IPSec Configuration Command directory
This chapter describes the commands for IPSec configuration. IPSec provides security for transmitting sensitive information over a public network such as the Internet. The security solution provided by IPSec is very powerful and is based on open standards. In addition to data confidentiality, IPSec also offers data verification (authentication) and anti-replay services.
The command “clear crypto sa” is used for deleting the related IPSec security association database.
clear crypto sa
clear crypto sa peer ip-address
clear crypto sa map map-name
ip-address: Designating the IP address of the opposite terminal.
map-name: Designating the name of the encrypted map set.
Default:
If the keywords peer, map and others are not used, all IPSec security associations will be deleted.
Command mode:
Supervisor mode
The command is used for clearing (deleting) IPSec security associations. If the security associations were set up through IKE, they are deleted, and the subsequent IPSec communication requires a re-negotiation of new security associations (when IKE is used, IPSec security associations are set up only when needed). If the security associations were set up by manual work, they are deleted and then re-established.
If the keywords peer, map and others are not used, all IPSec security associations will be deleted. The keyword peer deletes all IPSec security associations of the designated opposite terminal address. The keyword map deletes all IPSec security associations created by the designated encrypted map set. All the security associations can be re-established by using the command “clear crypto sa”, so that they use the latest configuration settings. When security associations are set up by manual work, the command “clear crypto sa” shall be used before an amendment to the map set takes effect.
If the router is processing IPSec communication, it is better to clear only the affected part of the security association database, so as to avoid a sudden interruption of the on-going IPSec communication. It shall be noted that the command only clears IPSec security associations; the command “clear crypto isakmp” shall be used for clearing the IKE state.
Example:
The example below clears all IPSec security associations on the router.
clear crypto sa
Relevant command:
clear crypto isakmp
The global configuration command “crypto dynamic-map” can be used for creating or amending a dynamic encrypted map and entering the configuration status of the dynamic encrypted map. The “no” format of the command can be used for deleting a dynamic encrypted map or set.
crypto dynamic-map map-name
no crypto dynamic-map map-name
map-name: The name of the dynamic encrypted map set.
Default:
The dynamic encrypted map does not exist.
Command mode:
Global configuration mode. The command is used for entering the configuration status of the dynamic encrypted map.
The command is used for creating a new dynamic encrypted map or amending an existing dynamic encrypted map.
The functions of a dynamic encrypted map and a common encrypted map are similar. The major difference lies in: the IP address of the opposite terminal does not need to be set in the dynamic encrypted map, which allows IPSec equipment at any address to negotiate; this function can be used for supporting connections with mobile users. A common encrypted map shall designate the IP address of the opposite terminal and only allows the IPSec equipment at that address to negotiate. An IP address can also be set in a dynamic encrypted map; under such circumstances, the dynamic encrypted map basically equals the common encrypted map.
Example:
The example below shows the minimum configuration needed for the dynamic encrypted map when IKE is used for establishing security associations.
crypto dynamic-map aaa
match address aaa
set transform-set one
Relevant command:
crypto map (global configuration)
match address
set peer
set pfs
set security-association lifetime
set transform-set
show crypto map
The command “crypto ipsec secure” designates whether the local router should receive non-IPSec packets or incorrect IPSec packets.
crypto ipsec secure
no crypto ipsec secure
Parameter:
none
Default:
Non-IPSec packets or incorrect IPSec packets are allowed to pass.
Command mode:
Global configuration mode
When a packet passes and user-defined rules are configured, if the packet is not an IPSec packet or is an incorrect IPSec packet, the router will process the packet as usual when the option is not set. If the option is set, the router will discard the packet.
Example:
The example below sets the option on the router.
crypto ipsec secure
Relevant command:
crypto map
The global configuration command “crypto ipsec transform-set” is used for defining an IPSec transform set, a feasible mix of security protocols and algorithms. The “no” format of the command can be used for deleting a transform set.
crypto ipsec transform-set transform-set-name
no crypto ipsec transform-set transform-set-name
transform-set-name: Designating the name of the transform set that is to be created (or amended).
Default:
none
Command mode:
Global configuration mode. The command is executed for entering the encryption transform configuration status.
A transform set is the mix of security protocols, algorithms and other settings applied to the communications subject to IPSec protection. Multiple transform sets can be configured, and one or more of them can be designated in an encrypted map. The transform sets defined in the encrypted map are used for negotiating the IPSec security association that protects the packets matched by the access list of the encrypted map. During the negotiation, the two sides search for a transform set that is the same on both sides. When such a set is found, it is selected as part of the IPSec security association of the two sides and is used on the protected communication.
If IKE is not used for setting up the security association, a single transform set shall be designated. The set shall have a negotiation.
Only after a transform set has been defined with this command can it be set in an encrypted map.
The command “transform-type” can be used for configuring the transform type.
Example:
The example below defines a transform set.
crypto ipsec transform-set one
transform-type esp-des esp-sha-hmac
Relevant command:
mode
transform-type
set transform-set
show crypto ipsec transform-set
The global configuration command “crypto map” can be used for creating or amending an encrypted map and entering the configuration status of the encrypted map. The “no” format of the command can be used for deleting an encrypted map or set.
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
no crypto map map-name seq-num
map-name: The name of the encrypted map set.
seq-num: Serial number of the encrypted map. The detailed explanation of how to use the parameter can be found in the part “Direction for Use”.
ipsec-manual: The IPSec security association is set up by manual work for protecting the communication designated by the encrypted map.
ipsec-isakmp: The IPSec security association is set up through IKE for protecting the communication designated by the encrypted map.
dynamic-map-name: The name of the dynamic encrypted map that serves as the template for this encrypted map.
Default:
The encrypted map does not exist.
Command mode:
Global configuration mode. When the keyword dynamic and its parameter are absent, the command enters the configuration status of the encrypted map.
The command is used for creating a new encrypted map or amending an existing encrypted map.
After an encrypted map is created, the parameters designated under global configuration mode cannot be changed, because these parameters decide which commands can be used in the configuration status of the encrypted map. For example, once a map is created as ipsec-isakmp, it cannot be changed into ipsec-manual; it shall be deleted and created again as ipsec-manual. After the encrypted map is defined, the command “crypto map (interface configuration)” can be used for applying the encrypted map set to an interface.
The function of the encrypted map
The encrypted map bears two functions: filtering and classifying the communication that needs to be protected, and defining the policy applied to that communication. The encrypted map of IPSec links the definitions below together:
The communications that should be protected.
The opposite terminal of IPSec to which the protected data can be sent, i.e. the terminal that can set up a security association with the local router.
How the secret keys and security associations are managed and used (or, when IKE is not used, what the secret keys are).
Multiple encrypted maps with the same map name form an encrypted map set.
An encrypted map set is the collection of encrypted maps that have the same map-name but different seq-num values. Therefore, for a given interface, one security policy can be applied to the communication transmitted to one opposite terminal of IPSec, and different security policies can be applied to other communications transmitted to the same or different opposite terminals. To this end, two encrypted maps shall be created, each having the same map-name but a different seq-num.
Seq-num parameter
The numerical value of seq-num cannot be defined at will. It is used for sequencing the multiple encrypted maps in an encrypted map set. The encrypted map with the smaller seq-num is judged before the one with the bigger seq-num, which means that the smaller the numerical value is, the higher the priority of the mapping.
For instance, assume that the encrypted map set contains three encrypted maps: aaa 10, aaa 20 and aaa 30, and that the encrypted map set named aaa is used on the interface Serial 0. When communication passes through the interface Serial 0, it is judged by aaa 10 first. If the communication matches a permit in the extended access list designated by aaa 10, the communication is processed according to the policy defined in aaa 10 (including the IPSec security association established when necessary). If the communication does not match the aaa 10 access list, aaa 20 is used, then aaa 30, until the communication matches a permit statement in one map. If the communication does not match a permit statement in any encrypted map, it is transmitted directly without any IPSec protection.
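As an added illustration (not part of the original manual), the following Python model shows the first-match evaluation of an encrypted map set described above: entries are tried in ascending seq-num order, a permit in an entry's access list selects that entry's policy, a deny or a miss moves on to the next entry, and traffic permitted nowhere is sent in the clear. The map set aaa 10/20/30 follows the text; the access-list contents, peer addresses and packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of encrypted map set evaluation. Entry names aaa 10/20/30
# follow the text; access lists, peers and packets below are constructed.


@dataclass(frozen=True)
class AclRule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class CryptoMapEntry:
    map_name: str
    seq_num: int
    acl: tuple                     # extended access list from "match address"
    peer: str                      # opposite terminal from "set peer"
    transform_set: str             # from "set transform-set"


def acl_lookup(acl, src, dst):
    """First-match evaluation of an extended access list.
    Returns 'permit', 'deny', or None when no rule matches."""
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return None


def select_policy(crypto_map_set, src_ip, dst_ip):
    """Evaluate an encrypted map set in ascending seq-num order.
    The first entry whose access list permits the packet supplies the policy;
    a deny or a miss in one entry only moves evaluation on to the next entry.
    Returns the matching entry, or None when the packet leaves without IPSec."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in sorted(crypto_map_set, key=lambda e: e.seq_num):
        if acl_lookup(entry.acl, src, dst) == "permit":
            return entry
    return None


NET = ipaddress.ip_network

# Constructed encrypted map set "aaa" with three entries, as in the text.
CRYPTO_MAP_AAA = (
    CryptoMapEntry("aaa", 10,
                   (AclRule("deny", NET("10.1.1.0/24"), NET("10.2.2.5/32")),
                    AclRule("permit", NET("10.1.1.0/24"), NET("10.2.2.0/24"))),
                   peer="192.2.2.1", transform_set="one"),
    CryptoMapEntry("aaa", 20,
                   (AclRule("permit", NET("10.1.0.0/16"), NET("10.3.0.0/16")),),
                   peer="192.2.2.2", transform_set="one"),
    CryptoMapEntry("aaa", 30,
                   (AclRule("permit", NET("10.0.0.0/8"), NET("10.2.2.5/32")),),
                   peer="192.2.2.3", transform_set="two"),
)


def describe(src_ip, dst_ip):
    """Human-readable result of evaluating one packet against map set aaa."""
    entry = select_policy(CRYPTO_MAP_AAA, src_ip, dst_ip)
    if entry is None:
        return "clear"                      # no permit anywhere: no IPSec
    return f"{entry.map_name} {entry.seq_num} -> peer {entry.peer}"
```

Note that a deny in aaa 10 does not stop the packet: 10.1.1.7 to 10.2.2.5 is denied by aaa 10, misses aaa 20 and is finally protected by aaa 30.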
Example:
The following example shows the required minimum configuration for the encrypted map when the security association is set up through IKE.
crypto map aaa 10 ipsec-isakmp
match address aaa
set transform-set one
set peer 192.2.2.1
The following example shows the required minimum configuration for the encrypted map when the security association is set up through a dynamic encrypted map.
crypto dynamic-map aaa
match address aaa
set transform-set one
crypto map bbb 10 ipsec-isakmp dynamic aaa
The following example shows the required minimum configuration for the encrypted map when the security association is set up by manual work.
crypto ipsec transform-set one
transform-type ah-md5-hmac esp-des
crypto map aaa 10 ipsec-manual
match address aaa
set transform-set one
set peer 192.2.2.1
set security-association inbound ah 300 98765432109876543210987654
set security-association outbound ah 300 fedcbafedcbafedcfedcbafedcbafedc
set security-association inbound esp 300 cipher 0123456789012345
set security-association outbound esp 300 cipher abcedfabcdefabcd
Relevant command:
crypto map (interface configuration)
crypto map local-address
match address
set peer
set pfs
set security-association lifetime
set transform-set
show crypto map
The command “crypto map” can be used for applying an encrypted map set defined in advance to an interface. The “no” format of the command can be used for removing the encrypted map set from an interface.
crypto map map-name
no crypto map
map-name: The name of the set of encrypted maps.
Default:
No encrypted map is configured on the interface.
Command mode:
Interface configuration mode
The command is used for applying the encrypted map set to the interface. An encrypted map set shall be configured before the interface is able to provide IPSec service. Only one encrypted map set can be set for an interface. If multiple encrypted maps have the same map-name and different seq-num values, they are in the same set and are applied to the same interface. The encrypted map with the smaller seq-num has the higher priority and is judged first. An encrypted map set may contain a mix of ipsec-isakmp and ipsec-manual encrypted maps.
Example:
The example below applies the encrypted map set aaa to the interface S0. When a packet passes through the interface S0, all the encrypted maps in the set aaa are used for judging the packet. When an outbound packet matches the access list corresponding to an entry in the encrypted maps of aaa, the security association (IPSec supposed) configured by that encrypted map entry is established (if there is no existing security association).
interface s0
crypto map aaa
Relevant command:
crypto map (global configuration)
crypto map local-address
show crypto map
The command “crypto map local-address” can be used for designating an interface identifier and designating that identifier to be used for the IPSec communication of the encrypted map. The “no” format of the command can be used for deleting the command from the configuration.
crypto map map-name local-address interface-id
no crypto map map-name local-address
map-name: The name of the encrypted map set.
interface-id: Designating the interface identifier used by the encrypted map set.
Default:
none
Command mode:
Global configuration mode
If the command is configured, the local IPSec terminal address of the encrypted maps in the encrypted map set uses the IP address of the designated interface.
Example:
none
Relevant command:
crypto map (interface configuration)
The command is used for displaying the error information produced when IPSec processes upper-layer data in the course of IPSec processing.
Parameter:
none
Default:
The related information is not shown under default status.
Command mode:
Supervisor mode
Some important and frequently occurring information related to IPSec processing is listed in the table below.
Information | Connotation of Information
rec'd IPSEC packet from IPADDR has invalid spi. | The outbound SPI value of the opposite terminal is different from the inbound SPI value of the local terminal, or the configured policy (esp, ah) is different.
packet missing policy. | The outbound configuration policy of the opposite terminal is different from that of the local terminal (esp, ah).
rec'd IPSEC packet from IPADDR has bad pading. | The outbound encryption key of the opposite terminal is different from the inbound key of the local terminal.
rec'd IPSEC packet mac verify failed. | The outbound ESP or AH verification key of the opposite terminal is different from the inbound key of the local terminal.
rec'd IPSEC packet from IPADDR to IPADDR does not agree with policy. | The packet processed by IPSec does not agree with the corresponding access list; the access-list configuration of the sub-map has a problem.
Relevant command:
show crypto ipsec sa
debug crypto isakmp
The command “match address” can be used for designating an extended access list for an encrypted map. The “no” format of the command can be used for cancelling the extended access list set for an encrypted map.
match address access-list-name
no match address access-list-name
access-list-name: The encryption access list. This name shall match the name of the configured access list.
Default:
No access list is configured for the encrypted map.
Command mode:
Configuration mode of the encrypted map
The command is a must for all encrypted maps.
The command is used for assigning the extended access list to an encrypted map. The command “ip access-list extended” is used for defining this access list.
The extended access list designated by the command is used by IPSec for judging which communications should be protected through encryption and which shall not be (the communication permitted by the access list is protected, and the communication refused by the access list is not protected, in the corresponding encrypted map).
Note: The encryption access list is not used for deciding whether the communication is allowed to pass an interface. That job is done by the access list that works on the interface.
The encryption access list designated by the command is used for judging both inbound and outbound communication. The encryption access list corresponding to the encrypted map of an interface judges the outbound communication to decide whether it should be placed under encryption protection and, if so (the communication matches a permit), which encryption policy to employ. After passing the examination of the common access list on the interface, the inbound communication is judged by the encryption access list designated by the encrypted map set of the interface to determine whether it should be under encryption protection and which encryption policy should be adopted (in the case of applying IPSec, unprotected communication that should have been protected by IPSec is discarded).
Example:
The following example is the required minimum configuration of an encrypted map created by IKE.
crypto map aaa 100 ipsec-isakmp
match address aaa
set transform-set one
set peer 192.2.2.1
Relevant command:
crypto map (global configuration)
crypto map (interface configuration)
crypto map local-address
ip access-list extended
set peer
set pfs
set security-association lifetime
set transform-set
show crypto map
The encryption transform configuration command “mode” is used for changing the mode of a transform set. The “no” format of the command can be used for restoring the mode to the default value of tunnel mode.
mode {tunnel | transport}
no mode
tunnel | transport: Designating the mode of a transform set: tunnel mode or transport mode. If neither tunnel nor transport is designated, the default value (tunnel mode) is used.
Default:
Tunnel mode
Command mode:
Configuration mode of encryption transform
The command is used for changing the transform mode. The setting is effective only when the message to be protected and the two terminals of IPSec have the same IP addresses (such communication can be encapsulated under both tunnel mode and transport mode); it is ineffective for all other communications (all other communications are encapsulated under tunnel mode).
If the communication to be protected and the two terminals of IPSec have the same IP addresses and transport mode is designated, the router requests transport mode during the negotiation, and both transport mode and tunnel mode can be accepted. If tunnel mode is designated, the router requests tunnel mode and only tunnel mode can be accepted.
After the transform set is defined, the configuration status of encryption transform follows. Under that configuration status, the mode can be changed into tunnel mode or transport mode.
If the mode is not set at the time of defining the transform set and the mode of the transform set needs to be changed later, the transform set shall be re-entered and its mode changed.
If the command is used for changing the mode, the change only affects the setup of subsequent IPSec security associations of the encrypted maps designating the transform set. If the configuration of the transform set needs to take effect as soon as possible, the partial or whole security association database can be cleared. More details can be found under the command “clear crypto sa”.
Tunnel Mode
Under tunnel mode, the whole original IP message is protected (encryption, verification or both) and is encapsulated by IPSec (ESP, AH or both). Then a new IP header is added to the message; this IP header designates the IPSec source and destination addresses.
Any IP communication can be transmitted in tunnel mode. If IPSec is used for protecting the communication of hosts located behind the two terminals of IPSec, tunnel mode shall be used.
Transport Mode
Under transport mode, only the payload (data) of the IP packet is protected (encryption, verification or both) and is encapsulated by IPSec (ESP, AH or both). The original IP header remains unchanged and is not protected by IPSec. Transport mode is used only when the source and destination addresses of the IP packet to be protected are the two terminals of IPSec. For instance, transport mode can be used for protecting router management communication. Designating transport mode enables the router to negotiate with the remote terminal to decide whether transport mode or tunnel mode should be used.
Example:
The example below defines a transform set and changes the mode into transport mode.
router_config# crypto ipsec transform-set one
router_config_crypto_trans# transform-type esp-des esp-sha-hmac
router_config_crypto_trans# mode transport
router_config_crypto_trans# exit
router_config#
Relevant command:
crypto ipsec transform-set
The encrypted map configuration command “set peer” can be used for designating the opposite terminal of IPSec in the encrypted map. The “no” format of the command can be used for deleting the opposite terminal of IPSec from the encrypted map.
set peer ip-address
no set peer ip-address
ip-address: The opposite terminal of IPSec, designated by IP address.
Default:
The opposite terminal of IPSec is not designated under default state.
Command mode:
Configuration mode of encrypted map
The command is used for designating an opposite terminal of IPSec for the encrypted map. The command is a must for all encrypted maps. One encrypted map can only designate one opposite terminal of IPSec. If the opposite terminal needs to be changed, the new opposite terminal can be designated, which overrides the original setting.
Example:
The example below shows the configuration of an encrypted map when IKE is used for creating the security association.
crypto map aaa 100 ipsec-isakmp
match address aaa
set transform-set one
set peer 192.2.2.1
Relevant command:
crypto map (global configuration)
crypto map (interface configuration)
crypto map local-address
match address
set pfs
set security-association lifetime
set transform-set
show crypto map
The encrypted map configuration command “set pfs” can be used for designating that IPSec shall request perfect forward secrecy (PFS) when it requests new security associations for the encrypted map, or shall demand PFS when a request for setting up new security associations is received. The “no” format of the command can be used for designating that IPSec will not request PFS.
set pfs [group1 | group2]
no set pfs
group1: When a new Diffie-Hellman exchange is performed, IPSec will use the 768-bit Diffie-Hellman group.
group2: When a new Diffie-Hellman exchange is performed, IPSec will use the 1024-bit Diffie-Hellman group.
Default:
Under default state, PFS is not required.
Command mode:
Configuration mode of encrypted map
The command is applicable only to the encrypted map of ipsec-isakmp.
During the negotiation, the command makes IPSec request PFS together with the new security association for the encrypted map. When the local terminal starts the negotiation and the local configuration designates the use of PFS, the opposite terminal shall perform the PFS exchange, otherwise the negotiation will fail. If the local configuration does not designate a group, the local router suggests the default value group1 and accepts either group 1 or group 2 provided by the opposite terminal. If the local configuration designates group 2, the opposite terminal shall provide this group, otherwise the negotiation will fail. If the local configuration does not designate PFS, the local router still accepts PFS provided by the opposite terminal.
PFS adds another level of security. If one secret key is attacked or decrypted, only the data transmitted under this secret key is threatened; without PFS, the data transmitted under other secret keys is likely to be threatened as well. When PFS is used, a new Diffie-Hellman exchange is started at the time of negotiating a new security association (this exchange takes extra processing time).
The 1024-bit Diffie-Hellman group, namely group 2, offers more security than group 1 does, but it takes more processing time.
Example:
The following example designates that PFS should be used whenever the encrypted map aaa 100 negotiates new security associations.
crypto map aaa 100 ipsec-isakmp
set pfs group2
Relevant command:
crypto map (global configuration)
crypto map (interface configuration)
crypto map local-address
match address
set peer
set security-association lifetime
set transform-set
show crypto map
The encrypted map configuration command “set security-association lifetime” can be used for setting the lifetime values for an encrypted map (these values are used for negotiating IPSec security associations). The “no” format of the command can be used for restoring the lifetime values of an encrypted map to the default values.
set security-association lifetime [seconds seconds | kilobytes kilobytes]
no set security-association lifetime [seconds | kilobytes]
seconds seconds: Designating the number of seconds a security association survives before it times out.
kilobytes kilobytes: The amount of communication traffic (calculated in kilobytes) that can be transmitted by using this security association before the security association times out.
Default:
The security associations of the encrypted map are negotiated with the default lifetime values. The default timeout value is 3600 seconds (1 hour), and the default traffic volume is 4,608,000 kilobytes.
Command mode:
Configuration status of encrypted map
The command is applicable only to the ipsec-isakmp encrypted map.
IPSec security associations use shared secret keys. These secret keys and their corresponding security associations time out simultaneously. Assume the specified encrypted map has been configured with a new lifetime: when the router requests a new security association in the negotiation, it uses the lifetime value of its own encrypted map in the request made to the opposite terminal and uses that value as the lifetime value of the new security association. When the router receives a negotiation request from the opposite terminal, it takes the smaller of the lifetime value suggested by the opposite terminal and the one configured locally as the lifetime of the new security association.
The lifetime can be classified into two: one is the seconds lifetime, the other is the kilobytes lifetime. Whichever of the two expires first, the security association times out.
The command format “set security-association lifetime seconds” can be used for changing the seconds lifetime, which designates that the security association and its secret key time out after the given number of seconds.
The command format “set security-association lifetime kilobytes” can be used for changing the kilobytes lifetime, which designates that the security association and its secret key time out when the communication traffic (calculated in KB) encrypted with the secret key of the security association reaches the set amount.
The shorter the lifetime value is, the more difficult it is for the secret key to be attacked or decrypted, as less data is available to the attacker. However, the shorter the lifetime is, the more CPU time is spent establishing new security associations.
The lifetime value is ignored when the security association is set up by manual work (the encrypted map of ipsec-manual is used for creating the security association).
How lifetime works
Assume the specified encrypted map is not configured with a new lifetime: when the router requests a new security association, it uses the default lifetime value in the request made to the opposite terminal and uses that value as the lifetime value of the new security association. When the router receives a negotiation request from the opposite terminal, it takes the smaller of the lifetime value suggested by the opposite terminal and the one configured locally as the lifetime value of the new security association.
The security association (and its corresponding secret key) times out either after a period of time (designated by the keyword “seconds”) or after a given amount of communication traffic has been transmitted, whichever occurs first.
A new security association starts negotiation before the lifetime limit of the original security association is hit, so as to ensure that a new security association is available when the original one times out. The new security association starts negotiation 30 seconds in advance of the expiry of the seconds lifetime, or when the communication traffic transmitted through the tunnel is 256 KB away from the kilobytes lifetime (whichever event occurs first).
If no communication passes through the tunnel during the whole lifetime of a security association, the negotiation of a new security association is carried out when this security association times out. Correspondingly, the negotiation of a new security association is conducted only when IPSec receives a packet that shall be protected.
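As an added illustration (not part of the original manual), the Python model below carries the lifetime rules above through: the responder takes the smaller of the proposed and locally configured values for each lifetime, the security association expires when either lifetime is reached, and the replacement negotiation starts 30 seconds or 256 KB before expiry, except on an idle tunnel. The function names are assumptions of this example; the constants are those stated in the text.

```python
from dataclasses import dataclass

# Constructed model of SA lifetime negotiation and rekey timing. Constants
# are taken from the text (defaults 3600 s / 4,608,000 KB; rekey 30 s or
# 256 KB ahead of expiry); the function names are this example's own.

DEFAULT_SECONDS = 3600
DEFAULT_KILOBYTES = 4_608_000
REKEY_SECONDS_AHEAD = 30
REKEY_KILOBYTES_AHEAD = 256


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def local_lifetime(seconds=None, kilobytes=None):
    """Lifetime an encrypted map proposes when this router initiates:
    the values set with 'set security-association lifetime', or the
    defaults for whichever of the two was not configured."""
    return Lifetime(seconds if seconds is not None else DEFAULT_SECONDS,
                    kilobytes if kilobytes is not None else DEFAULT_KILOBYTES)


def negotiate_lifetime(local, proposed):
    """Responder side: take the smaller of the peer's proposal and the local
    configuration, independently for the seconds and kilobytes lifetimes."""
    return Lifetime(min(local.seconds, proposed.seconds),
                    min(local.kilobytes, proposed.kilobytes))


def sa_state(lifetime, elapsed_seconds, kilobytes_sent, has_traffic=True):
    """Classify a security association as 'active', 'rekey' (start
    negotiating the replacement now) or 'expired'.

    Either lifetime being reached ends the SA. The early rekey only applies
    when the tunnel is carrying traffic: an idle SA runs to expiry, and the
    replacement is negotiated once a packet that needs protection arrives."""
    if (elapsed_seconds >= lifetime.seconds
            or kilobytes_sent >= lifetime.kilobytes):
        return "expired"
    if not has_traffic:
        return "active"
    if (elapsed_seconds >= lifetime.seconds - REKEY_SECONDS_AHEAD
            or kilobytes_sent >= lifetime.kilobytes - REKEY_KILOBYTES_AHEAD):
        return "rekey"
    return "active"
```

With the text's example of 1800 seconds, a peer proposing 3600 seconds still ends up with an 1800-second SA on this side, and the rekey starts at 1770 seconds.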
Example:
This example sets a shorter lifetime value for the encrypted map because the secret keys of the security associations belonging to the encrypted map are likely to be stolen. The kilobytes lifetime value remains unchanged, as the communication traffic sharing these security associations is not so large. The seconds lifetime value is shortened to 1800 seconds (30 minutes).
crypto map aaa 100 ipsec-isakmp
set security-association lifetime seconds 1800
Relevant command:
crypto map (global configuration)
crypto map (interface configuration)
crypto map local-address
match address
set peer
set pfs
set transform-set
show crypto map
The
configuration command of encrypted map “set” can be used for designating secret key of IPSec through manual work in the
encrypted map. The “no” format of the command can be used for deleting
the secret key of IPSec from the encrypted map. The command is applicable only
to the encrypted map of ipsec-manual.
set security-association
{inbound|outbound} ah spi hex-key-string
set security-association
{inbound|outbound} esp spi [cipher hex-key-string] [authenticator
hex-key-string]
no set security-association
{inbound|outbound} ah
no set security-association
{inbound|outbound} esp
inbound: Sets the IPSec key for inbound traffic (keys must be set for both inbound and outbound traffic).
outbound: Sets the IPSec key for outbound traffic (keys must be set for both inbound and outbound traffic).
ah: Sets the IPSec key for the AH protocol. It takes effect only when the transform set of the crypto map includes an AH transform.
esp: Sets the IPSec key for the ESP protocol. It takes effect only when the transform set of the crypto map includes an ESP transform.
spi: The security parameter index (SPI) uniquely identifies a security association. The SPI is an arbitrary number between 256 and 4,294,967,295 (0xFFFFFFFF). The same SPI value may be given to the security associations of both directions (inbound and outbound) and of both protocols (AH and ESP), but an SPI value must be unique for a given combination of destination address and protocol. For inbound security associations the destination address is the address of the local router; for outbound security associations it is the address of the peer.
hex-key-string: The key, entered in hexadecimal. It is an arbitrary hex string of 8, 16, 20 or 24 bytes. If the transform set of the crypto map includes the DES algorithm, each key needs at least 8 bytes; with the 3DES algorithm, at least 24 bytes; with the MD5 algorithm, at least 16 bytes; with the SHA algorithm, at least 20 bytes. A key longer than the required length is simply truncated.
cipher: Indicates that this key string is the key of the ESP encryption transform.
authenticator: (optional) Indicates that this key string is the key of the ESP authentication transform. This parameter is needed only when the transform set of the crypto map includes an ESP authentication algorithm.
No IPSec key is defined by default.
Crypto map configuration mode
The command specifies the IPSec keys of the security associations created by an ipsec-manual crypto map (for an ipsec-isakmp crypto map, the security associations and their keys are created automatically by IKE negotiation).
If the transform set of the crypto map includes the AH protocol, IPSec keys must be defined for both the outbound and the inbound AH traffic. If the transform set includes the ESP encryption protocol, IPSec keys must be defined for both the outbound and the inbound ESP encryption. If the transform set includes the ESP authentication protocol, IPSec keys must be defined for both the outbound and the inbound ESP authentication.
When several IPSec keys are defined for one crypto map, the same SPI number may be given to all of them. The SPI identifies the security association that corresponds to the crypto map. Although the SPI value itself is arbitrary, a given SPI value must be used only once for the same destination address/protocol combination.
Security associations created by this command do not time out (unlike security associations created by IKE).
The key of the local end must match the key of the peer. If a key is changed, the security association that uses the key is deleted and re-added.
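The keying rules above are easy to get wrong by hand, so the following added example (not router code) checks a planned ipsec-manual crypto map against them before it is typed in: the SPI range, the minimum key length per algorithm with silent truncation of longer keys, one key per direction for every protocol the transform set uses, and SPI uniqueness per destination address/protocol combination. The map names, peer addresses and key values are constructed; the 23-byte AH key is there to show the truncation case.

```python
"""Consistency check for manual IPSec keying, following the rules stated for
the "set security-association" command. Added example, not router code;
sample values are constructed."""
from dataclasses import dataclass, field

SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF

# Minimum key length in bytes, keyed by the algorithm name embedded in the
# transform keyword ("ah-md5-hmac" -> "md5", "esp-3des" -> "3des").
MIN_KEY_BYTES = {"des": 8, "3des": 24, "md5": 16, "sha": 20}


@dataclass
class ManualKey:
    direction: str   # "inbound" or "outbound"
    slot: str        # "ah", "esp-cipher" or "esp-auth"
    spi: int
    hex_key: str


@dataclass
class ManualMap:
    name: str
    peer: str                      # destination address of the outbound SAs
    transforms: list               # e.g. ["ah-sha-hmac", "esp-des", "esp-sha-hmac"]
    keys: list = field(default_factory=list)


def key_slots(transforms):
    """(direction, slot, algorithm) triples the transform set needs keys for."""
    slots = []
    for t in transforms:
        proto, alg = t.split("-")[0], t.split("-")[1]
        if proto == "ah":
            slot = "ah"
        elif t.endswith("-hmac"):
            slot = "esp-auth"
        else:
            slot = "esp-cipher"
        for direction in ("inbound", "outbound"):
            slots.append((direction, slot, alg))
    return slots


def check_keys(cmap: ManualMap):
    """Return findings for one ipsec-manual crypto map; [] means consistent."""
    findings = []
    configured = {(k.direction, k.slot): k for k in cmap.keys}
    for direction, slot, alg in key_slots(cmap.transforms):
        key = configured.get((direction, slot))
        where = f"{cmap.name} {direction} {slot}"
        if key is None:
            findings.append(f"{where}: no key configured")
            continue
        if not SPI_MIN <= key.spi <= SPI_MAX:
            findings.append(f"{where}: SPI {key.spi} outside {SPI_MIN}..{SPI_MAX}")
        try:
            nbytes = len(bytes.fromhex(key.hex_key))
        except ValueError:
            findings.append(f"{where}: key is not a valid hex string")
            continue
        need = MIN_KEY_BYTES[alg]
        if nbytes < need:
            findings.append(f"{where}: {alg} needs {need} bytes, only {nbytes} given")
        elif nbytes > need:
            findings.append(f"{where}: {nbytes}-byte key is truncated to {need} bytes")
    return findings


def spi_collisions(maps, local_address):
    """SPI values reused for the same (destination address, protocol) pair.

    Inbound SAs all have the local router as destination, so two maps that both
    use inbound ESP SPI 300 collide; the same SPI on AH and ESP, or on inbound
    and outbound, is allowed by the text."""
    seen = {}
    for cmap in maps:
        for k in cmap.keys:
            dest = local_address if k.direction == "inbound" else cmap.peer
            proto = "ah" if k.slot == "ah" else "esp"
            seen.setdefault((dest, proto, k.spi), set()).add(cmap.name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample with the shape of the second example in this section:
# AH with SHA, ESP with DES encryption and SHA authentication, SPI 300 throughout.
SAMPLE_MAP = ManualMap(
    name="aaa 100", peer="192.2.2.1",
    transforms=["ah-sha-hmac", "esp-des", "esp-sha-hmac"],
    keys=[
        ManualKey("inbound", "ah", 300, "98" * 20),         # 20 bytes: exact for SHA
        ManualKey("outbound", "ah", 300, "fe" * 23),        # 23 bytes: truncated to 20
        ManualKey("inbound", "esp-cipher", 300, "01" * 8),  # 8 bytes: exact for DES
        ManualKey("inbound", "esp-auth", 300, "00" * 20),
        ManualKey("outbound", "esp-cipher", 300, "ab" * 8),
        ManualKey("outbound", "esp-auth", 300, "99" * 20),
    ],
)

if __name__ == "__main__":
    for line in check_keys(SAMPLE_MAP):
        print(line)
```

Run against SAMPLE_MAP the only finding is the truncated outbound AH key; a second map on the same router that also uses inbound ESP SPI 300 is reported by spi_collisions, while the same SPI on the outbound side is not, because the two maps have different peers.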
Example:
The example below shows a crypto map whose security associations are created manually. The transform set one includes only the AH protocol.
crypto ipsec transform-set one
transform-type ah-md5-hmac
crypto map aaa 100 ipsec-manual
match address aaa
set transform-set one
set peer 192.2.2.1
set security-association inbound ah 300 11111111111111111111111111111111
set security-association outbound ah 300 22222222222222222222222222222222
The example below shows a crypto map whose security associations are created manually. The transform set one includes both the AH protocol and the ESP protocol, so keys must be configured for the inbound and outbound traffic of both AH and ESP. The transform set includes both the ESP encryption transform and the ESP authentication transform, so the keywords cipher and authenticator are used to create the keys for these two transforms.
crypto ipsec transform-set one
transform-type ah-sha-hmac esp-des esp-sha-hmac
crypto map aaa 100 ipsec-manual
match address aaa
set transform-set one
set peer 192.2.2.1
set security-association inbound ah 300 9876543210987654321098765432109876543210
set security-association outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedcbafedc
set security-association inbound esp 300 cipher 0123456789012345 authenticator 0000111122223333444455556666777788889999
set security-association outbound esp 300 cipher abcdefabcdefabcd authenticator 9999888877776666555544443333222211110000
crypto map (global configuration)
crypto map (interface configuration)
crypto map local-address
match address
set peer
set transform-set
show crypto map
The crypto map configuration command “set transform-set” specifies the transform sets used by the crypto map. The “no” form of the command removes all transform sets from the crypto map.
set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
no set transform-set
transform-set-name: The name of a transform set. Only one transform set can be specified for an ipsec-manual crypto map; up to six transform sets can be specified for an ipsec-isakmp crypto map.
No transform set is included by default.
Crypto map configuration mode
The command is required for all crypto maps.
The command specifies the transform sets that a crypto map contains.
Several transform sets can be listed for an ipsec-isakmp crypto map. The transform set with the highest priority is listed first. If the local router initiates the negotiation, the transform sets are offered to the peer in the order specified in the crypto map. If the peer initiates the negotiation, the local router accepts the first transform set that matches.
The first transform set found to match at both ends is used to create the security association. If no match is found, IPSec does not set up a security association, and the traffic is dropped because no security association protects it.
Only one transform set can be specified for an ipsec-manual crypto map. If this transform set does not match the one in the crypto map of the peer, the two IPSec ends cannot communicate, because they use different rules for protecting the traffic.
If the content of a transform set needs to be changed, re-enter the transform set definition to overwrite the old one. The change does not affect existing security associations; it is used when new security associations are created. If the change must take effect as soon as possible, use the command “clear crypto sa” to delete all or part of the security association database.
Any transform set contained in a crypto map must first be defined with the command “crypto ipsec transform-set”.
The example below defines two transform sets and specifies that both are used in the same crypto map (this applies only when IKE is used to create the security associations; a crypto map used for manually created security associations contains only one transform set).
crypto ipsec transform-set one
transform-type esp-des esp-sha-hmac
crypto ipsec transform-set two
transform-type ah-sha-hmac esp-des esp-sha-hmac
crypto map aaa 100 ipsec-isakmp
match address aaa
set transform-set one two
set peer 192.2.2.1
In this example, when traffic matches access list aaa, the security association can use transform set one (first priority) or transform set two (second priority), depending on which of them matches a transform set of the peer.
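The ordering rule in this section (the initiator offers its sets in configured order, the responder takes the first exact match, no match means no security association) is modelled by the following added example, which is not router code. It uses the transform sets one and two from the example above and a constructed third router whose only set differs from one in mode alone, to show that the whole transform set, mode included, has to match.

```python
"""Model of transform-set agreement between two IPSec peers as described for
"set transform-set". Added example, not router code; router names and the
transport-mode set are constructed."""
from typing import Optional


def transform_set(*transforms, mode="Tunnel"):
    """A transform set is matched as a whole: protocols/algorithms plus mode."""
    return (frozenset(transforms), mode)


def negotiate(initiator_sets, responder_sets) -> Optional[tuple]:
    """Return the agreed transform set, or None when the peers cannot agree."""
    for offered in initiator_sets:          # initiator's priority order
        if offered in responder_sets:       # responder takes the first exact match
            return offered
    return None


def protection(initiator_sets, responder_sets) -> str:
    """Human-readable outcome for traffic matching the crypto map."""
    agreed = negotiate(initiator_sets, responder_sets)
    if agreed is None:
        return "dropped: no security association"
    transforms, mode = agreed
    return f"{' '.join(sorted(transforms))} ({mode})"


# Transform sets "one" and "two" from the example above.
ONE = transform_set("esp-des", "esp-sha-hmac")
TWO = transform_set("ah-sha-hmac", "esp-des", "esp-sha-hmac")
# Constructed: the same algorithms as "one" but in transport mode.
ONE_TRANSPORT = transform_set("esp-des", "esp-sha-hmac", mode="Transport")

ROUTER_A = [ONE, TWO]        # set transform-set one two
ROUTER_B = [TWO, ONE]        # set transform-set two one
ROUTER_C = [ONE_TRANSPORT]   # single set, mode differs from "one"

if __name__ == "__main__":
    print("A initiates to B:", protection(ROUTER_A, ROUTER_B))   # A's first choice wins
    print("B initiates to A:", protection(ROUTER_B, ROUTER_A))   # B's first choice wins
    print("A initiates to C:", protection(ROUTER_A, ROUTER_C))   # dropped: mode differs
```

The two runs between A and B agree on different sets although both routers carry the same two sets: the initiator's ordering decides, which is why the preferred set should be listed first on both ends.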
crypto map (global configuration)
crypto map (interface configuration)
crypto map local-address
match address
set peer
set pfs
set security-association lifetime
set security-association inbound
set security-association outbound
show crypto map
The command “show crypto ipsec sa” displays the settings used by the current security associations.
show crypto ipsec sa [map map-name | interface interface-id] [detail]
map map-name: (optional) Shows the existing security associations created by the specified crypto map.
interface interface-id: (optional) Shows the existing security associations created by the crypto map on the specified interface.
detail: (optional) Shows the statistics of the security associations.
Default:
If no keyword is specified, all security associations are shown.
Supervisor mode
none
The following example is an output of the command “show crypto ipsec sa”.
router#show crypto ipsec sa detail
Interface: Ethernet0/0
Crypto map name:aaa
remote ident (addr/mask/prot/port): (197.7.7.0/255.255.255.0/0/0)
local crypto endpt.: 192.2.2.87, remote crypto endpt.: 192.2.2.86
inbound esp sas:
spi:0x190(400)
transform: esp-des esp-sha-hmac
in use settings ={ Tunnel }
no sa timing
#pkts decaps: 0, #pkts decrypt: 0, #pkts auth: 0
#pkts decaps err: 0, #pkts decrypt err: 0, #pkts auth err: 0
#pkts replay failed: 0
spi:0x12c(300)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
#pkts decaps: 0, #pkts decrypt: 0, #pkts auth: 0
#pkts decaps err: 0, #pkts decrypt err: 0, #pkts auth err: 0
#pkts replay failed: 0
spi:0x191(401)
transform: esp-des esp-sha-hmac
in use settings ={ Tunnel }
no sa timing
#pkts encaps: 0, #pkts encrypt: 0, #pkts auth: 0
#pkts encaps err: 0, #pkts encrypt err: 0, #pkts auth err: 0
#pkts replay failed: 0
spi:0x12d(301)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
#pkts encaps: 0, #pkts encrypt: 0, #pkts auth: 0
#pkts encaps err: 0, #pkts encrypt err: 0, #pkts auth err: 0
#pkts replay failed: 0
none
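The per-SA counters in this output are what an operator reads when a tunnel misbehaves, so the following added example (not router code) parses output in the layout shown above into one record per SPI and flags the security-relevant conditions: authentication failures, replay-check failures, decryption errors, and security associations printed with “no sa timing”, which are manually keyed and therefore never expire or rekey. SAMPLE_OUTPUT copies the layout of the output above with constructed counter values.

```python
"""Parse "show crypto ipsec sa detail" output and review the per-SA counters.
Added example, not router code; SAMPLE_OUTPUT carries constructed values."""
import re

SAMPLE_OUTPUT = """\
Interface: Ethernet0/0
Crypto map name:aaa
remote ident (addr/mask/prot/port): (197.7.7.0/255.255.255.0/0/0)
local crypto endpt.: 192.2.2.87, remote crypto endpt.: 192.2.2.86
inbound esp sas:
spi:0x190(400)
transform: esp-des esp-sha-hmac
in use settings ={ Tunnel }
no sa timing
#pkts decaps: 1204, #pkts decrypt: 1204, #pkts auth: 1204
#pkts decaps err: 0, #pkts decrypt err: 0, #pkts auth err: 2
#pkts replay failed: 3
spi:0x12c(300)
transform: ah-md5-hmac
in use settings ={ Tunnel }
no sa timing
#pkts decaps: 1204, #pkts decrypt: 0, #pkts auth: 1204
#pkts decaps err: 0, #pkts decrypt err: 0, #pkts auth err: 0
#pkts replay failed: 0
spi:0x191(401)
transform: esp-des esp-sha-hmac
in use settings ={ Tunnel }
no sa timing
#pkts encaps: 1190, #pkts encrypt: 1190, #pkts auth: 1190
#pkts encaps err: 0, #pkts encrypt err: 0, #pkts auth err: 0
#pkts replay failed: 0
"""

SPI_RE = re.compile(r"^spi:0x([0-9a-fA-F]+)\((\d+)\)")
COUNTER_RE = re.compile(r"#pkts ([a-z ]+?): (\d+)")


def parse_sas(text):
    """Return one dict per security association, in the order printed."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SPI_RE.match(line)
        if m:
            current = {"spi": int(m.group(2)), "transforms": [],
                       "counters": {}, "manual": False}
            sas.append(current)
            continue
        if current is None:
            continue                      # header lines before the first SA
        if line.startswith("transform:"):
            current["transforms"] = line.split(":", 1)[1].split()
        elif line == "no sa timing":
            current["manual"] = True      # no lifetime: manually keyed SA
        else:
            for name, value in COUNTER_RE.findall(line):
                current["counters"][name] = int(value)
    for sa in sas:
        # Inbound SAs report decaps counters, outbound SAs report encaps counters.
        sa["direction"] = "inbound" if "decaps" in sa["counters"] else "outbound"
    return sas


def review_sas(sas):
    """Findings as (spi, description, count) tuples; count is 0 for state findings."""
    findings = []
    for sa in sas:
        c = sa["counters"]
        for counter, text in (("auth err", "authentication failures"),
                              ("replay failed", "replay-check failures"),
                              ("decrypt err", "decryption errors")):
            if c.get(counter, 0) > 0:
                findings.append((sa["spi"], text, c[counter]))
        if sa["manual"]:
            findings.append((sa["spi"], "manual SA without lifetime (never rekeys)", 0))
    return findings


if __name__ == "__main__":
    for spi, text, count in review_sas(parse_sas(SAMPLE_OUTPUT)):
        print(f"spi {spi}: {text}" + (f" ({count})" if count else ""))
```

Authentication and replay failures on an inbound SA mean that packets arrived with a bad integrity check or a reused sequence number and were discarded, so the counters are worth trending over time rather than reading once; a non-zero value after a key change is the usual sign that the two ends no longer hold matching keys.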
The command “show crypto ipsec transform-set” displays all configured transform sets.
show crypto ipsec transform-set [transform-set-name]
transform-set-name: (optional) Shows the transform set with the specified name.
If the keyword is not used, all transform sets on the router are shown.
Supervisor mode
none
The example below is an output of the command “show crypto ipsec transform-set”.
router# show crypto ipsec transform-set
Transform set aaa: { esp-des }
will negotiate ={ Tunnel }
Transform set bbb: { ah-md5-hmac esp-3des }
will negotiate ={ Tunnel }
none
The command “show crypto map” displays the configuration of the crypto maps.
show crypto map [map-name]
map-name: (optional) Shows the crypto map with the specified name.
If no keyword is specified, all crypto map configurations on the router are shown.
Supervisor mode
none
The following example is an output of the command “show crypto map”.
router_config#show crypto map
Crypto Map aaa 100 ipsec-manual
Extended IP access list aaa
permit ip 192.2.2.0 255.255.255.0 193.3.3.0 255.255.255.0
peer = 192.2.2.1
Inbound esp spi: 300 ,
cipher key: 1234567812345678 ,
auth key ,
Inbound ah spi: 301 ,
key: 000102030405060708090a0b0c0d0e0f ,
Outbound esp spi: 300 ,
cipher key: 1234567812345678 ,
auth key ,
Outbound ah spi: 301 ,
key: 000102030405060708090a0b0c0d0e0f
Transform sets={ 1}
Extended IP access list bbb
permit ip 191.1.1.0 255.255.255.0 197.7.7.0 255.255.255.0
peer = 192.2.2.19
PFS (Y/N): N
Security association lifetime: 2560 kilobytes/3600 seconds
Transform sets={ 1, 2,}
Relevant command:
none
The command “transform-type” sets the transform types in encryption transform configuration mode.
transform-type transform1 [transform2 [transform3]]
transform1, transform2, transform3: Up to three transforms can be specified. These transforms define the IPSec security protocols and algorithms. The acceptable transform values are listed under “Directions for Use”.
The default transform type is esp-des (ESP with the DES encryption algorithm).
Encryption transform configuration mode
A transform set specifies one or two IPSec security protocols (ESP, AH or both) and the algorithms used with the chosen protocols. The ESP and AH security protocols are described in the section “IPSec protocols: Encapsulating Security Payload and Authentication Header”.
A transform set definition specifies one to three transforms; each transform represents one IPSec security protocol (ESP or AH) together with the algorithm to be used. When a transform set is used in an IPSec security negotiation, the whole transform set (protocols, algorithms and the other settings) must match a transform set of the peer.
A transform set can specify the AH protocol, ESP, or both. If ESP is specified in a transform set, either the ESP encryption transform alone can be defined, or both the ESP encryption transform and the ESP authentication transform can be defined.
Choosing transforms for a transform set: allowed transform combinations
AH transform (choose one):
ah-md5-hmac    AH authentication algorithm with MD5 (HMAC variant)
ah-sha-hmac    AH authentication algorithm with SHA (HMAC variant)
ESP encryption transform (choose one):
esp-des        ESP encryption algorithm with DES
esp-3des       ESP encryption algorithm with 3DES
ESP authentication transform (choose one):
esp-md5-hmac   ESP authentication algorithm with MD5 (HMAC variant)
esp-sha-hmac   ESP authentication algorithm with SHA (HMAC variant)
IPSec protocols: ESP and AH
The ESP and AH protocols provide the security services of IPSec.
ESP provides packet encryption, optional data authentication and anti-replay protection.
AH provides data authentication and anti-replay protection.
ESP uses an ESP header and an ESP trailer to encapsulate the protected data, which is either a complete IP datagram or only the payload. AH is embedded in the protected data: the AH header is inserted directly after the outer IP header, in front of the inner IP datagram or the payload. In tunnel mode the whole IP datagram is encapsulated and protected; in transport mode only the payload of the IP datagram is encapsulated and protected. For more information about the two modes, refer to the description of the mode command.
Choosing appropriate transforms
IPSec transforms are fairly complex. The following hints help to choose the right transforms:
- If data confidentiality is needed, use an ESP encryption transform.
- If authentication of the outer IP header and the data is needed, use an AH transform.
- If an ESP encryption transform is used, consider adding an ESP authentication transform or an AH transform to give the transform set an authentication service.
- If data authentication is needed (with either ESP or AH), choose the MD5 or the SHA authentication algorithm. SHA is stronger than MD5 but takes more time.
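The combination table and the selection hints above can be turned into a pre-commit check for a “transform-type” line. The following added example (not router code) encodes the table (at most one transform from each column, one to three in total, and, as stated earlier in this section, ESP authentication only together with ESP encryption), reports which security services the chosen set provides, and repeats the hint to add authentication when only encryption was chosen. The transform lists passed in are constructed.

```python
"""Validate a "transform-type" transform list against the allowed combinations
in this section and describe the services it provides. Added example, not
router code."""

AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHER_TRANSFORMS = {"esp-des", "esp-3des"}
ESP_AUTH_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac"}
KNOWN = AH_TRANSFORMS | ESP_CIPHER_TRANSFORMS | ESP_AUTH_TRANSFORMS


def validate_transform_type(transforms):
    """Return a list of problems with the transform list; [] means allowed."""
    problems = []
    if not 1 <= len(transforms) <= 3:
        problems.append("one to three transforms must be given")
    for t in transforms:
        if t not in KNOWN:
            problems.append(f"unknown transform {t!r}")
    ah = [t for t in transforms if t in AH_TRANSFORMS]
    cipher = [t for t in transforms if t in ESP_CIPHER_TRANSFORMS]
    auth = [t for t in transforms if t in ESP_AUTH_TRANSFORMS]
    if len(ah) > 1:
        problems.append("choose at most one AH transform")
    if len(cipher) > 1:
        problems.append("choose at most one ESP encryption transform")
    if len(auth) > 1:
        problems.append("choose at most one ESP authentication transform")
    if auth and not cipher:
        # The text allows ESP encryption alone, or encryption plus authentication.
        problems.append("ESP authentication requires an ESP encryption transform")
    if len(set(transforms)) != len(transforms):
        problems.append("a transform is listed twice")
    return problems


def services(transforms):
    """Security services of the transform set, per the ESP/AH description above."""
    provided = set()
    if any(t in ESP_CIPHER_TRANSFORMS for t in transforms):
        provided |= {"confidentiality", "anti-replay"}
    if any(t in ESP_AUTH_TRANSFORMS for t in transforms):
        provided |= {"payload authentication", "anti-replay"}
    if any(t in AH_TRANSFORMS for t in transforms):
        provided |= {"payload authentication", "outer IP header authentication", "anti-replay"}
    return provided


def advise(transforms):
    """Hints from the "Choosing appropriate transforms" list that apply to this set."""
    hints = []
    if any(t in ESP_CIPHER_TRANSFORMS for t in transforms) and \
            "payload authentication" not in services(transforms):
        hints.append("encryption without authentication: add an ESP authentication or AH transform")
    if any(t.endswith("md5-hmac") for t in transforms):
        hints.append("MD5 chosen: SHA is stronger but takes more time")
    return hints


if __name__ == "__main__":
    for candidate in (["ah-sha-hmac", "esp-des", "esp-sha-hmac"],
                      ["esp-des"], ["esp-des", "esp-3des"], ["esp-sha-hmac"]):
        print(candidate, validate_transform_type(candidate) or sorted(services(candidate)),
              advise(candidate))
```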
Encryption transform configuration mode
After the command “crypto ipsec transform-set” is executed, encryption transform configuration mode is entered. In this mode the mode can be changed to tunnel mode or transport mode (this change is optional). After these changes are made, type “exit” to return to global configuration mode. For more information about these optional changes, refer to the detailed description of the mode command.
Changing existing transforms
If one or more transforms are specified for a transform set with the command “transform-type”, the specified transforms replace the existing transforms of the transform set. If the “transform-type” command is changed, the change is applied to the crypto maps that refer to the transform set. The change is not applied to existing security associations; it is used when new security associations are created. The command “clear crypto sa” can be used to delete all or part of the security association database.
Example:
The example below defines a transform set.
crypto ipsec transform-set one
transform-type esp-des esp-sha-hmac
crypto ipsec transform-set
mode
set transform-set
show crypto ipsec transform-set