- Index
- Preface
- Using Cisco IOS Software
- SIP, SSC, and SPA Product Overview
-
- Overview of the IPsec VPN SPA
- Configuring VPNs in Crypto-Connect Mode
- Configuring VPNs in VRF Mode
- Configuring IPsec VPN Fragmentation and MTU
- Configuring IKE Features Using the IPsec VPN SPA
- Configuring Enhanced IPsec Features Using the IPsec VPN SPA
- Configuring PKI Using the IPsec VPN SPA
- Configuring Advanced VPNs Using the IPsec VPN SPA
- Configuring Duplicate Hardware and IPsec Failover Using the IPsec VPN SPA
- Configuring Monitoring and Accounting for the IPsec VPN SPA
- Troubleshooting the IPsec VPN SPA
- Glossary
- Overview of Enhanced IPsec Features
- Configuring Advanced Encryption Standard in a Transform Set
- Configuring Reverse Route Injection
- Configuring the IPsec Anti-Replay Window Size
- Configuring an IPsec Preferred Peer
- Configuring IPsec Security Association Idle Timers
- Configuring Distinguished Name-Based Crypto Maps
- Configuring QoS for VPN
- Advanced Encryption Standard Configuration Example
- Reverse Route Injection Configuration Examples
- IPsec Anti-Replay Window Size Configuration Examples
- IPsec Preferred Peer Configuration Examples
- IPsec Security Association Idle Timer Configuration Examples
- Distinguished Name-Based Crypto Maps Configuration Example
- QoS Configuration Examples
- Platform ACL Configuration Example
- Deny Policy Enhancements for ACLs Configuration Example
Configuring Enhanced IPsec Features Using the IPsec VPN SPA
This chapter provides information about configuring enhanced IPsec features using the IPsec VPN SPA on the Catalyst 6500 Series switch. It includes the following sections:
•Overview of Enhanced IPsec Features
•Configuring Advanced Encryption Standard in a Transform Set
•Configuring Reverse Route Injection
•Configuring the IPsec Anti-Replay Window Size
•Configuring an IPsec Preferred Peer
•Configuring IPsec Security Association Idle Timers
•Configuring Distinguished Name-Based Crypto Maps
•Configuring Platform ACLs for VPN
•Configuring Sequenced Crypto ACLs
Note For detailed information on Cisco IOS IPsec cryptographic operations and policies, refer to the Cisco IOS Security Configuration Guide, Release 12.2 and Cisco IOS Security Command Reference, Release 12.2.
For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 publications.
For more information about the commands used in this chapter, see the Catalyst 6500 Series Cisco IOS Command Reference, Release 12.2SX publication. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information about accessing these publications, see the "Related Documentation" section on page xlv.
Tip To ensure a successful configuration of your VPN using the IPsec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.
Overview of Enhanced IPsec Features
IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF). It provides security for transmission of sensitive information over unprotected networks, such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.
This chapter describes the advanced IPsec features that can be used to improve scalability and performance of your IPsec VPN.
Configuring Advanced Encryption Standard in a Transform Set
The Advanced Encryption Standard (AES) is a privacy transform for IPsec and Internet Key Exchange (IKE) that has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES. AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length. The algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.
To configure the AES encryption algorithm within a transform set, perform this task beginning in global configuration mode:
|
|
|
---|---|---|
Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]] ... |
Specifies a transform set and IPsec security profiles and algorithms. |
transform-set-name specifies the name of the transform set.
transform1[transform2[transform3]] defines IPsec security protocols and algorithms. To configure AES, you must choose from the following AES Encapsulating Security Payload (ESP) encryption transforms:
•esp-aes specifies ESP with the 128-bit AES encryption algorithm.
•esp-aes 192 specifies ESP with the 192-bit AES encryption algorithm.
•esp-aes 256 specifies ESP with the 256-bit AES encryption algorithm.
For other accepted transform values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.
Verifying the AES Transform Set
To verify the configuration of the transform set, enter the show crypto ipsec transform-set command:
Router# show crypto ipsec transform-set
Transform set transform-1:{esp-256-aes esp-md5-hmac}
will negotiate = {Tunnel, }
For more complete configuration information about AES support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_aes.html
For an AES configuration example, see the "Advanced Encryption Standard Configuration Example" section.
Configuring Reverse Route Injection
Reverse Route Injection (RRI) provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.
Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.
After the static route is created on the VPN router, this information is propagated to upstream devices, allowing them to determine the appropriate VPN router to which to send returning traffic in order to maintain IPsec state flows. Being able to determine the appropriate VPN router is particularly useful if multiple VPN routers are used at a site to provide load balancing or failover or if the remote VPN devices are not accessible via a default route. Routes are created in either the global routing table or the appropriate virtual routing and forwarding (VRF) table.
RRI is applied on a per-crypto map basis, whether this is via a static crypto map or a dynamic crypto map template. For both dynamic and static maps, routes are created only at the time of IPsec SA creation. Routes are removed when the SAs are deleted. The static keyword can be added to the reverse-route command if routes are created on the basis of the content of the crypto ACLs that are permanently attached to the static crypto map.
RRI Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring RRI:
Note When RRI is enabled, do not make changes to the crypto configuration while VPN sessions are active. Enter the clear crypto session command before making changes.
•IP routing should be enabled and static routes should be redistributed if dynamic routing protocols are to be used to propagate RRI-generated static routes.
•You can specify an interface or address as the explicit next hop to the remote VPN device. This functionality allows the overriding of a default route to properly direct outgoing encrypted packets.
•You can add a route tag value to any routes that are created using RRI. This route tag allows redistribution of groups of routes using route maps, allowing you to be selective about which routes enter your global routing table.
•RRI can be configured on the same crypto map that is applied to multiple router interfaces.
•The reverse-route remote-peer [static] command creates two routes. One route is the standard remote proxy ID and the next hop is the remote VPN client tunnel address. The second route is the actual route to that remote tunnel endpoint and is used when a recursive lookup requires that the remote endpoint be reachable by the next hop. Creation of the second route for the actual next hop is important in the VRF case in which a default route must be overridden by a more explicit route.
To reduce the number of routes created and support some platforms that do not readily facilitate route recursion, the reverse-route {ip-address} [static] keyword can be used to create one route only.
•For devices using an IPsec VPN SPA, reverse route specifies the next hop to be the interface, subinterface, or virtual LAN (VLAN) with the crypto map applied to it.
Configuring RRI Under a Static Crypto Map
To configure RRI under a static crypto map, perform the following steps beginning in global configuration mode:
Configuring RRI Under a Dynamic Crypto Map
To configure RRI under a dynamic crypto map, perform the following steps beginning in global configuration mode:
For more complete configuration information for RRI, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html
For RRI configuration examples, see the "Reverse Route Injection Configuration Examples" section.
Configuring the IPsec Anti-Replay Window Size
Cisco IPsec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association (SA) anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value (X) of the highest sequence number that it has already seen. N is the window size of the decryptor. Any packet with a sequence number less than X minus N is discarded. Currently, N is set at 64.
Note The IPsec anti-replay window size feature is supported in Cisco IOS Release 12.2(18)SXF6 and later releases.
At times, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they are not replayed packets. The IPsec anti-replay window size feature allows you to expand the window size so that sequence number information can be kept for more than 64 packets.
Note A change in the anti-replay window size will not take effect until after the next rekeying.
Expanding the IPsec Anti-Replay Window Size Globally
To expand the IPsec anti-replay window globally so that it affects all SAs that are created (except for those that are specifically overridden on a per-crypto map basis), perform this task beginning in global configuration mode:
Expanding the IPsec Anti-Replay Window at the Crypto Map Level
To expand the IPsec anti-replay window on a crypto map basis so that it affects those SAs that have been created using a specific crypto map or profile, perform this task beginning in global configuration mode:
Verifying the IPsec Anti-Replay Window Size Configuration at the Crypto Map Level
To verify that IPsec anti-replay window size is enabled at a crypto map, enter the show crypto map command for that particular map. If anti-replay window size is enabled, the display will indicate that it is enabled and indicate the configured window size. If anti-replay window size is disabled, the results will indicate that also.
The following example indicates that IPsec anti-replay window size is enabled:
Router# show crypto map tag TESTMAP
Crypto Map "TESTMAP" 10 ipsec-isakmp
WARNING: This crypto map is in an incomplete state!
(missing peer or access-list definitions)
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
}
Antireplay window size = 128
Interfaces using crypto map TESTMAP:
For more complete configuration information for IPsec anti-replay window size, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html
For IPsec anti-replay window size configuration examples, see the "IPsec Anti-Replay Window Size Configuration Examples" section.
Note Anti-replay failures detected by the IPsec VPN SPA can be caused by reordering, requeueing, or fragmentation elsewhere in the network. As a defense against man-in-the-middle attacks, the IPsec VPN SPA will drop these packets. This is the expected behavior.
Disabling the IPsec Anti-Replay Checking
To disable the IPsec anti-replay checking, enter the crypto ipsec security-association replay disable command in global configuration mode as follows:
|
|
|
---|---|---|
Router(config)# crypto ipsec security-association replay disable |
Disables the IPsec anti-replay checking. |
To disable the IPsec anti-replay checking on a particular crypto map, enter the set security-association replay disable command in crypto map configuration mode as follows:
Configuring an IPsec Preferred Peer
The IP Security (IPsec) Preferred Peer feature allows you to control the circumstances by which multiple peers on a crypto map are tried in a failover scenario. If there is a default peer, the next time a connection is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If all connections to the current peer time out, the next time a connection is initiated, it is directed to the default peer.
Note The IPsec Preferred Peer feature is supported in Cisco IOS Release 12.2(33)SXH and later releases.
This feature includes the following capabilities:
•Default peer configuration
If a connection timeout occurs, the connection to the current peer is closed. The set peer command allows you to configure the first peer as the default peer. If there is a default peer, the next time a connection is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If the default peer is unresponsive, the next peer in the peer list becomes the current peer and future connections through the crypto map try that peer.
This capability is useful when traffic on a physical link stops due to the failure of a remote peer. DPD indicates that the remote peer is unavailable, but that peer remains the current peer.
A default peer facilitates the failover to a preferred peer that was previously unavailable, but has returned to service. Users can give preference to certain peers in the event of a failover. This is useful if the original failure was due to a network connectivity problem rather than failure of the remote peer.
To configure a default peer, see the "Configuring a Default Peer" section.
•IPsec idle timer with default peer configuration
When a router running Cisco IOS software creates an IPsec security association (SA) for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers.
IPsec SA idle timers increase the availability of resources by deleting SAs associated with idle peers. Because IPsec SA idle timers prevent the wasting of resources by idle peers, more resources are available to create new SAs when required. (If IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.)
When both an IPsec SA idle timer and a default peer are configured and all connections to the current peer time out, the next time a connection is initiated it is directed to the default peer configured in the set peer command. If a default peer is not configured and there is a connection timeout, the current peer remains the one that timed out.
This enhancement helps facilitate a failover to a preferred peer that was previously unavailable but is in service now.
To configure an IPsec idle timer, see the "Configuring the IPsec Idle Timer with a Default Peer" section.
IPsec Preferred Peer Configuration Guidelines and Restrictions
When configuring an IPsec preferred peer, follow these guidelines and restrictions:
•When configuring a default peer, follow these guidelines and restrictions:
–Only one peer can be designated as the default peer in a crypto map.
–The default peer must be the first peer in the peer list.
Note The default peer feature must be used in conjunction with Dead Peer Detection (DPD). It is most effective on a remote site running DPD in periodic mode. DPD detects the failure of a device quickly and resets the peer list so that the default peer is tried for the next attempted connection.
•When configuring IPsec idle timer usage with a default peer, follow these guidelines and restrictions:
–The IPsec idle timer usage with a default peer feature works only on the crypto map for which it is configured. You cannot configure the capability globally for all crypto maps.
–If there is a global idle timer, the crypto map idle timer value must be different from the global value; otherwise, the idle timer is not added to the crypto map.
Configuring a Default Peer
To configure a default peer, perform this task beginning in global configuration mode:
Configuring the IPsec Idle Timer with a Default Peer
To configure the IPsec idle timer with a default peer, perform this task beginning in global configuration mode:
For complete configuration information for IPsec preferred peer, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_ipspp.html
For IPsec preferred peer configuration examples, see the "IPsec Preferred Peer Configuration Examples" section.
Configuring IPsec Security Association Idle Timers
When a switch running Cisco IOS software creates an IPsec SA for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the switch could be prevented from creating new SAs with other peers. The IPsec security association idle timers feature introduces a configurable idle timer to monitor SAs for activity, allowing SAs for idle peers to be deleted. The idle timers can be configured either globally, on a per-crypto map basis, or through an ISAKMP profile. The benefits of this feature include the following:
•Increased availability of resources
•Improved scalability of Cisco IOS IPsec deployments
IPsec Security Association Idle Timer Configuration Guidelines
When configuring idle timers on a per-crypto map basis, follow these guidelines:
•The IPsec VPN SPA rounds up the CLI-configured interval to the nearest 10-minute interval. For example, if you configure 12 minutes for idle timeout, the IPsec VPN SPA uses a value of 20 minutes for idle timeout. If you configure 5 minutes, the IPsec VPN SPA uses a value of 10 minutes for idle timeout.
•Because of the way the IPsec VPN SPA does idle timeout detection, it can take anywhere between one to three (ten-minute) intervals for idle timeout detection. For example, if you configured 12 minutes for idle timeout, idle timeout could happen anywhere between 20 to 60 minutes.
•When the idle timer is configured globally, the idle timer configuration will be applied to all SAs.
•When the idle timer is configured for a crypto map, the idle timer configuration will be applied to all SAs under the specified crypto map.
Configuring the IPsec SA Idle Timer Globally
To configure the IPsec SA idle timer globally, enter the crypto ipsec security-association idle-time command in global configuration mode as follows:
Configuring the IPsec SA Idle Timer per Crypto Map
To configure the IPsec SA idle timer for a specified crypto map, use the set security-association idle-time command within a crypto map configuration:
For detailed information on configuring IPsec SA idle timers, refer to the following Cisco IOS documentation:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html
For IPsec SA idle timer configuration examples, see the "IPsec Security Association Idle Timer Configuration Examples" section.
Configuring Distinguished Name-Based Crypto Maps
The distinguished name-based crypto maps feature allows you to configure the switch to restrict access to selected encrypted interfaces for those peers with specific certificates, especially certificates with particular distinguished names (DNs).
Previously, if the switch accepted a certificate or a shared secret from the encrypting peer, Cisco IOS did not have a method of preventing the peer from communicating with any encrypted interface other than the restrictions on the IP address of the encrypting peer. This feature allows you to configure which crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, which enables you to control which encrypted interfaces a peer with a specified DN can access. You can configure a DN-based crypto map that can be used only by peers that have been authenticated by a DN or one that can be used only by peers that have been authenticated by a hostname.
Distinguished Name-Based Crypto Map Configuration Guidelines and Restrictions
When configuring a distinguished name-based crypto map, follow these guidelines and restrictions:
•If you restrict access to a large number of DNs, we recommend that you specify a few number of crypto maps referring to large identity sections instead of specifying a large number of crypto maps referring to small identity sections.
To configure a DN-based crypto map that can be used only by peers that have been authenticated by a DN, or one that can be used only by peers that have been authenticated by a hostname, perform this task beginning in global configuration mode:
For complete configuration information for distinguished name-based crypto maps, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftdnacl.html
For a distinguished name-based crypto map configuration example, see the "Distinguished Name-Based Crypto Maps Configuration Example" section.
Configuring QoS for VPN
Typical applications of quality of service (QoS) for VPN are the use of traffic policing to prevent a hub from overwhelming a lower-capacity spoke, and the prioritization over VPN of delay-sensitive traffic such as voice over IP (VoIP). QoS features for VPN traffic are provided both by the module (IPsec VPN SPA and SSC-400 carrier card) and by the platform (Catalyst 6500 Series switch). The module provides a dual-priority queue for module traffic. In Cisco IOS Release 12.2(33)SXI and later releases, the Catalyst 6500 Series switch provides data classification and either remarking or policing of traffic on the tunnel interface.
To activate the QoS capabilities of the module, carrier, and platform, you must enable QoS globally by entering the mls qos command.
When QoS is disabled globally, the system behavior is as follows:
•All QoS fields are left intact in packets.
•Packets flow through only one queue in the carrier card.
When QoS is enabled globally, the system behavior is as follows:
•The default state of all ports and VLANs is the untrusted state, causing ports to clear the QoS fields in all traffic to zero unless a QoS policy is configured on the the port.
•Packets flow through two queues in the carrier card. Packets with a CoS value of 5 will use the higher priority queue, while all other packets will use the lower priority queue.
Before configuring QoS for VPN, see the additional information provided in the following URLs:
Configuring QoS on the Catalyst 6500 Series switch:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html
Configuring QoS Features on a SIP:
Configuring QoS on the FlexWAN Modules:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexqos.html
QoS Policing on the Catalyst 6500 Series switch:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
QoS Output Scheduling on the Catalyst 6500 Series switch:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bf98.shtml
QoS Troubleshooting:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008074d6b1.shtml
Using the Module QoS Features of the IPsec VPN SPA
The IPsec VPN SPA implements a two-level, strict-priority QoS. The Cisco 7600 SSC-400 and the IPsec VPN SPA together implement two queues for each direction, inbound and outbound. Packets are dequeued in a two-to-one ratio, meaning that two packets are dequeued from the high-priority low-latency queue (LLQ) before one packet is dequeued from the low-priority queue. Packets are enqueued based on your priority-queue configuration settings. To take advantage of the IPsec VPN SPA's QoS capability, you must use standard QoS commands to ensure that the class of service (CoS) of packets is marked on ingress. You must configure the CoS map for the inside and outside ports and you must also enable QoS globally for the IPsec VPN SPA to acknowledge the CoS mapping.
Module QoS Configuration Guidelines and Restrictions
When configuring QoS settings for an IPsec VPN SPA, follow these guidelines and note these restrictions:
•In releases before Cisco IOS Release 12.2(33)SXI, service policies should not be applied on GRE and VTI tunnel interfaces.
•Packets are enqueued based on the mls qos command and the priority-queue configuration settings as follows:
–When the mls qos command is not configured, all data packets are enqueued into the high-priority queue.
–When the mls qos command is configured and no explicit priority-queue configuration is present on the IPsec VPN SPA Ethernet interfaces, only packets with a CoS value of 5 are enqueued into the high-priority queue; all other packets are enqueued into the low-priority queue.
–When the mls qos command is configured and priority-queue configuration is present on the IPsec VPN SPA Ethernet interfaces, traffic is enqueued based on the priority-queue configuration.
•A maximum of three CoS map values can be sent to the high-priority queue. Because the CoS value of 5 is preconfigured as high-priority, you can choose only two other values for high-priority queueing.
Note Do not configure more than three CoS map values because any additional values will overwrite previously configured values. If you overwrite the CoS value of 5, the system will restore it, overwriting one of your other configured values. To restore an overwritten CoS map value, you must first delete the new value and then reconfigure the earlier value.
•When the mls qos command is configured, you must also configure the mls qos trust command on the IPsec VPN SPA Ethernet interfaces, as in the following example:
Interface GigabitEthernet4/0/1
mls qos trust cos
priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
mls qos trust cos
priority-queue cos-map 1 0 1 5
In this example, the CoS values of 0, 1, and 5 are sent to the high-priority queue.
•In a blade failover group, both IPsec VPN SPAs must have matching platform QoS configurations.
•If the mls qos trust command is not configured, the QoS fields in all traffic will be cleared to the default level. If the mls qos trust command is configured, the QoS fields will be preserved.
For a configuration example of module QoS, see the "Module QoS Configuration Example" section.
Using the Platform QoS Features of the Switch
With Cisco IOS Release 12.2(33)SXI and later releases, the Catalyst 6500 Series switch allows data classification and either remarking or policing of packets on the tunnel interface.
Platform QoS configuration uses the Cisco Modular QoS CLI (MQC) framework. You can define traffic classes, associate policies and actions to each traffic class, and attach these policies to interfaces by following these steps:
Step 1 Define traffic classes using match statements with the class-map command.
Step 2 Configure policies using the defined traffic classes with the policy-map command.
Step 3 Attach defined policies to an interface with the service-policy command.
For more information on configuring QoS in the Catalyst 6500 Series switch, see the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html
Remarking of Packets
Remarking is specified by using a set command within a policy map. Platform QoS for VPN is capable of remarking the priority settings of original IP, GRE, and IPsec headers of tunnel traffic, depending on the tunnel type. For remarking of packets, the port trust settings must be as follows:
•If matching is based on ToS bits of the incoming packets, the LAN interface must be configured as a trusted port, using the mls qos trust command.
•Depending on the VPN mode and the desired behavior, the inside interface of the IPsec VPN SPA must be configured as VLAN-based, using the mls qos vlan-based command, or as a trusted port, using the mls qos trust command.
The following sections describe remarking behavior in different modes:
Remarking of IPsec Packets in Crypto-Connect Mode
The outside interface of the IPsec VPN SPA must be configured as a trusted port, using the mls qos trust command.
If the inside interface of the IPsec VPN SPA is configured as VLAN-based, using the mls qos vlan-based command, the remarking behavior will be as follows:
•Apply the service policy to the interface VLAN.
•For outbound traffic, remarking is performed on the original IP header and copied to the IPsec header.
•For inbound traffic, remarking is performed on the original IP header.
•Traffic matching the service policy will be remarked. Traffic not matching the service policy will be set to a priority of 0.
If the inside interface of the IPsec VPN SPA is configured as as a trusted port, using the mls qos trust command, the remarking behavior will be as follows:
•Apply the service policy to the interface VLAN.
•Remarking is supported only on outbound traffic.
•Remarking is performed on the original IP header and copied to the IPsec header.
•Traffic matching the service policy will be remarked.
Remarking of GRE Packets in Crypto-Connect Mode
The outside interface of the VSPA must be configured as a trusted port, using the mls qos trust command.
The inside interface of the IPsec VPN SPA is configured as VLAN-based, using the mls qos vlan-based command. The remarking behavior will be as follows:
•Remarking is supported for both inbound and outbound traffic.
•If the GRE tunnel is taken over by the IPsec VPN SPA:
–Apply the service policy to the tunnel interface. Any service policy on the interface VLAN will be ignored.
–Remarking is performed on the original IP header, the GRE header, and the IPsec header.
•If the GRE tunnel is not taken over by the IPsec VPN SPA:
–Apply the service policy to the tunnel interface or to the interface VLAN.
–Remarking is performed on the GRE header and the IPsec header, and not on the original IP header (inner header).
•Traffic matching the service policy will be remarked.
Remarking of GRE Packets with Tunnel Protection in VRF Mode
The outside interface of the IPsec VPN SPA must be configured as a trusted port, using the mls qos trust command. After egress from the IPsec VPN SPA, an encrypted packet cannot be remarked.
The inside interface of the IPsec VPN SPA is configured as VLAN-based, using the mls qos vlan-based command. The remarking behavior will be as follows:
•Remarking is supported for both inbound and outbound traffic.
•If the GRE tunnel is taken over by the IPsec VPN SPA:
–Apply the service policy to the tunnel interface.
–Remarking is performed on the original IP header, the GRE header, and the IPsec header.
•If the GRE tunnel is not taken over by the IPsec VPN SPA:
–Apply the service policy to the tunnel interface or to the interface VLAN.
–Remarking is performed on the GRE header and the IPsec header, and not on the original IP header (inner header).
•Traffic matching the service policy will be remarked.
Remarking of VTI Packets in VRF Mode
The outside interface of the IPsec VPN SPA must be configured as a trusted port, using the mls qos trust command. After egress from the IPsec VPN SPA, an encrypted packet cannot be remarked.
The inside interface of the IPsec VPN SPA is configured as VLAN-based, using the mls qos vlan-based command. The remarking behavior will be as follows:
•Apply the service policy to the tunnel interface.
•Remarking is supported for both inbound and outbound traffic.
•Remarking is performed on the original IP header and the IPsec header.
•Traffic matching the service policy will be remarked.
Policing of Packets
Policing enforces a maximum packet rate by dropping excess packets. Policing can limit the rate that packets are passed to and from the IPsec VPN SPA.
For more information on configuring policing in the Catalyst 6500 Series switch, see the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html
Platform QoS Guidelines and Restrictions
When configuring platform QoS for VPN, follow these guidelines and note these restrictions:
•To enable QoS, you must apply the mls qos command globally.
•Platform QoS policies can be applied to the tunnel interface in any of these situations:
–GRE in crypto-connect mode, whether or not GRE is taken over by the IPsec VPN SPA
–GRE with tunnel protection, whether or not GRE is taken over by the IPsec VPN SPA
–Static VTI
–mGRE
•The match all, match not, and match cos classification criteria are not supported for platform QoS on the tunnel interface.
•In the police command, the exceed-action set options are not supported for platform QoS on the tunnel interface, and cannot be configured for remarking or policing.
•Platform QoS policies do not apply to packets generated by the route processor or destined for the route processor.
•Supports 1023 policers or remarkers.
•When applying a service policy during configuration, the policy does not take effect until after you exit the interface configuration mode.
•If you apply and then remove a service policy, some packets will be remarked to other priorities during the transition. (CSCso84671)
•In some cases, upon removal of a service policy from a tunnel, the tunnel continues to remark outbound traffic. (CSCsq99617)
•When configuring for blade-to-blade failover, you must enter identical QoS configurations on the inside interfaces of both IPsec VPN SPAs.
For a configuration example of platform QoS, see the "Platform QoS Configuration Example" section.
Configuring Platform ACLs for VPN
With Cisco IOS Release 12.2(33)SXI and later releases, you can apply access control lists (ACLs) to VPN tunnel interfaces.
Platform ACL Configuration Guidelines and Restrictions
When configuring platform ACLs for an IPsec VPN SPA, follow these guidelines and note these restrictions:
•ACLs can be applied to the tunnel interface in any of these situations:
–GRE in crypto-connect mode, whether or not GRE is taken over by the IPsec VPN SPA
–GRE with tunnel protection, whether or not GRE is taken over by the IPsec VPN SPA
–Static VTI
–DMVPN, in either crypto-connect or VRF mode
•Permit and deny ACLs can be applied to tunnel interfaces in either the inbound or outbound direction.
•In crypto-connect mode with GRE, when GRE is not taken over by the IPsec VPN SPA, apply the ACL to the interface VLAN to filter GRE-encapsulated packets, or to the tunnel interface to filter clear IP packets.
•In crypto-connect mode with GRE, when GRE is taken over by the IPsec VPN SPA, ACLs on the interface VLAN are not supported. Apply the ACL to the tunnel interface to filter clear IP packets.
•ACLs on tunnels are supported in blade-to-blade failover.
•ACLs will be applied to transit packets, but will not be applied to packets generated by the switch.
For an ACL configuration example, see the "Platform ACL Configuration Example" section.
Configuring Sequenced Crypto ACLs
Access control lists (ACLs) are made up of access control entries (ACEs). With sequenced ACLs, ACEs can be entered with a sequence number in front of the ACE and the ACEs are then processed by sequence number. Additionally, ACEs can be deleted one at a time by using the sequence number in the front of the ACE that you want to delete. The sequence numbers do not appear in the configuration but they can be displayed using the show access-list command.
Note If an ACE is removed or modified, the ACL is reconfigured on the IPsec VPN SPA, which might result in tearing down existing sessions.
Configuring Deny Policy Enhancements for Crypto ACLs
Specifying a deny address range in an ACL results in "jump" behavior. When a denied address range is hit, it forces the search to "jump" to the beginning of the ACL associated with the next sequence in a crypto map and continue the search. If you want to pass clear traffic on these addresses, you must insert a deny address range for each sequence in a crypto map. In turn, each permit list of addresses inherits all the deny address ranges specified in the ACL. A deny address range causes the software to do a subtraction of the deny address range from a permit list, and creates multiple permit address ranges that need to be programmed in hardware. This behavior can cause repeated address ranges to be programmed in the hardware for a single deny address range, resulting in multiple permit address ranges in a single ACL. To avoid this problem, use the crypto ipsec ipv4-deny {jump | clear | drop} command set as follows:
•The jump keyword results in the standard "jump" behavior.
•The clear keyword allows a deny address range to be programmed in hardware. The deny addresses are then filtered out for encryption and decryption. If the VPN mode is crypto-connect, when a deny address is hit, the search is stopped and traffic is allowed to pass in the clear (unencrypted) state. If the VPN mode is VRF, the deny address matching traffic is dropped.
•The drop keyword causes traffic to be dropped when a deny address is hit.
The clear and drop keywords can be used to prevent repeated address ranges from being programmed in the hardware, resulting in more efficient TCAM space utilization.
Deny Policy Enhancements for Crypto ACLs Configuration Guidelines and Restrictions
When configuring the deny policy enhancements, follow these guidelines and restrictions:
•The crypto ipsec ipv4-deny {jump | clear | drop} command is a global command that is applied to a single IPsec VPN SPA. The specified keyword (jump, clear, or drop) is propagated to the ACE software of the IPsec VPN SPA. The default behavior is jump.
•When the clear keyword is used with VRF mode, deny address traffic is dropped rather than passed in the clear state. VRF mode does not pass traffic in the clear state.
•If you apply the specified keyword (jump, clear, or drop) when crypto maps are already configured on the IPsec VPN SPA, all existing IPsec sessions are temporarily removed and restarted, which impacts traffic on your network.
•The number of deny entries that can be specified in an ACL are dependent on the keyword specified:
–jump—Supports up to 8 deny entries in an ACL.
Note The limit of 8 deny jump entries in an ACL should be considered a guideline rather than a fixed limit. Depending on your configuration, the practical limit could be fewer than 8.
–clear—Supports up to 1000 deny entries in an ACL.
–drop—Supports up to 1000 deny entries in an ACL.
For a deny policy enhancements configuration example, see the "Deny Policy Enhancements for ACLs Configuration Example" section.
Configuration Examples
This section provides examples of the following configurations:
•Advanced Encryption Standard Configuration Example
•Reverse Route Injection Configuration Examples
•IPsec Anti-Replay Window Size Configuration Examples
•IPsec Preferred Peer Configuration Examples
•IPsec Security Association Idle Timer Configuration Examples
•Distinguished Name-Based Crypto Maps Configuration Example
•Platform ACL Configuration Example
•Deny Policy Enhancements for ACLs Configuration Example
Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SXH.
As of Cisco IOS Release 12.2(33)SXH, the crypto engine subslot command used in previous releases has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside | outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that this command has been modified in your start-up configuration to avoid extended maintenance time.
Advanced Encryption Standard Configuration Example
The following example configures the Advanced Encryption Standard (AES) 256-bit key:
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
mode transport
crypto map aesmap 10 ipsec-isakmp
set peer 10.0.110.1
set transform-set aesset
Reverse Route Injection Configuration Examples
The following examples show how to configure RRI:
•RRI Under a Static Crypto Map Configuration Example
•RRI Under a Dynamic Crypto Map Configuration Example
•RRI with Existing ACLs Configuration Example
•RRI for Two Routes Configuration Example
•RRI Through a User-Defined Hop Configuration Example
RRI Under a Static Crypto Map Configuration Example
The following example shows how to configure RRI under a static crypto map. In this example, the RRI-created route has been tagged with a tag number. This tag number can then be used by a routing process to redistribute the tagged route via a route map:
Router(config)# crypto map mymap 1 ipsec-isakmp
Router(config-crypto-map)# reverse-route tag 5
RRI Under a Dynamic Crypto Map Configuration Example
The following example shows how to configure RRI under a dynamic crypto map:
Router(config)# crypto dynamic-map mymap 1
Router(config-crypto-map)# reverse-route remote peer 10.1.1.1
RRI with Existing ACLs Configuration Example
The following example shows how to configure RRI for a situation in which there are existing ACLs:
Router(config)# crypto map mymap 1 ipsec-isakmp
Router(config-crypto-map)# set peer 172.17.11.1
Router(config-crypto-map)# reverse-route static
Router(config-crypto-map)# set transform-set esp-3des-sha
Router(config-crypto-map)# match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
RRI for Two Routes Configuration Example
The following example shows how to configure two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface on which the crypto map is configured:
Router(config-crypto-map)# reverse-route remote-peer
RRI Through a User-Defined Hop Configuration Example
The following example shows that one route has been created to the remote proxy through a user-defined next hop. This next hop should not require a recursive route lookup unless it will recurse to a default route.
Router(config-crypto-map)# reverse-route remote-peer 10.4.4.4
IPsec Anti-Replay Window Size Configuration Examples
The following examples show how to configure the IPsec anti-replay window size:
•IPsec Anti-Replay Window Global Configuration Example
•IPsec Anti-Replay Window per Crypto Map Configuration Example
IPsec Anti-Replay Window Global Configuration Example
The following example shows that the anti-replay window size has been set globally to 1024:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Gateway1
!
boot-start-marker
boot-end-marker
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
!
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123
address 192.165.201.2
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 192.165.201.2
set transform-set basic
match address 101
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
ip address 192.165.200.2 255.255.255.252
serial restart-delay 0
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.165.200.1
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!access-list 101 remark Crypto ACL
!
control-plane
!
line con 0
line aux 0
line vty 0 4
end
IPsec Anti-Replay Window per Crypto Map Configuration Example
The following example shows that anti-replay checking is disabled for IPsec connections to 172.150.150.2, but enabled (and the default window size is 64) for IPsec connections to 172.150.150.3 and 172.150.150.4:
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1
enable password ww
!
ip subnet-zero
cns event-service server
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco170
address 172.150.150.2
crypto isakmp key cisco180
address 172.150.150.3
crypto isakmp key cisco190
address 172.150.150.4
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
crypto ipsec transform-set 190cisco esp-des esp-md5-hmac
crypto map ETH0 17 ipsec-isakmp
set peer 172.150.150.2
set security-association replay disable
set transform-set 170cisco
match address 170
crypto map ETH0 18 ipsec-isakmp
set peer 150.150.150.3
set transform-set 180cisco
match address 180
crypto map ETH0 19 ipsec-isakmp
set peer 150.150.150.4
set transform-set 190cisco
match address 190
!
interface Ethernet0
ip address 172.150.150.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no mop enabled
crypto map ETH0
!
interface Serial0
ip address 172.160.160.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
ip classless
ip route 172.170.170.0 255.255.255.0 172.150.150.2
ip route 172.180.180.0 255.255.255.0 172.150.150.3
ip route 172.190.190.0 255.255.255.0 172.150.150.4
no ip http server
!
access-list 170 permit ip 172.160.160.0 0.0.0.255 172.170.170.0 0.0.0.255
access-list 180 permit ip 172.160.160.0 0.0.0.255 172.180.180.0 0.0.0.255
access-list 190 permit ip 172.160.160.0 0.0.0.255 172.190.190.0 0.0.0.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
end
IPsec Preferred Peer Configuration Examples
The following examples show how to configure an IPsec preferred peer:
•Default Peer Configuration Example
•IPsec Idle Timer with Default Peer Configuration Example
Default Peer Configuration Example
The following example shows how to configure a default peer. In this example, the first peer, at IP address 1.1.1.1, is the default peer:
Router(config)# crypto map tohub 1 ipsec-isakmp
Router(config-crypto-map)# set peer 1.1.1.1 default
Router(config-crypto-map)# set peer 2.2.2.2
Router(config-crypto-map)# exit
IPsec Idle Timer with Default Peer Configuration Example
The following example shows how to configure an IPsec idle timer with a default peer. In the following example, if the current peer is idle for 600 seconds, the default peer 1.1.1.1 (which was specified in the set peer command) is used for the next attempted connection:
Router (config)# crypto map tohub 1 ipsec-isakmp
Router(config-crypto-map)# set peer 1.1.1.1 default
Router(config-crypto-map)# set peer 2.2.2.2
Router(config-crypto-map)# set security-association idle-time 600 default
Router(config-crypto-map)# exit
IPsec Security Association Idle Timer Configuration Examples
The following examples show how to configure the IPsec SA idle timer:
•IPsec SA Idle Timer Global Configuration Example
•IPsec SA Idle Timer per Crypto Map Configuration Example
IPsec SA Idle Timer Global Configuration Example
The following example globally configures the IPsec SA idle timer to drop SAs for inactive peers after 600 seconds:
Router(config)# crypto ipsec security-association idle-time 600
IPsec SA Idle Timer per Crypto Map Configuration Example
The following example configures the IPsec SA idle timer for the crypto map named test to drop SAs for inactive peers after 600 seconds:
Router(config) # crypto map test 1 ipsec-isakmp
Router(config-crypto-map)# set security-association idle-time 600
Distinguished Name-Based Crypto Maps Configuration Example
The following example shows how to configure distinguished name based crypto maps that have been authenticated by DN and hostname. Comments are included inline to explain various commands.
! DN based crypto maps require you to configure an IKE policy at each peer.
crypto isakmp policy 15
encryption 3des
hash md5
authentication rsa-sig
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
lifetime 10000
crypto isakmp key 1234567890 address 171.69.224.33
!
!The following is an IPsec crypto map (part of IPsec configuration). It can be used only
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
set peer 172.21.114.196
set transform-set my-transformset
match address 124
identity to-bigbiz
!
crypto identity to-bigbiz
dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
!and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
set peer 172.21.115.119
set transform-set my-transformset
match address 125
identity to-little-com
!
crypto identity to-little-com
fqdn little.com
!
QoS Configuration Examples
The following examples show how to configure QoS for VPN:
•Module QoS Configuration Example
•Platform QoS Configuration Example
Module QoS Configuration Example
The following example shows how to configure the dual-priority queue for module QoS:
mls qos
!
Interface GigabitEthernet4/0/1
mls qos trust cos
priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
mls qos trust cos
priority-queue cos-map 1 0 1 5
Platform QoS Configuration Example
This example shows how to configure platform QoS with inbound and outbound service policies:
mls qos
!
! Define class maps
!
class-map match-any IPP1
match ip precedence 1
class-map match-any IPP0
match ip precedence 0
class-map match-any IPP3
match ip precedence 3
class-map match-any IPP2
match ip precedence 2
class-map match-any IPP5
match ip precedence 5
class-map match-any IPP4
match ip precedence 4
class-map match-any IPP7
match ip precedence 7
class-map match-any IPP6
match ip precedence 6
!
! Define policy maps
!
policy-map SET_3TO5
class IPP3
set precedence 5
!
policy-map SET_1TO5
class IPP1
set precedence 5
!
!
! LAN interface configuration
!
interface GigabitEthernet2/3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 46,51,3501-4000
switchport mode trunk
mls qos trust ip-precedence
!
! inside interface configuration
!
interface GigabitEthernet3/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
mtu 9216
mls qos vlan-based
flowcontrol receive on
flowcontrol send off
spanning-tree portfast edge trunk
!
! outside interface configuration
!
interface GigabitEthernet3/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
mtu 9216
mls qos trust ip-precedence
!
! tunnel interface configuration
!
interface Tunnel1
ip vrf forwarding i1
ip address 26.0.1.2 255.255.255.0
ip access-group T1ACL_IN in
ip access-group T1ACL_OUT out
ip mtu 1400
tunnel source 27.0.1.2
tunnel destination 192.0.20.1
tunnel mode ipsec ipv4
tunnel vrf f1
tunnel protection ipsec profile TUN_PROTECTION
crypto engine slot 3/0 inside
service-policy input SET_1TO5
service-policy output SET_3TO5
Platform ACL Configuration Example
This example shows a tunnel configuration with inbound and outbound platform ACLs:
interface Tunnel1
ip vrf forwarding i1
ip address 26.0.1.2 255.255.255.0
ip access-group T1ACL_IN in
ip access-group T1ACL_OUT out
ip mtu 1400
tunnel source 27.0.1.2
tunnel destination 67.0.1.6
tunnel vrf f1
tunnel protection ipsec profile TUN_PROTECTION
crypto engine slot 3/0 inside
!
!
ip access-list extended T1ACL_IN
permit tcp any any
permit icmp any any
permit ip any host 50.0.1.2 precedence critical
permit ip any host 50.0.1.2 precedence internet
permit ip any host 50.0.1.2 precedence priority
permit ip any host 50.0.1.2 precedence flash
deny ip any any
ip access-list extended T1ACL_OUT
permit tcp any any
permit icmp any any
permit ip any host 60.0.1.2 precedence critical
permit ip any host 60.0.1.2 precedence internet
permit ip any host 60.0.1.2 precedence priority
permit ip any host 60.0.1.2 precedence flash
deny ip any any
Deny Policy Enhancements for ACLs Configuration Example
The following example shows a configuration using the deny policy clear option. In this example, when a deny address is hit, the search will stop and traffic will be allowed to pass in the clear (unencrypted) state:
Router(config)# crypto ipsec ipv4-deny clear