Cisco Systems UBR924 IPSec (3DES) Example

3-16

CiscouBR924 Software Configuration Guide

OL-0337-05 (8/2002)

Chapter3 Advanced Data-Only Configurations

IPSec (3DES) Example

IPSec (3DES) Example

The IPSec 3DES encryption feature set is identical to the IPSec encryption feature set except that it

supports the 168-bit Triple DES (3DES) standard in addition to the standard 56-bit IPSec encryption.

The 168-bit encryption feature set requires a CiscoIOS image that supports it and provides a level of

security suitable for highly sensitive and confidential information such as financial transactions and

medical records.

Note Cisco IOS images with strong encryption (including, but not limited to, 168-bit [3DES] data en cryption

feature sets) are subject to United States government export controls and have limited distribution.

Strong encryption images to be installed outside the Unite d States may require an export license.

Customer orders may be denied or subject to delay due to United States governme nt regulations. When

applicable, the purchaser or user must obtain local import and use authorizations for all encryption

strengths. Contact your sales representative or distributor for more informa tion, or send an e-mail to

export@cisco.com.

Configuration for 3DES encryption is identical to that for standard IPSec, except that the transformation

set should specify esp-3des instead of esp-des. For example, the following configuration is identical to

the configuration shown in “IPSec (56-bit) Example” section on page3-11, except for the line in bold:

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router

!

clock timezone - 0 6

ip subnet-zero

no ip domain-lookup

!

crypto isakmp policy 1

hash md5

authentication pre-share

lifetime 5000

crypto isakmp key 1234567890 address 30.1.1.1

crypto isakmp identity hostname

!

crypto ipsec transform-set test-transform ah-md5-hmac esp-3des esp-md5-hmac

!

crypto map test-ipsec local-address cable-modem0

crypto map test-ipsec 10 ipsec-isakmp

set peer 30.1.1.1

set transform-set test-transform

match address 200

!

interface Ethernet0

ip address 192.168.100.1 255.255.255.0

no ip directed-broadcast

!

interface cable-modem0

ip address dhcp

no ip directed-broadcast

no keepalive

no cable-modem compliant bridge

crypto map test-ipsec

router rip

Contents

Main Cisco uBR924 Cable Access Router Software Configuration Guide Page CONTENTS Page Page Page Preface Audience Purpose Organization Document Conventions Page x loss of data. this guide. paragraph. Acronyms and Terms Related Documentation Cisco uBR924 Cable Access Router CMTS Hardware Installation Publications Cisco IOS Publications Configuration Editor and Network Management Publications Subscriber Publications Obtaining Documentation World Wide Web Documentation CD-ROM Ordering Documentation Obtaining Technical Assistance Technical Assistance Center Documentation Feedback Page Overview Cisco IOS Software Release Feature Sets Base IP DOCSIS-Compliant Bridging Home Office (Easy IP) Value Telecommuter Performance Telecommuter Value Small and Branch Office Performance Small and Branch Office Feature Descriptions Cable Monitor Web Diagnostics Tool Cisco Cable Clock Card Support Cisco IOS Firewall DOCSIS-Compliant Bridging DOCSIS Baseline Privacy Interface Dynamic Host Configuration Protocol Server Dynamic Host Configuration Protocol Proxy Support Enhanced IP Bridging Ecosystem Gatekeeper Interoperability Enhancements Fax over IP H.323v2 (Gateway/Gatekeeper) IP Address Negotiation IPsec Network Security Layer 2 Tunneling Protocol Media Gateway Control Protocol V12.1.3T NetRanger SupportCisco IOS Intrusion Detection Network Address Translation and Port Address Translation Network Address Translation Support for NetMeeting Directory (Internet Locator Service) Quality of Service Quality of ServiceDOCSIS 1.0+ Extensions Routing Information Protocol Version 2 Secure Shell Version 1 Simple Gateway Control Protocol Triple Data Encryption Standard VPN IPsec EnhancementDynamic Crypto Map Initial Provisioning Supporting Multiple Classes of Service DOCSIS 1.0 Static Profiles DOCSIS 1.0+ and 1.1 Dynamic Profiles Creating Multiple Profiles User Registrar Modem Registrar Cisco Network Registrar Access Registrar Page DOCSIS-Bridging Configuration DHCP Server Configuration DOCSIS Configuration File Page Page Cisco IOS Software Image Cisco IOS Configuration File Using the Vendor-Specific Information Field 2-8 Sample Configuration for DOCSIS-Compliant Bridging This configuration shows the following requirements for DOCSIS-compliant br idging: Configuring the Attached CPE Devices Reconfiguring DOCSIS-Compliant Bridging Page Advanced Data-Only Configurations Data-Only Routing Page Routing with DHCP Server 3-5 NAT/PAT Configuration Page NAT/PAT Configuration with DHCP Proxy Page Using NAT and DHCP Proxy and Copying Configuration Files IPSec (56-bit) Example Page Sample Configuration 3-14 56-bit DES-CBC encryption (the default) MD5 (HMAC variant) hash algorithm Pre-shared authentication keys 768-bit Diffie-Hellman group (the default) Additional Documentation IPSec (3DES) Example L2TP Example Page 3-19 Page Voice over IP Configurations Overview Introduction Page Voice Handling Quality of Service Support H.323v2 Protocol SGCP and MGCP Protocol Stack H.323v2 Static Bridging Configuration Page 4-9 H.323v2 Static Routing Configuration 4-11 routing mode. H.323v2 Dynamic Mapping Configuration Note The Cisco uBR924 router can use H.323v2 dynamic mapping in either DOCSIS-bridging mode or Page Page Page SGCP Configuration Page 4-17 MGCP Configuration Page 4-20 Command Purpose Step22 uBR924# copy running-config startup-config Step23 uBR924# show startup-config Display the configuration file that was just created. Building configuration... 4-21 Page A Using Cisco IOS Software Accessing the Routers Command-Line Interface Connecting Using Telnet Connecting to the Console Port Understanding the Command-Line Interface Command Modes User EXEC Mode Privileged EXEC Mode Global Configuration Mode Interface Configuration Mode Context-Sensitive Help Command History Features Displaying the Command History Editing Previous Commands Command History Buffer Size Using Output Modifiers Understanding Cisco IOS Configuration Files Downloading the Configuration File Startup and Run-Time Configuration Files Displaying the Configuration Files File Format Useful Commands Page B Using the Cable Monitor Tool Enabling the Cable Monitor Configuration Modes Security Considerations Disabling the Cable Monitor Accessing the Cable Monitor Through the Cable Interface when the Cable Interface is Operational Through the Ethernet Interface when the Cable Interface is Not Operational Sample Pages Page Home Page Page Initialization Information Page Page Voice Ports Information Page CPE State Information Page Cable Interface Information Page Performance Information Page Debug Information Page Page C Using the ROM Monitor Entering the ROM Monitor Command Conventions Commands Page Page Page Page D New and Changed Commands Reference Commands Reserved for DOCSIS Use Page INDEX Symbols Numerics A D E F G H I L O P Q R U V