Enterasys Networks XSR CLI Router User Manual


 
IPSec Commands
14-106 Configuring the VPN
Parameters    Descriptions
(ISAKMP SA states for the Main Mode Exchange, Aggressive Mode Exchange and Quick Mode Exchange; the state rows are listed after the access-list description below)
IPSec Commands
This section describes commands that configure the IPSec protocol, which provides anti-replay protection as well as data authentication and encryption.

access-list

This command creates an access list which is used to define which IP traffic will and will not be protected by the crypto process. ACLs associated with IPSec crypto map entries have these primary functions:

• Select outbound traffic to be protected by IPSec: the keyword permit equates with protected traffic.
• Indicate the data flow to be protected by the new Security Associations (SAs), specified by a single permit entry, when initiating negotiations for IPSec SAs.
• Process inbound traffic to filter out and discard traffic that should have been protected by IPSec.
• Determine whether or not to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer (negotiation is done only for ipsec-isakmp crypto map entries). If the peer initiates IPSec negotiation, it must specify a data flow that is "permitted" by a crypto access list associated with an ipsec-isakmp crypto map entry in order to be accepted.
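The following is an added example, not code from the XSR manual, that models the four crypto ACL functions described above: permit selects outbound traffic for protection, clear-text inbound traffic that a permit entry covers is discarded, and a peer's proposed IPSec SA is accepted only when its data flow lies inside a single permit entry. The ACL entry format, the addresses and the mirror matching of inbound packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed crypto ACL, written from the local (outbound) perspective:
# permit = traffic to be protected by IPSec, deny = traffic sent in the clear.
CRYPTO_ACL_TEXT = """
permit 10.1.0.0/16 10.2.0.0/16
deny   10.1.0.0/16 0.0.0.0/0
"""

@dataclass(frozen=True)
class AclEntry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_acl(text):
    """Parse '<permit|deny> <src-net> <dst-net>' lines (an assumed, simplified entry format)."""
    entries = []
    for line in text.strip().splitlines():
        action, src, dst = line.split()
        entries.append(AclEntry(action, ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return entries

def first_match(acl, src_ip, dst_ip):
    """First matching entry, or None when the packet falls outside the crypto ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((e for e in acl if s in e.src and d in e.dst), None)

def outbound_action(acl, src_ip, dst_ip):
    """Outbound: only a permit match selects the packet for IPSec protection."""
    e = first_match(acl, src_ip, dst_ip)
    return "protect" if e is not None and e.action == "permit" else "clear"

def inbound_action(acl, src_ip, dst_ip, protected):
    """Inbound: clear-text packets that a permit entry says should have been protected
    are discarded. The ACL is matched with source and destination swapped (assumed)."""
    e = first_match(acl, dst_ip, src_ip)
    if e is not None and e.action == "permit" and not protected:
        return "discard"
    return "accept"

def accept_peer_proposal(acl, proposed_src, proposed_dst):
    """IKE negotiation: accept the peer's proposed IPSec SA only if the whole proposed
    data flow lies within a single permit entry of the crypto ACL."""
    ps, pd = ipaddress.ip_network(proposed_src), ipaddress.ip_network(proposed_dst)
    return any(e.action == "permit" and ps.subnet_of(e.src) and pd.subnet_of(e.dst)
               for e in acl)
```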
Main Mode Exchange (MM_*)
MM_NO_STATE    ISAKMP SA has only just been created and no state is yet established.
MM_SA_SETUP    Peers have agreed on settings for the ISAKMP SA.
MM_KEY_EXCH    Peers have exchanged Diffie-Hellman public keys and built a shared secret. The ISAKMP SA is not authenticated.
MM_KEY_AUTH    ISAKMP SA is authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Aggressive Mode Exchange (AG_*)
AG_NO_STATE    ISAKMP SA has only just been created and no state is yet established.
AG_INIT_EXCH   Peers have made the first exchange in Aggressive Mode but the SA is not authenticated.
AG_AUTH        ISAKMP SA has been authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Quick Mode Exchange (QM_*)
QM_IDLE        ISAKMP SA is quiescent. It remains authenticated with its peer and may be used for later Quick Mode exchanges.