Overview of the IPsec Features

Similar documents
A-B I N D E X. backbone networks, fault tolerance, 174

Index. Numerics 3DES (triple data encryption standard), 21

Configuring Security for VPNs with IPsec

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Security for VPNs with IPsec Configuration Guide Cisco IOS Release 12.4T

Virtual Tunnel Interface

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T

Implementing Internet Key Exchange Security Protocol

Cisco Exam Questions & Answers

Firepower Threat Defense Site-to-site VPNs

Sharing IPsec with Tunnel Protection

Sample excerpt. Virtual Private Networks. Contents

IPsec NAT Transparency

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Table of Contents 1 IKE 1-1

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

Securing Networks with Cisco Routers and Switches

Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Cisco Catalyst 6500 Series VPN Services Port Adapter

Managing Site-to-Site VPNs: The Basics

Configuring WAN Backhaul Redundancy

Managing Site-to-Site VPNs

Configuring IPsec and ISAKMP

IKE and Load Balancing

Managing Site-to-Site VPNs: The Basics

VPN Overview. VPN Types

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

Network Security CSN11111

Virtual Tunnel Interface

Virtual Private Network

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

IPSec Site-to-Site VPN (SVTI)

IPsec NAT Transparency

BCRAN. Section 9. Cable and DSL Technologies

Configuring Internet Key Exchange Version 2

Hillstone IPSec VPN Solution

Advanced Services. IPSec Configuration on IOS Platforms

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

Securizarea Calculatoarelor și a Rețelelor 28. Implementarea VPN-urilor IPSec Site-to-Site

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

CSCE 715: Network Systems Security

IPv6 over IPv4 GRE Tunnel Protection

LAN-to-LAN IPsec VPNs

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

IPsec Virtual Tunnel Interfaces

Configuring Internet Key Exchange Security Protocol

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

Cisco Multicloud Portfolio: Cloud Connect

IPsec Direct Encapsulation VPN Design Guide

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

Configuring a Hub & Spoke VPN in AOS

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Pre-Fragmentation for IPSec VPNs

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

Internet Key Exchange

Configuring LAN-to-LAN IPsec VPNs

IPSec. Overview. Overview. Levente Buttyán

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T

Configuring L2TP over IPsec

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Virtual Private Network. Network User Guide. Issue 05 Date

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

DMVPN to Group Encrypted Transport VPN Migration

Configuring Internet Key Exchange (IKE) Features Using the IPSec VPN SPA

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Web Cache Services By Using WCCP

DYNAMIC MULTIPOINT VPN SPOKE TO SPOKE DIRECT TUNNELING

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

IPsec Dead Peer Detection Periodic Message Option

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Cisco Group Encrypted Transport VPN Configuration Guide, Cisco IOS Release 15M&T

Configuring IPSec tunnels on Vocality units

VPN Ports and LAN-to-LAN Tunnels

Intelligent WAN Multiple VRFs Deployment Guide

Cisco Group Encrypted Transport VPN

icmp idle-timeout icmp idle-timeout seconds no icmp idle-timeout seconds Syntax Description seconds ICMP timeout, in seconds. The default is 10.

Configuration of an IPSec VPN Server on RV130 and RV130W

DMVPN for R&S CCIE Candidates

HOME-SYD-RTR02 GETVPN Configuration

Deploying GET to Secure VPNs

Configuring IPsec on Cisco Routers Mario Baldi Politecnico di Torino (Technical University of Torino)

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR)

EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the "IP[v6] Unnumbered" Command Configuration Example

IKE. Certificate Group Matching. Policy CHAPTER

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. Multi-Service Business Routers Product Series

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase

IPv6 over DMVPN. Finding Feature Information

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Cisco Virtual Office High-Scalability Design

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

Secure Extension of L3 VPN s over IP-Based Wide Area Networks

L2TP IPsec Support for NAT and PAT Windows Clients

Transcription:

CHAPTER 2 This chapter provides an overview of the IPsec features of the VSPA. This chapter includes the following sections: Overview of Basic IPsec and IKE Configuration Concepts, page 2-1 Configuring VPs with the VSPA, page 2-3 Overview of the VSPA Features, page 2-4 IPsec Feature Support, page 2-5 Overview of Basic IPsec and IKE Configuration Concepts This section reviews some basic IPsec and IKE concepts that are used throughout the configuration of the VSPA, such as security associations (SAs), access lists (ACLs), crypto maps, transform sets, and IKE policies. The information presented here is introductory and should not be considered complete. ote For more detailed information on IPsec and IKE concepts and procedures, refer to the Cisco IOS Security Configuration Guide. Information About IPsec Configuration IPsec provides secure tunnels between two peers, such as two routers or switches. More accurately, these tunnels are sets of security associations (SAs) that are established between two IPsec peers. The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP)). Multiple IPsec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of SAs. For example, some data streams might be authenticated only while other data streams must both be encrypted and authenticated. ote The use of the term tunnel in this subsection does not refer to using IPsec in tunnel mode. Cisco VP Services Port Adapter Configuration Guide 2-1

Overview of Basic IPsec and IKE Configuration Concepts Chapter 2 With IPsec, you define what traffic should be protected between two IPsec peers by configuring ACLs and applying these ACLs to interfaces by way of crypto maps. (The ACLs used for IPsec, or crypto ACLs, are used only to determine which traffic should be protected by IPsec, not which traffic should be blocked or permitted through the interface. Separate ACLs define blocking and permitting at the interface.) If you want certain traffic to receive one combination of IPsec protection (for example, authentication only) and other traffic to receive a different combination of IPsec protection (for example, both authentication and encryption), you must create two different crypto ACLs to define the two different types of traffic. These different ACLs are then used in different crypto map entries, which specify different IPsec policies. Crypto ACLs associated with IPsec crypto map entries have four primary functions: Select outbound traffic to be protected by IPsec (permit = protect). Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPsec security associations. Process inbound traffic in order to filter out and discard traffic that should have been protected by IPsec. Determine whether or not to accept requests for IPsec security associations on behalf of the requested data flows when processing IKE negotiation from the IPsec peer. egotiation is performed only for ipsec-isakmp crypto map entries. In order to be accepted, if the peer initiates the IPsec negotiation, it must specify a data flow that is permitted by a crypto ACL associated with an ipsec-isakmp crypto map entry. Crypto map entries created for IPsec combine the various parts used to set up IPsec SAs, including: Which traffic should be protected by IPsec (per a crypto ACL) The granularity of the flow to be protected by a set of SAs Where IPsec-protected traffic should be sent (the name of the remote IPsec peer) The local address to be used for the IPsec traffic What IPsec SA should be applied to this traffic (selecting from a list of one or more transform sets) Whether SAs are manually established or are established via IKE Other parameters that might be necessary to define an IPsec SA Crypto map entries are searched in order the switch attempts to match the packet to the access list specified in that entry. Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPsec-protected traffic. ou can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. During IPsec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers IPsec SAs. (With manually established SAs, there is no negotiation with the peer, so both sides must specify the same transform set.) ote To minimize the possibility of packet loss during rekeying, we recommend using time-based rather than volume-based IPsec SA expiration. By setting the lifetime volume to the maximum value using the set security-association lifetime kilobytes 536870912 command, you can usually force time-based SA expiration. 2-2 Cisco VP Services Port Adapter Configuration Guide

Chapter 2 Configuring VPs with the VSPA Information About IKE Configuration IKE is a key management protocol standard that is used in conjunction with the IPsec standard. IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard. IKE is enabled by default. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.) ou configure IKE by creating IKE policies at each peer using the crypto isakmp policy command. An IKE policy defines a combination of security parameters to be used during the IKE negotiation and mandates how the peers are authenticated. ou can create multiple IKE policies, each with a different combination of parameter values, but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority). If you do not configure any policies, your router uses the default policy, which is always set to the lowest priority, and which contains each parameter s default value. There are five parameters to define in each IKE policy: Encryption algorithm Hash algorithm Authentication method Diffie-Hellman group identifier Security association lifetime For more information about IKE, see the Overview of IKE section on page 7-2. Configuring VPs with the VSPA To configure a VP using the VSPA, you have two basic options: crypto-connect mode or Virtual Routing and Forwarding (VRF) mode. In either mode, you may also configure GRE tunneling to encapsulate a wide variety of protocol packet types, including multicast packets, inside the VP tunnel. ote Switching between crypto-connect mode and VRF mode requires a reload. ote We recommend that you do not make changes to the VP configuration while VP sessions are active. To avoid system disruption, we recommend that you plan a scheduled maintenance time and clear all VP sessions using the clear crypto sessions command before making VP configuration changes. Crypto-Connect Mode Traditionally, VPs are configured on the VSPA by attaching crypto maps to interface VLAs and then crypto-connecting a physical port to the interface VLA. This method, known as crypto-connect mode, is similar to the method used to configure VPs on routers running Cisco IOS software. When you Cisco VP Services Port Adapter Configuration Guide 2-3

Overview of the VSPA Features Chapter 2 configure VPs on the VSPA using crypto-connect mode, you attach crypto maps to VLAs (using interface VLAs); when you configure VPs on switches running Cisco IOS software, you configure individual interfaces. ote With the VSPA, crypto maps are still attached to individual interfaces but the set of interfaces allowed is restricted to interface VLAs. Crypto-connect mode VP configuration is described in Chapter 3, Configuring VPs in Crypto-Connect Mode. VRF Mode The VRF-aware IPsec feature, known as VRF mode, allows you to map IPsec tunnels to VP routing and forwarding instances (VRFs) using a single public-facing address. A VRF instance is a per-vp routing information repository that defines the VP membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VP customer. When you configure a VP on the VSPA using VRF mode, the model of interface VLAs is preserved, but the crypto connect vlan command is not used. Instead, a route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLA. When configuring a VP using VRF mode, you have these additional tunneling options: tunnel protection (TP) using GRE, and Virtual Tunnel Interface (VTI). With either of these options, you can terminate tunnels in VRFs (normal VRF mode) or in the global context. VRF mode VP configuration is described in Chapter 4, Configuring VPs in VRF Mode. Overview of the VSPA Features The VSPA provides hardware acceleration for policy enforcement and bulk encryption and forwarding. The following features are supported: IPv4 IPv6 crypto maps static VTI GRE/DMVP 16K tunnels static VTI IPv6-in-IPv6 (6in6) tunnels IKE acceleration AES/DES/3-DES encryption algorithms and SHA-1/MD5 hashing algorithms Packet classification in IPv4 2-4 Cisco VP Services Port Adapter Configuration Guide

Chapter 2 IPsec Feature Support IPsec Feature Support The following tables display supported and unsupported IPsec features of the VSPA in each VP mode according to the software release: IPsec Features Common To All VP Modes, page 2-5 IPsec Features in Crypto-Connect Mode, page 2-8 IPsec Features in VRF Mode, page 2-9 ote This configuration guide describes VSPA features and applications that have been tested and are supported. Features and applications that do not explicitly appear in the Feature Table and in the following chapters should be considered unsupported. Contact your Cisco account team before implementing a configuration that is not described in this document. IPsec Features Common To All VP Modes Table 2-1 displays supported and unsupported IPsec features common to all VP modes. Table 2-1 IPsec Feature Support By Release in All VP Modes Feature ame Software Release 12.2 IPsec tunnels using software-based cryptography Enhanced generic router encapsulation (GRE) takeover (if supervisor engine cannot process) Multicast over GRE Multicast over multipoint GRE (mgre) / DMVP Multicast Scalability Enhancement (single SPA mode) Advanced Encryption Standard (AES) ISAKMP keyring Safeet Client support Peer filtering (Safeet Client support) Certificate to ISAKMP profile mapping Encrypted preshared key IKE Aggressive Mode Initiation Call Admission Control (CAC) for IKE Dead Peer Detection (DPD) on-demand DPD periodic message option IPsec prefragmentation (Look-Ahead Fragmentation, or LAF) Reverse Route Injection (RRI) Reverse route with optional parameters Cisco VP Services Port Adapter Configuration Guide 2-5

IPsec Feature Support Chapter 2 Table 2-1 IPsec Feature Support By Release in All VP Modes (continued) Feature ame Software Release 12.2 Adjustable IPsec anti-replay window size IPsec preferred peer Per-crypto map (and global) IPsec security association (SA) idle timers Distinguished name-based crypto maps Sequenced Access Control Lists (ACLs) (crypto ACLs) Deny policy configuration enhancements (drop, clear) Disable volume lifetime per interface VSPA quality of service (QoS) queueing Multiple RSA key pair support Protected private key storage Trustpoint CLI Query mode per trustpoint Local certificate storage location Direct HTTP enroll with CA servers Manual certificate enrollment (TFTP and cut-and-paste) Certificate autoenrollment Key rollover for Certificate Authority (CA) renewal Public-key infrastructure (PKI) query multiple servers Online Certificate Status Protocol (OCSP) Optional OCSP nonces Certificate security attribute-based access control PKI AAA authorization using entire subject name PKI local authentication using subject name Source interface selection for outgoing traffic with certificate authority Persistent self-signed certificates as Cisco IOS CA server Certificate chain verification Multi-tier certificate support Easy VP Server enhanced features Easy VP Server basic features Interoperate with Easy VP Remote using preshared key Interoperate with Easy VP Remote using RSA signature Stateless failover using the Hot Standby Router Protocol (HSRP) 2-6 Cisco VP Services Port Adapter Configuration Guide

Chapter 2 IPsec Feature Support Table 2-1 IPsec Feature Support By Release in All VP Modes (continued) Feature ame Software Release 12.2 Chassis-to-chassis stateful failover using HSRP and SSP in site-to-site IPsec using preshared keys with crypto maps Chassis-to-chassis failover (IPsec stateful failover) with DMVP, GRE/TP, VTI, Easy VP, or PKI Blade-to-Blade stateful failover IPsec VP Monitoring (IPsec Flow MIB) IPsec VP Accounting (start / stop / interim records) Crypto Conditional Debug support show crypto engine accelerator statistic command Other show crypto engine commands clear crypto engine accelerator counter command Crypto commands applied to a loopback interface Asymmetric routing (different outside interfaces for encrypted and decrypted traffic of the same tunnel) Policy Based Routing (PBR) on tunnel interface or interface VLA ACL on tunnel interface MQC QoS on tunnel interface (service policy) mls qos command on all tunnel interfaces: IPsec, GRE, mgre QoS pre-classify CLI AT on crypto VLA or crypto protected tunnel interface 16 K Tunnels (16 K IKE & IPsec tunnels) Switching between VRF and crypto-connect modes requires reboot GRE keepalives on tunnel protection (TP) tunnels GRE keepalives on mgre/dmvp tunnels IPsec etwork Address Translation Transparency (AT-T) (transport mode, ESP only) Dynamic Multipoint VP Phase 2 (DMVP) (mgre; TP & HRP) DMVP Phase 3 DMVP hub router behind a AT gateway tunnel mode DMVP hub router behind a AT gateway transport mode (not spoke-to-spoke) DMVP spoke router behind a AT gateway tunnel mode Cisco VP Services Port Adapter Configuration Guide 2-7

IPsec Feature Support Chapter 2 Table 2-1 IPsec Feature Support By Release in All VP Modes (continued) Feature ame Software Release 12.2 DMVP spoke router behind a AT gateway transport mode (not spoke-to-spoke) Multicast transit traffic over DMVP tunnels on-ip traffic over TP (DMVP, point-to-point GRE, svti) tunnels ip tcp adjust-mss command for IPv4 Support for Supervisor Engine 2 Support for the VPSM All serial PPP interfaces with crypto-connect mode must have ip unnumber null 0 command Manual key Tunnel Endpoint Discovery Transport adjacency and nested tunnels Transit IPsec packets VSPA supported with virtual switching system (VSS) IPv4 header options through IPsec tunnels Invalid SPI recovery IPsec compression Multilink PPP (MLPPP) Multilink or dialer interfaces Group Encrypted Transport VP (GETVP) IPsec Passive Mode ATM PVC bundle IPsec Features in Crypto-Connect Mode Table 2-2 displays supported and unsupported IPsec features in crypto-connect mode. Table 2-2 Features Supported or Unsupported In Crypto-Connect VP Mode Feature ame Software Release 12.2 Point-to-point GRE with tunnel protection and VTI Path MTU discovery (PMTUD) PMTUD with AT-T IPsec static virtual tunnel interface (svti) 2-8 Cisco VP Services Port Adapter Configuration Guide

Chapter 2 IPsec Feature Support Table 2-2 Features Supported or Unsupported In Crypto-Connect VP Mode (continued) Feature ame Software Release 12.2 The use of VRFs in conjunction with crypto features IPX and Appletalk over point-to-point GRE IPsec Features in VRF Mode Table 2-3 displays supported and unsupported IPsec features in VRF mode. Table 2-3 Features Supported or Unsupported In VRF Mode Feature ame Software Release 12.2 Global VRF Front-door VRF (FVRF) FVRF on an mgre tunnel configured on a DMVP hub FVRF on an mgre tunnel configured on a DMVP spoke Overlapping IP address space in VRFs Secondary IP addresses on interfaces MPLS over GRE/IPsec (tag switching on tunnel interfaces) PE-PE encryption (IPsec only) over MPLS PE-PE encryption (tunnel protection) over MPLS MPLS PE-CE encryption (Tag2IP) with GRE/TP MPLS PE-CE encryption (Tag2IP) with svti MPLS PE-CE encryption (Tag2IP) with crypto map Crypto maps in VRF-lite Per-VRF AAA with RADIUS Per-VRF AAA with TACACS IPsec static virtual tunnel interface (svti) Multicast over svti Ingress and egress features (ACL, QOS) on svti, GRE/TP, and mgre tunnel Ingress features (ACL, PBR, inbound service policy) on the outside interface Outbound service policy on the outside interface TP support in the global context IPsec SA using crypto map created in transport mode Path MTU discovery (PMTUD) Cisco VP Services Port Adapter Configuration Guide 2-9

IPsec Feature Support Chapter 2 Table 2-3 Features Supported or Unsupported In VRF Mode (continued) Feature ame Software Release 12.2 IPv6 IPsec svti IPv6-in-IPv6 OSPFv3 with authentication IPv4-in-IPv6, IPv6-in-IPv4 Multicast over IPv6 svti AH encapsulation over IPv6 svti ACL, QOS, AT, VP, MPLS, HSRPv6, tcp adjust-mss command on IPv6 svti Certificates, PMTUD, DPD, PDPD for IPv6 IPv6 extension headers on encrypted packets IPv6 extension headers on cleartext packets 2-10 Cisco VP Services Port Adapter Configuration Guide

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback