Security policy considerations, Configuring policy – Enterasys Networks Security Router X-PeditionTM User Manual


VPN Configuration Overview

XSR User’s Guide 14-23

More than one IKE proposal can be specified on each node. When IKE negotiation begins, it seeks
a common proposal on both peers with identical parameters. IKE policy is configured using the
crypto isakmp peer command. Specified parameters are effective when a peer address/subnet
matches the IP address of the peer. The wildcard 0.0.0.0 0.0.0.0 may be used to match any peer.
Configurable IKE policy values are:

- IKE peer address/subnet
- IKE proposal list
- Client or server Mode-config
- Main or aggressive IKE exchange mode (outbound tunnels only)
- User-defined identification (with aggressive mode only)
- Enabled or disabled NAT automatic options

Transform-sets used for IPSec are created by the crypto ipsec transform-set command. You
can choose AH, ESP, or IP compression values as follows:

- MD5-HMAC or SHA-HMAC hashing algorithms
- 3DES, AES or DES encryption
- MD5 or SHA-1 hash algorithms

Security Policy Considerations

Be aware of these considerations when configuring security policy:

- DES is a weaker form of encryption than 3DES and provides a lower level of security than the
  newer algorithm. We recommend 3DES.

- Selecting any Perfect Forward Secrecy (PFS) option will make each generated key used in data
  encryption independent of previous keys. If the key is compromised, the next key generated
  by Phase 2 exchange cannot be determined by knowing the value of the previous key. This
  comes at the cost of slightly lower performance.

- Two IPSec encapsulation modes are supported but the default, tunnel mode, is typically used
  with VPNs because it is more inclusive.

- It is useful to specify a user ID instead of an IP address when configuring an SA in aggressive
  mode (with pre-shared keys) for a peer whose IP address is dynamic. If you specify no ID, its
  IP address will be used by default. But, in that case, you will have to re-configure (with a new
  entry in the aaa user database) both ends of the tunnel every time the address changes. Use
  the user-id command instead.
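The following Python model is an added illustration, not XSR code or anything from the Enterasys manual. It shows the two selection steps described above: a peer policy entry is chosen by matching the peer's IP address against an address/mask pair (where 0.0.0.0 0.0.0.0 matches any peer), and a proposal is then accepted only when its parameters are identical on both sides, regardless of the local proposal name. It also applies the DES consideration from the list above as a policy warning. The class and function names, the "most specific mask wins" tie-break, the initiator-order preference among proposals, and all sample addresses and proposals are assumptions made for the example; the manual's try1 proposal values are reused for the constructed data.

```python
# Added example (not XSR code): models IKE peer-policy selection and proposal
# matching as described in the XSR User's Guide. Names, the tie-break rule and
# the preference order among proposals are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal, as created with 'crypto isakmp proposal <name>'."""
    name: str
    authentication: str   # e.g. "pre-share"
    encryption: str       # "des", "3des" or "aes"
    hash_alg: str         # "md5" or "sha"
    group: int            # Diffie-Hellman group number
    lifetime: int         # SA lifetime in seconds

    def parameters(self) -> Tuple[str, str, str, int, int]:
        # The name is local to each node; only these values must match on both peers.
        return (self.authentication, self.encryption, self.hash_alg, self.group, self.lifetime)


@dataclass(frozen=True)
class PeerPolicy:
    """One 'crypto isakmp peer <address> <mask>' entry with its proposal list."""
    address: str
    mask: str             # 0.0.0.0 with address 0.0.0.0 matches any peer
    proposals: Tuple[Proposal, ...]

    def matches(self, peer_ip: str) -> bool:
        net = int(ipaddress.IPv4Address(self.address))
        mask = int(ipaddress.IPv4Address(self.mask))
        ip = int(ipaddress.IPv4Address(peer_ip))
        return (ip & mask) == (net & mask)

    def prefix_length(self) -> int:
        return bin(int(ipaddress.IPv4Address(self.mask))).count("1")


def select_peer_policy(policies: List[PeerPolicy], peer_ip: str) -> Optional[PeerPolicy]:
    """Return the entry whose address/mask matches the peer; most specific mask wins (assumed)."""
    matching = [p for p in policies if p.matches(peer_ip)]
    if not matching:
        return None
    return max(matching, key=PeerPolicy.prefix_length)


def negotiate_proposal(local: PeerPolicy, remote: PeerPolicy) -> Optional[Proposal]:
    """Pick the first local proposal whose parameters appear identically on the remote peer."""
    remote_params = {p.parameters() for p in remote.proposals}
    for proposal in local.proposals:
        if proposal.parameters() in remote_params:
            return proposal
    return None


def policy_warnings(proposal: Proposal) -> List[str]:
    """Flag the weak choice called out under Security Policy Considerations."""
    warnings = []
    if proposal.encryption == "des":
        warnings.append("DES is weaker than 3DES; 3DES is recommended")
    return warnings


# Constructed sample data. try1 uses the values from the manual's example;
# the other proposals and all addresses (RFC 5737 test ranges) are made up here.
TRY1 = Proposal("try1", "pre-share", "aes", "md5", 5, 40000)
LEGACY = Proposal("legacy", "pre-share", "des", "md5", 2, 86400)
REMOTE_STRONG = Proposal("r-strong", "pre-share", "aes", "md5", 5, 40000)
REMOTE_WEAK = Proposal("r-weak", "pre-share", "des", "md5", 2, 86400)

LOCAL_POLICIES = [
    PeerPolicy("0.0.0.0", "0.0.0.0", (LEGACY,)),               # catch-all peer entry
    PeerPolicy("192.0.2.0", "255.255.255.0", (TRY1, LEGACY)),  # specific subnet entry
]

REMOTE_POLICY = PeerPolicy("198.51.100.1", "255.255.255.255", (REMOTE_WEAK, REMOTE_STRONG))


def run_example(peer_ip: str):
    """Select the local policy for a peer, negotiate a proposal and lint the result."""
    policy = select_peer_policy(LOCAL_POLICIES, peer_ip)
    if policy is None:
        return None, []
    chosen = negotiate_proposal(policy, REMOTE_POLICY)
    return chosen, (policy_warnings(chosen) if chosen else [])


if __name__ == "__main__":
    for ip in ("192.0.2.7", "203.0.113.9"):
        chosen, warns = run_example(ip)
        print(ip, "->", chosen.name if chosen else "no common proposal", warns)
```

A peer inside 192.0.2.0/24 lands on the specific entry and agrees on the AES proposal even though the remote side names it differently; a peer matched only by the catch-all entry can agree on nothing but the DES proposal, which the lint step reports.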

Configuring Policy

The following example defines simple IKE Phase I, remote peer and IPSec transform-sets.
Configure the IKE proposal try1:

XSR(config)#crypto isakmp proposal try1
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#encryption aes
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#group 5
XSR(config-isakmp)#lifetime 40000
