Implementing IPSec Network Security on Cisco IOS XR Software
Information About Implementing IPSec Networks
SC-83
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
If the router accepts the peer’s request, at the point that it installs the new IPSec SAs it implicitly installs
a temporary crypto profile entry. This entry is filled in with the results of the negotiation. At this point,
the router performs normal processing, using this temporary crypto profile entry as a normal entry, even
requesting new SAs if the current ones are expiring (based upon the policy specified in the temporary
crypto profile entry). After the flow expires (that is, all of the corresponding SAs expire), the temporary
crypto profile entry is then removed.
Static Crypto Profiles
When static crypto profile entries exist, if outbound traffic matches a permit statement in an access list
and the corresponding SA is not yet established, the router initiates new SAs with the remote peer. In the
case of dynamic crypto profile entries, if no SA existed, the traffic would be dropped because dynamic
crypto profiles are not used for initiating new SAs.
Crypto Access Lists
Crypto access lists are used to define all IP traffic whether or not it is protected by crypto. For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet traffic between Host A and Host B.
The access lists themselves are not specific to IPSec. It is the crypto profile entry referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list.
Crypto access lists associated with IPSec crypto profile entries have four primary functions:
- Select outbound traffic to be protected by IPSec (permit = protect).
- Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when initiating negotiations for IPSec SAs.
- Process inbound traffic to filter and discard traffic that should have been protected by IPSec.
- Determine whether to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is done only for ipsec-isakmp crypto profile entries.) To be accepted, the peer initiating the IPSec negotiation must specify a data flow that is “permitted” by a crypto access list associated with an ipsec-isakmp crypto profile entry.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication
only) and other traffic to receive a different combination of IPSec protection (for example, both
authentication and encryption), you must create two different crypto access lists to define the two
different types of traffic.
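The following Python model is an added illustration, not Cisco code, of the decision logic described in the two sections above: a permit in a crypto access list means "protect", a static crypto profile entry initiates missing SAs while a dynamic entry drops the traffic, and inbound cleartext that should have been protected is discarded. The class and function names, the constructed addresses, and the mirrored inbound match are assumptions made for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class CryptoAcl:
    """Crypto access list: (action, src_net, dst_net) entries.
    'permit' means 'protect with IPSec', not 'forward in the clear'."""
    entries: list

    def match(self, src, dst):
        s, d = ip_address(src), ip_address(dst)
        for action, src_net, dst_net in self.entries:
            if s in ip_network(src_net) and d in ip_network(dst_net):
                return action
        return "deny"   # no entry matched: traffic is not selected for IPSec

@dataclass
class CryptoProfile:
    acl: CryptoAcl
    static: bool                               # True = static, False = dynamic entry
    sas: set = field(default_factory=set)      # established flows as (src, dst)

def outbound(profile, src, dst):
    """Outbound processing: permit = protect. A static entry initiates new SAs
    for a permitted flow with no SA; a dynamic entry drops that traffic."""
    if profile.acl.match(src, dst) != "permit":
        return "bypass"                        # not selected by the crypto ACL
    if (src, dst) in profile.sas:
        return "protect"                       # SA exists: apply IPSec
    if profile.static:
        profile.sas.add((src, dst))            # initiate SAs with the remote peer
        return "initiate-sa"
    return "drop"                              # dynamic entries never initiate SAs

def inbound(profile, src, dst, protected):
    """Inbound processing: the ACL is written for the outbound direction, so the
    flow is matched mirrored (assumption). Cleartext that the ACL says should
    have been protected is discarded."""
    if profile.acl.match(dst, src) == "permit" and not protected:
        return "discard"
    return "accept"

if __name__ == "__main__":
    # Constructed sample: protect everything from 10.0.1.0/24 to 10.0.2.0/24.
    acl = CryptoAcl([("permit", "10.0.1.0/24", "10.0.2.0/24")])
    static_entry = CryptoProfile(acl, static=True)
    dynamic_entry = CryptoProfile(acl, static=False)
    print(outbound(static_entry, "10.0.1.5", "10.0.2.7"))    # initiate-sa
    print(outbound(dynamic_entry, "10.0.1.5", "10.0.2.7"))   # drop
    print(inbound(static_entry, "10.0.2.7", "10.0.1.5", protected=False))  # discard
```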
Transform Sets
A transform set represents a certain combination of security protocols and algorithms. During the IPSec
SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto profile entry. The transform set defined in the crypto profile entry is used in the IPSec SA negotiation to protect the data flows specified by that crypto profile entry’s access list.