UNCLASSIFIED
Advanced Security Services
Version 1.0g
The transform set also specifies what part of each packet is protected by the IPSec
tunnel. For a hostile network scenario, the preferred mode is tunnel (which is the
default). This mode protects both the original data portion of the IP packet and the
original packet header, and creates a new IP header using the routers' IP addresses.
This hides potentially sensitive IP protocol information about the networks and
applications that are sending data through the tunnel. If the IPSec tunnel is used for
separating communities of interest over a protected network, then transport mode
will be sufficient. This mode protects the original data portion of the IP packet, but
leaves the original IP header intact. The IPSec standards require that tunnel mode be
used when routers are employed as gateway security devices. For more information
on both the encryption and authentication algorithms, and the tunnel modes, consult
the Cisco IOS 12.0 Security Configuration Guide [2].
The command syntax for configuring an IPSec transform set is:
crypto ipsec transform-set transform-set-name transform1 transform2 . . . transformN
When you give this command, IOS will enter crypto transform set configuration
mode, in which you can give a variety of transform-set related commands. Use exit
to leave transform set configuration mode.
Configure the IPSec transform sets using the following commands:
North#
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# crypto ipsec transform-set set1 esp-3des esp-sha-hmac
! The name set1 is an arbitrary name
North(cfg-crypto-trans)# mode tunnel
North(cfg-crypto-trans)# exit
North(config)# exit
North#
and
Remote#
Remote# config t
Enter configuration commands, one per line. End with CNTL/Z.
Remote(config)# crypto ipsec transform-set set1 esp-3des esp-sha-hmac
! The name set1 is an arbitrary name
Remote(cfg-crypto-trans)# mode tunnel
Remote(cfg-crypto-trans)# exit
Remote(config)# exit
Remote#
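The following Python script is an added example, not part of the guide: it parses the crypto ipsec transform-set entries out of a saved IOS configuration and checks the two points made above, that a gateway router's transform sets use tunnel mode (the IOS default when no mode sub-command is present) and that each set carries both an ESP encryption transform and an authentication transform. The configuration text, the set names and the token classification by prefix are constructed assumptions.

```python
"""Audit 'crypto ipsec transform-set' entries in a Cisco IOS configuration."""
import re

# Constructed sample: one correct set, one transport-mode set, one set with no
# authentication transform.
SAMPLE_CONFIG = """\
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec transform-set coi-set esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec transform-set weak esp-3des
!
"""

TRANSFORM_SET_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.*)$")
MODE_RE = re.compile(r"^\s+mode (tunnel|transport)\s*$")


def parse_transform_sets(config_text):
    """Return {name: {"transforms": [...], "mode": "tunnel" | "transport"}}."""
    sets = {}
    current = None
    for line in config_text.splitlines():
        m = TRANSFORM_SET_RE.match(line)
        if m:
            current = m.group(1)
            # Tunnel mode is the IOS default when no 'mode' sub-command follows.
            sets[current] = {"transforms": m.group(2).split(), "mode": "tunnel"}
        elif current is not None and MODE_RE.match(line):
            sets[current]["mode"] = MODE_RE.match(line).group(1)
        elif line and not line.startswith(" "):
            current = None  # any other top-level line ends the sub-mode
    return sets


def audit_transform_set(name, entry, gateway=True):
    """Return a list of findings for one transform set (empty list means OK)."""
    transforms = entry["transforms"]
    # Assumed classification: '*-hmac' tokens authenticate, other 'esp-' tokens
    # encrypt; bare key-size tokens such as '256' are ignored.
    has_auth = any(t.endswith("-hmac") for t in transforms)
    has_enc = any(t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null"
                  for t in transforms)
    findings = []
    if gateway and entry["mode"] != "tunnel":
        findings.append(f"{name}: mode {entry['mode']}, gateway routers must use tunnel mode")
    if not has_enc:
        findings.append(f"{name}: no ESP encryption transform (esp-null gives none)")
    if not has_auth:
        findings.append(f"{name}: no authentication transform (esp-*-hmac or ah-*-hmac)")
    return findings


def audit_config(config_text, gateway=True):
    """Audit every transform set in the configuration; returns {name: findings}."""
    sets = parse_transform_sets(config_text)
    return {name: audit_transform_set(name, e, gateway) for name, e in sets.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
```

Run it against the output of show running-config with gateway=False for sets that only separate communities of interest over a protected network, where transport mode is acceptable.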
3. Create the necessary crypto map
Cisco IOS uses crypto maps to bring together all information needed to create IPSec
tunnels. This information includes: the access-list to specify what traffic should be
protected (covered above in section 1), the transform-set used to build the tunnel
(covered above in section 2), the remote address for the peer end of the IPSec tunnel,
the security association lifetime for the tunnel (in kilobytes and/or seconds), and
whether to use the IKE protocol in setting up the tunnel. Each crypto map is