Dynamic Crypto Profiles; Crypto Access Lists - Cisco IOS XR Configuration Manual

System security configuration guide

Implementing IPSec Network Security on Cisco IOS XR Software
For IPSec to succeed between two IPSec peers, both peers' crypto profile entries must contain
compatible configuration statements. When two peers try to establish an SA, each must have at least one
crypto profile entry that is compatible with one of the other peer's crypto profile entries. For two crypto
profile entries to be compatible, they must at least meet the following criteria:
• The crypto profile entries must contain compatible crypto access lists. In the case where the
  responding peer is using dynamic crypto profiles, the entries in the local crypto access list must be
  "permitted" by the peer's crypto access list.
• The crypto profile entries must have at least one transform set in common.

Note
Crypto profiles cannot be shared; that is, the same profile cannot be attached to multiple
tunnel-IPSec interfaces, or to both an interface and transport mode IPSec.
This restriction applies only to ipsec-tunnel interfaces and transport mode, not to service-ipsec or
service-gre interfaces.

Dynamic Crypto Profiles

A dynamic crypto profile entry is essentially a crypto profile entry without all of the parameters configured.
It acts as a policy template in which the missing parameters are later dynamically configured (as the
result of an IPSec negotiation) to match a remote peer's requirements. This allows remote peers to
exchange IPSec traffic with the router even if the router does not have a crypto profile entry specifically
configured to meet all of the remote peer's requirements.
Dynamic crypto profiles are not used by the router to initiate new IPSec SAs with remote peers. Dynamic
crypto profiles are used when a remote peer tries to initiate an IPSec SA with the router. Dynamic crypto
profiles are also used in evaluating traffic.
If the router accepts the peer's request, at the point that it installs the new IPSec SAs it implicitly installs
a temporary crypto profile entry. This entry is filled in with the results of the negotiation. From this point,
the router performs normal processing, using the temporary crypto profile entry as a normal entry, even
requesting new SAs if the current ones are expiring (based upon the policy specified in the temporary
crypto profile entry). After the flow expires (that is, after all of the corresponding SAs expire), the temporary
crypto profile entry is removed.
For static crypto profile entries, if outbound traffic matches a permit statement in an access list and the
corresponding SA is not yet established, the router initiates new SAs with the remote peer. In the case
of dynamic crypto profile entries, if no SA exists, the traffic is dropped (because dynamic crypto
profiles are not used for initiating new SAs).

Crypto Access Lists

Crypto access lists are used to define the IP traffic that is and is not protected by crypto. For example,
access lists can be created to protect all IP traffic between Subnet A and Subnet Y, or Telnet traffic
between Host A and Host B.
The access lists themselves are not specific to IPSec. It is the crypto profile entry referencing the specific
access list that defines whether IPSec processing is applied to the traffic matching a permit in the
access list.
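As an added illustration (not from the Cisco guide), the following Python model encodes the behaviour described above: a static entry initiates SAs for outbound traffic that matches a permit in its crypto access list, while a dynamic entry never initiates, only responds to a peer's negotiation, installs a temporary entry filled in from that negotiation, and drops the flow again once the entry expires. The profile names, prefixes and transform-set names are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Crypto ACL entries are (action, source prefix, destination prefix) written from
# this router's point of view; first match wins, with an implicit deny at the end.
@dataclass
class CryptoProfile:
    name: str
    acl: list                                  # crypto access list entries
    transform_sets: set                        # transform-set names this entry offers
    dynamic: bool = False                      # dynamic entries never initiate SAs
    sas: dict = field(default_factory=dict)    # (src, dst) -> "static" | "temporary"

def acl_permits(acl, src, dst):
    """True if the crypto ACL selects this flow for IPSec protection."""
    for action, s_net, d_net in acl:
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return action == "permit"
    return False                               # implicit deny: not crypto traffic

def outbound(profile, src, dst):
    """Decision for an outbound packet: bypass, encrypt, initiate new SAs, or drop."""
    if not acl_permits(profile.acl, src, dst):
        return "bypass"                        # not selected by the crypto ACL
    if (src, dst) in profile.sas:
        return "encrypt"                       # SA already established for this flow
    if profile.dynamic:
        return "drop"                          # dynamic profiles do not initiate SAs
    profile.sas[(src, dst)] = "static"         # static entry: initiate with the peer
    return "initiate"

def inbound_negotiation(profile, peer_src, peer_dst, peer_transform_sets):
    """A remote peer initiates. Returns the agreed transform set, or None if rejected.
    The peer's flow is mirrored, so our ACL must permit it in the reverse direction."""
    common = profile.transform_sets & set(peer_transform_sets)
    if not common or not acl_permits(profile.acl, peer_dst, peer_src):
        return None
    # A dynamic entry installs a temporary crypto profile entry filled in from the negotiation.
    profile.sas[(peer_dst, peer_src)] = "temporary" if profile.dynamic else "static"
    return sorted(common)[0]

def expire_flow(profile, src, dst):
    """All SAs of the flow expired: a temporary entry is removed, so a dynamic profile
    drops the flow until the peer negotiates again."""
    return profile.sas.pop((src, dst), None)
```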
Information About Implementing IPSec Networks
Cisco IOS XR System Security Configuration Guide
SC-95

This manual is also suitable for: IOS XR 3.5