IP Security Basics : How to Set Up IPSec Direct Encapsulation on Cisco Devices

With the importance of internet security being at the forefront of everyone’s mind these days, importance of keeping data safe while in transit is vital. There are of course a number of different technologies that are available to keep data safe including IP Security (IPSec), Generic Routing Encapsulation (GRE), Secure Sockets Layer (SSL) VPNs, and more. One of the major issues that many people have with IPSec is that it does not directly support IP multicast (required for many routing protocols) or protocols other than IP; this is often why a mix of different technologies are used to provide a solution that is optimal for each situation.

For now, let’s take a look at just IPSec — specifically, IPSec direct encapsulation on Cisco devices.

Transport or Tunnel? Tackling IPSec Modes

The first thing to recognize is that IPSec itself is not a protocol but a collection of protocols that are used collectively to create a secure connection between endpoints. While IPSec is an open standard, among the most used features are the Internet Security Association and Key Management Protocol (ISAKMP), which is used to establish a Security Association (SA) between endpoints. This includes a common encryption protocol (for ISAKMP) and authentication method and parameters. Authentication Header (AH) provides the ability for a connection to have integrity protection and data origin authentication, while Encapsulating Security Payload (ESP) provides the ability for a connection to have integrity protection and data origin authentication as well as the ability to have data confidentiality using encryption. IPSec offers two modes of operation: transport and tunnel. The Authentication Header and ESP operate differently depending on the mode being used.

Now that I’ve thrown a mess of acronyms at you, let’s tackle the modes of operation. In transport mode, AH inserts an IPSec header after the main IP header and is able to protect the contents of all IP header fields. In tunnel mode, AH authenticates the original header, encapsulates it and creates a new IP header which it then protects the same as in transport mode. Because of the way that AH monitors the whole IP header it is not compatible with NAT as NAT changes the source and destination IP address fields.

In transport mode, ESP encrypts the IP payload and inserts an IPSec header after the original header; it does not alter the original IP header and does not authenticate the IP header itself. In tunnel mode, however, ESP inserts the IPSec header after the original IP header, and it encapsulates and encrypts (that is, if configured) the whole IP packet. A new IP header is then put onto the encapsulated packet (this new IP header is not authenticated).

IPSec Direct Encapsulation Configuration

There are a number of commands that are used to set up IPSec. Below, table 1 shows the commands that are required and their options. Obviously, this is certainly a long list of commands to follow. The simplest way to learn it is to set up two routers (or emulated routers) and configure them with these steps.

1 Enter privileged EXEC mode router>enable
2 Enter device configuration mode router#configure terminal
3 Create and enter ISAKMP policy configuration mode router(config)#crypto isakmp policy policy-priority
4 Configure an ISAKMP encryption standard router(config-isakmp)#encryption [3des | aes | des]
5 Configure ISAKMP authentication type router(config-isakmp)#authentication [pre-share | rsa-encr | rsa-sig]
6 Configure a Diffie-Hellman group router(config-isamkp)#group [1 | 2 | 5 | 14 | 15 | 16]
7 Exit ISAKMP policy configuration mode router(config-isakmp)#exit
8 Configure ISAKMP pre-shared key. This is just one method — other Public Key Infrastructure options can also be used router(config)#crypto isakmp key key [address ip-address | hostname hostname]
9 Configure Dead Peer Detection (DPD) keep alive messages. While this is not required, it provides a mechanism to know when an IKE peer goes down. router(config)#crypto isakmp keepalive seconds
10 Create a IPSec transform set. This is a combination of security protocols and algorithms used. There are several transforms available; check the Cisco command reference for a complete list. router(config)#crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
11 Configure the source IPSec interface to be used router(config)#crypto map map-name local-address interface
12 Create and enter Crypto map configuration mode router(config)#crypto map map-name sequence-number ipsec-isakmp
13 Configure the IPSec peer router(config-crypto-map)#set peer [peer-ip-address | peer-hostname]
14 Configure the IPSec transform set to be used router(config-crypto-map)#set transform-set transform-set-name
15  Configure the ACL to be used for interesting traffic. “Interesting traffic” is the traffic that will be acted upon by IPSec router(config-crypto-map)#match address acl-number
16 Exit Crypto map configuration mode router(config-crypto-map)#exit
17 Create an ACL for interesting traffic. This is typically an extended ACL that is used to specify the traffic that will be handled by IPSec. router(config)#access-list acl-number permit ip source-network source-inverse-mask destination-network destination-inverse-mask
18 Enter interface configuration mode. This is the source interface for IPSec router(config)#interface interface
19 Configure the interface to use a specific crypto map router(config-if)#crypto map map-name

Just the Beginning

When it comes to IP Security, there are certainly a large number of options and methods of using both IPSec direct encapsulation by itself and in conjunction with other security technologies. Hopefully this article helped make you feel less mired in your understanding of general IPSec concepts, and you’ve learned a bit about how to how to configure direct IPSec encapsulation without the use of any other technologies.