Cisco Cisco Packet Data Gateway (PDG)
Introduction to IP Security (IPSec)
IPSec Terminology ▀
IPSec Reference, StarOS Release 17 ▄
17
IPSec Terminology
There are several items related to IPSec support under StarOS that must be understood prior to beginning configuration.
They include:
They include:
Crypto Access Control List (ACL)
Access Control Lists define rules, usually permissions, for handling subscriber data packets that meet certain criteria.
Crypto ACLs, however, define the criteria that must be met in order for a subscriber data packet to be routed over an
IPSec tunnel.
Crypto ACLs, however, define the criteria that must be met in order for a subscriber data packet to be routed over an
IPSec tunnel.
Unlike other ACLs that are applied to interfaces, contexts, or one or more subscribers, crypto ACLs are matched with
crypto maps. In addition, crypto ACLs contain only a single rule while other ACL types can consist of multiple rules.
crypto maps. In addition, crypto ACLs contain only a single rule while other ACL types can consist of multiple rules.
Prior to routing, the system examines the properties of each subscriber data packet. If the packet properties match the
criteria specified in the crypto ACL, the system will initiate the IPSec policy dictated by the crypto map.
criteria specified in the crypto ACL, the system will initiate the IPSec policy dictated by the crypto map.
For additional information refer to the Access Control chapter of this guide. There you will find a discussion of blacking
and whitelisting, as well as IKE Call Admission Control (CAC).
and whitelisting, as well as IKE Call Admission Control (CAC).
Transform Set
Transform Sets are used to define IPSec security associations (SAs). IPSec SAs specify the IPSec protocols to use to
protect packets.
protect packets.
Transform sets are used during Phase 2 of IPSec establishment. In this phase, the system and a peer security gateway
negotiate one or more transform sets (IPSec SAs) containing the rules for protecting packets. This negotiation ensures
that both peers can properly protect and process the packets.
negotiate one or more transform sets (IPSec SAs) containing the rules for protecting packets. This negotiation ensures
that both peers can properly protect and process the packets.
For additional information refer to the Transform Set Configuration chapter of this guide,
ISAKMP Policy
Internet Security Association Key Management Protocol (ISAKMP) policies are used to define Internet Key Exchange
(IKE) SAs. The IKE SAs dictate the shared security parameters (such as which encryption parameters to use, how to
authenticate the remote peer, etc.) between the system and a peer security gateway.
(IKE) SAs. The IKE SAs dictate the shared security parameters (such as which encryption parameters to use, how to
authenticate the remote peer, etc.) between the system and a peer security gateway.
During Phase 1 of IPSec establishment, the system and a peer security gateway negotiate IKE SAs. These SAs are used
to protect subsequent communications between the peers including the IPSec SA negotiation process.
to protect subsequent communications between the peers including the IPSec SA negotiation process.
For additional information refer to the ISAKMP Policy Configuration chapter of this guide.