Cisco Firepower 4110 User Manual
Cisco Preparative Procedures & Operational User Guide
© 2016 Cisco Systems, Inc. All rights reserved.
    o DH Groups: 14, 24
ESP Ciphers*:
    o Encryption algorithms: AES-CBC-128, AES-CBC-256
    o Integrity algorithms: SHA-1
Authentication: X.509v3 certificates
    o create authority trustpoint_name
Traffic Selector: remote host or subnet
    o set local-addr ip_address
    o set remote-addr ip_address
    o set remote-subnet ip/mask
    o set remote-ike-ident remote_identity_name
IKE SA Life Time: Configurable up to 24 hours. Only a time-based lifetime is supported.
    o set ike-rekey-time minutes
IKE Child SA Life Time: Configurable up to 8 hours. Only a time-based lifetime is supported.
    o set esp-rekey-time minutes
* Not configurable
Security Policy Database (SPD)

In FXOS, the SPDs are simple because FXOS does not operate as a VPN gateway: the SPDs are based only on IP addresses, so the type of traffic being tunneled (syslog, LDAP, etc.) is irrelevant to the tunneling decision.

    o The local-addr is the local management IP.
    o The remote-addr is the IP of the IPsec peer (in tunnel mode or transport mode).
    o A remote-subnet is applicable only in tunnel mode, and defines the subnet that is reachable beyond the remote-addr.

Outbound traffic will be encrypted when the source address is local-addr, *and*:
    o the destination address is the remote-addr (in tunnel or transport mode); *or*
    o the destination address is on the remote-subnet (in tunnel mode).

Outbound traffic will bypass the tunnel if:
    o the destination address is *not* the remote-addr; *and*
    o the destination address is *not* on the remote-subnet.

Inbound traffic will be dropped if:
    o the source address (prior to decryption) is on the remote-subnet (in tunnel mode); *or*
    o the source address is the remote-addr, *and* the packets are *not* IKE or ESP.
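The outbound and inbound SPD rules above can be written down as a small decision function, which is useful when checking what a given ipsec-connection will and will not protect before relying on it for syslog or LDAP traffic. The following Python model is an added example and is not Cisco code or FXOS behaviour beyond what the rules above state; the addresses are constructed for illustration, the IKE ports (UDP 500 and 4500) and the ESP protocol number (50) are the standard values, and the model assumes the remote-addr lies outside the remote-subnet.

```python
"""Model of the FXOS IPsec SPD decision as described in the guide.

Added example, not Cisco code. The connection parameters mirror the
FXOS CLI settings (mode, local-addr, remote-addr, remote-subnet).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Union

IKE_UDP_PORTS = {500, 4500}   # IKE and IKE over NAT-T (standard values)
UDP_PROTOCOL = 17
ESP_PROTOCOL = 50             # ESP is IP protocol 50

Addr = Union[str, IPv4Address]


@dataclass(frozen=True)
class IpsecConnection:
    mode: str                                   # "tunnel" or "transport"
    local_addr: IPv4Address                     # set local-addr
    remote_addr: IPv4Address                    # set remote-addr
    remote_subnet: Optional[IPv4Network] = None  # set remote-subnet (tunnel only)

    def __post_init__(self) -> None:
        if self.mode not in ("tunnel", "transport"):
            raise ValueError("mode must be 'tunnel' or 'transport'")
        if self.mode == "transport" and self.remote_subnet is not None:
            raise ValueError("remote-subnet is applicable only in tunnel mode")
        if self.remote_subnet is not None and self.remote_addr in self.remote_subnet:
            # Assumption of this model: the peer address is not inside the
            # protected subnet, otherwise the inbound rules would overlap.
            raise ValueError("remote-addr must lie outside remote-subnet")


def outbound_action(conn: IpsecConnection, src: Addr, dst: Addr) -> str:
    """Return 'encrypt' if the packet is sent through the SA, else 'bypass'."""
    src, dst = ip_address(src), ip_address(dst)
    if src != conn.local_addr:
        return "bypass"               # only traffic sourced from local-addr is selected
    if dst == conn.remote_addr:
        return "encrypt"              # tunnel or transport mode
    if conn.mode == "tunnel" and conn.remote_subnet is not None and dst in conn.remote_subnet:
        return "encrypt"              # host behind the peer, tunnel mode only
    return "bypass"                   # neither remote-addr nor remote-subnet


def inbound_action(conn: IpsecConnection, src: Addr, proto: int,
                   dst_port: Optional[int] = None) -> str:
    """Classify an inbound packet as seen *prior to decryption*.

    Returns 'drop' when one of the two SPD drop rules matches, otherwise
    'pass' (meaning the SPD does not drop it; other filtering may still apply).
    """
    src = ip_address(src)
    if conn.mode == "tunnel" and conn.remote_subnet is not None and src in conn.remote_subnet:
        return "drop"   # cleartext claiming to come from the protected subnet
    if src == conn.remote_addr:
        is_esp = proto == ESP_PROTOCOL
        is_ike = proto == UDP_PROTOCOL and dst_port in IKE_UDP_PORTS
        if not (is_esp or is_ike):
            return "drop"   # peer may only talk IKE/ESP to us in the clear
    return "pass"


def sample_tunnel() -> IpsecConnection:
    """Constructed tunnel-mode connection (documentation addresses)."""
    return IpsecConnection("tunnel", ip_address("10.0.0.5"),
                           ip_address("198.51.100.1"), ip_network("192.0.2.0/24"))


def sample_transport() -> IpsecConnection:
    """Constructed transport-mode connection to the same peer."""
    return IpsecConnection("transport", ip_address("10.0.0.5"), ip_address("198.51.100.1"))


if __name__ == "__main__":
    t = sample_tunnel()
    print("out -> peer      :", outbound_action(t, "10.0.0.5", "198.51.100.1"))
    print("out -> subnet    :", outbound_action(t, "10.0.0.5", "192.0.2.10"))
    print("out -> elsewhere :", outbound_action(t, "10.0.0.5", "203.0.113.7"))
    print("in  ESP from peer:", inbound_action(t, "198.51.100.1", ESP_PROTOCOL))
    print("in  SSH from peer:", inbound_action(t, "198.51.100.1", 6, 22))
    print("in  clear, subnet:", inbound_action(t, "192.0.2.10", 6, 514))
```

The transport-mode connection shows the practical difference: with no remote-subnet, traffic to a host behind the peer bypasses the tunnel, so a syslog or LDAP server on that subnet is only protected if the connection is in tunnel mode with the subnet configured.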
