The RFC 430x IPsec Support includes features—RFC 430x IPsec Support Phase 1 and RFC430x IPsec Support Phase 2—that implement Internet Key Exchange (IKE) and IPsec behavior as specified in RFC 4301.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About RFC 430x IPsec Support
The RFC 430x IPsec Support Phase 1 feature implements Internet Key Exchange (IKE) and IPsec behavior as specified in RFC 4301.
RFC 4301 specifies the base architecture for IPsec-compliant systems. RFC 4301 describes how to provide a set of security services for traffic at the IP layer, in both the IPv4 and IPv6 environments. The RFC 430x IPsec Support Phase 1 feature provides support for the following RFC 4301 implementations on Cisco IOS software.
The RFC 430x IPsec Support Phase 2 feature provides support for the RFC 4301 implementation of encryption and decryption of Internet Control Message Protocol (ICMP) packets on Cisco IOS software.
An ICMP error message is generated when an error occurs in delivering a packet. For example, when a host is not reachable, the intermediate device sends a message back to the originator of the ICMP request stating that the host is not reachable. When an ICMP error message reaches an IPsec encryption policy, its own addresses may not match any existing security association (SA), so the packet is classified based on the data carried inside the ICMP error message: the header of the original ICMP message, which contains the original source and destination addresses. If an SA matches the addresses taken from the ICMP error message, that SA is used. If no SA exists, one is created if the policy permits. For decryption, if a valid SA is not found for the decrypted packet, the post-decrypt check is performed on the data inside the ICMP error message.
The encryption and decryption of ICMP error messages can be verified through the encrypt and decrypt counters displayed in the output of the show crypto ipsec sa command.
Use the conditional debug commands debug platform condition feature ipsec dataplane submode feature level info, debug platform condition both, and debug platform condition start to view ICMP error message classification.
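The ICMP error classification described above, as an added Python model that is not Cisco's code: the SA database, the policy prefixes and the packet bytes are constructed samples, an ICMP error whose own addresses match no SA is classified on the quoted original header, and a missing SA is modelled as created when a policy entry covers the selector.

```python
import struct
from ipaddress import IPv4Address, ip_network
# Constructed sample SA database ((src, dst) selector -> SA label) and the policy
# prefix pairs for which a missing SA may be set up.
SAD = {("10.1.1.10", "10.2.2.20"): "ESP outbound, spi 0x1001"}
SPD_PROTECT = [("10.1.1.0/24", "10.2.2.0/24"), ("10.2.2.0/24", "10.1.1.0/24")]

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructed input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) of a raw IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[ihl:]

def policy_permits(src, dst, spd):
    return any(IPv4Address(src) in ip_network(s) and IPv4Address(dst) in ip_network(d)
               for s, d in spd)

def classify(buf, sad, spd):
    """Pick the SA for an outbound packet; returns (sa_label, created)."""
    proto, src, dst, payload = parse_ipv4(buf)
    key = (src, dst)
    if key not in sad and proto == 1 and payload[0] in (3, 4, 5, 11, 12):
        # ICMP error with no SA of its own: classify on the quoted original header after
        # the 8-byte ICMP header; the error flows back to the original source, so swap.
        _, osrc, odst, _ = parse_ipv4(payload[8:])
        key = (odst, osrc)
    if key in sad:
        return sad[key], False
    if policy_permits(*key, spd):          # no SA yet: set one up if policy allows
        sad[key] = f"ESP outbound, new SA {key[0]}->{key[1]}"
        return sad[key], True
    return None, False                     # no SA and no policy entry covers it

def sample_icmp_error():
    """Constructed 'host unreachable' from 10.2.2.1 about a 10.1.1.10 -> 10.2.2.20 packet."""
    original = build_ipv4(6, "10.1.1.10", "10.2.2.20", b"\x00" * 8)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + original[:28]
    return build_ipv4(1, "10.2.2.1", "10.1.1.10", icmp)

def demo():
    sad = dict(SAD)
    plain = classify(build_ipv4(6, "10.1.1.10", "10.2.2.20", b"\x00" * 20), sad, SPD_PROTECT)
    error = classify(sample_icmp_error(), sad, SPD_PROTECT)
    other = classify(build_ipv4(1, "10.2.2.1", "192.0.2.7", b"\x00" * 8), sad, SPD_PROTECT)
    return plain, error, other
```

On a device the equivalent outcome is visible in the encrypt and decrypt counters of show crypto ipsec sa, as the text notes.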
How to Configure RFC 430x IPsec Support
Perform this task to configure the RFC 4301 implementations globally.
1. enable
2. configure terminal
3. crypto ipsec security-association dummy {pps rate | seconds seconds}
4. crypto ipsec security-association ecn {discard | propogate}
5. exit
Perform this task to configure the RFC 4301 implementations per crypto map.
1. enable
2. configure terminal
3. crypto map map-name seq-num ipsec-isakmp
4. set ipsec security-association dfbit {clear | copy | set}
5. set ipsec security-association dummy {pps rate | seconds seconds}
6. set ipsec security-association ecn {discard | propogate}
7. end
8. show crypto map ipsec sa

Device# show crypto map ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 3FFE:2002::32F7:DFF:FE54:7FD1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (3FFE:2002::32F7:DFF:FE54:7FD1/128/47/0)
   remote ident (addr/mask/prot/port): (3FFE:2002::C671:FEFF:FE88:EB82/128/47/0)
   current_peer 3FFE:2002::C671:FEFF:FE88:EB82 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    #send dummy packets 852600, #recv dummy packets 424905

     local crypto endpt.: 3FFE:2002::32F7:DFF:FE54:7FD1, remote crypto endpt.: 3FFE:2002::C671:FEFF:FE88:EB82
     plaintext mtu 1430, path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb GigabitEthernet0/0/1
     current outbound spi: 0xE963D1EC(3915633132)
     PFS (Y/N): N, DH group: none
     Dummy packet: Initializing

     inbound esp sas:
      spi: 0xF4E01B9A(4108327834)
        transform: esp-3des esp-md5-hmac,
        in use settings ={Tunnel, }
        conn id: 2053, flow_id: ESG:53, sibling_flags FFFFFFFF80000049, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2343)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE963D1EC(3915633132)
        transform: esp-3des esp-md5-hmac,
        in use settings ={Tunnel, }
        conn id: 2054, flow_id: ESG:54, sibling_flags FFFFFFFF80000049, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2343)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Configuration Examples for RFC 430x IPsec Support
The following example shows how to configure RFC 430x IPsec Support globally:

Device> enable
Device# configure terminal
Device(config)# crypto ipsec security-association dummy seconds 15
Device(config)# crypto ipsec security-association ecn propogate
Device(config)# exit
The following example shows how to configure RFC 430x IPsec Support per crypto map:

Device> enable
Device# configure terminal
Device(config)# crypto map cmap 1 ipsec-isakmp
Device(config-crypto-map)# set ipsec security-association dfbit copy
Device(config-crypto-map)# set ipsec security-association dummy seconds 15
Device(config-crypto-map)# set ipsec security-association ecn propogate
Device(config-crypto-map)# end
Device# show crypto map ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 3FFE:2002::32F7:DFF:FE54:7FD1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (3FFE:2002::32F7:DFF:FE54:7FD1/128/47/0)
   remote ident (addr/mask/prot/port): (3FFE:2002::C671:FEFF:FE88:EB82/128/47/0)
   current_peer 3FFE:2002::C671:FEFF:FE88:EB82 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    #send dummy packets 852600, #recv dummy packets 424905

     local crypto endpt.: 3FFE:2002::32F7:DFF:FE54:7FD1, remote crypto endpt.: 3FFE:2002::C671:FEFF:FE88:EB82
     plaintext mtu 1430, path mtu 1500, ipv6 mtu 1500, ipv6 mtu idb GigabitEthernet0/0/1
     current outbound spi: 0xE963D1EC(3915633132)
     PFS (Y/N): N, DH group: none
     Dummy packet: Initializing

     inbound esp sas:
      spi: 0xF4E01B9A(4108327834)
        transform: esp-3des esp-md5-hmac,
        in use settings ={Tunnel, }
        conn id: 2053, flow_id: ESG:53, sibling_flags FFFFFFFF80000049, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2343)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE963D1EC(3915633132)
        transform: esp-3des esp-md5-hmac,
        in use settings ={Tunnel, }
        conn id: 2054, flow_id: ESG:54, sibling_flags FFFFFFFF80000049, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2343)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Related Topic | Document Title
---|---
Cisco IOS Commands |
Security commands |
IKEv2 configuration | Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site
Recommended cryptographic algorithms |

Standard/RFC | Title
---|---
RFC 4301 | Security Architecture for the Internet Protocol

Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
RFC430x IPsec Support Phase 1 | Cisco IOS XE Release 3.12S | The RFC 430x IPsec Support Phase 1 feature implements Internet Key Exchange (IKE) and IPsec behavior as specified in RFC 4301. The following commands were introduced or modified: crypto ipsec security-association dummy, crypto ipsec security-association ecn, set ipsec security-association dfbit, set ipsec security-association dummy, set ipsec security-association ecn, show crypto map ipsec sa.
RFC430x IPsec Support Phase 2 | Cisco IOS XE Release 3.14S | The RFC 430x IPsec Support Phase 2 feature provides support for the RFC 4301 implementation of encryption and decryption of Internet Control Message Protocol (ICMP) packets on Cisco IOS software. In Cisco IOS XE Release 3.14S, this feature was introduced on Cisco 4431 Integrated Services Router and Cisco 4451-X Integrated Services Router. In Cisco IOS XE Release 3.15S, this feature was implemented on Cisco ASR 1000 Series Aggregation Services Routers and Cisco CSR 1000V Series Cloud Services Router. No commands were modified or updated for this feature.