The Encryption Service Adapter (ESA) is a high-performance data encryption module that offloads some of the encryption processing from the Catalyst 4224 main processor and improves performance. The ESA implements data encryption and authentication algorithms on the Catalyst 4224 through a software service called a crypto engine.
The ESA includes a public key math processor and a hardware random number generator. These features support public key cryptography for key generation, exchange, and authentication. The ESA can encrypt and authenticate two full-duplex T1 or two E1 communication links.
Each data line can be channelized with a separate encryption context. The ESA uses Public Key (PK) technology based on the concept of the Protected Entity (PE) and employs IPSec with 56-bit Data Encryption Standard (DES) and 168-bit Triple DES (3DES) encryption to ensure that secure data and information can be transferred between similarly equipped hosts on your network.
This section details how to configure the ESA and includes the following topics:
Configuring the ESA requires four steps, as outlined below:
The first step toward configuring the ESA is to establish a T1 connection. You must define the characteristics of a channel group (such as speed and slot number).
To configure the T1 channel group, follow this procedure:
The second step is to establish an Internet Key Exchange (IKE) Security Protocol for encryption.
The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. (For more information on IPSec, see the "Step 3: Configure IPSec Network Security" section.)
To configure an IKE Security Protocol, follow this procedure:
1. You must create IKE policies at each peer. An IKE policy defines a combination of security parameters to be used during the IKE negotiation. IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers agree upon a policy, the security parameters of the policy are identified by a security association established at each peer, and these security associations apply to all subsequent IKE traffic during the negotiation.
2. A protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association.
3. In the context of this document, a peer refers to a Catalyst 4224 or other device that participates in IPSec and IKE.
For information on how to create a private or public key and to download a certificate, visit the following website:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.htm
The third step is to define how the T1 data will be handled. This requires the IP Security Protocol (IPSec).
IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
To configure IPSec network security, follow this procedure:
Step | Task | Command
---|---|---
Step 1 | Specify the lifetime of a security association [1]. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPSec security associations can be set up more quickly. The default lifetimes are 3600 seconds (one hour) and 4608000 kilobytes (10 megabytes per second for one hour). |
Step 2 | Specify a transform set [2] and enter transform-set configuration mode. To define a transform set, specify one to three "transforms"; each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer. |
Step 3 | |
Step 4 | Create a crypto map [3] denoted by map-name. Enter crypto map configuration mode, unless you use the dynamic keyword. seq-num is the number you assign to the crypto map entry. ipsec-isakmp indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. dynamic is an optional argument specifying that this crypto map entry references a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available. dynamic-map-name specifies the name of the dynamic crypto map set that should be used as the policy template. | Gateway(config)# crypto map map_name seq_num ipsec-isakmp [dynamic dynamic_map_name] [discover]
Step 5 | Specify the same remote IPSec peer that you specified in Step 4 of the previous procedure, "Step 2: Configure the Internet Key Exchange Security Protocol". |
Step 6 | For this crypto map entry, specify the same transform set that you specified in Step 2 of this procedure. | Gateway(config-crypto map)# set transform-set transform_set_name
Step 7 | Specify an extended access list for a crypto map entry. This value should match the access-list-number or name argument of the extended access list. | Gateway(config-crypto map)# match address [access_list_id \| name]
Step 8 | |
Step 9 | access_list_number denotes an IP list number from 1 through 99. permit or deny specifies the permit or deny condition for this list. IP-address is the IP address to which the router compares the address being tested. wild-mask is the wildcard mask bits for the address in 32-bit, dotted decimal notation. |
1. A security association (SA) describes how two or more entities will utilize security services to communicate securely. For example, an IPSec SA defines the encryption algorithm (if used), the authentication algorithm, and the shared session key to be used during the IPSec connection. Both IPSec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its own SA. The IPSec SA is established either by IKE or by manual user configuration.
2. A transform set represents a specific combination of security protocols and algorithms. During the IPSec security association negotiation, the peers search for a transform set that is the same on both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of both peers' IPSec security associations.
3. With IPSec you define what traffic should be protected between two IPSec peers by configuring access lists and applying these access lists to interfaces by way of crypto map sets. A crypto map set can contain multiple entries, each with a different access list. The crypto map entries are searched in order, and the Catalyst 4224 attempts to match the packet to the access list specified in that entry.
4. Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces, Cisco provides access lists. An access list is a sequential collection of permit and deny conditions that apply to IP addresses.
The fourth step is to configure a T1 serial interface with an IP address and a crypto map.
To configure encryption on the T1 channel group, follow this procedure:
For complete information about configuration commands and about configuring LAN and WAN interfaces on your switch, refer to the Cisco IOS configuration guides and command references.
After configuring the new interface, use the following commands to verify that it is operating correctly:
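The four steps above, carried through on both peers as one added example (this is not the page's own sample configuration and not Cisco's). The protected networks 10.103.1.x and 98.98.98.x and the channel-group interface Serial1/0:0 come from the page; the hostnames, the 192.0.2.0/30 addressing of the serial link, the pre-shared key placeholder, access list 101, and the policy, transform-set and crypto map names are assumptions. An extended access list is used because Step 7 of the IPSec procedure calls for one. 3DES with SHA-1 HMAC is chosen because DES and 3DES are what the ESA offloads; later IOS releases also support AES and SHA-2 in software.

```cisco
! Added example (not the page's sample configuration): the four-step ESA procedure on
! two peers. Hostnames, the 192.0.2.0/30 serial addressing, the pre-shared key
! placeholder, ACL 101 and the policy/map/transform-set names are constructed;
! 10.103.1.x, 98.98.98.x and Serial1/0:0 come from the page.
!
! ===== Gateway-A (private side, 10.103.1.0/24 behind it) =====
hostname Gateway-A
!
! Step 1: T1 controller and channel group 0 -> creates interface Serial1/0:0
controller T1 1/0
 framing esf
 linecode b8zs
 clock source line
 channel-group 0 timeslots 1-24 speed 64
!
! Step 2: IKE policy; every parameter must match a policy on the peer
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key bound to the peer's serial address (placeholder value)
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 192.0.2.2
!
! Step 3: IPSec SA lifetimes (the page's defaults, written explicitly),
! transform set, crypto access list and crypto map
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec transform-set ESA-3DES-SHA esp-3des esp-sha-hmac
access-list 101 permit ip 10.103.1.0 0.0.0.255 98.98.98.0 0.0.0.255
crypto map ESA-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ESA-3DES-SHA
 match address 101
!
! Step 4: address the channel-group interface and bind the crypto map to it
interface Serial1/0:0
 ip address 192.0.2.1 255.255.255.252
 crypto map ESA-MAP
!
! ===== Gateway-B (public side, 98.98.98.0/24 behind it) =====
! Identical IKE policy and transform set; only the peer address and the
! direction of the crypto access list are mirrored.
hostname Gateway-B
controller T1 1/0
 framing esf
 linecode b8zs
 clock source line
 channel-group 0 timeslots 1-24 speed 64
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 192.0.2.1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec transform-set ESA-3DES-SHA esp-3des esp-sha-hmac
access-list 101 permit ip 98.98.98.0 0.0.0.255 10.103.1.0 0.0.0.255
crypto map ESA-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESA-3DES-SHA
 match address 101
interface Serial1/0:0
 ip address 192.0.2.2 255.255.255.252
 crypto map ESA-MAP
!
! Verification from privileged EXEC on either peer, after traffic between the
! two networks has been sent:
! show controllers t1 1/0            -> controller and channel group are up
! show crypto isakmp sa              -> IKE SA with the peer in state QM_IDLE
! show crypto ipsec sa               -> encrypt/decrypt counters for ACL 101 increase
! show crypto engine configuration   -> confirms the ESA hardware engine is in use
```

The two crypto access lists are exact mirrors of each other; if they are not (for example, one side lists a /24 and the other a /25), IKE phase 2 fails with a proxy-identity mismatch even though phase 1 succeeds, which is the first thing to check in show crypto ipsec sa when the ISAKMP SA is up but no packets are encrypted.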
Note: Encryption is enabled by default when you install the ESA hardware. If you need to disable hardware encryption, use the no crypto engine accel command. This command is useful for debugging problems with the ESA or for testing features available only with software encryption.
This section contains the following topics:
The sample configurations in this section show you how to encrypt traffic between a private network (10.103.1.x) and a public network (98.98.98.x) using IPSec. The 98.98.98.x network knows the 10.103.1.x network by the private addresses. The 10.103.1.x network knows the 98.98.98.x network by the public addresses.
This section contains sample configuration files for two peer Catalyst 4224s set up to exchange encrypted data through a secure IPSec tunnel over a channelized T1 interface channel group, serial 1/0:0.
Posted: Sat Apr 5 03:54:20 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.