Black Box EncrypTight Appliance Trim Kit User Manual

Working with Policies
EncrypTight User Guide 337
deploy management port IPsec policies while in Layer 2 point-to-point mode, use manual key policies
to encrypt management port traffic.
We recommend setting the time on the ETEPs before setting up the Layer 2 point-to-point policy.
Changing the clocks after the policy is established may cause traffic to be dropped.
Related topics:
“Selecting a Role” on page 337
“Using Preshared Keys for IKE Authentication” on page 337
“Using Group IDs” on page 337
“Selecting the Traffic Handling Mode” on page 338
“EncrypTight Settings” on page 333
“Encryption Policy Settings” on page 334
“How the ETEP Encrypts and Authenticates Traffic” on page 338
Selecting a Role
The appliance role is used in the process of establishing a security association (SA) between ETEP peers.
The ETEP can assume one of two appliance roles when it is configured for point-to-point operation. One
of the appliances must be assigned the primary role and the other the secondary role. The ETEPs will not
function properly if both appliances are configured with the same role.
Using Preshared Keys for IKE Authentication
In point-to-point Layer 2 networks, the ETEPs use IKE negotiations to establish security associations
(SAs) between peer appliances. The ETEP uses the preshared key string to authenticate its peer’s identity
before the ETEPs begin to negotiate the SAs. The same key value must be entered in both appliances.
We recommend that you change the key from its default value of 01234567 prior to deploying the ETEP.
Note the following conventions when creating a preshared key:
The key is a case-sensitive alphanumeric string from 8-255 characters in length.
Valid characters are upper and lower case alphabetic characters and the numbers 0-9.
All special characters are allowed except the following: ? " { } [ ] ( ) = \ < > & and #
To include a space, enclose it in double quotes.
Using Group IDs
In a point-to-point network, the two ETEPs must be configured with the same group ID in order to
communicate properly with each other. If you are using only one pair of ETEPs in the same subnet, you
can use the default group ID.
If more than one pair of ETEPs is used within the same Layer 2 network, the group ID isolates the traffic
of one pair of ETEPs from that of any other pair. Each appliance can belong to only one group.
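As an added illustration (not Black Box's code or part of any EncrypTight tooling), the following Python checker applies the preshared key conventions, the primary/secondary role rule and the group ID rule from the sections above to a pair of peer configurations; the interpretation of how double quotes wrap a space and the field names role, group_id and psk are assumptions.

```python
# Characters the page lists as not allowed in a preshared key (backslash included).
FORBIDDEN = set('?"{}[]()=\\<>&#')
DEFAULT_PSK = "01234567"  # factory default value named on the page


def parse_psk_entry(entered: str) -> str:
    """Turn the string typed on the appliance into the key value.
    Assumption (page says only that a space must be enclosed in double quotes):
    spaces are allowed only inside a quoted run and the quotes are not part of the key."""
    key, in_quotes = [], False
    for ch in entered:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            raise ValueError("space outside double quotes")
        else:
            key.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote")
    return "".join(key)


def psk_problems(entered: str) -> list:
    """Return the rule violations for one preshared key entry (empty list = OK)."""
    try:
        key = parse_psk_entry(entered)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not 8 <= len(key) <= 255:
        problems.append(f"length {len(key)} outside 8-255")
    bad = sorted(set(key) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if key == DEFAULT_PSK:
        problems.append("still the factory default; change before deployment")
    return problems


def pair_problems(a: dict, b: dict) -> list:
    """Check a point-to-point ETEP pair: one primary and one secondary role,
    identical group ID, identical preshared key (dict field names are assumed)."""
    problems = []
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        problems.append("roles must be one primary and one secondary")
    if a["group_id"] != b["group_id"]:
        problems.append("group IDs differ; the peers will not communicate")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ; IKE authentication will fail")
    return problems + ["psk: " + p for p in psk_problems(a["psk"])]
```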