Cisco Systems C7200 manual IPSec Protocols AH and ESP, Selecting Appropriate Transforms

Chapter 4 Configuring the VSA

Configuration Tasks

IPSec Protocols: AH and ESP

Both the AH and ESP protocols implement security services for IPSec.

AH provides data authentication and antireplay services.

ESP provides packet encryption and optional data authentication and antireplay services.

ESP encapsulates the protected data (either a full IP datagram or only the payload) with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates and protects only the payload of an IP datagram. For more information about modes, refer to the mode (IPSec) command description.

Selecting Appropriate Transforms

The following tips may help you select transforms that are appropriate for your situation:

If you want to provide data confidentiality, include an ESP encryption transform.

If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)

If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.

If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slightly slower.

Note that some transforms might not be supported by the IPSec peer.

Note: If a user enters an IPSec transform that the hardware (the IPSec peer) does not support, a warning message will be displayed immediately after the crypto ipsec transform-set command is entered.

In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform combinations follow:

esp-aes and esp-sha-hmac

ah-sha-hmac and esp-aes and esp-sha-hmac
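The tips above can be applied as a check over existing configurations. The following is an added example, not part of the Cisco guide: a small Python audit that reads crypto ipsec transform-set lines and flags sets that go against the tips. The finding codes, the function name and the sample set names are assumptions made for this example; esp-des, esp-3des and the MD5 transform names are not on this page and are included so that legacy sets are recognised.

```python
import re

# Transform names as they appear in Cisco IOS configs. esp-aes, esp-null,
# esp-sha-hmac and ah-sha-hmac are on the page; the DES/3DES/MD5 names are
# added here so legacy sets can be recognised.
ENCRYPTION = {"esp-des", "esp-3des", "esp-aes", "esp-null"}
AUTHENTICATION = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
SET_LINE = re.compile(r"^\s*crypto ipsec transform-set\s+(\S+)\s+(.+?)\s*$")

def audit_transform_sets(config_text):
    """Map each transform-set name to a list of finding codes (empty = clean)."""
    report = {}
    for line in config_text.splitlines():
        match = SET_LINE.match(line)
        if not match:
            continue  # sub-mode lines such as " mode tunnel" are skipped
        name = match.group(1)
        # A bare number after esp-aes is its key-size argument, not a transform.
        transforms = [t for t in match.group(2).split() if not t.isdigit()]
        enc = [t for t in transforms if t in ENCRYPTION]
        auth = [t for t in transforms if t in AUTHENTICATION]
        findings = [f"unknown-transform:{t}" for t in transforms
                    if t not in ENCRYPTION | AUTHENTICATION]
        if not enc:
            findings.append("no-esp-encryption")  # no data confidentiality
        if "esp-null" in enc:
            findings.append("esp-null-does-not-encrypt")
        if enc and not auth:
            findings.append("encryption-without-authentication")
        if any("md5" in t for t in auth):
            findings.append("md5-authentication")  # SHA is considered stronger
        report[name] = findings
    return report

# Constructed sample configuration (set names are made up for this example).
SAMPLE_CONFIG = """\
crypto ipsec transform-set GOOD esp-aes esp-sha-hmac
crypto ipsec transform-set FULL ah-sha-hmac esp-aes esp-sha-hmac
crypto ipsec transform-set NOAUTH esp-aes 256
 mode tunnel
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto ipsec transform-set NULLENC esp-null esp-sha-hmac
"""

if __name__ == "__main__":
    for set_name, findings in audit_transform_sets(SAMPLE_CONFIG).items():
        print(f"{set_name:8} {', '.join(findings) or 'ok'}")
```

The two suggested combinations come back clean; the other three sets each trip one check.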

The Crypto Transform Configuration Mode

After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, refer to the match address (IPSec) and mode (IPSec) command descriptions.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

OL-9129-02
