This table is used only in MANUAL mode of the IPsec port.
The table of IPsec policies can store up to 128 entries, indexed from 0 to 127.
Entries in the IPsec policy table may be added, modified or deleted while the Abilis CPX is running, without restarting it. Changes made to the table take effect once the command INIT PO:xxx is executed, where "xxx" is the IPsec port number.
Commands for handling IPsec Policies are described in the IPsec policy table section of the document Commands relating to IPsec.
The available commands are the following:
A IPSEC POLICY:
Here is an example of the IPsec policy table:
[21:28:23] CPX_1:D IPsec POLICY
-------------------------------------------------------------------------------
POLICY: NAME:           NET-SRC:            PORT-SRC: DIR: BUNDLE: RULE:
                        NET-DST:            PORT-DST:
-------------------------------------------------------------------------------
0       CPX_1-to-CPX_2  192.168.001.000/24  *         OUT  0       IPSEC
                        192.168.003.000/24  *
-------------------------------------------------------------------------------
1       CPX_2-to-CPX_1  192.168.003.000/24  *         IN   1       IPSEC
                        192.168.001.000/24  *
-------------------------------------------------------------------------------
2       Drop policy     000.000.000.000/0   *         OUT  NONE    DROP
                        000.000.000.000/0   *
-------------------------------------------------------------------------------
Here is an example of the single IPsec policy table record 0:
[00:15:04] ABILIS_CPX:D IPsec POLICY:0
Parameter: |Value:
------------------------------------------------------------------------------
POLICY:    |0
NAME:      |CPX_1-to-CPX_2
DIR:       |OUT
BUNDLE:    |0
RULE:      |IPSEC
NET-SRC:   |192.168.002.001/32
NET-DST:   |192.168.002.002/32
PORT-SRC:  |*
PORT-DST:  |*
------------------------------------------------------------------------------
POLICY: | Policy record identifier |
no default | 0-127 |
The policy record identifier. It is a numeric value assigned by the system when the IPsec policy record is first added, and it is used to reference the record in set, clear and display operations.
NAME: | Name for the policy record |
empty | from 0 up to 32 ASCII printable characters. Spaces are not allowed. Case is preserved. |
Specifies name for the current policy record.
DIR: | Direction for this policy record |
OUT | IN, OUT |
Specifies direction for this policy record.
OUT: Outbound direction.
IN: Inbound direction.
BUNDLE: | Number of SA bundle |
NONE | NONE, 0-127 |
Specifies the number of the SA bundle group associated with this policy record.
The value NONE means "not defined". For the IPSEC rule a bundle number is required, and it must match the BUNDLE: of at least one record in the SA table.
RULE: | Rule for this policy record |
IPSEC | BYPASS, DROP, IPSEC |
Specifies rule for this policy record.
BYPASS: the IP packet is passed through untouched by the IPsec driver. Outbound direction only.
DROP: the IP packet is discarded by the IPsec driver. Outbound direction only.
IPSEC: the IP packet is processed by IPsec with the SA bundle referenced by BUNDLE:.
NET-SRC: | Source subnet address and mask |
0.0.0.0/0 | net: 0.0.0.0, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255 mask: 0-32 |
Specifies the network address and mask of the source subnet/host in slash notation [x.x.x.x/yy]. A /32 mask selects a single host; 0.0.0.0/0 matches any source address.
NET-DST: | Destination subnet address and mask |
0.0.0.0/0 | net: 0.0.0.0, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255 mask: 0-32 |
Specifies the network address and mask of the destination subnet/host in slash notation [x.x.x.x/yy]. A /32 mask selects a single host; 0.0.0.0/0 matches any destination address.
PORT-SRC: | Source port of the upper protocol |
* | *, 1-65535 |
Specifies the source port of the upper-layer protocol (TCP, UDP). The value * matches any port.
PORT-DST: | Destination port of the upper protocol |
* | *, 1-65535 |
Specifies the destination port of the upper-layer protocol (TCP, UDP). The value * matches any port.
This table is used only in MANUAL mode of the IPsec port.
The table of IPsec Security Associations can store up to 128 entries, indexed from 0 to 127.
Entries in the IPsec Security Association table may be added, modified or deleted while the Abilis CPX is running, without restarting it. Changes made to the table take effect once the command INIT PO:xxx is executed, where "xxx" is the IPsec port number.
Commands for handling Security Associations are described in the IPsec Security Associations table section of the document Commands relating to IPsec.
The available commands are the following:
A IPSEC SA:
Here is an example of the IPsec SA table. SA bundle: ESP protocol with MD5 authentication and 3DES encryption, AH protocol with SHA-1 authentication:
[21:25:43] CPX_1:D IPsec SA
-------------------------------------------------------------------------------
SA: NAME:              SPI:     SRC-IP:         PROT: AUTH:    CIPHER:  DIR: BUNDLE: TUNNEL: IPP: SIDE:
                                DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
0   CPX_1-to-CPX_2_ESP 00000200 192.168.002.001 ESP   MD5      3DES     OUT  0       YES     1    AUTO
                                192.168.002.002       *******  *******
-------------------------------------------------------------------------------
1   CPX_1-to-CPX_2_AH  00000201 192.168.002.001 AH    SHA               OUT  0       NO      1    AUTO
                                192.168.002.002       *******
-------------------------------------------------------------------------------
2   CPX_2-to-CPX_1_AH  00000401 192.168.002.002 AH    SHA               IN   1       NO      1    AUTO
                                192.168.002.001       *******
-------------------------------------------------------------------------------
3   CPX_2-to-CPX_1_ESP 00000400 192.168.002.002 ESP   MD5      3DES     IN   1       YES     1    AUTO
                                192.168.002.001       *******  *******
-------------------------------------------------------------------------------
Here is an example of the IPsec SA table record 0 (single SA). ESP protocol without authentication and IDEA encryption:
[00:12:22] ABILIS_CPX:D IPsec SA:0
Parameter: |Value:
------------------------------------------------------------------------------
SA:        |0
NAME:      |CPX_1-to-CPX_2_ESP
SPI:       |00010ABC
DIR:       |OUT
BUNDLE:    |0
SRC-IP:    |192.168.002.001
DST-IP:    |192.168.002.002
PROT:      |ESP
AUTH:      |NONE
CIPHER:    |IDEA
ENCKEY:    |********
TUNNEL:    |NO
IPP:       |1
SIDE:      |AUTO
------------------------------------------------------------------------------
SA: | Security Association record identifier |
no default | 0-127 |
The Security Association record identifier. It is a numeric value assigned by the system when the IPsec Security Association record is first added, and it is used to reference the record in set, clear and display operations.
NAME: | Name of the Security Association record |
empty | from 0 up to 32 ASCII printable characters. Spaces are not allowed. Case is preserved. |
Specifies name of the current Security Association record.
SPI: | Security Parameter Index (SPI). |
NONE | 0x100-0xFFFFFFFF |
Specifies the Security Parameter Index (SPI) for this Security Association record. Values below 0x100 cannot be used: SPI 0 is reserved for local use and 1-255 are reserved by IANA.
Each SA must have a unique SPI value within the table. The receiver selects the inbound SA by the SPI carried in the AH or ESP header, so the SPI of an IN record must equal the SPI configured on the peer's corresponding OUT record.
DIR: | Direction for this Security Association record |
OUT | IN, OUT |
Specifies direction for this Security Association record.
OUT: Outbound direction.
IN: Inbound direction.
BUNDLE: | Number of SA bundle group |
NONE | NONE, 0-127 |
Specifies number of Security Association bundle group.
The value NONE means "not defined". All SAs with the same group number are grouped into one bundle with that number. A bundle cannot contain SAs of different directions.
SRC-IP: | Source IP address. |
0.0.0.0 | 0.0.0.0, 1-126.x.x.x, 128-223.x.x.x |
Specifies the source IP address for this Security Association record.
DST-IP: | Destination IP address. |
0.0.0.0 | 0.0.0.0, 1-126.x.x.x, 128-223.x.x.x |
Specifies the destination IP address for this Security Association record.
PROT: | IPsec protocol. |
AH | AH, ESP |
Specifies IPsec protocol for this Security Association record.
AH: IPsec Authentication Header protocol. Provides integrity and origin authentication (AUTH:) but no encryption.
ESP: IPsec Encapsulating Security Payload protocol. Provides encryption (CIPHER:) and, when AUTH: is set, integrity of the payload.
AUTH: | Authentication method for the AH or ESP protocols. |
NONE | NONE, MD5, SHA |
Specifies authentication method for the AH or ESP protocols for this Security Association record.
NONE: No authentication. For ESP this gives encryption without integrity protection, so ciphertext can be altered in transit without detection; use MD5 or SHA, or put an AH SA in the same bundle.
MD5: Message Digest Algorithm MD5 (keyed, 16-character key, see AUTHKEY:). MD5 is obsolete; prefer SHA for new configurations.
SHA: Secure Hash Algorithm SHA-1 (keyed, 20-character key, see AUTHKEY:).
CIPHER: | Encryption algorithm for the ESP protocol. |
NONE | NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256 |
Specifies encryption algorithm for ESP protocol for this Security Association record.
NONE: No encryption.
DES: DES encryption algorithm in CBC mode. Its 56-bit effective key is brute-forceable; do not use it for new configurations.
3DES: Triple DES encryption algorithm in CBC mode. Deprecated because of its 64-bit block size (Sweet32); prefer AES.
IDEA: IDEA encryption algorithm in CBC mode.
CAST: CAST encryption algorithm in CBC mode.
BLOWFISH: BLOWFISH encryption algorithm in CBC mode.
AES128: AES encryption algorithm in CBC mode with 128 bits key length.
AES192: AES encryption algorithm in CBC mode with 192 bits key length.
AES256: AES encryption algorithm in CBC mode with 256 bits key length.
AUTHKEY: | Manual authentication key for the AH or ESP protocols. |
empty | ASCII printable string. Case is preserved. Spaces are allowed. For MD5 authentication key: exactly 16 characters are required. For SHA authentication key: exactly 20 characters are required. |
Specifies the manual authentication key for the AH or ESP protocols for this Security Association record. The key is entered as printable characters, so generate it at random over the full required length: a word or repeated pattern carries far less entropy than the nominal key size. The peer's matching SA must be configured with the same key.
ENCKEY: | Manual encryption key for the ESP protocol. |
empty | ASCII printable string. Case is preserved. Spaces are allowed. For DES encryption key: exactly 8 characters are required. For IDEA, CAST, BLOWFISH and AES128 encryption key: exactly 16 characters are required. For 3DES and AES192 encryption key: exactly 24 characters are required. For AES256 encryption key: exactly 32 characters are required. |
Specifies the manual encryption key for the ESP protocol for this Security Association record. As with AUTHKEY:, use a randomly generated string of exactly the required length and configure the same key on the peer's matching SA.
TUNNEL: | Tunnel mode flag. |
NO | NO, YES |
Specifies tunnel mode for this Security Association record.
NO: Tunnel mode is disabled. The Security Association works in transport mode, which protects only traffic exchanged directly between SRC-IP: and DST-IP:.
YES: Tunnel mode is enabled. The Security Association works in tunnel mode: the whole original IP packet is encapsulated in a new packet between SRC-IP: and DST-IP:, which is what a policy needs when its NET-SRC:/NET-DST: subnets lie behind the two endpoints, as in the examples above.
IPP: | Tunnel IP port. |
# | #, 0-63 |
Specifies the IP port (IPP) used for this record; it associates the Security Association record with an IP port.
SIDE: | NAT side type of tunnel. |
AUTO | NONE, INSIDE, OUTSIDE, AUTO |
Specifies NAT side type of tunnel (when available).
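The constraints spelled out in the two parameter lists above (SPI range and uniqueness, exact AUTHKEY:/ENCKEY: lengths per algorithm, single-direction bundles, BYPASS/DROP outbound only, IPSEC policies needing a bundle that exists in the SA table) are easy to get wrong when a configuration is typed by hand. The following lint is an added example written for this page; it is not part of the Abilis CPX software or its command set. It models each table as a list of dicts keyed by the parameter names used above, adds three general cautions a reviewer would raise (encryption-only ESP, deprecated MD5/DES/3DES, keys that are not random, with the entropy ceiling of a printable-ASCII key), and assumes, from the page's examples, that a policy and the bundle it selects carry the same direction. The sample tables and keys at the bottom are constructed: the first set mirrors the D IPsec POLICY / D IPsec SA output shown above with made-up keys in place of the masked ones, the second collects the mistakes the checks catch.

```python
"""Lint for an Abilis CPX manual-mode IPsec configuration (policy table + SA table).
Example code written for this page, not the Abilis CPX software or its command set.
Tables are lists of dicts keyed by the parameter names used above; the samples at
the bottom are constructed from the page's examples with made-up keys."""
import math
from collections import defaultdict

AUTH_KEY_LEN = {"NONE": 0, "MD5": 16, "SHA": 20}                      # AUTHKEY: sizes
ENC_KEY_LEN = {"NONE": 0, "DES": 8, "IDEA": 16, "CAST": 16, "BLOWFISH": 16,
               "AES128": 16, "3DES": 24, "AES192": 24, "AES256": 32}   # ENCKEY: sizes
NOMINAL_BITS = {"DES": 56, "3DES": 168, "IDEA": 128, "CAST": 128, "BLOWFISH": 128,
                "AES128": 128, "AES192": 192, "AES256": 256}
WEAK = {"MD5": "collision-broken hash, prefer SHA", "DES": "56-bit key",
        "3DES": "64-bit block (Sweet32), prefer AES"}
SA_FIELDS = ("SA", "NAME", "SPI", "DIR", "BUNDLE", "PROT", "AUTH", "CIPHER", "AUTHKEY", "ENCKEY")
POLICY_FIELDS = ("POLICY", "NAME", "DIR", "BUNDLE", "RULE")

def rows(fields, *tuples):  # build table records (dicts keyed by parameter name)
    return [dict(zip(fields, t)) for t in tuples]

def key_ceiling_bits(key):
    """Most entropy a printable-ASCII key of this length can carry: log2(95) ~ 6.57 bits/char."""
    return int(len(key) * math.log2(95))

def looks_non_random(key):
    """Heuristic: one repeated character, or letters only, was not drawn at random."""
    return len(set(key)) <= 1 or key.isalpha()

def lint_sas(sas):
    """Apply the SA-table rules; return (findings, {bundle number: direction})."""
    findings, spis, bundles = [], {}, defaultdict(list)
    for sa in sas:
        tag = f"SA {sa['SA']} ({sa['NAME']})"
        spi, prot, auth, cipher = sa["SPI"], sa["PROT"], sa["AUTH"], sa["CIPHER"]
        if not 0x100 <= spi <= 0xFFFFFFFF:        # 1-255 are IANA-reserved, 0 is local use
            findings.append(f"ERROR {tag}: SPI {spi:#x} outside 0x100-0xFFFFFFFF")
        elif spi in spis:                          # SPI must be unique within the table
            findings.append(f"ERROR {tag}: SPI {spi:#010x} duplicates SA {spis[spi]}")
        spis[spi] = sa["SA"]
        if prot == "AH" and auth == "NONE":
            findings.append(f"ERROR {tag}: AH is integrity-only, AUTH: NONE leaves it nothing to do")
        for field, sizes, alg in (("AUTHKEY", AUTH_KEY_LEN, auth), ("ENCKEY", ENC_KEY_LEN, cipher)):
            if len(sa[field]) != sizes[alg]:      # exact length is required
                findings.append(f"ERROR {tag}: {alg} needs a {sizes[alg]}-character {field}, got {len(sa[field])}")
            if sa[field] and looks_non_random(sa[field]):
                findings.append(f"WARN {tag}: {field} does not look random")
            if alg in WEAK:
                findings.append(f"WARN {tag}: {alg} is deprecated ({WEAK[alg]})")
        if cipher in NOMINAL_BITS and key_ceiling_bits(sa["ENCKEY"]) < NOMINAL_BITS[cipher]:
            findings.append(f"INFO {tag}: printable-ASCII ENCKEY caps {cipher} at "
                            f"~{key_ceiling_bits(sa['ENCKEY'])} of {NOMINAL_BITS[cipher]} bits")
        if sa["BUNDLE"] != "NONE":
            bundles[sa["BUNDLE"]].append(sa)
    for num, members in bundles.items():
        if len({m["DIR"] for m in members}) > 1:
            findings.append(f"ERROR bundle {num}: SAs of different DIR cannot share a bundle")
        if not any(m["AUTH"] != "NONE" for m in members):   # no member adds an ICV
            for m in members:
                if m["PROT"] == "ESP" and m["CIPHER"] != "NONE":
                    findings.append(f"ERROR bundle {num}: SA {m['SA']} is encryption-only ESP, "
                                    "ciphertext can be altered undetected; set AUTH: or add an AH SA")
    return findings, {n: m[0]["DIR"] for n, m in bundles.items()}

def lint_policies(policies, bundle_dir):
    findings = []
    for p in policies:
        tag = f"POLICY {p['POLICY']} ({p['NAME']})"
        if p["RULE"] in ("BYPASS", "DROP") and p["DIR"] != "OUT":
            findings.append(f"ERROR {tag}: {p['RULE']} is outbound only")
        if p["RULE"] == "IPSEC":
            if p["BUNDLE"] == "NONE":
                findings.append(f"ERROR {tag}: IPSEC rule needs a BUNDLE:")
            elif p["BUNDLE"] not in bundle_dir:
                findings.append(f"ERROR {tag}: BUNDLE {p['BUNDLE']} has no SA in the SA table")
            elif bundle_dir[p["BUNDLE"]] != p["DIR"]:   # assumption inferred from the page's examples
                findings.append(f"ERROR {tag}: DIR {p['DIR']} but bundle {p['BUNDLE']} is {bundle_dir[p['BUNDLE']]}")
    return findings

def lint(policies, sas):
    sa_findings, bundle_dir = lint_sas(sas)
    return sa_findings + lint_policies(policies, bundle_dir)

# Constructed sample keys (illustration only); lengths follow the AUTHKEY:/ENCKEY: tables.
K16, K20, K24 = "k7#Qp2!mZ9@vL4$e", "Sh4-k3y_f0r-AH_0utb!", "Tr3ble-D3s_K3y!Example24"
# CPX_1's tables as shown in the page's D IPsec SA / D IPsec POLICY output.
GOOD_SAS = rows(SA_FIELDS,
    (0, "CPX_1-to-CPX_2_ESP", 0x200, "OUT", 0, "ESP", "MD5", "3DES", K16, K24),
    (1, "CPX_1-to-CPX_2_AH", 0x201, "OUT", 0, "AH", "SHA", "NONE", K20, ""),
    (2, "CPX_2-to-CPX_1_AH", 0x401, "IN", 1, "AH", "SHA", "NONE", K20, ""),
    (3, "CPX_2-to-CPX_1_ESP", 0x400, "IN", 1, "ESP", "MD5", "3DES", K16, K24))
GOOD_POLICIES = rows(POLICY_FIELDS, (0, "CPX_1-to-CPX_2", "OUT", 0, "IPSEC"),
                     (1, "CPX_2-to-CPX_1", "IN", 1, "IPSEC"), (2, "Drop_policy", "OUT", "NONE", "DROP"))
# A broken table: the page's encryption-only ESP/IDEA record plus common mistakes.
BAD_SAS = rows(SA_FIELDS,
    (0, "enc_only", 0x10ABC, "OUT", 0, "ESP", "NONE", "IDEA", "", "passwordpassword"),
    (1, "low_spi", 0x10, "OUT", 1, "ESP", "SHA", "AES256", K20, K24))
BAD_POLICIES = rows(POLICY_FIELDS, (0, "wrong_dir", "IN", 0, "IPSEC"),
                    (1, "no_such_bundle", "OUT", 7, "IPSEC"), (2, "inbound_drop", "IN", "NONE", "DROP"))
```

Running lint(GOOD_POLICIES, GOOD_SAS) on the page's own example reports no ERROR lines but four WARN lines (MD5 and 3DES on each ESP SA) and two INFO lines, which is the point: the configuration is consistent, but its algorithm choices are the ones the CIPHER: and AUTH: lists above flag as deprecated. lint(BAD_POLICIES, BAD_SAS) reports six ERROR lines: the out-of-range SPI, a 24-character key where AES256 needs 32, an encryption-only ESP bundle, a policy whose direction disagrees with its bundle, a policy pointing at a bundle absent from the SA table, and an inbound DROP policy.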