IPSec
IKE and IPSec

IPSec, in Cisco IOS software, processes packets as shown in Figure . The PIX Security Appliance processes IPSec traffic in a similar manner. The process shown in the figure assumes that public and private keys have already been created and that at least one access list exists.

Step 1 – Access lists are used by Cisco IOS software to select interesting traffic to be encrypted.

  • Cisco IOS software checks to see if IPSec Security Associations (SA) have been established.
  • If the SA has already been established by manual configuration, or set up by IKE, the packet is encrypted based on the policy specified on the router, and is transmitted out the interface.

Step 2 – If the SA has not been established, Cisco IOS software checks to see if an ISAKMP SA has been configured and set up. If the ISAKMP SA has been set up, the ISAKMP SA governs negotiation of the IPSec SA as specified in the ISAKMP policy. The packet is then encrypted by IPSec and is transmitted.

Step 3 – If the ISAKMP SA has not been set up, Cisco IOS software checks to see if a certification authority (CA) has been configured to establish an ISAKMP policy. If CA authentication is configured, the router will do the following:

  • Use public/private keys previously configured
  • Get the public certificate from the CA
  • Get a certificate for its own public key
  • Use the key to negotiate an ISAKMP SA
  • Use the same key, which in turn is used to establish the IPSec SA

Step 4 – The router then encrypts and transmits the packet.
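The four steps above expressed as a Cisco IOS configuration, added here as an example that is not from the original page: the interesting-traffic access list, the ISAKMP policy, a CA trustpoint with its RSA key pair, the IPSec transform set and the crypto map that ties them together. Addresses, the trustpoint name, the CA URL, key and map names and the interface are assumptions.

```cisco
! Step 1: interesting traffic - only packets matching this ACL are encrypted
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 2: ISAKMP (IKE phase 1) policy that governs negotiation of the ISAKMP SA
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 86400
!
! Step 3: CA trustpoint for certificate authentication (name and URL assumed)
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.internal:80
 subject-name CN=router1.example.internal
 rsakeypair VPN-KEYS
 revocation-check crl
!
! Exec-mode commands: create the key pair, fetch the CA certificate,
! then enroll to obtain a certificate for the router's own public key
crypto key generate rsa label VPN-KEYS modulus 2048
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
! IPSec (IKE phase 2) transform set and the crypto map binding peer, policy and ACL
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA256
 set pfs group14
 match address 110
!
! Step 4: apply the crypto map to the outbound interface so matching packets are encrypted
interface GigabitEthernet0/0
 crypto map VPNMAP
!
! Verification (exec mode): the ISAKMP SA should show QM_IDLE and the IPSec SA should
! report encrypt/decrypt counters increasing once traffic matching ACL 110 flows
show crypto isakmp sa
show crypto ipsec sa
```

If `show crypto isakmp sa` shows no entry after traffic is sent, the ISAKMP SA from Step 2 was never negotiated, which typically points at a policy mismatch with the peer or a failed certificate check from Step 3.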