
IBM RackSwitch G8000 User Manual

IBM RackSwitch G8000
362 pages
© Copyright IBM Corp. 2011 Chapter 17. IPsec with IPv6 209
Note: When configuring a manual policy ESP, the ESP authenticator key is optional.

3. After you configure the IPsec policy, apply it to the interface to enforce the security policies on that interface, and save the configuration to keep it in place after a reboot. To accomplish this, enter:

    RS G8000(config-ip)#interface ip <IP interface number, 1-128>
    RS G8000(config-ip-if)#address <IPv6 address>
    RS G8000(config-ip-if)#ipsec manual-policy <policy index, 1-10>
    RS G8000(config-ip-if)#enable (enable the IP interface)
    RS G8000#write (save the current configuration)

Using a Dynamic Key Policy

When you use a dynamic key policy, the first packet triggers IKE and sets up the IPsec SA and IKEv2 SA. The initial packet negotiation also determines the lifetime of the algorithm, or how long it stays in effect. When the key expires, a new key is automatically created, which helps prevent break-ins.

To configure a dynamic key policy:

1. Choose a dynamic policy to configure.

    RS G8000(config)#ipsec dynamic-policy <policy number>

2. Configure the policy.

    RS G8000(config-ipsec-dynamic)#peer <peers IPv6 address>
    RS G8000(config-ipsec-dynamic)#traffic-selector <index of traffic selector>
    RS G8000(config-ipsec-dynamic)#transform-set <index of transform set>
    RS G8000(config-ipsec-dynamic)#sa-lifetime <SA lifetime, in seconds>
    RS G8000(config-ipsec-dynamic)#pfs enable|disable

where the following parameters are used:

    peers IPv6 address           The IPv6 address of the peer (for example, 3000::1)
    index of traffic-selector    A number from 1-10
    index of transform-set       A number from 1-10
    SA lifetime, in seconds      The length of time the SA is to remain in effect; an integer from 120-86400
    pfs enable|disable           Whether to enable or disable the perfect forward secrecy (PFS) feature. The default is disable.

Note: In a dynamic policy, the AH and ESP keys are created by IKEv2.

3. After you configure the IPsec policy, apply it to the interface to enforce the security policies on that interface, and save the configuration to keep it in place after a reboot. To accomplish this, enter:

    RS G8000(config-ip)#interface ip <IP interface number, 1-128>
    RS G8000(config-ip-if)#address <IPv6 address>
    RS G8000(config-ip-if)#ipsec dynamic-policy <policy index, 1-10>
    RS G8000(config-ip-if)#enable (enable the IP interface)
    RS G8000#write (save the current configuration)
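
The following Python check is an added example, not part of the IBM manual: it reviews a pasted dynamic-policy command sequence against the ranges in the parameter table and flags a policy that leaves pfs at its default, is never applied to an IP interface, or is never saved with write. The function name, finding strings and sample session are assumptions made for this example.

```python
import ipaddress
import re

PROMPT = re.compile(r"^RS G8000(\([\w-]+\))?#\s*")  # prompt as printed in the manual
RANGES = {"traffic-selector": (1, 10), "transform-set": (1, 10), "sa-lifetime": (120, 86400)}

def audit_dynamic_policy(text):
    """Return findings for a pasted dynamic-policy command sequence (hypothetical helper)."""
    findings, policies, applied, saved = [], {}, set(), False
    ctx = current = None
    lines = [PROMPT.sub("", line.strip()).split() for line in text.splitlines()]
    for words in filter(None, lines):
        cmd, arg = words[0], words[-1]
        saved = saved or cmd == "write"
        if cmd == "interface":
            ctx = "if"
        elif cmd == "ipsec" and words[1:2] == ["dynamic-policy"]:
            if not (arg.isdecimal() and 1 <= int(arg) <= 10):
                findings.append(f"policy index {arg!r} outside 1-10")
            elif ctx == "if":
                applied.add(int(arg))          # policy bound to an IP interface
            else:
                ctx, current = "policy", int(arg)
                policies[current] = "disable"  # pfs default per the manual
        elif ctx == "policy" and cmd == "peer":
            try:
                ipaddress.IPv6Address(arg)
            except ValueError:
                findings.append(f"policy {current}: peer {arg!r} is not an IPv6 address")
        elif ctx == "policy" and cmd in RANGES:
            lo, hi = RANGES[cmd]
            if not (arg.isdecimal() and lo <= int(arg) <= hi):
                findings.append(f"policy {current}: {cmd} {arg} outside {lo}-{hi}")
        elif ctx == "policy" and cmd == "pfs":
            policies[current] = arg
    for idx, pfs in policies.items():
        if pfs != "enable":
            findings.append(f"policy {idx}: pfs disabled")
        if idx not in applied:
            findings.append(f"policy {idx}: not applied to an IP interface")
    if not saved:
        findings.append("configuration not saved with write")
    return findings

SAMPLE = """RS G8000(config)#ipsec dynamic-policy 1
RS G8000(config-ipsec-dynamic)#peer 3000::1
RS G8000(config-ipsec-dynamic)#sa-lifetime 60
RS G8000(config-ip)#interface ip 1
RS G8000(config-ip-if)#ipsec dynamic-policy 1"""  # constructed session, not from the manual
```

Calling audit_dynamic_policy(SAMPLE) reports the out-of-range SA lifetime, the disabled pfs default and the missing write.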
