IPSec Preparation

Before you begin the configuration of IPSec connections on your perimeter router, you need to do some background investigative work. You need to gather important information about how IPSec connections will be established, lay out a network design, allow for IPSec in your design, and then begin your implementation. The following two sections discuss this process.

Basic Tasks

When designing an IPSec solution, you go through eight different steps:

Step 1. Handle design and policy issues? Here, you lay out which routers will be terminating IPSec connections, what types of IPSec connections will be used (L2L and/or remote access), and how the IPSec connections will be protected (authentication methods, encryption algorithms, hashing functions, and so on).

Step 2. Allow for IPSec traffic? On your perimeter router and other routers and firewalls performing filtering, you need to allow IPSec connections to the appropriate source(s) and destination(s).

Step 3. Configure IKE Phase 1 management-connection policies? You must define the IKE Phase 1 policies that will be used to protect the management connection between your two IPSec devices. The management connection is used to build IPSec data connections in IKE Phase 2. These policies include the type of authentication that will be used to authenticate the peer's identities (preshared keys, RSA encrypted nonces, or RSA signatures), the encryption algorithm used, the hashing function used, the lifetime of the management connection, and the Diffie-Hellman key group to be used to create the shared secret key (this is used to share keying information securely for other processes, such as with the 3DES encryption key or the MD5 hashing function key).

Step 4. Define what traffic is to be protected by the IPSec connection? On Cisco routers, a crypto ACL is used to define what traffic is to be protected between two IPSec peers. Basically, a crypto ACL is an ACL with permit statements in it that identify the data traffic, in IKE Phase 2, that is to be protected.

Step 5. Create your transform set(s)? A transform set defines the protocols and algorithms that are used to protect the data traffic in IKE Phase 2. Protocols include the Authentication Header (AH) and the Encapsulation Security Payload (ESP). Algorithms include DES, 3DES, AES, and null for encryption, and SHA or MD5 for hashing functions. The transform also defines the method for terminating a connection: tunnel or transport mode. For low-bandwidth connections, you also can specify LZS compression.

Step 6. Build a crypto map? A crypto map binds together all of your IPSec components to build secured connections, called security associations (SAs). This includes information such as who the remote peer is (its IP address or fully qualified domain name [FQDN]), the transform set and crypto ACL to use, and other configuration information. For remote-access connections, you need to build a special type of crypto map called a dynamic crypto map; in addition, you need to define your client policies, such as split tunneling, local IP address assignment, and other client functions.

Step 7. Activate your crypto map? After you have built your crypto map, the router will not use it until you activate it on one or more of the router's interfaces. For a perimeter router, this typically is the router's external or public interface.

Step 8. Test your IPSec connection? In the last step, you test your IPSec connection by generating traffic that will trigger your routers to build the management (IKE Phase 1) and data (IKE Phase 2) connections. You can use many show and debug commands to help troubleshoot this process.

As you can see from this list, you have your work cut out for you.

External ACL

Whether your perimeter router will be terminating an IPSec connection or an internal device will be performing this function, the perimeter router's ACL on the external interface must allow IPSec traffic. You probably need to permit three connections for each peer that is connecting:

  • IKE Phase 1 traffic: UDP port 500

  • IKE Phase 2 traffic: AH and ESP packets

Here is a simple breakdown on the ACL commands to use:

Router(config)# access-list ACL_# permit udp

  source_address wildcard_mask destination_address wildcard_mask eq isakmp

Router(config)# access-list ACL_# permit ahp

  source_address wildcard_mask destination_address wildcard_mask

Router(config)# access-list ACL_# permit esp

  source_address wildcard_mask destination_address wildcard_mask

Router(config)# interface type [slot_#/]port_#

Router(config-if)# ip access-group ACL_# in

To allow the IKE Phase 1 connection between the two peers, you need to allow UDP port 500 traffic, which the first ACL statement in this code listing does. If your perimeter router is terminating the connection, put your router's IP address as the destination address. For security purposes, if you know the IP address of the remote IPSec peer, configure this instead of using the keyword any as the source address in the ACL statement. The second ACL statement applies to AH connections, and the third one applies to ESP connections.


In most situations, AH is not used with IPSec connections because it breaks when these packets are sent through an intermediate address-translation device. AH protects the IP header and payload contents with an integrity checksum value (ICV), and an address-translation device changes address information in the IP and, possibly, the transport layer head; this breaks the ICV value. Therefore, if you are not using AH, do not allow it in your ACL statement. ESP, on the other hand, does not protect the IP header contents?it protects only the encapsulated payload (which could be an encapsulated IP packet, if the IPSec connection is functioning in tunnel mode, as discussed in the "Transform Set" section later in this chapter).


For remote-access IPSec connections, you typically do not know the IP address of the peer until the peer makes first contact. Therefore, your ACL must be somewhat promiscuous in the use of the keyword any for the source IP address. If this is a concern, configure the router to allow specific L2L connections and force remote-access users to use authentication proxy. Then have your AAA server download the appropriate ACL entry to allow the user's IPSec remote-access connection.