D-Link DI-1750 Reference Manual page 362

access lists used for IPSec are used only to determine which traffic should be protected by IPSec, not
which traffic should be blocked or permitted through the interface. Separate access lists define blocking
and permitting at the interface.) A crypto map set can contain multiple entries, each with a different
access list.
When a packet matches a permit entry in a particular access list, and the corresponding crypto map
entry is tagged as ipsec-isakmp, IPSec is triggered. If no security association exists that IPSec can use
to protect this traffic to the peer, IPSec uses IKE to negotiate with the remote peer to set up the
necessary IPSec security associations.
If the crypto map entry is tagged as ipsec-manual, IPSec is triggered. If no security association exists
that IPSec can use to protect this traffic to the peer, the traffic is dropped: in this case the security
associations are installed through the configuration, without the intervention of IKE, so a missing
security association means that IPSec does not have all of the necessary pieces configured.
Once established, the set of security associations (outbound, to the peer) is then applied to the
triggering packet as well as to subsequent applicable packets as those packets exit the router.
"Applicable" packets are packets that match the same access list criteria that the original packet
matched.
If IKE is used to establish the security associations, the security associations will have lifetimes so that
they will periodically expire and require renegotiation. (This provides an additional level of security.)
Multiple IPSec tunnels can exist between two peers to secure different data streams, with each tunnel
using a separate set of security associations. For example, some data streams might be just
authenticated while other data streams must both be encrypted and authenticated.
Access lists associated with IPSec crypto map entries also represent which traffic the router requires to
be protected by IPSec. Inbound traffic is processed against the crypto map entries: if an unprotected
packet matches a permit entry in a particular access list associated with an IPSec crypto map entry,
that packet is dropped because it was not sent as an IPSec-protected packet.
Crypto map entries also include transform sets. A transform set is an acceptable combination of security
protocols, algorithms and other settings to apply to IPSec-protected traffic. During the IPSec security
association negotiation, the peers agree to use a particular transform set when protecting a particular
data flow.
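The following is an added simulation of the crypto map decision logic described above; it is not D-Link firmware code and does not reproduce the DI-1750 command syntax. It shows an outbound permit match on an ipsec-isakmp entry triggering (simulated) IKE negotiation when no security association exists, an ipsec-manual entry with no configured security association dropping the traffic, an IKE-established security association expiring after its lifetime, and an inbound cleartext packet for a protected flow being dropped. All addresses, transform-set names, sequence numbers and lifetimes are constructed, and the inbound check evaluates the access list mirrored (source and destination swapped), which is an assumption about how the return direction is matched.

```python
"""Added illustration of crypto map processing (not D-Link code); all values constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AclEntry:
    action: str   # "permit" = protect with IPSec, "deny" = not selected for protection
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR


@dataclass
class SecurityAssociation:
    peer: str
    transform_set: str
    lifetime: Optional[int]   # seconds; None for manual SAs, which never expire
    age: int = 0

    def expired(self) -> bool:
        return self.lifetime is not None and self.age >= self.lifetime


@dataclass
class CryptoMapEntry:
    seq: int
    mode: str                 # "ipsec-isakmp" or "ipsec-manual"
    peer: str
    transform_set: str
    acl: list
    sa: Optional[SecurityAssociation] = None   # outbound SA, negotiated or configured


@dataclass
class Packet:
    src: str
    dst: str
    protected: bool = False   # True when the packet arrived inside ESP/AH


def acl_action(acl, src: str, dst: str) -> Optional[str]:
    """First-match evaluation of a crypto access list; None means nothing matched."""
    for entry in acl:
        if ip_address(src) in ip_network(entry.src) and ip_address(dst) in ip_network(entry.dst):
            return entry.action
    return None


def match_entry(crypto_map, src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Lowest-sequence crypto map entry whose access list permits the flow, if any."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_action(entry.acl, src, dst) == "permit":
            return entry
    return None


def process_outbound(crypto_map, pkt: Packet, ike_lifetime: int = 3600) -> str:
    """Outcome for a packet leaving the interface the crypto map is applied to."""
    entry = match_entry(crypto_map, pkt.src, pkt.dst)
    if entry is None:
        return "forward-clear"            # not selected for protection: normal forwarding
    if entry.sa is not None and entry.sa.expired():
        entry.sa = None                   # lifetime elapsed: renegotiation required
    if entry.sa is None:
        if entry.mode == "ipsec-manual":
            return "drop-no-sa"           # manual entry, nothing configured: dropped
        # ipsec-isakmp: IKE negotiates the SA with the peer (simulated as succeeding)
        entry.sa = SecurityAssociation(entry.peer, entry.transform_set, ike_lifetime)
        return "protect-after-ike"
    return "protect"


def process_inbound(crypto_map, pkt: Packet) -> str:
    """Inbound check; assumption: the access list is evaluated with src/dst swapped."""
    entry = match_entry(crypto_map, pkt.dst, pkt.src)
    if entry is not None and not pkt.protected:
        return "drop-unprotected"         # cleartext arrived for a flow that must be IPSec-protected
    return "accept"


def build_demo_map():
    """Constructed crypto map: one IKE-managed entry, one manual entry with no SA."""
    return [
        CryptoMapEntry(10, "ipsec-isakmp", "203.0.113.2", "esp-aes-sha",
                       [AclEntry("permit", "10.1.0.0/16", "10.2.0.0/16")]),
        CryptoMapEntry(20, "ipsec-manual", "203.0.113.3", "ah-sha",
                       [AclEntry("permit", "10.1.0.0/16", "10.3.0.0/16")]),
    ]


def demo() -> dict:
    cmap = build_demo_map()
    results = {
        "isakmp_first": process_outbound(cmap, Packet("10.1.0.5", "10.2.0.9")),
        "isakmp_second": process_outbound(cmap, Packet("10.1.0.5", "10.2.0.9")),
        "manual_no_sa": process_outbound(cmap, Packet("10.1.0.5", "10.3.0.9")),
        "unselected": process_outbound(cmap, Packet("10.1.0.5", "192.0.2.7")),
        "inbound_clear": process_inbound(cmap, Packet("10.2.0.9", "10.1.0.5")),
        "inbound_esp": process_inbound(cmap, Packet("10.2.0.9", "10.1.0.5", protected=True)),
    }
    cmap[0].sa.age = 3600                 # simulate the SA lifetime running out
    results["after_expiry"] = process_outbound(cmap, Packet("10.1.0.5", "10.2.0.9"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The manual-entry drop and the inbound cleartext drop are the two outcomes worth checking on a real deployment: both show up as silently lost traffic rather than an error, so a flow that matches a crypto access list on one side but not the other is a configuration fault, not a transport problem.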
5. Nesting Of IPSec
You can nest IPSec traffic to a series of IPSec peers. For example, in order for traffic to traverse
multiple firewalls (and these firewalls have a policy of not letting through traffic that they themselves
have not authenticated), the router needs to establish IPSec tunnels with each firewall in turn.
In the example shown, Router A encapsulates the traffic destined for Router C in IPSec (Router C is the
IPSec peer). However, before Router A can send this traffic, it must first re-encapsulate this traffic in
IPSec in order to send it to Router B.
It is possible for the traffic between the "outer" peers to have one kind of protection (such as data
authentication) and for traffic between the "inner" peers to have different protection (such as both data
authentication and encryption).
6. IPSec Configuration Steps
After you have completed IKE configuration, configure IPSec by completing the following tasks at each
participating IPSec peer:
♦ Ensuring That Access Lists Are Compatible with IPSec
♦ Creating Crypto Access Lists
[Figure: Nesting Example of IPSec Peers]
- 360 -

This manual is also suitable for: DI-2621, DI-2630, DI-3660