Worldwide [change] |Account |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Software Releases 12.0 Special and Early Deployments

Triple DES for IPSec

Downloads

Table of Contents

Triple DES Encryption for IPSec
 Feature Summary
 Platforms
 Prerequisites
 Supported MIBs and RFCs
 Configuration Tasks
 Configuration Example
 Command Reference
 crypto ipsec transform-set
 encryption (IKE policy)

Triple DES Encryption for IPSec

Feature Summary

IPSec supports the Triple DES encryption algorithm (168-bit) in addition to 56-bit encryption. Triple DES (3DES) is a strong form of encryption that allows sensitive information to be transmitted over untrusted networks. It enables customers, particularly in the finance industry, to utilize network layer encryption.

Platforms

This feature is supported only on the Cisco 1720 router.

Prerequisites

This feature is available only in software images with the Triple DES encryption feature set for IPSec.

Supported MIBs and RFCs

None.

Configuration Tasks

Configuring the router for Triple DES encryption has two parts:

  • Internet key exchange policy configuration
  • Crypto map policy configuration

To configure an IKE policy, use the following commands starting in global configuration mode:

Step Command Purpose
1.

crypto isakmp policy priority

Identify the policy to create. (Each policy is uniquely identified by the priority number you assign.)

(This command puts you into the config-isakmp command mode.)
2.

encryption 3des

Specify the encryption algorithm.
3.

hash {sha | md5}

Specify the hash algorithm.
4.

authentication {rsa-sig | rsa-encr | pre-share}

Specify the authentication method.
5.

group {1 | 2}

Specify the Diffie-Hellman group identifier.
6.

lifetime seconds

Specify the security association's lifetime.
7.

exit

Exit the config-isakmp command mode.
8.

exit

Exit the global configuration mode.
9.

show crypto isakmp policy

(Optional) View all existing IKE policies.

(Use this command in EXEC mode.)

To configure an IPSec crypto map policy, use the following commands starting in global configuration mode:

Step Command Purpose
1.

access-list access-list-number permit ip source source-wildcard destination destination-wildcard

Configure Access Control Lists (ACLs) to permit through the router interface the IP network traffic that you want to protect.
2.

crypto ipsec transform-set transform-set-name esp-3Des

Configure a transform-set that identifies the IPSec triple DES transform to use for encapsulating network traffic.
3.

crypto map map-name seq-num ipsec-isakmp

Create a crypto map that binds together elements of the IPSec configuration.

(This command puts you into the crypto map command mode.)
4.

match address [access-list-id | name]

Specify an extended access list for a crypto map entry.
5.

set transform-set transform-set-name

Specify which transform set can be used with the crypto map entry.
6.

set peer {hostname | ip-address}

Specify an IPSec peer in a crypto map entry.
7.

exit

Exit the crypto map command mode.
8.

interface type number

Specify an interface on which to apply the crypto map.

(This command puts you into the interface command mode.)
9.

crypto map map-name

Apply the previously defined crypto map set to an interface.
10.

exit

Exit the interface command mode.
11.

exit

Exit the global configuration mode.
12.

show crypto map

(Optional) View all existing crypto map policies.

(Use this command in EXEC mode.)

Configuration Example

This IPSec configuration example has two parts:

  • Configuring IKE policy
  • Configuring IPSec policy, including the access list, transform set, crypto map, and interface definition

This example creates an IKE policy, with 3des as the encryption algorithm.

crypto isakmp policy 15
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
 lifetime 5000

The following is an example of a minimal IPSec configuration where the security associations will be established via IKE. In this example, IKE must be enabled.

An IPSec access list defines which traffic to protect:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic will be protected:

crypto ipsec transform-set myset esp-3des esp-md5-hmac

A crypto map joins together the IPSec access list and transform set and specifies where the protected traffic is sent (the remote IPSec peer):

crypto map toRemoteSite 10 ipsec-isakmp
match address 101
set transform-set myset
set peer 10.2.2.5

The crypto map is applied to an interface:

interface Serial0
ip address 10.0.0.2
crypto map toRemoteSite

Command Reference

This section documents changes to the crypto ipsec transform-set and crypto isakmp policy commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 Security Configuration Guide in the "Internet Key Exchange Security Protocol Commands" chapter and the "IPSec Network Security Commands" chapter.

crypto ipsec transform-set

To define a transform set—an acceptable combination of security protocols and algorithms—use the crypto ipsec transform-set global configuration command. This command is documented in the Cisco IOS Release 12.0 Security Command Reference.

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
no crypto ipsec transform-set transform-set-name

Syntax Description

transform-set-name

Specify the name of the transform set to create (or modify).

transform1
transform2
transform3

Specify up to three "transforms." These transforms define the IPSec security protocol(s) and algorithm(s). Accepted transform values are described in the "Usage Guidelines" section.

Default

None

Command Mode

Global configuration. This command invokes the crypto transform configuration mode.

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3 T. The esp-3des option first appeared in Cisco IOS Release 12.0(1) XA.

Acceptable combinations of transforms are shown in Table 1.

Table 1   Selecting Transforms for a Transform Set: Allowed Transform Combinations

AH Transform
pick up to one 		ESP Encryption Transform
pick up to one 		ESP Authentication Transform
pick up to one, only if you also selected the esp-des transform (not esp-rfc1829)
Transform Description Transform Description Transform Description

ah-md5-hmac

AH with the MD5 (HMAC variant) authentication algorithm

esp-des

ESP with the 56-bit DES encryption algorithm

esp-md5-hmac

ESP with the MD5 (HMAC variant) authentication algorithm

ah-sha-hmac

AH with the SHA (HMAC variant) authentication algorithm

esp-3des

ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)

 

 

ah-rfc1828

older version of the AH protocol
(per RFC 1828)

esp-rfc1829

older version of the ESP protocol (per RFC 1829); does not allow an accompanying ESP authentication transform

esp-sha-hmac

ESP with the SHA (HMAC variant) authentication algorithm

Examples of acceptable transform combinations are:

  • ah-md5-hmac
  • esp-des
  • esp-3des and esp-md5-hmac
  • ah-sha-hmac and esp-des and esp-sha-hmac
  • ah-rfc1828 and esp-rfc1829

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.

Example

This example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.

crypto ipsec transform-set newer esp-3des esp-sha-hmac
crypto ipsec transform-set older ah-rfc-1828 esp-rfc1829

Related Commands

initialization-vector size
mode
set transform-set
show crypto ipsec transform-set

encryption (IKE policy)

To specify the encryption algorithm within an IKE policy, use the encryption (IKE policy) ISAKMP policy configuration command. IKE policies define a set of parameters to be used during IKE negotiation. Use the no form of this command to reset the encryption algorithm to the default value.

encryption {des | 3des}
no encryption

Syntax Description

des

Specifies 56-bit DES-CBC as the encryption algorithm.

3des

Specifies 168-bit DES (3DES) as the encryption algorithm.

Default

The 56-bit DES-CBC encryption algorithm.

Command Mode

ISAKMP policy configuration (config-isakmp)

Usage Guidelines

This command first appeared in Cisco IOS Release 11.3 T. The 3des option first appeared in Cisco IOS Release 12.0(1) XA.

Use this command to specify the encryption algorithm to be used in an IKE policy.

Example

This example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):

router(config)#crypto isakmp policy
router(config-isakmp)#encryption 3des
router(config-isakmp)#

Related Commands

authentication (IKE policy)
crypto isakmp policy
group (IKE policy)
hash (IKE policy)
lifetime (IKE policy)
show crypto isakmp policy