Configuring IPsec Inline Tagging for TrustSec
Last Updated: December 16, 2011
The IPsec Inline Tagging for TrustSec feature enables IPsec to carry the Cisco TrustSec (CTS) Security Group Tag (SGT) between IPsec peers.
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring IPsec Inline Tagging for TrustSec

Internet Key Exchange Version 2 (IKEv2) and IPsec must be configured on the router. For more information, see the "Configuring Internet Key Exchange Version 2" and "Configuring Security for VPNs with IPsec" modules. This feature is supported only on the Cisco ISR G2 890, 1900, 2900, 3900, and 3900E routers.

Restrictions for Configuring IPsec Inline Tagging for TrustSec

The IPsec Inline Tagging for TrustSec feature can be negotiated only with IKEv2 and supports the following with IKEv2:
The IPsec Inline Tagging for TrustSec feature does not support the following:

Information About Configuring IPsec Inline Tagging for TrustSec

Cisco TrustSec

The Cisco TrustSec (CTS) architecture helps to build secure networks by establishing a domain of trusted network devices that combines identity, trust, and policy to protect user transactions and enforce role-based policies. CTS uses the user and device identification information acquired during the authentication phase to classify packets as they enter the network. CTS maintains a classification of each packet by tagging packets on ingress to the CTS network so that they can be properly identified for applying security and other policy criteria along the data path. The packets or frames are tagged using the Security Group Tag (SGT), which allows network intermediaries, such as switches and firewalls, to enforce an access control policy based on the classification. The IPsec Inline Tagging for TrustSec feature is used to propagate the SGT to other network devices.

For more information on CTS and SXP, see the Cisco TrustSec Switch Configuration Guide.

SGT and IPsec

IPsec uses the IKE protocol for negotiating algorithms, keys, and capabilities. IKEv2 is used to negotiate and inform IPsec about the SGT capability. Once the peers acknowledge the SGT tagging capability, a 16-bit SGT tag number is added as the SGT Cisco Meta Data (CMD) payload into IPsec and sent to the receiving peer.

The access layer device authenticates the incoming packets. The access layer device receives an SGT from the authentication server and assigns the SGT along with an IP address to the incoming packets. In other words, an IP address is bound to an SGT. This IP address/SGT binding is propagated to upstream devices to enforce SGT-based policy and inline tagging.

If IKEv2 is configured to negotiate the SGT capability on the initiator, the initiator proposes the SGT capability information in the SA_INIT request. If IKEv2 is configured to negotiate the SGT capability on the responder, the responder acknowledges it in the SA_INIT response, and both the initiator and the responder inform IPsec to use inline tagging for all packets to the peer.

During egress, IPsec adds the SGT capability and prefixes it to the IPsec payload if the peer supports inline tagging; otherwise the packet is not tagged. During ingress, IPsec inspects the packet for the SGT capability. If a tag is present, IPsec extracts the tag information and passes it to the device only if inline tagging was negotiated. If there is no tag, IPsec processes the packet as a normal packet. The tables below describe how IPsec behaves during egress and ingress.

SGT on the IKEv2 Initiator and Responder

To enable SGT on an IKEv2 session, the SGT capability support must be sent to the peers using the crypto ikev2 cts command. SGT is a Cisco proprietary capability; hence, it is sent as a Vendor ID (VID) payload in the SA_INIT exchange.
The table below explains the scenarios when SGT capability is configured on the initiator and the responder:
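The following Python model is an added illustration (not Cisco code) of the behaviour described in the "SGT and IPsec" section and in the initiator/responder scenarios above: the SGT Vendor ID is proposed only when crypto ikev2 cts sgt is configured, inline tagging is enabled only when both sides agree, and egress/ingress tag handling depends on that result. The Vendor ID string and the Packet structure are constructed placeholders, not the real CMD wire encoding.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Placeholder for Cisco's proprietary SGT Vendor ID payload (real value not on the page).
SGT_VID = "CTS-SGT-CAPABILITY-VID"


@dataclass
class Peer:
    name: str
    cts_sgt: bool                 # True when 'crypto ikev2 cts sgt' is configured
    inline_tagging: bool = False  # set by the SA_INIT exchange below


@dataclass
class Packet:
    payload: bytes
    sgt: Optional[int] = None     # 16-bit SGT carried in a simplified CMD prefix


def sa_init(initiator: Peer, responder: Peer) -> bool:
    """IKEv2 SA_INIT: the initiator proposes the SGT VID only if configured;
    the responder acknowledges only if it is configured and saw the VID.
    Both peers then tell IPsec whether to use inline tagging."""
    proposed = initiator.cts_sgt
    acked = responder.cts_sgt and proposed
    initiator.inline_tagging = responder.inline_tagging = proposed and acked
    return initiator.inline_tagging


def egress(sender: Peer, payload: bytes, sgt: int) -> Packet:
    """Egress: prefix the SGT only when inline tagging was negotiated."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits")
    return Packet(payload, sgt) if sender.inline_tagging else Packet(payload)


def ingress(receiver: Peer, pkt: Packet) -> Optional[int]:
    """Ingress: hand the SGT to the device only if a tag is present AND
    inline tagging was negotiated; otherwise treat it as a normal packet."""
    if pkt.sgt is not None and receiver.inline_tagging:
        return pkt.sgt
    return None


def negotiation_matrix() -> Dict[Tuple[bool, bool], bool]:
    """Outcome for each (initiator configured, responder configured) pair."""
    return {(i, r): sa_init(Peer("init", i), Peer("resp", r))
            for i in (True, False) for r in (True, False)}
```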
How to Configure IPsec Inline Tagging for TrustSec

Enabling IPsec Inline Tagging

SUMMARY STEPS

DETAILED STEPS

Monitoring and Verifying IPsec Inline Tagging for TrustSec

To monitor and verify the IPsec Inline Tagging for TrustSec configuration, perform the following steps.

DETAILED STEPS
Configuration Examples for IPsec Inline Tagging for TrustSec

Example: Enabling IPsec Inline Tagging

Static VTI Initiator Configuration

The following example shows how to enable IPsec inline tagging on a static VTI initiator and a dynamic VTI responder. You can use this configuration for configuring crypto maps and VTIs.

crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer peer
  address ::/0
  pre-shared-key cisco
 !
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
 !
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
crypto map cmap 1 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set trans
 set ikev2-profile prof3
 match address ipv4acl
!
interface Loopback1
 ip address 209.165.201.1 255.255.255.224
 ipv6 address 2001::4:1/112
!
interface Loopback2
 ip address 209.165.200.1 255.255.255.224
 ipv6 address 2001::40:1/112
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.210.74 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.240.0.0
 duplex auto
 speed auto
 ipv6 address 2001::5:1/112
 ipv6 enable
 crypto map cmap
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip route 10.12.255.200 255.0.0.0 172.31.255.254
!
ip access-list extended ipv4acl
 permit ip host 209.165.201.1 host 192.168.12.125
 permit ip host 209.165.200.1 host 172.18.0.1
 permit ip host 172.28.0.1 host 10.10.10.1
 permit ip host 10.12.255.200 host 192.168.14.1
!
logging esm config
ipv6 route ::/0 2001::5:2
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000

Dynamic VTI Responder Configuration

crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer peer
  address 172.160.1.1 255.240.0.0
  pre-shared-key cisco
 !
 peer v4_p2
  address 172.31.255.1 255.240.0.0
  pre-shared-key cisco
 !
!
crypto ikev2 profile prof
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
 virtual-template 25
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-null esp-sha-hmac
!
crypto ipsec profile prof_ipv4
 set transform-set trans
 set ikev2-profile prof
!
interface Loopback0
 ip address 192.168.12.1 255.255.0.0
!
interface Loopback1
 no ip address
!
interface Loopback2
 ip address 172.18.0.1 255.240.0.0
!
interface Loopback10
 no ip address
 ipv6 address 2001::8:1/112
!
interface Loopback11
 no ip address
 ipv6 address 2001::80:1/112
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.0.0.0
 duplex auto
 speed auto
 ipv6 address 2001::7:1/112
 ipv6 enable
!
interface GigabitEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.210.144 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
!
interface Virtual-Template25 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile prof_ipv4
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.17.0.0 255.240.0.0 10.10.10.1
!
logging esm config
ipv6 route ::/0 2001::7:2
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
end

Additional References

Related Documents
Technical Assistance
Feature Information for Configuring IPsec Inline Tagging for TrustSec

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2011 Cisco Systems, Inc. All rights reserved.