IPsec Digital Certificate Support - Cisco MDS 9000 Series Configuration Manual

Security

Configuring IPSec Network Security
• Secure Hash Algorithm (SHA-1, SHA-2) is a hash algorithm with the Hash Message Authentication Code (HMAC) variant. IPsec supports SHA-2 on Cisco MDS 9250i Multiservice Fabric Switches starting from Cisco MDS NX-OS Release 7.3(0)D1(1).
• AES-XCBC-MAC is a Message Authentication Code (MAC) using the AES algorithm.
Supported IKE Transforms and Algorithms
The component technologies implemented for IKE include the following transforms:
• Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys. Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit) are supported.
• Advanced Encryption Standard (AES) is an encryption algorithm. It uses 128-bit keys in either Cipher Block Chaining (CBC) or counter mode.
• Data Encryption Standard (DES) is used to encrypt packet data and implements the mandatory 56-bit DES-CBC. CBC requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPsec packet.
• Triple DES (3DES) is a stronger form of DES with 168-bit encryption keys that allow sensitive information to be transmitted over untrusted networks.
Note
Cisco NX-OS images with strong encryption are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.
• Message Digest 5 (MD5) is a hash algorithm with the HMAC variant. HMAC is a keyed hash variant used to authenticate data.
• Secure Hash Algorithm (SHA-1, SHA-2) is a hash algorithm with the Hash Message Authentication Code (HMAC) variant. IKEv2 supports SHA-2 on Cisco MDS 9250i Multiservice Fabric Switches starting from Cisco MDS NX-OS Release 7.3(0)D1(1).
Note
IKEv1 does not support SHA-2.
• The switch authentication algorithm uses preshared keys that are selected by the peer's IP address.

IPsec Digital Certificate Support

This section describes the advantages of using certificate authorities (CAs) and digital certificates for authentication.
Implementing IPsec Without CAs and Digital Certificates
Without a CA and digital certificates, enabling IPsec services (such as encryption) between two Cisco MDS switches requires that each switch has the key of the other switch (such as an RSA public key or a shared key). You must manually specify either the RSA public keys or preshared keys on each switch in the fabric
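The following is an added illustration, not code from the Cisco guide or from NX-OS, of two of the IKE building blocks listed above: a Diffie-Hellman key agreement in Group 2 (the 1024-bit MODP group, with the generator 2 and the prime reproduced from RFC 2409 by the example's author) that leaves both peers with the same session key, and the keyed-hash (HMAC) variants of MD5, SHA-1 and SHA-2 used to authenticate data with that key. The payload, the peer names and the key-derivation step (hashing the shared secret) are constructed for the example and are not how IKE derives its keying material; the point is to show why the transform list pairs a DH group with an HMAC algorithm.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE Diffie-Hellman Group 2 (RFC 2409, Section 6.2),
# reproduced from the RFC by the example's author; the generator is 2.
DH_GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_GENERATOR = 2

# Hash functions that the HMAC variants on this page are built on.
HMAC_ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def dh_keypair(prime=DH_GROUP2_PRIME, generator=DH_GENERATOR):
    """Return (private exponent, public value) for one DH participant."""
    private = secrets.randbelow(prime - 2) + 1
    public = pow(generator, private, prime)
    return private, public


def dh_shared_secret(own_private, peer_public, prime=DH_GROUP2_PRIME):
    """Combine our private exponent with the peer's public value.

    The range check rejects the degenerate values 0, 1 and p-1, which would
    force the shared secret to a value an attacker can predict.
    """
    if not 1 < peer_public < prime - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, prime)


def session_key(shared_secret, hash_name, prime=DH_GROUP2_PRIME):
    """Constructed key derivation: hash the fixed-width encoding of the secret."""
    width = (prime.bit_length() + 7) // 8
    return HMAC_ALGORITHMS[hash_name](shared_secret.to_bytes(width, "big")).digest()


def authenticate(key, data, hash_name):
    """Produce the keyed-hash (HMAC) tag that authenticates data."""
    return hmac.new(key, data, HMAC_ALGORITHMS[hash_name]).digest()


def verify(key, data, tag, hash_name):
    """Constant-time check of an HMAC tag against recomputed value."""
    return hmac.compare_digest(authenticate(key, data, hash_name), tag)


def demo_exchange(hash_name="sha256"):
    """Run a full exchange between two constructed peers and report the outcome."""
    a_private, a_public = dh_keypair()          # switch A
    b_private, b_public = dh_keypair()          # switch B
    # Each side only ever sees the other's public value.
    a_secret = dh_shared_secret(a_private, b_public)
    b_secret = dh_shared_secret(b_private, a_public)
    key_a = session_key(a_secret, hash_name)
    key_b = session_key(b_secret, hash_name)

    payload = b"constructed IPsec payload for the example"
    tag = authenticate(key_a, payload, hash_name)
    return {
        "keys_match": key_a == key_b,
        "tag_verifies": verify(key_b, payload, tag, hash_name),
        "tampered_rejected": not verify(key_b, payload + b"!", tag, hash_name),
        "tag_bytes": len(tag),
    }


if __name__ == "__main__":
    for name in HMAC_ALGORITHMS:
        print(name, demo_exchange(name))
```

Running the block prints one result line per HMAC variant; in each case the two peers derive the same key, the tag verifies, and a one-byte change to the payload is rejected. The tag lengths (16, 20 and 32 bytes) are one visible difference between the MD5, SHA-1 and SHA-2 HMAC variants the guide lists.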
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
173
