Configure an IPsec Security Association

Use the following procedure to configure an IPsec security association (SA). An SA is a group of algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a particular direction. An SA contains the information IPsec needs to process an IP packet.

Before you begin

  • Create an IPsec security association to configure.

About this task

You cannot delete or modify a security association if the security association links to a policy. To modify a parameter in the security association, or to delete the security association, you must first unlink the security association from a policy. You can only unlink a security association from a policy if the policy does not link to an interface. If a policy links to an interface, you must first unlink the policy from the interface, and then unlink the policy from the security association.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the IPsec security association key-mode:

    ipsec security-association WORD<1–32> key-mode <automatic|manual>

    This device only supports manual mode.

  3. Configure the IPsec security association mode:

    ipsec security-association WORD<1–32> mode <transport|tunnel>

    This device only supports transport mode.

  4. Configure the IPsec security association encapsulation protocol:

    ipsec security-association WORD<1–32> encap-proto <AH|ESP>

  5. Configure the IPsec security association security parameters index:

    ipsec security-association WORD<1–32> spi <1-4294967295>

    For IPsec to function, both peers must have the same SPI value configured for a particular policy.

  6. Configure the IPsec security association encryption algorithm:

    ipsec security-association WORD<1–32> Encrpt-algo <3DES|AES-CBC|AES-CTR|NULL> [EncrptKey WORD<1–256>][KeyLength <1–256>]

    The encryption algorithm parameters are only accessible if you configure the encapsulation protocol to ESP.

  7. Configure the IPsec security association authentication algorithm:

    ipsec security-association WORD<1–32> auth-algo <AES-XCBC-MAC|MD5|SHA1|SHA2> [auth-key WORD<1–256>][KeyLength <1–256>]

  8. Configure the IPsec security association lifetime value:

    ipsec security-association WORD<1–32> lifetime <Bytes<1-4294967295>|seconds<1-4294967295>>

Example

Configure an IPsec security association named new_sa to have a key-mode of ASCII, an SA mode of transport, and an encapsulation protocol of ESP. Configure the encryption algorithm to 3DES, with an encryption key of 111111111111111111111111, and a key length of 24. Configure the authentication algorithm to SHA1, the authentication key to 11111111111111111111, and the key length to 20. Configure the SPI to 1 and the lifetime in seconds to 1000.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec security-association newsa mode transport  
Switch:1(config)#ipsec security-association newsa encap-proto ESP
Switch:1(config)#ipsec security-association newsa Encrpt-algo 3DES Encrpt-key 111111111111111111111111111111111111111111111111 KeyLength 48
Switch:1(config)#ipsec security-association newsa auth-algo SHA1 auth-key 11111111111111111111 KeyLength 20
Switch:1(config)#ipsec security-association newsa key-mode manual
Switch:1(config)#ipsec security-association newsa spi 1 
Switch:1(config)#ipsec security-association newsa lifetime seconds 1000

Variable Definitions

The following table defines parameters for the ipsec security-association command.

Variable

Value

WORD<1–32>

Specifies the security association.

auth-algo <AES-XCBC-MAC|MD5|SHA1|SHA2> [auth-key WORD<1–256>] [KeyLength <1–256>]

Specifies the authentication algorithm, which includes one of the following values:
  • AES-XCBC-MAC

  • MD5

  • SHA1

  • SHA2

The default authentication algorithm name is MD5.

The parameter auth-key specifies the authentication key.

The KeyLength parameter specifies a string value of 1 to 256 characters in length. The default KeyLength is 128. The KeyLength values are as follows: 3DES is 48, AES-CBC is 32, 48, or 64, AES-CTR is 32.

encap-proto <AH|ESP>

Specifies the encapsulation protocol:
  • AH—Specifies authentication header.

  • ESP—Specifies encapsulation security payload.

If you configure the encapsulation protocol as AH, you cannot configure the encryption algorithms and other encryption related attributes. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP.

The default value is ESP.

Encrpt-algo <3DES|AES-CBC|AES-CTR|NULL> [EncrptKey WORD<1–256>] [KeyLength <1–256>]

Specifies the encryption algorithm value as one of the following:
  • 3DES-CBC

  • AES-CBC

  • AES-CTR

  • NULL—Only use the NULL parameter to debug. Do not use this parameter in other circumstances.

The default encryption algorithm is AES-CBC.

You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP.

The EncrptKey specifies the encryption key.

The KeyLength specifies the key length value in a string from 1 to 256 characters. The default KeyLength is 128. The KeyLength values are as follows: 3DES is 48, AES-CBC is 32, 48, or 64, AES-CTR is 32.

key-mode <automatic | manual>

Specifies the key-mode as one of the following:
  • automatic

  • manual

The default is manual.

lifetime <Bytes<1-4294967295> | seconds<1-4294967295>>

Specifies the lifetime value in seconds or bytes.

The default lifetime value in seconds is 28800. The default lifetime value in bytes is 4294966272.

mode <transport | tunnel>

Specifies the mode value as one of the following:
  • transport—Transport mode encapsulates the IP payload and provides a secure connection between two end points.

  • tunnel—Tunnel mode encapsulates the entire IP packet and provides a secure tunnel.

The default is transport mode.

spi <1-4294967295>

Specifies the security parameters index (SPI) value, which is a unique value. SPI is a tag IPsec adds to the IP header. The tag enables the system that receives the IP packet to determine under which security association to process the received packet.

For IPsec to function, both peers must have the same SPI value configured for a particular policy.

The default value is 0.
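
The constraints stated in the procedure and the variable table (manual key-mode and transport mode only, no encryption parameters under AH, NULL for debugging only, the listed encryption KeyLength values, and a matching SPI on both peers) can be checked before a change is applied. The following Python lint is an added example, not vendor code; the function names and the peer B input are constructed for illustration.

```python
import re

# Encryption KeyLength values listed in the variable table on this page.
ENC_KEYLEN = {"3DES": {48}, "AES-CBC": {32, 48, 64}, "AES-CTR": {32}}

def parse_sa(lines):
    """Group 'ipsec security-association <name> <param> <args>' lines by SA name."""
    sas = {}
    for line in lines:
        m = re.search(r"ipsec security-association (\S+) (\S+)\s*(.*)", line)
        if m:
            name, param, rest = m.groups()
            sas.setdefault(name, {})[param.lower()] = rest.split()
    return sas

def lint_sa(sa):
    """Return findings for one SA dict, using only constraints stated on the page."""
    out = []
    proto = sa.get("encap-proto", ["ESP"])[0]  # page default: ESP
    if sa.get("key-mode", ["manual"])[0] != "manual":
        out.append("key-mode: this device only supports manual")
    if sa.get("mode", ["transport"])[0] != "transport":
        out.append("mode: this device only supports transport")
    enc = sa.get("encrpt-algo")
    if enc:
        algo = enc[0]
        # Normalise option names so EncrptKey and Encrpt-key (the page uses both) match.
        opts = {k.lower().replace("-", ""): v for k, v in zip(enc[1::2], enc[2::2])}
        if proto == "AH":
            out.append("Encrpt-algo: not available when encap-proto is AH")
        if algo == "NULL":
            out.append("Encrpt-algo: NULL is for debugging only")
        elif "keylength" in opts:
            klen = int(opts["keylength"])
            if klen not in ENC_KEYLEN.get(algo, set()):
                out.append(f"KeyLength {klen} not listed for {algo}")
            if len(opts.get("encrptkey", "")) != klen:
                out.append("encryption key length differs from KeyLength")
    return out

def spi_mismatch(sa_a, sa_b):
    """True when the two peers' SPI values differ (page default is 0)."""
    return sa_a.get("spi", ["0"]) != sa_b.get("spi", ["0"])

# Constructed sample input: peer A mirrors the page's example, peer B is deliberately wrong.
PEER_A = ["ipsec security-association newsa encap-proto ESP",
          "ipsec security-association newsa Encrpt-algo 3DES Encrpt-key " + "1" * 48 + " KeyLength 48",
          "ipsec security-association newsa spi 1"]
PEER_B = ["ipsec security-association newsa mode tunnel",
          "ipsec security-association newsa Encrpt-algo AES-CBC Encrpt-key " + "ab" * 16 + " KeyLength 24",
          "ipsec security-association newsa spi 2"]
```

Run `lint_sa(parse_sa(PEER_B)["newsa"])` to see the three findings for peer B, and `spi_mismatch` on the two parsed SAs to catch the SPI difference.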