IPSec Configuration Directory
The summarization of IPSec working process
Guarantee the compatibility between access list and IPSec
Establishing encryption access list
The definition of transform set
The application of encryption map set to the interface
Examples for IPSec configuration
This chapter expatiates how to configure IPSec. IPSec is the public standard frame developed by IETF. IPSec provides safety for transferring sensitive data on unsafe networks (e.g.Internet). IPSec functions in the network level, safeguarding and authenticating the IP bags transferring among IPSec facilities (e.g. the company’s router).
IPSec provides the following service for network safety, which is optional. Generally, local safety strategies will regulate to use one or more of following services:
l Privacy of data-----sender of IPSec encrypts the message before transferring it by network.
l Integrality of data-----Receiver of IPSec authenticates the message sent by senders to ensure that the data has not been changed during transfer.
l Authentication of source of data------receiver of IPSec authenticates the source address of IPSec message. This service is based on the service of integrality of data.
l
Antireplay-----receiver of IPSec may test
and reject rebroadcast messages.
To obtain the complete expatriation of IPSec commands used in this chapter, please refer to ‘IPSec configuration command’.
The safety scheme provided by IPSec is very strong and healthy as well as based on standards. As a complement to privacy of data, IPSec also provides the service of data demonstration and Antireplay.
Router IPSec of our company realized the following standards:
l IPSec----IP Security protocol. IPSec is an open standard framework which provides data confidentiality, data integrity, and data authentication. IPSec provides these security services at IP level; it uses IKE to negotiate protocol and algorithm, and generates encryption and authentication key for IPSec. IPSec can provide protection for a pair of host computers, a pair of security gateways or one or several data streams.
l Internet
key exchange (IKE)-----A mixed protocol to realize Oakley and SKEME key exchange
in the ISAKMP framework. Although IKE can be jointly used with other protocols,
it is initially used with IPSec protocol. IKE provides authentication of IPSec
corresponding peers, negotiates IPSec security association, and generates IPSec
keys. For detailed information about IKE, please refer to “Configuring
internet key exchange security protocol”.
l DES----Data Encryption Standard(DES)is used to encrypt packet data, it is a kind of symmetrical encryption algorithm, our router uses DES-CBC with an IV of 56 bit. CBC requires an Initial Value to make encryption.
l 3DES----3DES is used to encrypt packet data, it is a kind of symmetrical encryption algorithm, our router uses DES-CBC with an IV of 168 bit. 3DES is safer than DES.
l MD5(HMAC variable)----MD5 is a kind of hash algorithm. HMAC is an encrypted hash variable used to make authentication towards data.
l SHA(HMAC variable)-----SHA is a kind of hash algorithm. HMAC is an encrypted hash variable used to make authentication towards data.
The IPSec of our router software also supports the following standards:
l AH----A kind of security protocol used to provide data integrity, data original identity authentication, and several optional anti-replay services. AH can be used to protect a superstratum protocol (transport mode) or a complete IP data packet (tunnel mode). AH can be used independently, or be used together with ESP. The definition is detailed in RFC2402.
l ESP----A kind of security protocol used to provide security services include confidentiality, data source authentication, anti-replay and data integrity and etc. ESP can be used to protect a superstratum protocol (transport mode) or a complete IP data packet (tunnel mode). The definition is detailed in RFC2406.
Currently, IPSec can only be use for IP data packet uni-cast. As IPSec workgroup is not engaged in group key distribution, IPSec currently does not support multicast or broadcasting IP data packets. If Network address translation (NAT) is used, static NAT should be configured to enable normal operation. All in all, NAT should be executed before the router carries out IPSec encapsulation;in other words, IPsec should use a global address.
The
summarization of IPSec working process
IPSec can provide a security tunnel between two routers. And define which packets should be transferred through these security tunnels. Also, defines the parameters to protect these sensitive packets through specifying the parameters of these tunnels. Then, when IPSec receives such message, it creates corresponding security tunnel, to transfer the data packets to the corresponding peer through the tunnel.
More
exactly, the tunnel is the set of security associations established on the two
peers of IPSec. These security tunnels define which protocols and algorithms
will be applied in the sensitive message, meanwhile defines the key to be used
on the two peers of IPSec. The security association is unilateral, every
security protocol (AH or ESP) is established respectively.
In IPsec, the specified communication will be protected through the configuration of the access list, putting the access list in the encryption map, and applying it to the interface. Therefore, the communication can be filtered based on source and destination address, any fourth level protocol or port(when applying to access list of IPSec, it only defines which communications will receive protection from IPSec, but does not define which communications will be passed or prohibited from a certain port. A set of encryption map may include several encryption maps, each corresponding with one different access list.
When
the message matches the first permit rules of certain access list and the
corresponding type of encryption map is ipsec-isakmp, it will be processed by
IPSec. If there is no existence of security association to protect messages,
IPSec uses IKE to establish security association to negotiate with the
corresponding port.
Once
the set of security associations is established, it is applied to process
messages and the succedent applicable messages. The applicable messages indicate
those messages that match the same access list conditions.
The
two peers of IPSec may have several IPSec tunnels to encrypt different
datastreams, each corresponds to one independent set of security associations.
For example, some data streams may only require authentication, while others
require encryption and authentication. The access list set by the IPSec
encryption map specifies which communications require IPSec protection. Entering
the message and processing according to the encryption map-----if one
unencrypted message matches a permit in the certain access list set by an IPSec
encryption map, this message will be discarded, because it is not transferred as
a message protected by IPSec. Encryption map also includes a transform set. A
transform set is a combination of security protocol, algorithm and other
configuration of communication protected by the IPSec. During the process of
IPSec security association negotiation, identically uses a certain transform set
to protect a data message.
You
can practice IPSec communication nesting on a series of IPSecrouter. For
example, in order to enable the communication to penetrate several firewalls
(All these firewalls have corresponding policies, the communication, without the
ability to make authentication itself, will not be passed), the router should
set IPSec tunnels according to the order and each firewall.
In the following examples listed in the following figure, routerA uses IPSec to make encapsulation of the communications towards routerC (routerC is the corresponding port of IPSec). But, before routerA can transfer communication, it should use IPSec to make pre-encapsulation towards communication, with the aim to transfer the message to routerB.
An example of IPSec router nesting
There
may be one same protection between two peers of external IPSec (such as data
authentication), also there may be different protections between two peers of
internal IPSec. (for example: data authentication and encryption)
After completion of IKE configuration, IPSec configuration can be processed. If the user wants to configure IPSec, he/she should complete the following operations on each IPSec router participates in communication.
Guarantee the compatibility between access list and IPSec
Establishing encryption access list
The definition of transform set
The application of encryption map set to the interface
Guarantee
the compatibility between access list and IPSec
Establishing
encryption access list
The encryption access list is used to define which IP communication should be encrypted and protected, and which need not. (These access lists are not the same as normal access list, the normal ones only decide which can pass, and which should be prohibited on the interface).
The
encryption access list specified by the IPSec encryption map has four major
functions:
l Judging the outgoing messages to be protected by IPSec (permit is protected)
l When beginning negotiating IPSec security association, indication data stream will be protected by the new security association (indicated by a single permit)
l Processed into the message, with the aim to filter and discard those communications should be protected by IPSec but not covered by it.
l When processing IKE negotiation initiated by corresponding port of IPSec, decide whether to accept the application of IPSec security association of it.
If
the user wants to let one certain message uses a combination protected by IPSec
(For example, just make authentication), the other uses another combination
protected by IPSec, (For example, authentication and encryption) then two
different encryption access lists are required to be created to define two
different types of communication. These two different access lists are used in
different encryption maps, and these encryption maps adopt different IPSec
policies.
command |
Objective |
ip access-list extended name Then uses “permit” and “deny” command to configure accessing rules permit protocol source source-mask destination destination-mask |
Defines which IP communications should be encryption protection |
Encryption access list techniques
After
defining the corresponding encryption map, and applying the set of encryption
map on the interface, the specified encryption access list will be applied on
this interface. Incoming and outgoing messages will be judged by the same IPSec
access list. Thus, the access list can be directly used for outgoing messages,
and reversely used for incoming messages. So only one rule should be defined in
the access list, when applying this rule, IPSec will match the data messages
with reverse source and destination addresses.
If several rules are set for a certain encryption access list, only the first rule works.
Using key word any in encryption access list
When establishing encryption access list, using key word any may bring about problems. That’s why key word any is not recommended to use for specifying source or destination address.
When
IPSec interface is required to transfer multicast communication, the key word
any is not recommended to be used in the permit sentence; it may result in the
failure of multicast. In the sentence permit
any, any is not suitable to use especially because all the outgoing messages are
therefore under protection (and all the messages under protection will be sent
to the corresponding port specified in the corresponding encryption map), and
will request all the incoming messages to be under protection.
The
definition of transform set
The
transform set is a combination of specified security protocol and algorithm. In
the process of IPSec security association negotiation, the two peers negotiate
to use one specified transform set to protect specified data stream.
The user can define several transform sets, and then configure one or more of these transform sets in a encryption map.
When
IKE negotiates for security association, the two peers will search for the
transform set with unity on both sides, after finding that, the security
association will use this transform set to protect specified data stream.
For manual established security association, there is no negotiation process between the two sides, so both sides should specify the same transform set.
If
an alteration is made to the definition of transform set, then the change will
only be applied to the encryption map which configured the transform set. The
alteration will not be applied to the existed security association, but it will
be applied in the later negotiation of establishing new security association. If
the user wants to activate all these new settings immediately, “clear crypto
sa ”command may be used to partly or totally delete the security association
database.
Using the following commands to define and transform set under global configuration state:
Steps |
command |
Objective |
1 |
crypto ipsec transform-set transform-set-name |
To define a transform set, when executing this command, it will enter into the encrypted exchange configuration state |
2 |
transform-type transform1 [transform2[transform3]] |
Setting transform type |
3 |
mode [tunnel | transport] |
Change the mode of transform set. The mode setting is only applicable to communications with the same source and destination addresses of IPSec; yet not used for all other communications (all other communications will be processed only under tunnel mode) |
4 |
exit |
Exit encrypted transform configuration state |
The following list is the applicable transform combination
Selecting transform for transform set: applicable transform combination |
|||||
Select one type from AH transform |
Select one from ESP encrypted transform |
Select one from ESP authentication transform |
|||
Transform |
Description |
Transform |
Description |
Transform |
Description |
ah-md5-hmac |
AH authentication algorithm with MD5 (HMAC variable) |
esp-des |
ESP encrypted algorithm using DES |
esp-md5-hmac |
ESP authentication algorithm with MD5 (HMAC variable) |
ah-sha-hmac |
AH authentication algorithm with SHA (HMAC variable) |
esp-3des |
ESP encrypted algorithm using 3DES |
esp-sha-hmac |
ESP authentication algorithm with SHA (HMAC variable) |
Regarding
encryption map
The encryption map established for IPSec includes the following parts:
l Which
of the communications should receive IPSec protection (encryption access list)
l Data stream intervals that will receive one protection from set of security association set
l Corresponding port address used for IPSec communication
l
Current
port address used for IPSec communication
l Which IPSec security policies apply to these communications (select from one or more transform set)
l
Security
associate is established manually or through IKE
l Other parameters may be used to define IPSec security association
Encryption
maps with the same encryption map name (but different mapping serial number)
form a encryption map set. Then applies the encryption map set on the interface;
in this way, all IP messages passing this interface will be applied to the
encryption map set on the interface to make judgment. If one encryption map
matches an outgoing message that should receive protection, and encryption map
specified to use IKE, it will carry out security association negotiation with
corresponding port according to the included parameters of this encryption map.
If the encryption map uses security association set manually established, then
the security association should be established when processing configuration. If
the negotiation is initiated from locally, then the specified policy in the
encryption map will be used to establish and send to the IPSec corresponding
port. If the negotiation is initiated from the corresponding port of the IPSec,
then the local router will check the policy provided by the corresponding port,
and then decide whether to accept or to decline the application from
corresponding port.
In
order to smoothly process IPSec communications between the two peers of IPSec,
the encryption map on the two peers should include mutually compatible
configuration sentence.
When two peers try to establish security association, both peers should have at least one encryption map which is compatible with one encryption map of the corresponding port. The compatibility of the two encryption maps should at least meet the following conditions:
l The
encryption map should include compatible encryption access list.
l The encryption map of both sides should specify the corresponding peer address.
l The encryption map should have at least one identical transform set.
How many encryption maps should be established?
One
interface may use only one encryption map set. The encryption map set includes
combination of IPSec/ipsec-isakmp,or
IPSec/ipsec-manual. If the user wants to apply the same policy on many
interfaces, or to let many interfaces share the same encryption map set.
If
the user wants to establish many encryption maps for the specified interface,
seq-num parameter which uses mapping will be used to arrange sequence; the lower
the value of seq-num is, the higher the priority is. First use mapping of high
priority to judge communication on the interface with this encryption map set.
If one situation of the followings exists, the user should establish many
encryption maps for one port:
Different data messages will be processed by different IPSec corresponding peers.
If
the user wants to apply different IPSec security policies to different types of
data messages; for example, he/she wants to apply authentication to the
communications in one setup subnet, yet apply both authentication and encryption
in the other setup subnet. Under this situation, different types of
communications should be defined in two different access list, and should
establish a separate encryption map for each encryption access list.
If the user established security association manually, and wanted to specify many access lists, he/she should establish different access lists (each includes one permit), and specify a separate encryption map set for each access list.
Establishing manual mode encryption map
The
use of manual security association is the result pre-arranged by the local
router and the administrator of IPSec corresponding peer. Both sides may want to
use manual security association at the beginning, and then use security
association based on IKE, or the remote system may not support IKE. If the
security association is not established with IKE, no negotiation process of
security association will exist, so, in order to smoothly process messages for
IPSec, the configuration of two peers should be the same.
The
router may support both manual establishment and IKE establishment of security
association.
In order to establish encryption map with manual mode, use the following commands under global configuration state:
Step |
command |
Objective |
1 |
crypto map map-name seq-num ipsec-manual |
Establishing or modifying encryption map, execute this command and enter into encryption map configuration state |
2 |
match address access-list-name |
Setting IPSec access list. This access list decides which messages can be protected by IPSec, which cannot be protected under the IPSec security defined by this encryption map. |
3 |
set peer ip-address |
Setting IPSec corresponding port address. The messages protected by IPSec will be forwarded to this address. |
4 |
set transform-set transform-set-name |
Setting transform set(regarding ipsec-manual encryption map, only transform set can be defined. For ipsec-isakmp, no more than six encryption maps can be defined) |
5 |
set security-association inbound ah spi hex-key-data和set security-association outbound ah spi hex-key-data |
If the specified transform set includes AH protocol, then this command should be used to set AH security parameter index (SPIs) and key for incoming and outgoing messages. This command manually specified that AH security association will be used to protect messages. |
6 |
set security-association inbound esp spi [cipher hex-key-data ][authenticator hex-key-data]和set security-association outbound esp spi [cipher hex-key-data] [authenticator hex-key-data] |
If the specified transform set includes ESP protocol, then this command should be used to set ESP security parameter index (SPIs) and key for incoming and outgoing messages. If it includes ESP encryption algorithm, encryption key must be provided. This command manually specified that ESP security association will be used to protect communication. |
7 |
exit |
Exit encryption map configuration state, and return to global configuration state |
Repeat
these steps to establish other encryption maps.
Establishing encryption map with IKE
In order to establish security association encryption map via IKE, use the following commands under global configuration state:
Step |
command |
Objective |
1 |
crypto map map-name seq-num ipsec-isakmp |
Establishing or modifying encryption map, execute this command and entering into encryption map configuration state |
2 |
match address access-list-name |
Setting IPSec access list. This access list decides which messages can be protected by IPSec, which cannot be protected under the IPSec security defined by this encryption map. |
3 |
set peer ip-address |
Setting IPSec corresponding port address. The messages protected by IPSec will be forwarded to this address. |
4 |
set transform-set transform-set-name1 [transform-set-name2...transform-set-name6] |
Setting transform set,no more than six encryption maps can be defined(the first has the highest priority) |
5 |
set security-association lifetime seconds seconds或set security-association lifetime kilobytes kilobytes |
(Optional) setting the life cycle of encryption map negotiated security association |
6 |
set pfs [group1 | group2] |
(optional) The specified IPSec is applying for perfect forward security when using this encryption map to apply for new security association, and requires the application replied from the IPSec corresponding port to have PFS request. |
7 |
exit |
Exit encryption map configuration state, and return to global configuration state |
Repeat
these steps to establish other encryption maps.
The application of encryption map set to the interface
In
order to let the configured encryption map work, the user should apply the
encryption map to the interface. The router uses this encryption map set to
judge all the messages passing through this interface, and applies specified
policies to different messages under protection in the security association
negotiation process.
In order to apply the encryption map set to the interface, use the following commands under interface configuration state.
command |
Objective |
crypto map map-name |
Applying the encryption map set to the interface |
A
same encryption map set may be used for many interfaces.
Examples for IPSec configuration
The
following are examples of IPSec configuration using IKE negotiated
security association.
Regarding IKE, please refer to document “Configuring IKE”.
l Defining encryption access lists
ip access-list extended aaa
permit ip 130.130.0.0 255.255.0.0 131.131.0.0 255.255.0.0
l Defining transform set:
crypto ipsec transform-set one
transform-type esp-des esp-sha-hmac
l Setting IPSec access list and transform set with encryption map, and defining the destination of encrypted messages (the corresponding port of IPSec):
crypto map toShanghai 100 ipsec-isakmp
match address aaa
set transform-set one
set peer 192.2.2.1
l Applying encryption map to the interface:
interface Serial1/1
ip address 192.2.2.2
crypto map toShanghai