Chapter 37
Configuring IPsec Network Security
Send documentation comments to mdsfeedback-doc@cisco.com
Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x, page 37-7

• Advanced Encryption Standard (AES) is an encryption algorithm. The switch implements AES with 128-bit keys in either Cipher Block Chaining (CBC) mode or counter (CTR) mode.
• Data Encryption Standard (DES) is used to encrypt packet data and implements the mandatory 56-bit DES-CBC. CBC requires an initialization vector (IV) to start encryption; the IV is carried explicitly in the IPsec packet. A 56-bit DES key can be recovered by brute force with modest resources, so use DES only when the peer supports nothing stronger.
• Triple DES (3DES) is a stronger form of DES with 168-bit encryption keys (three 56-bit DES keys, giving an effective strength of about 112 bits) that allows sensitive information to be transmitted over untrusted networks.

Note
Cisco NX-OS images with strong encryption are subject to United States government export controls and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.

• Message Digest 5 (MD5) is a hash algorithm used in its HMAC variant. HMAC is a keyed hash construction used to authenticate data: only a peer holding the same key can produce or verify the integrity check value.
• Secure Hash Algorithm (SHA-1) is a hash algorithm used in its Hash Message Authentication Code (HMAC) variant. Prefer HMAC-SHA-1 over HMAC-MD5 when both peers support it.
• The switch authentication algorithm uses preshared keys selected by the IP address of the peer: each switch must have the same key configured for the other switch's address (see the "Setting Transmission Retry Count for the RADIUS Server" section on page 34-11 for more information on preshared keys).

IPsec Digital Certificate Support

This section describes the advantages of using certificate authorities (CAs) and digital certificates for authentication.

For more information on CAs and digital certificates, see Chapter 36, "Configuring Certificate Authorities and Digital Certificates."

Implementing IPsec Without CAs and Digital Certificates

Without a CA and digital certificates, enabling IPsec services (such as encryption) between two Cisco MDS switches requires that each switch has the key of the other switch (such as an RSA public key or a shared key). You must manually specify either the RSA public keys or preshared keys on each switch in the fabric that uses IPsec services. Also, each new device added to the fabric requires manual configuration of the other switches in the fabric to support secure communication.

In Figure 37-2, each switch uses the key of the other switch to authenticate the identity of the other switch; this authentication always occurs when IPsec traffic is exchanged between the two switches.

If you have multiple Cisco MDS switches in a mesh topology and wish to exchange IPsec traffic among all of those switches, you must first configure shared keys or RSA public keys between every pair of those switches. With n switches that is n(n-1)/2 keys, each of which must be entered on both switches of its pair, which is the scaling problem that CAs and digital certificates remove.
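The algorithm list earlier on this page states two things a practitioner should see together: a CBC cipher needs an IV that is carried in the clear inside the IPsec packet, and an HMAC (MD5 or SHA-1) is what authenticates the packet. The following Go program is an added example, not code from the Cisco guide or from NX-OS: it builds and verifies an ESP-style packet using AES-128-CBC with an explicit IV and a 96-bit truncated HMAC-SHA-1 integrity check value over the header, IV and ciphertext, then shows that a receiver verifies the ICV before decrypting and rejects a tampered packet. The packet layout follows RFC 4303/2404 conventions; the keys, SPI and payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed ESP-style layout (RFC 4303, AES-128-CBC, HMAC-SHA1-96):
//   SPI(4) | Seq(4) | IV(16) | ciphertext | ICV(12)
// The IV is sent in the clear but is covered by the ICV, which is computed
// over everything from the SPI to the end of the ciphertext.
const (
	espHdrLen = 8
	aesBlock  = 16 // AES block size, also the AES-CBC IV size
	icvLen    = 12 // HMAC-SHA1-96: 160-bit tag truncated to 96 bits
)

// espPad appends the RFC 4303 trailer (pad bytes 1,2,3,..., Pad Length,
// Next Header) so the plaintext is a whole number of cipher blocks.
func espPad(payload []byte, nextHeader byte) []byte {
	padLen := (aesBlock - (len(payload)+2)%aesBlock) % aesBlock
	out := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		out = append(out, byte(i))
	}
	return append(out, byte(padLen), nextHeader)
}

// espEncrypt: fresh random IV, AES-128-CBC over the padded payload, then a
// truncated HMAC-SHA1 over header, IV and ciphertext (encrypt-then-MAC).
func espEncrypt(encKey, authKey []byte, spi, seq uint32, payload []byte, nextHeader byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aesBlock)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	plain := espPad(payload, nextHeader)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	pkt := make([]byte, espHdrLen, espHdrLen+aesBlock+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(append(pkt, iv...), ct...)
	mac := hmac.New(sha1.New, authKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// espDecrypt checks the ICV in constant time before touching the ciphertext,
// then decrypts and validates the trailer; any failure rejects the packet.
func espDecrypt(encKey, authKey, pkt []byte) (payload []byte, nextHeader byte, err error) {
	if len(pkt) < espHdrLen+2*aesBlock+icvLen {
		return nil, 0, errors.New("packet too short")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	if subtle.ConstantTimeCompare(mac.Sum(nil)[:icvLen], icv) != 1 {
		return nil, 0, errors.New("ICV check failed")
	}
	iv, ct := body[espHdrLen:espHdrLen+aesBlock], body[espHdrLen+aesBlock:]
	block, err := aes.NewCipher(encKey)
	if err != nil || len(ct)%aesBlock != 0 {
		return nil, 0, errors.New("bad key or ciphertext length")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	padStart := len(plain) - 2 - padLen
	if padStart < 0 {
		return nil, 0, errors.New("bad pad length")
	}
	for i := 0; i < padLen; i++ {
		if plain[padStart+i] != byte(i+1) {
			return nil, 0, errors.New("bad padding")
		}
	}
	return plain[:padStart], plain[len(plain)-1], nil
}

func main() {
	encKey := []byte("0123456789abcdef")      // constructed 128-bit AES key
	authKey := []byte("mds-esp-auth-key-20b") // constructed 160-bit HMAC key
	pkt, _ := espEncrypt(encKey, authKey, 0x1000, 1, []byte("FCIP frame bytes"), 6)
	got, nh, err := espDecrypt(encKey, authKey, pkt)
	fmt.Printf("len=%d payload=%q next=%d err=%v\n", len(pkt), got, nh, err)
	pkt[len(pkt)-1] ^= 1 // corrupt the ICV: the receiver must drop the packet
	_, _, err = espDecrypt(encKey, authKey, pkt)
	fmt.Println("tampered:", err)
}
```

Two design points carry over to the switch configuration: the IV is public and random per packet, so the secrecy of CBC rests entirely on the key (the key size, 56, 112 or 128 bits, is what the cipher choice actually buys you), and because the MAC is verified before decryption, a forged or corrupted packet is dropped without ever exposing padding or plaintext behaviour to the sender.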