UNCLASSIFIED Advanced Security Services  Version 1.0g  UNCLASSIFIED 167

The transform set also specifies what part of each packet is protected by the IPSec tunnel. For a hostile network scenario, the preferred mode is tunnel (which is the default). This mode protects both the original data portion of the IP packet and the original packet header, and creates a new IP header using the routers' IP addresses. This hides potentially sensitive IP protocol information about the networks and applications that are sending data through the tunnel. If the IPSec tunnel is used for separating communities of interest over a protected network, then transport mode will be sufficient. This mode protects the original data portion of the IP packet, but leaves the original IP header intact. The IPSec standards require that tunnel mode be used when routers are employed as gateway security devices. For more information on both the encryption and authentication algorithms, and the tunnel modes, consult the Cisco IOS 12.0 Security Configuration Guide [2].

The command syntax for configuring an IPSec transform set is:

    crypto ipsec transform-set transform-set-name transform1 transform2 . . . transformN

When you give this command, IOS will enter crypto transform set configuration mode, in which you can give a variety of transform-set related commands. Use exit to leave transform set configuration mode. Configure the IPSec transform sets using the following commands:

    North#
    North# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    North(config)# crypto ipsec transform-set set1 esp-3des esp-sha-hmac
    ! The name set1 is an arbitrary name
    North(cfg-crypto-trans)# mode tunnel
    North(cfg-crypto-trans)# exit
    North(config)# exit
    North#

and

    Remote#
    Remote# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Remote(config)# crypto ipsec transform-set set1 esp-3des esp-sha-hmac
    ! The name set1 is an arbitrary name
    Remote(cfg-crypto-trans)# mode tunnel
    Remote(cfg-crypto-trans)# exit
    Remote(config)# exit
    Remote#

3.  Create the necessary crypto map

Cisco IOS uses crypto maps to bring together all information needed to create IPSec tunnels. This information includes: the access list that specifies what traffic should be protected (covered above in section 1), the transform set used to build the tunnel (covered above in section 2), the remote address for the peer end of the IPSec tunnel, the security association lifetime for the tunnel (in kilobytes and/or seconds), and whether to use the IKE protocol in setting up the tunnel. Each crypto map is
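A way to verify the transform-set step above against a router's saved configuration, as an added example that is not part of the guide: a small Python audit that reads the crypto ipsec transform-set lines, applies the IOS default of tunnel mode when no mode line is present, and flags sets that use transport mode on a gateway router, lack an authentication transform, or use a weak cipher. The sample configuration is constructed here, and the classification of transform names into cipher and authentication groups is an assumption of this example.

```python
import re

# Constructed sample running-config excerpt (not from the guide): the set1
# transform set from the procedure above plus two weaker sets for the checker.
SAMPLE_CONFIG = """\
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set legacy esp-des
 mode transport
crypto ipsec transform-set coi esp-3des esp-md5-hmac
 mode transport
"""

# IOS transform names; grouping them as cipher vs. authentication is an assumption.
CIPHER_TRANSFORMS = {"esp-des", "esp-3des", "esp-aes", "esp-null"}
AUTH_TRANSFORMS = {"esp-sha-hmac", "esp-md5-hmac", "ah-sha-hmac", "ah-md5-hmac"}

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)((?: \S+)+)$")
MODE_RE = re.compile(r"^\s+mode (tunnel|transport)$")


def parse_transform_sets(config):
    """Return {name: {"transforms": [...], "mode": "tunnel"|"transport"}}.

    A set with no explicit 'mode' line uses the IOS default, tunnel mode.
    """
    sets, current = {}, None
    for line in config.splitlines():
        m = TS_RE.match(line)
        if m:
            current = m.group(1)
            sets[current] = {"transforms": m.group(2).split(), "mode": "tunnel"}
            continue
        m = MODE_RE.match(line)
        if m and current:
            sets[current]["mode"] = m.group(1)
    return sets


def audit(config, gateway=True):
    """Map each transform-set name to a list of findings (empty list = no issues)."""
    findings = {}
    for name, ts in parse_transform_sets(config).items():
        issues, transforms = [], set(ts["transforms"])
        if gateway and ts["mode"] != "tunnel":
            issues.append("transport mode on a gateway router; tunnel mode required")
        if not transforms & AUTH_TRANSFORMS:
            issues.append("no authentication transform (e.g. esp-sha-hmac)")
        if transforms & {"esp-des", "esp-null"}:
            issues.append("weak or null cipher; use esp-3des as in the guide")
        findings[name] = issues
    return findings
```

Pass gateway=False when auditing a router that only separates communities of interest over a protected network, where the guide says transport mode is sufficient.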