How to Use IPsec in Your Network
The Internet Protocol Security Architecture (IPsec), defined in RFC 4301, describes how to provide a set of security services for traffic at the IP layer in both IPv4 and IPv6 environments. As described in the RFC, security services in this release are provided through the Encapsulating Security Payload (ESP) traffic security protocol, together with cryptographic key management procedures and protocols.
The IPsec implementation on the S-, K-, and 7100-Series platforms provides the following functionality:
- IPsec and IKE (Internet Key Exchange protocol) are defined for the RADIUS host application only. This implementation supports configuring the default Security Association (SA) with servers configured for RADIUS, and the RADIUS application helps define the IPsec flow.
- Only the Encapsulating Security Payload (ESP) mode of operation is supported. Authentication Header (AH) mode is not supported.
- IKEv1 is supported.
Note
Certificate-based authentication for IPsec will be supported in a future release; in the current release, only a shared secret is supported.
- HMAC-SHA1 is the supported IKE integrity mechanism.
- 3DES and the Advanced Encryption Standard (AES) encryption algorithms are supported. AES supports key lengths of 128, 192, and 256 bits.
- IPsec does not prevent the independent simultaneous use of MSCHAP-V2 style encryption of user passwords between the switch and the RADIUS server.
- If FIPS security mode is enabled (using the set security fips mode command), only the SHA1 authentication algorithm is supported.
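The list above is, in practice, an interoperability contract: the IPsec stack on the RADIUS server must offer something inside this set or IKE negotiation with the switch fails. The following added example (not code from the switch vendor or from any real IPsec implementation) encodes that contract as a pre-deployment check; the PeerProposal fields and the algorithm spellings are assumptions chosen for the example, not switch CLI syntax.

```python
from dataclasses import dataclass

# Switch-side capability set, taken from the feature list above.
SWITCH_IKE_VERSIONS = {1}                        # IKEv1 only
SWITCH_PROTOCOLS = {"esp"}                       # AH is not supported
SWITCH_AUTH_METHODS = {"psk"}                    # shared secret only, no certificates yet
SWITCH_INTEGRITY = {"hmac-sha1"}                 # the one IKE integrity mechanism
SWITCH_CIPHERS = {"3des", "aes128", "aes192", "aes256"}


@dataclass
class PeerProposal:
    """What the RADIUS server's IPsec stack is configured to offer (constructed)."""
    ike_version: int
    protocol: str
    auth_method: str
    integrity: str
    ciphers: list          # in the peer's preference order


def check_proposal(p: PeerProposal, fips_mode: bool = False):
    """Return (negotiated_cipher, problems).

    negotiated_cipher is the first cipher in the peer's preference order that the
    switch also supports, or None when any listed problem would make the
    negotiation fail. problems is a list of human-readable reasons."""
    problems = []
    if p.ike_version not in SWITCH_IKE_VERSIONS:
        problems.append(f"IKEv{p.ike_version} offered but only IKEv1 is supported")
    if p.protocol.lower() not in SWITCH_PROTOCOLS:
        problems.append(f"{p.protocol.upper()} offered but only ESP is supported")
    if p.auth_method.lower() not in SWITCH_AUTH_METHODS:
        problems.append(f"{p.auth_method} authentication offered but only a shared "
                        "secret is supported")
    if p.integrity.lower() not in SWITCH_INTEGRITY:
        why = "FIPS mode permits SHA1 only" if fips_mode else "only HMAC-SHA1 is supported"
        problems.append(f"{p.integrity} integrity offered; {why}")
    chosen = next((c for c in p.ciphers if c.lower() in SWITCH_CIPHERS), None)
    if chosen is None:
        problems.append(f"no common cipher: peer offers {p.ciphers}, "
                        f"switch supports {sorted(SWITCH_CIPHERS)}")
    return (None if problems else chosen), problems


if __name__ == "__main__":
    good = PeerProposal(1, "esp", "psk", "hmac-sha1", ["aes256", "3des"])
    bad = PeerProposal(2, "ah", "cert", "hmac-sha256", ["aes128"])
    print(check_proposal(good))             # ('aes256', [])
    for reason in check_proposal(bad, fips_mode=True)[1]:
        print("-", reason)
```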