Configuring Network Integration Features : Configuring IPsec encryption
  
Configuring IPsec encryption
You configure IPsec encryption to allow data to be communicated securely between peer SteelHeads in the Optimization > SSL: Secure Peering (IPSEC) page.
Enabling IPsec encryption makes it difficult for a third party to view your data or pose as a computer you expect to receive data from. To enable IPsec, you must specify at least one encryption and authentication algorithm. Only optimized data is protected, pass-through traffic isn’t.
Enabling IPsec support is optional.
RiOS doesn’t support IPsec over IPv6.
In RiOS 9.0 and later, IPsec secure peering and the secure transport service are mutually exclusive. The secure transport service is enabled by default. Before you enable IPsec secure peering, you must disable the secure transport service by entering the no stp-client enable command at the system prompt.
RiOS provides support for SSL peering beyond traditional HTTPS traffic. For details, see Configuring secure peers.
You must set IPsec support on each peer SteelHead in your network for which you want to establish a secure connection. You must also specify a shared secret on each peer SteelHead.
If you NAT traffic between SteelHeads, you can’t use the IPsec channel between the SteelHeads because the NAT changes the packet headers, causing IPsec to reject them.
To enable IPsec encryption
1. Choose Optimization > SSL: Secure Peering IPsec to display the Secure Peering IPsec page.
2. Under General Settings, complete the configuration as described in this table.
Control
Description
Enable Authentication and Encryption
Enables authentication between SteelHeads. By default, this option is disabled.
Enable Perfect Forward Secrecy
Enables additional security by renegotiating keys at specified intervals. If one key is compromised, subsequent keys are secure because they’re not derived from previous keys. By default, this option is enabled.
IKE Encryption Policy
Specify the Internet Key Exchange (IKE) encryption policy:
DES—The Data Encryption Standard. This is the default value.
3DES—Triple DES encryption algorithm.
AES—The AES 128-bit encryption algorithm.
AES256—The AES 256-bit encryption algorithm.
Internet Key Exchange (IKE) is the protocol that ensures a secure, authenticated communications channel between two peers.
IKE Authentication Policy
Specify the IKE authentication policy:
MD5—Enables MD5 security protocol.
SHA-1—Enables SHA security protocol.
SHA-256—Enables the SHA-256 cryptographic hash function.
SHA-384—Enables the SHA-384 cryptographic hash function.
SHA-512—Enables the SHA-512 cryptographic hash function.
ESP Encryption Policy
Select one of these Encapsulating Security Payload (ESP) encryption methods from the drop-down list:
DES—Encrypts data using the Data Encryption Standard algorithm. DES is the default value.
NULL—Specifies the null encryption algorithm.
None—Doesn’t apply an encryption policy.
3DES—Appears when a valid Enhanced Cryptography License Key is installed on the appliance. Encrypts data using the Triple Digital Encryption Standard with a 168-bit key length. This standard is supported for environments where AES hasn’t been approved, but is both slower and less secure than AES.
AES—Appears when a valid Enhanced Cryptography License Key is installed on the appliance. Encrypts data using the Advanced Encryption Standard (AES) cryptographic key length of 128 bits.
AES256—Appears when a valid Enhanced Cryptography License Key is installed. Encrypts data using the Advanced Encryption Standard (AES) cryptographic key length of 256 bits. Provides the highest security.
Optionally, select an algorithm from the method 2, 3, 4, or 5 drop-down lists to create a prioritized list of encryption policies for negotiating between peers.
Peer appliances must both have a valid Enhanced Cryptography License Key installed to use 3DES, AES, or AES256. When an appliance has the valid Enhanced Cryptography License Key installed and an IPsec encryption level is set to 3DES or AES, and a peer SCC doesn’t have a valid Enhanced Cryptography License Key installed, the appliances uses the highest encryption level set on the appliance without the key.
ESP Authentication Policy
Select one of these ESP authentication methods from the drop-down list:
MD5—Specifies the Message-Digest 5 algorithm, a widely-used cryptographic hash function with a 128-bit hash value. This is the default value.
SHA-1—Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA-1 is considered to be the successor to MD5.
SHA-256—Enables the SHA-256 cryptographic hash function.
SHA-384—Enables the SHA-384 cryptographic hash function.
SHA-512—Enables the SHA-512 cryptographic hash function.
Optionally, select an algorithm from the method 2 drop-down list to create a secondary policy for negotiating the authentication method to use between peers. If the first authentication policy negotiation fails, the peer appliances use the secondary policy to negotiate authentication
Time Between Key Renegotiations
Specify the number of minutes between quick-mode renegotiation of keys using the Internet Key Exchange (IKE) protocol. IKE uses public key cryptography to provide the secure transmission of a secret key to a recipient so that the encrypted data can be decrypted at the other end. The default value is 240 minutes.
Enter the Shared Secret/Confirm the Shared Secret
Specify and confirm the shared secret. All the SteelHeads in a network for which you want to use IPsec must have the same shared secret.
Add a New Secure Peer
Displays the controls to add a new secure peer.
Peer IP Address—Specify the IP address for the peer SteelHead (in-path interface) for which you want to make a secure connection.
Add
Adds the peer specified in the Peer IP Address text box.
If a connection has not been established between the two SteelHeads that are configured to use IPsec security, the peers list doesn’t display the peer SteelHead status as mature.
Adding a peer causes a short service disruption (3 to 4 seconds) to the peer that is configured to use IPsec security.
Remove Selected
Select the check box next to the name and click Remove Selected.
3. Click Save to Disk to save your settings permanently.
4. If you have changed an IPsec encryption setting, you must restart the optimization service. For details, see Starting and stopping the optimization service.
The peered SteelHeads don’t establish the IPsec channel until they’re optimizing traffic.
About the Secure Peers list
The Secure Peers list displays the peers with the encryption and authentication policies and one of these states:
Mature—The IPsec connection is established and usable.
Larval—The IPsec connection is being established.
Disconnected—The IPsec connection isn’t yet established or isn’t usable.