Configuring an IPsec security association
Use the following procedure to configure an IPsec security association (SA). An SA is a group of algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a particular direction. An SA contains the information IPsec needs to process an IP packet.
Before you begin
Create an IPsec security association to configure.
About this task
You cannot delete or modify a security association if the security association links to a policy. To modify a parameter in the security association, or to delete the security association, you must first unlink the security association from a policy. You can only unlink a security association from a policy if the policy does not link to an interface. If a policy links to an interface, you must first unlink the policy from the interface, and then unlink the policy from the security association.
Procedure
Example
Configure an IPsec security association named new_sa to have a key-mode of ASCII, an SA mode of transport, and an encapsulation protocol of ESP. Configure the encryption algorithm to 3DES, with an encryption key of 111111111111111111111111, and a keylength of 24. Configure the authentication algorithm to SHA1, the authentication key to 11111111111111111111, and the key length to 20. Configure the SPI to 1 and the lifetime in seconds to 1000.
```
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec security-association newsa mode transport
Switch:1(config)#ipsec security-association newsa encap-proto ESP
Switch:1(config)#ipsec security-association newsa Encrpt-algo 3DES Encrpt-key 111111111111111111111111111111111111111111111111 KeyLength 48
Switch:1(config)#ipsec security-association newsa auth-algo SHA1 auth-key 11111111111111111111 KeyLength 20
Switch:1(config)#ipsec security-association newsa key-mode manual
Switch:1(config)#ipsec security-association newsa spi 1
Switch:1(config)#ipsec security-association newsa lifetime seconds 1000
```
Variable Definitions
The following table defines parameters for the ipsec security-association command.
| Variable | Value |
|---|---|
| WORD<1–32> | Specifies the security association. |
| auth-algo <AES-XCBC-MAC\|MD5\|SHA1\|SHA2> [auth-key WORD<1–256>] [KeyLength <1–256>] | Specifies the authentication algorithm, which includes one of the following values: AES-XCBC-MAC, MD5, SHA1, or SHA2. The parameter auth-key specifies the authentication key. The KeyLength parameter specifies a string value of 1 to 256 characters in length. The default KeyLength is 128. The KeyLength values are as follows: 3DES is 48, AES-CBC is 32, 48, or 64, AES-CTR is 32. |
| encap-proto <AH\|ESP> | Specifies the encapsulation protocol: AH or ESP. If you configure the encapsulation protocol as AH, you cannot configure the encryption algorithms and other encryption-related attributes. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP. The default value is ESP. |
| Encrpt-algo <3DES\|AES-CBC\|AES-CTR\|NULL> [EncrptKey WORD<1–256>] [KeyLength <1–256>] | Specifies the encryption algorithm value as one of the following: 3DES, AES-CBC, AES-CTR, or NULL. The default encryption algorithm is AES-CBC. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP. The EncrptKey specifies the encryption key. The KeyLength specifies the key length value in a string from 1 to 256 characters. The default KeyLength is 128. The KeyLength values are as follows: 3DES is 48, AES-CBC is 32, 48, or 64, AES-CTR is 32. |
| key-mode <automatic \| manual> | Specifies the key-mode as one of the following: automatic or manual. The default is manual. |
| lifetime <Bytes<1-4294967295> \| seconds<1-4294967295>> | Specifies the lifetime value in seconds or bytes. The default lifetime value in seconds is 28800. The default lifetime value in bytes is 4294966272. |
| mode <transport \| tunnel> | Specifies the mode value as one of the following: transport or tunnel. The default is transport mode. |
| spi <1-4294967295> | Specifies the security parameters index (SPI) value, which is a unique value. SPI is a tag IPsec adds to the IP header. The tag enables the system that receives the IP packet to determine under which security association to process the received packet. For IPsec to function, both peers must have the same SPI value configured for a particular policy. The default value is 0. |
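The following Python script is an added example, not vendor code. It parses `ipsec security-association` lines (with or without the CLI prompt) and checks them against the constraints in the Variable Definitions table: the KeyLength allowed for each encryption algorithm, no encryption parameters under AH, and the SPI range. The SA name `badsa`, the rule that a key's character count equals its KeyLength (taken from the example above), and the repeated-character key check are assumptions added here.

```python
import re

# KeyLength values per encryption algorithm, from the Variable Definitions table.
ENC_KEYLEN = {"3DES": {48}, "AES-CBC": {32, 48, 64}, "AES-CTR": {32}}

def parse_sas(config):
    """Collect keyword/value pairs per SA from 'ipsec security-association' lines."""
    sas = {}
    for m in re.finditer(r"ipsec security-association (\S+) (.+)", config):
        tok = m.group(2).split()
        pairs = dict(zip(tok[0::2], tok[1::2]))
        if "KeyLength" in pairs:  # keep encryption and authentication lengths apart
            pairs[tok[0] + ":KeyLength"] = pairs.pop("KeyLength")
        sas.setdefault(m.group(1), {}).update(pairs)
    return sas

def check_sa(sa):
    """Return the problems found in one parsed SA (lifetime is not checked)."""
    issues = []
    enc = sa.get("Encrpt-algo")
    if sa.get("encap-proto", "ESP") == "AH" and enc:  # table: default is ESP
        issues.append("AH does not accept encryption parameters")
    klen = sa.get("Encrpt-algo:KeyLength")
    if enc in ENC_KEYLEN and klen and int(klen) not in ENC_KEYLEN[enc]:
        issues.append(f"{enc} KeyLength {klen} not in {sorted(ENC_KEYLEN[enc])}")
    # Key keywords are spelled as in the page's example (Encrpt-key, auth-key).
    for algo, kw in (("Encrpt-algo", "Encrpt-key"), ("auth-algo", "auth-key")):
        key, n = sa.get(kw), sa.get(algo + ":KeyLength")
        if key and n and len(key) != int(n):  # assumed rule, taken from the example
            issues.append(f"{algo} key has {len(key)} characters, KeyLength is {n}")
        if key and len(set(key)) == 1:  # added hygiene check, not a rule from the page
            issues.append(f"{algo} key is one repeated character")
    if not 1 <= int(sa.get("spi", 0)) <= 4294967295:  # table: default SPI is 0
        issues.append("spi must be set to 1-4294967295 and match the peer")
    return issues

# Constructed input: the page's example SA, then a hypothetical SA 'badsa'.
SAMPLE = f"""\
ipsec security-association newsa encap-proto ESP
ipsec security-association newsa Encrpt-algo 3DES Encrpt-key {'1' * 48} KeyLength 48
ipsec security-association newsa auth-algo SHA1 auth-key {'1' * 20} KeyLength 20
ipsec security-association newsa spi 1
ipsec security-association badsa encap-proto AH
ipsec security-association badsa Encrpt-algo 3DES Encrpt-key {'1' * 24} KeyLength 24
"""

if __name__ == "__main__":
    for name, sa in parse_sas(SAMPLE).items():
        print(name, check_sa(sa) or "ok")
```

The `badsa` entry uses the 24-character key and key length from the prose description of the example, which the table's 3DES KeyLength of 48 rejects.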