Table Of Contents
IPsec—SNMP Support
Feature Overview
Benefits
Restrictions
Related Features and Technologies
Related Documents
Supported Platforms
Supported Standards, MIBs, and RFCs
Configuration Tasks
Enabling IPsec SNMP Notifications
Configuring IPsec Failure History Table Size
Configuring IPsec Tunnel History Table Size
Verifying IPsec MIB Configuration
Monitoring and Maintaining IPsec MIB
Configuration Examples
Enabling IPsec Notifications Examples
Specifying History Table Size Examples
Command Reference
Glossary
IPsec—SNMP Support
Feature History
Release | Modification
12.1(4)E | This feature was introduced on the Cisco 7100, 7200, and 7500 series.
12.1(5a)E | Support for CISCO-IPSEC-FLOW-MONITOR-MIB notifications was added.
12.2(4)T | Support for this feature was added for platforms in Release 12.2 T.
12.2(8)T, 12.1(11b)E | The following Command Line Interface (CLI) commands were added to enable and disable IP Security (IPsec) MIB notifications: snmp-server enable traps ipsec and snmp-server enable traps isakmp.
12.2(14)S | This feature was integrated into Cisco IOS Release 12.2(14)S.
Cisco IOS XE Release 2.1 | This feature was introduced on the Cisco ASR 1000 Series Routers.
This document describes the IPsec—SNMP Support feature in Cisco IOS Release 12.1 E, 12.2 T, and 12.2 S and includes the following sections:
• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Configuration Tasks
• Monitoring and Maintaining IPsec MIB
• Configuration Examples
• Command Reference
• Glossary
Note
This document focuses on Cisco IOS CLI support for the Cisco IPsec MIBs. This document also lists which elements of the MIBs are currently supported. This document does not describe SNMP configuration (from a Network Management Station) of the Cisco IPsec MIBs.
Feature Overview
The IP Security (IPsec) - SNMP Support feature introduces support for industry-standard IPsec MIBs and Cisco IOS software-specific IPsec MIBs.
The IPsec MIBs allow IPsec configuration monitoring and IPsec status monitoring using SNMP, and can be integrated in a variety of Virtual Private Network (VPN) management solutions.
For example, this feature allows you to specify the desired size of a tunnel history table or a tunnel failure table using the Cisco IOS CLI. The history table archives attribute and statistic information about the tunnel; the failure table archives tunnel failure reasons along with the time the failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, not every failure record has a matching tunnel history record, because not every failure corresponds to a tunnel that was set up. Thus, supported setup failures are recorded in the failure table, but no associated history entry is recorded because a tunnel was never set up.
This feature also provides IPsec Simple Network Management Protocol (SNMP) notifications for use with network management systems.
Benefits
The commands in this feature allow you to examine the version of the IPsec MIB feature, to enable and disable SNMP traps, and to monitor and control the size of the buffers used by this feature.
Restrictions
Only the following tunnel setup failure logs are supported with the IPsec - SNMP Support feature:
• NOTIFY_MIB_IPSEC_PROPOSAL_INVALID: "A tunnel could not be established because the peer did not supply an acceptable proposal."
• NOTIFY_MIB_IPSEC_ENCRYPT_FAILURE: "A tunnel could not be established because it failed to encrypt a packet to be sent to a peer."
• NOTIFY_MIB_IPSEC_SYSCAP_FAILURE: "A tunnel could not be established because the system ran out of resources."
• NOTIFY_MIB_IPSEC_LOCAL_FAILURE: "A tunnel could not be established because of an internal error."
Note that these failure notices are recorded in the failure tables, but are not available as SNMP notifications (traps).
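The two tables the Feature Overview describes, and the rule for telling a normal termination from an abnormal one, can be exercised offline with the following model. It is an added example, not Cisco's code: it keeps a bounded tunnel history table and a bounded failure history table (sized the way crypto mib ipsec flowmib history {tunnel | failure} size sizes them, default 200), records only the four supported failure reasons listed above, and reports a tunnel as terminated normally when no failure record references it. Record fields, tunnel IDs, peer addresses and timestamps are constructed for the example; the assumption that shrinking a table discards its oldest entries is the example's own, since the document specifies only the size.

```python
"""Model of the IPsec Flow MIB tunnel history and failure history tables.

Added example, not Cisco's code. Record fields, tunnel ids and timestamps are
constructed; only the four failure reasons and the default size of 200 come
from the document. Shrinking a table keeps the newest records (assumption).
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional

# The only setup-failure reasons the feature records (Restrictions section).
SUPPORTED_FAILURES = frozenset({
    "NOTIFY_MIB_IPSEC_PROPOSAL_INVALID",
    "NOTIFY_MIB_IPSEC_ENCRYPT_FAILURE",
    "NOTIFY_MIB_IPSEC_SYSCAP_FAILURE",
    "NOTIFY_MIB_IPSEC_LOCAL_FAILURE",
})

DEFAULT_TABLE_SIZE = 200  # default for both history tables


@dataclass(frozen=True)
class TunnelRecord:
    """Attributes and statistics archived for one terminated tunnel (constructed fields)."""
    tunnel_id: int
    peer: str
    start_time: int
    end_time: int
    bytes_in: int
    bytes_out: int


@dataclass(frozen=True)
class FailureRecord:
    """A failure reason plus the time it occurred; tunnel_id is None for setup failures."""
    reason: str
    time: int
    tunnel_id: Optional[int] = None


def _bounded(size: int, items=()) -> Deque:
    if not isinstance(size, int) or size < 1:
        raise ValueError("history table size must be a positive integer")
    # A bounded deque discards its oldest entries once full, like a ring buffer.
    return deque(items, maxlen=size)


class FlowMibHistory:
    def __init__(self, tunnel_size: int = DEFAULT_TABLE_SIZE,
                 failure_size: int = DEFAULT_TABLE_SIZE) -> None:
        self.tunnels: Deque[TunnelRecord] = _bounded(tunnel_size)
        self.failures: Deque[FailureRecord] = _bounded(failure_size)

    def resize(self, *, tunnel_size: Optional[int] = None,
               failure_size: Optional[int] = None) -> None:
        """Apply a new table size; shrinking keeps the newest records (assumption)."""
        if tunnel_size is not None:
            self.tunnels = _bounded(tunnel_size, self.tunnels)
        if failure_size is not None:
            self.failures = _bounded(failure_size, self.failures)

    def record_tunnel(self, rec: TunnelRecord) -> None:
        self.tunnels.append(rec)

    def record_failure(self, reason: str, time: int,
                       tunnel_id: Optional[int] = None) -> None:
        if reason not in SUPPORTED_FAILURES:
            raise ValueError(f"unsupported failure reason: {reason}")
        self.failures.append(FailureRecord(reason, time, tunnel_id))

    def failure_for(self, tunnel_id: int) -> Optional[FailureRecord]:
        return next((f for f in self.failures if f.tunnel_id == tunnel_id), None)

    def terminated_normally(self, tunnel_id: int) -> bool:
        """A history entry with no associated failure record terminated normally.
        Raises KeyError if the tunnel has already aged out of the bounded history."""
        if not any(t.tunnel_id == tunnel_id for t in self.tunnels):
            raise KeyError(f"tunnel {tunnel_id} is not in the history table")
        return self.failure_for(tunnel_id) is None

    def setup_failures(self) -> List[FailureRecord]:
        """Failures with no tunnel: present in the failure table only."""
        return [f for f in self.failures if f.tunnel_id is None]


if __name__ == "__main__":
    h = FlowMibHistory(tunnel_size=3, failure_size=3)
    h.record_tunnel(TunnelRecord(1, "192.0.2.1", 0, 100, 1024, 2048))  # constructed
    h.record_tunnel(TunnelRecord(2, "192.0.2.2", 10, 150, 512, 256))
    h.record_failure("NOTIFY_MIB_IPSEC_ENCRYPT_FAILURE", 150, tunnel_id=2)
    h.record_failure("NOTIFY_MIB_IPSEC_PROPOSAL_INVALID", 160)  # tunnel never set up
    print("tunnel 1 terminated normally:", h.terminated_normally(1))
    print("tunnel 2 terminated normally:", h.terminated_normally(2))
    print("setup failures:", [f.reason for f in h.setup_failures()])
```

The KeyError path is the practical caveat: once a tunnel record has aged out of a small history table, the normal/abnormal question can no longer be answered for it, so the table sizes chosen with the size commands bound how far back that distinction can be made.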
The following functions are not supported with the IPsec MIB feature:
• Checkpointing
• The Dynamic Cryptomap table of the CISCO-IPSEC-MIB
Note
CISCO-IPSEC-FLOW-MONITOR-MIB notifications are not supported before Cisco IOS Release 12.1(5a)E.
The CISCO-IPSEC-POLICY-MAP-MIB (ciscoIpSecPolMap) defines no notifications (the "IPSec Policy Map Notifications Group" is empty).
Related Features and Technologies
The IPsec—SNMP Support feature was designed to support the VPN Device Manager (VDM). VDM enables network administrators to manage and configure site-to-site VPNs on a single device from a web browser and to see the effects of changes in real time. VDM implements a wizard-based graphical user interface (GUI) to simplify the process of configuring site-to-site VPNs using the IPsec protocol. VDM software is installed directly on Cisco VPN routers, and is designed for use and compatibility with future Device Manager products.
For more information on Cisco VDM, refer to the following URL:
http://www.cisco.com/warp/public/cc/pd/nemnsw/vpdvmn/
Related Documents
IPsec and Related Security Information
• Configuring Security for VPNs with IPsec
• Cisco IOS Security Command Reference
SNMP Configuration Information
• Cisco IOS Configuration Fundamentals Configuration Guide on Cisco.com
• Cisco IOS Configuration Fundamentals Command Reference
For the Cisco IOS Release 12.1 E implementation of security and SNMP features, refer to the Cisco IOS Release 12.1 versions of these documents. For the Cisco IOS Release 12.2 T and 12.2 S implementation of these features, refer to the Cisco IOS Release 12.2 versions of these documents.
Supported Platforms
The IPsec MIB feature is supported on the following platforms in Cisco IOS Release 12.1(4)E:
• Cisco 7100 series
• Cisco 7200 series
• Cisco 7500 series (RSP7000 and 7500)
The IPsec MIB feature is supported on the following platforms in Cisco IOS Release 12.2(4)T:
• Cisco 800 series (800, 805, 806, 820, 827, 828)
• Cisco 900 series
• Cisco 1600 and 1600R series
• Cisco 1700 series (1710, 1720, 1750, 1751, 1760)
• Cisco 2400 series
• Cisco 2600 and 2600XM series
• Cisco 3600 series (Cisco 3620, 3640, and 3660)
• Cisco 3745
• Cisco 4000
• Cisco 4500
• Cisco 5300 series
• Cisco 5400 series
• Cisco 5800 series
• Cisco 7100 series
• Cisco 7200 series
• Cisco 7400 series
• Cisco 7500 series (Cisco IOS Release 12.2(4)T2 and later releases)
• Cisco 7700 series
• Cisco MC3810
• Cisco uBR900 series (uBR900, uBR904, uBR905, uBR910, uBR920, uBR925)
• Cisco uBR7200
The IPsec MIB feature is supported on the following platforms in Cisco IOS Release 12.2(14)S:
• Cisco 7200 series
• Cisco 7400 series
• Cisco 7500 series
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
The following MIBs are supported by the IPsec—SNMP Support feature:
• CISCO-IPSEC-FLOW-MONITOR-MIB
• CISCO-IPSEC-MIB
• CISCO-IPSEC-POLICY-MAP-MIB
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
See the following sections for configuration tasks for the IPsec—SNMP Support feature. Each task in the list is identified as either required or optional:
• Enabling IPsec SNMP Notifications (required)
• Configuring IPsec Failure History Table Size (optional)
• Configuring IPsec Tunnel History Table Size (optional)
Enabling IPsec SNMP Notifications
To enable a router to send IPsec trap or inform notifications to a specified host, use the following commands in global configuration mode:
Step 1
Command: Router(config)# snmp-server enable traps ipsec cryptomap [add | delete | attach | detach]
Purpose: Enables a router to send IPsec SNMP notifications.
Step 2
Command: Router(config)# snmp-server enable traps isakmp [policy {add | delete} | tunnel {start | stop}]
Purpose: Enables a router to send IPsec ISAKMP SNMP notifications.
Step 3
Command: Router(config)# snmp-server host host-address traps community-string ipsec
Purpose: Specifies the recipient of IPsec SNMP notification operations.
For more information on configuring SNMP, refer to the chapter "Configuring SNMP Support" in the Cisco IOS Configuration Fundamentals Configuration Guide.
Configuring IPsec Failure History Table Size
The default failure history table size is 200. To change the size of the failure history table, use the following command in global configuration mode:
Command: Router(config)# crypto mib ipsec flowmib history failure size number
Purpose: Changes the size of the IPsec failure history table.
Configuring IPsec Tunnel History Table Size
The default tunnel history table size is 200. To change the size of the tunnel history table, use the following command in global configuration mode:
Command: Router(config)# crypto mib ipsec flowmib history tunnel size number
Purpose: Changes the size of the IPsec tunnel history table.
Verifying IPsec MIB Configuration
To verify that the IPsec MIB feature is configured properly, perform the following tasks:
• Enter the show crypto mib ipsec flowmib history failure size privileged EXEC command to display the size of the failure history table:
Router# show crypto mib ipsec flowmib history failure size
IPSec Failure Window Size: 140
• Enter the show crypto mib ipsec flowmib history tunnel size privileged EXEC command to display the size of the tunnel history table:
Router# show crypto mib ipsec flowmib history tunnel size
IPSec History Window Size: 130
• Enter the show crypto mib ipsec flowmib version privileged EXEC command to display the MIB version used by the management applications to identify the feature set:
Router# show crypto mib ipsec flowmib version
IPSec Flow MIB version: 1
• Enter the debug crypto mib privileged EXEC command to display the IPsec MIB debug message notifications:
Router# debug crypto mib
Crypto IPSec Mgmt Entity debugging is on
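The configuration steps in "Enabling IPsec SNMP Notifications" and the history-size commands, together with the show output above, can be checked from the management side without touching the router. The following script is an added example, not Cisco's code: it takes two text captures an operator has already saved (the snmp-server lines of show running-config and the three show crypto mib ipsec flowmib outputs), parses them with the line formats shown in this document, and lists anything that differs from the intended state. Its parsing of snmp-server host is simplified to host, optional traps/informs, optional version, community string and notification types, and the flag it raises on the well-known community strings public and private is the example's own check; the sample captures are constructed after the document's examples.

```python
"""Offline audit of a router's IPsec MIB configuration.

Added example, not Cisco's code. Input is text already captured from the
router; nothing here contacts a device. The snmp-server host parsing is
simplified, and the well-known community check is this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOST_RE = re.compile(
    r"^snmp-server host (?P<host>\S+)"
    r"(?: (?P<mode>traps|informs))?"
    r"(?: version (?P<ver>1|2c|3)(?: (?P<sec>auth|noauth|priv))?)?"
    r" (?P<community>\S+)"
    r"(?P<types>(?: \S+)*)$"
)
# Output lines of the three show commands, as printed in this document.
FAILURE_SIZE_RE = re.compile(r"IPSec Failure Window Size:\s*(\d+)")
TUNNEL_SIZE_RE = re.compile(r"IPSec History Window Size:\s*(\d+)")
VERSION_RE = re.compile(r"IPSec Flow MIB version:\s*(\d+)")

WELL_KNOWN_COMMUNITIES = frozenset({"public", "private"})


@dataclass
class MibState:
    traps_ipsec: bool = False
    traps_isakmp: bool = False
    # (host, community, notification types) per snmp-server host line
    hosts: List[Tuple[str, str, List[str]]] = field(default_factory=list)
    failure_size: Optional[int] = None
    tunnel_size: Optional[int] = None
    version: Optional[int] = None


def parse_running_config(text: str, state: Optional[MibState] = None) -> MibState:
    st = state or MibState()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server enable traps "):
            # Both `... traps ipsec` and `... traps ipsec isakmp` (as in the
            # Configuration Examples) enable the named notification types.
            types = line.split()[3:]
            st.traps_ipsec |= "ipsec" in types
            st.traps_isakmp |= "isakmp" in types
            continue
        m = HOST_RE.match(line)
        if m:
            st.hosts.append((m["host"], m["community"], m["types"].split()))
    return st


def parse_show_output(text: str, state: Optional[MibState] = None) -> MibState:
    st = state or MibState()
    for regex, attr in ((FAILURE_SIZE_RE, "failure_size"),
                        (TUNNEL_SIZE_RE, "tunnel_size"),
                        (VERSION_RE, "version")):
        m = regex.search(text)
        if m:
            setattr(st, attr, int(m.group(1)))
    return st


def audit(st: MibState, expected_host: str,
          expected_failure_size: int, expected_tunnel_size: int) -> List[str]:
    """Return human-readable findings; an empty list means the state matches."""
    findings: List[str] = []
    if not st.traps_ipsec:
        findings.append("snmp-server enable traps ipsec is not configured")
    if not st.traps_isakmp:
        findings.append("snmp-server enable traps isakmp is not configured")
    if not any(h == expected_host and "ipsec" in types for h, _, types in st.hosts):
        findings.append(f"no snmp-server host entry sends ipsec notifications to {expected_host}")
    for host, community, _ in st.hosts:
        if community in WELL_KNOWN_COMMUNITIES:
            findings.append(f"host {host} uses well-known community string '{community}'")
    for label, actual, expected in (("failure", st.failure_size, expected_failure_size),
                                    ("tunnel", st.tunnel_size, expected_tunnel_size)):
        if actual is None:
            findings.append(f"{label} history size could not be read from show output")
        elif actual != expected:
            findings.append(f"{label} history size is {actual}, expected {expected}")
    return findings


if __name__ == "__main__":
    # Constructed captures, modelled on this document's examples.
    running_config = (
        "snmp-server enable traps ipsec\n"
        "snmp-server host nms1.cisco.com public ipsec isakmp\n"
    )
    show_output = (
        "IPSec Failure Window Size: 140\n"
        "IPSec History Window Size: 130\n"
        "IPSec Flow MIB version: 1\n"
    )
    state = parse_show_output(show_output, parse_running_config(running_config))
    for finding in audit(state, "nms1.cisco.com", 140, 130):
        print("FINDING:", finding)
```

Run against the constructed captures, the audit reports that the isakmp notifications were never enabled and that the trap receiver is reached with a well-known community string; the history sizes match. The expected-size arguments make it usable as a drift check across several routers that are supposed to share one table-size policy.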
Monitoring and Maintaining IPsec MIB
To monitor the status of IPsec MIB information, use any of the following commands in EXEC mode:
Command: Router# show crypto mib ipsec flowmib history failure size
Purpose: Displays the size of the IPsec failure history table.
Command: Router# show crypto mib ipsec flowmib history tunnel size
Purpose: Displays the size of the IPsec tunnel history table.
Command: Router# show crypto mib ipsec flowmib version
Purpose: Displays the IPsec Flow MIB version used by the router.
Configuration Examples
This section provides the following configuration examples:
• Enabling IPsec Notifications Examples
• Specifying History Table Size Examples
Enabling IPsec Notifications Examples
In the following example, IPsec notifications are enabled:
snmp-server enable traps ipsec isakmp
In the following example, the router is configured to send IPsec notifications to the host nms1.cisco.com:
snmp-server host nms1.cisco.com public ipsec isakmp
Translating "nms1.cisco.com"...domain server (171.00.0.01) [OK]
Specifying History Table Size Examples
In the following example, the specified failure history table size is 140:
crypto mib ipsec flowmib history failure size 140
In the following example, the specified tunnel history table size is 130:
crypto mib ipsec flowmib history tunnel size 130
Command Reference
The following commands are introduced or modified by this feature:
• crypto mib ipsec flowmib history failure size
• crypto mib ipsec flowmib history tunnel size
• debug crypto mib
• show crypto mib ipsec flowmib history failure size
• show crypto mib ipsec flowmib history tunnel size
• show crypto mib ipsec flowmib version
• snmp-server enable traps ipsec
• snmp-server enable traps isakmp
• snmp-server host
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
Glossary
CA—certificate authority. A certificate authority (CA) is an entity in a network that issues and manages security credentials and public keys (in the form of X509v3 certificates) for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate. Certificates generally include the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.
IP Security—See IPsec.
IPsec—Internet Protocol Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
Management Information Base—See MIB.
MIB—Management Information Base. Database of network management information that is used and maintained by a network management protocol such as Simple Network Management Protocol (SNMP) or Common Management Information Protocol (CMIP). The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a graphical user interface (GUI) network management system (NMS). MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.
Simple Network Management Protocol—See SNMP.
SNMP—Simple Network Management Protocol. An application-layer protocol that provides a message format for communication between SNMP managers and agents.
trap—Message sent by an SNMP agent to a network management system, console, or terminal to indicate the occurrence of a significant event, such as a specifically defined condition or a threshold that was reached.
© 2009 Cisco Systems, Inc. All rights reserved.