Chapter 30
Configuring IPsec Network Security
Initializing IKE

The IKE feature must first be enabled and configured so the IPsec feature can establish data flow with the required peer.

You cannot disable IKE if IPsec is enabled. When you disable the IKE feature, the IKE configuration is cleared from the running configuration.

To enable IKE, follow these steps:

Step 1
Command: switch# config terminal
         switch(config)#
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# crypto ike enable
Purpose: Enables the IKE feature.
Command: switch(config)# no crypto ike enable
Purpose: Disables (default) the IKE feature.

Configuring the IKE Domain

You must apply the IKE configurations to an IPsec domain to allow traffic to reach the supervisor module in the local switch.

To configure the IPsec domain, follow these steps:

Step 1
Command: switch# config terminal
         switch(config)#
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# crypto ike domain ipsec
         switch(config-ike-ipsec)#
Purpose: Allows IKE configurations for IPsec domains.

About IKE Tunnels

An IKE tunnel is a secure IKE session between two end points. IKE creates this tunnel to protect IKE messages used in IPsec SA negotiations.

Two versions of IKE are used in the Cisco SAN-OS implementation.

• IKE version 1 (IKEv1) is implemented using RFC 2407, 2408, 2409, and 2412.
• IKE version 2 (IKEv2) is a simplified and more efficient version and does not interoperate with IKEv1. IKEv2 is implemented using the draft-ietf-ipsec-ikev2-16.txt draft.
IKE Policy Negotiation

Each IKE negotiation begins with a common (shared) IKE policy that protects the negotiation itself. An IKE policy defines the combination of security parameters to be used during the IKE negotiation. By default, no IKE policy is configured, so you must create IKE policies at each peer. The policy states which security parameters will be used to protect subsequent IKE negotiations and mandates how peers are authenticated. You can create multiple, prioritized policies at each peer to ensure that at least one policy will match a remote peer's policy.
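The following is an added illustration of the prioritized-policy matching described above; it is not SAN-OS code, and the parameter names, the exact-match rule and the sample policy values are assumptions chosen for the example.

```python
"""Toy model of IKE policy negotiation between two peers.

Assumptions (not from the configuration guide): a policy is a set of
security parameters (encryption, hash, authentication method, DH group),
each peer keeps its policies ordered by priority (lower number = higher
priority), and the responder selects its highest-priority local policy
whose parameters exactly match one of the initiator's proposals.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: int

    def params(self):
        # Everything except the priority number must agree between peers.
        return (self.encryption, self.hash, self.authentication, self.group)


def negotiate(local: List[IkePolicy], remote: List[IkePolicy]) -> Optional[IkePolicy]:
    """Return the local policy chosen for the IKE SA, or None if nothing matches."""
    offered = {p.params() for p in remote}
    for policy in sorted(local, key=lambda p: p.priority):
        if policy.params() in offered:
            return policy
    return None


# Constructed sample policies. The fallback policy carries the lowest
# priority so a remote peer that supports the stronger set still gets it.
LOCAL = [
    IkePolicy(10, "aes", "sha", "pre-share", 5),
    IkePolicy(20, "3des", "sha", "pre-share", 2),  # fallback for older peers
]
REMOTE_OLD = [IkePolicy(10, "3des", "sha", "pre-share", 2)]
REMOTE_NONE = [IkePolicy(10, "3des", "md5", "pre-share", 1)]

if __name__ == "__main__":
    print("single policy vs old peer:", negotiate(LOCAL[:1], REMOTE_OLD))
    print("with fallback vs old peer:", negotiate(LOCAL, REMOTE_OLD))
    print("no common policy:", negotiate(LOCAL, REMOTE_NONE))
```

With only the first local policy the old peer cannot be matched; adding the lower-priority fallback makes the negotiation succeed, while a peer sharing no parameter set is still rejected.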
OL-6973-03, Cisco MDS SAN-OS Release 2.x
Cisco MDS 9000 Family Configuration Guide