Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com
The Cisco SAN-OS implementation of IPsec does not support the following features:
• Manually configuring security associations
• Per-host security association option in a crypto map
• Security association idle timeout
• Dynamic crypto maps
Any reference to crypto maps in this document refers only to static crypto maps.
IPsec and IKE Terminology
The terms used in this chapter are explained in this section.
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Security association (SA)—An agreement between two participating peers on the parameters required
to encrypt and decrypt IP packets. An SA is unidirectional, so each pair of peers needs two SAs,
one inbound and one outbound, to establish bidirectional communication. These SA records are
stored in the SA database (SAD). IPsec uses IKE to negotiate and bring up SAs. Each SA record
includes the following information:
Security parameter index (SPI)—A number which, together with a destination IP address and
security protocol, uniquely identifies a particular SA. When using IKE to establish the SAs, the
SPI for each SA is a pseudo-randomly derived number.
Peer—A switch or other device that participates in IPsec. For example, a Cisco MDS switch or a
Cisco router that supports IPsec.
Transform—A list of operations done to provide data authentication and data confidentiality.
For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm.
(HMAC-MD5 is now regarded as weak; where both peers support it, prefer an HMAC-SHA-based
transform.)
Session key—The key used by the transform to provide security services.
Lifetime—A lifetime counter (in seconds and in bytes transmitted) is maintained from the time the
SA is created. When either limit is reached, the SA is no longer operational and, if required, is
automatically renegotiated (rekeyed).
Mode of operation—Two modes of operation are generally defined for IPsec: tunnel mode and
transport mode. The Cisco SAN-OS implementation of IPsec supports only tunnel mode; transport
mode is not supported. In tunnel mode the entire original IP packet, including its IP header, is
encrypted and authenticated and then encapsulated in a new IP packet addressed between the
gateways, which encrypt traffic on behalf of the hosts and subnets behind them.
The term tunnel mode is different from the term tunnel, which is used to indicate a secure
communication path between two peers, such as two switches connected by an FCIP link.
Anti-replay—A security service where the receiver can reject old or duplicate packets to protect
itself against replay attacks. IPsec provides this optional service by use of a sequence number
combined with the use of data authentication.
Data authentication—Data authentication can refer either to integrity alone or to both integrity and
authentication (data origin authentication is dependent on data integrity).
Data integrity—Verifies that data has not been altered.
Data origin authentication—Verifies that the data was actually sent by the claimed sender.
Data confidentiality—A security service where the protected data cannot be observed.
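As an added illustration of the Transform, Anti-replay and Data authentication entries above, the following Python model shows the receive side of a single SA: the integrity check value (ICV) is verified first, and only then is the sequence number checked against a sliding anti-replay window. This is example code written for this edit, not code from the Cisco documentation or from SAN-OS. The SPI, session key, packet layout and the names DEMO_SPI, DEMO_KEY, build_packet and InboundSA are constructed for the example; the window logic follows RFC 4303 Appendix A, and HMAC-SHA1 truncated to 96 bits is used as the authentication algorithm in place of HMAC-MD5. Encryption and tunnel-mode encapsulation are left out so that the two checks stand on their own.

```python
import hashlib
import hmac
import struct

# Constructed values for this example only: a real SA gets its SPI and session key from IKE.
DEMO_SPI = 0x1000
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
ICV_LEN = 12        # ESP truncates HMAC-SHA1 output to 96 bits
WINDOW_SIZE = 64    # the minimum anti-replay window RFC 4303 requires a receiver to support


def icv(key, data):
    """Integrity check value: HMAC-SHA1 truncated to 96 bits (the esp-sha1-hmac transform)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(spi, seq, payload, key):
    """Sender side: SPI + sequence number + payload, followed by the ICV over all of it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(key, body)


class InboundSA:
    """Receive side of one SA: unknown-SPI drop, integrity check, then anti-replay window."""

    def __init__(self, spi, key, window=WINDOW_SIZE):
        self.spi = spi
        self.key = key
        self.window = window
        self.top = 0      # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0   # bit i set means sequence number (top - i) has already been accepted

    def replay_ok(self, seq):
        """True if seq is new and inside the window; does not update state."""
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.top:                # to the right of the window: always new
            return True
        offset = self.top - seq
        if offset >= self.window:         # too old to track: reject
            return False
        return not (self.bitmap >> offset) & 1

    def _mark(self, seq):
        """Record seq as accepted, sliding the window right if seq is a new maximum."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet):
        """Return (accepted, reason). Integrity is checked before the replay window so a
        forged sequence number cannot be used to poison the window."""
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, "unknown SPI"
        body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv(self.key, body), tag):
            return False, "integrity check failed"
        if not self.replay_ok(seq):
            return False, "replayed or outside window"
        self._mark(seq)
        return True, "accepted"


def demo():
    """Feed a constructed packet sequence through the SA and collect the verdicts."""
    sa = InboundSA(DEMO_SPI, DEMO_KEY)
    p1 = build_packet(DEMO_SPI, 1, b"first", DEMO_KEY)
    p2 = build_packet(DEMO_SPI, 2, b"second", DEMO_KEY)
    tampered = bytearray(p2)
    tampered[8] ^= 0x01                   # flip one payload bit; the ICV no longer matches
    forged = build_packet(DEMO_SPI, 201, b"forged", bytes(20))   # attacker without the key
    return [
        sa.receive(p1),                                                 # accepted
        sa.receive(p2),                                                 # accepted
        sa.receive(p1),                                                 # valid ICV, but a replay
        sa.receive(bytes(tampered)),                                    # integrity fails
        sa.receive(build_packet(DEMO_SPI, 200, b"jump", DEMO_KEY)),     # window slides to 200
        sa.receive(build_packet(DEMO_SPI, 3, b"late", DEMO_KEY)),       # 197 behind: outside window
        sa.receive(build_packet(DEMO_SPI, 150, b"reorder", DEMO_KEY)),  # 50 behind: still accepted
        sa.receive(forged),                                             # wrong key: integrity fails
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ordering of the checks is the security-relevant point: a replayed packet carries a valid ICV, so data origin authentication alone does not stop it, and the window is what rejects it; conversely, the window state is only ever updated by packets whose ICV verified, so an attacker who cannot forge the ICV cannot advance the window and cause legitimate in-flight packets to be dropped as "too old".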
Cisco MDS 9000 Family CLI Configuration Guide