IPSec supports the Triple DES encryption algorithm (168-bit key) in addition to 56-bit DES. Triple DES (3DES) is a stronger form of encryption than single DES and allows sensitive information to be transmitted over untrusted networks. It enables customers, particularly in the finance industry, to use network layer encryption.
This feature is supported only on the Cisco 1720 router.
This feature is available only in software images with the Triple DES encryption feature set for IPSec.
None.
Configuring the router for Triple DES encryption has two parts: configuring an IKE policy that uses 3DES, and configuring IPSec (access list, transform set, and crypto map) to use the esp-3des transform.
To configure an IKE policy, use the following commands starting in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | crypto isakmp policy priority | Identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) This command puts you into the config-isakmp command mode. |
| 2 | encryption 3des | Specify the encryption algorithm. |
| 3 | hash {sha \| md5} | Specify the hash algorithm. |
| 4 | authentication {rsa-sig \| rsa-encr \| pre-share} | Specify the authentication method. |
| 5 | group {1 \| 2} | Specify the Diffie-Hellman group identifier. |
| 6 | lifetime seconds | Specify the lifetime of the IKE security association. |
| 7 | exit | Exit the config-isakmp command mode. |
| 8 | exit | Exit the global configuration mode. |
| 9 | show crypto isakmp policy | (Optional) View all existing IKE policies. (Use this command in EXEC mode.) |
To configure IPSec to use the 3DES transform, use the following commands starting in global configuration mode:

| Step | Command | Purpose |
|---|---|---|
| 1 | access-list access-list-number permit ip source source-wildcard destination destination-wildcard | Configure Access Control Lists (ACLs) that select the IP traffic through the router interface that you want to protect. |
| 2 | crypto ipsec transform-set transform-set-name esp-3des | Configure a transform set that identifies the IPSec Triple DES transform to use for encapsulating network traffic. |
| 3 | crypto map map-name seq-num ipsec-isakmp | Create a crypto map that binds together the elements of the IPSec configuration. |
| 4 | match address [access-list-id \| name] | Specify an extended access list for the crypto map entry. |
| 5 | set transform-set transform-set-name | Specify which transform set can be used with the crypto map entry. |
| 6 | set peer {hostname \| ip-address} | Specify an IPSec peer in the crypto map entry. |
| 7 | exit | Exit the crypto map command mode. |
| 8 | interface type number | Specify an interface on which to apply the crypto map. |
| 9 | crypto map map-name | Apply the previously defined crypto map set to the interface. |
| 10 | exit | Exit the interface command mode. |
| 11 | exit | Exit the global configuration mode. |
| 12 | show crypto map | (Optional) View all existing crypto map policies. (Use this command in EXEC mode.) |
This IPSec configuration example has two parts: an IKE policy that uses 3DES, and a minimal IPSec configuration (access list, transform set, crypto map, and interface) that uses the esp-3des transform.
This example creates an IKE policy, with 3des as the encryption algorithm.
```
crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000
```
The following is an example of a minimal IPSec configuration where the security associations will be established via IKE. In this example, IKE must be enabled.
An IPSec access list defines which traffic to protect:
```
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
```
A transform set defines how the traffic will be protected:
```
crypto ipsec transform-set myset esp-3des esp-md5-hmac
```
A crypto map joins together the IPSec access list and transform set and specifies where the protected traffic is sent (the remote IPSec peer):
```
crypto map toRemoteSite 10 ipsec-isakmp
 match address 101
 set transform-set myset
 set peer 10.2.2.5
```
The crypto map is applied to an interface:
```
interface Serial0
 ip address 10.0.0.2 255.255.255.0
 crypto map toRemoteSite
```
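The page shows only one end of the tunnel. The following two-router configuration is an added example built from the commands above; it is not part of the original Cisco document. It assumes pre-shared key authentication (authentication pre-share with the hypothetical key 3desDemoKey) instead of the rsa-sig used in the page's IKE example, so that no CA enrollment is needed, and it assumes interface names (FastEthernet0, Serial0), a dedicated WAN link 192.0.2.0/30, and LAN addresses 10.0.0.1 and 10.2.2.1 chosen for illustration. What it demonstrates beyond the page's fragment is the remote side: the IKE policy and transform set must be identical on both peers (only the lifetime is negotiated, the shorter value winning), and the remote crypto ACL must be the exact mirror image of the local one, otherwise IKE phase 2 proxy-identity negotiation fails and the traffic is never protected.

```cisco
! ===== Router A (local site, LAN 10.0.0.0/24) =====
! Added example, not from the Cisco document. Addresses, interface names
! and the pre-shared key are assumptions chosen for illustration.
hostname RouterA
!
! IKE phase 1 policy. encryption, hash, authentication and group must
! match the peer's policy exactly.
crypto isakmp policy 15
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 5000
! Pre-shared key bound to the peer's WAN address (hypothetical key).
crypto isakmp key 3desDemoKey address 192.0.2.2
!
! IKE phase 2: 3DES for confidentiality, SHA-HMAC for integrity.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Crypto ACL written from this router's point of view: local LAN -> remote LAN.
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map toRemoteSite 10 ipsec-isakmp
 match address 101
 set transform-set myset
 set peer 192.0.2.2
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map toRemoteSite
!
ip route 10.2.2.0 255.255.255.0 192.0.2.2

! ===== Router B (remote site, LAN 10.2.2.0/24) =====
hostname RouterB
!
! Identical phase 1 parameters; the priority number itself need not match.
crypto isakmp policy 15
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp key 3desDemoKey address 192.0.2.1
!
! Same transform set as Router A.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Mirror image of Router A's ACL: source and destination swapped.
! A non-mirrored ACL makes phase 2 fail with mismatched proxy identities.
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map toRemoteSite 10 ipsec-isakmp
 match address 101
 set transform-set myset
 set peer 192.0.2.1
!
interface FastEthernet0
 ip address 10.2.2.1 255.255.255.0
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 crypto map toRemoteSite
!
ip route 10.0.0.0 255.255.255.0 192.0.2.1
```

After applying both sides, send traffic from a host in 10.0.0.0/24 to one in 10.2.2.0/24 and check that a phase 1 SA appears in show crypto isakmp sa and that the packet counters in show crypto ipsec sa increase; if phase 1 completes but phase 2 does not, compare the two crypto ACLs and transform sets first.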
This section documents changes to the crypto ipsec transform-set and crypto isakmp policy commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 Security Configuration Guide in the "Internet Key Exchange Security Protocol Commands" chapter and the "IPSec Network Security Commands" chapter.
To define a transform set---an acceptable combination of security protocols and algorithms---use the crypto ipsec transform-set global configuration command. This command is documented in the Cisco IOS Release 12.0 Security Command Reference.
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
| Syntax | Description |
|---|---|
| transform-set-name | Specify the name of the transform set to create (or modify). |
| transform1 [transform2 [transform3]] | Specify up to three "transforms." These transforms define the IPSec security protocol(s) and algorithm(s). Accepted transform values are described in the "Usage Guidelines" section. |
None
Global configuration. This command invokes the crypto transform configuration mode.
This command first appeared in Cisco IOS Release 11.3 T. The esp-3des option first appeared in Cisco IOS Release 12.0(1) XA.
Acceptable combinations of transforms are shown in Table 1.
| AH Transform (pick up to one) | | ESP Encryption Transform (pick up to one) | | ESP Authentication Transform (pick up to one, only if you also selected esp-des or esp-3des, not esp-rfc1829) | |
|---|---|---|---|---|---|
| Transform | Description | Transform | Description | Transform | Description |
| ah-md5-hmac | AH with the MD5 (HMAC variant) authentication algorithm | esp-des | ESP with the 56-bit DES encryption algorithm | esp-md5-hmac | ESP with the MD5 (HMAC variant) authentication algorithm |
| ah-sha-hmac | AH with the SHA (HMAC variant) authentication algorithm | esp-3des | ESP with the 168-bit DES encryption algorithm (3DES or Triple DES) | esp-sha-hmac | ESP with the SHA (HMAC variant) authentication algorithm |
| ah-rfc1828 | Older version of the AH protocol (per RFC 1828) | esp-rfc1829 | Older version of the ESP protocol (per RFC 1829); does not allow an accompanying ESP authentication transform | | |
Examples of acceptable transform combinations (at most one transform from each column of Table 1, with an ESP authentication transform only alongside esp-des or esp-3des) are:

- ah-md5-hmac
- esp-des
- esp-3des and esp-md5-hmac
- ah-sha-hmac and esp-des and esp-sha-hmac
- ah-rfc1828 and esp-rfc1829
The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.
This example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.
```
crypto ipsec transform-set newer esp-3des esp-sha-hmac
crypto ipsec transform-set older ah-rfc1828 esp-rfc1829
```
initialization-vector size
mode
set transform-set
show crypto ipsec transform-set
encryption {des | 3des}

| Syntax | Description |
|---|---|
| des | Specifies 56-bit DES-CBC as the encryption algorithm. |
| 3des | Specifies 168-bit DES (3DES) as the encryption algorithm. |
The 56-bit DES-CBC encryption algorithm.
ISAKMP policy configuration (config-isakmp)
This command first appeared in Cisco IOS Release 11.3 T. The 3des option first appeared in Cisco IOS Release 12.0(1) XA.
Use this command to specify the encryption algorithm to be used in an IKE policy.
```
router(config)# crypto isakmp policy
router(config-isakmp)# encryption 3des
router(config-isakmp)#
```
authentication (IKE policy)
crypto isakmp policy
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy