768 IPSec N0008589 3.3
Both SHA1 and MD5 are used with Hashed Message Authentication Code (HMAC) to strengthen
authentication. HMAC is a technique that combines a secret key with a message digest function to
produce a message authentication code that only holders of the key can generate or verify.
IPSec capacity restrictions
The Business Communications Manager performs all IPSec processing using software. To prevent
overloading the Business Communications Manager processor with IPSec traffic processing, the
network traffic that requires IPSec processing should not exceed 6Mbps. This is based on using
3DES encryption with SHA authentication.
The maximum number of concurrent tunnels the Business Communications Manager supports is
16. However, this number could be less depending on the configuration. The following are the
factors to consider when determining maximum IPSec capacity:
• Tunnel negotiation
Since tunnel negotiation requires a significant amount of processing time, the number of
tunnels that are negotiated at one time should be limited. The tunnels are re-negotiated based
on either the Rekey Timeout or the Rekey Data Count. If a number of tunnels will be running
concurrently, you should stagger these values.
• Interface throughput
The maximum throughput of the interfaces of the IPSec endpoints must also be considered. It
is much easier to overload the Business Communications Manager if IPSec is being used over
a fast LAN interface rather than a slower WAN interface. This is due to the faster speed of the
data packets transferred over the LAN interface.
Settings required for IPSec tunnels
The data packets that pass through IPSec tunnels interact with other routing features in Business
Communications Manager. As a result, there are several settings you must make in other features
for IPSec tunnels to operate.
NAT (Network Address Translation)
Business Communications Manager does not support NAT on the Local Endpoint of an IPSec
Tunnel.
Packets can be sent through an IPSec tunnel with or without NAT applied. To send packets
through the tunnel with NAT applied, configure the Local Accessible Networks to include only a
network for the endpoint itself. For example, if the Local Endpoint is 10.10.13.2, then the Local
Accessible Network would be 10.10.13.2 with a mask of 255.255.255.255. To send packets
through the tunnel without NAT applied, configure the Local Accessible Networks with the local
Private IP network(s) and the Remote Accessible Networks with the networks on the other side of
the Remote Endpoint. Using the above example, we know that the other interfaces on the local
Business Communications Manager have IP addresses of 10.10.10.1 and 10.10.11.1. The remote
Business Communications Manager has a subnet of 12.12.12.1. Therefore, the Local Accessible
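The two Local Accessible Network configurations described above, modelled as an added example (not code from the BCM manual) so the selector behaviour can be checked before deployment. The /24 masks on the 10.10.10.x, 10.10.11.x and 12.12.12.x networks are assumptions; the manual gives only the interface addresses.

```python
"""Traffic-selector check for the with-NAT and without-NAT tunnel configurations.

Added example, not part of the BCM manual. The /24 masks for the private LANs
and the remote subnet are assumptions; the page only lists interface addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class TunnelPolicy:
    local_endpoint: str
    local_accessible: list       # networks allowed on our side of the tunnel
    remote_accessible: list      # networks behind the Remote Endpoint
    nat_applied: bool = False    # outbound traffic is translated to local_endpoint

    def outbound_source(self, src: str) -> str:
        """Source address the tunnel selectors see: the host, or the endpoint after NAT."""
        return self.local_endpoint if self.nat_applied else src

    def selects(self, src: str, dst: str) -> bool:
        """True if a packet src->dst (after any NAT) matches both selector lists."""
        s = ip_address(self.outbound_source(src))
        d = ip_address(dst)
        return (any(s in ip_network(n) for n in self.local_accessible)
                and any(d in ip_network(n) for n in self.remote_accessible))


# Configuration 1 from the manual: NAT applied, Local Accessible Network is the endpoint only.
WITH_NAT = TunnelPolicy("10.10.13.2", ["10.10.13.2/32"], ["12.12.12.0/24"], nat_applied=True)

# Configuration 2: no NAT, Local Accessible Networks list the private networks behind the BCM.
NO_NAT = TunnelPolicy("10.10.13.2", ["10.10.10.0/24", "10.10.11.0/24"], ["12.12.12.0/24"])

# Mixed-up settings worth catching: endpoint-only selector but NAT not applied.
# Private hosts then never match the tunnel selectors.
MISMATCHED = TunnelPolicy("10.10.13.2", ["10.10.13.2/32"], ["12.12.12.0/24"], nat_applied=False)


def route_decision(policy: TunnelPolicy, src: str, dst: str) -> str:
    """'tunnel' if the packet is selected for the IPSec tunnel, otherwise 'not-selected'."""
    return "tunnel" if policy.selects(src, dst) else "not-selected"
```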