Reference Guide
Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and
encrypting all packets in a communication session.
Use IPSec between hosts, between gateways, or between hosts and gateways.
IPSec is compatible with the Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
● Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
● Tunnel mode — Use to encrypt the entire packet including the routing information of the IP header. Typically used when
creating virtual private networks (VPNs).
NOTE: Due to performance limitations on the control processor, you cannot enable IPSec on all packets in a communication
session.
IPSec uses the following protocols:
● Authentication Header (AH) — Connectionless integrity and data origin authentication for IP packets
● Encapsulating Security Payload (ESP) — Confidentiality, authentication, and data integrity for IP packets
● Security Associations (SA) — Necessary algorithmic parameters for AH and ESP functionality
IPSec supports the following authentication and encryption algorithms:
● Authentication only:
○ MD5
○ SHA1
● Encryption only:
○ 3DES
○ CBC
○ DES
● ESP Authentication and Encryption:
○ MD5 & 3DES
○ MD5 & CBC
○ MD5 & DES
○ SHA1 & 3DES
○ SHA1 & CBC
○ SHA1 & DES
Topics:
• Configuring IPSec
Configuring IPSec
The following sample configuration shows how to configure FTP and telnet for IPSec.
1. Define the transform set.
CONFIGURATION mode
crypto ipsec transform-set myXform-set esp-authentication md5 esp-encryption des
2. Define the crypto policy.
CONFIGURATION mode
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
transform-set myXform-set
session-key inbound esp 256 auth <key>
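Before applying a configuration of this shape, it is worth checking it for the two problems that are easy to miss: a transform-set built from algorithms that current IPsec guidance (RFC 8221) no longer recommends, and a policy that references a transform-set name that was never defined. The following audit script is an added example, not part of the reference guide or the platform; it assumes the command shapes printed in the two steps above and uses a constructed sample configuration.

```python
import re

# RFC 8221 assessment of each algorithm the guide lists (added here, not from the guide).
ALGO_NOTES = {
    "md5": "HMAC-MD5-96 is MUST NOT in RFC 8221",
    "sha1": None,  # HMAC-SHA1-96 is MUST- in RFC 8221: tolerated, not flagged
    "des": "56-bit DES is MUST NOT in RFC 8221",
    "3des": "3DES is SHOULD NOT in RFC 8221 (64-bit block size)",
    "cbc": "'cbc' names a mode, not a cipher; confirm which cipher the platform uses",
}
# Shapes of the two commands printed in the guide (authentication before encryption).
TRANSFORM_RE = re.compile(
    r"^crypto ipsec transform-set (\S+)"
    r"(?:\s+esp-authentication (\S+))?(?:\s+esp-encryption (\S+))?$")
POLICY_RE = re.compile(r"^crypto ipsec policy (\S+) (\d+) (\S+)$")


def audit(config: str) -> list:
    """Flag weak transform-set algorithms and policies that reference undefined sets."""
    findings, defined, policy = [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # skip blanks and CLI comments
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            name, auth, enc = m.groups()
            defined.add(name)
            for kind, algo in (("esp-authentication", auth), ("esp-encryption", enc)):
                note = algo and ALGO_NOTES.get(algo.lower(), "unrecognised algorithm")
                if note:
                    findings.append(f"{name}: {kind} {algo}: {note}")
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)  # following sub-mode lines belong to this policy
            continue
        if policy and line.startswith("transform-set "):
            ref = line.split(None, 1)[1]
            if ref not in defined:
                findings.append(f"policy {policy}: references undefined transform-set '{ref}'")
    return findings


# Constructed sample mirroring the guide's two steps, with a deliberately
# mismatched transform-set name to exercise the reference check.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myXform-seta esp-authentication md5 esp-encryption des
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
 transform-set myXform-set
 session-key inbound esp 256 auth <key>
"""
```

Running `audit(SAMPLE_CONFIG)` reports the MD5 and DES choices and the dangling `myXform-set` reference; a set built from SHA1 and 3DES produces only the 3DES finding.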