4.1 Using IPsec to configure a secure channel

The IPsec component provides the capability of establishing an end-to-end channel between two hosts. IPv6 supports only transport mode IPsec connections. Secure connections have the following properties:

In short, AH adds authentication, and ESP adds encryption, to ensure that the communication is with the right peer and that it is protected. In a Novell® IPv6 stack, you can configure AH alone or AH and ESP together. ESP provides both authentication and encryption.

The following configurations are possible while providing secure end-to-end connections:

Table 4-1 Configurable Parameters for AH and ESP

| Configuration Setting | Property | Description and Usage |
|---|---|---|
| AH | hmac96-sha, hmac96-md5 | Specifies the type of service required for authentication. Authentication algorithms; either can be used. |
| ESP | V2-3des-cbc, V2-des-cbc | Specifies the type of service required for encryption. Encryption algorithms; either can be used. |
| IN or OUT | Packet | Specifies whether the entry applies to inbound (incoming) or outbound (outgoing) connections. |
| Source and destination address | Identifier | Specifies the source and destination addresses of the end-to-end hosts between which authentication or encryption is required. |
| Security Parameter Index (SPI) | Index | Specifies the index of the security association configured at the other end of the secure connection. |
| hmac96-md5 | 64 byte key | Shared secret: a random 64 byte value for authentication, configured at both ends. The algorithm can be either hmac96-md5 or hmac96-sha. |
| hmac96-sha | 64 byte key | Shared secret: a random 64 byte value for authentication, configured at both ends. The algorithm can be either hmac96-md5 or hmac96-sha. |
| DES-CBC key | 16 byte key | The 16 byte key for encryption (random number). |
| 3DES-CBC key | 48 byte key | The 48 byte key for encryption (random number). |

Table 4-2 Parameter Settings for IPsec

| Configuration Setting | Property | Description and Usage |
|---|---|---|
| Set enable IPsec6 for IPv6 | =on | Switch to enable IPsec6. |
| Set enable IPsec6 logging | =on | Switch to enable logging. |

4.1.1 Configuring an End-to-End Secure Connection with AH

  1. Configure the secure connection by modifying the ipseckey.cfg file. For the configuration to take effect, this file must be copied manually to the sys:\system folder.

    Each entry in the file must use the following format:

    AH in|out SPI Source address Destination address Authentication type key

    A typical end-to-end AH configuration (inbound and outbound entries) might look as follows:

    AH in 0x10001 3ffe::1 3ffe::2 hmac96-sha 414141414141414141414141414141414141414141414141
    AH out 0x20002 3ffa::2 3ffa::1 hmac96-sha 414141414141414141414141414141414141414141414141

    This specifies that all incoming traffic on 3ffe::1 from 3ffe::2 must be authenticated using hmac96-sha with the secret 4141...41 (64 byte). The SPI is 0x10001. The outgoing traffic on 3ffa::1 to destination 3ffa::2 must carry an AH header using hmac96-sha with the secret 4141...41 (64 byte). The SPI is 0x20001.

    The SPI value of the outgoing connection must be the SPI value of the incoming connection and vice versa.

  2. Configure ipseckey.cfg at the other end as follows:

    AH in 0x20002 3ffa::2 3ffa::1 hmac96-sha 414141414141414141414141414141414141414141414141
    AH out 0x10001 3ffa::1 3ffa::2 hmac96-sha 414141414141414141414141414141414141414141414141

    NOTE: The SPI value of the outgoing connection must be the SPI value of the incoming connection at the other end, and vice versa.

  3. Load IPv6 at both ends.

  4. To enable IPsec, set Enable IPsec6 for IPv6 to On.

  5. To track statistics and get help with troubleshooting, set Enable IPsec6 logging to On.

    Any packets going from 3ffa::1 to 3ffa::2 are authenticated using hmac96-sha with the secret configured in the file.

4.1.2 Configuring an End-to-End Secure Connection by using ESP

  1. Configure the secure connection by modifying the ipseckey.cfg file. For the configuration to take effect, this file must be copied manually to the sys:\system folder.

    Each entry in the file must use the following format:

    ESP in|out SPI Source address Destination address Encryption type Encryption key Authentication type Authentication key

    A typical end-to-end ESP configuration (inbound and outbound entries) might look as follows:

    ESP in 0x10001 3ffe::1 3ffe::2 v2-3des-cbc 41414141414141414111111 hmac96-md5 414141414141
    ESP out 0x20001 3ffa::2 3ffa::1 v2-3des-cbc 41414141414141414141441 hmac96-md5 414141414141

    This specifies that incoming traffic on 3ffe::1 from 3ffe::2 must be authenticated using hmac96-md5 with the secret 4141...41 (64 byte) and decrypted using 3DES with the key 4141...41 (48 byte). The SPI is 0x10001.

    The outgoing traffic on 3ffa::1 to destination 3ffa::2 must be authenticated using hmac96-md5 with the secret 4141...41 (64 byte) and encrypted using 3DES. The SPI is 0x20001.

    NOTE: The SPI value of the outgoing connection must be the SPI value of the incoming connection at the other end, and vice versa.

  2. Configure ipseckey.cfg at the other end as follows:

    ESP in 0x20001 3ffa::2 3ffa::1 v2-3des-cbc 41414141414141414111111 hmac96-md5 414141414141
    ESP out 0x10001 3ffa::1 3ffa::2 v2-3des-cbc 41414141414141414141441 hmac96-md5 414141414141

    NOTE: The SPI value of the outgoing connection must be the SPI value of the incoming connection at the other end, and vice versa.

  3. Load IPv6 at both ends.

  4. To enable IPsec, set Enable IPsec6 for IPv6 to On.

  5. To track statistics and get help with troubleshooting, set Enable IPsec6 logging to On.

    IPsec logging can be enabled to record the following:

    • Connections made and broken.

    • Reasons for authentication and encryption failures; possible reasons include replay attacks and an invalid SA caused by an incorrect SPI configuration.

    Any packets going from 3ffa::2 are authenticated and encrypted using hmac96-md5 and 3DES-CBC with the secret and key configured in the file.
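The entry format and the SPI pairing rule from 4.1.1 and 4.1.2 can be checked before the file is copied to sys:\system. The validator below is an added example and not Novell's code; it assumes that the key lengths in Table 4-1 describe the key field as written in the file (hex characters), and it uses constructed sample entries for two hosts.

```python
# ipseckey.cfg validator for the Section 4.1 entry format. Added example, not Novell's
# code; Table 4-1 key lengths are applied to the key field as written (hex characters).
import re
KEY_LEN = {"hmac96-sha": 64, "hmac96-md5": 64, "v2-des-cbc": 16, "v2-3des-cbc": 48}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_entry(line):
    """Parse one AH or ESP line into a dict; raise ValueError if it is malformed."""
    f = line.split()
    if len(f) < 6 or f[0] not in ("AH", "ESP") or f[1] not in ("in", "out"):
        raise ValueError("bad entry: " + line)
    e = {"proto": f[0], "dir": f[1], "spi": int(f[2], 16), "src": f[3], "dst": f[4]}
    if f[0] == "AH" and len(f) == 7:     # AH in|out SPI src dst auth-type auth-key
        e["auth"], e["auth_key"] = f[5].lower(), f[6]
    elif f[0] == "ESP" and len(f) == 9:  # ESP in|out SPI src dst enc-type enc-key auth-type auth-key
        e["enc"], e["enc_key"], e["auth"], e["auth_key"] = f[5].lower(), f[6], f[7].lower(), f[8]
    else:
        raise ValueError("wrong field count: " + line)
    return e

def key_problems(e):
    """Return problems with the algorithm names and key lengths of one entry."""
    probs = []
    for alg, key in ((e.get("auth"), e.get("auth_key")), (e.get("enc"), e.get("enc_key"))):
        if alg is None:
            continue
        if alg not in KEY_LEN:
            probs.append(f"unknown algorithm {alg}")
        elif len(key) != KEY_LEN[alg] or not HEX.match(key):
            probs.append(f"{alg} key must be {KEY_LEN[alg]} hex characters, got {len(key)}")
    return probs
def spi_mismatches(local, peer):
    """NOTE in 4.1.1/4.1.2: each 'out' SA needs a peer 'in' SA with the same SPI, protocol, algorithms and keys."""
    probs = []
    for a_side, b_side in ((local, peer), (peer, local)):
        for a in (x for x in a_side if x["dir"] == "out"):
            m = [b for b in b_side if b["dir"] == "in" and b["spi"] == a["spi"]]
            if not m:
                probs.append(f"no peer 'in' SA for {a['proto']} SPI 0x{a['spi']:x}")
            elif any(b.get(k) != a[k] for b in m for k in a if k not in ("dir", "src", "dst")):
                probs.append(f"protocol/algorithm/key mismatch for SPI 0x{a['spi']:x}")
    return probs
def validate(local_cfg, peer_cfg):
    """Parse both hosts' ipseckey.cfg text and return every problem found."""
    local, peer = ([parse_entry(l) for l in c.splitlines() if l.strip()] for c in (local_cfg, peer_cfg))
    return [p for e in local + peer for p in key_problems(e)] + spi_mismatches(local, peer)

SECRET = "41" * 32  # constructed 64-character hmac96-sha shared secret used by both hosts
HOST_A = f"AH in 0x10001 3ffa::2 3ffa::1 hmac96-sha {SECRET}\nAH out 0x20002 3ffa::1 3ffa::2 hmac96-sha {SECRET}\n"
HOST_B = f"AH in 0x20002 3ffa::1 3ffa::2 hmac96-sha {SECRET}\nAH out 0x10001 3ffa::2 3ffa::1 hmac96-sha {SECRET}\n"
```

A misspelled algorithm name such as hmac96sha or an SPI that is not mirrored at the other end is reported here as a listed problem instead of appearing later as an invalid SA in the IPsec6 log.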