Send documentation comments to mdsfeedback-doc@cisco.com
Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Chapter 35 Configuring IPsec Network Security
35-2
About IPsec
Note: IPsec is not supported by the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric Switch for IBM BladeCenter.
IPsec provides security for transmission of sensitive information over unprotected networks such as the
Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating
IPsec devices (peers).
IPsec provides the following network security services. In general, the local security policy dictates the use of one or more of these services between two participating IPsec devices:
• Data confidentiality—The IPsec sender can encrypt packets before transmitting them across a network.
• Data integrity—The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.
• Data origin authentication—The IPsec receiver can authenticate the source of the IPsec packets sent. This service is dependent upon the data integrity service.
• Anti-replay protection—The IPsec receiver can detect and reject replayed packets.
Note: The term "data authentication" is generally used to mean data integrity and data origin authentication. Within this chapter it also includes anti-replay services, unless otherwise specified.
With IPsec, data can be transmitted across a public network without fear of observation, modification,
or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets,
extranets, and remote user access.
IPsec as implemented in Cisco SAN-OS software supports the Encapsulating Security Payload (ESP)
protocol. This protocol encapsulates the data to be protected and provides data privacy services, optional
data authentication, and optional anti-replay services.
Note: The Encapsulating Security Payload (ESP) protocol is a header inserted into an existing TCP/IP packet, the size of which depends on the actual encryption and authentication algorithms negotiated. To avoid fragmentation, the encrypted packet must fit into the interface maximum transmission unit (MTU). The path MTU calculation for TCP takes into account the addition of ESP headers, plus the outer IP header in tunnel mode, for encryption. The MDS switches allow 100 bytes of packet growth for IPsec encryption.
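The note above states the packet-growth problem but does not show the arithmetic. The following is an added example, not Cisco code and not part of the guide: it estimates how many bytes ESP adds for a given cipher/authenticator pair (using the ESP packet layout from RFC 4303: SPI and sequence number, IV, padding, pad-length and next-header trailer, and the integrity check value, plus a 20-byte outer IPv4 header in tunnel mode) and derives the largest cleartext packet, and TCP MSS, that still fits an interface MTU. The algorithm names, the 20-byte header assumption (no IP options), and the 100-byte allowance constant are this example's own choices; only the 100-byte figure itself comes from the guide.

```python
"""Estimate ESP packet growth and check it against an interface MTU.

Constructed example (not Cisco software). Sizes follow the ESP packet
format of RFC 4303; the 100-byte growth allowance is the figure quoted
in the configuration guide for MDS switches.
"""

ESP_SPI_AND_SEQ = 8         # Security Parameters Index (4) + sequence number (4)
ESP_TRAILER = 2             # pad length (1) + next header (1)
OUTER_IPV4_HEADER = 20      # added only in tunnel mode; assumes no IP options
MDS_GROWTH_ALLOWANCE = 100  # bytes the guide says the switch reserves for growth

# Per-algorithm sizes (assumed algorithm names for this example):
# IV length and padding alignment for the cipher, ICV length for the authenticator.
CIPHER_IV = {"null": 0, "3des-cbc": 8, "aes-cbc": 16}
CIPHER_ALIGN = {"null": 4, "3des-cbc": 8, "aes-cbc": 16}  # null ESP still aligns to 4 bytes
AUTH_ICV = {"none": 0, "hmac-md5-96": 12, "hmac-sha1-96": 12}


def esp_overhead(protected_len, cipher, auth, tunnel=True):
    """Bytes ESP adds to a packet whose protected portion is protected_len bytes.

    In tunnel mode the protected portion is the entire inner IP packet;
    in transport mode it is the IP payload that follows the original IP header.
    """
    align = CIPHER_ALIGN[cipher]
    # Padding makes (protected data + pad + trailer) a multiple of the cipher alignment.
    pad = (-(protected_len + ESP_TRAILER)) % align
    overhead = ESP_SPI_AND_SEQ + CIPHER_IV[cipher] + pad + ESP_TRAILER + AUTH_ICV[auth]
    if tunnel:
        overhead += OUTER_IPV4_HEADER
    return overhead


def worst_case_growth(cipher, auth, tunnel=True):
    """Largest possible growth for the algorithm pair, i.e. with maximum padding."""
    max_pad = CIPHER_ALIGN[cipher] - 1
    growth = ESP_SPI_AND_SEQ + CIPHER_IV[cipher] + max_pad + ESP_TRAILER + AUTH_ICV[auth]
    if tunnel:
        growth += OUTER_IPV4_HEADER
    return growth


def within_allowance(cipher, auth, tunnel=True):
    """True if the worst-case growth fits into the guide's 100-byte allowance."""
    return worst_case_growth(cipher, auth, tunnel) <= MDS_GROWTH_ALLOWANCE


def max_inner_packet(mtu, cipher, auth, tunnel=True):
    """Largest cleartext IP packet whose ESP-protected form still fits the MTU.

    Searches downward from the MTU because padding makes the growth depend
    on the packet length itself.
    """
    for inner_len in range(mtu, OUTER_IPV4_HEADER, -1):
        # Transport mode protects only the bytes after the original IP header.
        protected = inner_len if tunnel else inner_len - OUTER_IPV4_HEADER
        if inner_len + esp_overhead(protected, cipher, auth, tunnel) <= mtu:
            return inner_len
    raise ValueError("MTU too small to carry any ESP-protected packet")


def tcp_mss(mtu, cipher, auth, tunnel=True):
    """TCP maximum segment size that avoids fragmentation after ESP encapsulation.

    Subtracts the cleartext IPv4 and TCP headers (20 bytes each, no options).
    """
    return max_inner_packet(mtu, cipher, auth, tunnel) - 2 * 20


if __name__ == "__main__":
    for cipher, auth in (("aes-cbc", "hmac-sha1-96"), ("3des-cbc", "hmac-md5-96")):
        for tunnel in (True, False):
            mode = "tunnel" if tunnel else "transport"
            print(f"{cipher}/{auth} {mode}: worst-case growth "
                  f"{worst_case_growth(cipher, auth, tunnel)} B, "
                  f"within allowance={within_allowance(cipher, auth, tunnel)}, "
                  f"max cleartext packet at MTU 1500 = "
                  f"{max_inner_packet(1500, cipher, auth, tunnel)} B, "
                  f"TCP MSS = {tcp_mss(1500, cipher, auth, tunnel)} B")
```

For AES-CBC with HMAC-SHA1-96 in tunnel mode the worst case is 73 bytes, which is why a fixed 100-byte reservation is sufficient for the algorithm pairs modelled here; the length-dependent padding is also why two packets that differ by one byte can grow by very different amounts (58 versus 73 bytes for 1438- and 1439-byte inner packets at a 16-byte alignment).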
Figure 35-1 shows different IPsec scenarios.