IPSec Configuration Command Directory

clear crypto sa

crypto dynamic-map

crypto ipsec secure

crypto ipsec transform-set

crypto map (global configuration)

crypto map (interface configuration)

crypto map local-address

debug crypto packet

match address

mode

set peer

set pfs

set security-association {inbound|outbound}

set security-association lifetime

set transform-set

show crypto ipsec sa  

show crypto ipsec transform-set

show crypto map

transform-type

This chapter describes the commands used to configure IPSec. IPSec protects sensitive traffic crossing a public network such as the Internet. It is a standards-based security solution that, in addition to data confidentiality (encryption), provides data origin authentication, integrity verification and anti-replay protection.

 

clear crypto sa

The command "clear crypto sa" deletes entries from the IPSec security association (SA) database.

clear crypto sa

clear crypto sa peer ip-address

clear crypto sa map map-name

parameter:

ip-address    The IP address of the remote IPSec peer whose security associations are to be deleted.

map-name    The name of the crypto map set whose security associations are to be deleted.

Default:

If neither the peer nor the map keyword is given, all IPSec security associations are deleted.

Command mode:

Supervisor mode

Explanation:

The command clears (deletes) IPSec security associations. Security associations that were established through IKE are deleted, and the next IPSec traffic triggers negotiation of new ones (with IKE, an IPSec security association is set up only when traffic requires it).

Security associations that were configured manually are deleted and immediately re-established from the configuration.

If neither the peer nor the map keyword is given, all IPSec security associations are deleted. The peer keyword deletes all IPSec security associations with the specified remote peer address. The map keyword deletes all IPSec security associations created by the specified crypto map set. Because cleared security associations are re-established with the current configuration, this command is how changed settings are made to apply to existing security associations. For manually keyed security associations in particular, changes to the crypto map set do not take effect until clear crypto sa has been issued.

If the router is carrying IPSec traffic, clear only the part of the security association database affected by the change (by peer or by map) rather than the whole database, so that unrelated IPSec sessions are not interrupted. Note that this command clears IPSec security associations only; use clear crypto isakmp to clear IKE state.

 

Example:

The example below clears all IPSec security associations on the router.

clear crypto sa

Relevant command:

clear crypto isakmp

crypto dynamic-map

The global configuration command "crypto dynamic-map" creates or modifies a dynamic crypto map and enters dynamic crypto map configuration mode. The "no" form of the command deletes a dynamic crypto map.

crypto dynamic-map map-name

no crypto dynamic-map map-name

parameter:

map-name    The name of the dynamic crypto map set.

Default:

No dynamic crypto map exists.

Command mode:

Global configuration mode. The command enters dynamic crypto map configuration mode.

Explanation:

The command creates a new dynamic crypto map or modifies an existing one.

A dynamic crypto map works much like an ordinary crypto map. The main difference is:

A dynamic crypto map does not need a peer IP address: an IPSec peer at any address may negotiate against it, which is what makes it suitable for mobile or dynamically addressed users. An ordinary crypto map must specify the peer address and accepts negotiation only from that peer. A peer address may also be set in a dynamic crypto map, in which case it behaves essentially like an ordinary crypto map. Since any address may attempt a negotiation against a dynamic map, authentication of the peer rests entirely on IKE.

Example:

The example below shows the minimum configuration for a dynamic crypto map when IKE is used to establish the security associations.

crypto dynamic-map aaa
    match address aaa
    set transform-set one

Relevant command:

crypto map (global configuration)

match address

set peer

set pfs

set security-association lifetime

set transform-set

show crypto map

crypto ipsec secure

Specifies whether the local router accepts packets that should be protected by IPSec but arrive either without IPSec protection or as malformed IPSec packets.

crypto ipsec secure

no crypto ipsec secure

parameter:

none

Default:

Unprotected (non-IPSec) packets and malformed IPSec packets are allowed through.

 

Command mode:

global configuration mode.

Explanation:

When a packet arrives for which a crypto map policy is configured and the packet is not an IPSec packet, or is an IPSec packet that fails processing, the router handles it as ordinary traffic if this option is not set. If the option is set, the router drops the packet. Without this option, anyone who can reach the interface can inject cleartext packets into a flow that the policy says must be protected, so consider enabling it wherever the crypto map set is expected to cover all traffic between the protected networks.

Example:

The example below enables the option on the router.

crypto ipsec secure

Relevant command:

crypto map

crypto ipsec transform-set

The global configuration command "crypto ipsec transform-set" defines an IPSec transform set: an acceptable combination of security protocols and algorithms. The "no" form of the command deletes a transform set.

crypto ipsec transform-set transform-set-name

no crypto ipsec transform-set transform-set-name

parameter:

transform-set-name    The name of the transform set to be created (or modified).

Default:

none

Command mode:

Global configuration mode. The command enters crypto transform configuration mode.

Explanation:

A transform set is a combination of security protocols, algorithms and other settings applied to traffic protected by IPSec.

Several transform sets may be configured, and one or more of them may be specified in a crypto map. The transform sets named in a crypto map are used when negotiating the IPSec security associations that protect the traffic matched by that crypto map's access list. During negotiation both peers look for a transform set they have in common; when one is found it becomes part of the IPSec security association on both sides and is applied to the protected traffic.

If IKE is not used to establish the security associations (ipsec-manual), exactly one transform set must be specified; it is applied directly rather than negotiated.

 

A transform set can be referenced in a crypto map only after it has been defined with this command.

The command "transform-type" configures the transforms in the set.

Example:

The example below defines a transform set that uses ESP with DES encryption and SHA-1 HMAC authentication. DES has a 56-bit key and should not be relied on for confidentiality today; use the strongest cipher the platform offers.

crypto ipsec transform-set one
    transform-type esp-des esp-sha-hmac

Relevant command:

mode

transform-type

set transform-set

show crypto ipsec transform-set

crypto map (global configuration)

The global configuration command "crypto map" creates or modifies a crypto map and enters crypto map configuration mode. The "no" form of the command deletes a crypto map entry or crypto map set.

crypto map map-name seq-num ipsec-manual

crypto map map-name seq-num ipsec-isakmp

crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

no crypto map map-name seq-num

parameter:

map-name    The name of the crypto map set.

seq-num    Sequence number of the crypto map entry. How the sequence number is used is described under Explanation below.

ipsec-manual    The IPSec security associations protecting the traffic selected by this crypto map are configured manually.

ipsec-isakmp    The IPSec security associations protecting the traffic selected by this crypto map are established through IKE.

dynamic-map-name    The name of the dynamic crypto map used as the template for this crypto map entry.

 

Default:

No crypto map exists.

Command mode:

Global configuration mode. When the dynamic keyword and its parameter are not given, the command enters crypto map configuration mode.

Explanation:

The command creates a new crypto map or modifies an existing one.

Once a crypto map entry has been created, the keywords given in global configuration mode (ipsec-manual or ipsec-isakmp) cannot be changed, because they determine which commands are available in crypto map configuration mode. For example, an entry created as ipsec-isakmp cannot be changed to ipsec-manual; it must be deleted and recreated as ipsec-manual. After the crypto map has been defined, the command crypto map (interface configuration) applies the crypto map set to an interface.

The function of the crypto map

A crypto map performs two functions: it filters and classifies the traffic that needs protection, and it defines the policy applied to that traffic. An IPSec crypto map ties together the following definitions:

Which traffic should be protected.

Which IPSec peers the protected data may be sent to, that is, which peers may establish a security association with the local router.

How keys and security associations are managed and used (or, when IKE is not used, what the keys are).

Multiple crypto map entries with the same map name form a crypto map set.

A crypto map set is a collection of crypto map entries that share one map-name and have different seq-num values. This lets one interface apply one security policy to traffic sent to one IPSec peer and different policies to other traffic, whether sent to the same peer or to different peers. To do this, create several crypto map entries with the same map-name and different seq-num values.

The seq-num parameter

The seq-num value is not arbitrary: it orders the crypto map entries within a set. An entry with a smaller seq-num is evaluated before one with a larger seq-num, so a smaller number means a higher priority.

For example, suppose a crypto map set contains three entries, aaa 10, aaa 20 and aaa 30, and the set named aaa is applied to interface Serial 0. Traffic passing through Serial 0 is first evaluated against aaa 10. If it matches a permit statement in the extended access list specified by aaa 10, it is processed according to the policy defined in aaa 10 (including establishing an IPSec security association if necessary). If it does not match the aaa 10 access list, aaa 20 is tried, then aaa 30, until the traffic matches a permit statement in some entry. Traffic that matches no permit statement in any entry is forwarded unchanged, without IPSec protection. Because of this fall-through to cleartext, check that the crypto access lists cover every flow that is meant to be protected.

 

Example:

The following example shows the minimum configuration for a crypto map whose security associations are established through IKE.

 

crypto map aaa 10 ipsec-isakmp
    match address aaa
    set transform-set one
    set peer 192.2.2.1

The following example shows the minimum configuration for a crypto map that uses a dynamic crypto map as its template.

crypto dynamic-map aaa
    match address aaa
    set transform-set one
crypto map bbb 10 ipsec-isakmp dynamic aaa

The following example shows the minimum configuration for a crypto map whose security associations are configured manually. Each protocol in the transform set (AH and ESP here) needs an inbound and an outbound security association, each with its own SPI and key; the key lengths follow the rules given under set security-association {inbound|outbound} (16 bytes for MD5, 8 bytes for DES).

crypto ipsec transform-set one
    transform-type ah-md5-hmac esp-des
crypto map aaa 10 ipsec-manual
    match address aaa
    set transform-set one
    set peer 192.2.2.1
    set security-association inbound ah 300 98765432109876543210987654321098
    set security-association outbound ah 300 fedcbafedcbafedcfedcbafedcbafedc
    set security-association inbound esp 300 cipher 0123456789012345
    set security-association outbound esp 300 cipher abcedfabcdefabcd

Relevant command:

crypto map (interface configuration)

crypto map local-address

match address

set peer

set pfs

set security-association lifetime

set transform-set

show crypto map

crypto map (interface configuration)

The interface configuration command "crypto map" applies a previously defined crypto map set to an interface. The "no" form of the command removes the crypto map set from the interface.

crypto map map-name

no crypto map

parameter:

map-name    The name of the crypto map set.

Default:

No crypto map set is applied to the interface.

Command mode:

Interface Configuration mode

Explanation:

The command applies a crypto map set to an interface. A crypto map set must be applied before the interface can provide IPSec services. Only one crypto map set can be applied to an interface. Crypto map entries with the same map-name and different seq-num values belong to the same set and are applied to the interface together; the entry with the smaller seq-num has the higher priority and is evaluated first. A crypto map set may contain a mixture of ipsec-isakmp and ipsec-manual entries.

Example:

The example below applies the crypto map set aaa to interface S0. Packets passing through S0 are evaluated against every crypto map entry in the aaa set. When an outbound packet matches the access list of one of the entries in aaa, the IPSec security association configured by that entry is used, and is established first if it does not already exist.

interface s0
    crypto map aaa

Relevant command:

crypto map (global configuration)

crypto map local-address

show crypto map

crypto map local-address

The command "crypto map local-address" specifies an interface whose IP address is used as the local IPSec address for all entries in a crypto map set. The "no" form of the command removes the setting from the configuration.

crypto map map-name local-address interface-id

no crypto map map-name local-address

parameter:

map-name    The name of the crypto map set.

interface-id    The interface whose IP address the crypto map set uses as its local IPSec address.

Default:

none

Command mode:

global configuration mode

Explanation:

When this command is configured, every crypto map entry in the set uses the IP address of the specified interface as the local IPSec endpoint address, regardless of the interface the set is applied to. This is typically used when the same crypto map set is applied to more than one interface, so that the peer always sees a single local address.

Example:

none

Relevant command:

crypto map (interface configuration)

debug crypto packet

The command "debug crypto packet" displays error information produced while IPSec processes packets, that is, errors detected when handling the upper-layer data that IPSec protects.

debug crypto packet

parameter:

none

Default:

No debugging information is displayed by default.

Command mode:

Supervisor mode

Explanation:

The most important and most frequently seen messages related to IPSec processing are listed below.

Each message is shown with its meaning indented beneath it:

rec'd IPSEC packet from IPADDR has invalid spi.
    The peer's outbound SPI does not match the local inbound SPI, or the protocol configuration (ESP, AH) differs between the two sides.

packet missing policy.
    The peer's outbound protocol configuration (ESP, AH) does not match the local configuration.

rec'd IPSEC packet from IPADDR has bad pading.
    The ESP padding is invalid after decryption, which normally means the peer's outbound encryption key does not match the local inbound encryption key.

rec'd IPSEC packet mac verify failed.
    The peer's outbound ESP or AH authentication key does not match the local inbound authentication key.

rec'd IPSEC packet from IPADDR to IPADDR does not agree with policy.
    The decapsulated packet does not match the corresponding access list; the access list of the crypto map entry (sub-map) is probably misconfigured.

Relevant command:

show crypto ipsec sa

debug crypto isakmp

match address

The crypto map configuration command "match address" specifies an extended access list for a crypto map entry. The "no" form of the command removes the access list from the crypto map entry.

match address access-list-name

no match address access-list-name

parameter:

access-list-name    The crypto access list. The name must match that of a configured extended access list.

Default:

No access list is assigned to the crypto map entry.

Command mode:

The configuration mode of the encrypted map

Explanation:

The command is mandatory for every crypto map entry.

The command assigns an extended access list to a crypto map entry. The access list itself is defined with the command "ip access-list extended".

IPSec uses the extended access list specified by this command to decide which traffic is protected and which is not: traffic permitted by the access list is protected according to the crypto map entry, and traffic denied by it is not protected by that entry.

Note: The crypto access list does not decide whether traffic is allowed through an interface. That is the job of the access list applied to the interface.

The crypto access list specified by this command is applied to both outbound and inbound traffic. For outbound traffic, the crypto access lists of the interface's crypto map set decide whether a packet must be protected and, if so (the packet matches a permit statement), which policy applies. For inbound traffic, after the packet has passed the interface's ordinary access list, the crypto access lists of the interface's crypto map set decide whether the packet should have been protected and by which policy. An inbound packet that should have been protected but arrives without IPSec protection is handled as described under crypto ipsec secure: it is dropped when that option is set, and otherwise processed as ordinary traffic.
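The following Python model is added here as an illustration and is not part of the router software. It ties together three behaviours described on this page: the ordered walk through a crypto map set by seq-num (crypto map, global configuration), the permit/deny semantics of the crypto access list, and the inbound handling of unprotected packets controlled by crypto ipsec secure. The access lists, map entries, addresses and peers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of how a crypto map set classifies traffic. Not the
# router's code; the ACLs, entries and addresses below are illustrative.

@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: str      # source prefix in CIDR notation
    dst: str      # destination prefix in CIDR notation

@dataclass
class Flow:
    proto: str
    src: str
    dst: str

@dataclass
class CryptoMapEntry:
    seq: int
    acl: List[AclEntry]
    peer: Optional[str]          # None for a dynamic (template) entry
    kind: str = "ipsec-isakmp"

def acl_action(acl: List[AclEntry], flow: Flow) -> Optional[str]:
    """First-match evaluation of an extended ACL; None models the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for e in acl:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if src in ipaddress.ip_network(e.src) and dst in ipaddress.ip_network(e.dst):
            return e.action
    return None

def select_entry(crypto_map: List[CryptoMapEntry], flow: Flow) -> Optional[CryptoMapEntry]:
    """Walk the set in ascending seq-num; the first entry whose ACL *permits* the
    flow supplies the policy. A deny, or no match, moves on to the next entry.
    None means no entry claims the flow: it is forwarded in cleartext."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_action(entry.acl, flow) == "permit":
            return entry
    return None

def inbound_verdict(crypto_map: List[CryptoMapEntry], flow: Flow,
                    ipsec_protected: bool, crypto_ipsec_secure: bool) -> str:
    """Inbound check after the interface ACL: a packet that a crypto map entry
    says must be protected, but that arrived unprotected or failed IPSec
    processing, is dropped only when 'crypto ipsec secure' is configured."""
    entry = select_entry(crypto_map, flow)
    if entry is None or ipsec_protected:
        return "accept"
    return "drop" if crypto_ipsec_secure else "accept"

# Constructed sample: two entries in one set; the lower seq-num is evaluated first.
ACL_A = [AclEntry("deny", "tcp", "10.1.1.0/24", "10.2.2.0/24"),   # TCP is excluded from entry 10
         AclEntry("permit", "ip", "10.1.1.0/24", "10.2.2.0/24")]
ACL_B = [AclEntry("permit", "ip", "10.1.0.0/16", "10.0.0.0/8")]
MYMAP = [CryptoMapEntry(20, ACL_B, "192.2.2.2"),
         CryptoMapEntry(10, ACL_A, "192.2.2.1")]

if __name__ == "__main__":
    for f in (Flow("udp", "10.1.1.5", "10.2.2.9"),     # entry 10 -> peer 192.2.2.1
              Flow("tcp", "10.1.1.5", "10.2.2.9"),     # denied by 10, permitted by 20
              Flow("tcp", "10.1.1.5", "8.8.8.8")):     # no entry: leaves in cleartext
        e = select_entry(MYMAP, f)
        print(f, "->", f"seq {e.seq} peer {e.peer}" if e else "cleartext")
```

The deny line in ACL_A shows the fall-through that matters in practice: a deny only excludes traffic from that entry, after which the next entry in the set may still claim it, and a flow that no entry permits leaves the interface unprotected.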

Example:

The following example shows the minimum configuration for a crypto map entry whose security associations are established through IKE.

crypto map aaa 100 ipsec-isakmp
    match address aaa
    set transform-set one
    set peer 192.2.2.1

Relevant command:

crypto map (global configuration)

crypto map (interface configuration)

crypto map local-address

ip access-list extended

set peer

set pfs

set security-association lifetime

set transform-set

show crypto map

mode

The crypto transform configuration command "mode" changes the mode of a transform set. The "no" form of the command restores the default, tunnel mode.

mode {tunnel | transport}

no mode

parameter:

tunnel | transport    The mode of the transform set: tunnel mode or transport mode. If neither is specified, the default (tunnel mode) is used.

Default:

Tunnel Mode

Command mode:

Crypto transform configuration mode

Explanation:

The command changes the encapsulation mode of a transform set. The setting takes effect only for traffic whose source and destination addresses are those of the two IPSec endpoints themselves (such traffic can be encapsulated in either tunnel or transport mode). All other traffic is encapsulated in tunnel mode regardless of this setting.

If the traffic to be protected runs between the two IPSec endpoints and transport mode is configured, the router proposes transport mode in the negotiation but accepts either transport or tunnel mode. If tunnel mode is configured, the router proposes tunnel mode and accepts only tunnel mode.

Defining a transform set enters crypto transform configuration mode, in which the mode can be changed to tunnel or transport.

If the mode was not set when the transform set was defined and needs to be changed later, re-enter the transform set and change its mode.

Changing the mode with this command affects only IPSec security associations established afterwards by crypto maps that reference the transform set. To make the new setting take effect sooner, clear part or all of the security association database; see the command "clear crypto sa".

Tunnel Mode

In tunnel mode the entire original IP packet is protected (encrypted, authenticated or both) and encapsulated by IPSec (ESP, AH or both). A new IP header is then added whose source and destination addresses are those of the IPSec endpoints.

Any IP traffic can be carried in tunnel mode. Tunnel mode must be used when IPSec protects the traffic of hosts located behind the two IPSec endpoints.

Transport Mode

In transport mode only the payload (data) of the IP packet is protected (encrypted, authenticated or both) and encapsulated by IPSec (ESP, AH or both). The original IP header is left in place and is not protected by IPSec. Transport mode is used only when the source and destination addresses of the packets to be protected are the two IPSec endpoints themselves, for example to protect management traffic to the router. Configuring transport mode lets the router negotiate with the peer whether transport or tunnel mode is used.

Example:

The example below defines a transform set and changes its mode to transport mode.

router_config# crypto ipsec transform-set one
router_config_crypto_trans# transform-type esp-des esp-sha-hmac
router_config_crypto_trans# mode transport
router_config_crypto_trans# exit
router_config#

Relevant command:

crypto ipsec transform-set

set peer

The crypto map configuration command "set peer" specifies the IPSec peer for a crypto map entry. The "no" form of the command removes the IPSec peer from the crypto map entry.

set peer ip-address

no set peer ip-address

parameter:

ip-address    The IPSec peer, identified by its IP address.

Default:

No IPSec peer is specified by default.

Command mode:

Configuration mode of Encrypted Map

Explanation:

The command specifies the IPSec peer for a crypto map entry and is mandatory for every crypto map entry other than a dynamic crypto map (see crypto dynamic-map). A crypto map entry can specify only one IPSec peer; specifying a new peer replaces the previous setting.

Example:

The example below shows the configuration of a crypto map entry whose security association is established through IKE.

crypto map aaa 100 ipsec-isakmp
    match address aaa
    set transform-set one
    set peer 192.2.2.1

Relevant command:

crypto map (global configuration)

crypto map (interface configuration)

crypto map local-address

match address

set pfs

set security-association lifetime

set transform-set

show crypto map

set pfs

The crypto map configuration command "set pfs" makes IPSec request perfect forward secrecy (PFS) when it negotiates new security associations for the crypto map entry, and require PFS when it receives a request to set up new security associations. The "no" form of the command specifies that IPSec does not request PFS.

set pfs [group1|group2]

no set pfs

parameter:

group1    IPSec uses the 768-bit Diffie-Hellman group when a new Diffie-Hellman exchange is performed.

group2    IPSec uses the 1024-bit Diffie-Hellman group when a new Diffie-Hellman exchange is performed.

Default:

Under default state, PFS is not required.

Command mode:

The configuration mode of encrypted map

Explanation:

The command applies only to ipsec-isakmp crypto map entries.

With this command, IPSec requests PFS whenever it negotiates new security associations for the crypto map entry. When the local side initiates the negotiation and the local configuration specifies PFS, the peer must perform the PFS exchange, otherwise the negotiation fails. If the local configuration does not specify a group, the local router proposes group1 and accepts either group1 or group2 from the peer. If the local configuration specifies group2, the peer must offer that group, otherwise the negotiation fails. If the local configuration does not specify PFS, the local router still accepts PFS if the peer proposes it.

PFS adds another layer of security. If one key is compromised or broken, only the data protected by that key is exposed; without PFS, data protected by other keys may be exposed as well. With PFS, a new Diffie-Hellman exchange is performed each time a new security association is negotiated, at the cost of extra processing time.

The 1024-bit Diffie-Hellman group (group2) is stronger than group1 but requires more processing time. By current standards both groups are considered too small; where the platform offers larger groups, prefer them.

Example:

The following example specifies that PFS is used whenever crypto map aaa 100 negotiates new security associations.

crypto map aaa 100 ipsec-isakmp
    set pfs group2

Relevant command:

crypto map (global configuration)

crypto map (interface configuration)

crypto map local-address

match address

set peer

set security-association lifetime

set transform-set

show crypto map

set security-association lifetime

The crypto map configuration command "set security-association lifetime" sets the lifetime values used when negotiating IPSec security associations for a crypto map entry. The "no" form of the command restores the default values.

set security-association lifetime [seconds seconds | kilobytes kilobytes]

no set security-association lifetime [seconds | kilobytes]

parameter:

seconds seconds    The number of seconds a security association lives before it expires.

kilobytes kilobytes    The amount of traffic, in kilobytes, that can be sent using a security association before it expires.

 

Default:

The security associations of the crypto map entry are negotiated with the default lifetime values.

The default timed lifetime is 3600 seconds (1 hour); the default traffic-volume lifetime is 4,608,000 kilobytes.

Command mode:

Configuration status of encrypted map

Explanation:

The command applies only to ipsec-isakmp crypto map entries.

IPSec security associations use shared keys. The keys and their security association expire together. If a lifetime has been configured for the crypto map entry, the router uses that value in its proposal when it requests a new security association from the peer, and as the lifetime of the new security association. When the router receives a negotiation request from the peer, it takes the smaller of the lifetime proposed by the peer and the locally configured lifetime as the lifetime of the new security association.

There are two lifetimes: a timed lifetime in seconds and a traffic-volume lifetime in kilobytes. The security association expires as soon as either limit is reached.

The form "set security-association lifetime seconds" changes the timed lifetime: the security association and its keys expire after the specified number of seconds.

The form "set security-association lifetime kilobytes" changes the traffic-volume lifetime: the security association and its keys expire when the traffic encrypted with the security association's key reaches the specified amount (in kilobytes).

A shorter lifetime makes the key harder to attack or recover, because less data is available to an attacker, but it costs more CPU time for establishing new security associations.

Lifetime values are ignored for manually configured security associations (ipsec-manual crypto map entries).

How lifetime works

If no lifetime has been configured for the crypto map entry, the router uses the default lifetime in its proposal when it requests a new security association, and as the lifetime of the new security association. When the router receives a negotiation request from the peer, it takes the smaller of the lifetime proposed by the peer and the locally configured lifetime as the lifetime of the new security association.

The security association (and its keys) expires either after the configured time (the seconds keyword) or after the configured amount of traffic has been sent, whichever occurs first.

A new security association is negotiated before the existing one reaches its lifetime limit, so that a replacement is ready when the old one expires. Negotiation starts 30 seconds before the timed lifetime is reached, or when the traffic sent through the tunnel is 256 KB short of the volume lifetime, whichever occurs first.

If no traffic passes through the tunnel during the whole lifetime of a security association, no replacement is negotiated in advance; a new security association is negotiated only when the old one has expired and IPSec receives a packet that needs protection.
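The following Python model is an added illustration, not router code. It encodes the negotiation rules given under set pfs and set security-association lifetime: how the local PFS setting and the Diffie-Hellman group offered by the peer lead to agreement or failure, how the responder keeps the smaller of the two proposed lifetimes, and when a replacement security association is negotiated (30 seconds or 256 KB before a limit, or, for an idle security association, only once a packet needs protection). Treating an explicitly configured group1 the same way the text treats group2 (the peer must offer it) is an assumption noted in the code; all values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the rules in the 'set pfs' and 'set security-association
# lifetime' sections. Not the router's code.

DEFAULT_SECONDS = 3600
DEFAULT_KILOBYTES = 4_608_000
REKEY_SECONDS_BEFORE = 30    # replacement SA negotiated this long before the time limit
REKEY_KB_BEFORE = 256        # ... or this many kilobytes before the volume limit

@dataclass
class LocalPolicy:
    pfs: bool = False                  # 'set pfs' present in the crypto map entry
    pfs_group: Optional[int] = None    # group given with 'set pfs'; None = no group keyword
    lifetime_seconds: int = DEFAULT_SECONDS
    lifetime_kilobytes: int = DEFAULT_KILOBYTES

@dataclass
class PeerProposal:
    pfs_group: Optional[int]           # DH group the peer offers; None = peer proposes no PFS
    lifetime_seconds: int
    lifetime_kilobytes: int

def negotiate_pfs(local: LocalPolicy, peer: PeerProposal) -> Optional[int]:
    """Agreed DH group, 0 for an SA without PFS, or None when the negotiation fails."""
    if not local.pfs:
        return peer.pfs_group or 0        # no local PFS requirement: accept what the peer offers
    if peer.pfs_group is None:
        return None                       # local side requires PFS, peer offered none
    if local.pfs_group is None:
        # 'set pfs' with no group: propose group1 but accept either group1 or group2
        return peer.pfs_group if peer.pfs_group in (1, 2) else None
    # An explicit group must be matched by the peer. The reference states this for
    # group2; applying it to any configured group is an assumption of this model.
    return local.pfs_group if peer.pfs_group == local.pfs_group else None

def negotiate_lifetime(local: LocalPolicy, peer: PeerProposal) -> Tuple[int, int]:
    """The responder keeps the smaller of the peer's proposal and its own value, per limit."""
    return (min(local.lifetime_seconds, peer.lifetime_seconds),
            min(local.lifetime_kilobytes, peer.lifetime_kilobytes))

@dataclass
class SaState:
    lifetime_seconds: int
    lifetime_kilobytes: int
    age_seconds: int = 0
    kilobytes_sent: int = 0

    def expired(self) -> bool:
        """Whichever limit is reached first ends the SA and its keys."""
        return (self.age_seconds >= self.lifetime_seconds
                or self.kilobytes_sent >= self.lifetime_kilobytes)

    def rekey_due(self, packet_pending: bool) -> bool:
        """Early rekey fires 30 s / 256 KB before a limit on an SA that has carried
        traffic. An SA that stayed idle is replaced only once it has expired and a
        packet actually needs protection."""
        if self.kilobytes_sent == 0:
            return self.expired() and packet_pending
        return (self.age_seconds >= self.lifetime_seconds - REKEY_SECONDS_BEFORE
                or self.kilobytes_sent >= self.lifetime_kilobytes - REKEY_KB_BEFORE)

if __name__ == "__main__":
    local = LocalPolicy(pfs=True, pfs_group=2, lifetime_seconds=1800)
    peer = PeerProposal(pfs_group=2, lifetime_seconds=3600, lifetime_kilobytes=100_000)
    print("group:", negotiate_pfs(local, peer), "lifetime:", negotiate_lifetime(local, peer))
    print("peer offers group1:", negotiate_pfs(local, PeerProposal(1, 3600, 100_000)))
```

The asymmetry worth noticing is in negotiate_pfs: a router without set pfs still accepts PFS when the peer asks for it, while a router with set pfs group2 refuses anything else. Only the side that configures PFS actually guarantees it.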

Example:

This example shortens the timed lifetime of a crypto map entry because the keys of its security associations are considered to be at higher risk of compromise. The volume lifetime is left unchanged because the traffic carried by these security associations is not large. The timed lifetime is shortened to 1800 seconds (30 minutes).

crypto map aaa 100 ipsec-isakmp
    set security-association lifetime seconds 1800

Relevant command:

crypto map (global configuration)

crypto map (interface configuration)

crypto map local-address

match address

set peer

set pfs

set transform-set

show crypto map

set security-association {inbound|outbound}

The crypto map configuration command "set security-association" designates the IPSec keys of a crypto map manually. The "no" form of the command removes the IPSec keys from the crypto map. The command applies only to ipsec-manual crypto maps.

set security-association {inbound|outbound} ah spi hex-key-string

set security-association {inbound|outbound} esp spi [cipher hex-key-string] [authenticator hex-key-string]

no set security-association {inbound|outbound} ah

no set security-association {inbound|outbound} esp

parameter:

inbound: Sets the IPSec key for inbound packets (keys must be set for both inbound and outbound packets).

outbound: Sets the IPSec key for outbound packets (keys must be set for both inbound and outbound packets).

ah: Sets the IPSec key for the AH protocol. It takes effect only when the transform set of this crypto map includes an AH transform.

esp: Sets the IPSec key for the ESP protocol. It takes effect only when the transform set of this crypto map includes an ESP transform.

spi: The security parameter index (SPI) uniquely identifies a security association. The SPI is an arbitrary number in the range 256 to 4,294,967,295 (0xFFFFFFFF). The same SPI can be given to the security associations of both directions (inbound and outbound) and both protocols (AH, ESP), but an SPI value must be unique for a given combination of destination address and protocol. For inbound, the destination address is the address of the local router; for outbound, it is the address of the peer.

hex-key-string: The key, entered in hex. It is an arbitrary hex string with a length of 8, 16, 20 or 24 bytes. If the transform set of the crypto map includes the DES algorithm, each key needs at least 8 bytes; for 3DES, at least 24 bytes; for MD5, at least 16 bytes; for SHA, at least 20 bytes. A key longer than the required length is simply truncated.

cipher: Indicates that this key string is the key of the ESP encryption transform.

authenticator: (optional) Indicates that this key string is the key of the ESP authentication transform. It is needed only when the transform set of this crypto map includes an ESP authentication algorithm.

Default:

No IPSec keys are defined by default.

Command mode:

Crypto map configuration mode

Explanation:

The command designates the IPSec keys of the security associations created by an ipsec-manual crypto map (for an ipsec-isakmp crypto map, the security associations and their keys are created automatically by IKE negotiation).

If the transform set of the crypto map includes the AH protocol, IPSec keys must be defined for both the inbound and the outbound AH traffic. If it includes the ESP encryption protocol, keys must be defined for both inbound and outbound ESP encryption. If it includes the ESP authentication protocol, keys must be defined for both inbound and outbound ESP authentication.

When several IPSec keys are defined for one crypto map, the same SPI number can be given to all of them, since the SPI only has to identify the security association belonging to that crypto map. The SPI values do not have to be the same, but a given SPI value must be used only once for the same combination of destination address and protocol.

Security associations created by this command never expire (unlike those created by IKE).

The local key must match the key of the peer. If a key is changed, the security association that uses it is deleted and re-established.

Example:

The example below is an ipsec-manual crypto map. Transform set one includes only an AH protocol.

crypto ipsec transform-set one

transform-type ah-md5-hmac

crypto map aaa 100 ipsec-manual

match address aaa

set transform-set one

set peer 192.2.2.1

set security-association inbound ah 300 11111111111111111111111111111111

set security-association outbound ah 300 22222222222222222222222222222222

The example below is an ipsec-manual crypto map whose transform set one includes an AH protocol and an ESP protocol, so keys must be configured for both the inbound and the outbound traffic of AH and of ESP. The transform set includes both the ESP encryption transform and the ESP authentication transform, so the keywords cipher and authenticator are used to give the keys of these two transforms.

crypto ipsec transform-set one

transform-type ah-sha-hmac esp-des esp-sha-hmac

crypto map aaa 100 ipsec-manual

match address aaa

set transform-set one

set peer 192.2.2.1

set security-association inbound ah 300 9876543210987654321098765432109876543210

set security-association outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedcbafedc

set security-association inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999

set security-association outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
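Added example, not part of this command reference: a Python check (all names constructed here) that applies the rules given above for the spi and hex-key-string parameters and the both-directions requirement, together with the one-AH / one-ESP-encryption / one-ESP-authentication rule from the transform-type table later in this chapter, to the set security-association lines of an ipsec-manual crypto map. The sample lines are the second example above with its wrapped keys joined.

```python
import re

# Minimum key bytes per transform (hex-key-string parameter); longer keys are truncated.
MIN_KEY_BYTES = {"esp-des": 8, "esp-3des": 24, "ah-md5-hmac": 16,
                 "ah-sha-hmac": 20, "esp-md5-hmac": 16, "esp-sha-hmac": 20}
# Key slot each transform fills: AH bare key, ESP 'cipher KEY' / 'authenticator KEY'.
ROLE = {"ah-md5-hmac": ("ah", "ah"), "ah-sha-hmac": ("ah", "ah"),
        "esp-des": ("esp", "cipher"), "esp-3des": ("esp", "cipher"),
        "esp-md5-hmac": ("esp", "authenticator"), "esp-sha-hmac": ("esp", "authenticator")}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF   # range given for the spi parameter
SA_LINE = re.compile(r"set security-association (inbound|outbound) (ah|esp) (\d+)\s*(.*)")

def check_manual_map(transforms, sa_lines):
    """Lint the set security-association lines of an ipsec-manual crypto map
    against its transform set; returns a list of problems ([] when clean)."""
    problems = [f"unknown transform {t}" for t in transforms if t not in ROLE]
    needed = {}                       # (proto, role) -> transform that uses that key
    for t in transforms:
        if t in ROLE:
            if ROLE[t] in needed:     # one AH, one ESP cipher, one ESP authenticator
                problems.append(f"{t} and {needed[ROLE[t]]} fill the same slot")
            needed[ROLE[t]] = t
    keyed = set()
    for line in sa_lines:
        m = SA_LINE.match(line.strip())
        if not m:
            problems.append(f"unparsed line: {line.strip()}")
            continue
        direction, proto, spi, rest = m.groups()
        if not SPI_MIN <= int(spi) <= SPI_MAX:
            problems.append(f"{direction} {proto}: spi {spi} outside {SPI_MIN}..{SPI_MAX}")
        given = ({"ah": rest} if proto == "ah"
                 else dict(re.findall(r"(cipher|authenticator)\s+(\S+)", rest)))
        wanted = {role: t for (p, role), t in needed.items() if p == proto}
        if not wanted:
            problems.append(f"{direction} {proto}: transform set has no {proto} transform")
        for role, t in wanted.items():
            key = given.get(role, "")
            if not re.fullmatch(r"([0-9a-fA-F]{2})+", key):
                problems.append(f"{direction} {proto}: {role} key for {t} missing or not hex bytes")
            elif len(key) // 2 < MIN_KEY_BYTES[t]:
                problems.append(f"{direction} {proto}: {role} key shorter than "
                                f"{MIN_KEY_BYTES[t]} bytes needed by {t}")
        keyed.add((direction, proto))
    # Every protocol in the transform set must be keyed in both directions.
    for proto in {p for p, _ in needed}:
        for direction in ("inbound", "outbound"):
            if (direction, proto) not in keyed:
                problems.append(f"no {direction} {proto} key configured")
    return problems

# Constructed from this page's second ipsec-manual example (wrapped keys joined).
EXAMPLE_TRANSFORMS = ["ah-sha-hmac", "esp-des", "esp-sha-hmac"]
EXAMPLE_SA_LINES = [
    "set security-association inbound ah 300 9876543210987654321098765432109876543210",
    "set security-association outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedcbafedc",
    "set security-association inbound esp 300 cipher 0123456789012345"
    " authenticator 0000111122223333444455556666777788889999",
    "set security-association outbound esp 300 cipher abcdefabcdefabcd"
    " authenticator 9999888877776666555544443333222211110000",
]

if __name__ == "__main__":
    for p in check_manual_map(EXAMPLE_TRANSFORMS, EXAMPLE_SA_LINES) or ["no problems found"]:
        print(p)
```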

Relevant command:

crypto map (global configuration)

crypto map (interface configuration)

crypto map local-address

match address

set peer

set transform-set

show crypto map

set transform-set

The crypto map configuration command "set transform-set" designates the transform sets used by the crypto map. The "no" form of the command removes all transform sets from the crypto map.

set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]

no set transform-set

parameter:

transform-set-name: The name of a transform set. Only one transform set can be designated for an ipsec-manual crypto map; up to six transform sets can be designated for an ipsec-isakmp crypto map.

Default:

No transform set is included by default.

Command mode:

Crypto map configuration mode

Explanation:

This command is required for every crypto map.

It designates the transform sets to be contained in a crypto map.

Several transform sets can be listed for an ipsec-isakmp crypto map; the transform set with the highest priority is listed first.

If the local router starts the negotiation, the transform sets are proposed to the peer in the order given in the crypto map. If the peer starts the negotiation, the local router accepts the first matching transform set.

The first transform set that matches on both peers is used to create the security association. If no match is found, IPSec does not set up a security association, and the packets are dropped because no security association protects the traffic.

Only one transform set can be designated for an ipsec-manual crypto map. If it does not match the transform set in the peer's crypto map, the two IPSec peers cannot communicate, since they use different rules to protect the traffic.

To change the content of a transform set, redefine the transform set so that the new content replaces the old one. The change does not affect existing security associations; it is used when new security associations are created. To make the change take effect sooner, use the command "clear crypto sa" to delete all or part of the security association database.

Any transform set contained in a crypto map must first be defined with the command "crypto ipsec transform-set".

Example:

The example below defines two transform sets and designates both for the same crypto map (this applies only when IKE is used to create the security associations; a crypto map for manually established security associations contains only one transform set).

crypto ipsec transform-set one

transform-type esp-des esp-sha-hmac

crypto ipsec transform-set two

transform-type ah-sha-hmac esp-des esp-sha-hmac

crypto map aaa 100 ipsec-isakmp

match address aaa

set transform-set one two

set peer 192.2.2.1

In this example, when traffic matches access list aaa, the security association can use transform set one (first priority) or transform set two (second priority), depending on which of them matches a transform set on the peer.

Relevant command:

crypto map (global configuration)

crypto map (interface configuration)

crypto map local-address

match address

set peer

set pfs

set security-association lifetime

set security-association inbound

set security-association outbound

show crypto map

show crypto ipsec sa

The command "show crypto ipsec sa" displays the settings used by the current security associations.

show crypto ipsec sa [map map-name |interface interface-id ] [detail]

parameter:

map map-name: (optional) Shows the existing security associations created by the named crypto map.

interface interface-id: (optional) Shows the existing security associations created by the crypto map on the given interface.

detail: (optional) Shows the statistics of the security associations.

Default:

If no keyword is given, all security associations are shown.

Command mode:

Supervisor mode

Explanation:

none

Example:

The following is sample output of the command "show crypto ipsec sa":

router#show crypto ipsec sa detail

Interface: Ethernet0/0

Crypto map name:aaa

local  ident (addr/mask/prot/port): (191.1.1.0/255.255.255.0/0/0)

 remote ident (addr/mask/prot/port): (197.7.7.0/255.255.255.0/0/0)

 local crypto endpt.: 192.2.2.87,  remote crypto endpt.: 192.2.2.86

 inbound esp sas:

   spi:0x190(400)

     transform:  esp-des  esp-sha-hmac

     in use settings ={ Tunnel }

     no sa timing

     #pkts decaps: 0, #pkts decrypt: 0, #pkts auth: 0

     #pkts decaps err: 0, #pkts decrypt err: 0, #pkts auth err: 0

     #pkts replay failed: 0

 inbound ah sas:

   spi:0x12c(300)

     transform:  ah-md5-hmac

     in use settings ={ Tunnel }

     no sa timing

     #pkts decaps: 0, #pkts decrypt: 0, #pkts auth: 0

     #pkts decaps err: 0, #pkts decrypt err: 0, #pkts auth err: 0

     #pkts replay failed: 0

 outbound esp sas:

   spi:0x191(401)

     transform:  esp-des  esp-sha-hmac

     in use settings ={ Tunnel }

     no sa timing

     #pkts encaps: 0, #pkts encrypt: 0, #pkts auth: 0

     #pkts encaps err: 0, #pkts encrypt err: 0, #pkts auth err: 0

     #pkts replay failed: 0

 outbound ah sas:

   spi:0x12d(301)

     transform:  ah-md5-hmac

     in use settings ={ Tunnel }

     no sa timing

     #pkts encaps: 0, #pkts encrypt: 0, #pkts auth: 0

     #pkts encaps err: 0, #pkts encrypt err: 0, #pkts auth err: 0

     #pkts replay failed: 0
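Added example, not from this command reference: a Python parser (all names constructed here) for output in the format shown above, which collects each security association's SPI, transform and packet counters and flags any SA with non-zero error or replay-failure counters, the fields an operator checks first when a tunnel misbehaves. The sample output is constructed, with failure counts added to the inbound ESP SA.

```python
import re

# Constructed sample in the format of this page's "show crypto ipsec sa detail" output (errors added to one SA).
SAMPLE_OUTPUT = """\
Interface: Ethernet0/0
Crypto map name:aaa
local  ident (addr/mask/prot/port): (191.1.1.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (197.7.7.0/255.255.255.0/0/0)
 local crypto endpt.: 192.2.2.87,  remote crypto endpt.: 192.2.2.86
 inbound esp sas:
   spi:0x190(400)
     transform:  esp-des  esp-sha-hmac
     in use settings ={ Tunnel }
     no sa timing
     #pkts decaps: 120, #pkts decrypt: 120, #pkts auth: 117
     #pkts decaps err: 0, #pkts decrypt err: 0, #pkts auth err: 3
     #pkts replay failed: 2
 outbound esp sas:
   spi:0x191(401)
     transform:  esp-des  esp-sha-hmac
     in use settings ={ Tunnel }
     no sa timing
     #pkts encaps: 118, #pkts encrypt: 118, #pkts auth: 118
     #pkts encaps err: 0, #pkts encrypt err: 0, #pkts auth err: 0
     #pkts replay failed: 0
"""
SECTION = re.compile(r"^\s*(inbound|outbound) (esp|ah) sas:")
SPI = re.compile(r"^\s*spi:0x[0-9a-fA-F]+\((\d+)\)")
COUNTER = re.compile(r"#pkts ([a-z ]+?): (\d+)")

def parse_sa_output(text):
    """Turn show crypto ipsec sa detail output into one dict per security association."""
    sas, current, direction, proto, peer = [], None, None, None, None
    for line in text.splitlines():
        m = re.search(r"remote crypto endpt\.: (\S+)", line)
        if m:
            peer = m.group(1)               # applies to the SAs that follow
        m = SECTION.match(line)
        if m:
            direction, proto = m.groups()
            continue
        m = SPI.match(line)
        if m:                               # a new SA starts at its spi line
            current = {"peer": peer, "direction": direction, "proto": proto,
                       "spi": int(m.group(1)), "transform": None, "counters": {}}
            sas.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"transform:\s+(.*\S)", line)
        if m:
            current["transform"] = m.group(1).split()
        for name, value in COUNTER.findall(line):
            current["counters"][name] = int(value)
    return sas

def flag_unhealthy(sas):
    """Non-zero error or replay counters as (direction, proto, spi, counter, value) tuples."""
    hits = []
    for sa in sas:
        for name, value in sa["counters"].items():
            if value and (name.endswith(" err") or name == "replay failed"):
                hits.append((sa["direction"], sa["proto"], sa["spi"], name, value))
    return hits
```

Running flag_unhealthy(parse_sa_output(SAMPLE_OUTPUT)) reports the inbound ESP SA with SPI 400 for its 3 authentication errors and 2 replay failures, while the outbound SA is silent.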

Relevant command:

none

show crypto ipsec transform-set

The command "show crypto ipsec transform-set" displays all configured transform sets.

show crypto ipsec transform-set [transform-set-name]

parameter:

transform-set-name: (optional) Shows only the transform set with the given name.

Default:

If the keyword is not used, all transform sets on the router are shown.

Command mode:

Supervisor mode

Explanation:

none

Example:

The following is sample output of the command "show crypto ipsec transform-set":

router# show crypto ipsec transform-set

Transform set aaa: { esp-des }

     will negotiate ={ Tunnel }

Transform set bbb: { ah-md5-hmac esp-3des }

     will negotiate ={ Tunnel }

Relevant command:

none

show crypto map

The command "show crypto map" displays the configuration of the crypto maps.

show crypto map [map-name]

parameter:

map-name: (optional) Shows only the crypto map designated by map-name.

Default:

If no keyword is given, the configuration of every crypto map on the router is shown.

Command mode:

Supervisor mode

Explanation:

none

Example:

The following is sample output of the command "show crypto map":

router_config#show crypto map

Crypto Map aaa 100 ipsec-manual

     Extended IP access list aaa

 permit ip 192.2.2.0 255.255.255.0 193.3.3.0 255.255.255.0

     peer = 192.2.2.1

     Inbound esp spi: 300 ,

      cipher key: 1234567812345678 ,

      auth key  ,

     Inbound ah spi: 301 ,

      key: 000102030405060708090a0b0c0d0e0f ,

     Outbound esp spi: 300 ,

      cipher key: 1234567812345678 ,

      auth key  ,

     Outbound ah spi: 301 ,

      key: 000102030405060708090a0b0c0d0e0f

     Transform sets={ 1}

Crypto Map aaa 101 ipsec-isakmp

     Extended IP access list bbb

         permit ip 191.1.1.0 255.255.255.0 197.7.7.0 255.255.255.0

     peer = 192.2.2.19

     PFS (Y/N): N

     Security association lifetime: 2560 kilobytes/3600 seconds

     Transform sets={ 1, 2,}

Relevant command:

none

transform-type

The command "transform-type" sets the transform types of a transform set in crypto transform configuration mode.

transform-type transform1 [transform2 [transform3]]

parameter:

transform1, transform2, transform3: Up to three transforms can be designated. Each transform defines an IPSec security protocol and algorithm. The acceptable transform values are listed in the table under Explanation.

Default:

The default transform type is ESP-DES (ESP with the DES encryption algorithm).

Command mode:

Crypto transform configuration mode

Explanation:

A transform set designates one or two IPSec security protocols (ESP, AH, or both) and the algorithms used with the chosen protocols. The ESP and AH security protocols are described below under "IPSec protocols: ESP and AH".

A transform set definition designates one to three transforms; each transform represents an IPSec security protocol (ESP or AH) together with the algorithm it uses. When a transform set is used in an IPSec security negotiation, the whole transform set (protocols, algorithms and the other settings) must match a transform set of the peer.

A transform set can designate the AH protocol, the ESP protocol, or both. If ESP is designated, either only the ESP encryption transform, or both the ESP encryption transform and the ESP authentication transform, can be defined.

Choosing transforms for a transform set: workable transform mixes (choose at most one transform from each of the three groups)

AH transform (choose one):
  ah-md5-hmac    AH authentication algorithm with MD5 (HMAC variant)
  ah-sha-hmac    AH authentication algorithm with SHA (HMAC variant)

ESP encryption transform (choose one):
  esp-des        ESP encryption algorithm with DES
  esp-3des       ESP encryption algorithm with 3DES

ESP authentication transform (choose one):
  esp-md5-hmac   ESP authentication algorithm with MD5 (HMAC variant)
  esp-sha-hmac   ESP authentication algorithm with SHA (HMAC variant)

IPSec protocols: ESP and AH

The ESP and AH protocols provide the security services of IPSec.

ESP provides packet encryption, optional data authentication, and anti-replay service.

AH provides data authentication and anti-replay service.

ESP encapsulates the protected data, either a complete IP datagram or only the payload, between an ESP header and an ESP trailer. AH is inserted into the protected data: the AH header is placed directly after the outer IP header, in front of the inner IP datagram or the payload. In tunnel mode the whole IP datagram is encapsulated and protected; in transport mode only the payload of the IP datagram is encapsulated and protected. For more about these two modes, see the description of the mode command.

Choosing appropriate transform

IPSec transforms are fairly complex. The following hints help choose the right transforms:

- If data confidentiality is needed, use an ESP encryption transform.

- If authentication of the outer IP header as well as the data is needed, use an AH transform.

- If an ESP encryption transform is used, consider adding an ESP authentication transform or an AH transform so that the transform set also provides authentication.

- If data authentication is needed (with either ESP or AH), choose the MD5 or the SHA authentication algorithm. SHA is stronger than MD5 but takes more time.

Crypto transform configuration mode

After the command "crypto ipsec transform-set" is executed, the router enters crypto transform configuration mode. In this mode the mode of the transform set can optionally be changed to tunnel mode or transport mode. After these changes are made, type "exit" to return to global configuration mode. For more about these optional changes, see the detailed description of the mode command.

Changing an existing transform

If one or more transforms are designated for a transform set with the command "transform-type", they replace the existing transforms of the transform set. A change made with transform-type applies to the crypto maps that refer to the transform set, but it is not applied to existing security associations; it is used only when new security associations are created. The command clear crypto sa can be used to delete part or all of the security association database.

Example:

The example below defines a transform set:

crypto ipsec transform-set one

transform-type esp-des esp-sha-hmac

Relevant command:

crypto ipsec transform-set

mode

set transform-set

show crypto ipsec transform-set