Internet Protocol Security (IPsec) ensures the authenticity, integrity, and confidentiality of data at the network layer of the Open System Interconnection (OSI) stack.
The IPsec feature is a set of security protocols and cryptographic algorithms that protect communication in a network. Use IPsec in scenarios where you need to encrypt packets between two hosts, or two routers, or a router and a host.
You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4 protocols.
IPsec adds support for OSPF virtual link for the security protection of the communication between the end points. You can also use IPsec with OSPFv3 on a brouter port or VLAN interface, for example, if you want to encrypt OSPFv3 control traffic on a broadcast network. You can also use IPsec with ICMPv6.
Note
If you downgrade your software, the current IPsec configurations are no longer supported. You must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4 protocols. You can continue to configure IPsec policies for IPv6 addresses for ICMPv6, OSPFv3, TCP, and UDP.
Note
When an OSPFv3 virtual link between two end points is secured using IPsec, the IPsec status on the IPv6 interfaces is automatically updated. This is applicable only on those interfaces that have no IPSEC policies manually configured on them
The following figure displays the movement of traffic using IPsec.
The IPsec feature uses security ciphers and encryption algorithms like AES, DES, and 3DES to ensure confidentiality of data, and keyed MAC for authenticity of data. The encryption algorithms require shared keys to secure the communication. The device only supports manual keying and configuration for IPsec. The IPsec feature supports IPv4 and IPv6 interfaces.
To configure IPsec, you create an IPsec policy, and then link the IPsec policy to an interface. You also link each IPsec policy to an IPsec security association. The IPsec policies define the amount of security applied to specific traffic on a specific interface. The IPsec feature supports the following security protocols:
Encapsulating security payload (ESP)
Authentication header (AH)
The device restricts IPsec encryption to control traffic through the CPU. The IPsec feature processes either the ingress, the egress, or both the egress and ingress control packets to and from the CPU.
The device checks every ingress or egress packet for the IPsec base protocol, either AH or ESP. The base protocol interacts with the security policy database (SPD) and security association database (SADB) to check the level of security to apply to the packet. The device consults the SPD for both ingress and egress traffic. For egress traffic, the device consults the SPD to determine if IPsec needs to apply security considerations. For ingress traffic, the device consults the SPD to determine whether the traffic received with IPsec encapsulation complies with the policies defined in the system.
For more information on IPsec, see IPsec Support with OSPFv3, View IPSec Statistics, and Display IPsec Interface Statistics.