The Any Keyword In Crypto Acls; Transform Sets In Ipsec - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

Chapter 30
Configuring IPsec Network Security
Send documentation comments to mdsfeedback-doc@cisco.com.
In Figure 30-3, an SA cannot be established in Case 4. This is because SAs are always requested
according to the crypto ACLs at the initiating packet's end. In Case 4, router N requests that all traffic
between Subnet X and Subnet Y be protected, but this is a superset of the specific flows permitted by
the crypto ACL at switch M, so the request is not permitted. Case 3 works because switch M's
request is a subset of the specific flows permitted by the crypto ACL at router N.
Because of the complexities introduced when crypto ACLs are not configured as mirror images at peer
IPsec devices, Cisco strongly encourages you to use mirror image crypto ACLs.

The any Keyword in Crypto ACLs

Tip: We recommend that you configure mirror image crypto ACLs for use by IPsec and that you avoid using
the any option.
Using any in a permit statement is discouraged when you have multicast traffic flowing through the IPsec
interface; this configuration can cause multicast traffic to fail.
The permit any any statement causes all outbound traffic to be protected (and all protected traffic sent to
the peer specified in the corresponding crypto map entry) and requires protection for all inbound traffic.
As a result, all inbound packets that lack IPsec protection are silently dropped, including packets for
routing protocols, NTP, echo, echo response, and so forth.
You need to be sure you define which packets to protect. If you must use any in a permit statement, you
must preface that statement with a series of deny statements to filter out any traffic (that would otherwise
fall within that permit statement) that you do not want to be protected.
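The following Python model is an added example, not Cisco SAN-OS code and not part of this manual. It illustrates two points from this section with a simplified crypto ACL evaluator: the Case 3 / Case 4 rule that an initiator's requested flow must be a subset of what the responder's crypto ACL permits, and the effect of a bare permit ip any any (unprotected inbound control-plane traffic is dropped) versus the same permit prefaced by deny entries. All names (Ace, classify, inbound_disposition, request_allowed), the sample networks, and the treatment of the deny entries are assumptions made for the illustration; real switch behaviour is more detailed than this model.

```python
# Added example: a small Python model of crypto ACL semantics described above.
# Illustrative code, not Cisco SAN-OS; all names and sample networks are hypothetical.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access control entry of a crypto ACL."""
    action: str                  # "permit" (protect with IPsec) or "deny" (send/accept in the clear)
    proto: str                   # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # destination port, or None for any port


def ace(action: str, proto: str, src: str = "any", dst: str = "any",
        dport: Optional[int] = None) -> Ace:
    """Build an ACE from CLI-like arguments; "any" means 0.0.0.0/0."""
    def net(s: str) -> IPv4Network:
        return ANY if s == "any" else ip_network(s, strict=False)
    return Ace(action, proto, net(src), net(dst), dport)


def classify(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins. Returns "protect" for a permit hit and
    "bypass" for a deny hit or for no match at all (implicit deny)."""
    src, dst = ip_network(src_ip), ip_network(dst_ip)
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if src.subnet_of(e.src) and dst.subnet_of(e.dst):
            return "protect" if e.action == "permit" else "bypass"
    return "bypass"


def inbound_disposition(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
                        protected: bool, dport: Optional[int] = None) -> str:
    """An inbound packet that the ACL says must be protected but that arrived
    without IPsec is silently dropped; everything else is accepted."""
    if classify(acl, proto, src_ip, dst_ip, dport) == "protect" and not protected:
        return "drop"
    return "accept"


def request_allowed(responder_acl: List[Ace], proto: str, src: str, dst: str) -> bool:
    """Simplified Case 3 / Case 4 check: the initiator's requested flow is accepted
    only if it is a subset of a flow the responder's crypto ACL permits; a request
    covering more than the responder permits (a superset) is refused."""
    s, d = ip_network(src, strict=False), ip_network(dst, strict=False)
    for e in responder_acl:
        if e.action != "permit" or e.proto not in ("ip", proto):
            continue
        if s.subnet_of(e.src) and d.subnet_of(e.dst):
            return True
    return False


# Constructed sample data: switch M protects one host pair, router N a subnet pair.
ACL_M = [ace("permit", "ip", "10.1.1.1/32", "10.2.2.2/32")]
ACL_N = [ace("permit", "ip", "10.1.1.0/24", "10.2.2.0/24")]

# A bare "permit ip any any" versus the same permit prefaced with deny entries for
# control-plane traffic (OSPF, NTP on UDP/123, ICMP echo) that must stay in the clear.
ACL_BARE_ANY = [ace("permit", "ip")]
ACL_ANY_WITH_DENIES = [
    ace("deny", "ospf"),
    ace("deny", "udp", dport=123),
    ace("deny", "icmp"),
    ace("permit", "ip"),
]

if __name__ == "__main__":
    print("Case 3 (M -> N, host pair):   ", request_allowed(ACL_N, "ip", "10.1.1.1/32", "10.2.2.2/32"))
    print("Case 4 (N -> M, subnet pair): ", request_allowed(ACL_M, "ip", "10.1.1.0/24", "10.2.2.0/24"))
    print("bare any, unprotected OSPF in:", inbound_disposition(ACL_BARE_ANY, "ospf", "10.1.1.2", "10.1.1.1", False))
    print("with denies, unprotected NTP: ", inbound_disposition(ACL_ANY_WITH_DENIES, "udp", "10.1.1.2", "10.1.1.1", False, dport=123))
```

Running the script shows Case 3 accepted and Case 4 refused, an unprotected OSPF packet dropped under the bare permit, and the same NTP packet accepted once the deny entries precede the permit, while ordinary TCP traffic still requires protection.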

Transform Sets in IPsec

A transform set represents a certain combination of security protocols and algorithms. During the IPsec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. The transform set defined in the crypto map entry is used in the IPsec security association
negotiation to protect the data flows specified by that crypto map entry's access list.
During IPsec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and applied to the protected traffic
as part of both peers' IPsec security associations.
Tip: If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change is not applied to existing security associations, but used in subsequent
negotiations to establish new security associations. If you want the new settings to take effect sooner,
you can clear all or part of the security association database.
Note: When you enable IPsec, the Cisco SAN-OS software automatically creates a default transform set
(ipsec_default_tranform_set) using AES-128 encryption and SHA-1 authentication algorithms.
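The following Python model is an added example, not Cisco SAN-OS code and not part of this manual. It illustrates how a crypto map entry's transform sets are proposed in order and the first one the peer also has is selected, and why a changed transform set definition reaches only new security associations until the SA database is cleared. The IpsecPeer class, the crypto map and SA structures, the flow tuple, and the use of transform keywords such as esp-aes 128 and esp-sha1-hmac as plain labels are assumptions made for the illustration.

```python
# Added example: a Python model of transform-set negotiation and SA lifetime
# described above. Hypothetical code, not Cisco SAN-OS; the structures are simplified.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str]  # (source network, destination network) covered by a crypto map entry


@dataclass(frozen=True)
class TransformSet:
    name: str
    encryption: str   # e.g. "esp-aes 128"
    auth: str         # e.g. "esp-sha1-hmac"


# Created automatically when IPsec is enabled (name spelled as in the manual).
DEFAULT_TRANSFORM_SET = TransformSet("ipsec_default_tranform_set", "esp-aes 128", "esp-sha1-hmac")


def negotiate(proposals: List[TransformSet], peer_sets: List[TransformSet]) -> Optional[TransformSet]:
    """The initiator offers the transform sets its crypto map entry references,
    in order; the first one whose protocols and algorithms the peer also has is
    selected. Names are local to each device and do not need to match."""
    acceptable = {(t.encryption, t.auth) for t in peer_sets}
    for t in proposals:
        if (t.encryption, t.auth) in acceptable:
            return t
    return None


class IpsecPeer:
    """Holds transform-set definitions, crypto map entries and the SA database."""

    def __init__(self) -> None:
        self.transform_sets: Dict[str, TransformSet] = {
            DEFAULT_TRANSFORM_SET.name: DEFAULT_TRANSFORM_SET}
        self.crypto_map: Dict[Flow, List[str]] = {}   # flow -> transform-set names, in order
        self.sa_db: Dict[Flow, Tuple[str, str]] = {}  # flow -> (encryption, auth) in use

    def define_transform_set(self, name: str, encryption: str, auth: str) -> None:
        """(Re)defining a set changes what later negotiations propose; SAs that are
        already established keep the algorithms they were negotiated with."""
        self.transform_sets[name] = TransformSet(name, encryption, auth)

    def proposals_for(self, flow: Flow) -> List[TransformSet]:
        return [self.transform_sets[n] for n in self.crypto_map[flow]]

    def establish_sa(self, flow: Flow, peer: "IpsecPeer") -> Optional[TransformSet]:
        chosen = negotiate(self.proposals_for(flow), list(peer.transform_sets.values()))
        if chosen is not None:
            self.sa_db[flow] = (chosen.encryption, chosen.auth)
            peer.sa_db[flow] = (chosen.encryption, chosen.auth)
        return chosen

    def clear_sa(self, flow: Optional[Flow] = None) -> None:
        """Clear all or part of the SA database so new settings take effect sooner."""
        if flow is None:
            self.sa_db.clear()
        else:
            self.sa_db.pop(flow, None)


def demo() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    """Returns (algorithms of the original SA, algorithms still in use after the
    transform set is redefined, algorithms after clearing and renegotiating)."""
    flow: Flow = ("10.1.1.0/24", "10.2.2.0/24")            # constructed sample flow
    local, remote = IpsecPeer(), IpsecPeer()
    local.define_transform_set("ts1", "esp-aes 128", "esp-sha1-hmac")
    local.crypto_map[flow] = ["ts1"]
    local.establish_sa(flow, remote)                       # matches the remote default set
    before = local.sa_db[flow]
    local.define_transform_set("ts1", "esp-aes 256", "esp-sha1-hmac")
    remote.define_transform_set("ts1", "esp-aes 256", "esp-sha1-hmac")
    still_old = local.sa_db[flow]                          # existing SA is untouched
    local.clear_sa(flow)
    local.establish_sa(flow, remote)                       # next negotiation uses the new set
    return before, still_old, local.sa_db[flow]


if __name__ == "__main__":
    print(demo())
```

demo() returns the AES-128/SHA-1 pair twice and the AES-256/SHA-1 pair once: redefining ts1 alone changes nothing for the established SA, and only clearing that SA and renegotiating brings the new definition into use.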
Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x
Configuring IPsec, page 30-15