Motorola Series Switch WS5100 User Manual

6-44 WS5100 Series Switch System Reference Guide

security parameters in the Crypto Maps at both peers.

• Allows you to specify a lifetime for the IPSec security association.

• Allows encryption keys to change during IPSec sessions.

• Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.

• Allows dynamic authentication of peers.

If you do not want IKE to be used with your IPSec implementation, you can disable it for IPSec peers. You cannot have a mix of IKE-enabled and IKE-disabled peers within your IPSec network. When IKE is disabled, IPSec session keys must be specified manually.

• Configure security association parameters

The use of manual security associations is the result of a prior arrangement between the switch users and the IPSec peer. If IKE is not used to establish security associations, there is no negotiation of security associations, so the configuration information on both systems must be identical for traffic to be processed successfully by IPSec.

• Define transform sets

A transform set represents a combination of security protocols and algorithms. During the IPSec security
association negotiation, peers agree to use a particular transform set for protecting data flow.

With manually established security associations, there is no negotiation with the peer, so both sides
must specify the same transform set. If you change a transform set definition, the change is only applied
to Crypto Map entries that reference the transform set. The change is not applied to existing security
associations, but is used in subsequent negotiations to establish new security associations.

• Create Crypto Map entries

When IKE is used to establish security associations, the IPSec peers can negotiate the settings they use
for the new security associations. Therefore, you can specify lists (such as lists of acceptable transforms)
within the Crypto Map entry.

• Apply Crypto Map sets to interfaces

You must assign a Crypto Map set to each interface through which IPSec traffic flows. The security appliance supports IPSec on all interfaces. Assigning the Crypto Map set to an interface instructs the security appliance to evaluate all traffic on that interface against the Crypto Map set and to use the specified policy during connection or SA negotiation. Assigning a Crypto Map to an interface also initializes run-time data structures, such as the SA database and the security policy database. Reassigning a modified Crypto Map to the interface resynchronizes the run-time data structures with the Crypto Map configuration. Adding new peers through new sequence numbers and reassigning the Crypto Map does not tear down existing connections. On the WS5100 switch, a Crypto Map cannot be applied to more than one interface at a time.

• Monitor and maintain IPSec tunnels

New configuration changes will only take effect when negotiating subsequent security associations. If
you want the new settings to take immediate effect, you must clear the existing security associations so
that they will be re-established with the changed configuration.

For manually established security associations, clear and reinitialize the security associations or the
changes will not take effect.
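The following Python model is an added illustration of the rules stated in this section (transform-set negotiation under IKE, exact-match requirement for manual SAs, the no-mixing rule, the one-interface rule, and the fact that existing SAs keep their old settings until cleared). It is not WS5100 firmware or CLI; all class and function names, and the sample transform sets, are assumptions made for the example.

```python
"""Toy model of the Crypto Map rules described in this section.

Added illustrative code, not WS5100 firmware or its CLI; names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    """A named combination of security protocol and algorithms."""
    name: str
    protocol: str    # e.g. "esp"
    encryption: str  # e.g. "aes-256"
    integrity: str   # e.g. "sha1"

    def algorithms(self) -> Tuple[str, str, str]:
        # Peers compare what a transform set does, not its local name.
        return (self.protocol, self.encryption, self.integrity)


# Constructed sample transform sets (illustrative values, not switch defaults).
AES_SHA = TransformSet("ts-strong", "esp", "aes-256", "sha1")
DES_MD5 = TransformSet("ts-legacy", "esp", "des", "md5")


@dataclass
class CryptoMapEntry:
    seq: int                        # sequence number within the map
    peer: str                       # IPSec peer address
    ike: bool                       # True: IKE negotiates SAs; False: manual SA
    transforms: List[TransformSet]  # acceptable transform sets, most preferred first
    manual_keys: Optional[Dict[str, str]] = None  # used only when ike is False


@dataclass
class CryptoMap:
    name: str
    entries: List[CryptoMapEntry] = field(default_factory=list)


def validate_crypto_map(cmap: CryptoMap) -> List[str]:
    """Report configuration problems implied by the rules in this section."""
    problems: List[str] = []
    if len({e.ike for e in cmap.entries}) > 1:
        problems.append("IKE-enabled and IKE-disabled peers cannot be mixed")
    seqs = [e.seq for e in cmap.entries]
    if len(seqs) != len(set(seqs)):
        problems.append("duplicate sequence numbers")
    for e in cmap.entries:
        if e.ike and not e.transforms:
            problems.append(f"seq {e.seq}: IKE entry lists no transform set")
        if not e.ike and len(e.transforms) != 1:
            problems.append(f"seq {e.seq}: manual SA must name exactly one transform set")
        if not e.ike and not e.manual_keys:
            problems.append(f"seq {e.seq}: manual SA has no session keys")
    return problems


def negotiate(local: CryptoMapEntry, remote: CryptoMapEntry) -> Optional[TransformSet]:
    """IKE-style selection: the first local transform set the peer also offers."""
    offered = {t.algorithms() for t in remote.transforms}
    for t in local.transforms:
        if t.algorithms() in offered:
            return t
    return None


def manual_sa_consistent(local: CryptoMapEntry, remote: CryptoMapEntry) -> bool:
    """Manual SAs are never negotiated: transform set and keys must match exactly."""
    if local.ike or remote.ike or not local.manual_keys or not remote.manual_keys:
        return False
    return (local.transforms[0].algorithms() == remote.transforms[0].algorithms()
            and local.manual_keys == remote.manual_keys)


class SADatabase:
    """Run-time SA table: editing a Crypto Map does not touch existing SAs."""

    def __init__(self) -> None:
        self.active: Dict[str, TransformSet] = {}

    def establish(self, local: CryptoMapEntry,
                  remote: CryptoMapEntry) -> Optional[TransformSet]:
        if local.peer in self.active:  # an existing SA keeps its old transform set
            return self.active[local.peer]
        if local.ike:
            chosen = negotiate(local, remote)
        else:
            chosen = local.transforms[0] if manual_sa_consistent(local, remote) else None
        if chosen is not None:
            self.active[local.peer] = chosen
        return chosen

    def clear(self) -> None:
        """Clearing SAs forces re-establishment with the current configuration."""
        self.active.clear()


def apply_to_interface(cmap: CryptoMap, interface: str,
                       assignments: Dict[str, str]) -> Dict[str, str]:
    """WS5100 rule: a Crypto Map is applied to at most one interface at a time."""
    for iface, name in assignments.items():
        if name == cmap.name and iface != interface:
            raise ValueError(f"{cmap.name} is already applied to {iface}")
    assignments[interface] = cmap.name
    return assignments
```

The `SADatabase` class is the part worth running: after changing an entry's transform list, `establish()` keeps returning the transform set of the SA already in the table, and only after `clear()` does the new configuration take effect, which is exactly the "clear and reinitialize" step the section describes.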

For more information on configuring IPSec VPN, refer to the following:

Defining the IPSec Configuration

Defining the IPSec VPN Remote Configuration

Configuring IPSEC VPN Authentication

Configuring Crypto Maps