Name: Cisco IOS XR
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

Implementing IPSec Network Security on Cisco IOS XR Software

Configuration Examples for Implementing IPSec Network Security for Locally Sourced Traffic and Destined Traffic

SC-141

Cisco IOS XR System Security Configuration Guide

A transform set defines how the traffic is protected. In this example, transform set myset1 uses Data

Encryption Standard (DES) encryption and Secure Hash Algorithm (SHA) for data packet

authentication:

crypto ipsec transform-set myset1

transform esp-des esp-sha

Another transform set example is myset2, which uses 3DES encryption and the Message Digest 5 (MD5)

(Hashed Message Authentication Code [HMAC] variant) algorithm for data packet authentication:

crypto ipsec transform-set myset2

transform esp-3des esp-md5-hmac

A crypto profile named toRemoteSite is created and joins the IPSec access list and transform set:

crypto ipsec profile toRemoteSite

match sample1 transform-set myset1

end

The toRemoteSite crypto profile is then applied to a tunnel-ipsec interface:

interface tunnel-ipsec0

profile toRemoteSite

tunnel source 10.0.0.2

tunnel destination 10.0.0.5

Configuring a Dynamic Profile and Attaching to a Tunnel-ipsec Interface:

Example

The following example shows a minimal IPSec configuration where a dynamic crypto profile is created

and attached to a tunnel-ipsec interface.

An IPSec access list named sample2 defines which traffic to protect:

ipv4 access-list sample2 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255

A transform set defines how the traffic is protected. In this example, transform set myset2 uses DES

encryption and SHA for data packet authentication:

crypto ipsec transform-set myset2

transform esp-des esp-sha

Another transform set example is myset3, which uses 3DES encryption and MD5 (HMAC variant) for

data packet authentication:

crypto ipsec transform-set myset3

transform esp-3des esp-md5-hmac

A dynamic crypto profile named toRemoteSite is created and joins the IPSec access list and transform

set:

crypto ipsec profile toRemoteSite

match sample2 transform-set myset3

set type dynamic discover

end

The toRemoteSite profile is applied to a tunnel-ipsec interface:

interface tunnel-ipsec0

profile toRemoteSite

tunnel source 10.0.0.2

The tunnel destination is not required when the profile is dynamic.

Questions and Answers:

Need help?

Do you have a question about the Cisco IOS XR and is the answer not in the manual?

Cisco IOS XR Specifications

General

Operating System	Cisco IOS XR
Architecture	Microkernel
High Availability	Yes
Type	Network operating system
Developed by	Cisco Systems
License	Proprietary
Programming Language	C, C++
Kernel	QNX
Supported Platforms	Cisco ASR9000, NCS series
Security Features	Role-Based Access Control (RBAC), Secure Boot, Encryption
Management Interface	CLI, SNMP, NETCONF, RESTCONF
Release Date	2004
Target Devices	High-end core routers, service provider edge routers, data center interconnect (DCI) routers
Supported Hardware	Cisco routers and switches
Networking Protocols	BGP, OSPF, IS-IS, MPLS
Virtualization Support	Virtualization-ready, supports network function virtualization (NFV) and containerization technologies.