Configuring Encryption Services

This chapter describes how to configure the Encryption Service Adapter (ESA) module on the Cisco Catalyst 4000 Access Gateway Module (AGM).

This chapter contains the following major sections:

About the Encryption Service Adapter
Configuring the Encryption Service Adapter
Verifying the Configuration
Sample Configurations

About the Encryption Service Adapter

The ESA is a high-performance data encryption module that offloads some of the encryption processing from the AGM main processor and improves performance. The ESA implements data encryption and authentication algorithms on the AGM through a software service called a crypto engine.

The ESA includes a public key math processor and a hardware random number generator. These features support public key cryptography for key generation, key exchange, and authentication. The ESA can encrypt and authenticate two full-duplex T1 or two E1 communication links, and each data line can be channelized with a separate encryption context per channel. The ESA uses Public Key (PK) technology based on the concept of the Protected Entity (PE) and employs IPSec Data Encryption Standard (DES) 56-bit and Triple DES (3DES) 168-bit encryption so that secure data can be transferred between similarly equipped hosts on your network.

Configuring the Encryption Service Adapter

To configure the ESA, perform the procedures in the following sections:

Configure the T1 Channel Group
Configure the Internet Key Exchange Security Protocol
Configuring IPSec Network Security
Configure Encryption on the T1 Channel Group Serial Interface

Configure the T1 Channel Group

The first step toward configuring the ESA is to establish a T1 connection. In order to do this, you must define the characteristics of a configuration group (such as speed and slot number).

To configure the T1 channel group, follow this procedure:

Command Purpose

Step 1 

gateway(config)# controller {t1 | e1} slot/port

Specifies a controller and enters controller configuration mode.

Step 2 

gateway(config-controller)# clock source
{line|internal|loop-timed}

Specifies the clock source for a link.

line specifies that the link uses the recovered clock from the link and is the default setting. Generally, this setting is most reliable.

internal specifies that the DS1 link uses the internal clock.

loop-timed specifies that the T1 or E1 interface takes the clock from the Rx (line) and uses it for Tx. This setting decouples the controller clock from the system-wide clock set with the network-clock-select command.

Step 3 

gateway(config-controller)# framing {sf|esf}

Specifies the framing type for the T1 or E1 data line.

sf specifies Super Frame as the T1 frame type.

esf specifies Extended Super Frame as the T1 frame type.

Step 4 

gateway(config-controller)# linecode
{ami|b8zs|hdb3}

Specifies the line code format.

ami specifies alternate mark inversion (AMI) as the line-code type. Valid for T1 or E1 controllers; the default for T1 lines.

b8zs specifies B8ZS as the line-code type. Valid for T1 controller only.

hdb3 specifies high-density bipolar 3 (hdb3) as the line-code type. Valid for E1 controller only; the default for E1 lines.

Step 5 

gateway(config-controller)# channel-group channel_number timeslots range

Specifies the channel group and time slots to be mapped.

Step 6 

gateway(config-controller)# exit

Returns to global configuration mode.

Configure the Internet Key Exchange Security Protocol

The second step is to establish an Internet Key Exchange (IKE) Security Protocol for encryption.

The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. (For more information on IPSec, see the "Configuring IPSec Network Security" section.)

To configure an IKE Security Protocol, follow this procedure:

Command Purpose

Step 1 

gateway(config)# crypto isakmp policy priority

Creates an IKE policy [1] with a unique priority number and enters Internet Security Association and Key Management Protocol (ISAKMP [2]) policy configuration mode.

Note   You can configure multiple policies on each peer [3], but at least one of these policies must contain exactly the same encryption, authentication, and other parameters as one of the policies on the remote peer.

Step 2 

gateway(config-isakmp)# authentication
{rsa-sig|rsa-encr|pre-share}

Specifies the authentication method to be used in an IKE policy.

Step 3 

gateway(config-isakmp)# exit

Returns to global configuration mode.

Step 4 

gateway(config)# crypto isakmp key keystring {address peer_address | hostname peer_hostname}

Configures the authentication key for each peer that shares a key.

[1] You must create IKE policies at each peer. An IKE policy defines a combination of security parameters to be used during the IKE negotiation. IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers agree upon a policy, the security parameters of the policy are identified by a security association established at each peer, and these security associations apply to all subsequent IKE traffic during the negotiation.

[2] A protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association.

[3] In the context of this document, a peer refers to a Catalyst 4224 or other device that participates in IPSec and IKE.

For information on how to create a private or public key and to download a certificate, visit the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.htm

Configuring IPSec Network Security

The third step is to define how the T1 data will be handled. This requires that you use IPSec (IP Security Protocol) security.

IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

To configure IPSec network security, follow this procedure:

Command Purpose

Step 1 

gateway(config)# crypto ipsec security-association lifetime seconds seconds kilobytes kilobytes

Specifies the lifetime of a security association [1].

As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPSec security associations can be set up more quickly.

The default lifetimes are 3600 seconds (one hour) and 4608000 kilobytes (10 megabytes per second for one hour).

Step 2 

gateway(config)# crypto ipsec transform-set transform_set_name transform1 [transform2 [transform3]]

Specifies a transform set [2] and enters transform-set configuration mode.

To define a transform set, specify one to three transforms; each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the transform set is used during negotiation of IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

Step 3 

gateway(cfg-crypto-trans)# exit

Returns to global configuration mode.

Step 4 

gateway(config)# crypto map map_name seq_num ipsec-isakmp [dynamic dynamic_map_name] [discover]

Creates a crypto map [3] named map_name and enters crypto map configuration mode, unless you use the dynamic keyword.

seq_num is the number you assign to the crypto map entry.

ipsec-isakmp indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic is an optional keyword specifying that this crypto map entry references a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamic_map_name specifies the name of the dynamic crypto map set that should be used as the policy template.

Step 5 

gateway(config-crypto-map)# set peer {hostname | ip_address}

Specifies the same remote IPSec peer that you specified in Step 4 of the previous procedure, Configure the Internet Key Exchange Security Protocol.

Step 6 

gateway(config-crypto-map)# set transform-set transform_set_name

Specifies, for this crypto map entry, the same transform set that you defined in Step 2 of this procedure.

Step 7 

gateway(config-crypto-map)# match address {access_list_number | name}

Specifies the extended access list that selects the traffic this crypto map entry protects. The value must match the access_list_number or name argument of the extended access list created in Step 9.

Step 8 

gateway(config-crypto-map)# exit

Returns to global configuration mode.

Step 9 

gateway(config)# access-list access_list_number {permit | deny} protocol source source_wildcard destination destination_wildcard

Creates an access list [4]. The form shown is the extended IP access list that the match address command in Step 7 expects; the sample configurations in this chapter use list 115.

access_list_number denotes the number of the access list.

permit or deny specifies the condition for this entry. In a crypto access list, permit selects the matching traffic for protection by the crypto map, and deny leaves it unprotected.

source and destination are the IP addresses to which the router compares the addresses being tested.

source_wildcard and destination_wildcard are the wildcard mask bits for the corresponding address in 32-bit, dotted-decimal notation: a 0 bit must match and a 1 bit is ignored.

[1] A security association (SA) describes how two or more entities will utilize security services to communicate securely. For example, an IPSec SA defines the encryption algorithm (if used), the authentication algorithm, and the shared session key to be used during the IPSec connection. Both IPSec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its own SA. The IPSec SA is established either by IKE or by manual user configuration.

[2] A transform set represents a specific combination of security protocols and algorithms. During the IPSec security association negotiation, the peers search for a transform set that is the same on both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of both peers' IPSec security associations.

[3] With IPSec you define what traffic should be protected between two IPSec peers by configuring access lists and applying these access lists to interfaces by way of crypto map sets. A crypto map set can contain multiple entries, each with a different access list. The crypto map entries are searched in order, and the Catalyst 4224 attempts to match the packet to the access list specified in that entry.

[4] Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces, we provide access lists. An access list is a sequential collection of permit and deny conditions that apply to IP addresses.
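The crypto access list in Step 9 and footnote 3 decide which packets a crypto map entry protects, and the wildcard mask is not a subnet mask: a 0 bit must match and a 1 bit is ignored, and the bits need not be contiguous. The following example, added here and not part of Cisco's documentation or software, evaluates packets against an extended access list the way a crypto map's match address does (first match wins, unmatched traffic falls to the implicit deny). The sample list is constructed from the public gateway's access-list 115 in the sample configurations later in this chapter; the helper names are this example's own.

```python
"""Classify a packet against an IOS extended access list as a crypto map's
'match address' does: entries are tested in order, the first match decides,
'permit' means the flow is protected by IPSec, 'deny' means this entry leaves
the flow outside the tunnel, and no match at all is the implicit deny at the
end of every access list. Example added here; not Cisco code."""
import ipaddress

# Constructed sample input: the crypto ACL of the public gateway in the
# "Encrypting Traffic Between Two Networks" sample configuration.
ACL_115 = """
access-list 115 permit ip 98.98.98.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 115 deny ip 98.98.98.0 0.0.0.255 any
"""


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match the base
    address, a 1 bit is 'don't care'. Unlike a CIDR prefix the wildcard need
    not be contiguous, so 0.255.0.255 checks only the first and third octets."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _addr_pair(tokens, i):
    """Read one source or destination spec starting at tokens[i] and return
    ((base, wildcard), next index). Handles 'any', 'host X' and 'X wildcard'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Return [(action, protocol, (src, src_wild), (dst, dst_wild)), ...] in
    configuration order. Port qualifiers after the destination are ignored."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr_pair(t, 4)
        dst, _ = _addr_pair(t, i)
        entries.append((action, proto, src, dst))
    return entries


def classify(entries, src_ip, dst_ip):
    """First-match evaluation: 'permit', 'deny' or 'implicit-deny'."""
    for action, _proto, (sb, sw), (db, dw) in entries:
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action
    return "implicit-deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_115)
    for s, d in (("98.98.98.7", "10.103.1.20"),    # protected by the tunnel
                 ("98.98.98.7", "171.68.120.5"),   # explicitly left in the clear
                 ("99.99.99.2", "10.103.1.20")):   # falls through to implicit deny
        print(f"{s} -> {d}: {classify(acl, s, d)}")
```

Run against a whole crypto list this shows exactly which flows a peer will try to protect; a flow that classifies as deny or implicit-deny on one side but permit on the other is the usual reason a tunnel negotiates on one direction only.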

Configure Encryption on the T1 Channel Group Serial Interface

The fourth step is to configure a T1 serial interface with an IP address and a crypto map.

To configure encryption on the T1 channel group, follow this procedure:

Command Purpose

Step 1 

gateway(config)# interface serial slot/port:channel_group

Selects the serial interface for the channel group created in the first procedure (for example, Serial1/0:0 in the sample configurations) and enters interface configuration mode.

Step 2 

gateway(config-if)# ip address address mask

Specifies an IP address followed by the subnet mask for this interface.

Step 3 

gateway(config-if)# crypto map map_name

Assigns a crypto map to this interface.

Step 4 

gateway(config-if)# exit

Returns to global configuration mode.

Step 5 

gateway(config)# exit

Returns to the enable mode.

Step 6 

gateway# show running-config

Displays the current operating configuration, including any changes just made.

Step 7 

gateway# show startup-config

Displays the configuration currently stored in nonvolatile random-access memory (NVRAM).

Step 8 

gateway# copy running-config startup-config

Writes your changes to NVRAM.

Note   The results of the show running-config and show startup-config commands differ if you have made changes to the configuration but have not yet written them to NVRAM.

For more information about configuration commands and about configuring LAN and WAN interfaces on your switch, refer to the Cisco IOS configuration guides and command references.

Verifying the Configuration

After configuring the new interface, use the following commands to verify that it is operating correctly:

Sample Configurations

The following topics are discussed in this section:

Encrypting Traffic Between Two Networks
Exchanging Encrypted Data Through an IPSec Tunnel

Encrypting Traffic Between Two Networks

The sample configurations in this section show you how to encrypt traffic between a private network (10.103.1.x) and a public network (98.98.98.x) using IPSec. The 98.98.98.x network knows the 10.103.1.x network by the private addresses. The 10.103.1.x network knows the 98.98.98.x network by the public addresses.

Configuration File for the Public Gateway

    gateway-2b# show running-config
    Building configuration...
    
    Current configuration:
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname gateway-2b
    !
    ip subnet-zero
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 95.95.95.2
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map rtp 1 ipsec-isakmp
     set peer 95.95.95.2
     set transform-set rtpset
     match address 115
    !
    interface Ethernet0/0
     ip address 98.98.98.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Ethernet0/1
     ip address 99.99.99.2 255.255.255.0
     no ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     crypto map rtp
    !
    interface Ethernet0/2
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface Ethernet0/3
     no ip address
     no ip directed-broadcast
     shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 99.99.99.1
    no ip http server
    !
    access-list 115 permit ip 98.98.98.0 0.0.0.255 10.103.1.0 0.0.0.255
    access-list 115 deny ip 98.98.98.0 0.0.0.255 any
    !
    line con 0
     transport input none
    line aux 0
    line vty 0 4
     login
    !
    end

Configuration File for the Private Gateway

    gateway-6a# show running-config
    Building configuration...
    
    Current configuration:
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname gateway-6a
    !
    enable secret 5 $1$S/yK$RE603ZNv8N71GDYDbdMWd0
    enable password ww
    !
    ip subnet-zero
    !
    ip audit notify log
    ip audit PO max-events 100
    isdn switch-type basic-5ess
    isdn voice-call-failure 0
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 99.99.99.2
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    crypto map rtp 1 ipsec-isakmp
     set peer 99.99.99.2
     set transform-set rtpset
     match address 115
    !
    interface Ethernet0/0
     no ip address
     no ip directed-broadcast
    !
    interface Serial0/0
     no ip address
     no ip directed-broadcast
     no ip mroute-cache
     shutdown
    !
    interface Ethernet0/1
     no ip address
     no ip directed-broadcast
    !
    interface Serial0/1
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface BRI1/0
     no ip address
     no ip directed-broadcast
     shutdown
     isdn switch-type basic-5ess
    !
    interface Ethernet1/0
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface Serial1/0
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface TokenRing1/0
     no ip address
     no ip directed-broadcast
     shutdown
     ring-speed 16
    !
    interface Ethernet3/0
     ip address 95.95.95.2 255.255.255.0
     no ip directed-broadcast
     ip nat outside
     no ip route-cache
     no ip mroute-cache
     crypto map rtp
    !
    interface Ethernet3/1
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface Ethernet3/2
     ip address 10.103.1.75 255.255.255.0
     no ip directed-broadcast
     ip nat inside
    !
    interface Ethernet3/3
     no ip address
     no ip directed-broadcast
     shutdown
    !
    ip nat pool FE30 95.95.95.10 95.95.95.10 netmask 255.255.255.0
    ip nat inside source route-map nonat pool FE30 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 95.95.95.1
    ip route 171.68.120.0 255.255.255.0 10.103.1.1
    no ip http server
    !
    access-list 110 deny ip 10.103.1.0 0.0.0.255 98.98.98.0 0.0.0.255
    access-list 110 permit ip 10.103.1.0 0.0.0.255 any
    access-list 115 permit ip 10.103.1.0 0.0.0.255 98.98.98.0 0.0.0.255
    access-list 115 deny ip 10.103.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    dialer-list 1 protocol ipx permit
    route-map nonat permit 10
     match ip address 110
    !
    tftp-server flash:cgateway-io3s56i-mz.120-7.T
    !
    line con 0
     transport input none
    line 65 72
    line aux 0
    line vty 0 4
     password WW
     login
    !
    end
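The two gateways above only bring up a tunnel because several settings agree across them: an ISAKMP policy with identical parameters (the Note in the IKE procedure), a transform set that matches exactly (Step 2 of the IPSec procedure), each side's set peer and crypto isakmp key naming the other's crypto-mapped interface with the same pre-shared key, a crypto map actually applied to an interface, and crypto access lists that are mirror images (footnote 3). The following example, added here and not a Cisco tool, parses a pair of running-configs and reports any of those conditions that fail. Its input is constructed from the crypto-relevant lines of gateway-2b and gateway-6a (other interfaces, NAT and deny entries trimmed); the function names and the ISAKMP default table are this example's own.

```python
"""Cross-check two IOS peers for what this chapter requires of them: an IKE
policy with identical parameters, an identical transform set, each side's
'set peer' and 'crypto isakmp key' naming the other's crypto-mapped interface,
equal pre-shared keys, and mirror-image crypto ACLs. Example added here."""

def sample_config(host, my_ip, iface, peer_ip, local_net, remote_net,
                  hash_alg="md5", tset="esp-des esp-md5-hmac"):
    """Constructed input modelled on the gateway-2b / gateway-6a sample above,
    reduced to the crypto-relevant lines (the knobs allow mismatch tests)."""
    return f"""hostname {host}
crypto isakmp policy 1
 hash {hash_alg}
 authentication pre-share
crypto isakmp key cisco123 address {peer_ip}
crypto ipsec transform-set rtpset {tset}
crypto map rtp 1 ipsec-isakmp
 set peer {peer_ip}
 set transform-set rtpset
 match address 115
interface {iface}
 ip address {my_ip} 255.255.255.0
 crypto map rtp
access-list 115 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
"""

PUBLIC_GW = sample_config("gateway-2b", "99.99.99.2", "Ethernet0/1", "95.95.95.2", "98.98.98.0", "10.103.1.0")
PRIVATE_GW = sample_config("gateway-6a", "95.95.95.2", "Ethernet3/0", "99.99.99.2", "10.103.1.0", "98.98.98.0")
# IOS defaults for ISAKMP policy attributes left unset; filled in before comparing.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}

def parse(config):
    """Reduce a running-config to the objects the check needs. Only ACL entries
    written as explicit address/wildcard pairs are kept ('any'/'host' are not expanded)."""
    c = {"hostname": "?", "policies": {}, "keys": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": {}}
    block = []                      # sub-commands of the section being read
    for line in config.splitlines():
        w = line.split()
        if line.startswith(" "):    # indented line belongs to the open block
            block.append(w)
        elif w:                     # a top-level command opens a new block
            block = []
            if w[0] == "hostname":
                c["hostname"] = w[1]
            elif w[:3] == ["crypto", "isakmp", "policy"]:
                c["policies"][w[3]] = block
            elif w[:3] == ["crypto", "isakmp", "key"]:
                c["keys"][w[5]] = w[3]  # peer address -> pre-shared key
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                c["tsets"][w[3]] = frozenset(w[4:])
            elif w[:2] == ["crypto", "map"]:
                c["maps"][(w[2], int(w[3]))] = block
            elif w[0] == "interface":
                c["ifaces"][w[1]] = block
            elif w[0] == "access-list" and len(w) == 8:
                c["acls"].setdefault(w[1], []).append(tuple(w[2:]))
    return c

def policy_attrs(subcmds):
    return frozenset({**POLICY_DEFAULTS, **{w[0]: " ".join(w[1:]) for w in subcmds}}.items())

def binding(c):
    """IP of the crypto-mapped interface plus peer, key, transform set and ACL of the map's lowest entry."""
    for sub in c["ifaces"].values():
        cmap = next((w[2] for w in sub if w[:2] == ["crypto", "map"]), None)
        if cmap is None:
            continue
        entry = c["maps"][(cmap, min(s for m, s in c["maps"] if m == cmap))]
        arg = lambda *p: next((w[len(p)] for w in entry if w[:len(p)] == list(p)), None)
        peer = arg("set", "peer")
        return {"ip": next(w[2] for w in sub if w[:2] == ["ip", "address"]),
                "peer": peer, "key": c["keys"].get(peer),
                "tset": c["tsets"].get(arg("set", "transform-set")),
                "acl": c["acls"].get(arg("match", "address"), [])}
    return None

def check_peers(a, b):
    """Return the problems found; an empty list means the pair is consistent."""
    problems = []
    if not {policy_attrs(s) for s in a["policies"].values()} & {policy_attrs(s) for s in b["policies"].values()}:
        problems.append("no ISAKMP policy has identical parameters on both peers")
    ba, bb = binding(a), binding(b)
    if ba is None or bb is None:
        return problems + [f"{x['hostname']}: no interface has a crypto map applied" for x, bx in ((a, ba), (b, bb)) if bx is None]
    for x, bx, y, by in ((a, ba, b, bb), (b, bb, a, ba)):
        if bx["peer"] != by["ip"]:
            problems.append(f"{x['hostname']}: set peer {bx['peer']} is not {y['hostname']}'s crypto interface {by['ip']}")
        if bx["key"] is None or bx["key"] != by["key"]:
            problems.append(f"{x['hostname']}: pre-shared key for {bx['peer']} is missing or differs from {y['hostname']}")
        if bx["tset"] not in y["tsets"].values():
            problems.append(f"{x['hostname']}: transform set has no exact match on {y['hostname']}")
        mirrors = {(e[0], e[1], e[4], e[5], e[2], e[3]) for e in by["acl"]}
        for e in bx["acl"]:
            if e[0] == "permit" and e not in mirrors:
                problems.append(f"{x['hostname']}: crypto ACL entry '{' '.join(e)}' is not mirrored on {y['hostname']}")
    return problems

if __name__ == "__main__":
    print(check_peers(parse(PUBLIC_GW), parse(PRIVATE_GW)) or "peers consistent")
```

The policy comparison fills in the IOS defaults before comparing, because a policy that sets only hash md5 on one side still has to agree on encryption, group and lifetime with the other; comparing only the lines that appear in the configuration would miss a mismatch in an attribute one peer set and the other left at its default.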

Exchanging Encrypted Data Through an IPSec Tunnel

This section contains sample configuration files for two peer AGMs set up to exchange encrypted data through a secure IPSec tunnel over a channelized T1 interface channel group, serial 1/0:0.

Configuration File for Peer 1

    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Rose
    !
    logging buffered 100000 debugging
    enable password lab
    !
    ip subnet-zero
    no ip domain-lookup
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key pre-shared address 6.6.6.2
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set transform-1 esp-des
    !
    crypto map cmap 1 ipsec-isakmp
     set peer 6.6.6.2
     set transform-set transform-1
     match address 101
    !
    controller T1 1/0
     framing esf
     linecode b8zs
     channel-group 0 timeslots 1-23 speed 64
     channel-group 1 timeslots 24 speed 64
    !
    controller T1 1/1
     channel-group 0 timeslots 1-23 speed 64
     channel-group 1 timeslots 24 speed 64
    !
    process-max-time 200
    !
    interface FastEthernet0/0
     ip address 111.0.0.2 255.0.0.0
     no ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     speed 10
    !
    interface Serial0/0
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface FastEthernet0/1
     ip address 4.4.4.1 255.0.0.0
     no ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     load-interval 30
     speed 10
    !
    interface Serial1/0:0
     bandwidth 1472
     ip address 6.6.6.1 255.0.0.0
     no ip directed-broadcast
     encapsulation ppp
     no ip route-cache
     load-interval 30
     no fair-queue
     crypto map cmap
    !
    interface Serial1/0:1
     no ip address
     no ip directed-broadcast
     fair-queue 64 256 0
    !
    interface Serial1/1:0
     no ip address
     no ip directed-broadcast
    !
    interface Serial1/1:1
     no ip address
     no ip directed-broadcast
     fair-queue 64 256 0
    !
    router rip
     network 4.0.0.0
     network 6.0.0.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 111.0.0.1
    no ip http server
    !
    access-list 101 deny udp any eq rip any
    access-list 101 deny udp any any eq rip
    access-list 101 permit ip 6.6.6.0 0.0.0.255 6.6.6.0 0.0.0.255
    !
    line con 0
     exec-timeout 0 0
     transport input none
    line aux 0
    line vty 0 4
     password lab
     login
    !
    end

Configuration File for Peer 2

    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Peony
    !
    logging buffered 100000 debugging
    enable password lab
    !
    ip subnet-zero
    no ip domain-lookup
    !
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key pre-shared address 6.6.6.1
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set transform-1 esp-des
    !
    crypto map cmap 1 ipsec-isakmp
     set peer 6.6.6.1
     set transform-set transform-1
     match address 101
    !
    controller T1 1/0
     framing esf
     linecode b8zs
     channel-group 0 timeslots 1-23 speed 64
     channel-group 1 timeslots 24 speed 64
    !
    controller T1 1/1
     channel-group 0 timeslots 1-23 speed 64
     channel-group 1 timeslots 24 speed 64
    !
    process-max-time 200
    !
    interface FastEthernet0/0
     ip address 172.0.0.13 255.0.0.0
     no ip directed-broadcast
     no ip mroute-cache
     load-interval 30
     no keepalive
     speed 10
    !
    interface FastEthernet0/1
     ip address 3.3.3.2 255.0.0.0
     no ip directed-broadcast
     no ip route-cache
     no ip mroute-cache
     load-interval 30
     speed 10
    !
    interface Serial1/0:0
     bandwidth 1472
     ip address 6.6.6.2 255.0.0.0
     no ip directed-broadcast
     encapsulation ppp
     no ip route-cache
     load-interval 30
     no fair-queue
     crypto map cmap
    !
    interface Serial1/0:1
     no ip address
     no ip directed-broadcast
     fair-queue 64 256 0
    !
    interface Serial1/1:0
     no ip address
     no ip directed-broadcast
    !
    interface Serial1/1:1
     no ip address
     no ip directed-broadcast
     fair-queue 64 256 0
    !
    router rip
     network 3.0.0.0
     network 6.0.0.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 111.0.0.1
    no ip http server
    !
    access-list 101 deny udp any eq rip any
    access-list 101 deny udp any any eq rip
    access-list 101 permit ip 6.6.6.0 0.0.0.255 6.6.6.0 0.0.0.255
    !
    line con 0
     exec-timeout 0 0
     transport input none
    line aux 0
    line vty 0 4
     login
    !
    end

Posted: Thu Dec 19 10:06:08 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.