Triple DES for IPSec

IPSec supports the Triple DES encryption algorithm (168-bit) in addition to 56-bit encryption. Triple DES (3DES) is a strong form of encryption that allows sensitive information to be transmitted over untrusted networks. It enables customers, particularly in the finance industry, to utilize network layer encryption.

Platforms

Prerequisites

This feature is available only in software images with the Triple DES encryption feature set for IPSec.

Supported MIBs and RFCs

Configuration Tasks

To configure an IKE policy, use the following commands starting in global configuration mode:

Step	Command	Purpose
1.	crypto isakmp policy priority	Identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) (This command puts you into the config-isakmp command mode.)
2.	encryption 3des	Specify the encryption algorithm.
3.	hash {sha \| md5}	Specify the hash algorithm.
4.	authentication {rsa-sig \| rsa-encr \| pre-share}	Specify the authentication method.
5.	group {1 \| 2}	Specify the Diffie-Hellman group identifier.
6.	lifetime seconds	Specify the security association's lifetime.
7.	exit	Exit the config-isakmp command mode.
8.	exit	Exit the global configuration mode.
9.	show crypto isakmp policy	(Optional) View all existing IKE policies. (Use this command in EXEC mode.)

To configure an IPSec crypto map policy, use the following commands starting in global configuration mode:

Step	Command	Purpose
1.	access-list access-list-number permit ip source source-wildcard destination destination-wildcard	Configure Access Control Lists (ACLs) to permit through the router interface the IP network traffic that you want to protect.
2.	crypto ipsec transform-set transform-set-name esp-3Des	Configure a transform-set that identifies the IPSec triple DES transform to use for encapsulating network traffic.
3.	crypto map map-name seq-num ipsec-isakmp	Create a crypto map that binds together elements of the IPSec configuration. (This command puts you into the crypto map command mode.)
4.	match address [access-list-id \| name]	Specify an extended access list for a crypto map entry.
5.	set transform-set transform-set-name	Specify which transform set can be used with the crypto map entry.
6.	set peer {hostname \| ip-address}	Specify an IPSec peer in a crypto map entry.
7.	exit	Exit the crypto map command mode.
8.	interface type number	Specify an interface on which to apply the crypto map. (This command puts you into the interface command mode.)
9.	crypto map map-name	Apply the previously defined crypto map set to an interface.
10.	exit	Exit the interface command mode.
11.	exit	Exit the global configuration mode.
12.	show crypto map	(Optional) View all existing crypto map policies. (Use this command in EXEC mode.)

Configuration Example

The following is an example of a minimal IPSec configuration where the security associations will be established via IKE. In this example, IKE must be enabled.

A crypto map joins together the IPSec access list and transform set and specifies where the protected traffic is sent (the remote IPSec peer):

Command Reference

This section documents changes to the crypto ipsec transform-set and crypto isakmp policy commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 Security Configuration Guide in the "Internet Key Exchange Security Protocol Commands" chapter and the "IPSec Network Security Commands" chapter.

crypto ipsec transform-set

To define a transform set—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set global configuration command. This command is documented in the Cisco IOS Release 12.0 Security Command Reference.

Syntax Description

Default

Command Mode

Global configuration. This command invokes the crypto transform configuration mode.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3 T. The esp-3des option first appeared in Cisco IOS Release 12.0(1) XA.

Table 1 Selecting Transforms for a Transform Set: Allowed Transform Combinations

AH Transform pick up to one		ESP Encryption Transform pick up to one		ESP Authentication Transform pick up to one, only if you also selected the esp-des transform (not esp-rfc1829)
Transform	Description	Transform	Description	Transform	Description
ah-md5-hmac	AH with the MD5 (HMAC variant) authentication algorithm	esp-des	ESP with the 56-bit DES encryption algorithm	esp-md5-hmac	ESP with the MD5 (HMAC variant) authentication algorithm
ah-sha-hmac	AH with the SHA (HMAC variant) authentication algorithm	esp-3des	ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
ah-rfc1828	older version of the AH protocol (per RFC 1828)	esp-rfc1829	older version of the ESP protocol (per RFC 1829); does not allow an accompanying ESP authentication transform	esp-sha-hmac	ESP with the SHA (HMAC variant) authentication algorithm

Examples of acceptable transform combinations are:

ah-md5-hmac
esp-des
esp-3des and esp-md5-hmac
ah-sha-hmac and esp-des and esp-sha-hmac
ah-rfc1828 and esp-rfc1829

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.

Example

This example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.

 
crypto ipsec transform-set newer esp-3des esp-sha-hmac

 
crypto ipsec transform-set older ah-rfc-1828 esp-rfc1829

Related Commands

initialization-vector size
mode
set transform-set
show crypto ipsec transform-set

encryption (IKE policy)

To specify the encryption algorithm within an IKE policy, use the encryption (IKE policy) ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the encryption algorithm to the default value.

: encryption {des | 3des}
no encryption

Syntax Description

des	Specifies 56-bit DES-CBC as the encryption algorithm.
3des	Specifies 168-bit DES (3DES) as the encryption algorithm.

Default

Command Mode

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3 T. The 3des option first appeared in Cisco IOS Release 12.0(1) XA.

Use this command to specify the encryption algorithm to be used in an IKE policy.

Example

This example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):

Related Commands

authentication (IKE policy)
crypto isakmp policy
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy

transform-set-name	Specify the name of the transform set to create (or modify).
transform1 transform2 transform3	Specify up to three "transforms." These transforms define the IPSec security protocol(s) and algorithm(s). Accepted transform values are described in the "Usage Guidelines" section.

Table of Contents

Triple DES Encryption for IPSec

Feature Summary

Platforms

Prerequisites

Supported MIBs and RFCs

Configuration Tasks

Configuration Example

Command Reference

crypto ipsec transform-set

Syntax Description

Default

Command Mode

Usage Guidelines

Example

Related Commands

encryption (IKE policy)

Syntax Description

Default

Command Mode

Usage Guidelines

Example

Related Commands