Implementing IPSec Network Security on Cisco IOS XR Software
Information About Implementing IPSec Networks
SC-94
Cisco IOS XR System Security Configuration Guide
To implement IP network security, you should understand the following concepts:
• Crypto Profiles, page SC-94
• Dynamic Crypto Profiles, page SC-95
• Crypto Access Lists, page SC-95
• Transform Sets, page SC-96
• Global Lifetimes for IPSec Security Associations, page SC-96
• Checkpointing, page SC-98
• DF Bit Override Functionality with IPSec Tunnels, page SC-98
• IPSec Antireplay Window, page SC-98
• IPSec NAT Transparency, page SC-99
• IPSec Security Association Idle Timers, page SC-99
• Prefragmentation for Cisco IPSec VPN SPAs, page SC-99
• Reverse-Route Injection, page SC-100
• IPSec—SNMP Support, page SC-101
Note For information about IPSec Quality of Service (QoS), refer to the Cisco IOS XR Quality of Service Configuration Guide.
Crypto Profiles
Crypto profile entries created for IPSec combine the various parts used to set up IPSec security associations (SAs), including the following:
• Traffic that should be protected by IPSec (per a crypto access list)
• Granularity of the flow to be protected by a set of SAs
• IPSec security that should be applied to this traffic (selecting from a list of one or more transform sets)
• Other parameters that might be necessary to define an IPSec SA
Crypto profiles are applied to IPSec interfaces (for example, tunnel-ipsec, service-ipsec, and service) or to crypto transport.
If the access control lists (ACLs) specified within the profile match any outbound IP traffic, that IP traffic is protected by IPSec. The SA is established with the remote peer by IKE.
When using service-gre interfaces, the profile attached to the interface is not configured with an explicit ACL. Instead, all traffic destined for the GRE tunnel is protected by IPSec.
The policy described in the crypto profile entries is used during the negotiation of SAs. If the local router initiates the negotiation, it uses the policy specified in the static crypto profile entries to create the offer sent to the specified IPSec peer. If the IPSec peer initiates the negotiation, the local router checks the policy associated with the interface, or with the profile associated with the identity specified in the ISAKMP profile, and uses that policy to decide whether to accept or reject the peer's request (offer).
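As an added example that is not taken from this guide, the following constructed IOS XR configuration ties the pieces above together: an ACL naming the protected flow, a transform set, a crypto profile binding the two and fixing the SA mode and PFS group, and the profile attached to a tunnel-ipsec interface. All names, addresses and the exact command syntax are assumptions; check them against the command reference for your release.

```cisco
! Constructed example. Only traffic from 10.1.1.0/24 to 10.2.2.0/24 matches the
! crypto ACL, so only that flow is protected by the profile below.
ipv4 access-list ipsec-selectors
 10 permit ipv4 10.1.1.0/24 10.2.2.0/24
!
! Transform set: the protection offered for matching traffic (ESP with AES
! encryption and SHA-1 HMAC integrity).
crypto ipsec transform-set ts-aes-sha
 transform esp-aes esp-sha
!
! Crypto profile: binds the selector ACL to the transform set. The SA mode and
! PFS group are part of the policy used both when this router builds an offer
! and when it evaluates a peer-initiated one.
crypto ipsec profile site-to-site
 set type tunnel
 set pfs group2
 match ipsec-selectors transform-set ts-aes-sha
!
! Attach the profile to the IPSec interface. An outbound packet that matches the
! ACL triggers IKE to establish the SA with the peer at 192.0.2.2 (assumed address).
interface tunnel-ipsec 1
 ipv4 address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 profile site-to-site
!
```

Before committing, confirm with the show commands for your release that the SA was negotiated with the expected transform and that non-matching traffic is not silently sent in the clear.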