IP SECURITY
Internet Protocol Security (IPSec) is a framework of open standards for ensuring secure private communications over IP networks. Based on standards developed by the Internet Engineering Task Force (IETF), IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network. IPSec provides a necessary component for a standards-based, flexible solution for deploying a network-wide security policy.
This document covers the following information for network designers, system engineers, administrators, and users implementing IPSec on Cisco equipment:
Performance factors
Configuration issues
Deployment issues
Example scenarios with configuration files
Review of interoperability among Cisco products and feature sets, and with other vendors' products
Troubleshooting techniques
Examples of debugging messages
IPSec Overview
The IPSec initiative has been proposed to offer a standard way of establishing authentication and encryption services between endpoints. This means not only standard algorithms and transforms, but also standard key negotiation and management mechanisms to promote interoperability between devices by allowing for the negotiation of services between these devices. The Internet Key Exchange (IKE), based on ISAKMP/Oakley, is the protocol used to manage the generation and handling of keys. It is also the protocol by which potential peer devices form Security Associations.
A Security Association (SA) is a negotiated policy, or agreed way of handling the data that will be exchanged between two peer devices; an example of a policy item is the transform used to encrypt data. The active SA parameters are stored in the Security Association Database (SAD).
SAs for both IKE and IPSec are negotiated by IKE over various phases and modes:
Phase 1: IKE negotiates IKE SAs during this phase. Two modes can be used for phase 1:
Main mode is used in the vast majority of situations.
Aggressive mode is used under rare circumstances, given particular configuration parameters between two systems.
The user has no control over which mode is chosen. The router automatically chooses a mode, depending on the configuration parameters set up on both peers.
Phase 2: IKE negotiates IPSec SAs during this phase. The only phase 2 exchange is quick mode.
IPSec SAs terminate through deletion or by timing out. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are needed for a flow, IKE performs a new phase 2 and, if necessary, a new phase 1 negotiation. A successful negotiation results in new SAs and new keys. New SAs can be established before the existing SAs expire, so that a given flow can continue uninterrupted.
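The lifecycle just described (SAs held in the SAD, keys discarded on deletion or timeout, a new phase 2 and, only when the IKE SA has lapsed, a new phase 1, with replacement SAs negotiated before the old ones expire so a flow is never interrupted) can be made concrete with a small model. The following is an added illustration, not code from this document or Cisco IOS; the lifetimes, the rekey margin, the peer address and the transform string are assumptions chosen for the example, and the packet stream is constructed.

```python
# Added illustration (not from the Cisco document): a toy model of the
# IPSec Security Association Database (SAD) and the rekeying behaviour the
# text describes. All constants, names and the "traffic" are constructed.
from dataclasses import dataclass
import secrets

IKE_SA_LIFETIME = 86400      # assumed phase 1 (IKE SA) lifetime, seconds
IPSEC_SA_LIFETIME = 3600     # assumed phase 2 (IPSec SA) lifetime, seconds
REKEY_MARGIN = 300           # negotiate a replacement this long before expiry


@dataclass
class SecurityAssociation:
    spi: int          # Security Parameter Index, identifies the SA to the peer
    peer: str
    transform: str    # the transform agreed in quick mode
    key: bytes        # session key; discarded together with the SA entry
    expires_at: int   # absolute simulated time of the hard lifetime


class SADatabase:
    """Holds active SAs; phase 1 and phase 2 are modelled as counters."""

    def __init__(self):
        self.sas = {}                # (peer, spi) -> SecurityAssociation
        self.ike_sa_valid_until = None
        self.phase1_runs = 0
        self.phase2_runs = 0
        self._next_spi = 0x100       # low SPI values are reserved, start above them

    def negotiate(self, peer, transform, now):
        """Run phase 2, preceded by phase 1 only if no IKE SA is valid."""
        if self.ike_sa_valid_until is None or self.ike_sa_valid_until <= now:
            self.phase1_runs += 1
            self.ike_sa_valid_until = now + IKE_SA_LIFETIME
        self.phase2_runs += 1
        sa = SecurityAssociation(
            spi=self._next_spi, peer=peer, transform=transform,
            key=secrets.token_bytes(32), expires_at=now + IPSEC_SA_LIFETIME)
        self._next_spi += 1
        self.sas[(peer, sa.spi)] = sa
        return sa

    def expire(self, now):
        """Delete SAs whose lifetime has passed; the key goes with the entry."""
        for k in [k for k, sa in self.sas.items() if sa.expires_at <= now]:
            del self.sas[k]

    def active_sa(self, peer, now):
        """Return the unexpired SA for this peer with the most lifetime left."""
        cands = [sa for sa in self.sas.values()
                 if sa.peer == peer and sa.expires_at > now]
        return max(cands, key=lambda sa: sa.expires_at, default=None)

    def sa_for_packet(self, peer, transform, now):
        """Look up (or negotiate) the SA a packet to `peer` should use.

        Rekeying starts REKEY_MARGIN before expiry, so a replacement SA is
        already in the SAD when the old one is deleted."""
        self.expire(now)
        sa = self.active_sa(peer, now)
        if sa is None or sa.expires_at - now <= REKEY_MARGIN:
            sa = self.negotiate(peer, transform, now)
        return sa


def simulate(duration, interval=60, peer="192.0.2.1",
             transform="esp-aes esp-sha-hmac"):
    """Send one packet every `interval` seconds and report how IKE behaved.

    Returns (phase 1 runs, phase 2 runs, packets that found no SA)."""
    sad = SADatabase()
    gaps = 0
    for now in range(0, duration, interval):
        if sad.sa_for_packet(peer, transform, now) is None:
            gaps += 1
    return sad.phase1_runs, sad.phase2_runs, gaps


if __name__ == "__main__":
    p1, p2, gaps = simulate(duration=4 * IPSEC_SA_LIFETIME)
    print(f"phase 1 runs: {p1}, phase 2 runs: {p2}, packets without SA: {gaps}")
```

Over four IPSec SA lifetimes the model performs one phase 1 and five phase 2 negotiations (the initial one plus a rekey each time the active SA comes within the margin of expiring), and no packet ever finds the SAD empty; extending the run past the IKE SA lifetime makes the next rekey trigger a second phase 1, which is the dependency between the two phases the text describes.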
IPSec components, SAs, and IKE are covered in more detail later.
IPSec in Detail
Within the TCP/IP environment, IPSec protocols offer security services at the IP layer....