Cisco IOS Software Releases 12.3 T
SEAL Encryption


The SEAL Encryption feature adds support for the Software Encryption Algorithm (SEAL) in IP Security (IPSec) implementations.

Feature History for SEAL Encryption

Release
Modification

12.3(7)T

This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for SEAL Encryption

Restrictions for SEAL Encryption

Information About SEAL Encryption

How to Configure SEAL Encryption

Additional References

Command Reference

Prerequisites for SEAL Encryption

You should be familiar with IPSec.

Restrictions for SEAL Encryption


Note Your router and the other peer must not have hardware IPSec encryption.


Your router and the other peer must support IPSec.

Your router and the other peer must support the k9 subsystem.

This feature is available only on Cisco equipment. Therefore, interoperability with non-Cisco IPSec peers is not possible.

Information About SEAL Encryption

To configure the SEAL Encryption feature, you should understand the following concept:

SEAL Encryption Overview

SEAL Encryption Overview

SEAL (Software Encryption Algorithm) is an alternative algorithm to software-based Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). SEAL encryption uses a 160-bit encryption key and has a lower impact to the CPU when compared to other software-based algorithms. (See the Prerequisites for SEAL Encryption section for requirements for implementing SEAL encryption.) The SEAL Encryption feature provides support for the SEAL algorithm in Cisco IOS IPSec implementations. You can use a command-line interface (CLI) to configure SEAL encryption using the crypto ipsec transform-set command and the esp-seal transform option.

How to Configure SEAL Encryption

This section contains the following procedures:

Configuring SEAL Encryption (required)

Defining Multiple Transform Sets (optional)

Configuring SEAL Encryption

To define a transform set using SEAL encryption, perform the following steps:

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

4. crypto map map-name seq-number [ipsec-isakmp]

5. set transform-set transform-set-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Example:

Router (config)# crypto ipsec transform-set seal esp-seal esp-sha-hmac

Defines a transform set—an acceptable combination of security protocols and algorithms.

Step 4 

crypto map map-name seq-number [ipsec-isakmp]

Example:

Router (config)# crypto map cryptomap1 10 ipsec-isakmp

Creates a crypto map entry and enters crypto map configuration mode.

Step 5 

set transform-set transform-set-name

Example:

Router (config-crypto-map)# set transform-set seal

Specifies which transform sets can be used with the crypto map entry.

Defining Multiple Transform Sets

If you need to define multiple transform sets, perform the following steps. In this configuration, three transform sets are defined. (You can define one or multiple transform sets.) When the crypto map is configured, all three transform sets are applied to the crypto map in the same order in which they were defined. When both routers have to send encrypted traffic, each chooses the most efficient transform set that both support. For example, if one of them cannot do SEAL but both can do AES, AES is the transform that is used; if one cannot do AES, 3DES is used because both can do 3DES.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto ipsec transform-set transform-set-name transform1

4. crypto ipsec transform-set transform-set-name transform2

5. crypto ipsec transform-set transform-set-name transform3

6. crypto map map-name seq-number [ipsec-isakmp]

7. set transform-set transform-set-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto ipsec transform-set transform-set-name transform1

Example:

Router (config)# crypto ipsec transform-set seal esp-seal esp-sha-hmac

Defines a transform set—an acceptable combination of security protocols and algorithms.

Step 4 

crypto ipsec transform-set transform-set-name transform2

Example:

Router (config)# crypto ipsec transform-set aes esp-aes esp-sha-hmac

Defines a second transform set.

Step 5 

crypto ipsec transform-set transform-set-name transform3

Example:

Router (config)# crypto ipsec transform-set 3des esp-3des esp-sha-hmac

Defines a third transform set.

Step 6 

crypto map map-name seq-number [ipsec-isakmp]

Example:

Router (config)# crypto map cryptomap1 10 ipsec-isakmp

Creates a crypto map entry and enters crypto map configuration mode.

Step 7 

set transform-set transform-set-name

Example:

Router (config-crypto-map)# set transform-set seal aes 3des

Specifies which transform sets can be used with the crypto map entry.

Troubleshooting Tips

The esp-seal transform set has limitations within the crypto ipsec transform-set command. If you use the esp-seal transform set and one of the three limitations applies, you will receive a warning or error message. See the "Configuration Examples for SEAL Encryption" section for examples of the warning and error messages that are displayed if you configure the esp-seal transform set with a crypto accelerator present, without an authentication transform set, or within a manually keyed crypto map.


Note If you use the esp-seal transform set and a crypto accelerator is present, you will receive a warning. That is, the configuration will be accepted, but it will be ignored as long as the accelerator is present. If you use the esp-seal transform set with either of the other two limitations, you will receive an error and the configuration will be rejected.


Configuration Examples for SEAL Encryption

This section contains the following configuration examples:

SEAL Encryption Configured with an Authentication Transform: Example

SEAL Encryption Configured with a Crypto Accelerator Present: Example

SEAL Encryption Configured Without an Authentication Transform: Example

SEAL Encryption Configured Within a Manually Keyed Crypto Map: Example

SEAL Encryption Configured with an Authentication Transform: Example

The following example shows that SEAL encryption has been properly configured in conjunction with an authentication transform set (esp-md5-hmac):

Router (config)# crypto ipsec transform-set seal1 esp-seal esp-md5-hmac

SEAL Encryption Configured with a Crypto Accelerator Present: Example

The following warning output shows that SEAL encryption has been configured and that a crypto accelerator is present:

Router# show running-config

crypto ipsec transform-set seal2 esp-seal esp-sha-hmac
! Disabled because transform not supported by encryption hardware

SEAL Encryption Configured Without an Authentication Transform: Example

The following error output shows that SEAL encryption has been configured without an authentication transform also being configured:

Router (config)# crypto ipsec transform seal3 esp-seal
ERROR: Transform requires either ESP or AH authentication.

SEAL Encryption Configured Within a Manually Keyed Crypto Map: Example

The following error output shows that SEAL encryption has been configured within a manually keyed crypto map:

Router (config)# crypto map green 10 ipsec-manual
%Note: This new crypto map will remain disabled until a peer 
        and a valid access list have been configured.
Router (config-crypto-map)# set transform-set seal
ERROR: transform seal illegal for a manual crypto map.

Additional References

The following sections provide references related to SEAL Encryption.

Related Documents

Related Topic
Document Title

Configuring IPSec

"IP Security and Encryption" section of Cisco IOS Security Configuration Guide

Creating crypto maps

"Configuring IPSec Network Security" chapter of the Cisco IOS Security Configuration Guide

Security commands

Cisco IOS Security Command Reference, Release 12.3 T


Standards

Standards
Title

There are no new or modified standards associated with this feature.


MIBs

MIBs
MIBs Link

There are no new or modified MIBs associated with this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

There are no new or modified RFCs associated with this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents the following modified command. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

crypto ipsec transform-set

crypto ipsec transform-set

To define a transform set—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set command in global configuration mode. To delete a transform set, use the no form of this command.

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

no crypto ipsec transform-set transform-set-name

Syntax Description

transform-set-name

Name of the transform set to create (or modify).

transform1
transform2
transform3
transform4

Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IP Security (IPSec) security protocols and algorithms. Accepted transform values are described in Table 1.


Defaults

No default behavior or values

Command Modes

Global configuration

This command invokes the crypto transform configuration mode.

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The following transform set options were added: esp-aes, esp-aes 192, and esp-aes 256.

12.3(7)T

The esp-seal transform set option was added.


Usage Guidelines

A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec-protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by the access list of that crypto map entry. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of the IPSec SAs of both peers.

When Internet Key Exchange (IKE) is not used to establish SAs, a single transform set must be used. The transform set is not negotiated.

Before a transform set can be included in a crypto map entry, it must be defined using this command.

A transform set specifies one or two IPSec security protocols (either AH, ESP, or both) and specifies which algorithms to use with the selected security protocol. The AH and ESP IPSec security protocols are described in the section "IPSec Protocols: AH and ESP."

To define a transform set, you specify one to four "transforms"—each transform represents an IPSec security protocol (AH or ESP) plus the algorithm you want to use. When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

In a transform set you can specify the AH protocol, the ESP protocol, or both. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform set or both an ESP encryption transform set and an ESP authentication transform set.

Table 1 lists the acceptable transform set combination selections for the AH and ESP protocols.

Table 1 Allowed Transform Combinations

Transform Type: AH Transform (Pick only one.)

ah-md5-hmac    AH with the MD5 (Message Digest 5) (a Hash-based Message Authentication Code [HMAC] variant) authentication algorithm
ah-sha-hmac    AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm

Transform Type: ESP Encryption Transform (Pick only one.)

esp-aes        ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm
esp-aes 192    ESP with the 192-bit AES encryption algorithm
esp-aes 256    ESP with the 256-bit AES encryption algorithm
esp-des        ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm
esp-3des       ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
esp-null       Null encryption algorithm
esp-seal       ESP with the 160-bit SEAL encryption algorithm

Transform Type: ESP Authentication Transform (Pick only one.)

esp-md5-hmac   ESP with the MD5 (HMAC variant) authentication algorithm
esp-sha-hmac   ESP with the SHA (HMAC variant) authentication algorithm

Transform Type: IP Compression Transform

comp-lzs       IP compression with the Lempel-Ziv-Stac (LZS) algorithm


Examples of acceptable transform set combinations are as follows:

ah-md5-hmac

esp-des

esp-3des and esp-md5-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

comp-lzs and esp-sha-hmac and esp-aes (In general, the comp-lzs transform set can be included with any other legal combination that does not already include the comp-lzs transform.)

esp-seal and esp-md5-hmac

The parser will prevent you from entering invalid combinations; for example, after you specify an AH transform set, it will not allow you to specify another AH transform set for the current transform set.

IPSec Protocols: AH and ESP

Both the AH and ESP protocols implement security services for IPSec.

AH provides data authentication and antireplay services.

ESP provides packet encryption and optional data authentication and antireplay services.

ESP encapsulates the protected data—either a full IP datagram (or only the payload)—with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates or protects the payload of an IP datagram. For more information about modes, see the mode (IPSec) command description.

The esp-seal Transform

There are three limitations on the use of the esp-seal transform set:

The esp-seal transform set can be used only if no crypto accelerators are present. This limitation is present because no current crypto accelerators implement the SEAL encryption transform set, and if a crypto accelerator is present, it will handle all IPSec connections that are negotiated with IKE. If a crypto accelerator is present, the Cisco IOS software will allow the transform set to be configured, but it will warn that it will not be used as long as the crypto accelerator is enabled.

The esp-seal transform set can be used only in conjunction with an authentication transform set, namely one of these: esp-md5-hmac, esp-sha-hmac, ah-md5-hmac, or ah-sha-hmac. This limitation is present because SEAL encryption is especially weak when it comes to protecting against modifications of the encrypted packet. Therefore, to prevent such a weakness, an authentication transform set is required. (Authentication transform sets are designed to foil such attacks.) If you attempt to configure an IPSec transform set using SEAL but without an authentication transform set, an error is generated, and the transform set is rejected.

The esp-seal transform set cannot be used with a manually keyed crypto map. This limitation is present because such a configuration would reuse the same keystream for each reboot, which would compromise security. Because of the security issue, such a configuration is prohibited. If you attempt to configure a manually keyed crypto map with a SEAL-based transform set, an error is generated, and the transform set is rejected.
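As an added example that is not Cisco's own code, the following Python script audits transform-set and crypto map lines from a saved running configuration against the rules documented on this page: the one-transform-per-type rule of Table 1 and the three esp-seal limitations. The sample configuration and the accelerator_present flag are constructed for the example; Cisco IOS reports these conditions itself when the commands are entered, so the script is useful for reviewing configurations offline, before they are pushed to a router.

```python
import re
# Constructed sample running-config (not taken from the page): two valid sets,
# two that break the documented rules, and a manual crypto map that uses SEAL.
SAMPLE_CONFIG = """\
crypto ipsec transform-set seal esp-seal esp-sha-hmac
crypto ipsec transform-set aes256 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set bad1 esp-seal
crypto ipsec transform-set bad2 ah-md5-hmac ah-sha-hmac esp-des
crypto map cryptomap1 10 ipsec-isakmp
 set transform-set seal aes256
crypto map green 10 ipsec-manual
 set transform-set seal
"""

# Transform groups from Table 1; at most one transform per group is allowed.
GROUPS = {
    "AH": {"ah-md5-hmac", "ah-sha-hmac"},
    "ESP encryption": {"esp-aes", "esp-aes 192", "esp-aes 256", "esp-des", "esp-3des", "esp-null", "esp-seal"},
    "ESP authentication": {"esp-md5-hmac", "esp-sha-hmac"},
    "compression": {"comp-lzs"},
}
AUTH = GROUPS["AH"] | GROUPS["ESP authentication"]

def parse_transforms(tokens):
    """Rejoin 'esp-aes 192' / 'esp-aes 256', which the CLI splits into two words."""
    out = []
    for tok in tokens:
        if tok in ("192", "256") and out and out[-1] == "esp-aes":
            out[-1] = "esp-aes " + tok
        else:
            out.append(tok)
    return out

def parse_config(text):
    """Return ({set-name: [transforms]}, [crypto map entries]) from config text."""
    sets, maps, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)", line)
        if m:
            sets[m.group(1)] = parse_transforms(m.group(2).split())
            current = None
        elif (m := re.match(r"crypto map (\S+) (\d+)(?: (ipsec-isakmp|ipsec-manual))?", line)):
            current = {"name": f"{m.group(1)} {m.group(2)}",
                       "manual": m.group(3) == "ipsec-manual", "sets": []}
            maps.append(current)
        elif (m := re.match(r"\s*set transform-set (.+)", line)) and current is not None:
            current["sets"].extend(m.group(1).split())
    return sets, maps

def audit(text, accelerator_present=False):
    """Return (severity, object, message) findings for the rules the page documents."""
    sets, maps = parse_config(text)
    findings = []
    for name, transforms in sets.items():
        for label, group in GROUPS.items():
            if sum(t in group for t in transforms) > 1:
                findings.append(("ERROR", name, f"more than one {label} transform"))
        if "esp-seal" in transforms:
            if not any(t in AUTH for t in transforms):
                findings.append(("ERROR", name, "esp-seal requires ESP or AH authentication"))
            if accelerator_present:  # IOS accepts the set but ignores it while the accelerator is enabled
                findings.append(("WARNING", name, "esp-seal ignored while a crypto accelerator is present"))
    for cm in maps:
        for s in cm["sets"]:
            if s not in sets:
                findings.append(("ERROR", cm["name"], f"references undefined transform set {s}"))
            elif cm["manual"] and "esp-seal" in sets[s]:
                findings.append(("ERROR", cm["name"], f"transform set {s} (esp-seal) illegal for a manual crypto map"))
    return findings
```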

Selecting Appropriate Transform Sets

The following tips may help you select transform sets that are appropriate for your situation:

If you want to provide data confidentiality, include an ESP encryption transform set.

If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform set. (Some consider the benefits of outer IP header data integrity to be debatable.)

If you use an ESP encryption transform set, also consider including an ESP authentication transform set or an AH transform set to provide authentication services for the transform set.

If you want data authentication (either using ESP or AH), you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slower.

Note that some transform sets might not be supported by the IPSec peer.


Note If a user enters an IPSec transform set that the hardware does not support, a warning message will be displayed immediately after the crypto ipsec transform-set command is entered.


In cases where you need to specify an encryption transform set but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform set combinations follow:

esp-3des and esp-sha-hmac

esp-aes and esp-md5-hmac

The Crypto Transform Configuration Mode

After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, see the match address (IPSec) and mode (IPSec) command descriptions.

Changing Existing Transform Sets

If you issue the crypto ipsec transform-set command for an existing transform set and specify one or more transforms, the transforms you specify replace the transforms previously defined for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing SAs but will be used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.

Examples

The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that supports only the older transforms.

Router (config)# crypto ipsec transform-set newer esp-3des esp-sha-hmac
Router (config)# crypto ipsec transform-set older ah-rfc-1828 esp-rfc1829

The following example is a sample warning message that is displayed when a user enters an IPSec transform set that the hardware does not support:

Router (config)# crypto ipsec transform transform-1 esp-aes 256 esp-md5
WARNING:encryption hardware does not support transform
esp-aes 256 within IPSec transform transform-1

The following output example shows that SEAL encryption has been correctly configured with an authentication transform set:

Router (config)# crypto ipsec transform-set seal esp-seal esp-sha-hmac

The following example is a warning message that is displayed when SEAL encryption has been configured with a crypto accelerator present:

Router (config)# show running-config

crypto ipsec transform-set seal esp-seal esp-sha-hmac
! Disabled because transform not supported by encryption hardware

The following example is an error message that is displayed when SEAL encryption has been configured without an authentication transform set:

Router (config)# crypto ipsec transform seal esp-seal
ERROR: Transform requires either ESP or AH authentication.

The following example is an error message that is displayed when SEAL encryption has been configured within a manually keyed crypto map:

Router (config)# crypto map green 10 ipsec-manual
%Note: This new crypto map will remain disabled until a peer 
        and a valid access list have been configured.
Router (config-crypto-map)# set transform seal
ERROR: transform seal illegal for a manual crypto map.

Related Commands

Command
Description

clear crypto sa

Deletes IPSec security associations.

crypto ipsec transform-set

Defines a transform set—an acceptable combination of security protocols and algorithms.

match address

Specifies an extended access list for a crypto map entry.

mode (IPSec)

Changes the mode for a transform set.

set transform-set

Specifies which transform sets can be used with the crypto map entry.

show crypto ipsec transform-set

Displays the configured transform sets.