The concept of crypto map entries is used to configure IPSec security associations (SAs). Crypto map entries created for IPSec pull together the various parts used to set up IPSec security associations. Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPSec-protected traffic.
The Internet Key Exchange (IKE) protocol automatically negotiates IPSec SAs and enables secure IPSec communications without manual pre-configuration.
11.2.1 Traffic Secured in VPN
A VPN is used to provide secure access between two subnets separated by an unsecured network. The WS5100 switch can be used to configure:
• Site-to-Site VPN — For example, traffic between one company branch office and another branch office with an unsecured link in between.
• Remote VPN — This gives remote users the ability to access their company resources from outside the company premises.
IPSec VPN manages two types of traffic:
1. Control Traffic — This negotiates what type of encryption, authentication and key group algorithms should be used for data traffic. This is referred to as IKE negotiation. There are two phases in IKE negotiation:
• Phase 1 – Used for device authentication; negotiates the IKE parameters to be used by the local and remote peer.
• Phase 2 – Negotiates which security algorithms (encryption and authentication algorithms) should be used for data traffic.
Phase-1 (the IKE exchange) happens in plaintext and Phase-2 generally happens in encrypted traffic. In VPN terminology, the tunnel established for control traffic is referred to as the IKE SA.
NOTE: In addition to the above phases, there is a sub-phase between IKE Phase-1 and IKE Phase-2 that is referred to as mode config. This is used only in the remote VPN scenario, to authenticate the remote client and assign a private IP pool to the clients.
2. Data Traffic — The tunnel usually consists of two SAs for data traffic, one in each direction. The encryption and authentication algorithms and the key group to use for data traffic are negotiated between the two peers in IKE Phase 2.
11.3 Configuring VPN using CLI
Execute the following steps to configure IPSec VPN functionality on the WS5100 switch:
• Configure Peer Properties
• Configure Parameters for Control Traffic using ISAKMP Policy
• Security Parameters for Data Traffic using Transform Set
• Specifying Traffic to Protect using Crypto ACL
• Binding all Parameters to a Remote Peer using Crypto Map
• Activating IPSec to a Remote Peer
• Configuring for Remote VPN Client
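As an added illustration (not code from the WS5100 documentation or product), the following Python models the proposal selection that IKE performs in Phase 1 (ISAKMP policies) and Phase 2 (transform sets), as described in 11.2.1 and configured in the ISAKMP policy and transform set steps above: each side offers an ordered list, the first entry shared by both peers is selected, and a weak entry left high in the list is chosen even when a stronger one is also shared. The algorithm names, the weak-algorithm set and the SPI values are constructed for this demo.

```python
# Added example: models IKE proposal selection; not WS5100 code.
from dataclasses import dataclass
from typing import List, Optional

# Constructed set of algorithms a defender would audit out of any policy.
WEAK = {"des", "md5", "group1"}


@dataclass(frozen=True)
class Proposal:
    """One ISAKMP policy or transform-set entry (constructed names)."""
    encryption: str
    auth_hash: str
    dh_group: str

    def is_weak(self) -> bool:
        # True if any component is on the weak list.
        return bool({self.encryption, self.auth_hash, self.dh_group} & WEAK)


def negotiate(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """Return the first local proposal (index 0 = highest priority) that the
    remote peer also offers, as the responder walks its policies in order.
    None means no common proposal, so the IKE SA cannot be established."""
    offered = set(remote)
    for candidate in local:
        if candidate in offered:
            return candidate
    return None


def audit(policies: List[Proposal]) -> List[int]:
    """Return the priority positions of weak entries so they can be removed
    before a peer that offers them causes them to be selected."""
    return [i for i, p in enumerate(policies) if p.is_weak()]


def build_data_sas(chosen: Proposal, local_ip: str, peer_ip: str) -> dict:
    """Phase 2 yields two SAs, one per direction, each with its own SPI.
    The SPIs are constructed sample values, not real negotiated ones."""
    return {
        "outbound": {"src": local_ip, "dst": peer_ip, "spi": 0x1001, "proposal": chosen},
        "inbound": {"src": peer_ip, "dst": local_ip, "spi": 0x2002, "proposal": chosen},
    }
```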