Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

671

672

673

674

675

676

677

678

679

680

Internet Protocol Security (IPSec)

Internet protocol security (IPSec) is an end-to-end security scheme for securing IP communications by authenticating and encrypting all

packets in a session. Use IPSec between hosts, gateways, or hosts and gateways.

IPSec uses a series of protocol functions to achieve information security:

• Authentication Headers (AH) — Connectionless integrity and origin authentication for IP packets.

• Encapsulating Security Payloads (ESP) — Confidentiality, authentication, and data integrity for IP packets.

• Security Associations (SA) — Algorithm-provided parameters required for AH and ESP protocols.

IPSec capability is available on control (protocol) and management traffic; end-node support is required.

IPSec supports two operational modes: Transport and Tunnel.

• Transport is the default mode for IPSec and encrypts only the payload of the packet. Routing information is unchanged.

• Tunnel mode is used to encrypt the entire packet, including the routing information in the IP header. Tunnel mode is typically used in

creating virtual private networks (VPNs).

Transport mode provides IP packet payload protection using ESP. You can use ESP alone or in combination with AH to provide additional

authentication. AH protects data from modification but does not provide confidentiality.

SA is the configuration information that specifies the type of security provided to the IPSec flow. The SA is a set of algorithms and keys

used to authenticate and encrypt the traffic flow. The AH and ESP use SA to provide traffic protection for the IPSec flow.

NOTE:

The Dell EMC Networking OS supports IPSec only for FTP and telnet protocols (ports 20, 21, and 23). The system

rejects if you configure IPSec for other protocols.

Topics:

• crypto ipsec transform-set

• crypto ipsec policy

• management crypto-policy

• match

• session-key

• show crypto ipsec transform-set

• show crypto ipsec policy

• transform-set

crypto ipsec transform-set

Create a transform set, or combination of security algorithms and protocols, of cryptos.

Syntax

crypto ipsec transform-set name {ah-authentication {md5|sha1|null} | esp-

authentication {md5|sha1|null} | esp-encryption {3des|cbc|des|null}}

To delete a transform set, use the no crypto ipsec transform-set name {ah-authentication

{md5|sha1|null} | esp-authentication {md5|sha1|null} | esp-encryption {3des|

cbc|des|null}} command.

Parameters

name

Enter the name for the transform set.

ah-authentication Enter the keywords ah-authentication then the transform type of operation to

apply to traffic. The transform type represents the encryption or authentication applied to

traffic.

• md5 — Use Message Digest 5 (MD5) authentication.

674 Internet Protocol Security (IPSec)