tha t y ou have already set up. After initial configuration, this may be your most common task.

This chapter includes the following information:

Topic Page

Changing E xisting Policies 4-1 Changing Existing Security Associations 4-8 Disabling IPsec 4-11

Changing Existing Policies

You may find it necessary to change which policies are applied to data in a security association, change the order in which multiple policies are applied, or remove policies.

308630-14.00 Rev 00

4-1

Configuring IPsec Services

Editing a Policy

To edit an existing IPsec policy on a router interface, complete the following tasks:

You do this System responds

Site Manager Procedure

1. In the Configuration Manager window, click on the WAN connector on which you want to change an IPsec policy.

2. Click on

3. From the

IP > IP Security > [Outbound Po licies Inbound Policies

4. Click on

5. Change items by selecti ng them in the

Policy Information

• To remove an action or criterion, select it and click on

• To add an act ion , c hoose

Bypass

• To add criteria, choose

Address, IP Destination Address Protocol

• To change Source Address, Destination Address, or Protocol criteria, select the appropriate line. The range values app ear in the below the text field. Make changes in these boxes and click on

6. Click on OK. You return to the IPsec [Inbound |

7. Click on

8. Click on

File

Edit Circuit

Protocols

Edit Policy

Delete

from the

Range Min.

Done

menu.

. The Circuit Definition window opens.

menu, choos e

text field:

Log, Protect

menu.

Action

IP Source

Criteria

and

. You return to the Circuit Definition

or choose

menu.

Range Max.

Modify

Exit

Edit

, or

box es

from the

The Edit Connector dialog box opens.

The IPsec [Inbound | Outbound] Policies

window opens.

The Edit IPsec [Inbound | Outbound] Policies window opens.

, or

Outbound] Policies window.

window. You return to the Configuration Manager

main window.

4-2

308630-14.00 Rev 00

Adding a Policy

The procedure to add an I Psec polic y t o a rou ter in terf ace depe nds on the protoc ol used on the interface. Choose the appropriate procedure that follows for PPP or frame relay.

PPP Protocol

To add an IPsec policy to a router interface configured with PPP, complete the following tasks:

You do this System responds

Customizing IPsec

Site Manager Procedure

1. In the Configuration Manager window, click on the WAN connector on which you want to change an IPsec policy.

2. Click on

3. From the

IP> IP Security > [Outbound Policies Inbound Policies

4. Click on

5. In the the policy.

6. From the interface where the policy should be added.

7. From the on which to base the policy.

8. Click on OK. If the policy includes a protect action, the

9. If the Choose SA Type dialog opens, choose instructions in “Creating an Outbound

Protect Policy With Automated SAs (IKE)” on page 3-9, or choose

follow the instructions in “Creating a

Protect SA Manually” on page 3-11.

Edit Circuit

Protocols

Add Policy

Policy Name

Interfaces

Te mplates

Automated SA

. The Circuit Definition window opens.

menu, choose

]

field, type a name for

list, select the

list, select a template

and follow the

Manual SA

Edit

and

The Edit Connector dialog box opens.

The IPsec [Inbound | Outbound] Policies

window opens.

The Create [Inbound | Outbound] Policy window opens.

Choose SA Type dialog box opens. You return to the IPsec [Inbound |

Outbound] Policies window.

(continued)

308630-14.00 Rev 00

4-3

Configuring IPsec Services

Site Manager Procedure

You do this System responds

10. Click on

11.Choose

. You return to the Circuit Definition

Done

Exit

from the

menu. You return to the Configuration Manager

File

(continued)

window.

main window.

Frame Relay Protocol

To add an IPsec policy to a rout er interface configured with fra me re la y, complete the following tasks:

Site Manager Procedure

You do this System responds

1. In the Configuration Manager window, click on the WAN connector on which you want to change an IPsec policy.

2. Click on

3. Click on

4. Select a service record. From the

Protocols Security > [Outbound Policies Inbound Policies

5. Click on

6. In the the policy.

7. From the interface where the policy should be added.

8. From the on which to base the policy.

9. Click on OK. If the policy includes a protect action, the

Edit Circuit

Services

menu, choose

Add Policy

Policy Name

Interfaces

Te mplates

. The Frame Relay Circuit Definition

. The Frame Relay Servic e List window

Edit IP > IP

field, type a name for

list, select the

list, select a template

The Edit Connector dialog box opens.

window opens.

opens. The IPsec [Inbound | Outbound] Policies

window opens.

The Create [Inbound | Outbound] Policy window opens.

Choose SA Type dialog box opens.

(continued)

4-4

308630-14.00 Rev 00

Customizing IPsec

Site Manager Procedure

You do this System responds

10.If the Choose SA Type dialog opens, choose instructions in “Creating an Outbound

Protect Policy With Automated SAs (IKE)” on page 3-9, or choose

follow the instructions in “Creating a

Protect SA Manually” on page 3-11.

11. Click on

12. Click on

13. Click on

Automated SA

. You return to the Frame Relay Service

Done

. You return to the Circuit Definition

Done

. You return to the Configuration Manager

Done

and follow the

Manual SA

and

(continued)

You return to the IPsec [Inbound | Outbound] Policies window.

List window.

window.

main window.

308630-14.00 Rev 00

4-5

Configuring IPsec Services

Reordering Policies

The procedure to reorder IPsec policies on a router interface depends on the protocol used on the interface. Choose the appropriate procedure that follows for PPP or frame relay.

PPP Protocol

To change the order in which existing IPsec policies are applied on a router interface configu red with PPP, complete the fo llowing tasks:

You do this System responds

Site Manager Procedure

1. In the Configuration Manager window, click on the WAN connector on which you want to reorder IPsec policies.

2. Click on

3. From the

IP > IP Security > [Outbound Po licies Inbound Policies

4. Choose the policy you want to move and click on

5. Change the order in which the pol icy is applied:

• To move the policy up, click on the

Before

• To move the policy down, click on the

Insert After

6. In the policy number before or after which you are inserting the current policy.

7. Click on OK. You return to the IPsec [Inbound |

8. Click on

9. Choose

Edit Circuit

Protocols

Reorder Policies

radio button.

Precedence Number

Done

from the

Exit

. The Circuit Definition window opens.

menu, choose

. You return to the Circuit Definition

menu. You return to the Configuration Manager

File

Edit

Insert

field, type the

The Edit Connector dialog box opens.

The IPsec [Inbound | Outbound] Policies

window opens.

The Change Precedence dialog box opens.

Outbound] Policies window. The policies reflect the new order you specified.

window.

main window.

4-6

308630-14.00 Rev 00

Customizing IPsec

Frame Relay

To change the order in which existing IPsec policies are applied on a router interface configured with frame relay, complete the following tasks:

Site Manager Procedure

You do this System responds

1. In the Configuration Manager window, click on the WAN connector on which you want to reorder IPsec policies.

2. Click on

Note

dialog box, the Reorder button is not available in the resulting window.

3. Cilck on

4. From the

IP > IP Security > [Outbound Po licies Inbound Policies

5. Choose a policy you want to move and click on

6. Change the order in which the pol icy is applied:

• To move the policy up, click on the

Before

• To move the policy down, click on the

Insert After

7. In the policy number before or after which you are inserting the current policy.

8. Click on OK. You return to the IPsec [Inbound |

9. Click on

10. Click on

Edit Circuit

: Although IP Security is available from submenus of the Protocols menu in this

Services

Protocols

Reorder Policies

radio button.

Precedence Number

Done

. The Circuit Definition window opens.

. The Frame Relay Servic e List window

menu, choose

. You return to the Circuit Definition

. You return to the Configuration Manager

Edit

Insert

field, type the

The Edit Connector dialog box opens.

opens. The IPsec [Inbound | Outbound] Policies

window opens.

The Change Precedence dialog box opens.

Outbound] Policies window. The policies reflect the new order you specified.

window.

main window.

308630-14.00 Rev 00

4-7

Configuring IPsec Services

Changing Existing Security Associations

To ensure the integrity of SAs, vital information such as IKE pre-shared keys or manual SA shared secrets need to be changed from time to time. You may also want to change other settings associated with an SA.

Automated SA (IKE) Modifications

To change the IKE set tings for a utomate d SAs on a route r, complete the following tasks:

Site Manager Procedure

You do this System responds

1. From the

IKE.

2. Click on the SA you want to modify The SA’s current values appear in the

3. Type a name for the SA in the field, if the SA does not already have a name. You cannot apply changes without an SA name.

4. Place the cursor in the

Type

key type of either HEX or ASCII.

5. Select a value and click on OK. The ap propriate Pre-Share d Key field

6. Type a new key in the

(hex)

7. Type a new value in the

Minutes

8. Click on

9. Click on

Protocols

field and click on

Pre-Shared Key (ascii)

field, if desired.

Apply Done

menu, choose

Pre-Shared Key

Values

Pre-Shared Key

Expiry Value

. You return to the Configuration Manager

IP >

SA Name

to select a

field.

The Edit IKE SA Destination window opens. A list of SAs specifying source and destination appears.

fields below the list of SAs.

A Values Selection dialog box opens.

becomes active.

main window.

4-8

308630-14.00 Rev 00

Manual SA Modifications

The procedure to modify manual SAs on a router interface depends on the protocol used on the interface. Choose the appropriate procedure that follows for PPP or frame relay.

PPP Protocol

To change or add man ual SAs on a router in terf ace conf i gured with PPP, complete the following tasks:

You do this System responds

Customizing IPsec

Site Manager Procedure

1. In the Configuration Manager window, click on the WAN connector on which you want to add or change manual SAs.

: Although the menu path IP > IP Security > Manual SAs is available from the

Note

Protocols menu wi thout clic kin g on a connec tor , th e Add bu tton is not a v ailab l e unless y ou choose a specific connector.

2. Click on

3. From the

IP> IP Security > [Manual Protect SAs Manual Unprotect SAs

4. Enter the NPK and click on OK. The [Protect | Unprotect] SA List for

5. Change or add an SA:

• If you are changing an e xistin g SA, choose the SA you want to alter from the list. Change the five Cipher and Integrity fields by typing new information or clicking on the Values button. Click on finished.

• To add an SA, click on Manual SA Configuration screen as usual, and click on

6. Click on

7. Choose

Edit Circuit

Protocols

Done

from the

Exit

. The Circuit Definition window opens.

menu, choose

]

Apply

. Complete the

Add

when finished to return.

. You return to the Circuit Definition

menu. You return to the Configuration Manager

File

Edit

when

The Edit Connector dialog box opens.

You may be prompted for the Node

Protection Key. If not, go to step 5.

Interface window opens.

window.

main window.

308630-14.00 Rev 00

4-9

Configuring IPsec Services

Frame Relay

To change or add manual SAs on a router interface configured with frame relay, complete the following tasks:

You do this System responds

Site Manager Procedure

1. In the Configuration Manager window, click on the WAN connector on which you want to add or change manual SAs.

: Although the menu path IP > IP Security > Manual SAs is available from the

Note

Protocols menu wi thout clic kin g on a connec tor , th e Add bu tton is not a v ailab l e unless y ou choose a specific connector.

2. Click on

3. Cilck on

4. From the

> IP Security > [Manual Protect SAs Manual Unprotect SAs

5. Enter the NPK and click on OK. The [Protect | Unprotect] SA List for

6. Change or add an SA:

• To add an SA, click on Manual SA Configuration screen as usual, and click the [Protect | Unprotect SA List for Interface wind o w.

7. Click on

8. Click on

9. Click on

Edit Circuit Services

Protocols

Done

. The Circuit Definition window opens.

. The Frame Relay Servic e List window

menu, choose

]

Apply

. Complete the

Add

when finished to return to

. You return to the Frame Relay Services

. You return to the Circuit Definition

. You return to the Configuration Manager

Edit IP

when

The Edit Connector dialog box opens.

opens. You may be prompted for the Node

Protection Key. If not, go to step 6.

Interface window opens.

List window.

window.

main window.

4-10

308630-14.00 Rev 00

Disabling IPsec

To disable IPsec on all router interfaces configured for it, complete the following tasks:

You do this System responds

Customizing IPsec

Site Manager Path

1. In the Configuration Manager window, choose

2. Choose IP. The IP menu opens.

3. Choose

4. Choose

5. Set the

Disable

parameter description on page A-2 more information.

6. Click on

Note:

Protocols

IP Security Globals

IP Security Enable

. Click on

Done

Disabling IPsec on a router or individual interface also disables IKE on

. The IP Security menu opens.

. The Edit IP Security Global Parameters

parameter to

or see the

Help

for

. You return to the Configuration Manager

The Protocols menu opens.

window opens.

window.

that router or interface automatically.

To disable IPsec on an individual interface, do the following:

Site Manager Path

You do this System responds

1. In the Configuration Manager window,

2. In the Circuit Definition screen, choose

3. Click in the IP Security Enable field.

308630-14.00 Rev 00

The Circuit Definition screen opens.

click on an existing IPsec interface.

The Enable IP Security screen opens. Edit IP from the Protocols menu, and select IP Security > Enable Ipsec.

(continued)

4-11

Configuring IPsec Services

Site Manager Path

You do this System responds

4. Click on Values and select Disable from the dialog box.

5. Click on OK to close the dialog. The dialog box closes.

6. Click on

. You return to the Configuration Manager

Done

(continued)

window.

4-12

308630-14.00 Rev 00

Appendix A

Site Manager Pa rameters

This appendix describes the Site Manager parameters for:

• Creating a node protection key (NPK)

• Enabling IPsec

• Configuring IPsec policies

• Manually configuring IPsec security associations

• Using IKE to create security associations

Node Protection Key Parameter

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

308630-14.00 Rev 00

Node Protection Key

Associations (SAs) Configuration Manager > Protocols > IP > IKE None An 8-byte value Used as a cryptographic key for protecting sensitive MIB objects. The NPK

value is stored in nonvolatile random access memory (NVRAM). The IPsec software performs a hash of the NPK value, which it places in a special MIB attribute. The NPK value stored in NVRAM is unique to th e rou ter. It is used to encrypt the cipher and integrity keys before they are stored in the router MIB.

Enter a 16-digit hexadecimal value. (Enter the prefix 0x before the digits.) None

A-1

Configuring IPsec Services

Enabling IPsec Parameters

Parameter:

Path:

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path:

Default:

Options:

Function:

Instructions:

MIB Object ID:

IP Security Enable

Configurat ion Manag er > Prot ocols > IP > IP Securi ty > Gl oba ls (g lobal set ting ) Configuration Manager > Edit Circuit > Protocols > Edit IP > IP Security >

Enable IPse c (individual IPsec interface setting) Enable Enable Enables or disables IPsec on a router. If this parameter is set to Disable, you

cannot implement IPsec. To implement IP security on a router, set this parameter to Enable.

1.3.6.1.4.1.18.3.5.3.26.1.2 (global)

1.3.6.1.4.1.18.3.5.3.2.1.24.1.59 (individual IPsec interface)

Maximum SPI

Configuration Manager > Protocols > IP > IP Security > Globals 384 256 through 65535 Specifies the maximum acceptable security parameter index (SPI) value for

manually config ure d SAs. Enter an integer which represents the maximum SPI value required for manual

SAs for this interface.

1.3.6.1.4.1.18.3.5.3.26.1.5

Disable

A-2

308630-14.00 Rev 00

IPsec Policy Parameters

Site Manager Parameters

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Outbound Policies

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Outbound Policies

Default:

Options:

Function:

Instructions:

MIB Object ID:

Policy Enable

Configuration Manager > Protocols > IP > IP Security > Inbound Policies Enable Enable Determines whether the named policy will be used on the IP interface. Set this parameter to Enable to activate the named policy on the IP interface. None

Policy Name

Configuration Manager > Protocols > IP > IP Security > Inbound Policies None Any valid name Specifies the name of the policy to be created using the IPsec policy template. Enter a name to identify any policy you create using the IPsec policy template. None

Disable

308630-14.00 Rev 00

A-3

Configuring IPsec Services

Manual Security Ass ociation Parameters

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

SA Source IP Address

Associations (SAs) (viewing only) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA None Any valid IP address Specifies the IP address of the source interface for this SA. For a Protect SA, enter the IP address of the local IPsec interface. For an

Unprotect SA, enter the IP address of the remote IPsec interface. None

SA Destination IP Address

Associations (SAs) (viewing only) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA None Any valid IP address Specifies the IP address of the destination interface for this SA. For a Protect SA, enter the IP address of the remote IPsec interface. For an

Unprotect SA, enter the IP address of the local IPsec interface. None

A-4

308630-14.00 Rev 00

Site Manager Parameters

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

Security Parameter Index

Associations (SAs) (viewing only) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA 256 256 to 65535 The security parameter index (SPI) is an arbitrary 32-bit value that, when

combined with the destination IP address and the numeric value of the security protocol being used (ESP), identifies the SA for the data packet.

Enter a value fr om 256 to the value c onfigured for t he Maxi mum SPI p ar amet er. None

Cipher Algorithm

Associations (SAs) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA DES CBC None

DES CBC

Identifies the cipher algorith m for this SA. To implement the cipher (or confidential/encrypted) level of security, select the

Data Encryption Standard (DES) algorithm. If you select None, this level of security will not be applied to data packets processed accord ing to this SA; that is, the data packets will not be encrypted.

1.3.6.1.4.1.18.3.5.3.26.5.1.6

308630-14.00 Rev 00

A-5

Configuring IPsec Services

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

Cipher Key Length

Associations (SAs) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA DES56 DES40

DES56

Identifies the cipher key length (strength) for this SA. Select a cipher key length of either 40 or 56 bits. The longer key length

(strength) provides grea ter security.

1.3.6.1.4.1.18.3.5.3.26.5.1.8

Cipher Key

Associations (SAs) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA None Any valid 8-byte value Specifies the key for an SA cipher algorithm. This key value must match on

both sides of an SA to enable the encryption and decryption of data packets according to the Data Encryption Standard (DES) algorithm.

Enter a 16- digit (8-byte) hexadecimal value. (Enter the pr efix

before the

16 digits.)

1.3.6.1.4.1.18.3.5.3.26.5.1.7

A-6

308630-14.00 Rev 00

Site Manager Parameters

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

Integrity Algorithm

Associations (SAs) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA None None

HMAC MD5

Enables imple mentation of the HMAC MD5 algorithm, which determines whether a data packet was changed between the source and destination.

To implement the security integrity level, select the HMAC MD5 algorithm. If you select None, this level of security will not be applied to data packets processed according to this SA; that is, IP security cannot determine whether a data packet was changed between the source and destination.

1.3.6.1.4.1.18.3.5.3.26.5.1.9

308630-14.00 Rev 00

A-7

Configuring IPsec Services

Parameter:

Path: Configuration Manager > Protocols > IP > IP Security > Manual Security

Default:

Options:

Function:

Instructions:

MIB Object ID:

Integrity Key

Associations (SAs) Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual Protect

SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Manual

Unprotect SAs > Add Configuration Manager > Edit Circuit > Protocols > Edit IP > Outbound

Policies > Add Policy > OK > Manual SA None Any valid 16-byte value Specifies the key for an SA integrity algorithm. This key value must match on

both sides of an SA to ena ble the integrity algorithm to determin e whether a data packet was changed between the source and destination.

T o estab lish the i nte grity level of IP security, enter a 32-digit hexadecimal va lue. (Enter the prefi x

before the 32 digits.)

1.3.6.1.4.1.18.3.5.3.26.5.1.10

A-8

308630-14.00 Rev 00

Site Manager Parameters

Automated Security Association (IKE) Parameters

Parameter:

Path: Configuration Manager > Protocols > IP > IKE

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path: Configuration Manager > Protocols > IP > IKE

Default:

Options:

Function:

Instructions:

MIB Object ID:

SA Name

Configuration Manager > Edit Circuit > Protocols > Edit IP > IKE None Any text string Used to iden tify various IKE SAs as you alter them. Enter a meaningful alphanumeric st ring to identify the SA.

1.3.6.1.4.1.18.3.5.27.1.1.8

Pre-Shared Key Type

Configuration Manager > Edit Circuit > Protocols > Edit IP > IKE ASCII ASCII Determines which type of pre-shared key is used, acti v ating the appropriate f ield

for you to enter a pre-shared key. Choose the pre-shared key type. Configure the same pre-shared key type as the

destination router. N/A

HEX

Parameter:

Path: Configuration Manager > Protocols > IP > IKE

Default:

Options:

Function:

Instructions:

MIB Object ID:

308630-14.00 Rev 00

Pre-Shared Key (ascii)

Configuration Manager > Edit Circuit > Protocols > Edit IP > IKE None Any ASCII value Used as a cryptographic key for creating IKE SAs between routers. IKE is then

used to create automated SAs for data packets. Enter an ASCII string. Configure the same pre-shared key on the destination

router. N/A

A-9

Configuring IPsec Services

Parameter:

Path: Configuration Manager > Protocols > IP > IKE

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path: Configuration Manager > Protocols > IP > IKE

Default:

Options:

Function:

Instructions:

MIB Object ID:

Pre-Shared Key (hex)

Configuration Manager > Edit Circuit > Protocols > Edit IP > IKE None Any hexadecimal value Used as a cryptographic key for creating IKE SAs between routers. IKE is then

used to create automated SAs for data packets. Enter a hexadecimal number. (Enter the prefix

before the digits.) Configure

the same pre-shared key on the destination router.

1.3.6.1.4.1.18.3.5.27.1.1.9

Expiry Value Minutes

Configuration Manager > Edit Circuit > Protocols > Edit IP > IKE 480 Any integer Specifies when an SA key will expire. Enter a value that is appropriate for your site.

1.3.6.1.4.1.18.3.5.27.1.1.10

Parameter:

Path:

Default:

Options:

Function:

Instructions:

MIB Object ID:

A-10

SA Destination

Configuration Manage r > Add Cir cuit > WAN Protocols > PPP

Frame Relay >

Select Protocols > IKE > IPsec Configuration for Interface > Outbound Policies Configuration Manager > Edit Circuit > Protocols > Edit IP > IKE > Add None Any valid IP address. Specifies the IP address of the destination interface for this automated SA. Enter the IP a ddress of the remote IPsec interface that will negotiate automated

SAs using the specified pre - shared key.

1.3.6.1.4.1.18.3.5.27.1.1.3

308630-14.00 Rev 00

Site Manager Parameters

Parameter:

Path:

Default:

Options:

Function:

Instructions:

MIB Object ID:

Parameter:

Path:

Default:

Options:

Function:

Instructions:

MIB Object ID:

Anti-Replay Window Size

Configuration Manage r > Add Cir cuit > WAN Protocols > PPP Select Protocols > IKE > IPsec Configuration for Interface > Outbound Policies

Configuration Manager > Edit Circuit > Protocols > Edit IP > IP Security > Outbound Policies

64 Packets Disabled Specifies the number of packets that are used for repl ay checking. Anti-replay

checking examines the sequence number of encrypted packets received and determines if the packet has been received before.

Choose a number of packets to track for anti-replay checking, or choose Disabled to turn this featu re off.

N/A

PFS (Perfect F o rward Secrecy)

Configuration Manage r > Add Cir cuit > WAN Protocols > PPP Select Protocols > IKE > IPsec Configuration for Interface > Outbound Policies

Configuration Manager > Edit Circuit > Protocols > Edit IP > IP Security > Outbound Policies

Enabled Enabled Specifies whether perfect forward secrecy is used for this SA. Choose Enabled or Disabled from the drop-down list box. N/A

Inbound Policies > Add Policy

Inbound Policies > Edit Proposal

32 Packets | 64 Packets | 128 Packets

Inbound Policies > Add Policy

Inbound Policies > Edit Proposal

Disabled

Frame Relay >

308630-14.00 Rev 00

A-11

Appendix B

Definitions of k Commands

This appendix contains definitions of the “k” commands that you use to work in the Technician Interface secure shell.

Command System Response

kexit kpassword kseed

ksession kset

<flags>

[

]

ktranslate

<old_NPK>

Exits the secure shell. Changes the pass word of the secure shell. Initializes the cryptographi c rand om number generator while in

the secure shell. Initiates a secure shell session.

Sets parameter values in the secure shell. Example: kset npk key.

Also sets protected IPsec MIB objects (keys). The command encrypts the value specified using the NPK, and writes the encrypted value to the MIB. Example:

kset ipsec

<value>

sets the router node protection

kset

wfIpsecEspSaEntry.wfIpsecEspSaManualCipherKey .100.1.1.1.100.1.1.2.256 0x1234567890abcdef

Translates a configuration from an old node protection key (NPK) value to the current NPK value. Example: ktranslate

<old_NPK>

308630-14.00 Rev 00

B-1

This appendix provides configuration examples for both automated and manual security associations. Configuration of outbound and inbound policies is similar for both automated and manual SAs. Details for configuring the Protect and Unprotect SAs are needed only if you are using the manual process.

Inbound and Outbound Policies

All unicast traffic must be defined by a security policy. Traffic traveling from a security gateway is defined by an outbound policy; traffic traveling to a secure gateway is defined by an inbound policy. Inbound protected traffic that is associated with an Unprotect SA configured on the interface does not require a policy.

Appendix C

Configuration Examples

308630-14.00 Rev 00

C-1

Configuring IPsec Services

Automated SA (IKE) Policy Examples

As you review the security policy examples in this section, refer to Figure C-1.

RTR1

S32

192.32.5.0

S31 - 119.68.12.1

INET

189.132.10.1 - S52

129.43.12.19 - S28

192.32.1.5 - S33

RTR2

RTR3

RTR4

Figure C-1. IPsec Automated Outbound P olicies for RTR1, RTR2, and RTR3

• The SA pair between RTR1 and RTR2 use both 3DES and HMAC MD5, and a default SA expiry time of 8 hours.

• The SA pair between RTR1 and RTR3 use only DES and a default SA expiry time of 8 hours.

• The SA pair between RTR1 and RTR4 use only SHA1 a nd an SA expiry time of 24 hours.

192.32.10.0

S51

192.32.20.0

S27

192.32.30.0

S31

C-2

308630-14.00 Rev 00

Configuration Examples

Example 1: Required Policies, Proposals, and SA Destinations on RTR1 and RTR2 to Prot ect Data Between RTR1 Subnet 192.32. 5.0 and RTR2 Subnet 192.32.10.0

RTR 1 Interface S31 Policy

Action Criteria

SA Destination Pre Shared Key

Proposal

RTR 2 Interface S52 Policy

Action Criteria

SA Destination Pre Shared Key

Proposal

Outbound Protect IP source address range: 192.32.5.0 - 192.32.5.255 IP destination address range: 192.32.10.0 - 192.32.10.255

189.132.10.1 0xabba1234daba1234

3DES-MD5

Outbound Protect IP source address range: 192.32.10.0 - 192.32.10.255 IP destination address range: 192.32.5.0 - 192.32.5.255

119.68.12.1 0xabba1234daba1234

3DES-MD5

Example 2: Required Policies, Proposals, and SA Destinations on RTR1 and RTR3 to Prot ect Data Between RTR1 Subnet 192.32. 5.0 and RTR3 subnet 192.32.20.0

RTR 1 Interface S31 Policy

Action Criteria

SA Destination Pre Shared Key

Proposal

308630-14.00 Rev 00

Outbound Protect IP source address range: 192.32.5.0 - 192.32.5.255 IP destination address range: 192.32.20.0 - 192.32.20.255

129.43.12.19 0xbeef1234daba1234

DES

C-3

Configuring IPsec Services

RTR 3 Interface S28 Policy

Action Criteria

SA Destination Pre Shared Key

Proposal

Example 3: Required Policies, Proposals, and SA Destinations on RTR1 and RTR4 to Prot ect Data Between RTR1 Subnet 192.32. 5.0 and RTR4 Subnet 192.32.30.0

RTR 1 Interface S31 Policy

Action Criteria

SA Destination Pre Shared Key

Proposal

Outbound Protect IP source address range: 192.32.20.0 - 192.32.20.255 IP destination address range: 192.32.5.0 - 192.32.5.255

119.68.12.1 0xbeef1234daba1234

DES

Outbound Protect IP source address range: 192.32.5.0 - 192.32.5.255 IP destination address range: 192.32.30.0 - 192.32.30.255

192.32.1.5 0xabba1579daba1234

SHA1, expiry minutes 1440

C-4

RTR 4 Interface S33 Policy

Action Criteria

SA Destination Pre Shared Key

Proposal

Outbound Protect IP source address range: 192.32.30.0 - 192.32.30.255 IP destination address range: 192.32.5.0 - 192.32.5.255

119.68.12.1 0xabba1579daba1234

SHA1, expiry minutes 1440

308630-14.00 Rev 00

Manual SA Policy Examples

As you review the security policy examples in this section, refer to Figure C-2. All of the routers have OSPF interfaces configured for type NBMA transmit

unicast frames. An outbound and an inbound bypass policy protect all unicast traffic for the specified router subnetworks.

Security policy examples 1 and 2 show how to configure outbound policies to protect all unic ast tr af f ic betwee n RTR1 and RTR2; e xamples 3 and 4 sho w ho w to configure o utbound polic ies to pr otect all un icast traf f ic betwee n R T R2 and RTR3; and examples 5, 6, and 7 show how to configure outbound policies to protect all traffic between RTR1 and RTR3. A bypass inbound policy is in effect for all incoming traffic to the routers so that no SAs are required.

Configuration Examples

192.32.5.0

RTR1

Protect / Unprotect SA

RTR1 to RTR2

SPI 256

IP / IPsec / OSPF(Type: NBMA)

S21

1.1.1.1

S21

1.1.1.2 Protect / Unprotect SA

RTR1 to RTR3

192.28.41.0

RTR2

SPI 257

Protect / Unprotect SA

RTR2 to RTR3

SPI 256

IP / IPsec / RIP

S31

2.2.2.1

S11

2.2.2.2

192.131.141.0

RTR3

Figure C-2. IPsec Manual Outbound Policies for RTR1, RTR2, and RTR3

Example 1: Required Policies on RTR1 to Protect Data Between RTR1 Subnet 192.32.5.0 and RTR2 Subnet 192. 28.41.0

RTR 1 Interface S21 Policy

Action Criteria

Outbound Protect IP source address range: 192.32.5.0 - 192.32.5.255 IP destination address range: 192.28.41.0 - 192.28.41.255 Source: 1.1.1.1

Destination: 1.1.1.2 SPI 256

308630-14.00 Rev 00

C-5

Configuring IPsec Services

RTR1 Interface S21

Security Policy Action Criteria

Example 2: Required Policies on RTR2 to Protect Data Between RTR1 Subnet 192.32.5.0 and RTR2 Subnet 192. 28.41.0

RTR 2 Interface S21 Policy

Action Criteria

Security Policy Action Criteria

Outbound Protect IP source address range: 192.28.41.0 - 192.28.41.255 IP destination address range: 192.32.5.0 - 192.32.5.255 Source: 1.1.1.2

Destination: 1.1.1.1 SPI 256

Outbound Inbound Bypass Bypass Protocol 89 (OSPFIGP) Protocol 89 (OSPFIGP)

RTR2 Interface S21

Outbound Inbound Bypass Bypass Protocol 89 (OSPFIGP) Protocol 89 (OSPFIGP)

C-6

308630-14.00 Rev 00

Configuration Examples

Example 3: Required Policies on RTR2 to Protect Data Between RTR2 Subnet 192.28.41.0 and RTR3 Subnet 192. 131.141.0

RTR 2 Interface S31 Policy

Action Criteria

Outbound Protect IP source address range: 192.28.41.0 - 192.28.41.255 IP destination address range: 192.131.141.0 - 192.131.141.255 Source: 2.2.2.1

Destination: 2.2.2.2 SPI 256

Example 4: Required Outbound Policies on RTR3 to Protect Data Between RTR2 Subnet 192.28.41.0 and RTR3 Subnet 192.131.141.0

RTR 3 Interface S11 Policy

Action Criteria

Outbound Protect IP source address range: 192.131.141.0 - 192.131.141.255 IP destination address range: 192.28.41.0 - 192.28.41.255 Source: 2.2.2.2

Destination: 2.2.2.1 SPI 256

Example 5: Required Outbound Policies on RTR1 to Protect Data Between RTR1 Subnet 192.32.5.0 and RTR3 Subnet 192.131.141.0

RTR 1 Interface S21 Policy

Action Criteria

308630-14.00 Rev 00

Outbound Protect IP source address range: 192.32.5.0 - 192.32.5.255 IP destination address range: 192.131.141.0 - 192.131.141.255 Source: 1.1.1.1

Destination: 2.2.2.2 SPI 257

C-7

Configuring IPsec Services

RTR2 Interface S21

Security Policy Action Criteria

Outbound Inbound Bypass Bypass Protocol 89 (OSPFIGP) Protocol 89 (OSPFIGP)

Example 6: Required Policies on RTR2 to Allow ESP Traffic to Pass Through and OSPF to Exchange Routing Updates Between RTR1 and RTR2

RTR2 Interface S21

Security Policy Action Criteria Security Policy Action Criteria

Outbound Inbound Bypass Bypass Protocol 89 (OSPFIGP) Protocol 89 (OSPFIGP) Outbound Inbound Bypass Bypass Protocol 50 (ESP) Protocol 50 (ESP)

C-8

Security Policy Action Criteria

RTR2 Interface S31

Outbound Inbound Bypass Bypass Protocol 50 (ESP) Protocol 50 (ESP)

308630-14.00 Rev 00

Configuration Examples

Example 7: Required Policies on RTR3 to Protect Data Between RTR3 Subnet 192.131.141.0 and RTR1 192.32.5.0

RTR 3 Interface S11 Policy

Action Criteria

Outbound Protect IP source address range: 192.131.141.0 - 192.131.141.255 IP destination address range: 192.32.5.0 - 192.32.5.255 Source: 2.2.2.2

Destination:1.1.1.1 SPI 257

Manual Protect and Unprotect SA Configuration

SAs specify which IPsec ser vices are appl ied to the data pa ckets tra v eling between the security gateways. An individual SA protect s data tra v eling in one dir ection. A Protect SA is used to apply IPse c se rvi ces to outbound traf fic; an Unprotect SA is used to decrypt and/or authenticate incoming data packets.

The examples in this section show how to manually configure both Protect and Unprotect SAs. Automated SA configuration is achieved using IKE without user configuration required.

For SA examples 1 and 2, refer to Figure C-3

Figure C-4.

RTR1

S31 - 119.68.12.1

Figure C-3. Single Protect/Unprotect SA Pair

308630-14.00 Rev 00

INET

; for SA example 3, refer to

RTR2

189.132.10.1 - S52

C-9

Configuring IPsec Services

SA Example 1: Configuring a Single Protect/Unprotect SA Pair

In this example, a single Protect/Unprotect SA pair is configured using DES encryption. Both ends of the SA pair use the same cipher algorithm, cipher key, and integrity key (see Figure C-3

IP source address 119.68.12.1 119.68.12.1 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity ke y 0x010123040506070890a0

RTR1 Protect SA RTR2 Unprotect SA

189.132.10.1 189.132.10.1

256 256

0x01012304050607 089 0a 0

b0c0d0e0f11

C-10

RTR1 Unprotect SA RTR2 Protect SA

IP source address 189.132.10.1 189.132.10.1 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity ke y 0x010123040506070890a0

119.68.12.1 119.68.12.1

256 256

0x01012304050607 089 0a 0

b0c0d0e0f11

308630-14.00 Rev 00

Configuration Examples

SA Example 2: Configuring Two Prot ect/Unprotect SA P airs

In this example, two Protect/Unprotect SA pairs are configured using DES encryption. Both ends of the SA pair use the same cipher algorithm and key. The integrity algorithm is set to None (refer to Figure C-3

RTR1 Protect SA RTR2 Unprotect SA

IP source address 119.68.12.1 119.68.12.1 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm None None Integrity ke y None None

189.132.10.1 189.132.10.1

256 256

IP source address 189.132.10.1 189.132.10.1 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm None None Integrity ke y None None

308630-14.00 Rev 00

RTR1 Unprotect SA RTR2 Protect SA

119.68.12.1 119.68.12.1

257 257

C-11

Configuring IPsec Services

SA Example 3: Configuring Multiple Protect/Unprotect SA Pairs

In this example, multiple Protect/Unprotect SA pairs are configured between RTR1 and RTR2, RTR3, and RTR4.

• The SA pair between RTR1 and RTR2 uses DES56 and HMAC MD5.

• The SA pair between RTR1 and RTR3 uses only HMAC MD5.

• The SA pair between RTR1 and RTR4 uses only DES56. As you review the tables in this example, refer to Figure C-4

189.132.10.1 - S52

RTR1

S31 - 119.68.12.1

INET

Figure C-4. Multiple Protect/Unprotect SA Pairs

129.43.12.19 - S28

192.32.1.5 - S33

RTR2

RTR3

RTR4

C-12

308630-14.00 Rev 00

Configuration Examples

The following two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR2 (refer to Figure C-4).

RTR1 Protect SA RTR2 Unprotect SA

IP source address 119.68.12.1 119.68.12.1 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity ke y 0x010123040506070890a0

189.132.10.1 189.132.10.1

257 257

0x01012304050607 089 0a 0

b0c0d0e0f11

IP source address 189.132.10.1 189.132.10.1 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0x0101230405060708 0x0101230405060708 Integrity algorithm HMAC MD5 HMAC MD5 Integrity ke y 0x010123040506070890a0

308630-14.00 Rev 00

RTR1 Unprotect SA RTR2 Protect SA

119.68.12.1 119.68.12.1

256 256

0x01012304050607 089 0a 0

b0c0d0e0f11

C-13

Configuring IPsec Services

The next two tables show the settings for the Protect/Unprotect SA pairs between RTR1 and RTR3 (refer to Figure C-4

IP source address 119.68.12.1 119.68.12.1 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0xFADE050403020100 0xFADE050403020100 Integrity algorithm None None Integrity ke y None None

RTR1 Protect SA RTR3 Unprotect SA

129.43.12.19 12 9.43.12.19

256 256

RTR1 Unprotect SA RTR3 Protect SA

C-14

IP source address 129.43.12.19 129.43.12.19 IP destination

address Security parameter

index (SPI) Cipher key length DES56 DES56 Cipher key 0xFADE050403020100 0xFADE050403020100 Integrity algorithm None None Integrity ke y None None

119.68.12.1 119.68.12.1

257 257

308630-14.00 Rev 00

Configuration Examples

The final two tables show the settings for the Protect/Un protect SA pairs between RTR1 and RTR4 (refer to Figure C-4

RTR1 Protect SA RTR4 Unprotect SA

IP source address 119.68.12.1 119.68.12.1 IP destination

address Security parameter

index (SPI) Cipher key length None None Cipher key None None Integrity algorithm HMAC MD5 HMAC MD5 Integrity ke y 0x090a0bbb0c0d0e0f11011

192.32.1.5 192.32.1.5

256 256

02030405060708

0x090a0bbb0c0d0e0f11011 02030405060708

IP source address 119.68.12.1 119.68.12.1 IP destination

address Security parameter

index (SPI) Cipher key length None None Cipher key None None Integrity algorithm HMAC MD5 HMAC MD5 Integrity ke y 0x090a0bbb0c0d0e0f11011

308630-14.00 Rev 00

RTR1 Unprotect SA RTR4 Protect SA

192.32.1.5 192.32.1.5

258 258

0x090a0bbb0c0d0e0f11011

02030405060708

C-15

Configuring IPsec Services

Contivity Extranet Switch Interoperability

BayRS software IPsec functions interoperate with the IPsec implementation on Nortel Networks Contivity Extranet Switche s (CESs). T his sec tion pr o vid es some configuration consideratio ns for this interoperability. Refer to the Contivity documentation for more inform ation.

Supported Versions

BayRS IPse c software supports intero perability w ith Contivity software version

2.5 or later. Earlier versions are not supported. BayRS software before version

14.00 does not support IPsec interoperability.

Configuring Through a Browser

Unlike products that use BayRS software, you configure Contivity products through a Web browser. If you are new to Contivity configuration, note the following general considerations while using the browser:

• You must click on OK at the bottom of Contivity configuration screens to continue as you configure the Contivity software. If you use your browser navigation buttons, your configuration choices will be lost.

C-16

• All configuration changes are dynamic, either taking place immediately or taking effect for subsequent IKE/IPsec connections made to the peer.

308630-14.00 Rev 00

Avaya IPsec User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Configuring IPsec Services

Contents

Figures

Tables

Before You Begin

Preface

Text Conventions

Acronyms

Hard-Copy Technical Manuals

How to Get Help

About IPsec

Note Regarding IPsec and NAT

Network Requirements for Nortel Networks Routers

Supported Routers

Supported WAN Protocols

IPsec Ser vices

Confidentiality

Integrity

Authentication

Additional IPsec Services

How IPsec Works

IPsec Protection

IPsec Tunnel Mode

IPsec Elements

Security Gateways

Security Policies

Po licy Templates

Inbound Polici es

Outbound Policies

Policy Criteria Specification

Security Associations

Automated Securit y Associat ions Using Internet Key Exc hange (IKE)

Manual Security Associations

Security Associations for Bidirectional Traffic

How IKE Negotiates Security Associations

Security Parameter Index (SPI)

Summarizing Security Policies and SAs

Security Protocols

Encapsulating Security Payload

Authentication Header

Internet Key Exchange (IKE) Protocol

Perfect Forward Secrecy

Upgrading Router Software

Installing the IPsec Software

Completing the Installation Process

Installing Triple DES Encryption

Securing Your Site

Securing Your Configuration

Encryption Keys

Random Number Generator (RNG)

Creating and Using Node Protection Keys (NPKs)

Generating NPKs

Entering an Initial NPK and a Seed for Encryption

Changing an NPK

Monitoring NPKs

Enabling IPsec and IKE

Creating Policies

Specifying Criteria

Specifying an Action

Policy Considerations

Creating an Outbound Policy

Creating an Inbound Policy

Creating Security Associations

About Automated SA Creation

Creating an Outbound Protect Policy With Automated SAs (IKE)

About Manual SA Creation

Creating a Protect SA Manually

Creating an Unprotect SA Manually

Changing Existing Policies

Editing a Policy

Adding a Policy

PPP Protocol

Frame Relay Protocol

Reordering Policies

PPP Protocol

Frame Relay