Administrator Guide
Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for securing IP communications by authenticating and encrypting all
packets in a session. Use IPSec between hosts, gateways, or hosts and gateways.
IPSec uses a series of protocol functions to achieve information security:
• Authentication Headers (AH) — Connectionless integrity and origin authentication for IP packets.
• Encapsulating Security Payloads (ESP) — Condentiality, authentication, and data integrity for IP packets.
• Security Associations (SA) — Algorithm-provided parameters required for AH and ESP protocols.
IPSec capability is available on control (protocol) and management trac; end-node support is required.
IPSec supports two operational modes: Transport and Tunnel.
• Transport is the default mode for IPSec and encrypts only the payload of the packet. Routing information is unchanged.
• Tunnel mode is used to encrypt the entire packet, including the routing information in the IP header. Tunnel mode is typically used in
creating virtual private networks (VPNs).
Transport mode provides IP packet payload protection using ESP. You can use ESP alone or in combination with AH to provide additional
authentication. AH protects data from modication but does not provide condentiality.
SA is the conguration information that species the type of security provided to the IPSec ow. The SA is a set of algorithms and keys
used to authenticate and encrypt the trac ow. The AH and ESP use SA to provide trac protection for the IPSec ow.
NOTE
:
Due to performance limitations on the control processor, you cannot enable IPSec on all packets in a communication session.
Topics:
• crypto ipsec transform-set
• crypto ipsec policy
• management crypto-policy
• match
• session-key
• show crypto ipsec transform-set
• show crypto ipsec policy
• transform-set
22
722 Internet Protocol Security (IPSec)