Cisco CRS-1 - Carrier Routing System Router Configuration Manual, page 88

Cisco IOS XR System Security Configuration Guide
Information About Implementing IPSec Networks

Crypto Profiles

Crypto profile entries created for IPSec combine the various parts used to set up IPSec security associations (SAs), including the following:

- Traffic that should be protected by IPSec (per a crypto access list)
- Granularity of the flow to be protected by a set of SAs
- IPSec security that should be applied to this traffic (selecting from a list of one or more transform sets)
- Other parameters that might be necessary to define an IPSec SA

Crypto profiles are applied to IPSec interfaces (for example, tunnel-ipsec, service-ipsec, and service) or to crypto transport.

If the access control lists (ACLs) specified within the profile match any outbound IP traffic, that traffic is protected by IPSec. The SA is established with the remote peer by IKE.

When using service-gre interfaces, the profile attached to the interface is not configured with an explicit ACL. Instead, all traffic destined to the GRE tunnel is protected by IPSec.

The policy described in the crypto profile entries is used during the negotiation of SAs. If the local router initiates the negotiation, it uses the policy specified in the static crypto profile entries to create the offer to be sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router checks the policy associated with the interface or profile associated with the identity specified in the ISAKMP profile, and uses that policy to decide whether to accept or reject the peer's request (offer).

For IPSec to succeed between two IPSec peers, both peers' crypto profile entries must contain compatible configuration statements. When two peers try to establish an SA, each must have at least one crypto profile entry that is compatible with one of the other peer's crypto profile entries. For two crypto profile entries to be compatible, they must at least meet the following criteria:

- The crypto profile entries must contain compatible crypto access lists. In the case where the responding peer is using dynamic crypto profiles, the entries in the local crypto access list must be "permitted" by the peer's crypto access list.
- The crypto profile entries must have at least one transform set in common.

Note: Crypto profiles cannot be shared; that is, the same profile cannot be attached to multiple tunnel-ipsec interfaces, or to both an interface and transport mode IPSec. This restriction applies only to tunnel-ipsec interfaces and transport mode, not to service-ipsec or service-gre interfaces.

Dynamic Crypto Profiles

A dynamic crypto profile entry is essentially a crypto profile entry without all the parameters configured. It acts as a policy template in which the missing parameters are later dynamically configured (as the result of an IPSec negotiation) to match the requirements of a remote peer. This allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto profile entry specifically configured to meet all of the remote peer's requirements.

Dynamic crypto profiles are not used by the router to initiate new IPSec SAs with remote peers. They are used when a remote peer tries to initiate an IPSec SA with the router, and they are also used in evaluating traffic.

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router, OL-20382-01, page SC-82
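The negotiation and compatibility rules described above (only static profiles build an offer, dynamic profiles only respond, and an SA needs a permitted flow plus a transform set in common), modelled in Python as an added example. This is not Cisco code or IOS XR configuration syntax; the profile names, addresses, and transform-set labels are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One 'permit' entry of a crypto access list: a source/destination flow to protect."""
    src: str
    dst: str

    def permits(self, other: "Flow") -> bool:
        # This entry permits a flow if it covers both the flow's source and destination.
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst)))

@dataclass(frozen=True)
class CryptoProfile:
    name: str
    acl: Tuple[Flow, ...]            # crypto access list: which traffic to protect
    transform_sets: FrozenSet[str]   # acceptable IPSec protections
    peer: Optional[str] = None       # None marks a dynamic profile; peer learned at negotiation

def build_offer(initiator: CryptoProfile, flow: Flow, local_addr: str) -> Optional[dict]:
    """The initiator builds an offer only from a static profile whose ACL selects the flow."""
    if initiator.peer is None:
        return None                  # dynamic profiles never initiate SAs
    if not any(entry.permits(flow) for entry in initiator.acl):
        return None                  # traffic not selected for IPSec protection
    # The responder sees our outbound flow mirrored (source and destination swapped).
    return {"peer": local_addr, "flow": Flow(flow.dst, flow.src),
            "transforms": initiator.transform_sets}

def accept_offer(responder: CryptoProfile, offer: dict) -> Optional[str]:
    """The responder applies the two compatibility criteria; returns the agreed transform set."""
    if responder.peer is not None and responder.peer != offer["peer"]:
        return None                  # a static profile only accepts its configured peer
    if not any(entry.permits(offer["flow"]) for entry in responder.acl):
        return None                  # criterion 1: our crypto ACL must permit the flow
    common = responder.transform_sets & offer["transforms"]
    return min(common) if common else None  # criterion 2: a transform set in common

def negotiate(initiator, responder, flow, initiator_addr="203.0.113.1") -> Optional[str]:
    offer = build_offer(initiator, flow, initiator_addr)
    return accept_offer(responder, offer) if offer else None

# Constructed sample profiles (hypothetical, not from the guide).
BRANCH_STATIC = CryptoProfile("to-hub", (Flow("10.1.0.0/16", "10.2.0.0/16"),),
                              frozenset({"esp-aes-sha", "esp-3des-md5"}), peer="203.0.113.2")
HUB_DYNAMIC = CryptoProfile("from-branches", (Flow("10.0.0.0/8", "10.0.0.0/8"),),
                            frozenset({"esp-aes-sha"}))
```

Running negotiate(BRANCH_STATIC, HUB_DYNAMIC, Flow("10.1.4.0/24", "10.2.9.0/24")) agrees on esp-aes-sha, while swapping the roles returns None because the dynamic profile cannot initiate.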
