IPSec Transform Set Configuration Mode Commands

The IPSec Transform Set Configuration Mode is used to configure IPSec security parameters. There are two core protocols, the Authentication Header (AH) and Encapsulating Security Payload (ESP). AH may be considered redundant as ESP can provide the same authentication services that AH does.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

encryption

Configures the appropriate IPSec ESP encryption algorithm and encryption key length. AES-CBC-128 is the default.

Platform:

ASR 5000

Product:

ePDG, PDIF, SCM


Privilege:

Security Administrator, Administrator


Syntax
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc | null }default encryption
3des-cbc

Data Encryption Standard Cipher Block Chaining encryption applied to the message three times using three different cypher keys (triple DES).

aes-cbc-128

Advanced Encryption Standard Cipher Block Chaining with a key length of 128 bits. This is the default setting for this command.

aes-cbc-256

Advanced Encryption Standard Cipher Block Chaining with a key length of 256 bits.

des-cbc

Data Encryption Standard Cipher Block Chaining. Encryption using a 56-bit key size. Relatively insecure.

null

The NULL encryption algorithm represents the optional use of applying encryption within ESP. ESP can then be used to provide authentication and integrity without confidentiality.

default

Sets the default IPSec ESP algorithm to AES-CBC-128.


Usage:

In cipher block cryptography, the plaintext is broken into blocks usually of 64 or 128 bits in length. In cipher block chaining (CBC) each encrypted block is chained into the next block of plaintext to be encrypted. A randomly generated vector is applied to the first block of plaintext in lieu of an encrypted block. CBC provides confidentiality, but not message integrity.

Because RFC 4307 calls for interoperability between IPSec and IKEv2, the IKEv2 confidentiality algorithms must be the same as those configured for IPSec in order for there to be an acceptable match during the IKE message exchange. In IKEv2, there is no NULL option.


Example:
The following command configures the encryption to be the default aes-cbc-128:
default encryption
end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

group

Configures the appropriate key exchange cryptographic strength and activate Perfect Forward Secrecy by applying a Diffie-Hellman group.

Platform:

ASR 5000

Product:

ePDG, PDIF, SCM


Privilege:

Security Administrator, Administrator


Syntax
group { 1 | 2 | 5 | 14 | none }  default group
default group

Configures the default crypto strength to be none and disables Perfect Forward Secrecy.

1

Configures crypto strength at the Group 1 level. Lowest security.

2

Configures crypto strength at the Group 2 level. Medium security.

5

Configures crypto strength at the Group 5 level. Higher security.

14

Configures crypto strength at the Group 14 level. Highest security.

none

Applies no group and disables Perfect Forward Secrecy. This is the default.

default

Sets the default Diffie-Hellman group algorithm to none. This also deactivates PFS.


Usage:

Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange process. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group upon which the prime numbers are based.

Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, Group 5 provides 1536 bits and Group14 2048 bits. Selecting a group automatically activates Perfect Forward Secrecy. The default value is none, which disables PFS


Example:
This command configures security at Group 2 and activates PFS:
group 2 
hmac

Configures the IPSec ESP integrity algorithm using a Hash-based Message Authentication Code (HMAC).

Platform:

ASR 5000

Product:

ePDG, PDIF, SCM


Privilege:

Security Administrator, Administrator


Syntax
hmac { aes-xcbc-96 | md5-96 | sha1-96 | null }default hmac
aes-xcbc-96

AES-XCBC-96 uses a 128-bit secret key and produces a 128-bit authenticator value.

md5-96

MD5-96 uses a 128-bit secret key and produces a 128-bit authenticator value.

sha1-96

SHA-1 uses a 160-bit secret key and produces a 160-bit authenticator value.

This is the default setting for this command.

null

Configures the hmac value to be null. The NULL encryption algorithm represents the optional use of applying encryption within ESP. ESP can then be used to provide authentication and integrity without confidentiality.

default hmac

Sets the default IPSec hashing algorithm to SHA1-96.


Usage:

HMAC is an encryption technique used by IPSec to make sure that a message has not been altered.

A keyed-Hash-based Message Authentication Code (HMAC), is a type of message authentication code that is calculated using a cryptographic hash function in combination with a secret key to verify both data integrity and message authenticity. A hash takes a message of any size and transforms it into a message of a fixed size: the authenticator value. This is truncated to 96 bits and transmitted. The authenticator value is reconstituted by the receiver and the first 96 bits are compared for a 100 percent match.

Because RFC 4306 calls for interoperability between IPSec and IKEv2, the IKEv2 integrity algorithms must be the same as those configured for IPSec in order for there to be an acceptable match during the IKE message exchange.


Example:
The following command configures the default HMAC value (SHA1-96):
default hmac
mode

Configures the security of IP datagrams based on header placement. Tunnel mode applies security to a completely encapsulated IP datagram, while Transport does not. Default is Tunnel mode.

Platform:

ASR 5000

Product:

ePDG, PDIF, SCM


Privilege:

Security Administrator, Administrator


Syntax
mode { transport | tunnel }default mode
transport

In Transport mode, the IPSec header is applied only over the IP payload, not over the IP header in front of it. The AH and/or ESP headers appear between the original IP header and the IP payload, as follows:

Original IP header, IPSec headers (AH and/or ESP), IP payload (including transport header).

Transport mode is used for host-to-host communications and is generally unsuited to PDIF traffic.

tunnel

In Tunnel mode, the original IP header is left intact, so a complete IP datagram is encapsulated, forming a virtual tunnel between IPSec-capable devices. The IP datagram is passed to IPSec, where a new IP header is created ahead of the AH and/or ESP IPSec headers, as follows:

New IP header, IPSec headers (AH and/or ESP), old IP header, IP payload.

Tunnel mode is used for network-to-network communications (secure tunnels between routers) or host-to-network and host-to-host communications over the Internet.

This is the default setting for this command.

default mode

Sets the default IPSec Mode to Tunnel.


Usage:

IPSec modes are closely related to the function of the two core protocols, the Authentication Header (AH) and Encapsulating Security Payload (ESP). Both of these protocols provide protection by adding to a datagram a header (and possibly other fields) containing security information. The choice of mode does not affect the method by which each generates its header, but rather, changes what specific parts of the IP datagram are protected and how the headers are arranged to accomplish this.


Example:
The following command configures the default Tunnel mode:
default mode