IPsec Configuration
Fixed Switch Configuration Guide 26-5
• IPsec and IKE (Internet Key Exchange protocol) are defined for the RADIUS host application only. This implementation supports the creation of Security Associations (SAs) with servers configured for RADIUS, and the RADIUS application helps define the IPsec flow.
• Only the Encapsulating Security Payload (ESP) mode of operation is supported. Authentication Header (AH) mode is not supported.
• Currently, IKEv1 is supported, and the RADIUS shared secret is used as the IKE pre-shared key.
• HMAC-SHA1 is the default IKE integrity mechanism.
• 3DES and the Advanced Encryption Standard (AES) encryption algorithms are supported. AES supports key lengths of 128, 192, and 256 bits. The default IPsec encryption algorithm is AES-128.
• IPsec does not prevent the independent simultaneous use of MSCHAP-V2 style encryption of user passwords between the switch and the RADIUS server.
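The bullets above state that the RADIUS shared secret doubles as the IKEv1 pre-shared key and that HMAC-SHA1 is the IKE integrity mechanism. The following Python is an added example, not code from the guide or from the switch firmware: it walks the RFC 2409 phase-1 key derivation for a pre-shared-key SA with constructed nonces, cookies and a stand-in Diffie-Hellman shared secret (all assumed sample values), to show that every resulting IKE and IPsec key is a function of that shared secret.

```python
import hmac
import hashlib

# IKEv1 keying material (RFC 2409, section 5.4) for pre-shared-key authentication.
# On the switch this guide describes, the pre-shared key is the RADIUS shared
# secret and the prf is HMAC-SHA1, so every derived key inherits the secret's strength.

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF: HMAC-SHA1 (the guide's default integrity mechanism)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def expand_key(skeyid_e: bytes, length: int) -> bytes:
    """RFC 2409 appendix B: expand SKEYID_e when the cipher needs more key than one prf output."""
    if length <= len(skeyid_e):
        return skeyid_e[:length]          # e.g. AES-128 takes the first 16 of 20 bytes
    # K1 = prf(SKEYID_e, 0); Kn = prf(SKEYID_e, K(n-1)); key = K1 | K2 | ...
    blocks, k = [], prf(skeyid_e, b"\x00")
    while sum(len(b) for b in blocks) < length:
        blocks.append(k)
        k = prf(skeyid_e, k)
    return b"".join(blocks)[:length]

def derive_ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r, enc_key_len=16):
    """Return the phase-1 keys of a pre-shared-key authenticated IKEv1 SA."""
    skeyid = prf(psk, ni + nr)                                          # SKEYID
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")               # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")    # IKE authentication
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")    # IKE encryption
    return {
        "SKEYID": skeyid,
        "SKEYID_d": skeyid_d,
        "SKEYID_a": skeyid_a,
        "SKEYID_e": skeyid_e,
        "enc_key": expand_key(skeyid_e, enc_key_len),  # 16 bytes for the default AES-128
    }

# Constructed sample values (not captured traffic): nonces, cookies and a
# stand-in for the Diffie-Hellman shared secret g^xy (96 bytes for 768-bit group 1).
SAMPLE = dict(
    ni=bytes(range(16)), nr=bytes(range(16, 32)),
    gxy=b"\x5a" * 96,
    cky_i=b"\x01" * 8, cky_r=b"\x02" * 8,
)

if __name__ == "__main__":
    for name, val in derive_ikev1_psk_keys(b"radius-shared-secret", **SAMPLE).items():
        print(f"{name:9s} {val.hex()}")
```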
IPsec Defaults
Table 26-5 IPsec Defaults
Parameter                              Default
IPsec status for RADIUS transactions   Disabled
Authentication protocol                HMAC-SHA1
Encryption method                      AES128
IKE Diffie-Hellman key exchange group  Group-1 (768 bits)
IKE lifetime main mode interval        60 minutes
IKE lifetime quick mode interval       5 minutes
IKE lifetime bandwidth                 100000 bytes
IKE protocol                           Main
Authentication method                  Secret
IPsec Configuration
Procedure 26-2 lists the commands to configure IPsec parameters and enable or disable IPsec on one or all RADIUS servers. The set and clear commands listed below require super user access rights if the security mode setting is C2. Refer to the CLI Reference for your platform for details about using the commands listed.
Note: Although the use of certificates will be supported for IPsec in future releases, the current release supports only the use of a shared secret.