IPSec Transform Set Configuration Mode Commands
 
 
The IPSec Transform Set Configuration Mode is used to configure IPsec security parameters. There are two core protocols, the Authentication Header (AH) and Encapsulating Security Payload (ESP). AH may be considered redundant as ESP can provide the same authentication services that AH does.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
default
Set or restore the default value for a given parameter.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
default { encryption | group | hmac | mode }
Set the defaults for the IPSec transform-set as follows:
encryption: Default Child SA IPSec ESP algorithm is AES-CBC-128
group: Default Diffie-Hellman group algorithm is none. This also deactivates PFS.
hmac: Default Child SA IPSec hashing algorithm is SHA1-96.
mode: Default Child SA IPSec Mode is Tunnel.
Usage
Defines the default values for the Child SA IPSec transform-set.
Example
Use the following configuration to set the default mode to Tunnel:
default mode
 
encryption
Configures the appropriate IPsec ESP encryption algorithm and encryption key length. AES-CBC-128 is the default.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc | null }
default encryption
3des-cbc
“Triple DES.” Data Encryption Standard Cipher Block Chaining encryption applied to the message three times using three different cipher keys.
aes-cbc-128
Advanced Encryption Standard Cipher Block Chaining with a key length of 128 bits. This is the default setting for this command.
aes-cbc-256
Advanced Encryption Standard Cipher Block Chaining with a key length of 256 bits.
des-cbc
Data Encryption Standard Cipher Block Chaining. Encryption using a 56-bit key size. Relatively insecure.
null
The NULL encryption algorithm represents the optional use of applying encryption within ESP. ESP can then be used to provide authentication and integrity without confidentiality.
Usage
In block cipher cryptography, the plaintext is broken into blocks, usually 64 or 128 bits in length. In cipher block chaining (CBC) each encrypted block is chained into the next block of plaintext to be encrypted. A randomly generated initialization vector is applied to the first block of plaintext in lieu of a preceding encrypted block. CBC provides confidentiality, but not message integrity.
Because RFC 4307 calls for interoperability between IPsec and IKEv2, the IKEv2 confidentiality algorithms must be the same as those configured for IPsec in order for there to be an acceptable match during the IKE message exchange. In IKEv2, there is no NULL option.
Example
The following command configures the encryption to be the default aes-cbc-128:
default encryption
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec Mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Returns to the previous mode.
 
group
Configure the appropriate key exchange cryptographic strength and activate Perfect Forward Secrecy by applying a Diffie-Hellman group.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
group { 1 | 2 | 5 | 14 | none }
default group
default group
Configures the default crypto strength to be none and disables Perfect Forward Secrecy.
1
Configures crypto strength at the Group 1 level. Lowest security.
2
Configures crypto strength at the Group 2 level. Medium security.
5
Configures crypto strength at the Group 5 level. Higher security.
14
Configures crypto strength at the Group 14 level. Highest security.
none
Applies no group and disables Perfect Forward Secrecy. This is the default.
Usage
Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange process. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group upon which the prime numbers are based.
Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, Group 5 provides 1536 bits and Group 14 provides 2048 bits. Selecting a group automatically activates Perfect Forward Secrecy. The default value is none, which disables PFS.
Example
This command configures security at Group 2 and activates PFS:
group 2
 
hmac
Configures the IPsec ESP integrity algorithm.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
hmac { md5-96 | sha1-96 | null }
default hmac
default
Configures the default hmac value of sha1-96.
md5-96
MD5-96 uses a 128-bit secret key and produces a 128-bit authenticator value.
sha1-96
SHA-1 uses a 160-bit secret key and produces a 160-bit authenticator value.
This is the default setting for this command.
null
Configures the hmac value to be null. The NULL encryption algorithm represents the optional use of applying encryption within ESP. ESP can then be used to provide authentication and integrity without confidentiality.
Usage
HMAC is a keyed-hash technique used by IPSec to make sure that a message has not been altered.
A keyed-Hash Message Authentication Code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key to verify both data integrity and message authenticity. A hash takes a message of any size and transforms it into a message of a fixed size: the authenticator value. This is truncated to 96 bits and transmitted. The authenticator value is reconstituted by the receiver and the first 96 bits are compared for a 100 percent match.
Because RFC 4306 calls for interoperability between IPsec and IKEv2, the IKEv2 integrity algorithms must be the same as those configured for IPsec in order for there to be an acceptable match during the IKE message exchange.
Example
The following command configures the default HMAC value (SHA1-96):
default hmac
 
mode
Configures the security of IP datagrams based on header placement. Tunnel mode applies security to a completely encapsulated IP datagram, while Transport does not. Default is Tunnel mode.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
mode { transport | tunnel }
default mode
transport
In Transport mode, the IPSec header is applied only over the IP payload, not over the IP header in front of it. The AH and/or ESP headers appear between the original IP header and the IP payload, as follows:
Original IP header, IPSec headers (AH and/or ESP), IP payload (including transport header).
Transport mode is used for host-to-host communications and is generally unsuited to PDIF traffic.
tunnel
In Tunnel mode, the original IP header is left intact, so a complete IP datagram is encapsulated, forming a virtual tunnel between IPSec-capable devices. The IP datagram is passed to IPSec, where a new IP header is created ahead of the AH and/or ESP IPSec headers, as follows:
New IP header, IPSec headers (AH and/or ESP), old IP header, IP payload.
Tunnel mode is used for network-to-network communications (secure tunnels between routers) or host-to-network and host-to-host communications over the Internet.
This is the default setting for this command.
Usage
IPSec modes are closely related to the function of the two core protocols, the Authentication Header (AH) and Encapsulating Security Payload (ESP). Both of these protocols provide protection by adding to a datagram a header (and possibly other fields) containing security information. The choice of mode does not affect the method by which each generates its header, but rather, changes what specific parts of the IP datagram are protected and how the headers are arranged to accomplish this.
Example
The following command configures the default Tunnel mode:
default mode
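As an added example that is not part of this Cisco reference: a small Python checker that starts from the documented defaults of this mode (encryption aes-cbc-128, hmac sha1-96, group none, mode tunnel), applies the encryption, hmac, group, mode and default commands of a configuration fragment in order, and flags the weaker choices described under those commands. The two sample fragments and the assessment in review() are constructed for this example; the command that enters the mode is not modelled.

```python
# Defaults and accepted keyword values as listed in this command reference.
DEFAULTS = {"encryption": "aes-cbc-128", "hmac": "sha1-96", "group": "none", "mode": "tunnel"}
VALID = {
    "encryption": {"3des-cbc", "aes-cbc-128", "aes-cbc-256", "des-cbc", "null"},
    "hmac": {"md5-96", "sha1-96", "null"},
    "group": {"1", "2", "5", "14", "none"},
    "mode": {"transport", "tunnel"},
}
DH_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048}  # keying strength per DH group


def apply_commands(lines):
    """Start from the documented defaults and apply each mode command in order."""
    state = dict(DEFAULTS)
    for raw in lines:
        parts = raw.strip().split()
        if not parts or parts[0].startswith("!"):  # blank line or comment
            continue
        if parts[0] in ("end", "exit"):  # leaves the configuration mode
            break
        key, value = parts if len(parts) == 2 else (None, None)
        if key == "default" and value in DEFAULTS:  # 'default <parameter>' restores it
            state[value] = DEFAULTS[value]
        elif key in VALID and value in VALID[key]:
            state[key] = value
        else:
            raise ValueError(f"unrecognized command: {raw.strip()}")
    return state


def review(state):
    """Flag settings a reviewer would question; the assessment is this example's own."""
    enc, mac, grp, mode = (state[k] for k in ("encryption", "hmac", "group", "mode"))
    findings = []
    if enc == "des-cbc":
        findings.append("encryption: des-cbc has a 56-bit key; use aes-cbc-128 or aes-cbc-256")
    elif enc == "null":
        findings.append("encryption: null gives no confidentiality, and IKEv2 has no NULL option")
    if mac == "null":
        findings.append("hmac: null leaves ESP with no integrity protection")
    elif mac == "md5-96":
        findings.append("hmac: md5-96 relies on MD5; prefer sha1-96")
    if grp == "none":
        findings.append("group: none disables Perfect Forward Secrecy")
    elif DH_BITS[grp] < 2048:
        findings.append(f"group: {grp} gives only {DH_BITS[grp]}-bit keying strength; prefer 14")
    if mode == "transport":
        findings.append("mode: transport is generally unsuited to PDIF traffic")
    return findings


WEAK_SET = ["encryption des-cbc", "hmac md5-96", "group 2", "mode transport"]  # constructed
HARDENED_SET = ["encryption aes-cbc-256", "default hmac", "group 14", "default mode", "end"]  # constructed
```

Running review(apply_commands(WEAK_SET)) yields four findings, while the hardened fragment yields none.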
 
 

Cisco Systems Inc.