Cisco MDS 9000 Series Configuration Manual page 185

Security

Configuring IPSec Network Security
The IP security (IPsec) protocol is a framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. It is developed by the Internet Engineering Task Force
(IETF). IPsec provides security services at the IP layer, including protecting one or more data flows between
a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The overall
IPsec implementation is the latest version of RFC 2401. Cisco NX-OS IPsec implements RFC 2402 through
RFC 2410.
IPsec uses the Internet Key Exchange (IKE) protocol to handle protocol and algorithm negotiation and to
generate the encryption and authentication keys used by IPsec. While IKE can be used with other protocols,
its initial implementation is with the IPsec protocol. IKE provides authentication of the IPsec peers, negotiates
IPsec security associations, and establishes IPsec keys. IKE uses RFCs 2408, 2409, 2410, and 2412, and
additionally implements the draft-ietf-ipsec-ikev2-16.txt draft.
Note
The term IPsec is sometimes used to describe the entire protocol of IPsec data services and IKE security
protocols, and at other times to describe only the data services.
This chapter includes the following sections:
• About IPsec, on page 168
• About IKE, on page 169
• IPsec Prerequisites, on page 170
• Using IPsec, on page 170
• Crypto IPv4-ACLs, on page 184
• IPsec Maintenance, on page 197
• Default Settings, on page 209
Chapter 9
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
