Send documentation comments to mdsfeedback-doc@cisco.com.
29-4
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 29 IPsec and IKE
Configuring IPsec Network Security
Data origin authentication—The IPsec receiver can authenticate the source of the IPsec packets sent.
This service is dependent upon the data integrity service.
Anti-replay protection—The IPsec receiver can detect and reject replayed packets.
Note The term data authentication is generally used to mean data integrity and data origin authentication.
Within this chapter it also includes anti-replay services, unless otherwise specified.
With IPsec, data can be transmitted across a public network without fear of observation, modification,
or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets,
extranets, and remote user access.
IPsec as implemented in Cisco SAN-OS software supports the Encapsulating Security Payload (ESP)
protocol. This protocol encapsulates the data to be protected and provides data privacy services, optional
data authentication, and optional anti-replay services.
Note The Encapsulating Security Payload (ESP) protocol is a header inserted into an existing TCP/IP packet,
the size of which depends on the actual encryption and authentication algorithms negotiated. To avoid
fragmentation, the encrypted packet fits into the interface maximum transmission unit (MTU). The path
MTU calculation for TCP takes into account the addition of ESP headers, plus the outer IP header in
tunnel mode, for encryption. The MDS switches allow 100 bytes for packet growth for IPsec encryption

About IKE

IKE automatically negotiates IPsec security associations and generates keys for all switches using the
IPsec feature. Specifically, IKE provides these benefits:
Allows you to refresh IPsec SAs.
Allows IPsec to provide anti-replay services.
Supports a manageable, scalable IPsec configuration.
Allows dynamic authentication of peers.
Two versions of IKE are used in the SAN-OS implementation: IKE version 1 (IKEv1) and IKE version 2.

IPsec and IKE Terminology

The terms used in this chapter are explained in this section.
Security association (SA)— An agreement between two participating peers on the entries required
to encrypt and decrypt IP packets. Two SAs are required for each peer in each direction (inbound
and outbound) to establish bidirectional communication between the peers. Sets of bidirectional SA
records are stored in the SA database (SAD). IPsec uses IKE to negotiate and bring up SAs. Each
SA record includes the following information:
Security parameter index (SPI)—A number which, together with a destination IP address and
security protocol, uniquely identifies a particular SA. When using IKE to establish the SAs, the
SPI for each SA is a pseudo-randomly derived number.
Peer—A switch or other device that participates in IPsec. For example, a Cisco MDS switch or
other Cisco routers that support IPsec.