Media Flow Manager Administrator's Guide
CHAPTER 5 CLI Commands
crypto
Media Flow Manager only. Configure IPSec cryptographic settings.
crypto ipsec peer <IP_address> local <IP_address> keying ike [preshared-key <string> | prompt-preshared-key]
    [mode {transport|tunnel}] [exchange-mode {main|aggressive|base}]
    [pfs_group <group #>] [lifetime <seconds>]
    [encrypt {3des|aes-cbc|none}] [auth {hmac-md5|hmac-sha1}]
no crypto ipsec peer <IP_address> local <IP_address>
Add an IPSec peering relationship to the address specified, using a specified local address; the no variant removes the relationship. This pair of IP addresses uniquely defines an IPSec peering entry. The IPSec peering relationship is keyed using IKE. Notes:
• preshared-key | prompt-preshared-key —The specified preshared key authenticates the peers in the initial IKE exchange; the keys that IKE then negotiates protect both ESP (encapsulating security payload) and AH (authentication header) traffic. If prompt-preshared-key is chosen, the user is prompted for the preshared key rather than entering it on the command line, so the key is not visible on the command line.
• mode —If transport is used, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated; this is used for host-to-host communications. If tunnel is used, the entire IP packet (data and IP header) is encrypted and/or authenticated; this is used to create Virtual Private Networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).
• exchange-mode —Selects the IKE phase 1 exchange used to authenticate the peers and establish the IKE SA. main performs the six-message exchange and encrypts the peers' identities before sending them; aggressive completes in three messages but sends the identities in the clear and, with a preshared key, exposes the authentication hash to offline guessing; base is an abbreviated exchange supported by some implementations. Choose main for the highest security; use aggressive only when a peer requires it.
• pfs_group —Enter the Diffie-Hellman group number. If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman exchange is performed with each quick mode, providing fresh keying material that is independent of earlier keys, so compromise of one key does not expose traffic protected by previous or later keys. Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost.
• lifetime —The lifetime of the IKE SA (security association) in seconds.
• encrypt —The encryption algorithm used can be specified as either 3des (for triple DES) (default), aes-cbc (for AES), or none (a.k.a. NULL encryption). With none, ESP authenticates but does not encrypt the payload, so the traffic is readable on the wire; prefer aes-cbc for new peerings.
• auth —The authentication method used can be specified as either hmac-md5 (MD5 HMAC variant) (default), or hmac-sha1 (SHA1 HMAC variant). Note that the defaults (3des and hmac-md5) apply whenever encrypt and auth are omitted, so specify hmac-sha1 and aes-cbc explicitly.
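The following linter is an added example and is not part of the Media Flow Manager guide or its CLI. It parses crypto ipsec peer command lines in the syntax documented above, applies the guide's stated defaults (3des and hmac-md5 when encrypt and auth are omitted), and reports the settings a security reviewer would reject: NULL encryption, the MD5 default, aggressive exchange mode, a missing or small PFS group, a long lifetime, and a preshared key given on the command line. The minimum Diffie-Hellman group, the maximum lifetime, and the two sample command lines are the example's own assumptions.

```python
"""Lint 'crypto ipsec peer' command lines for weak IKE/IPSec settings.

Added example; the command syntax follows the guide, but the review
thresholds and sample lines below are assumptions, not values from it.
"""
import ipaddress
import shlex

# Defaults stated in the guide when the option is omitted.
DEFAULT_ENCRYPT = "3des"
DEFAULT_AUTH = "hmac-md5"

# Review policy (assumptions): 2048-bit MODP or larger, at most one day.
MIN_PFS_GROUP = 14
MAX_LIFETIME = 86400

# Options that take a value, with the documented choices where there are any.
CHOICES = {
    "mode": {"transport", "tunnel"},
    "exchange-mode": {"main", "aggressive", "base"},
    "encrypt": {"3des", "aes-cbc", "none"},
    "auth": {"hmac-md5", "hmac-sha1"},
    "pfs_group": None,
    "lifetime": None,
    "preshared-key": None,
}


def parse_peer_command(line):
    """Return a dict of settings from one 'crypto ipsec peer ...' line.

    Raises ValueError for lines that do not match the documented syntax.
    """
    tokens = shlex.split(line)
    if tokens[:3] != ["crypto", "ipsec", "peer"] or len(tokens) < 8:
        raise ValueError("not a crypto ipsec peer command: %r" % line)
    peer = ipaddress.ip_address(tokens[3])          # validates the address
    if tokens[4] != "local":
        raise ValueError("expected 'local' after the peer address")
    local = ipaddress.ip_address(tokens[5])
    if tokens[6:8] != ["keying", "ike"]:
        raise ValueError("only 'keying ike' is documented")
    settings = {"peer": str(peer), "local": str(local)}
    i = 8
    while i < len(tokens):
        flag = tokens[i]
        if flag == "prompt-preshared-key":
            settings["preshared-key"] = None        # key is prompted for later
            i += 1
        elif flag in CHOICES:
            if i + 1 >= len(tokens):
                raise ValueError("missing value for %s" % flag)
            value = tokens[i + 1]
            if CHOICES[flag] is not None and value not in CHOICES[flag]:
                raise ValueError("bad value %r for %s" % (value, flag))
            settings[flag] = value
            i += 2
        else:
            raise ValueError("unknown option %r" % flag)
    return settings


def lint_peer(settings):
    """Return the list of findings (strings) for one parsed peering entry."""
    findings = []
    encrypt = settings.get("encrypt", DEFAULT_ENCRYPT)
    auth = settings.get("auth", DEFAULT_AUTH)
    if encrypt == "none":
        findings.append("encrypt none: ESP gives no confidentiality")
    elif encrypt == "3des":
        findings.append("encrypt 3des (the default): prefer aes-cbc")
    if auth == "hmac-md5":
        findings.append("auth hmac-md5 (the default): prefer hmac-sha1")
    if settings.get("exchange-mode") == "aggressive":
        findings.append("exchange-mode aggressive: identities sent in the clear, "
                        "PSK hash exposed to offline guessing")
    if "pfs_group" not in settings:
        findings.append("no pfs_group: no perfect forward secrecy")
    elif int(settings["pfs_group"]) < MIN_PFS_GROUP:
        findings.append("pfs_group %s: below minimum group %d"
                        % (settings["pfs_group"], MIN_PFS_GROUP))
    if int(settings.get("lifetime", MAX_LIFETIME)) > MAX_LIFETIME:
        findings.append("lifetime %s s exceeds %d s"
                        % (settings["lifetime"], MAX_LIFETIME))
    if settings.get("preshared-key") is not None:
        findings.append("preshared-key on the command line: "
                        "use prompt-preshared-key")
    return findings


def lint_config(text):
    """Lint every 'crypto ipsec peer' line in a config; 'no ...' lines are skipped."""
    report = {}
    for line in text.splitlines():
        if line.strip().startswith("crypto ipsec peer"):
            s = parse_peer_command(line)
            report[(s["peer"], s["local"])] = lint_peer(s)
    return report


# Constructed sample lines (assumed addresses), not from the guide.
WEAK = ("crypto ipsec peer 192.0.2.10 local 192.0.2.1 keying ike "
        "preshared-key s3cret exchange-mode aggressive encrypt none")
HARDENED = ("crypto ipsec peer 192.0.2.10 local 192.0.2.1 keying ike "
            "prompt-preshared-key mode tunnel exchange-mode main pfs_group 14 "
            "lifetime 28800 encrypt aes-cbc auth hmac-sha1")

if __name__ == "__main__":
    for name, line in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_peer(parse_peer_command(line)) or ["ok"])
```

Running it reports five findings for the weak line (NULL encryption, the MD5 default, aggressive mode, no PFS, and the key on the command line) and none for the hardened one; feed lint_config a saved configuration to review every peering entry at once.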
show crypto [configured]
Display various run-time cryptographic states. Use the configured subcommand to display various cryptographic settings.
There are many good references on IPSec on the Internet; here is one: IPSec Overview Part Four: Internet Key Exchange (IKE).
Contents: Media Flow Manager 2.0.2 Administrator's Guide and CLI
Copyright 2010 Juniper Networks Inc.