Cisco IOS Software Releases 12.0 T

Tunnel Endpoint Discovery

Table Of Contents

Tunnel Endpoint Discovery Enhancement

Feature Overview

Benefits

Restrictions

Related Features and Technologies

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuring Tunnel Endpoint Discovery

Verifying Tunnel Endpoint Discovery

Configuration Examples

TED Configuration Example

Command Reference

crypto map (global configuration)

Syntax Description

Defaults

Command Modes

Command History

Examples

Related Commands

Glossary


Tunnel Endpoint Discovery Enhancement


This feature module describes the Tunnel Endpoint Discovery (TED) feature. It includes information on the benefits of the new feature, supported platforms, and related documents.

This document includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuration Examples

Command Reference

Glossary

Feature Overview

Tunnel Endpoint Discovery (TED) is an enhancement to the IP Security (IPSec) feature. Defining a dynamic crypto map allows you to be able to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.

To have a large, fully-meshed network without TED, each peer needs to have static crypto maps to every other peer in the network. For example, if there are 100 peers in a large, fully-meshed network, each router needs 99 static crypto maps for each of its peers. With TED, only a single dynamic crypto map with TED enabled is needed because the peer is discovered dynamically. Thus, static crypto maps do not need to be configured for each peer.


Note   TED helps only in discovering peers; otherwise, TED does not function any differently than normal IPSec. TED does not improve the scalability of IPSec (in terms of performance or the number of peers or tunnels).


Figure 1 and the corresponding steps explain a sample TED network topology:


Step 1 Host A sends a packet that is destined for Host B.

Step 2 Router 1 intercepts and reads the packet. According to its IKE policy, Router 1 determines the following: the packet must be encrypted, there are no SAs for the packet, and TED is enabled. Thus, Router 1 drops the packet and sends a TED probe into the network. (The TED probe contains the IP address of Host A (as the source IP address) and the IP address of Host B (as the destination IP address) embedded in the payload.)

Step 3 Router 2 intercepts the TED probe and checks the probe against the ACLs that it protects; after the probe matches an ACL, it is recognized as a TED probe for proxies that the router protects. It then sends a TED reply with the IP address of Host B (as the source IP address) and the IP address of Host A (as the destination IP address) embedded in the payload.

Step 4 Router 1 intercepts the TED reply and checks the payloads for the IP address and half proxy of Router 2. It then combines the source side of its proxy with the proxy found in the second payload and initiates an IKE session with Router 2; thereafter, Router 1 initiates an IPSec session with Router 2.


Note   IKE cannot occur until the peer is identified.


Figure 1 Tunnel Endpoint Discovery Sample Network Topology
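The four-step exchange above, modeled as an added Python example (not Cisco code and not from this document): two routers with IP-only crypto ACLs, the TED probe and reply, and the IKE session the initiator opens with the discovered peer. The Router class, addresses and ACL entries are constructed for the illustration; it also covers the cases the text only implies (a probe that nobody answers, an explicit deny ahead of the permit-to-any entry, and a dynamic map without TED), and the ping helper reproduces the ".!!!!" pattern of the verification step.

```python
from ipaddress import ip_address, ip_network

def acl_lookup(acl, src, dst):
    """First match in an ordered, IP-only crypto ACL of (action, src_net, dst_net); None is the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for entry in acl:
        if s in ip_network(entry[1]) and d in ip_network(entry[2]):
            return entry
    return None

class Router:
    def __init__(self, ip, acl, discover=False):
        self.ip, self.acl, self.discover = ip, acl, discover
        self.sas = {}  # (src, dst) -> discovered peer IP, filled once IKE has run

    def send(self, src, dst, network):
        """Steps 1, 2 and 4: a host packet reaches the initiating router."""
        entry = acl_lookup(self.acl, src, dst)
        if entry is None or entry[0] != "permit":
            return "sent in clear"  # not traffic this crypto map protects
        if (src, dst) in self.sas:
            return "encrypted to " + self.sas[(src, dst)]
        if not self.discover:
            return "dropped: no SA and no peer known"  # dynamic map without TED
        # Step 2: drop the packet and probe with Host A / Host B in the payload.
        replies = [r.on_probe(src, dst) for r in network if r is not self]
        replies = [r for r in replies if r is not None]
        if not replies:
            return "dropped: no TED reply"
        peer_ip, half_proxy = replies[0]
        # Step 4: join our source side to the peer's half proxy and run IKE with it.
        self.sas[(src, dst)] = peer_ip
        return f"dropped: IKE initiated with {peer_ip} for {src}->{half_proxy}"

    def on_probe(self, src, dst):
        """Step 3: check the reversed probe against the ACLs we protect; reply with our IP and half proxy."""
        entry = acl_lookup(self.acl, dst, src)
        return None if entry is None or entry[0] != "permit" else (self.ip, entry[1])

def ping(router, src, dst, network, count=5):
    """Mirror the verification ping: '.' for a dropped echo, '!' for one carried by an SA."""
    return "".join("!" if router.send(src, dst, network).startswith("encrypted")
                   else "." for _ in range(count))

# Constructed topology: Router 1 fronts 10.1.1.0/24, Router 2 fronts 2.2.2.0/24. The explicit
# deny for router-to-router (routing protocol) traffic precedes the permit-to-any entry.
LINK = "192.168.0.0/30"
R1 = Router("192.168.0.1", [("deny", LINK, LINK), ("permit", "10.1.1.0/24", "0.0.0.0/0")], True)
R2 = Router("192.168.0.2", [("deny", LINK, LINK), ("permit", "2.2.2.0/24", "0.0.0.0/0")], True)
```

Calling ping(R1, "10.1.1.5", "2.2.2.5", [R1, R2]) on fresh routers returns ".!!!!": the first echo is dropped while the probe, reply and IKE run, and the rest ride the new SA.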

Benefits

Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the required IPSec transforms.

Restrictions

Tunnel Endpoint Discovery has the following restrictions:

It is Cisco proprietary.

It is available only on dynamic crypto maps. (The dynamic crypto map template is based on the dynamic crypto map performing peer discovery. Although there are no access-list restrictions on the dynamic crypto map template, the dynamic crypto map template should cover data sourced from the protected traffic and the receiving router using the any keyword. When using the any keyword, include explicit deny statements to exempt routing protocol traffic prior to entering the permit any command.)

It is limited by the performance and scalability limitations of IPSec on each individual platform.


Note   Enabling TED slightly decreases the general scalability of IPSec because of the set-up overhead of peer discovery, which involves an additional "round-trip" of IKE messages (TED probe and reply). Although minimal, the additional memory used to store data structures during the peer discovery stage adversely affects the general scalability of IPSec.


The IP addresses must be able to be routed within the network.

The access list used in the crypto map for TED can only contain IP-related entries—TCP, UDP, or any other protocol cannot be used in the access list.


Caution   Cisco IOS images with strong encryption (including, but not limited to, 56-bit data encryption feature sets) are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.

Related Features and Technologies

The TED feature is related to the existing IPSec and IKE features, which are documented in the Cisco IOS Release 12.0 Security Configuration Guide and Cisco IOS Release 12.0 Security Command Reference.

Related Documents

For related information on the TED feature, refer to the following documents:

Cisco IOS Release 12.0 Security Configuration Guide

Cisco IOS Release 12.0 Security Command Reference

Supported Platforms

TED runs on all platforms that support Cisco IOS Release 12.0(5)T and later releases with IPSec, including, but not limited to, the following platforms:

Cisco 1600 series

Cisco 1720 series

Cisco 2500 series

Cisco 2600 series

Cisco 3600 series

Cisco MC3810 series

Cisco 4000 series (Cisco 4000, 4000-M, 4500, 4500-M, 4700, 4700-M)

Cisco 7200 series

Cisco 7500 series

Cisco AS5300 universal access servers

Supported Standards, MIBs, and RFCs

MIBs

No new MIBs are supported by this feature.

For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

RFC 2409, The Internet Key Exchange (IKE)

Standards

No new standards are supported by this feature.

Prerequisites

Before configuring Tunnel Endpoint Discovery, you must have an IPSec software image that supports the Tunnel Endpoint Discovery feature downloaded on to your router. For more information on downloading a software image, see the following publications:

"Loading and Maintaining System Images and Microcode" chapter of the Cisco IOS Release 12.0 Configuration Fundamentals Configuration Guide

"System Image and Microcode Commands" chapter of the Cisco IOS Release 12.0 Configuration Fundamentals Command Reference

Configuration Tasks

To configure a Cisco router to support Tunnel Endpoint Discovery, perform the following tasks:

Configuring Tunnel Endpoint Discovery (required)

Verifying Tunnel Endpoint Discovery (optional)

Configuring Tunnel Endpoint Discovery

To create a dynamic crypto map entry with Tunnel Endpoint Discovery configured, perform the following tasks starting in crypto-map configuration mode:

Step 1

Command:

crypto dynamic-map dynamic-map-name dynamic-map-number
set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]
match address access-list-id
set security-association lifetime seconds seconds
or
set security-association lifetime kilobytes kilobytes
set pfs [group1 | group2]
exit

Purpose:

Configures a dynamic crypto map using the crypto dynamic-map command.

Note   You must configure the match address command; otherwise, the behavior is not secure, and you cannot enable TED because packets are sent in the clear (unencrypted).

Step 2

Command:

crypto map map-name map-number ipsec-isakmp dynamic dynamic-map-name [discover]

Purpose:

(Optional) Adds a dynamic crypto map set to a static crypto map set. For more information on the crypto map command, refer to the "IPSec Network Security Commands" chapter of the Cisco IOS Release 12.0 Security Command Reference.

(Optional) Enter the discover keyword on the dynamic crypto map to enable TED.


Verifying Tunnel Endpoint Discovery


Step 1 To verify that TED is configured, check the router's running configuration. Enter the show running-configuration command on the router in global configuration mode. If the discover keyword appears in the output, TED has been enabled.

Step 2 Ping Host B from Host A.

HostB# ping 2.2.2.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/12 ms

Configuration Examples

This section provides the following configuration example:

TED Configuration Example

TED Configuration Example

The following example shows how to configure TED:

crypto dynamic-map ted-map 10
 set transform-set ted-transforms
 match address 101
 set security-association lifetime seconds 2700
!
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover

Command Reference

This section documents modified commands. All other commands used to configure this feature are documented in the Cisco IOS Release 12.0 command reference publications.

crypto map (global configuration)

crypto map (global configuration)

To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. Use the no form of this command to delete a crypto map entry or set.

[no] crypto map map-name seq-num [cisco]

[no] crypto map map-name seq-num ipsec-manual

[no] crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]

Syntax Description

map-name

Specifies a name to apply to the crypto map set.

seq-num

Specifies a number to apply to the crypto map entry.

cisco

(Default value) Indicates that CET will be used instead of IPSec for protecting the traffic specified by this newly specified crypto map entry. If you use this keyword, none of the IPSec-specific crypto map configuration commands will be available. Instead, the CET-specific commands will be available.

ipsec-manual

Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

dynamic

(Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.

dynamic-map-name

Specifies the name of the dynamic crypto map set.

discover

Enables peer discovery. By default, peer discovery is not enabled.


Defaults

No crypto maps exist.

Peer discovery is not enabled.

Command Modes

Global configuration. Using this command puts you into crypto map configuration mode, unless you use the dynamic keyword.

Command History

Release     Modification

12.0(5)T    This command was introduced.


Examples

The following example shows how to configure TED:

crypto dynamic-map ted-map 10
 set transform-set ted-transforms
 match address 101
 set security-association lifetime seconds 2700
!
crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover

Related Commands

Command
Description

crypto dynamic-map

Creates a dynamic crypto map entry.

match address

Names an extended access list.

set peer

Specifies a remote IPSec peer.

set security-association lifetime seconds seconds

Specifies a key lifetime, in seconds, for the crypto map entry.

set security-association lifetime kilobytes kilobytes

Specifies a key lifetime, in kilobytes of traffic, for the crypto map entry.

set pfs

Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry or should demand perfect forward secrecy in requests received from the IPSec peer.


Glossary

AH—Authentication Header. A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).

Authentication Header—See AH.

ESP—Encapsulating Security Payload. A security protocol which provides data privacy services and optional data authentication, and anti-replay services. ESP encapsulates the data to be protected.

Encapsulating Security Payload—See ESP.

Dynamic crypto map—Dynamic crypto maps are only available for use by IKE. A dynamic crypto map entry is a crypto map entry without all the parameters configured. It acts as a policy template where the missing parameters are later dynamically configured (as the result of an IPSec negotiation) to match a remote peer's requirements. This allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto map entry specifically configured to meet all of the remote peer's requirements.

IP Security Protocol—See IPSec.

IPSec—IP Security Protocol. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IKE—Internet Key Exchange. A key management protocol standard which is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol which implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)

Internet Key Exchange—See IKE.

Probe—A packet designated by the router to discover the identity of a tunnel endpoint.