About Ipsec - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

About IPsec

Send documentation comments to mdsfeedback-doc@cisco.com.

Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x
Chapter 30: Configuring IPsec Network Security, page 30-2

• Global Lifetime Values, page 30-22
• Displaying IKE Configurations, page 30-23
• Displaying IPsec Configurations, page 30-24
• Sample FCIP Configuration, page 30-29
• Sample iSCSI Configuration, page 30-34
• Default Settings, page 30-36

About IPsec

IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers).

IPsec provides the following network security services. In general, the local security policy dictates the use of one or more of these services between two participating IPsec devices:

• Data confidentiality—The IPsec sender can encrypt packets before transmitting them across a network.
• Data integrity—The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.
• Data origin authentication—The IPsec receiver can authenticate the source of the IPsec packets sent. This service is dependent upon the data integrity service.
• Anti-replay protection—The IPsec receiver can detect and reject replayed packets.

Note
The term data authentication is generally used to mean data integrity and data origin authentication. Within this chapter it also includes anti-replay services, unless otherwise specified.

With IPsec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets, extranets, and remote user access.

IPsec as implemented in Cisco SAN-OS software supports the Encapsulating Security Payload (ESP) protocol. This protocol encapsulates the data to be protected and provides data privacy services, optional data authentication, and optional anti-replay services.

Note
The Encapsulating Security Payload (ESP) protocol is a header inserted into an existing TCP/IP packet, the size of which depends on the actual encryption and authentication algorithms negotiated. To avoid fragmentation, the encrypted packet fits into the interface maximum transmission unit (MTU). The path MTU calculation for TCP takes into account the addition of ESP headers, plus the outer IP header in tunnel mode, for encryption. The MDS switches allow 100 bytes for packet growth for IPsec encryption.

Figure 30-1 shows different IPsec scenarios.
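The anti-replay service listed above is what lets an ESP receiver "detect and reject replayed packets". The following is an added illustration, not code from the Cisco manual or from SAN-OS: it models the receiver-side sliding window that RFC 4303 describes (a 64-packet window is the minimum the RFC requires and is assumed here), runs it over a constructed stream of ESP sequence numbers, and shows the three distinct rejection reasons a receiver distinguishes. The ICV flag on each constructed packet stands in for the real integrity check; as in RFC 4303, the window is consulted before the ICV is verified but only advanced once it passes.

```python
"""Receiver-side ESP anti-replay window (added example, RFC 4303 Appendix A style).

Packets are modelled as (sequence_number, icv_valid) tuples; the ICV check
itself is simulated because the point here is the window logic.
"""

from typing import List, Tuple


class AntiReplayWindow:
    """Sliding window over received ESP sequence numbers.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been accepted.
    """

    def __init__(self, window_size: int = 64) -> None:  # 64 = RFC 4303 minimum
        self.size = window_size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << window_size) - 1

    def _check(self, seq: int) -> str:
        """Classify a sequence number without touching the window."""
        if seq == 0:
            return "invalid"          # ESP sequence numbers start at 1
        if seq > self.top:
            return "accept"           # new high-water mark, always fresh
        diff = self.top - seq
        if diff >= self.size:
            return "stale"            # fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return "replay"           # already accepted once
        return "accept"

    def _update(self, seq: int) -> None:
        """Record an authenticated sequence number in the window."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                # Slide the window right and mark the new top as seen.
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                # Jumped past the whole window: only the new top is seen.
                self.bitmap = 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_valid: bool) -> str:
        """Full receive path: window check, then ICV, then window update."""
        verdict = self._check(seq)
        if verdict != "accept":
            return verdict
        if not icv_valid:
            return "bad-icv"          # window must not advance on forged packets
        self._update(seq)
        return "accept"


def process_stream(packets: List[Tuple[int, bool]], window_size: int = 64) -> List[str]:
    """Run a constructed packet stream through one window; return verdicts."""
    window = AntiReplayWindow(window_size)
    return [window.receive(seq, icv_ok) for seq, icv_ok in packets]


# Constructed sample: reordering (5 before 4), a replay of 3, a large jump to 70
# that evicts 5 and 6 from the window, a forged 71, then the genuine 71.
SAMPLE_PACKETS = [
    (1, True), (2, True), (3, True), (5, True), (4, True),
    (3, True),            # replay
    (70, True),           # jump; window now covers 7..70
    (5, True), (6, True), # too old for the 64-wide window
    (7, True),            # oldest still inside the window
    (71, False),          # bad ICV: rejected, window unchanged
    (71, True),           # genuine packet with that number still accepted
]

if __name__ == "__main__":
    for (seq, icv), verdict in zip(SAMPLE_PACKETS, process_stream(SAMPLE_PACKETS)):
        print(f"seq={seq:<3} icv_ok={icv!s:<5} -> {verdict}")
```

The stream shows why "stale" and "replay" are separate outcomes: a stale packet may be perfectly genuine but arrived too late to be checked against the window, whereas a replay is a number the receiver has already accepted. A receiver that counted both together would lose a useful detection signal.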

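The note on ESP and MTU states that the header size "depends on the actual encryption and authentication algorithms negotiated" and that the MDS switches allow 100 bytes of packet growth. The following added example (not from the manual) makes that concrete: it lays out the RFC 4303 ESP fields, computes the worst-case growth for a few common transform combinations in transport and tunnel mode, checks each against the 100-byte allowance, and finds the largest inner packet that still fits a given interface MTU. The transform sizes are ordinary ESP values assumed for illustration; the page itself names no algorithms.

```python
"""ESP packet-growth and MTU fit estimate (added example, not from the Cisco manual).

ESP layout per RFC 4303:
  SPI(4) + sequence number(4) + IV + encrypted payload + padding
  + pad length(1) + next header(1) + ICV
Tunnel mode additionally prepends a new outer IPv4 header (20 bytes).
"""

from dataclasses import dataclass

ESP_SPI_LEN = 4
ESP_SEQ_LEN = 4
ESP_TRAILER_LEN = 2          # pad length + next header
IPV4_HDR_LEN = 20            # inner header (transport) / new outer header (tunnel), no options
MDS_GROWTH_ALLOWANCE = 100   # bytes of growth the manual says MDS reserves for IPsec


@dataclass(frozen=True)
class Transform:
    name: str
    iv_len: int      # explicit IV carried at the start of the ESP payload
    align: int       # (payload + padding + trailer) is padded to this boundary
    icv_len: int     # integrity check value appended after the trailer


# Assumed transform sizes (typical RFC 4303 / RFC 4106 values, not from this page).
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": Transform("aes-cbc/hmac-sha1-96", iv_len=16, align=16, icv_len=12),
    "3des-cbc/hmac-md5-96": Transform("3des-cbc/hmac-md5-96", iv_len=8, align=8, icv_len=12),
    "aes-gcm-128":          Transform("aes-gcm-128", iv_len=8, align=4, icv_len=16),
}


def esp_padding(payload_len: int, align: int) -> int:
    """Padding bytes so that payload + padding + trailer lands on the cipher boundary."""
    return (-(payload_len + ESP_TRAILER_LEN)) % align


def esp_growth(ip_packet_len: int, t: Transform, tunnel: bool) -> int:
    """Bytes added to an original IPv4 packet of ip_packet_len bytes.

    Tunnel mode encrypts the whole inner packet and adds an outer header;
    transport mode keeps the original IP header and encrypts only what follows it.
    """
    payload_len = ip_packet_len if tunnel else ip_packet_len - IPV4_HDR_LEN
    growth = (ESP_SPI_LEN + ESP_SEQ_LEN + t.iv_len
              + esp_padding(payload_len, t.align) + ESP_TRAILER_LEN + t.icv_len)
    if tunnel:
        growth += IPV4_HDR_LEN
    return growth


def worst_case_growth(t: Transform, tunnel: bool) -> int:
    """Growth for the payload length that needs the most padding."""
    return max(esp_growth(IPV4_HDR_LEN + n, t, tunnel) for n in range(t.align))


def fits_allowance(t: Transform, tunnel: bool, allowance: int = MDS_GROWTH_ALLOWANCE) -> bool:
    """True if this transform can never grow a packet by more than the allowance."""
    return worst_case_growth(t, tunnel) <= allowance


def max_inner_packet(mtu: int, t: Transform, tunnel: bool) -> int:
    """Largest original packet whose ESP-protected form still fits the interface MTU."""
    n = mtu
    while n > IPV4_HDR_LEN and n + esp_growth(n, t, tunnel) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for t in TRANSFORMS.values():
        for tunnel in (False, True):
            mode = "tunnel" if tunnel else "transport"
            print(f"{t.name:<22} {mode:<9} worst growth {worst_case_growth(t, tunnel):>3} B "
                  f"fits 100 B: {fits_allowance(t, tunnel)!s:<5} "
                  f"max inner @1500: {max_inner_packet(1500, t, tunnel)}")
```

The worst case, not the average, is what matters for the allowance: CBC padding varies with payload length, so an estimate taken from one packet size can be up to a full cipher block too optimistic. The MTU search walks down from the interface MTU because padding makes the total non-monotonic near block boundaries.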