Create an IPsec Security Association

Use the following procedure to create an IPsec security association. A security association (SA) is a group of algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a particular direction. An SA contains the information IPsec needs to process an IP packet.

About this task

You cannot delete or modify a security association if the security association links to a policy. To modify a parameter in the security association or to delete the security association, you must first unlink the security association from a policy.

You can only unlink a security association from a policy if the policy does not link to an interface. If a policy links to an interface, you must first unlink the policy from the interface, and then unlink the policy from the security association.

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Select IPSec.
  3. Select the Security Association tab.
  4. Select Insert.
  5. In Name, type a name to identify the SA.
  6. In SPI, type the security parameters index.
    Note

    Note

    For IPsec to function, each peer must have the same SPI value configured for a particular policy.

  7. Complete the remaining optional configuration.
  8. Select Insert.

Security Association field descriptions

Use the data in the following table to use the Security Association tab.

Name

Description

Name

Specifies the name of the security association.

Spi

Specifies the security parameters index (SPI) value, which is a unique value. SPI is a tag IPsec adds to the IP header. The tag enables the system that receives the IP packet to determine under which security association to process the received packet.

For IPsec to function, each peer must have the same SPI value configured for a particular policy.

The default value is 0.

HashAlgorithm

Specifies the authorization algorithm, which includes one of the following values:

  • AESXCBC

  • MD5

  • SHA1

  • SHA2

The default authentication algorithm name is MD5.

EncryptAlgorithm

Specifies the encryption algorithm value as one of the following:

  • DES3CBC

  • AES128CBC

  • AESCTR

  • NULL—Only use the NULL parameter to debug. Do not use this parameter in any other circumstance.

The default encryption algorithm is AES128CBC. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP.

AuthMethod

Specifies the encapsulation protocol:

  • ah—Specifies authentication header.

  • es—Specifies encapsulation security payload.

If you configure the encapsulation protocol as ah, you cannot configure the encryption algorithms and other encryption related attributes. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to es.

The default value is es.

Mode

Specifies the mode value as one of the following:

  • transport—Transport mode encapsulates the IP payload and provides a secure connection between two end points. This device only supports transport mode.

  • tunnel—Tunnel mode encapsulates the entire IP packet and provides a secure tunnel. This device does not support tunnel mode.

The default is transport mode.

KeyMode

Specifies the key-mode as one of the following:

  • manual

  • auto

The default is manual.

EncryptKeyName

Specifies the encryption key.

EncryptKeyLength

Specifies the numbers of bits used in the encryption key. The key length values are as follows:

  • DES3CBC is 48

  • AES128CBC is 32, 48, 64

  • AESCTR is 32

HashKeyName

Specifies the authentication key.

HashKeyLength

Specifies the numbers of bits used in the hash key. The key length values are as follows:

  • AESXCBC is 32

  • MD5 is 32

  • SHA1 is 40

LifetimeSeconds

Specifies the lifetime value in seconds. The lifetime determines the traffic that can pass between IPsec peers using a security association before that security association expires.

The default lifetime value in seconds is 28800.

LifetimeKbytes

Specifies the lifetime value in kilobytes. The lifetime determines the traffic that can pass between IPsec peers using a security association before that security association expires.

The default lifetime value in bytes is 4294967295.