If no proposals are defined, the default settings (shown in the following table) are applied.
Table 12-4: Default IPSec/IKE Proposals
Proposal Encryption Authentication DH Group
Proposal 0
3DES SHA1 Group 2 (1024 bit)
Proposal 1
3DES MD5 Group 2 (1024 bit)
Proposal 2
3DES SHA1 Group 1 (786 bit)
Proposal 3
3DES MD5 Group 1 (786 bit)
12.4.3 Configuring IP Security Associations Table
The IP Security Associations Table page allows you to configure up to 20 peers (hosts or
networks) for IP security (IPSec)/IKE. Each of the entries in this table controls both Main
and Quick mode configuration for a single peer. Each row in the table refers to a different
IP destination. IPSec can be applied to all traffic to and from a specific IP address.
Alternatively, IPSec can be applied to a specific flow, specified by port (source or
destination) and protocol type.
The destination IP address (and optionally, destination port, source port and protocol type)
of each outgoing packet is compared to each entry in the table. If a match is found, the
device checks if an SA already exists for this entry. If no SA exists, the IKE protocol is
invoked and an IPSec SA is established and the packet is encrypted and transmitted. If a
match is not found, the packet is transmitted without encryption.
This table can also be used to enable Dead Peer Detection (RFC 3706), whereby the
device queries the liveliness of its IKE peer at regular intervals or on-demand. When two
peers communicate with IKE and IPSec, the situation may arise in which connectivity
between the two goes down unexpectedly. In such cases, there is often no way for IKE and
IPSec to identify the loss of peer connectivity. As such, the Security Associations (SA)
remain active until their lifetimes naturally expire, resulting in a "black hole" situation where
both peers discard all incoming network traffic. This situation may be resolved by
performing periodic message exchanges between the peers. When no reply is received,
the sender assumes SA’s are no longer valid on the remote peer and attempts to
renegotiate.
Notes:
• Incoming packets whose parameters match one of the entries in the IP
Security Associations table but is received without encryption, is rejected.
• If you change the device's IP address on-the-fly, you must then reset the
device for IPSec to function properly.
• The proposal list must be contiguous.
• For security, once the IKE pre-shared key is configured, it is not
displayed in any of the device's management tools.
• You can also configure the IP Security Associations table using the table
ini file parameter IPsecSATable (see 'Security Parameters' on page 446).
To Next Page
Loading...
Need help?
General
