Ipsec Compatibility; Ipsec And Ike Terminology - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual


IPsec Compatibility

Send documentation comments to mdsfeedback-doc@cisco.com.
Cisco MDS 9000 Family Configuration Guide, Chapter 30: Configuring IPsec Network Security
OL-6973-03, Cisco MDS SAN-OS Release 2.x

IPsec features are compatible with the following Cisco MDS 9000 Family hardware:
- MPS-14/2 modules in Cisco MDS 9200 Switches or Cisco MDS 9500 Directors
- Cisco MDS 9216i Switch with the 14/2-Port multiprotocol capability in the integrated supervisor module. Refer to the Cisco MDS 9200 Series Hardware Installation Guide for more information on the Cisco MDS 9216i Switch.

The IPsec feature is not supported on the management interface.

IPsec features are compatible with the following fabric setup:
- Two connected Cisco MDS 9200 Switches or Cisco MDS 9500 Directors running Cisco MDS SAN-OS Release 2.0(1b) or later.
- A Cisco MDS 9200 Switch or Cisco MDS 9500 Director running Cisco MDS SAN-OS Release 2.0(1b) or later connected to any IPsec compliant device.

The following features are not supported in the Cisco SAN-OS implementation of the IPsec feature:
- Authentication Header (AH).
- Transport mode.
- Security association bundling.
- Manually configuring security associations.
- Per host security association option in a crypto map.
- Security association idle timeout.
- Dynamic crypto maps.

Note: Any reference to crypto maps in this document refers only to static crypto maps.

IPsec and IKE Terminology

The terms used in this chapter are explained in this section.

- Security association (SA)—An agreement between two participating peers on the entries required to encrypt and decrypt IP packets. Two SAs are required for each peer in each direction (inbound and outbound) to establish bidirectional communication between the peers. Sets of bidirectional SA records are stored in the SA database (SAD). IPsec uses IKE to negotiate and bring up SAs. Each SA record includes the following information:
  - Security parameter index (SPI)—A number which, together with a destination IP address and security protocol, uniquely identifies a particular SA. When using IKE to establish the SAs, the SPI for each SA is a pseudo-randomly derived number.
  - Peer—A switch or other device that participates in IPsec. For example, a Cisco MDS switch or other Cisco routers that support IPsec.
  - Transform—A list of operations done to provide data authentication and data confidentiality. For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm.
  - Session key—The key used by the transform to provide security services.
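The SA lookup described in the terminology above, as an added example that is not part of the Cisco guide or of SAN-OS: a minimal SA database keyed by (destination IP, security protocol, SPI), queried with a raw IPv4 ESP packet. The class and function names are hypothetical, and the addresses, SPIs, and all-zero session key are constructed sample values.

```python
import ipaddress
import struct
from dataclasses import dataclass

ESP = 50  # IP protocol number for ESP; AH is not supported on SAN-OS per this page

@dataclass
class SA:
    peer: str           # the other IPsec device
    transform: str      # operations applied, e.g. ESP with HMAC-MD5
    session_key: bytes  # key used by the transform

class SAD:
    """SA database: one record per (destination IP, security protocol, SPI)."""
    def __init__(self):
        self._records = {}

    def add(self, dst, proto, spi, sa):
        key = (ipaddress.ip_address(dst), proto, spi)
        if key in self._records:
            raise ValueError(f"SA already exists for {key}")
        self._records[key] = sa

    def lookup_packet(self, packet):
        """Return the SA that matches a raw IPv4 ESP packet, or None."""
        if len(packet) < 20 or packet[0] >> 4 != 4:
            return None
        ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
        if ihl < 20 or len(packet) < ihl + 8 or packet[9] != ESP:
            return None
        dst = ipaddress.ip_address(packet[16:20])
        (spi,) = struct.unpack_from("!I", packet, ihl)  # SPI is the first ESP field
        return self._records.get((dst, ESP, spi))

def esp_packet(src, dst, spi, proto=ESP):
    """Constructed IPv4 packet with an 8-byte ESP header (SPI, sequence number)."""
    addrs = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, *addrs)
    return ip + struct.pack("!II", spi, 1)

def build_demo_sad(local="192.0.2.1", remote="192.0.2.2"):
    """Bidirectional traffic needs two SAs, one per direction (constructed values)."""
    sad = SAD()
    key = bytes(16)  # placeholder; IKE would negotiate the real session keys
    sad.add(local, ESP, 0x1000A001, SA(remote, "ESP with HMAC-MD5", key))   # inbound
    sad.add(remote, ESP, 0x2000B002, SA(remote, "ESP with HMAC-MD5", key))  # outbound
    return sad
```

A packet addressed to 192.0.2.1 that carries the outbound SPI 0x2000B002 returns None from `lookup_packet`, because the SPI selects an SA only in combination with the destination address and security protocol.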
