Installing and Administering IPSec/9000 > Chapter 5 IPSec/9000 Configuration Examples

Example 2: Description

Scenario.

You have a closed network of systems with the network address 192.6.1.*. All of the systems have IPSec/9000 installed, except for the system potato (192.6.1.222). You want DES encryption for all IP packets between the nodes on this network, except for IP packets to and from the system potato, which you will allow to pass in clear text.

Since you have a closed network, you should not receive packets from any IP addresses outside your network, so you will discard all other packets.

You have a Public Key Infrastructure that all the nodes on the network use, so you are using RSA signatures for ISAKMP primary authentication. The address of the Certificate Authority is 192.6.1.66.

Except for the above specifications, you will use the default values for most parameters (such as Security Association Lifetimes).

Attached are configuration worksheets for the system Carrot (192.6.1.1).

Carrot System Configuration

IPSec Policies

You configure two IPSec policies on carrot.

The first IPSec policy (passPotato) allows all packets to and from system potato to pass in clear text.

The second IPSec policy (DESnet) will apply ESP-DES encryption to all packets in the 192.6.1.* network. Notice how the 192.6.1.* network is specified in the filter: the remote IP address is 192.6.1.0 and the prefix length is 24. The prefix length determines a mask that is AND'ed with the remote IP address to select which bits are compared when checking whether a packet's IP address matches the filter.

Figure 5-3 Example 2: Network IPSec Policy with Exception


Policy Order

Note that the passPotato policy order number is 1 and the DESnet policy order number is 2. The passPotato policy MUST have a lower order number (higher priority) than the DESnet policy. This is because packets to and from system potato will match the filters for both the passPotato policy and the DESnet policy. By giving the passPotato policy a lower order number (higher priority), you ensure that IPSec/9000 will use the passPotato policy for packets to and from system potato instead of the DESnet policy.

Default IPSec Policy

You modify the default policy to discard all packets, since it will only be used for packets from outside your network (all packets from within your network will match the passPotato or DESnet policies) and you do not want to accept packets from outside your network.
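The following Python model, added here as an illustration and not part of the IPSec/9000 product or this manual, works through the three points above: how a filter's remote IP address and prefix length are combined into a mask to test a packet's address, why passPotato must have a lower order number than DESnet, and how the default policy catches everything that matches neither. It models only the remote-address part of each filter (the protocol, port and local-address fields are omitted), and the policy table and test addresses are constructed from the scenario text.

```python
"""Ordered IPSec policy selection for the Example 2 scenario (illustrative model)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str         # policy name as on the worksheet
    order: int        # lower order number = higher priority
    remote: str       # remote IP address field of the filter
    prefix_len: int   # prefix length field of the filter (0..32)
    action: str       # what happens to a matching packet


def prefix_mask(prefix_len: int) -> int:
    """Turn a prefix length into a 32-bit mask with prefix_len leading one bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return 0xFFFFFFFF ^ ((1 << (32 - prefix_len)) - 1)


def prefix_match(packet_addr: str, remote: str, prefix_len: int) -> bool:
    """True when the bits selected by the mask agree in both addresses.

    This is the AND-and-compare step described for the DESnet filter: the
    mask is AND'ed with the filter's remote address and with the packet's
    address, and only the surviving bits are compared.
    """
    mask = prefix_mask(prefix_len)
    a = int(ipaddress.IPv4Address(packet_addr))
    r = int(ipaddress.IPv4Address(remote))
    return (a & mask) == (r & mask)


# Constructed policy table for carrot. DESnet is listed first on purpose to
# show that the order number, not list position, decides priority.
CARROT_POLICIES: List[Policy] = [
    Policy("DESnet", 2, "192.6.1.0", 24, "esp-des"),
    Policy("passPotato", 1, "192.6.1.222", 32, "pass"),
]

# Default policy modified to discard, as the scenario requires.
DEFAULT_POLICY = Policy("default", 2**31, "0.0.0.0", 0, "discard")


def select_policy(policies: List[Policy], packet_addr: str,
                  default: Optional[Policy] = None) -> Policy:
    """Return the highest-priority policy whose filter matches the address.

    Policies are tried in ascending order number; the default policy is used
    only if no configured policy matches, which in this closed network means
    the packet came from outside 192.6.1.*.
    """
    default = default or DEFAULT_POLICY
    for policy in sorted(policies, key=lambda p: p.order):
        if prefix_match(packet_addr, policy.remote, policy.prefix_len):
            return policy
    return default


def misordered_policies() -> List[Policy]:
    """The same table with the order numbers swapped (the mistake to avoid)."""
    return [
        Policy("DESnet", 1, "192.6.1.0", 24, "esp-des"),
        Policy("passPotato", 2, "192.6.1.222", 32, "pass"),
    ]


if __name__ == "__main__":
    for addr in ("192.6.1.222", "192.6.1.5", "10.0.0.7"):
        chosen = select_policy(CARROT_POLICIES, addr)
        print(f"{addr:>12} -> {chosen.name} ({chosen.action})")
    wrong = select_policy(misordered_policies(), "192.6.1.222")
    print(f"misordered: 192.6.1.222 -> {wrong.name} ({wrong.action})")
```

Running the script shows potato's address selecting passPotato, another 192.6.1.* host selecting DESnet, and an outside address falling through to the discarding default. With the order numbers swapped, the packet to potato matches DESnet first and would be sent encrypted to a host that has no IPSec/9000, which is exactly the failure the ordering rule prevents.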

ISAKMP Policy

Note that the (primary) authentication method is RSA signature.

Certificate Worksheet

Note that the IP address of the Certificate Authority is required.

© 2001 Hewlett-Packard Development Company, L.P.