C7200 VSA (VPN Services Adapter) Installation and Configuration Guide
OL-9129-02
Chapter 4 Configuring the VSA
Configuration Tasks
IPSec Protocols: AH and ESP
Both the AH and ESP protocols implement security services for IPSec.
AH provides data authentication (integrity and origin authentication) and antireplay services; it does not encrypt.
ESP provides packet encryption and, optionally, data authentication and antireplay services.
ESP encapsulates the protected data, either a full IP datagram or only the payload, between an ESP header and an ESP trailer. AH is embedded in the protected data: it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic (traffic that the peers protect on behalf of other hosts) must be sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, including its original IP header, behind a new outer header addressed to the peers; transport mode protects only the payload of an IP datagram, and the original IP header stays in the clear. For more information about modes, refer to the mode (IPSec) command description.
Selecting Appropriate Transforms
The following tips may help you select transforms that are appropriate for your situation:
• If you want to provide data confidentiality, include an ESP encryption transform.
• If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable; note also that AH cannot pass through NAT, because the address fields it authenticates are rewritten in transit.)
• If you use an ESP encryption transform, also include an ESP authentication transform or an AH transform so that the transform set provides authentication as well as encryption. Encryption without integrity protection lets an attacker alter ciphertext without detection.
• If you want data authentication (using either ESP or AH), you can choose between the MD5 and SHA-1 authentication algorithms, used as HMAC keyed-hash variants (esp-md5-hmac/ah-md5-hmac and esp-sha-hmac/ah-sha-hmac). SHA is generally considered stronger than MD5 but is slightly slower; prefer the SHA variants, because HMAC-MD5 is no longer recommended for new deployments.
• Note that some transforms might not be supported by the IPSec peer.
Note If you enter an IPSec transform that the hardware (the IPSec peer) does not support, a warning message is displayed immediately after the crypto ipsec transform-set command is entered.
In cases where you need to specify an encryption transform but do not actually want to encrypt packets, you can use the esp-null transform. esp-null provides no confidentiality: the payload travels in the clear, so combine it with esp-sha-hmac or an AH transform so that the set at least provides integrity and antireplay protection.
Suggested transform combinations follow:
• esp-aes and esp-sha-hmac
• ah-sha-hmac and esp-aes and esp-sha-hmac
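The framing described in the two sections above (ESP and AH headers, tunnel versus transport mode, the antireplay service, and what esp-null does and does not protect), as an added example that is not part of this guide and is not Cisco code: a standard-library Python model of esp-null with esp-sha-hmac and of ah-sha-hmac, following RFC 4303 and RFC 4302, with the RFC 4303 Appendix A sliding anti-replay window. Only the null cipher is modelled, so esp-aes is out of scope; the key, the host and peer addresses, the SPIs and the TCP segment are constructed sample values. The functions build_transport_esp, build_tunnel_esp and build_transport_ah correspond to what mode transport and mode tunnel select in crypto transform configuration mode, and outer_tamper_detected shows the point made under Selecting Appropriate Transforms: only AH notices a change to the outer IP header.

```python
# Added example (not from the Cisco guide): IPsec ESP and AH framing with the standard
# library only. esp-null + esp-sha-hmac and ah-sha-hmac, transport and tunnel mode, and
# the RFC 4303 Appendix A anti-replay window. Null cipher only; esp-aes is not modelled.
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
ICV_LEN = 12  # HMAC-SHA-1-96 (RFC 2404): HMAC-SHA-1 output truncated to 96 bits

# Constructed sample values; the key is for demonstration only.
KEY = b"constructed-demo-key-not-for-use"
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])          # hosts behind the peers
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])   # the IPsec peers (tunnel endpoints)
TCP_SEGMENT = b"\x04\xd2\x00\x50GET / HTTP/1.0\r\n"            # constructed TCP segment

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)

def icv(key, data):
    """Integrity Check Value for the *-sha-hmac transforms: HMAC-SHA-1 truncated to 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def esp_encapsulate(key, spi, seq, inner, next_header):
    """esp-null esp-sha-hmac: ESP header | payload | padding | pad len | next header | ICV.
    The ICV covers everything from the ESP header onward, never the outer IP header."""
    pad_len = (-(len(inner) + 2)) % 4              # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    return body + icv(key, body)

def esp_decapsulate(key, esp_packet):
    """Verify the ICV and strip ESP framing: (seq, inner, next_header), or None if the ICV fails."""
    body, tag = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(key, body)):
        return None
    _spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return seq, body[8:-(2 + pad_len)], next_header

def _ah_immutable_view(outer_hdr):
    """Zero the IPv4 fields RFC 4302 treats as mutable in transit (TOS, flags/fragment
    offset, TTL, header checksum); source and destination addresses stay covered."""
    h = bytearray(outer_hdr)
    h[1], h[8] = 0, 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_encapsulate(key, spi, seq, outer_hdr, payload, next_header):
    """ah-sha-hmac: AH header inserted between the outer IP header and the payload.
    The ICV covers the immutable outer-header fields, the AH header and the payload."""
    ah_len_words = (12 + ICV_LEN) // 4 - 2         # RFC 4302 Payload Len: AH length in 32-bit words minus 2
    ah_hdr = struct.pack("!BBHII", next_header, ah_len_words, 0, spi, seq)
    tag = icv(key, _ah_immutable_view(outer_hdr) + ah_hdr + bytes(ICV_LEN) + payload)
    return outer_hdr + ah_hdr + tag + payload

def ah_verify(key, packet):
    """Recompute the AH ICV on receipt (20-byte outer header and 24-byte AH assumed)."""
    outer_hdr, ah_hdr, tag, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = icv(key, _ah_immutable_view(outer_hdr) + ah_hdr + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(tag, expected)

class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 Appendix A): bit 0 = highest seq accepted, bit n = n below it."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                               # sequence number 0 is never valid
            return False
        if seq > self.top:                         # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                           # too old, or already seen (replay)
        self.bitmap |= 1 << offset
        return True

def build_transport_esp():
    """mode transport: the original IP header stays outside; ESP wraps only the TCP segment."""
    esp = esp_encapsulate(KEY, 0x1001, 1, TCP_SEGMENT, IPPROTO_TCP)
    return ipv4_header(SRC, DST, IPPROTO_ESP, len(esp)) + esp

def build_tunnel_esp():
    """mode tunnel: ESP wraps the whole inner datagram; a new outer header addresses the peers."""
    inner = ipv4_header(SRC, DST, IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    esp = esp_encapsulate(KEY, 0x1001, 2, inner, IPPROTO_IPIP)
    return ipv4_header(GW_A, GW_B, IPPROTO_ESP, len(esp)) + esp

def build_transport_ah():
    outer = ipv4_header(SRC, DST, IPPROTO_AH, 24 + len(TCP_SEGMENT))
    return ah_encapsulate(KEY, 0x2001, 1, outer, TCP_SEGMENT, IPPROTO_TCP)

def outer_tamper_detected(packet, receiver):
    """Rewrite the outer destination address (on-path tampering); True if the receiver rejects it."""
    return not receiver(packet[:16] + bytes([10, 0, 0, 9]) + packet[20:])
```

Two things to look at when running it: TCP_SEGMENT is found verbatim inside the esp-null packet, which is why esp-null must never be mistaken for confidentiality, and outer_tamper_detected returns False for the ESP packet but True for the AH packet, because ESP's ICV starts at the ESP header while AH's covers the immutable outer-header fields, the addresses included. That same coverage is why AH breaks behind NAT.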
The Crypto Transform Configuration Mode
After you issue the crypto ipsec transform-set command, you are placed in crypto transform configuration mode. While in this mode, you can optionally change the mode to tunnel or transport; tunnel mode is the default. After you have made any changes, type exit to return to global configuration mode. For more information about these optional settings, refer to the match address (IPSec) and mode (IPSec) command descriptions.