Chapter 4 Configuring the VSA
Configuration Tasks
IPSec Protocols: AH and ESP
Both the AH and ESP protocols implement security services for IPSec.
AH provides data authentication and antireplay services.
ESP provides packet encryption and optional data authentication and antireplay services.
ESP encapsulates the protected
Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:
•If you want to provide data confidentiality, include an ESP encryption transform.
•If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)
•If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.
•If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slightly slower.
•Note that some transforms might not be supported by the IPSec peer.
Note If a user enters an IPSec transform that the hardware (the IPSec peer) does not support, a warning message will be displayed immediately after the crypto ipsec
•In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the
Suggested transform combinations follow:
•
•
The Crypto Transform Configuration Mode
After you issue the crypto ipsec
C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
|
| ||
|
|
