Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

851

852

853

854

855

856

857

858

859

860

Internet Protocol Security (IPSec)

Internet protocol security (IPSec) is an end-to-end security scheme for securing IP communications by authenticating and encrypting all

packets in a session. Use IPSec between hosts, gateways, or hosts and gateways.

IPSec uses a series of protocol functions to achieve information security:

• Authentication Headers (AH) — connectionless integrity and origin authentication for IP packets.

• Encapsulating Security Payloads (ESP) — confidentiality, authentication, and data integrity for IP packets.

• Security Associations (SA) — algorithm-provided parameters required for AH and ESP protocols.

IPSec capability is available on control (protocol) and management traffic; end-node support is required.

IPSec supports two operational modes: Transport and Tunnel.

• Transport is the default mode for IPSec and encrypts only the payload of the packet. Routing information is unchanged.

• Tunnel mode is used to encrypt the entire packet, including the routing information in the IP header. Tunnel mode is typically used in

creating virtual private networks (VPNs).

Transport mode provides IP packet payload protection using ESP. You can use ESP alone or in combination with AH to provide additional

authentication. AH protects data from modification but does not provide confidentiality.

SA is the configuration information that specifies the type of security provided to the IPSec flow. The SA is a set of algorithms and keys

used to authenticate and encrypt the traffic flow. The AH and ESP use SA to provide traffic protection for the IPSec flow.

NOTE:

Due to performance limitations on the control processor, you cannot enable IPSec on all packets in a communication

session.

Topics:

• crypto ipsec transform-set

• crypto ipsec policy

• management crypto-policy

• match

• session-key

• show crypto ipsec transform-set

• show crypto ipsec policy

• transform-set

crypto ipsec transform-set

Create a transform set, or combination of security algorithms and protocols, of cryptos.

C9000 Series

Syntax

crypto ipsec transform-set name {ah-authentication {md5|sha1|null} | esp-

authentication {md5|sha1|null} | esp-encryption {3des|cbc|des|null}}

To delete a transform set, use the no crypto ipsec transform-set name {ah-authentication

{md5|sha1|null} | esp-authentication {md5|sha1|null} | esp-encryption {3des|

cbc|des|null}} command.

Parameters

name

Enter the name for the transform set.

ah-authentication Enter the keywords ah-authentication then the transform type of operation to

apply to traffic. The transform type represents the encryption or authentication applied to

traffic.

856 Internet Protocol Security (IPSec)