IKE and IPSec Flowchart for Cisco Routers
Cisco IOS software implements and processes IPSec in a predictable and reliable fashion. A summary of how IPSec works in Cisco IOS software is shown in Figure 4. The process shown in the figure assumes that you have already created your own public and private keys, and that at least one access list exists.
Figure 4 IKE and IPSec flowchart.
Remember, IKE is synonymous with ISAKMP in Cisco router or PIX Firewall configurations.
The figure also shows the Cisco IOS commands used to configure each part of the process, although the commands are not shown in the order in which you enter them:
Access lists applied to an interface and cryptographic map are used by Cisco IOS software to select "interesting" traffic to be encrypted.
Cisco IOS software checks whether IPSec SAs have been established.
If the SA has already been established by manual configuration using the crypto ipsec transform-set and crypto map commands, or previously set up by IKE, the packet is encrypted based on the policy specified in the crypto map, and is transmitted out of the interface.
If the SA has not been established, Cisco IOS software checks whether an IKE SA has been configured and set up.
If the IKE SA has been set up, the IKE SA governs negotiation of the IPSec SA as specified in the IKE policy configured by the crypto isakmp policy command, the packet is encrypted by IPSec and is transmitted.
If the IKE SA has not been set up, Cisco IOS software checks whether certification authority has been configured to establish an IKE policy.
If CA authentication is configured with the various crypto ca commands, the router uses public and private keys previously configured, obtains the CA's public certificate, gets a certificate for its own public key, and then uses the key to negotiate an IKE SA, which in turn is used to establish an IPSec SA to encrypt and transmit the packet.