beautypg.com

Motorola S2500 User Manual

Page 6

background image

MNR S2500 Security Policy

Version 1.2, Revision Date: 8/8/2008

Page

6

Entering FIPS Mode

To enter FIPS mode, the Crypto Officer must follow the procedure outlined in Table 3 below.
For details on individual router commands, use the online help facility or review the Enterprise
OS Software User Guide, version 15.1 and the Enterprise OS Software Reference Guide, version
15.1.

Step

Description

1.

Configure the parameters for the IKE negotiations using the IKEProfile command. For FIPS

mode, only the following values are allowed: Diffie-Hellman Group (Group 2 or Group 5),
Encryption Algorithm (AES or 3DES), Hash Algorithm (SHA), and Authentication Method
(PreSharedKey).

2.

Manually establish via the local console port the pre-shared key (PSK) to be used for the IKE

protocol using:

ADD –CRYPTO FipsPreSharedKey

The PSK must be at least 80 bits in length with at least 80 bits of entropy.

3.

Configure Ipsec and FRF.17 selector lists using the command

ADD –CRYPTO SelectorLIst

For FIPS mode, the selector list must be configured to encrypt all packets on an encrypted port,
e.g. ADD –CRYPTO SelectorLIst s1 1 Include ANY 0.0.0.0/0 0.0.0.0/0

4.

If Ipsec is used, configure Ipsec transform lists using the ADD –CRYPTO TransformLIst

command. For FIPS mode, only the following values are allowed: Encryption Transform (ESP-
3DES, or ESP-AES) and Authentication Transform (ESP-SHA).

5.

If FRF.17 is used, configure FRF.17 transform lists using the ADD –CRYPTO

TransformLIst command. For FIPS mode, only the following values are allowed: Encryption
Transform (FRF-3DES, or FRF-AES) and Authentication Transform (FRF-SHA).

6.

For each port for which encrypted is required, bind a dynamic policy to the ports using

ADD [!] –CRYPTO DynamicPOLicy
[] [] []

To be in FIPS mode, the selector list and transform list names must be defined as in previous
steps.

7.

For each port for which encryption is required, enable encryption on that port using

SETDefault [!] –CRYPTO CONTrol = Enabled

8.

FIPS-140-2 mode achieved

Table 3 – FIPS Approved mode configuration

To review the cryptographic configuration of the router, use the following command:

See also other documents in the category Motorola Hardware: