Cisco Systems SM-ISM Video Gaming Accessories User Manual


 
4-4
Integrated Services Adapter and Integrated Services Module Installation and Configuration
OL-3575-01 B0
Chapter 4 Configuring the ISA and ISM
Configuring IPSec
After you have completed IKE configuration, configure IPSec at each participating IPSec peer. This section contains basic steps to configure IPSec and includes the tasks discussed in the following sections:
Creating Crypto Access Lists, page 4-4
Defining a Transform Set, page 4-5
For detailed information on configuring IPSec, refer to the Configuring IPSec Network Security chapter in the Security Configuration Guide publication. That chapter contains information on the following topics:
Ensure Access Lists Are Compatible with IPSec
Set Global Lifetimes for IPSec Security Associations
Create Crypto Access Lists
Define Transform Sets
Create Crypto Map Entries
Apply Crypto Map Sets to Interfaces
Monitor and Maintain IPSec
Creating Crypto Access Lists
Crypto access lists are used to define which IP traffic will be protected by encryption and which will not. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between subnet A and subnet Y, or Telnet traffic between host A and host B.
The access lists themselves are not specific to IPSec; they are no different from what is used for Cisco Encryption Technology (CET). It is the crypto map entry referencing the specific access list that defines whether IPSec or CET processing is applied to the traffic matching a permit entry in the access list.
Crypto access lists associated with IPSec crypto map entries have four primary functions:
Select outbound traffic to be protected by IPSec (permit = protect).
Indicate the data flow to be protected by the new security associations (specified by a single permit entry) when initiating negotiations for IPSec security associations.
Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.
Determine whether or not to accept requests for IPSec security associations on behalf of the requested data flows when processing IKE negotiation from the IPSec peer. (Negotiation is only done for ipsec-isakmp crypto map entries.) In order to be accepted, if the peer initiates the IPSec negotiation, it must specify a data flow that is permitted by a crypto access list associated with an ipsec-isakmp crypto map entry.
If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic. These different access lists are then used in different crypto map entries that specify different IPSec policies.