Configuring IPSec Manually

You can configure the IPSec keys manually. This section provides a brief overview of how this is done and why manual key use isn’t generally recommended.

Use the set session-key command in Crypto Map Configuration mode to specify the IPSec session keys manually within a crypto map entry. The command is only available for ipsec-manual crypto map entries. Session keys aren’t set manually for ipsec-isakmp entries because the SAs and corresponding keys are established automatically through the IKE negotiation. Use the no form of this command to remove IPSec session keys from a crypto map entry. The command uses the following syntax:

Rtr1(config)#crypto map map-name seq-num ipsec-manual
Rtr1(config-crypto-map)#set session-key {inbound | outbound} ah spi hex-key-string
Rtr1(config-crypto-map)#set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
Rtr1(config-crypto-map)#no set session-key {inbound | outbound} ah
Rtr1(config-crypto-map)#no set session-key {inbound | outbound} esp

inbound

Sets the inbound IPSec session key. Both inbound and outbound must be set.

outbound

Sets the outbound IPSec session key. Both inbound and outbound must be set.

ah

Sets the IPSec session key for the AH protocol. Use if the crypto map entry transform set includes an AH transform.

esp

Sets the IPSec session key for the ESP. Use if the crypto map entry transform set includes an ESP transform.

spi

Specifies the security parameter index (SPI), a number used to uniquely identify a security association. SPI is an arbitrary value assigned by the admin between 256 and 4,294,967,295 (FFFF FFFF).

hex-key-string

The session key in HEX format. The key is an arbitrary HEX string of 8, 16, or 20 bytes. If the crypto map’s transform set includes

  • A DES algorithm—use at least 8 bytes per key

  • An MD5 algorithm—use at least 16 bytes per key

  • An SHA algorithm—use at least 20 bytes per key

Keys longer than the previous sizes are truncated.

cipher

Indicates the key string is to be used with the ESP encryption transform.

authenticator

(Optional) Indicates the key string is to be used with the ESP authentication transform. This argument is required only when the crypto map entry’s transform set includes an ESP authentication transform.

Use the following rules to determine when to create keys:

  • If the crypto map transform set includes an AH protocol, IPSec keys must be defined for AH for both inbound and outbound traffic.

  • If the crypto map transform set includes an ESP encryption protocol, IPSec keys must be defined for ESP encryption for both inbound and outbound traffic.

  • If the crypto map transform set includes an ESP authentication protocol, IPSec keys must be defined for ESP authentication for inbound and outbound traffic.

The SPI is used to identify the security association used with the crypto map. When defining multiple IPSec session keys within a single crypto map, it’s permissible to assign the same SPI number to all keys. Session keys must be the same for both peers. Before assigning a SPI, confirm with the peer’s admin that the same SPI isn’t used more than once for the same destination address/protocol combination.

If a session key is changed, the SA using the key will be deleted and reinitialized.

Rtr1(config)#crypto map testmap2 50 ipsec-manual
Rtr1(config-crypto-map)#set peer 10.0.10.133
Rtr1(config-crypto-map)#match address 100
Rtr1(config-crypto-map)#set transform-set encrypt-des
Rtr1(config-crypto-map)#set session-key inbound esp 300 cipher 32a87b445c98701c
Rtr1(config-crypto-map)#set session-key outbound esp 300 cipher 32a87b445c98701c

Configuring IPSec Manually Is Not Recommended

Cisco recommends using IKE to set up the SAs because it’s difficult to ensure the SA values match between peers and D-H is a more secure method for generating secret keys between peers. Other reasons not to configure IPSec manually include the following:

  • Manual keying doesn’t scale well.

  • The result can be insecure because of difficulty in creating secure keying material manually.

  • Manually established SAs never expire.

  • ACLs used for crypto map entries using ipsec-manual are restricted to a single permit statement. Any other entries are ignored.
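The following Python check is an added example, not code from the original text or from Cisco. It audits two peers' set session-key lines against the rules above (SPI range, minimum key bytes per algorithm, both directions present) and verifies that each side's inbound entry mirrors the other side's outbound entry, the condition that must hold for manually keyed SAs to match. The function names, the algs mapping, and the sample configs are assumptions constructed for illustration.

```python
import re

# Minimum key sizes in bytes, from the hex-key-string description above.
MIN_KEY_BYTES = {"des": 8, "md5": 16, "sha": 20}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF
LINE = re.compile(r"set session-key (inbound|outbound) (?:ah (\d+) ([0-9a-fA-F]+)"
                  r"|esp (\d+) cipher ([0-9a-fA-F]+)(?: authenticator ([0-9a-fA-F]+))?)\s*$")

def parse(config):
    """Return {(direction, protocol, role): (spi, key)} for one peer's config."""
    keys = {}
    for line in config.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        d, ah_spi, ah_key, esp_spi, cipher, auth = m.groups()
        if ah_spi:
            keys[(d, "ah", "auth")] = (int(ah_spi), ah_key.lower())
        else:
            keys[(d, "esp", "cipher")] = (int(esp_spi), cipher.lower())
            if auth:
                keys[(d, "esp", "auth")] = (int(esp_spi), auth.lower())
    return keys

def audit(local_cfg, remote_cfg, algs):
    """algs (hypothetical): (protocol, role) -> 'des'|'md5'|'sha' from the transform set.
    Returns problem strings; key values are never echoed into them."""
    local, remote, problems = parse(local_cfg), parse(remote_cfg), []
    for (proto, role), alg in algs.items():
        for d, mirror in (("inbound", "outbound"), ("outbound", "inbound")):
            mine, theirs = local.get((d, proto, role)), remote.get((mirror, proto, role))
            name = f"{d} {proto} {role}"
            if mine is None:
                problems.append(f"{name}: key missing")
                continue
            spi, key = mine
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{name}: SPI {spi} out of range")
            if len(key) // 2 < MIN_KEY_BYTES[alg]:
                problems.append(f"{name}: key shorter than {MIN_KEY_BYTES[alg]} bytes")
            if theirs != mine:
                problems.append(f"{name}: does not match peer's {mirror} entry")
    return problems

# Constructed sample configs; RTR2's outbound key was truncated when copied.
RTR1 = """set session-key inbound esp 300 cipher 32a87b445c98701c
set session-key outbound esp 301 cipher 0123456789abcdef"""
RTR2 = """set session-key inbound esp 301 cipher 0123456789abcdef
set session-key outbound esp 300 cipher 32a87b44"""
```

Calling audit(RTR2, RTR1, {("esp", "cipher"): "des"}) reports the short key and the mismatch without printing either key.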



