IPSec Configuration Directory

About Configuration of IPSec

Overview of IPSec

Standards supported

Limitation

The summarization of IPSec working process

IPSec nesting

IPSec configuration process

Guarantee the compatibility between access list and IPSec

Establishing encryption access list

The definition of transform set

Establishing encryption map

The application of encryption map set to the interface

Examples for IPSec configuration

 

About Configuration of IPSec

This chapter explains how to configure IPSec. IPSec is a framework of open standards developed by the IETF. It provides security for transferring sensitive data over unprotected networks (e.g. the Internet). IPSec operates at the network layer, protecting and authenticating the IP packets exchanged between IPSec devices (e.g. the company's routers).

IPSec provides the following network security services. They are optional; in general, the local security policy dictates the use of one or more of them:

- Data confidentiality: the IPSec sender encrypts packets before transferring them across the network.

- Data integrity: the IPSec receiver authenticates the packets sent by the sender to ensure that the data has not been changed during transfer.

- Data origin authentication: the IPSec receiver authenticates the source address of IPSec packets. This service depends on the data integrity service.

- Anti-replay: the IPSec receiver can detect and reject replayed packets.

With IPSec, data can be transferred without fear of being observed, modified or forged in transit.

For a complete description of the IPSec commands used in this chapter, refer to 'IPSec configuration command'.

Overview of IPSec

The security scheme provided by IPSec is robust and standards-based. In addition to data confidentiality, IPSec also provides data authentication and anti-replay services.

Standards supported

The IPSec implementation on our company's routers implements the following standards:

- IPSec: IP Security protocol. IPSec is an open standard framework which provides data confidentiality, data integrity, and data authentication. IPSec provides these security services at the IP layer; it uses IKE to negotiate protocols and algorithms, and to generate the encryption and authentication keys used by IPSec. IPSec can protect one or several data streams between a pair of hosts or a pair of security gateways.

- Internet Key Exchange (IKE): a hybrid protocol that implements the Oakley and SKEME key exchanges inside the ISAKMP framework. Although IKE can be used with other protocols, its initial use is with IPSec. IKE authenticates the IPSec peers, negotiates IPSec security associations, and generates IPSec keys. For detailed information about IKE, refer to "Configuring internet key exchange security protocol".

The component technologies used by IPSec are:

- DES: Data Encryption Standard. DES is used to encrypt packet data. It is a symmetric encryption algorithm; our router uses DES-CBC with an IV of 56 bits. CBC requires an initialization vector (IV) to start encryption.

- 3DES: 3DES is used to encrypt packet data. It is a symmetric encryption algorithm; our router uses DES-CBC with an IV of 168 bits. 3DES is more secure than DES.

- MD5 (HMAC variant): MD5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

- SHA (HMAC variant): SHA is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

The IPSec implementation in our router software also supports the following standards:

- AH: a security protocol that provides data integrity, data origin authentication, and optional anti-replay services. AH can protect an upper-layer protocol (transport mode) or a complete IP packet (tunnel mode). AH can be used on its own or together with ESP. It is defined in RFC 2402.

- ESP: a security protocol that provides security services including confidentiality, data origin authentication, anti-replay and data integrity. ESP can protect an upper-layer protocol (transport mode) or a complete IP packet (tunnel mode). It is defined in RFC 2406.

Limitation

Currently, IPSec can only be applied to unicast IP packets. Because the IPSec working group is not working on group key distribution, IPSec does not currently support multicast or broadcast IP packets. If network address translation (NAT) is used, static NAT should be configured so that IPSec operates normally. In general, NAT should be performed before the router carries out IPSec encapsulation; in other words, IPSec should use global addresses.

The summarization of IPSec working process

IPSec provides secure tunnels between two routers. The user defines which packets should be sent through these tunnels, and defines the parameters used to protect these sensitive packets by specifying the parameters of the tunnels. When IPSec then receives such a packet, it creates the corresponding secure tunnel and sends the packet through the tunnel to the peer.

More precisely, a tunnel is a set of security associations established between the two IPSec peers. The security associations define which protocols and algorithms are applied to sensitive packets, and also define the keys used by the two IPSec peers. Security associations are unidirectional and are established separately for each security protocol (AH or ESP).

In IPSec, the traffic to be protected is specified by configuring an access list, referencing the access list in an encryption map, and applying the encryption map to an interface. Traffic can therefore be selected based on source and destination address and any layer 4 protocol or port. When used for IPSec, an access list only defines which traffic receives IPSec protection; it does not define which traffic is passed or blocked on a port. An encryption map set may contain several encryption maps, each corresponding to a different access list.

When a packet matches the first permit rule of an access list and the corresponding encryption map is of type ipsec-isakmp, the packet is processed by IPSec. If no security association exists to protect the packet, IPSec uses IKE to negotiate with the peer and establish the security association.

When the corresponding encryption map is of type ipsec-manual, the packet is likewise processed by IPSec. If no security association exists to protect the packet, the packet is discarded. In this case the security associations are configured manually and IKE is not needed. If no security association exists, not all required parameters have been configured.

Once the set of security associations is established, it is applied to the packet that triggered it and to subsequent applicable packets. Applicable packets are those that match the same access list condition.

If IKE is used to establish the security associations, they have a lifetime: they expire periodically and must be renegotiated (this provides an additional level of security).

Two IPSec peers may have several IPSec tunnels between them to protect different data streams, each tunnel corresponding to a separate set of security associations. For example, some data streams may only require authentication, while others require encryption and authentication. The access list referenced by an IPSec encryption map specifies which traffic requires IPSec protection. Inbound packets are also processed according to the encryption map: if an unencrypted packet matches a permit in the access list referenced by an IPSec encryption map, the packet is discarded, because it was not sent as an IPSec-protected packet.

An encryption map also includes a transform set. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec-protected traffic. During IPSec security association negotiation, the two peers agree on the same transform set to protect a data stream.

IPSec nesting

IPSec traffic can be nested across a series of IPSec routers. For example, for traffic to traverse several firewalls (each of which has a policy that does not pass traffic it has not itself authenticated), the router must set up IPSec tunnels with each firewall in turn.

In the example shown in the following figure, routerA uses IPSec to encapsulate the traffic destined for routerC (routerC is the IPSec peer). However, before routerA can send this traffic, it must first encapsulate it in IPSec again in order to send it to routerB.

An example of IPSec router nesting

The outer IPSec peers may apply one kind of protection (such as data authentication), while the inner IPSec peers apply a different protection (for example, data authentication and encryption).

IPSec configuration process

After IKE configuration is complete, IPSec can be configured. To configure IPSec, complete the following tasks on each IPSec router that participates in the communication:

- Guarantee the compatibility between access list and IPSec

- Establishing encryption access list

- The definition of transform set

- Establishing encryption map

- The application of encryption map set to the interface

Guarantee the compatibility between access list and IPSec

IKE uses UDP port 500. The IPSec ESP and AH protocols use IP protocol numbers 50 and 51. When configuring access lists, make sure that traffic for protocols 50 and 51 and for UDP port 500 is not blocked on the interfaces used by IPSec.

Establishing encryption access list

The encryption access list defines which IP traffic should be encrypted and protected, and which should not. (These access lists are not the same as normal access lists, which only decide which traffic is passed and which is blocked on an interface.)

The encryption access list referenced by an IPSec encryption map has four major functions:

- Selecting the outbound packets to be protected by IPSec (permit means protect).

- Indicating, when negotiation of an IPSec security association begins, the data stream to be protected by the new security association (specified by a single permit).

- Processing inbound packets, in order to filter out and discard traffic that should have been protected by IPSec but was not.

- Deciding, when processing an IKE negotiation initiated by the IPSec peer, whether to accept the peer's request for an IPSec security association.

If some traffic is to receive one combination of IPSec protection (for example, authentication only) and other traffic a different combination (for example, authentication and encryption), two different encryption access lists must be created to define the two types of traffic. These access lists are used in different encryption maps, and these encryption maps specify different IPSec policies.

Later, when the encryption map set is applied to an interface, the encryption access lists become associated with that interface. To create an encryption access list, use the following commands in global configuration mode:

| Command | Objective |
| --- | --- |
| ip access-list extended name | Then use the "permit" and "deny" commands to configure the access rules |
| permit protocol source source-mask destination destination-mask | Defines which IP traffic should receive encryption protection |

Encryption access list techniques

Using the keyword permit makes all matching IP traffic eligible for the encryption protection described by the policy of the corresponding encryption map. Using the keyword deny prevents the traffic from receiving encryption protection from that particular encryption map (that is, the policy specified in this encryption map is not applied to the traffic). If every encryption map on the interface denies certain traffic, that traffic is not given encryption protection.

Once the corresponding encryption map is defined and the encryption map set is applied to an interface, the specified encryption access list takes effect on that interface. Inbound and outbound packets are evaluated against the same IPSec access list: the access list is applied as written to outbound packets and in reverse to inbound packets. Therefore only one rule needs to be defined in the access list; when applying the rule to inbound packets, IPSec matches them with the source and destination addresses reversed.

If several rules are configured in an encryption access list, only the first rule takes effect.

Using the keyword any in an encryption access list

Using the keyword any when creating an encryption access list may cause problems. For this reason, using the keyword any to specify the source or destination address is not recommended.

If the IPSec interface is required to carry multicast traffic, the keyword any should not be used in the permit statement; it may cause multicast to fail. The statement permit any any is especially unsuitable, because it causes all outbound packets to be protected (and all protected packets to be sent to the peer specified in the corresponding encryption map) and requires all inbound packets to be protected as well.
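The selection rules described in the two sections above (netmask matching, only the first rule taking effect, mirrored matching for inbound packets, and the effect of permit any any) can be modelled as follows. This is an added example, not code from the router or its vendor; the function names and the result labels are hypothetical, and every address other than the page's 130.130.0.0 and 131.131.0.0 networks is a constructed sample.

```python
"""Model of how an encryption access list selects traffic (added illustration)."""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_rule(line):
    """Parse 'permit|deny ip SRC SRC-MASK DST DST-MASK'; 'any' replaces a pair."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError("unsupported rule: " + line)
    rest, pairs = tokens[2:], []
    while rest:
        if rest[0] == "any":
            pairs.append((0, 0))          # mask 0.0.0.0 matches every address
            rest = rest[1:]
        elif len(rest) >= 2:
            pairs.append((_to_int(rest[0]), _to_int(rest[1])))
            rest = rest[2:]
        else:
            raise ValueError("address without mask: " + line)
    if len(pairs) != 2:
        raise ValueError("expected source and destination: " + line)
    return tokens[0], pairs[0], pairs[1]


def _selected(acl_lines, src, dst):
    """True if the FIRST rule is a permit matching src -> dst.

    Later rules are ignored, as the page states for encryption access lists.
    """
    if not acl_lines:
        return False
    action, (s_net, s_mask), (d_net, d_mask) = parse_rule(acl_lines[0])
    s, d = _to_int(src), _to_int(dst)
    return (action == "permit"
            and (s & s_mask) == (s_net & s_mask)
            and (d & d_mask) == (d_net & d_mask))


def outbound_action(acl_lines, src, dst):
    """Outbound packet: the rule is applied as written."""
    return "protect" if _selected(acl_lines, src, dst) else "send-clear"


def inbound_clear_action(acl_lines, src, dst):
    """Inbound packet that arrived WITHOUT IPSec: the rule is applied mirrored.

    A clear-text packet that the mirrored permit selects should have been
    protected by the peer, so it is discarded.
    """
    return "discard" if _selected(acl_lines, dst, src) else "accept-clear"


# The access list from this page's configuration example.
PAGE_ACL = ["permit ip 130.130.0.0 255.255.0.0 131.131.0.0 255.255.0.0"]
# The discouraged form discussed above.
ANY_ACL = ["permit ip any any"]

if __name__ == "__main__":
    print(outbound_action(PAGE_ACL, "130.130.1.5", "131.131.9.9"))
    print(inbound_clear_action(PAGE_ACL, "131.131.9.9", "130.130.1.5"))
    print(outbound_action(ANY_ACL, "130.130.1.5", "224.0.0.5"))
    print(inbound_clear_action(ANY_ACL, "198.51.100.7", "130.130.1.5"))
```

With permit any any, the multicast packet is selected for protection and sent to the single unicast peer, and clear-text traffic from an unrelated host is discarded on arrival, which is the failure the section warns about.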

The definition of transform set

A transform set is a combination of specific security protocols and algorithms. During IPSec security association negotiation, the two peers agree to use a particular transform set to protect a particular data stream.

Several transform sets can be defined, and one or more of them can then be configured in an encryption map.

When IKE negotiates a security association, the two peers search for a transform set that is the same on both sides. Once it is found, the security association uses that transform set to protect the specified data stream.

For manually established security associations there is no negotiation between the two sides, so both sides must specify the same transform set.

If a transform set definition is changed, the change applies only to the encryption maps that reference the transform set. The change is not applied to existing security associations, but is used in later negotiations to establish new security associations. To make the new settings take effect immediately, use the "clear crypto sa" command to clear all or part of the security association database.

To define a transform set, use the following commands in global configuration mode:

| Step | Command | Objective |
| --- | --- | --- |
| 1 | crypto ipsec transform-set transform-set-name | Defines a transform set. Executing this command enters encryption transform configuration mode |
| 2 | transform-type transform1 [transform2 [transform3]] | Sets the transform type |
| 3 | mode [tunnel \| transport] | Changes the mode of the transform set. The mode setting applies only to traffic whose source and destination addresses are the IPSec peer addresses; it is not used for any other traffic (all other traffic is processed in tunnel mode only) |
| 4 | exit | Exits encryption transform configuration mode |

The following table lists the applicable transform combinations.

Selecting transforms for a transform set: applicable transform combinations

| AH transform (select one) | Description | ESP encryption transform (select one) | Description | ESP authentication transform (select one) | Description |
| --- | --- | --- | --- | --- | --- |
| ah-md5-hmac | AH authentication algorithm with MD5 (HMAC variant) | esp-des | ESP encryption algorithm using DES | esp-md5-hmac | ESP authentication algorithm with MD5 (HMAC variant) |
| ah-sha-hmac | AH authentication algorithm with SHA (HMAC variant) | esp-3des | ESP encryption algorithm using 3DES | esp-sha-hmac | ESP authentication algorithm with SHA (HMAC variant) |
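The following added example (not code from the router or its vendor) checks a transform set against the combination table above and then models how two peers find a transform set that is the same on both sides. The class and function names are hypothetical. It assumes that the mode must also match, and that the local list is searched in its configured order, neither of which this page states for negotiation.

```python
"""Transform-set validation and selection (added illustration)."""
from dataclasses import dataclass

# Columns of the "applicable transform combinations" table on this page.
COLUMNS = {
    "AH": {"ah-md5-hmac", "ah-sha-hmac"},
    "ESP encryption": {"esp-des", "esp-3des"},
    "ESP authentication": {"esp-md5-hmac", "esp-sha-hmac"},
}
MAX_SETS_PER_MAP = 6  # limit given for "set transform-set" on this page


@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: tuple
    mode: str  # "tunnel" or "transport"

    def key(self):
        # Names are local labels; only content decides whether two sets agree.
        return frozenset(self.transforms), self.mode


def validate(ts):
    """Return the table columns used; raise ValueError on an invalid combination."""
    if not 1 <= len(ts.transforms) <= 3:
        raise ValueError(ts.name + ": need one to three transforms")
    if ts.mode not in ("tunnel", "transport"):
        raise ValueError(ts.name + ": unknown mode " + ts.mode)
    used = set()
    for transform in ts.transforms:
        column = next((c for c, names in COLUMNS.items() if transform in names), None)
        if column is None:
            raise ValueError(ts.name + ": unknown transform " + transform)
        if column in used:
            raise ValueError(ts.name + ": more than one " + column + " transform")
        used.add(column)
    return sorted(used)


def select_common(local_sets, peer_sets):
    """Return (local_name, peer_name) of the first local set the peer also has.

    Returns None when the two sides share no transform set, in which case
    no security association can be established.
    """
    if len(local_sets) > MAX_SETS_PER_MAP or len(peer_sets) > MAX_SETS_PER_MAP:
        raise ValueError("no more than six transform sets per encryption map")
    for ts in list(local_sets) + list(peer_sets):
        validate(ts)
    peer_by_key = {}
    for ts in peer_sets:
        peer_by_key.setdefault(ts.key(), ts.name)
    for ts in local_sets:  # first entry has the highest priority
        if ts.key() in peer_by_key:
            return ts.name, peer_by_key[ts.key()]
    return None


# Constructed sample: "one" mirrors the transform set in this page's example.
LOCAL = [TransformSet("strong", ("esp-3des", "esp-sha-hmac"), "tunnel"),
         TransformSet("one", ("esp-des", "esp-sha-hmac"), "tunnel")]
PEER = [TransformSet("legacy", ("esp-sha-hmac", "esp-des"), "tunnel")]

if __name__ == "__main__":
    print(select_common(LOCAL, PEER))
```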

 

Establishing encryption map

Regarding encryption map

An encryption map established for IPSec contains the following parts:

- Which traffic should receive IPSec protection (the encryption access list)

- The granularity of the data streams protected by one set of security associations

- The peer address used for IPSec traffic

- The local address used for IPSec traffic

- Which IPSec security policy applies to this traffic (selected from one or more transform sets)

- Whether security associations are established manually or through IKE

- Other parameters that may be needed to define an IPSec security association

Encryption maps with the same map name (but different sequence numbers) form an encryption map set. The encryption map set is then applied to an interface, so that all IP packets passing through the interface are evaluated against the encryption map set. If an encryption map matches an outbound packet that should be protected and the encryption map specifies IKE, a security association is negotiated with the peer according to the parameters in that encryption map. If the encryption map uses manually established security associations, the security associations must have been established at configuration time. If the negotiation is initiated locally, the policy specified in the encryption map is used to build the proposal sent to the IPSec peer. If the negotiation is initiated by the IPSec peer, the local router checks the policy offered by the peer and decides whether to accept or reject the peer's request.

For IPSec traffic to be processed successfully between two IPSec peers, the encryption maps on both peers must contain mutually compatible configuration statements.

When two peers try to establish a security association, each must have at least one encryption map that is compatible with one of the other peer's encryption maps. For two encryption maps to be compatible, they must at least meet the following conditions:

- The encryption maps must contain compatible encryption access lists.

- The encryption maps on both sides must each specify the other peer's address.

- The encryption maps must have at least one identical transform set.

How many encryption maps should be established?

Only one encryption map set may be applied to an interface. The encryption map set may contain a combination of ipsec-isakmp and ipsec-manual encryption maps. If the same policy is to be applied on many interfaces, those interfaces can share the same encryption map set.

To create several encryption maps for a given interface, use the seq-num parameter of each map to order them; the lower the value of seq-num, the higher the priority. On an interface with this encryption map set, traffic is evaluated against the higher-priority maps first. Several encryption maps must be created for one interface if any of the following applies:

- Different data streams are to be handled by different IPSec peers.

- Different IPSec security policies are to be applied to different types of traffic; for example, authentication for traffic between one set of subnets, and both authentication and encryption for traffic between another set of subnets. In this case, the different types of traffic should be defined in two different access lists, and a separate encryption map should be created for each encryption access list.

- Security associations are established manually and several access lists are to be specified; in this case, create separate access lists (each containing one permit) and specify a separate encryption map set for each access list.

Establishing manual mode encryption map

Manual security associations are the result of a prior arrangement between the administrators of the local router and of the IPSec peer. The two sides may want to start with manual security associations and later move to security associations based on IKE, or the remote system may not support IKE. If the security associations are not established with IKE, no negotiation takes place, so the configuration of the two peers must be the same for IPSec to process packets successfully.

The router can support both manually established and IKE-established security associations.

To create a manual-mode encryption map, use the following commands in global configuration mode:

| Step | Command | Objective |
| --- | --- | --- |
| 1 | crypto map map-name seq-num ipsec-manual | Creates or modifies an encryption map. Executing this command enters encryption map configuration mode |
| 2 | match address access-list-name | Sets the IPSec access list. This access list decides which packets are protected, and which are not, by the IPSec security defined in this encryption map |
| 3 | set peer ip-address | Sets the IPSec peer address. Packets protected by IPSec are forwarded to this address |
| 4 | set transform-set transform-set-name | Sets the transform set. For an ipsec-manual encryption map, only one transform set can be defined. For ipsec-isakmp, no more than six can be defined |
| 5 | set security-association inbound ah spi hex-key-data | If the specified transform set includes the AH protocol, use these commands to set the AH security parameter indexes (SPIs) and keys for inbound and outbound packets. They manually specify the AH security associations used to protect packets |
| | set security-association outbound ah spi hex-key-data | |
| 6 | set security-association inbound esp spi [cipher hex-key-data] [authenticator hex-key-data] | If the specified transform set includes the ESP protocol, use these commands to set the ESP security parameter indexes (SPIs) and keys for inbound and outbound packets. If the transform set includes an ESP encryption algorithm, an encryption key must be provided. They manually specify the ESP security associations used to protect traffic |
| | set security-association outbound esp spi [cipher hex-key-data] [authenticator hex-key-data] | |
| 7 | exit | Exits encryption map configuration mode and returns to global configuration mode |

Repeat these steps to establish other encryption maps.

Establishing encryption map with IKE

To create an encryption map whose security associations are established via IKE, use the following commands in global configuration mode:

| Step | Command | Objective |
| --- | --- | --- |
| 1 | crypto map map-name seq-num ipsec-isakmp | Creates or modifies an encryption map. Executing this command enters encryption map configuration mode |
| 2 | match address access-list-name | Sets the IPSec access list. This access list decides which packets are protected, and which are not, by the IPSec security defined in this encryption map |
| 3 | set peer ip-address | Sets the IPSec peer address. Packets protected by IPSec are forwarded to this address |
| 4 | set transform-set transform-set-name1 [transform-set-name2...transform-set-name6] | Sets the transform sets; no more than six can be defined, and the first has the highest priority |
| 5 | set security-association lifetime seconds seconds | (Optional) Sets the lifetime of the security associations negotiated for this encryption map |
| | set security-association lifetime kilobytes kilobytes | |
| 6 | set pfs [group1 \| group2] | (Optional) Specifies that IPSec requests perfect forward secrecy (PFS) when requesting new security associations with this encryption map, and requires the requests received from the IPSec peer to include PFS |
| 7 | exit | Exits encryption map configuration mode and returns to global configuration mode |

Repeat these steps to establish other encryption maps.

The application of encryption map set to the interface

For a configured encryption map to take effect, it must be applied to an interface. The router uses the encryption map set to evaluate all packets passing through the interface, and applies the specified policies to the different protected traffic during security association negotiation.

To apply an encryption map set to an interface, use the following command in interface configuration mode:

| Command | Objective |
| --- | --- |
| crypto map map-name | Applies the encryption map set to the interface |

The same encryption map set may be applied to several interfaces.

Examples for IPSec configuration

The following is an example of IPSec configuration using IKE-negotiated security associations.

For IKE, refer to the document "Configuring IKE".

- Defining the encryption access list:

    ip access-list extended aaa
     permit ip 130.130.0.0 255.255.0.0 131.131.0.0 255.255.0.0

- Defining the transform set:

    crypto ipsec transform-set one
     transform-type esp-des esp-sha-hmac

- Referencing the IPSec access list and the transform set in an encryption map, and defining the destination of the encrypted packets (the IPSec peer):

    crypto map toShanghai 100 ipsec-isakmp
     match address aaa
     set transform-set one
     set peer 192.2.2.1

- Applying the encryption map to the interface:

    interface Serial1/1
     ip address 192.2.2.2
     crypto map toShanghai