
Table Of Contents

IP Security

IPSec Policies

Add or Edit IPSec Policy

Add or Edit Crypto Map: General Panel

Add or Edit Crypto Map: Peer Information Panel

Add or Edit Crypto Map: Transform Sets Panel

Add or Edit Crypto Map: IPSec Rules Panel

Dynamic Crypto Map Sets

Add or Edit Dynamic Crypto Map Set

Associate Crypto Map with this IPSec Policy

IPSec Profiles

Add or Edit IPSec Profile and Add Dynamic Crypto Map

Transform Set

Add or Edit Transform Set

IPSec Rules


IP Security


IP Security (IPSec) is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec.

SDM lets you configure IPSec transform sets, rules, and policies.

Use the IPSec tree to go to the IPSec configuration windows that you want to use.

IPSec Policies

This window displays the IPSec policies configured on the router, and the crypto maps associated with each policy. IPSec policies are used to define VPN connections. To learn about the relationship between IPSec policies, crypto maps, and VPN connections, see More about VPN Connections and IPSec Policies.

Icon

If this icon appears next to the IPSec policy, it is read-only, and it cannot be edited. An IPSec policy may be read-only if it contains commands that SDM does not support.


Name

The name of this IPSec policy.

Type

One of the following:

ISAKMP—IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. SDM supports Internet Security Association and Key Management Protocol (ISAKMP) crypto maps.

Manual—IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

SDM does not support the creation of manual crypto maps. SDM treats as read-only any manual crypto maps that have been created using the command-line interface (CLI).

Dynamic—Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device.

SDM does not support the creation of dynamic crypto maps. SDM treats as read-only any dynamic crypto maps created using the CLI.

Crypto Maps in this IPSec policy

Name

The name of the IPSec policy of which the crypto map is a part.

Seq. No.

When an IPSec policy is used in a VPN connection, the combination of the sequence number and IPSec policy name uniquely identifies the connection.

Peers

This column lists the IP addresses or host names of the peer devices specified in the crypto map. Multiple peers are separated by commas.

Transform Set

This column lists the transform sets used in the crypto map.

Dynamic Crypto Maps Sets in this IPSec Policy

Dynamic Crypto Map Set Name

The name of this dynamic crypto map set. Names enable administrators to understand how the crypto map set is used.

Sequence Number

The sequence number for this dynamic crypto map set.

Type

Type is always Dynamic.

What Do You Want to Do?

If you want to:
Do this:

Add an IPSec policy to the configuration.

Click Add.

Edit an existing IPSec policy.

Select the policy, and click Edit.

Remove a crypto map entry from a policy.

Select the policy, and click Edit. In the window, select the crypto map you want to remove, and click Delete. Then, click OK to return to this window.

Remove an IPSec policy.

Select the policy, and click Delete.


Add or Edit IPSec Policy

Use this window to add or edit an IPSec policy.

Name

The name of this IPSec policy. This name can be any set of alphanumeric characters. It may be helpful to include the peer names in the policy name, or to include other information that will be meaningful to you.

Crypto Maps in this IPSec policy

This box lists the crypto maps in this IPSec policy. The list includes the name, the sequence number, and the transform sets that make up each crypto map. You can select a crypto map and edit it or delete it from the IPSec policy.

If you want to add a crypto map, click Add. If you want SDM to guide you through the process, check Use Add Wizard, and then click Add.

Icon

If a crypto map is read-only, the read-only icon appears in this column. A crypto map may be read-only if it contains commands that SDM does not support.


Dynamic Crypto Maps Sets in this IPSec Policy

This box lists the dynamic crypto map sets in this IPSec policy. Use the Add button to add an existing dynamic crypto map set to the policy. Use the Delete button to remove a selected dynamic crypto map set from the policy.

What Do You Want to Do?

If you want to:
Do this:

Add a crypto map to this policy.

Click Add, and create a crypto map in the Add crypto map panels. Or, check Use Add Wizard, and then click Add.


Note The wizard allows you to add only one transform set to the crypto map. If you need multiple transform sets in the crypto map, do not use the wizard.


Edit a crypto map in this policy.

Select the crypto map, click Edit, and edit the crypto map in the Edit crypto map panels.

Remove a crypto map from this policy.

Select the crypto map, and click Delete.


Add or Edit Crypto Map: General Panel

Change general crypto map parameters in this window. This window contains the following fields.

Name of IPSec Policy

A read-only field that contains the name of the policy in which this crypto map is used.

Description

Enter or edit a description of the crypto map in this field. This description appears in the VPN Connections list, and it can be helpful in distinguishing this crypto map from others in the same IPSec policy.

Sequence Number

A number that, along with the IPSec policy name, is used to identify a connection. SDM generates a sequence number automatically. You can enter your own sequence number if you wish.

Security Association Lifetime

IPSec security associations use shared keys. These keys and their security associations time out together. There are two lifetimes: a timed lifetime and a traffic-volume lifetime. The security association expires when the first of these lifetimes is reached, and the peers then negotiate a new security association with fresh keys.

You can use this field to specify a security association lifetime for this crypto map that differs from the lifetime specified globally. You can specify the lifetime as a number of kilobytes sent, as hours, minutes, and seconds, or both. If both are specified, the lifetime expires when the first criterion is met. The maximum number of kilobytes you can specify is 4608000, and the maximum time is 1 hour. A shorter lifetime limits how much traffic is exposed if one key is compromised, at the cost of more frequent rekeying.

Enable Perfect Forwarding Secrecy

Without PFS, the keys for each new IPSec security association are derived from the secret that the IKE exchange established, so a compromise of that secret exposes every key derived from it. Perfect Forward Secrecy (PFS) performs a fresh Diffie-Hellman exchange for each IPSec security association, so that each key is derived independently and a compromise of one key does not expose the others. If you enable PFS, you can specify Diffie-Hellman group 1 (768-bit), group 2 (1024-bit), or group 5 (1536-bit). The group must match on both peers; prefer the largest group both support, since group 1 is no longer considered adequate.


Note If your router does not support group5, it will not appear in the list.


Enable Reverse Route Injection

Reverse Route Injection (RRI) automatically adds static routes for the networks or hosts protected by this crypto map to the routing table of the router, so that an internal router running Open Shortest Path First (OSPF) protocol or Routing Information Protocol (RIP) can learn them through redistribution. RRI is used for remote VPN clients and for LAN-to-LAN sessions.

On an Easy VPN server, Reverse Route Injection dynamically adds static routes for the clients that are connected to the server.

Add or Edit Crypto Map: Peer Information Panel

Use this panel to add or edit crypto map peer information. The list of peers associated with this crypto map is shown in the Current List box. You can add new peers, remove peers, or edit them. You can specify a peer using either an IP address or a host name. Multiple peers provide redundancy: if the first peer in the list does not respond, the router tries the next one. A host name must be resolved through DNS before the tunnel can be built, so an IP address avoids that dependency.

If you want to:
Do this:

Add a peer to the Current List.

Click Add, and enter the IP address or host name of the peer.

Remove a peer from the Current List.

Select the peer, and click Remove.


Add or Edit Crypto Map: Transform Sets Panel

Use this window to add, edit, and order the transform sets used in the crypto map. The devices at both ends of the VPN connection must use the same transform set, and they can negotiate to determine which transform set to use. Configuring multiple transform sets helps ensure that the router can offer a transform set that the negotiating peer can agree to use. Because the peer may accept any set you offer, include only sets you are willing to use, and list the strongest first.


Note A crypto map can contain a maximum of 6 transform sets.


Available Transform Sets

Configured transform sets available for use in crypto maps. If no transform sets have been configured on the router, this list contains the default transform sets that SDM provides.


Note Not all routers support all transform sets (encryption types). Unsupported transform sets will not appear in the screen.

Not all IOS images support all the transform sets that SDM supports. Transform sets unsupported by the IOS image will not appear in the screen.

If hardware encryption is turned on, only those transform sets supported by both hardware encryption and the IOS image will appear in the screen.


Selected Transform Sets

The transform sets that have been selected for this crypto map, in the order in which they will be used. Both ends of a VPN connection must use the same transform set, and they can negotiate to determine which set to use. Configuring multiple transform sets helps ensure that your router can offer a transform set that the peer will accept. During negotiations, the router will offer transform sets in the order given in this list. You can use the up and down arrow buttons to reorder the list.

What Do You Want to Do?

If you want to:
Do this:

Add a transform set to the Selected Transform Sets box.

Select a transform set in the Available Transform Sets box, and click the right-arrow button.

Remove a transform set from the Selected Transform Sets box.

Select the transform set you want to remove, and click the left-arrow button.

Change the preference order of the selected transform sets.

Select a transform set, and click the up button or the down button.

Add a transform set to the Available Transform Sets list.

Click Add, and configure the transform set in the Add Transform Set window.

Edit a transform set in the Available Transform Sets list.

Click Edit, and configure the transform set in the Edit Transform Set window.


Add or Edit Crypto Map: IPSec Rules Panel

Use this screen to add or change the IPSec rule used in this crypto map. IPSec rules contain access rule entries that determine the traffic to be encrypted. The IPSec rule field shows the name of the IPSec rule in use.


Note If you are adding an IPSec rule for a VPN connection that uses a tunnel interface, the rule must specify the same source and destination data as the tunnel configuration.


To add or change the IPSec rule for this crypto map:


Step 1 Click the button to the right of the IPSec Rule field.

Step 2 Click Select an existing rule (ACL) if the rule you want to use has already been created, select the rule, and click OK.


Note IPSec rules must be extended rules, not standard rules. If the number or name you enter identifies a standard rule, SDM will display a warning message when you click OK.


Step 3 Click Create a new rule and select if the rule you need has not been created. Create the rule, and click OK.

Step 4 Click OK if you want to close the crypto map window, or click another tab if you want to work in another panel.
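The four panels above (General, Peer Information, Transform Sets, and IPSec Rules) together build one crypto map entry of the kind the IPSec Policies window lists. The following Cisco IOS CLI configuration is an added example of the result, not text from this page or from SDM; the policy name VPN-MAP, the transform set names, the peer addresses 203.0.113.2 and 203.0.113.3, the protected networks, the pre-shared key, and the interface name are assumed values. The IKE policy and pre-shared keys are included because a crypto map of type ISAKMP cannot bring up a security association without them, although SDM configures them in a different window.

```cisco
! --- IKE phase 1 (configured outside this page, shown because the crypto
! --- map type is ISAKMP): policy and pre-shared keys for the two peers.
! --- Peer addresses and the key value are assumed example values.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key ExampleKey-ChangeMe address 203.0.113.2
crypto isakmp key ExampleKey-ChangeMe address 203.0.113.3
!
! --- Transform sets (Transform Sets panel). The crypto map entry offers
! --- them in the order given in its set transform-set command, strongest first.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TS-AES128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! --- IPSec rule (IPSec Rules panel): an extended ACL whose permit entries
! --- define the traffic to protect. Networks are assumed values.
ip access-list extended VPN-BRANCH-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! --- IPSec policy VPN-MAP, crypto map entry with sequence number 10
! --- (General panel). Policy name plus sequence number identify the connection.
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site to branch office
 set peer 203.0.113.2
 set peer 203.0.113.3
 set transform-set TS-AES256-SHA TS-AES128-SHA
 set pfs group5
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 reverse-route
 match address VPN-BRANCH-TRAFFIC
!
! --- The policy does nothing until the crypto map set is applied to the
! --- interface that faces the peers.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
```

The two set peer lines give the failover described in the Peer Information panel: the router tries 203.0.113.2 first and falls back to 203.0.113.3 if it does not answer. The two lifetime commands correspond to the timed and traffic-volume lifetimes of the General panel, and whichever is reached first ends the security association. After the configuration is applied, show crypto map lists the entry with its peers, transform sets, PFS group, lifetimes, and access list, and show crypto ipsec sa shows whether security associations exist and how much of each lifetime remains; a packet matching a permit entry in VPN-BRANCH-TRAFFIC is what triggers the negotiation.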


Dynamic Crypto Map Sets

This window lists the dynamic crypto map sets configured on the router.

Add/Edit/Delete Buttons

Use these buttons to add, edit, or delete the dynamic crypto map sets listed in the window. If you try to delete a dynamic crypto map set that is associated with an IPSec policy, SDM prevents you from doing so. You must disassociate the set from the policy before deleting it. You can do this in the IPSec Policies window.

Name

The name of the dynamic crypto map.

Type

Always Dynamic.

Add or Edit Dynamic Crypto Map Set

Add or edit a dynamic crypto map set in this window.

Name

If you are adding a dynamic crypto map, enter the name in this field. If you are editing a crypto map set, this field is disabled, and you cannot change the name.

Crypto maps in this IPSec Policy

This area lists the crypto maps used in this set. Use the Add, Edit, and Delete buttons to add, remove, or modify crypto maps in this list.

Associate Crypto Map with this IPSec Policy

Sequence Number

Enter a sequence number to identify this crypto map set. This sequence number cannot be in use by any other crypto map set.

Select the Dynamic Crypto Map Set

Select the dynamic crypto map set you want to add from this list.

Crypto Maps in this Dynamic Crypto Map Set

This area lists the names, sequence numbers, and peers in the dynamic crypto map set you selected.
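The Dynamic Crypto Map Sets window, the Add or Edit Dynamic Crypto Map Set window, and the Associate Crypto Map with this IPSec Policy window above describe a policy template and its attachment to a policy. The following Cisco IOS CLI configuration is an added example of what that produces, not text from this page or from SDM; the set name DYN-REMOTE, the policy name VPN-MAP, the transform set name, and the interface name are assumed values.

```cisco
! --- Transform set offered to peers whose addresses are not known in advance
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
! --- Dynamic crypto map set DYN-REMOTE (assumed name), entry 10.
! --- It is a template: no set peer and no match address are required,
! --- because the connecting peer proposes its own address and the traffic
! --- it wants protected during negotiation. Everything else is pinned here
! --- so that a peer cannot negotiate a weaker transform set or skip PFS.
crypto dynamic-map DYN-REMOTE 10
 set transform-set TS-AES256-SHA
 set pfs group5
 reverse-route
!
! --- Associate the dynamic set with IPSec policy VPN-MAP. The sequence
! --- number must be unused in VPN-MAP and should be the highest one, so
! --- that static entries (which name an explicit peer) are evaluated first
! --- and the dynamic template is only the fallback.
crypto map VPN-MAP 65535 ipsec-isakmp dynamic DYN-REMOTE
!
! --- The crypto map set is applied to the interface that the peers reach
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

A dynamic entry only responds to negotiations that a remote peer initiates; the router never initiates from it, which is why it has no peer of its own. The template does not relax authentication: the peer still has to authenticate in IKE with a pre-shared key or certificate before the template is used, and reverse-route adds a route for the peer's protected networks only once the security association is up.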

IPSec Profiles

This window lists configured IPSec profiles on the router. IPSec profiles consist of one or more configured transform sets; the profiles are applied to mGRE tunnels to define how tunneled traffic is encrypted.

Name

The name of the IPSec profile.

Transform Set

The transform sets used in this profile.

Description

A description of the IPSec profile.

Add

Click to add a new IPSec profile.

Delete

Click to delete the selected IPSec profile. If the profile you are deleting is currently used in a DMVPN tunnel, you must first configure the DMVPN tunnel to use a different IPSec profile.

Add or Edit IPSec Profile and Add Dynamic Crypto Map

Use this window to add or to edit an IPSec profile, or to add a dynamic crypto map.

Name

Enter a name for this profile.

Available Transform Sets

This column lists the transform sets configured on this router. To add a transform set from this list to the Selected Transform Sets column, select a transform set and click the right arrow (>>) button.

If you need to configure a new transform set, click the Transform Sets node in the IPSec tree to go to the Transform Sets window. In that window, click Add to create a new transform set.

Selected Transform Sets

This column lists the transform sets that you are using in this profile. You can select multiple transform sets so that the router you are configuring and the router at the other end of the tunnel can negotiate which transform set to use.
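The IPSec Profiles window and the Add or Edit IPSec Profile window above describe a profile applied to an mGRE tunnel rather than to an interface. The following Cisco IOS CLI configuration is an added example of that arrangement on a DMVPN hub, not text from this page or from SDM; the profile name DMVPN-PROF, the transform set name, the tunnel addresses, the tunnel key, and the NHRP network ID are assumed values, and the NHRP lines belong to the DMVPN configuration and are shown only so that the tunnel interface is complete.

```cisco
! --- Transform set for GRE over IPSec. Transport mode suffices here: the
! --- GRE packet is already addressed to the remote tunnel endpoint, so only
! --- the GRE payload needs protection and there is no second outer header.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
! --- IPSec profile DMVPN-PROF (assumed name): lists the transform sets the
! --- tunnel may negotiate. No peer and no access list: the tunnel interface
! --- supplies both, which is why a profile, not a crypto map, is used here.
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES256-SHA
!
! --- mGRE tunnel on the hub. Addresses, tunnel key, and NHRP values are
! --- assumed; the ip nhrp lines are DMVPN configuration, not IPSec.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

With tunnel protection, every packet that leaves Tunnel0 is protected, so there is no IPSec rule to get wrong; the Delete caveat above follows from this, because removing DMVPN-PROF while Tunnel0 references it would leave the tunnel without protection. show crypto ipsec sa lists one security association per spoke that has registered.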

Transform Set

This screen allows you to view transform sets, add new ones, and edit or remove existing transform sets. A transform set is a particular combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

You can create multiple transform sets and then specify one or more of them in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list.

During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers. When that transform set is found, it is selected and applied to the protected traffic as part of both peers' IPSec security associations.

Name

Name given to the transform set.

ESP Encryption

SDM recognizes the following ESP encryption types:

ESP_DES—Encapsulating Security Payload (ESP), Data Encryption Standard (DES). DES uses a 56-bit key, which can be recovered by exhaustive search; use it only when the peer supports nothing stronger.

ESP_3DES—ESP, Triple DES. 3DES applies DES three times with a 168-bit key and is far stronger than DES, but it is slower than AES.

ESP_AES_128—ESP, Advanced Encryption Standard (AES). Encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than 3DES.

ESP_AES_192—ESP, AES encryption with a 192-bit key.

ESP_AES_256—ESP, AES encryption with a 256-bit key.

ESP_NULL—Null encryption algorithm: the ESP transform is used, but the payload is not encrypted and is readable on the network. Combine it with an ESP integrity algorithm when you need integrity without confidentiality.

ESP_SEAL—ESP with the Software Encryption Algorithm (SEAL), which uses a 160-bit key. SEAL is a software-only alternative to DES, 3DES, and AES that has a lower impact on the CPU than the other software-based algorithms. Easy VPN servers do not support it.

ESP Integrity

Indicates the integrity algorithm being used. This column will contain a value when the transform set is configured to provide both data integrity and encryption. The column will contain one of the following values:

ESP-MD5-HMAC—Message Digest 5, Hash-based Message Authentication Code (HMAC).

ESP-SHA-HMAC—Secure Hash Algorithm (SHA-1), HMAC.

AH Integrity

Indicates the AH integrity algorithm being used. This column contains a value when the transform set includes an Authentication Header (AH) transform. AH protects the IP header as well as the data, and it can be used alone (integrity without encryption) or together with ESP encryption. The column will contain one of the following values:

AH-MD5-HMAC—Message Digest 5, HMAC.

AH-SHA-HMAC—Secure Hash Algorithm (SHA-1), HMAC.

IP Compression

Indicates whether IP data compression is used.


Note If your router does not support IP compression, this box will be disabled.


Mode

This column contains one of the following values:

Tunnel—The entire original IP packet, headers and data, is encapsulated and encrypted, and a new outer IP header is added. This is the mode used in VPN configurations, where the router protects traffic on behalf of other hosts.

Transport—Only the data (the IP payload) is encrypted; the original IP header is sent in the clear. This mode is used when the encryption endpoints and the communication endpoints are the same.

Type

Either User Defined or SDM Default.

What Do You Want to Do?

If you want to:
Do this:

Add a new transform set to the router's configuration.

Click Add, and create the transform set in the Add Transform Set window.

Edit an existing transform set.

Select the transform set, and click Edit. Then edit the transform set in the Edit Transform Set window.


Note SDM Default transform sets are read-only and cannot be edited.


Delete an existing transform set.

Select the transform set, and click Delete.


Note SDM Default transform sets are read-only and cannot be deleted.



Add or Edit Transform Set

Use this window to add or edit a transform set.

To obtain a description of the allowable transform combinations, and descriptions of the transforms, click Allowable Transform Combinations.


Note Not all routers support all transform sets (encryption types). Unsupported transform sets will not appear in the screen.

Not all IOS images support all the transform sets that SDM supports. Transform sets unsupported by the IOS image will not appear in the screen.

If hardware encryption is turned on, only those transform sets supported by both hardware encryption and the IOS image will appear in the screen.

Easy VPN servers only support tunnel mode. Transport mode is not supported by Easy VPN servers.

Easy VPN Servers only support transform sets with ESP encryption. Easy VPN servers do not support the AH algorithm.

Easy VPN Servers do not support ESP-SEAL encryption.


Name of this transform set

This can be any name that you want. The name does not have to match the name in the transform set that the peer uses, but it may be helpful to give corresponding transform sets the same name.

Data integrity and encryption (ESP)

Check this box if you want to provide Encapsulating Security Payload (ESP) data integrity and encryption.

Integrity Algorithm

Select one of the following:

ESP_MD5_HMAC. Message Digest 5.

ESP_SHA_HMAC. Secure Hash Algorithm (SHA-1).

Encryption

SDM recognizes the following ESP encryption types:

ESP_DES. Encapsulating Security Payload (ESP), Data Encryption Standard (DES). DES uses a 56-bit key, which can be recovered by exhaustive search; use it only when the peer supports nothing stronger.

ESP_3DES. ESP, Triple DES. 3DES applies DES three times with a 168-bit key and is far stronger than DES, but it is slower than AES.

ESP_AES_128. ESP, Advanced Encryption Standard (AES). Encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than 3DES.

ESP_AES_192. ESP, AES encryption with a 192-bit key.

ESP_AES_256. ESP, AES encryption with a 256-bit key.

ESP_SEAL. ESP with the Software Encryption Algorithm (SEAL), which uses a 160-bit key. SEAL is a software-only alternative to DES, 3DES, and AES that has a lower impact on the CPU than the other software-based algorithms. Easy VPN servers do not support it.

ESP_NULL. Null encryption algorithm: the ESP transform is used, but the payload is not encrypted and is readable on the network. Combine it with an ESP integrity algorithm when you need integrity without confidentiality.


Note The types of ESP encryption available depend on the router. Depending on the type of router you are configuring, one or more of these encryption types may not be available.


Data and address integrity without encryption (AH)

This check box and the fields below it appear if you click Show Advanced.

Check this box if you want the router to provide Authentication Header (AH) data and address integrity. The authentication header will not be encrypted.

Integrity Algorithm

Select one of the following:

AH_MD5_HMAC—Message Digest 5.

AH_SHA_HMAC—Secure Hash Algorithm (SHA-1).

Mode

Select which parts of the traffic you want to encrypt:

Transport. Encrypt data only—Transport mode is used when both endpoints support IPsec; this mode places the AH or ESP header after the original IP header, so only the IP payload is protected and the original addresses remain visible. This method allows users to apply network services such as quality-of-service (QoS) controls to encrypted packets. Transport mode should be used only when the destination of the data is always the remote VPN peer.

Tunnel. Encrypt data and IP header—Tunnel mode provides stronger protection than transport mode. Because the entire IP packet is encapsulated within AH or ESP, a new IP header is attached, and the entire datagram can be encrypted. Tunnel mode allows network devices such as a router to act as an IPsec proxy for multiple VPN users; tunnel mode should be used in those configurations.

IP Compression (COMP-LZS)

Check this box if you want to use data compression.


Note Not all routers support IP compression. If your router does not support IP compression, this box is disabled.
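The Transform Set window and the Add or Edit Transform Set window above describe the choices of encryption, integrity, mode, and compression. The following Cisco IOS CLI configuration is an added example, not text from this page or from SDM, that puts the weak combination beside the ones worth using and shows the AH, ESP_NULL, transport-mode, and compression options as transform sets; all set names are assumed values.

```cisco
! --- The weak combination: single DES (56-bit key) with MD5. DES keys can
! --- be recovered by exhaustive search; keep this only as the set to replace.
crypto ipsec transform-set TS-WEAK esp-des esp-md5-hmac
!
! --- The strong choice among the options on this page: AES-256 with SHA HMAC.
! --- Tunnel mode is the default and is the only mode an Easy VPN server accepts.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- ESP integrity without confidentiality: ESP_NULL plus an HMAC. The
! --- payload crosses the network readable; use it only where that is intended.
crypto ipsec transform-set TS-NULL-SHA esp-null esp-sha-hmac
!
! --- AH integrity (covers the IP header too) combined with ESP encryption.
! --- Not usable with an Easy VPN server, which accepts ESP-only sets.
crypto ipsec transform-set TS-AH-ESP ah-sha-hmac esp-aes 256 esp-sha-hmac
!
! --- Transport mode with IP compression (COMP-LZS), for traffic whose
! --- destination is the IPSec peer itself. On a router without compression
! --- support the COMP-LZS box is disabled and this set cannot be created.
crypto ipsec transform-set TS-AES256-TRANSPORT esp-aes 256 esp-sha-hmac comp-lzs
 mode transport
```

show crypto ipsec transform-set lists every set with its transforms and mode, which is the quickest way to confirm that no crypto map still references TS-WEAK after it has been replaced. A set is only a proposal: the peer must have an identical combination, so the integrity algorithm, encryption algorithm, and mode all have to match on the other side before the security association can be negotiated.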


IPSec Rules

This window shows the IPSec rules configured for this router. IPSec rules define which traffic IPSec will encrypt. The top part of the window lists the access rules defined. The bottom part shows the access rule entries for the access rule selected in the rule list.

IPSec rules contain source and destination IP address information and, optionally, the protocol and port (the Service column) of the traffic. Packets that match a permit entry in the rule are encrypted. Packets that match a deny entry, or that match no entry at all, are sent unencrypted, so a mistake in the rule leaks traffic in the clear rather than blocking it.

Name/Num

The name or number of this rule.

Used By

Which crypto maps this rule is used in.

Type

IPSec rules must specify both source and destination and must be able to specify the type of traffic the packet contains. Therefore, IPSec rules are extended rules.

Description

A textual description of the rule, if available.

Action

Either Permit or Deny. Permit means that packets matching the criteria in this rule are protected by encryption. Deny means that matching packets are sent unencrypted; it does not block them. For more information see Meanings of the Permit and Deny Keywords.

Source

An IP address or keyword that specifies the source of the traffic. Any specifies that the source can be any IP address. An IP address in this column may appear alone, or it may be followed by a wildcard mask. If present, the wildcard mask specifies the portions of the IP address that the source IP address must match. For more information, see IP Addresses and Subnet Masks.

Destination

An IP address or keyword that specifies the destination of the traffic. Any specifies that the destination can be any IP address. An IP address in this column may appear alone, or it may be followed by a wildcard mask. If present, the wildcard mask specifies the portions of the IP address that the destination IP address must match.

Service

The type of traffic that the packet must contain.

What Do You Want to Do?

If you want to:
Do this:

See the access rule entries for a particular rule.

Select the rule in the rule list. The entries for that rule appear in the lower box.

Add an IPSec rule.

Click Add, and create the rule in the rule window displayed.

Delete an IPSec rule.

Select the rule in the rule list, and click Delete.

Delete a particular rule entry.

Select the rule in the rule list, and click Edit. Then, delete the entry in the rule window displayed.

Apply an IPSec rule to an interface.

Apply the rule in the interface configuration window.
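The IPSec Rules window above describes the access rule entries, their Permit and Deny actions, and the wildcard masks in the Source and Destination columns. The following Cisco IOS CLI configuration is an added example of a crypto ACL and its mirror image on the peer, not text from this page or from SDM; the rule name VPN-TRAFFIC, the networks 10.1.0.0/16 and 10.2.0.0/16, and the host 10.2.0.250 are assumed values.

```cisco
! --- Crypto ACL on the headquarters router. Assumed networks: HQ 10.1.0.0/16,
! --- branch 10.2.0.0/16, plus one branch management host 10.2.0.250.
! --- Entries are evaluated top down and the first match wins: a permit entry
! --- protects the packet, a deny entry (or no match at all) sends it in the
! --- clear. Wildcard mask 0.0.255.255 means "match the first two octets,
! --- ignore the last two", i.e. the whole /16; "host" is shorthand for 0.0.0.0.
ip access-list extended VPN-TRAFFIC
 remark SSH to the branch management host is protected (Service column: tcp/22)
 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.250 eq 22
 remark Any other traffic to that host intentionally stays in the clear
 deny   ip 10.1.0.0 0.0.255.255 host 10.2.0.250
 remark Everything else between the two sites is protected
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 remark Implicit deny at the end: all other traffic leaves unencrypted
!
! --- The branch router needs the mirror image: the same entries, in the same
! --- order, with source and destination swapped. Otherwise one side tries to
! --- protect traffic the other side expects in the clear and the proposal fails.
ip access-list extended VPN-TRAFFIC
 permit tcp host 10.2.0.250 eq 22 10.1.0.0 0.0.255.255
 deny   ip host 10.2.0.250 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
```

The rule takes effect through the crypto map entry that references it with match address VPN-TRAFFIC, applied to the interface that carries that crypto map. show access-lists VPN-TRAFFIC shows a match count per entry, which is the simplest way to confirm that traffic is hitting the permit entry rather than falling through to the implicit deny. Cisco's IPsec configuration guidance recommends mirror-image crypto ACLs and recommends against the any keyword in them, because a permit ip any any entry asks the router to protect all outbound traffic and to require protection for all inbound traffic.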




Posted: Fri Oct 7 13:30:22 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.