Cisco MDS 9000 Series Configuration Manual page 189

Security
Configuring IPSec Network Security
• The IPsec feature is not supported on the management interface.

IPsec features are compatible with the following fabric setup:
• Two connected Cisco MDS 9200 Switches or Cisco MDS 9500 Directors running Cisco MDS SAN-OS Release 2.0(1b) or later, or Cisco NX-OS 4.1(1).
• A Cisco MDS 9200 Switch or Cisco MDS 9500 Director running Cisco MDS SAN-OS Release 2.0(1b) or later, or Cisco NX-OS 4.1(1), connected to any IPsec compliant device.

The following features are not supported in the Cisco NX-OS implementation of the IPsec feature:
• Authentication Header (AH).
• Transport mode.
• Security association bundling.
• Manually configuring security associations.
• Per host security association option in a crypto map.
• Security association idle timeout.
• Dynamic crypto maps.

Note
Any reference to crypto maps in this document refers only to static crypto maps.

IPsec and IKE Terminology
The terms used in this chapter are explained in this section.
• Security association (SA)—An agreement between two participating peers on the entries required to encrypt and decrypt IP packets. Two SAs are required for each peer in each direction (inbound and outbound) to establish bidirectional communication between the peers. Sets of bidirectional SA records are stored in the SA database (SAD). IPsec uses IKE to negotiate and bring up SAs. Each SA record includes the following information:
  • Security parameter index (SPI)—A number which, together with a destination IP address and security protocol, uniquely identifies a particular SA. When using IKE to establish the SAs, the SPI for each SA is a pseudo-randomly derived number.
  • Peer—A switch or other device that participates in IPsec. For example, a Cisco MDS switch or other Cisco routers that support IPsec.
  • Transform—A list of operations done to provide data authentication and data confidentiality. For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm.
  • Session key—The key used by the transform to provide security services.
  • Lifetime—A lifetime counter (in seconds and bytes) is maintained from the time the SA is created. When the time limit expires, the SA is no longer operational and, if required, is automatically renegotiated (rekeyed).
  • Mode of operation—Two modes of operation are generally available for IPsec: tunnel mode and transport mode. The Cisco NX-OS implementation of IPsec only supports the tunnel mode. The IPsec tunnel mode encrypts and authenticates the IP packet, including its header. The gateways encrypt traffic on behalf of the hosts and subnets. The Cisco NX-OS implementation of IPsec does not support transport mode.
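The terminology above is easier to hold onto as a small working model. The following is an added example written for this page, not Cisco code and not how the MDS switch implements its SAD internally. It models SA records with the fields listed (SPI, destination, protocol, peer, transform, session key, lifetimes), a SAD keyed by the (SPI, destination, protocol) triple, one SA per direction, lifetime expiry in seconds and bytes with rekeying, and tunnel-mode encapsulation where the whole inner IP packet (header included) is carried behind an outer gateway-to-gateway header. The `negotiate` function is a stand-in for IKE, the packet layout is a simplified constructed format rather than real IPv4/ESP wire format, the sample inner packet is constructed, and payload encryption is omitted so that only the HMAC-MD5 authenticator side of the "ESP with HMAC-MD5" transform is shown.

```python
"""Toy model of IPsec SAs, the SAD, lifetimes/rekeying and tunnel-mode ESP encapsulation.
Constructed example for illustration; not Cisco code and not a real wire format."""
import hashlib
import hmac
import secrets
import socket
import struct
from dataclasses import dataclass, replace

ESP = 50        # IP protocol number for ESP; AH (51) is not supported by the NX-OS implementation
ICV_LEN = 12    # HMAC-MD5-96: the authenticator is the first 96 bits of the HMAC-MD5 tag

# Constructed 60-byte stand-in for an inner IPv4 packet (0x45 = IPv4, IHL 5).
SAMPLE_INNER = bytes([0x45]) + b"\x00" * 59


@dataclass
class SecurityAssociation:
    """One SA record with the fields named in the terminology section."""
    spi: int
    dst: str            # (spi, dst, protocol) uniquely identifies the SA
    protocol: int
    peer: str
    transform: str      # e.g. "esp-hmac-md5"
    session_key: bytes
    lifetime_seconds: int
    lifetime_bytes: int
    created_at: float
    bytes_used: int = 0
    seq: int = 0

    @property
    def key(self):
        return (self.spi, self.dst, self.protocol)

    def expired(self, now):
        """Either lifetime limit (time or bytes) makes the SA non-operational."""
        return (now - self.created_at >= self.lifetime_seconds
                or self.bytes_used >= self.lifetime_bytes)


class SAD:
    """Security association database: SA records looked up by (SPI, destination, protocol)."""
    def __init__(self):
        self.entries = {}

    def fresh_spi(self):
        # IKE-style pseudo-random SPI; values 0-255 are reserved, so draw again on those.
        while True:
            spi = secrets.randbits(32)
            if spi >= 256 and all(k[0] != spi for k in self.entries):
                return spi

    def lookup(self, spi, dst, protocol=ESP):
        return self.entries.get((spi, dst, protocol))

    def outbound_to(self, dst):
        """The SA whose destination is the remote gateway is the outbound one."""
        return next(sa for sa in self.entries.values() if sa.dst == dst)


def negotiate(sad_a, ip_a, sad_b, ip_b, transform, lifetime_seconds, lifetime_bytes, now):
    """Stand-in for IKE: one SA per direction. Each side chooses the SPI for the traffic it
    will receive, and the same record (SPI, key, lifetimes) is installed in both SADs."""
    pair = []
    for receiver, receiver_ip, sender_ip in ((sad_a, ip_a, ip_b), (sad_b, ip_b, ip_a)):
        pair.append(SecurityAssociation(receiver.fresh_spi(), receiver_ip, ESP, sender_ip,
                                        transform, secrets.token_bytes(16),
                                        lifetime_seconds, lifetime_bytes, now))
    for sad, other_ip in ((sad_a, ip_b), (sad_b, ip_a)):
        for sa in pair:                       # each SAD gets its own copy (own counters)
            sad.entries[sa.key] = replace(sa, peer=other_ip)
    return pair


def rekey(sad_a, ip_a, sad_b, ip_b, old_pair, now):
    """Tear down an expired pair in both SADs and negotiate a replacement with fresh SPIs/keys."""
    for sad in (sad_a, sad_b):
        for sa in old_pair:
            sad.entries.pop(sa.key, None)
    sa = old_pair[0]
    return negotiate(sad_a, ip_a, sad_b, ip_b, sa.transform,
                     sa.lifetime_seconds, sa.lifetime_bytes, now)


def tunnel_encapsulate(sa, gateway_ip, inner_packet):
    """Tunnel mode: the entire inner packet, header included, becomes the ESP payload behind a
    new outer header addressed from this gateway to the peer gateway. Layout (constructed):
    outer[src(4) dst(4) proto(1)] + esp[spi(4) seq(4)] + inner + icv(12). Encryption omitted."""
    sa.seq += 1
    outer = socket.inet_aton(gateway_ip) + socket.inet_aton(sa.dst) + struct.pack("!B", sa.protocol)
    esp_header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.session_key, esp_header + inner_packet, hashlib.md5).digest()[:ICV_LEN]
    sa.bytes_used += len(inner_packet)        # counts toward the byte lifetime
    return outer + esp_header + inner_packet + icv


def tunnel_decapsulate(sad, packet):
    """Receiver side: the SPI in the ESP header plus the outer destination and protocol select
    the SA; the ICV is checked with that SA's session key. Returns the inner packet, or None
    when no SA matches or the authenticator does not verify."""
    dst = socket.inet_ntoa(packet[4:8])
    protocol = packet[8]
    spi, _seq = struct.unpack("!II", packet[9:17])
    sa = sad.lookup(spi, dst, protocol)
    if sa is None:
        return None
    body, icv = packet[9:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.session_key, body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return packet[17:-ICV_LEN]


def tamper(packet):
    """Flip one bit inside the encapsulated inner packet (used to show the ICV check)."""
    i = 20
    return packet[:i] + bytes([packet[i] ^ 0x01]) + packet[i + 1:]
```

Two points the model makes concrete: the receiver never needs to know which SA the sender "meant", because the SPI it chose itself, together with the outer destination and protocol, identifies the record; and a rekey changes both the SPI and the session key on both sides, so a packet carrying the old SPI simply finds no SA and is dropped.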
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x