Cisco Systems SA-ISA, SM-ISM manual Configuring IPSec, Creating Crypto Access Lists

Page 40

Chapter 4 Configuring the ISA and ISM

Configuring IPSec

Configuring IPSec

After you have completed IKE configuration, configure IPSec at each participating IPSec peer. This section contains basic steps to configure IPSec and includes the tasks discussed in the following sections:

Creating Crypto Access Lists, page 4-4

Defining a Transform Set, page 4-5

For detailed information on configuring IPSec, refer to the “Configuring IPSec Network Security” chapter in the Security Configuration Guide publication. This chapter contains information on the following topics:

Ensure Access Lists Are Compatible with IPSec

Set Global Lifetimes for IPSec Security Associations

Create Crypto Access Lists

Define Transform Sets

Create Crypto Map Entries

Apply Crypto Map Sets to Interfaces

Monitor and Maintain IPSec

Creating Crypto Access Lists

Crypto access lists are used to define which IP traffic will be protected by encryption and which will not. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between subnet A and subnet Y or Telnet traffic between host A and host B.

The access lists themselves are not specific to IPSec—they are no different from what is used for Cisco Encryption Technology (CET). It is the crypto map entry referencing the specific access list that defines whether IPSec or CET processing is applied to the traffic matching a permit entry in the access list.

Crypto access lists associated with IPSec crypto map entries have four primary functions:

Select outbound traffic to be protected by IPSec (permit = protect).

Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.

Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.

Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for ipsec-isakmpcrypto map entries.) In order to be accepted, if the peer initiates the IPSec negotiation, it must specify a data flow that is “permitted” by a crypto access list associated with an ipsec-isakmpcrypto map entry.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection

(for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.

Integrated Services Adapter and Integrated Services Module Installation and Configuration

4-4

OL-3575-01 B0

 

 

Page 39 Page 41
Image 40
Page 39 Page 41
Contents Corporate Headquarters Text Part Number OL-3575-01 B0Copyright 1999- 2003 Cisco Systems, Inc All rights reserved N T E N T S Configuring the ISA and ISM Preface ObjectivesInstallation Warning AudienceDocument Organization Document ConventionsSection Title Description Boldface fontItalic screen font Indicates a comment lineTerms and Acronyms ViiRelated Documentation ViiiCisco 7100 series routers Obtaining Documentation Cisco.comOrdering Documentation Documentation CD-ROMDocumentation Feedback Obtaining Technical Assistance Technical Assistance CenterObtaining Additional Publications and Information Cisco TAC Escalation CenterXiv Overview ISA and ISM OverviewData Encryption Overview Features Feature DescriptionPort Adapter Slot Locations on the Supported Platforms Cisco 7100 Series Routers Slot NumberingCisco 7200 Series Routers Slot Numbering Port adapter in slot ISM in slotLEDs LEDsBoot LED Label Color State FunctionOL-3575-01 B0 Preparing for Installation Required Tools and EquipmentPlatform Recommended Minimum Cisco IOS Release Safety Guidelines Safety WarningsEncryption mppe command ISA and ISA ISA with VAMPreparing for Installation Safety Guidelines Electrical Equipment Guidelines Preventing Electrostatic Discharge DamageOL-3575-01 B0 Removing and Installing the ISA and the ISM Handling the ISA or the ISMOnline Insertion and Removal Handling the ISMRemoving and Installing the ISA and the ISM ISA or ISM Removal and Installation Cisco 7100 Series-Removing and Installing the ISM StepCisco 7200 Series-Removing and Installing the ISA GuideConfiguring the ISA and ISM OverviewUsing the Exec Command Interpreter Enter controller configuration mode onEnables Mppe encryption Enabling MppeConfiguring IKE Config-isakmp command modeIdentify the policy to create, and enter Specify the encryption algorithmConfiguring IPSec Creating Crypto Access ListsDefining a Transform Set Step Command Purpose Creating Crypto Maps Crypto map configuration mode Specify an extended access list. ThisAccess list determines which traffic is Exit crypto map configuration modeVerifying Configuration Exit interface configuration modeApplying Crypto Maps to Interfaces Apply a crypto map set to an interfaceCommand Purpose Router# show crypto ipsec sa interface Ethernet0 Configuring the ISA and ISM IPSec Example IPSec ExampleRouter B Configuration OL-3575-01 B0 D E IN-2
Top Page Image Contents