Implementing IPSec Network Security on Cisco IOS XR Software
Information About Implementing IPSec Networks
SC-99
Cisco IOS XR System Security Configuration Guide
IPSec NAT Transparency
Note This IPSec feature is supported only on the Cisco IPSec VPN SPA.
A standard IPSec Virtual Private Network (VPN) tunnel does not work if one or more Network Address
Translation (NAT) or Port Address Translation (PAT) devices sit in the delivery path of the IPSec
packets. The IPSec NAT transparency feature allows IPSec traffic to traverse those NAT and PAT points,
so that remote-access users behind a NAT can build IPSec tunnels to home gateways.
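The mechanism behind NAT transparency, as an added example that is not part of the manual and not Cisco code: each IKE peer proves what address and port it believes it is using by sending a NAT-D hash (RFC 3947), the receiver recomputes the hash over the source address actually seen on the wire, and once a NAT is detected both IKE and ESP move to UDP port 4500 with a four-byte non-ESP marker distinguishing IKE from ESP (RFC 3948). The cookies, addresses and the SHA-1 choice below are constructed assumptions.

```python
"""NAT detection and UDP encapsulation as used by IPsec NAT traversal.

Added example, not Cisco code: NAT-D hashing follows RFC 3947 and the
UDP-encapsulated ESP framing follows RFC 3948. Cookies and addresses are
constructed values.
"""
import hashlib
import ipaddress
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages carried on UDP 4500
KEEPALIVE = b"\xff"                    # one-byte NAT keepalive


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    A peer sends one hash for its own address and port as it sees them and
    one for each address/port it believes the other side has. The algorithm
    is the hash negotiated in IKE phase 1; SHA-1 is assumed here.
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes, peer_nat_d: bytes,
                      observed_ip: str, observed_port: int) -> bool:
    """Receiver-side check: recompute the peer's NAT-D over the source address
    and port actually observed on the wire. A mismatch means a NAT or PAT
    device rewrote them somewhere on the path."""
    local_view = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return local_view != peer_nat_d


def udp_encapsulate(payload: bytes, kind: str, src_port: int = NAT_T_PORT,
                    dst_port: int = NAT_T_PORT) -> bytes:
    """Wrap an ESP packet, an IKE message or a keepalive in UDP 4500 framing."""
    if kind == "ike":
        body = NON_ESP_MARKER + payload
    elif kind == "esp":
        # ESP goes on the wire unchanged; its SPI must be non-zero so a receiver
        # cannot mistake it for the IKE marker.
        if len(payload) < 8 or payload[:4] == NON_ESP_MARKER:
            raise ValueError("ESP needs a non-zero SPI so it cannot be confused with IKE")
        body = payload
    elif kind == "keepalive":
        body = KEEPALIVE
    else:
        raise ValueError(kind)
    # RFC 3948: the UDP checksum is transmitted as zero; ESP's ICV protects the data.
    header = struct.pack("!HHHH", src_port, dst_port, 8 + len(body), 0)
    return header + body


def udp_demux(datagram: bytes) -> tuple:
    """Classify a UDP 4500 datagram as keepalive, IKE (non-ESP marker) or ESP."""
    _src, _dst, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    body = datagram[8:length]
    if body == KEEPALIVE:
        return ("keepalive", b"")
    if body[:4] == NON_ESP_MARKER:
        return ("ike", body[4:])
    return ("esp", body)


if __name__ == "__main__":
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))
    # Remote-access client behind a NAT hashes its private address and port...
    client_nat_d = nat_d_hash(cky_i, cky_r, "10.0.0.5", 500)
    # ...but the home gateway sees the NAT's public address and a translated port.
    print("NAT detected:", nat_between_peers(cky_i, cky_r, client_nat_d, "203.0.113.7", 40123))
    esp = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 24  # SPI 0x1001, seq 1, ciphertext
    print(udp_demux(udp_encapsulate(esp, "esp")))
```

The demultiplexing rule is the reason NAT-T can share one UDP port for both protocols: an ESP packet always starts with its SPI, which is never zero, so four leading zero bytes can only be the IKE marker.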
IPSec Security Association Idle Timers
Note This IPSec feature is supported only on the Cisco IPSec VPN SPA.
When a router running Cisco IOS XR software creates an IPSec SA for a peer, resources must be
allocated to maintain the SA: memory and several managed timers. For idle peers these resources are
wasted, and if enough of them are tied up by idle peers, the router could be prevented from creating
new SAs with other peers. The IPSec SA idle timer feature introduces a configurable idle timer that
monitors SAs for activity, allowing SAs for idle peers to be deleted. The idle timers are configured
either globally or on a per-crypto-profile basis.
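The resource problem and its fix, as an added example that is not part of the manual and not Cisco code: a fixed-capacity SA table in which every SA holds a slot until an idle timer reclaims it, with per-profile timers overriding the global one. The capacity, timer values, profile names and peer addresses are constructed assumptions.

```python
"""IPsec SA table with idle timers.

Added example, not Cisco code. It models the resource problem described
above: each SA occupies a slot until the idle timer reclaims it. Per-profile
timers override the global one; all values here are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


class SAExhausted(Exception):
    """No free SA slot: idle peers are holding them all."""


@dataclass
class SecurityAssociation:
    peer: str
    profile: str
    created: float
    last_activity: float


class SADatabase:
    def __init__(self, capacity: int, global_idle: Optional[float] = None):
        self.capacity = capacity
        self.global_idle = global_idle      # seconds; None disables the global timer
        self.profile_idle = {}              # crypto profile -> idle seconds
        self.sas = {}                       # peer -> SecurityAssociation

    def set_profile_idle(self, profile: str, seconds: float) -> None:
        self.profile_idle[profile] = seconds

    def idle_limit(self, profile: str) -> Optional[float]:
        """Profile-level timer wins over the global one."""
        return self.profile_idle.get(profile, self.global_idle)

    def reap_idle(self, now: float) -> list:
        """Delete SAs whose peer has sent nothing for at least their idle limit."""
        expired = []
        for peer, sa in list(self.sas.items()):
            limit = self.idle_limit(sa.profile)
            if limit is not None and now - sa.last_activity >= limit:
                expired.append(peer)
                del self.sas[peer]
        return expired

    def create(self, peer: str, profile: str, now: float) -> SecurityAssociation:
        self.reap_idle(now)
        if peer in self.sas:
            return self.sas[peer]
        if len(self.sas) >= self.capacity:
            raise SAExhausted(f"{self.capacity} SAs in use, cannot add {peer}")
        sa = SecurityAssociation(peer, profile, now, now)
        self.sas[peer] = sa
        return sa

    def traffic(self, peer: str, now: float) -> None:
        """Any packet on the SA counts as activity and resets its idle clock."""
        self.sas[peer].last_activity = now


def demo() -> tuple:
    """Returns (third SA rejected without timers, accepted once idle timers reap)."""
    no_timer = SADatabase(capacity=2)
    no_timer.create("198.51.100.10", "remote-access", now=0)
    no_timer.create("198.51.100.11", "remote-access", now=0)
    try:
        no_timer.create("198.51.100.12", "remote-access", now=3600)
        rejected = False
    except SAExhausted:
        rejected = True

    timed = SADatabase(capacity=2, global_idle=1800)
    timed.set_profile_idle("site-to-site", 7200)   # busy links get a longer limit
    timed.create("198.51.100.10", "remote-access", now=0)
    timed.create("192.0.2.1", "site-to-site", now=0)
    timed.traffic("192.0.2.1", now=3000)           # site-to-site peer stays active
    third = timed.create("198.51.100.12", "remote-access", now=3600)
    return rejected, third.peer in timed.sas


if __name__ == "__main__":
    print(demo())
```

In the second half of demo() the remote-access SA has been silent for 3600 s against an 1800 s global limit and is reaped, while the site-to-site SA, which saw traffic at 3000 s and has a 7200 s profile limit, survives; that frees the slot the new peer needs.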
Prefragmentation for Cisco IPSec VPN SPAs
Note This IPSec feature is supported only on the Cisco IPSec VPN SPA.
When a packet is nearly the size of the maximum transmission unit (MTU) of the outbound link of the
encrypting router, encapsulating it with IPSec headers is likely to push it over the MTU of the
outbound link. Such a packet is fragmented after encryption, which forces the decrypting router to
reassemble it in the process path. Prefragmentation for Cisco IPSec VPN SPAs increases the
decrypting router's performance by enabling it to operate in the high-performance CEF path instead of
the process path.
This feature allows an encrypting router to predetermine the encapsulated packet size from information
available in transform sets, which are configured as part of the IPSec SA. If it is predetermined that the
packet exceeds the MTU of the output interface, the packet is fragmented before encryption. This
function avoids process-level reassembly before decryption and helps improve decryption performance
and overall IPSec traffic throughput.
Whether prefragmentation is applied on a service-ipsec interface depends on the crypto ipsec df-bit
command configuration for that interface and on the state of the incoming packet's "do not fragment"
(DF) bit (see Table 4).
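The size prediction and the decision it drives, as an added example that is not part of the manual and not Cisco code: the encapsulated size of an ESP tunnel-mode packet is computed from the transform set (IV length, cipher block size for padding, ICV length, following RFC 4303 with an outer IPv4 header), and an oversized clear-text packet is fragmented on 8-byte boundaries before encryption when its DF bit allows. The transform-set table and the df-bit semantics (copy the inner DF bit, always set, always clear) are assumptions made for the example; Table 4 in this guide is the reference for the platform's actual behavior.

```python
"""Prefragmentation decision for ESP tunnel mode.

Added example, not Cisco code. The encapsulated size is predicted from the
transform set; the ESP layout follows RFC 4303 with an outer IPv4 header.
The transform names and the df-bit semantics (copy/set/clear) are
assumptions; see Table 4 in the guide for the real platform behavior.
"""
IPV4_HDR = 20
ESP_SPI_SEQ = 8  # SPI (4 bytes) + sequence number (4 bytes)

# Hypothetical transform-set table: IV length, cipher block size, ICV length.
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 16, 12),
    "esp-aes-256 esp-sha256-hmac": (16, 16, 16),
    "esp-3des esp-md5-hmac": (8, 8, 12),
}


def esp_tunnel_size(inner_len: int, transform: str) -> int:
    """Size of the ESP tunnel-mode packet carrying an inner IPv4 packet of inner_len bytes."""
    iv_len, block, icv_len = TRANSFORMS[transform]
    # Encrypted area: inner packet + padding + pad-length byte + next-header byte,
    # padded so the cipher only ever sees whole blocks.
    plaintext = inner_len + 2
    padding = (-plaintext) % block
    return IPV4_HDR + ESP_SPI_SEQ + iv_len + plaintext + padding + icv_len


def max_inner_len(mtu: int, transform: str) -> int:
    """Largest inner packet whose encrypted form still fits the output MTU."""
    for inner in range(mtu, IPV4_HDR, -1):
        if esp_tunnel_size(inner, transform) <= mtu:
            return inner
    raise ValueError("MTU too small for this transform set")


def fragment_ipv4(total_len: int, max_len: int) -> list:
    """Split an IPv4 packet into fragments of at most max_len bytes; every
    fragment except the last carries a multiple of 8 data bytes."""
    chunk = ((max_len - IPV4_HDR) // 8) * 8
    if chunk <= 0:
        raise ValueError("no room for fragment data")
    data = total_len - IPV4_HDR
    sizes = []
    while data > chunk:
        sizes.append(IPV4_HDR + chunk)
        data -= chunk
    sizes.append(IPV4_HDR + data)
    return sizes


def prefragment(inner_len: int, inner_df: bool, df_policy: str,
                mtu: int, transform: str) -> tuple:
    """Decide what the encrypting router does with one clear-text packet.

    Returns (action, sizes): 'encrypt' (fits as is), 'prefragment' (fragment
    before encryption, encrypt each piece), 'postfragment' (outer DF clear:
    the encrypted packet is fragmented on the way and the decrypting router
    reassembles it in the process path) or 'drop' (DF set and too big).
    """
    if esp_tunnel_size(inner_len, transform) <= mtu:
        return ("encrypt", [inner_len])
    if not inner_df:
        return ("prefragment", fragment_ipv4(inner_len, max_inner_len(mtu, transform)))
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df_policy]
    if outer_df:
        return ("drop", [])  # would be signalled with ICMP fragmentation needed
    return ("postfragment", [inner_len])


if __name__ == "__main__":
    ts = "esp-aes esp-sha-hmac"
    print(esp_tunnel_size(1500, ts))                    # 1560: exceeds a 1500-byte MTU
    print(prefragment(1500, False, "copy", 1500, ts))   # ('prefragment', [1436, 84])
    print(prefragment(1500, True, "copy", 1500, ts))    # ('drop', [])
```

With esp-aes esp-sha-hmac and a 1500-byte MTU, the largest inner packet that still fits after encryption is 1438 bytes, so a full-size 1500-byte packet with DF clear becomes two clear-text fragments of 1436 and 84 bytes, each of which encrypts to at most 1500 bytes and arrives without post-encryption fragmentation.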