22
Internet Protocol Security (IPSec)Internet protocol security (IPSec) is an end-to-end security scheme for securing IP communications by
authenticating and encrypting all packets in a session. Use IPSec between hosts, gateways, or hosts and
gateways.
IPSec uses a series of protocol functions to achieve information security:
•Authentication Headers (AH) — Connectionless integrity and origin authentication for IP packets.
•Encapsulating Security Payloads (ESP) — Confidentiality, authentication, and data integrity for IP
packets.
•Security Associations (SA) — Algorithm-provided parameters required for AH and ESP protocols.
IPSec capability is available on control (protocol) and management traffic; end-node support is required.
IPSec supports two operational modes: Transport and Tunnel.
• Transport is the default mode for IPSec and encrypts only the payload of the packet. Routing
information is unchanged.
• Tunnel mode is used to encrypt the entire packet, including the routing information in the IP header.
Tunnel mode is typically used in creating virtual private networks (VPNs).
Transport mode provides IP packet payload protection using ESP. You can use ESP alone or in
combination with AH to provide additional authentication. AH protects data from modification but does
not provide confidentiality.
SA is the configuration information that specifies the type of security provided to the IPSec flow. The SA is
a set of algorithms and keys used to authenticate and encrypt the traffic flow. The AH and ESP use SA to
provide traffic protection for the IPSec flow.
NOTE:
Due to performance limitations on the control processor, you cannot enable IPSec on all packets in
a communication session.
crypto ipsec transform-set
Create a transform set, or combination of security algorithms and protocols, of cryptos.
Z9500
Syntax crypto ipsec transform-set name {ah-authentication {md5|sha1|
null} | esp-authentication {md5|sha1|null} | esp-encryption
{3des|cbc|des|null}}
Internet Protocol Security (IPSec) 915