Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec) is an end-to-end security scheme for securing IP communications by authenticating and encrypting the packets of a session. IPSec can be used between hosts, between gateways, or between hosts and gateways.

IPSec uses a set of protocol components to achieve information security:
• Authentication Header (AH) — connectionless integrity and data-origin authentication for IP packets. AH does not provide confidentiality.
• Encapsulating Security Payload (ESP) — confidentiality, and optionally authentication and data integrity, for IP packets.
• Security Association (SA) — the parameters (algorithms, keys and SPI) that AH and ESP apply to a given traffic flow.

IPSec capability is available for control (protocol) and management traffic; the remote end node must also support IPSec.

IPSec supports two operational modes: transport and tunnel.
• Transport mode is the default. It protects only the payload of the IP packet; the IP header, and therefore the routing information, is unchanged.
• Tunnel mode protects the entire original packet, including the routing information in the IP header, and encapsulates it in a new IP header. Tunnel mode is typically used to build virtual private networks (VPNs).

In transport mode, ESP protects the IP packet payload. You can use ESP alone or combine it with AH for additional authentication that also covers the IP header. AH protects the packet against modification but does not provide confidentiality.

An SA is the configuration that specifies the type of security applied to an IPSec flow: the set of algorithms and keys used to authenticate and encrypt the traffic. AH and ESP consult the SA to protect the flow.

NOTE: Due to performance limitations on the control processor, you cannot enable IPSec on all packets in a communication session.

Topics:
• crypto ipsec transform-set
• crypto ipsec policy
• management crypto-policy
• match
• session-key
• show crypto ipsec transform-set
• show crypto ipsec policy
• transform-set
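The following example is added here to make the AH/ESP and transport/tunnel distinctions concrete; it is not part of this configuration guide and does not model the switch's CLI. It builds a constructed IPv4 packet and applies a small model of AH (integrity over header and payload, payload left visible), ESP transport mode (payload protected, original header in clear) and ESP tunnel mode (whole original packet protected behind a new outer header), each driven by an SA object that carries the SPI and keys. The integrity check is a real truncated HMAC-SHA256; the confidentiality step is a stand-in HMAC-derived keystream, not a real IPsec cipher suite, and the header layouts follow RFC 4302/4303 only loosely. Addresses, keys and the payload are constructed sample values.

```python
"""Added illustration of IPsec building blocks (not the product's own code):
an SA with keys, AH (integrity, no confidentiality) and ESP in transport vs
tunnel mode. Cipher is a stand-in keystream; layouts loosely follow RFC 4302/4303."""
from __future__ import annotations
import hashlib
import hmac
import struct
from dataclasses import dataclass

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
ICV_LEN = 12      # truncated HMAC, as in RFC 4868
AH_FIXED = 12     # next header, payload len, reserved, SPI, sequence number


def ip_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at 0 because this is a model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


@dataclass(frozen=True)
class SA:
    """Security Association: SPI plus the keys AH/ESP use on one direction of a flow."""
    spi: int
    auth_key: bytes
    enc_key: bytes = b""  # empty for an AH-only SA


def icv(sa: SA, data: bytes) -> bytes:
    return hmac.new(sa.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def keystream_xor(sa: SA, nonce: bytes, data: bytes) -> bytes:
    """Stand-in confidentiality: XOR with an HMAC-derived keystream (constructed, not an IPsec transform)."""
    ks = b"".join(hmac.new(sa.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def _zero_mutable(hdr: bytes) -> bytes:
    """Zero the fields routers change in flight (TTL, checksum) before computing the AH ICV."""
    return hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]


def ah_protect(sa: SA, packet: bytes, seq: int) -> bytes:
    """AH transport mode: AH header after the IP header; ICV covers header, AH header and payload."""
    ah = struct.pack("!BBHII", packet[9], (AH_FIXED + ICV_LEN) // 4 - 2, 0, sa.spi, seq)
    hdr = ip_header(packet[12:16], packet[16:20], IPPROTO_AH, AH_FIXED + ICV_LEN + len(packet) - 20)
    covered = _zero_mutable(hdr) + ah + bytes(ICV_LEN) + packet[20:]
    return hdr + ah + icv(sa, covered) + packet[20:]   # payload stays in clear


def ah_verify(sa: SA, wire: bytes) -> bool:
    hdr, ah = wire[:20], wire[20:20 + AH_FIXED]
    tag, payload = wire[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN], wire[20 + AH_FIXED + ICV_LEN:]
    if hdr[9] != IPPROTO_AH or struct.unpack("!I", ah[4:8])[0] != sa.spi:
        return False
    return hmac.compare_digest(icv(sa, _zero_mutable(hdr) + ah + bytes(ICV_LEN) + payload), tag)


def esp_protect(sa: SA, packet: bytes, seq: int, tunnel: bool = False,
                outer: tuple[bytes, bytes] | None = None) -> bytes:
    """ESP. Transport: only the payload is protected, original header kept.
    Tunnel: the whole original packet (header included) is protected behind a new outer header."""
    esp_hdr = struct.pack("!II", sa.spi, seq)
    if tunnel:
        src, dst = outer
        plain, next_hdr = packet, IPPROTO_IPIP
    else:
        src, dst = packet[12:16], packet[16:20]
        plain, next_hdr = packet[20:], packet[9]
    enc = keystream_xor(sa, esp_hdr, plain + bytes([0, next_hdr]))  # trailer: pad len 0, next header
    esp = esp_hdr + enc
    return ip_header(src, dst, IPPROTO_ESP, len(esp) + ICV_LEN) + esp + icv(sa, esp)


def esp_unprotect(sa: SA, wire: bytes) -> bytes:
    """Check the ICV before decrypting; return the original IP packet."""
    outer, esp, tag = wire[:20], wire[20:-ICV_LEN], wire[-ICV_LEN:]
    if outer[9] != IPPROTO_ESP or struct.unpack("!I", esp[:4])[0] != sa.spi:
        raise ValueError("not ESP for this SA")
    if not hmac.compare_digest(icv(sa, esp), tag):
        raise ValueError("ESP ICV mismatch")
    plain = keystream_xor(sa, esp[:8], esp[8:])
    inner, next_hdr = plain[:-2], plain[-1]
    if next_hdr == IPPROTO_IPIP:
        return inner  # tunnel mode: the inner packet carries its own header
    return ip_header(outer[12:16], outer[16:20], next_hdr, len(inner)) + inner


# Constructed sample: a TCP segment 10.0.0.1 -> 10.0.0.2 with a readable payload, and two SAs.
PAYLOAD = b"GET /secret HTTP/1.0\r\n"
PACKET = ip_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), IPPROTO_TCP, len(PAYLOAD)) + PAYLOAD
AH_SA = SA(spi=0x100, auth_key=b"ah-auth-key")
ESP_SA = SA(spi=0x200, auth_key=b"esp-auth-key", enc_key=b"esp-enc-key")
OUTER = (bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))   # gateway addresses for tunnel mode

if __name__ == "__main__":
    ah = ah_protect(AH_SA, PACKET, 1)
    print("AH leaves payload visible:", PAYLOAD in ah, "| verifies:", ah_verify(AH_SA, ah))
    print("AH detects modification:", not ah_verify(AH_SA, ah.replace(b"secret", b"public")))
    transport, tunnel = esp_protect(ESP_SA, PACKET, 1), esp_protect(ESP_SA, PACKET, 1, True, OUTER)
    print("transport keeps inner addresses in clear:", transport[12:20] == PACKET[12:20])
    print("tunnel hides inner addresses:", PACKET[12:20] not in tunnel)
    print("both recover the original:", esp_unprotect(ESP_SA, transport) == esp_unprotect(ESP_SA, tunnel) == PACKET)
```

The point to take from running it: with AH the payload and addresses are readable on the wire and only tampering is caught; with ESP transport mode the payload disappears but the inner addresses stay visible; with ESP tunnel mode both the original header and payload are hidden and only the gateway addresses in the outer header remain.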