
Configuring IPsec

This chapter describes how to configure the IP Security Protocol (IPsec) on your IP router. IPsec provides security at the network layer. Because IPsec is integrated into IP itself, IPsec adds security to any link, regardless of the application used.

IPsec protects system-originated IP traffic directly. To protect forwarded IP traffic or multiprotocol traffic, configure a tunneling protocol such as PPTP before configuring IPsec. See the Configuring L2Tunnel Connections chapter for more information about PPTP.

Leave IPSEC CONTrol (or the PORT service control) disabled while you configure policies, and enable it only after all IPSEC policy and key set configuration has been completed.

For conceptual information, see "How IPsec Works" later in this chapter.


Configuring IPsec

The procedures in this section describe how to configure IPsec.

Creating Policies

An IPsec policy consists of an action, the packet types that require the action, and the source and destination addresses between which the action occurs. The following three actions are supported: EspXport (ESP only, for confidentiality), AhXport (AH only, for integrity and data origin authentication), and AhEspXport (AH and ESP together). All three apply the protection in transport mode, inserting the ESP or AH header between the IP header and the upper-layer payload.

To configure a security policy, use:

ADD !<portlist> -IPSEC POLicy <policy_name> <action> <filters> <src_ipaddr/mask> (<dst_ipaddr/mask> | DYNamic) [<encrypt_algorithms> (DesCbc | 3DesCbc | TripleDesCbc | RC5Cbc)] [<auth_algorithms> (HmacMd5 | HmacSha)]
<action>: AhEspXport | AhXport | EspXport
<filters>: list of the following values separated by commas:
GRE, ICMP, OSPF, TCP [(<src_port>,<dst_port>) ... up to 16 pairs], UDP [(<src_port>,<dst_port>) ... up to 16 pairs]
where <src_port> and <dst_port> = 1-65535 | * | Archie | DNS | Finger | FTP | FTPData | Gopher | HTTP | NFS | NNTP | NTP | POP2 | POP3 | PortMap | RIP | SMTP | SNMP | SNMPTrap | Syslog | Telnet | TFTP | WAIS

The default for encrypt_algorithms is DesCbc and the default for auth_algorithms is HmacMd5. Single DES (56-bit) is not considered secure against brute-force attack today; where the software package allows it, specify TripleDesCbc and HmacSha explicitly rather than relying on the defaults.

Creating an Encryption Policy

To create an encryption policy for Telnet traffic using the default encryption algorithm DesCbc from router 1 with IP address 170.0.0.1 to router 2 with IP address 180.0.0.1, follow these steps:

1 .   On bridge/router 1, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) 170.0.0.1 180.0.0.1

2 .   On bridge/router 2, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) 180.0.0.1 170.0.0.1

To configure an encryption policy for Telnet traffic using the 3DES encryption algorithm from router 1 with IP address 170.0.0.1 to router 2 with IP address 180.0.0.1, follow these steps:

1 .   On bridge/router 1, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) 170.0.0.1 180.0.0.1 TripleDesCbc

2 .   On bridge/router 2, enter:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp(Telnet,*) 180.0.0.1 170.0.0.1 TripleDesCbc

Creating a Security Policy

To create a security policy to provide data confidentiality and data integrity for PPTP tunnel traffic between router 1 and router 2, follow these steps:

1 .   On bridge/router 1 enter:

ADD !1 -IPSEC POLicy ahesp_pol AhEspXport tcp, gre 170.0.0.1 180.0.0.1

2 .   On bridge/router 2, enter:

ADD !1 -IPSEC POLicy ahesp_pol AhEspXport tcp, gre 180.0.0.1 170.0.0.1

Creating Key Sets

To create a key set, use:

ADD -IPSEC KeySet <key_set_name> [EncryptKey ("<encrypt_key>" | "%<encrypt_key>")] [AuthKey ("<auth_key>" | "%<auth_key>")]

The encrypt_key and auth_key must match the values on the peer system at the other end of the security association.

<key_set_name> is a name you assign to the key set you are adding.

<encrypt_key> and <auth_key> can be 1 to 128 bytes, entered either as an ASCII text string or as a string of hexadecimal digits prefixed with % (for example, %6162636400000000). See "Configuring Manual Key Information" for the length rules that apply when a key set is bound to a policy.

To delete a key set, use:

DELete -IPSEC KeySet [<key_set_name> | ALL]

For example, to create a new encryption key set, enter:

ADD -IPSEC KeySet esp_key EncryptKey "hello124"

To create a key set for both encryption and authentication, enter:

ADD -IPSEC KeySet ahesp_key EncryptKey "hello124" AuthKey "world236"

Configuring Manual Key Information

The ManualKeyInfo parameter binds manual keying information to an IPsec policy. Only one ManualKeyInfo command can be applied to each policy. To configure manual key information, use:

SETDefault !<portlist> -IPSEC ManualKeyInfo = <policy_name> (<key_set_name> | NONE) [SpiEsp <spi_in> <spi_out>] [SpiAh <spi_in> <spi_out>]

A Security Parameters Index (SPI) value, together with the destination address, identifies a particular security association: the set of agreements between sender and receiver on the key, on the encryption or authentication algorithm, and on the SPI numbers.

<spi_in> is a number in the range 256 to 2000. Each spi_in value must be unique on a system: it can be assigned to only one policy, and no other policy on the same system may reuse it. spi_in must match the spi_out value configured on the peer system at the other end of the security association.

<spi_out> is a number in the range 256 to 65535. spi_out must match the spi_in value specified at the peer system at the other end of the security association.

A key set is created with the ADD -IPSEC KeySet command and is bound to a policy through the ManualKeyInfo parameter. The key set and the ManualKeyInfo binding can be entered in either order; the binding, and the length checks described below, take effect once both exist.

When a key is entered, no length restriction is applied beyond the 1 to 128 byte limit. Keys can be entered as either ASCII text or hex values.

When a key is bound, length restrictions are applied. The required key length depends on the NETBuilder software package in use. The xS packages (S = strong encryption) allow encryption keys of up to 128 bits (16 bytes), while the xE packages allow up to 56-bit keys. If the key you bind is too long for the package in use, it is truncated and a warning message is generated. If the key is too short, the binding operation generates an error message describing the length discrepancy and the key is rejected. If this occurs, delete the key set and re-enter a key of the appropriate length.

For compatibility with previous software versions, which did not enforce key lengths, a short DES key can be entered as an 8-byte hex value padded with the appropriate number of null characters. For example, the DES key abcd is entered as:

%6162636400000000

To change the manual keying information, you must first delete the information using NONE as the key set name, then add the new information using SETDefault.

For example, to create a security association and bind a key set to a corresponding encryption policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = esp_pol esp_key SpiEsp 500 501

To create a security association of an encryption and authentication policy, enter:

SETDefault !1 -IPSEC ManualKeyInfo = ahesp_pol ahesp_key SpiEsp 600 601 SpiAh 700 701

When keys are displayed using the SHow -IPSEC Keyset command, the MD5 hash of the key is displayed rather than the key itself. This allows you to compare keys for equality without exposing the actual key value. The length of the key is also displayed, since the hash is always a 32-digit hex value.

During boot, any previously configured policies and keys are bound together. The various length restrictions are applied during this binding, so that you cannot use keys that are longer than the package supports. At boot-time, binding accepts DES keys which are shorter than 8 bytes and the system generates a warning rather than an error.

All packages reject keys that are less than 5 bytes long and generate error messages. The xE packages truncate long keys to 7 bytes, and the xS packages truncate long keys to 16 bytes, with appropriate warning messages.
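The key-handling rules described above (the 1 to 128 byte entry limit and the %hex form, the 5-byte floor and the 7-byte or 16-byte truncation applied at binding, the null-padded 8-byte DES form, the two-key 3DES split, and the MD5 fingerprint that SHow -IPSEC KeySet displays) are modelled here in Python so that a key can be checked before it is bound. This is an added example, not NETBuilder code: the package names and limits come from the text, while the function names and the sample keys are assumptions made for illustration.

```python
"""Added example: a model of the NETBuilder manual key-set rules described
in this chapter.  It is not the router's code; the limits come from the
text, the function names and sample keys are made up for illustration."""
import hashlib
import hmac

ENTRY_MIN, ENTRY_MAX = 1, 128      # ADD -IPSEC KeySet accepts 1..128 bytes
BIND_MIN = 5                       # every package rejects keys shorter than this
PACKAGE_MAX = {"xE": 7, "xS": 16}  # truncation length at binding, per package
DES_KEY_LEN, TDES_KEY_LEN = 8, 16


def parse_key(text):
    """Decode a key as the CLI accepts it: '%' followed by hex digits, else ASCII."""
    if text.startswith("%"):
        digits = text[1:]
        if len(digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in digits):
            raise ValueError("hex key must be an even number of hex digits")
        key = bytes.fromhex(digits)
    else:
        key = text.encode("ascii")
    if not ENTRY_MIN <= len(key) <= ENTRY_MAX:
        raise ValueError("key must be 1 to 128 bytes")
    return key


def des_compat_hex(key):
    """Legacy form for a short DES key: pad with NULs to 8 bytes, give the %hex form."""
    if len(key) > DES_KEY_LEN:
        raise ValueError("DES key is at most 8 bytes")
    return "%" + key.ljust(DES_KEY_LEN, b"\x00").hex()


def bind_key(key, package, algorithm="DesCbc"):
    """Apply the binding-time rules.  Returns (bound_key, warning_or_None);
    raises ValueError when the router would reject the key outright."""
    if len(key) < BIND_MIN:
        raise ValueError(f"key is {len(key)} bytes; keys shorter than {BIND_MIN} are rejected")
    if algorithm == "TripleDesCbc":
        if package != "xS":
            raise ValueError("3DES is only available in the xS (strong) packages")
        if len(key) < TDES_KEY_LEN:
            raise ValueError(f"3DES keys must be at least {TDES_KEY_LEN} bytes")
    limit = PACKAGE_MAX[package]
    if len(key) > limit:
        return key[:limit], f"key truncated from {len(key)} to {limit} bytes for package {package}"
    return key, None


def triple_des_stages(key):
    """Split a bound 16-byte key into the (encrypt, decrypt, encrypt) stage keys:
    bytes 0-7 drive both encryption stages, bytes 8-15 the decryption stage."""
    if len(key) < TDES_KEY_LEN:
        raise ValueError("need 16 bytes")
    k1, k2 = key[:8], key[8:16]
    return k1, k2, k1


def fingerprint(key):
    """What SHow -IPSEC KeySet displays: the 32-hex-digit MD5 of the key plus its length."""
    return hashlib.md5(key).hexdigest(), len(key)


def keys_match(key_a, key_b):
    """Compare two keys the way an operator would from SHow output, in constant time."""
    fa, fb = fingerprint(key_a), fingerprint(key_b)
    return fa[1] == fb[1] and hmac.compare_digest(fa[0], fb[0])
```

Running the peer's key through keys_match before enabling IPSEC CONTrol catches the most common manual-keying mistake, a key typed differently on the two routers, without ever displaying the key itself.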

Enabling IPsec

Enable IPsec policy checking on the port using:

SETDefault !<portlist> -IPSEC CONTrol = Enable

You should only enable IPsec policy checking on ports that need IPsec protection. Enabling IPsec policy checking can decrease the performance of your bridge/router.

For example, to enable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Enable

To disable IPSEC on port 1, enter:

SETDefault !1 -IPSEC CONTrol = Disable


How IPsec Works

IPsec integrates security directly into IP. IPsec provides three main areas of security: authentication, which validates the communicating parties; integrity, which makes sure the data has not been altered; and confidentiality (privacy), which ensures that data cannot be read if it is intercepted.

IPsec secures the underlying network layer. That way, an IPsec link is secure regardless of the application.

IPsec works with the existing Internet infrastructure using encapsulation. It secures each packet by encrypting and/or authenticating it before sending it over the Internet. On the receiving end, an IPsec-compliant device verifies and decrypts the data.

On each end of the link (systems at both ends comprise a security association), IPsec is configured with the same key set and manual key information. The key set allows each system in the security association to encrypt, decrypt, or authenticate each other's data.

The security protection can be selectively applied to various types of data traffic based on protocols, IP addresses, network addresses, applications (via TCP/UDP port addresses), and network interfaces. System-originated IP traffic (Telnet, OSPF, RIP for example) can be protected by IPSEC directly. SNA traffic can be protected by IPSEC through the DLSw tunnel. Other multiprotocol traffic (IPX, AppleTalk, DECnet for example) and forwarded IP traffic are protected by IPSEC through the PPTP tunnel. See the Configuring L2Tunnel Connections chapter for more information about PPTP/L2TP tunneling.

Policies

IPsec policies allow you to protect various types of traffic based on protocols, IP addresses, network addresses, network interfaces, and applications (via port addresses).

Encapsulation Security Payload (ESP)

ESP provides data confidentiality by encrypting the IP payload with the DES-CBC, 3DES-CBC or RC5-CBC crypto algorithm. For outbound traffic, it encrypts the IP payload and inserts an ESP header between the IP header and the payload. For inbound traffic, it decrypts the IP payload and removes the ESP header.

The DES and RC5 encryption algorithms are supported in the xE packages; 3DES requires an xS package.

DES-CBC is the Cipher Block Chaining (CBC) mode of the US Data Encryption Standard (DES). It uses an 8-byte key and operates on 8-byte data blocks; the cipher output of each block is fed into the encryption of the next block, so that identical cleartext blocks do not produce identical cipher output.

RC5 uses a 5-byte (40-bit) key.

3DES has three stages, as its name indicates: an encryption stage, a decryption stage, and a second encryption stage. 3DES keys must be at least 16 bytes long in the xS packages. The first 8 bytes of the key are used for both encryption stages and the second 8 bytes for the decryption stage (two-key 3DES).

Key lengths are enforced when the key is bound to a policy. Warning messages inform you when the entered key does not meet the requirements.

Entered keys longer than the supported maximum length for the chosen crypto algorithm and the package are truncated as necessary.

DES-CBC CANNOT be exported without a legal export license. See the release notes for your software for export restrictions.

ESP can be applied alone or with authentication headers.

Authentication Header (AH)

AH is used to provide data integrity and data origin authentication and to provide protection against replays using the HMAC-MD5 or HMAC-SHA1 crypto algorithm. For outbound traffic, AH computes ICV (integrity checksum value) and inserts an authentication header between the IP header and the higher layer protocol header. For inbound traffic, AH verifies the ICV and removes the AH. AH can be applied alone or with ESP.

Both HMAC-MD5 and HMAC-SHA1 are standards-based keyed hash algorithms. HMAC-SHA1 requires more computation, so it is slower, but it is considered the stronger of the two.
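As an added example (not NETBuilder code), the following Python builds and verifies an AH transport-mode IPv4 packet as described above: the sender computes the ICV as HMAC-MD5-96 or HMAC-SHA-1-96 (RFC 2402, 2403 and 2404, the HMAC truncated to 96 bits) over the IP header with its mutable fields zeroed, the AH with a zeroed ICV field, and the payload; the receiver recomputes the ICV and compares it in constant time. A small sliding window shows the replay check on the AH sequence number. The addresses, key, SPI and payload are constructed for the example, and the IPv4 header is assumed to carry no options.

```python
"""Added example: the AH integrity check value (ICV) for an IPv4 transport-mode
packet, computed as RFC 2402 describes with HMAC-MD5-96 or HMAC-SHA-1-96
(RFC 2403/2404).  Not NETBuilder code; the packet, key and SPI are constructed
for illustration and the IPv4 header is assumed to carry no options."""
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number of the Authentication Header
AH_FIXED_LEN = 12      # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12           # both HMAC variants are truncated to 96 bits
HASHES = {"HmacMd5": hashlib.md5, "HmacSha": hashlib.sha1}   # names as in ADD -IPSEC POLicy


def ip_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header without options, checksum filled in."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """Fields routers legitimately change in transit are zeroed before hashing:
    TOS, flags/fragment offset, TTL and the header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_fixed(next_header, spi, seq):
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def compute_icv(key, ip_hdr, ah, payload, auth="HmacMd5"):
    """HMAC over the immutable IP header, the AH with a zeroed ICV, and the payload."""
    data = zero_mutable(ip_hdr) + ah[:AH_FIXED_LEN] + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, HASHES[auth]).digest()[:ICV_LEN]


def protect(key, src, dst, next_header, payload, spi, seq, auth="HmacMd5"):
    """Sender: build IP | AH | payload with the ICV filled in."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_FIXED_LEN + ICV_LEN + len(payload))
    ah = ah_fixed(next_header, spi, seq)
    return ip_hdr + ah + compute_icv(key, ip_hdr, ah, payload, auth) + payload


def verify(key, packet, auth="HmacMd5"):
    """Receiver: recompute the ICV and compare in constant time.
    Returns (ok, spi, seq, payload)."""
    ip_hdr = packet[:20]
    if len(packet) < 20 + AH_FIXED_LEN or ip_hdr[9] != AH_PROTO:
        return False, None, None, None
    ah = packet[20:20 + AH_FIXED_LEN]
    _next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah)
    icv_len = (payload_len + 2) * 4 - AH_FIXED_LEN
    if icv_len != ICV_LEN:
        return False, spi, seq, None
    received = packet[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + icv_len]
    payload = packet[20 + AH_FIXED_LEN + icv_len:]
    expected = compute_icv(key, ip_hdr, ah, payload, auth)
    return hmac.compare_digest(received, expected), spi, seq, payload


class ReplayWindow:
    """RFC 2402 anti-replay check: a sliding bitmap over the last `size` sequence numbers."""
    def __init__(self, size=32):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.last:               # new high-water mark: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                  # too old, or already seen
        self.bitmap |= 1 << diff
        return True
```

The zeroing of mutable fields is what lets a TTL decremented by every hop in the path still verify at the receiver, while a single changed payload byte, a wrong key, or a wrong SPI on the peer makes the ICV check fail. The replay check is only done after the ICV has verified, so that an attacker cannot advance the window with forged sequence numbers.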

IPsec Configuration Example

For example, to protect all TCP and UDP traffic between router 1 (170.0.0.1) and router 2 (180.0.0.1) on port 1 with an IPSEC encryption policy, follow these steps:

1 .   Create an encryption policy with a unique policy name by entering:

ADD !1 -IPSEC POLicy esp_pol EspXport tcp,udp 170.0.0.1 180.0.0.1

2 .   Create a key set and specify the encryption key by entering:

ADD -IPSEC KeySet esp_key EncryptKey "hello536"

3 .   Create a manual security association by binding the above policy and key set. Assuming spi_in is 500 and spi_out is 501, enter:

SETDefault !1 -IPSEC ManualKeyInfo = esp_pol esp_key SpiEsp 500 501

4 .   Finally, enable the IPsec policy by entering:

SETDefault !1 -IPSEC CONTrol = Enable

Repeat the procedure on router 2 with the source and destination addresses reversed, the same key, and the SPI values swapped (SpiEsp 501 500).

Setting up a VPN PPTP Tunnel

The procedure that follows shows how to set up a VPN PPTP tunnel between router 1 (170.0.0.1) and router 2 (180.0.0.1) with an IPSEC policy providing data confidentiality and data integrity.

Figure 140 VPN PPTP Tunnel

On router 1, set up the tunnel from 170.0.0.1 to 180.0.0.1 by following these steps.

1 .   Set the system name to "router1" by entering:

SETDefault scid = "router1"

2 .   Create a virtual port to accept connection requests from only router 2 by entering:

ADD !v1 -POrt VirtualPort scid "router2"

3 .   Assign an IP address to the tunnel virtual port by entering:

SETDefault !v1 -IP NETaddr =20.0.0.1 255.255.0.0

4 .   Create a route between the two tunnel endpoints by entering:

ADD -IP ROUte 180.0.0.1 !1 1

5 .   Add a static route to send traffic over the PPTP tunnel by entering the following, or turn on routing protocols on the corresponding virtual port:

ADD -IP ROUte 140.0.0.0 255.255.0.0 !v1 1

6 .   Assign the peer's dial number (router 2, 180.0.0.1) to the PPTP tunnel dial number list by entering:

ADD !v1 -POrt DialNoList "@180.0.0.1" Type=pptp

7 .   Optionally, set the dial idle time-out to zero to keep the tunnel from timing out by entering:

SETDefault !v1 -POrt DialIdleTime = 0

8 .   Enable Layer 2 Tunnelling by entering:

SETDefault -L2Tunnel CONTrol=Enable

9 .   Configure an IPSEC policy/security association by entering:

ADD !1 -IPSEC POLicy pptp_ahesp AhEspXport tcp,gre 170.0.0.1 180.0.0.1
ADD -IPSEC KeySet pptp_key EncryptKey "Hello572" AuthKey "world329"
SETDefault !1 -IPSEC ManualKeyInfo=pptp_ahesp pptp_key SpiEsp 500 501 SpiAh 600 601
SETDefault !1 -IPSEC CONTrol=Enable

On router 2, set up the PPTP tunnel from 180.0.0.1 to 170.0.0.1 by following these steps:

1 .   Set the system name of router 2 to "router2" by entering:

SETDefault scid="router2"

2 .   Create a virtual port that will accept connection requests from only router1 by entering:

ADD !v1 -POrt VirtualPort scid "router1"

3 .   Assign an IP address to the tunnel virtual port by entering:

SETDefault !v1 -IP NETaddr=20.0.0.2 255.255.0.0

4 .   Create a route between the two tunnel endpoints by entering:

ADD -IP ROUte 170.0.0.1 !1 1

5 .   Add a static route to route traffic over a PPTP tunnel by entering the following or turn on routing protocols on the corresponding virtual port:

ADD -IP ROUte 130.0.0.0 255.255.0.0 !v1 1

6 .   Assign the peer dial number to the PPTP tunnel dial number list by entering:

ADD !v1 -POrt DialNoList "@170.0.0.1" Type=pptp

7 .   Optionally set dial idle time-out to zero to keep tunnel from timing out by entering:

SETDefault !v1 -POrt DialIdleTime=0

8 .   Enable Layer 2 Tunnelling (PPTP) by entering:

SETDefault -L2Tunnel CONTrol=Enable

9 .   Configure an IPSEC policy/security association by entering:

ADD !1 -IPSEC POLicy pptp_ahesp AhEspXport tcp,gre 180.0.0.1 170.0.0.1
ADD -IPSEC KeySet pptp_key EncryptKey "Hello572" AuthKey "world329"
SETDefault !1 -IPSEC ManualKeyInfo=pptp_ahesp pptp_key SpiEsp 501 500 SpiAh 601 600
SETDefault !1 -IPSEC CONTrol=Enable
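The two router configurations must agree with each other in ways the router does not check for you: each policy's source and destination are mirrored on the peer, the key sets hold identical keys, each spi_in equals the peer's spi_out, and spi_in values are unique and in range on each system. As an added example (not NETBuilder code), this Python checker reads the IPsec lines of both configurations and reports any such mismatch. Its parsing is a loose regular-expression sketch of the ADD -IPSEC POLicy, ADD -IPSEC KeySet and SETDefault -IPSEC ManualKeyInfo syntax shown in this chapter, and the two router 2 configurations (one with a non-mirrored policy and mis-typed keys, one correct) are constructed sample input.

```python
"""Added example: consistency check across two peers' manual-keyed IPsec
configuration.  Not the router's code; the parsing is a loose sketch of the
ADD -IPSEC POLicy / KeySet and SETDefault -IPSEC ManualKeyInfo syntax, and
the sample configurations below are constructed for illustration."""
import hashlib
import re

POLICY = re.compile(r"^ADD\s+!(\S+)\s+-IPSEC\s+POL\w*\s+(\w+)\s+(AhEspXport|AhXport|EspXport)\s+"
                    r"(.+?)\s+(\d+\.\d+\.\d+\.\d+)\S*\s+(\d+\.\d+\.\d+\.\d+|DYN\w*)", re.I)
KEYSET = re.compile(r"^ADD\s+(?:!\S+\s+)?-IPSEC\s+KeySet\s+(\w+)"
                    r'(?:\s+EncryptKey\s+"([^"]*)")?(?:\s+AuthKey\s+"([^"]*)")?', re.I)
MANUAL = re.compile(r"^SETD\w*\s+!(\S+)\s+-IPSEC\s+ManualKeyInfo\s*=\s*(\w+)\s+(\w+)"
                    r"(?:\s+SpiEsp\s+(\d+)\s+(\d+))?(?:\s+SpiAh\s+(\d+)\s+(\d+))?", re.I)
SPI_IN_RANGE, SPI_OUT_RANGE = (256, 2000), (256, 65535)   # from the ManualKeyInfo description


def parse(config):
    """Collect policies, key sets and manual-key bindings from one router's CLI lines."""
    cfg = {"policy": {}, "keyset": {}, "manual": {}}
    for line in config.splitlines():
        line = line.strip()
        if m := POLICY.match(line):
            _port, name, action, filters, src, dst = m.groups()
            cfg["policy"][name] = {"action": action, "filters": filters, "src": src, "dst": dst}
        elif m := KEYSET.match(line):
            name, enc, auth = m.groups()
            cfg["keyset"][name] = {"enc": enc, "auth": auth}
        elif m := MANUAL.match(line):
            _port, pol, keyset, esp_in, esp_out, ah_in, ah_out = m.groups()
            cfg["manual"][pol] = {"keyset": keyset,
                                  "esp": (int(esp_in), int(esp_out)) if esp_in else None,
                                  "ah": (int(ah_in), int(ah_out)) if ah_in else None}
    return cfg


def fingerprint(key):
    """Compare keys as SHow -IPSEC KeySet would show them: by MD5, never in the clear."""
    return None if key is None else hashlib.md5(key.encode()).hexdigest()


def check_side(label, cfg, findings):
    """Per-system rules: SPI ranges and spi_in uniqueness across all policies."""
    seen = {}
    for name, m in cfg["manual"].items():
        for proto in ("esp", "ah"):
            if m[proto] is None:
                continue
            spi_in, spi_out = m[proto]
            if not SPI_IN_RANGE[0] <= spi_in <= SPI_IN_RANGE[1]:
                findings.append(f"{label}/{name}: spi_in {spi_in} outside {SPI_IN_RANGE}")
            if not SPI_OUT_RANGE[0] <= spi_out <= SPI_OUT_RANGE[1]:
                findings.append(f"{label}/{name}: spi_out {spi_out} outside {SPI_OUT_RANGE}")
            if spi_in in seen:
                findings.append(f"{label}/{name}: spi_in {spi_in} already used by {seen[spi_in]}")
            seen[spi_in] = name


def check_peers(text_a, text_b):
    """Return a list of findings; an empty list means the two sides are consistent."""
    a, b = parse(text_a), parse(text_b)
    findings = []
    for name, pa in a["policy"].items():
        pb = b["policy"].get(name)
        if pb is None:
            findings.append(f"{name}: policy missing on peer")
            continue
        if pb["action"] != pa["action"]:
            findings.append(f"{name}: action {pa['action']} vs peer {pb['action']}")
        if (pb["src"], pb["dst"]) != (pa["dst"], pa["src"]):
            findings.append(f"{name}: peer {pb['src']}->{pb['dst']} is not the mirror of "
                            f"{pa['src']}->{pa['dst']}")
        ma, mb = a["manual"].get(name), b["manual"].get(name)
        if ma is None or mb is None:
            findings.append(f"{name}: ManualKeyInfo missing on one side")
            continue
        ka, kb = a["keyset"].get(ma["keyset"], {}), b["keyset"].get(mb["keyset"], {})
        for part in ("enc", "auth"):
            if fingerprint(ka.get(part)) != fingerprint(kb.get(part)):
                findings.append(f"{name}: {part} key differs (MD5 {fingerprint(ka.get(part))} "
                                f"vs {fingerprint(kb.get(part))})")
        for proto in ("esp", "ah"):
            sa, sb = ma[proto], mb[proto]
            if sa is None and sb is None:
                continue
            if sa is None or sb is None:
                findings.append(f"{name}: Spi{proto.capitalize()} present on one side only")
            elif sa != (sb[1], sb[0]):
                findings.append(f"{name}: Spi{proto.capitalize()} {sa} must mirror peer {sb}")
    check_side("A", a, findings)
    check_side("B", b, findings)
    return findings


# Constructed sample input: router 1 as in the procedure above, and two
# versions of router 2, one with a non-mirrored policy and mis-typed keys.
ROUTER1 = """
ADD !1 -IPSEC POLicy pptp_ahesp AhEspXport tcp,gre 170.0.0.1 180.0.0.1
ADD -IPSEC KeySet pptp_key EncryptKey "Hello572" AuthKey "world329"
SETDefault !1 -IPSEC ManualKeyInfo=pptp_ahesp pptp_key SpiEsp 500 501 SpiAh 600 601
"""
ROUTER2_BAD = """
ADD !1 -IPSEC POLicy pptp_ahesp AhEspXport tcp,gre 170.0.0.1 180.0.0.1
ADD -IPSEC keyset pptp_key EncryptKey "hello124" AuthKey "world678"
SETDefault !1 -IPSEC ManualKeyInfo=pptp_ahesp pptp_key SpiEsp 501 500 SpiAh 601 600
"""
ROUTER2_OK = """
ADD !1 -IPSEC POLicy pptp_ahesp AhEspXport tcp,gre 180.0.0.1 170.0.0.1
ADD -IPSEC KeySet pptp_key EncryptKey "Hello572" AuthKey "world329"
SETDefault !1 -IPSEC ManualKeyInfo=pptp_ahesp pptp_key SpiEsp 501 500 SpiAh 601 600
"""

if __name__ == "__main__":
    for finding in check_peers(ROUTER1, ROUTER2_BAD):
        print(finding)
    print("corrected router 2:", check_peers(ROUTER1, ROUTER2_OK) or "consistent")
```

Run it against the two sides before issuing SETDefault -IPSEC CONTrol = Enable; with manual keying there is no key-exchange protocol to negotiate or reject a mismatched SPI or key, so a typo simply results in packets that the peer silently discards.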

Establishing the Dialup Tunnel

After all the configuration is completed at both ends of the connection, you can dial the PPTP tunnel from either end by entering:

DIal !v1
