# IPSec Configuration Guide
## Introduction

IPsec is a suite of protocols defined by the Internet Engineering Task Force (IETF) for providing secure transmission of data over IP networks. These protocols include the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The IPsec framework also includes key exchange and the algorithms used for authentication and encryption. Together they allow two devices to establish an IPsec tunnel between them, so that data is securely forwarded over the tunnel.

## IPsec Configuration

### Create IPsec

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | |
| Create and enter the IPsec configuration view | `ipsec <name>` | |

### Configure IKE

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | |
| Enter the IPsec configuration view | `ipsec <name>` | |
| Configure the IKE encryption algorithm, key length, authentication algorithm and DH group | `ike crypto-alg {des-iv64\|des\|3des\|rc5\|idea\|cast\|blowfish\|3idea\|des-iv32\|null\|aes-cbc\|aes-ctr\|aes-gcm-16} crypto-alg-size <0-65535> integ-alg {none\|md5-96\|sha1-96\|des-mac\|kpdk-md5\|aes-xcbc-96\|md5-128\|sha1-160\|cmac-96\|aes-128-gmac\|aes-192-gmac\|aes-256-gmac\|hmac-sha2-256-128\|hmac-sha2-384-192\|hmac-sha2-512-256} dh {none\|modp-768\|modp-1024\|modp-1536\|modp-2048\|modp-3072\|modp-4096\|modp-6144\|modp-8192\|ecp-192\|ecp-256\|ecp-384\|ecp-512\|modp-1024-160\|modp-2048-224\|modp-2048-256}` | `crypto-alg`: encryption algorithm; `crypto-alg-size`: key length; `integ-alg`: authentication algorithm; `dh`: DH group |
| Configure the ID type and ID value of the local user | `ike local type {ip4\|ip6\|rfc822\|fqdn} data <value>` | `type`: ID type; `data`: ID value |
| Configure the ID type and ID value of the remote user | `ike remote type {ip4\|ip6\|rfc822\|fqdn} data <value>` | `type`: ID type; `data`: ID value |
| Configure the shared key | `shared-key-mic {string\|hex} <value>` | |

### Configure SA

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | |
| Enter the IPsec configuration view | `ipsec <name>` | |
| Configure the SA encryption algorithm, key length and authentication algorithm | `sa crypto-alg {des-iv64\|des\|3des\|rc5\|idea\|cast\|blowfish\|3idea\|des-iv32\|null\|aes-cbc\|aes-ctr\|aes-gcm-16} crypto-alg-size <0-65535> integ-alg {none\|md5-96\|sha1-96\|des-mac\|kpdk-md5\|aes-xcbc-96\|md5-128\|sha1-160\|cmac-96\|aes-128-gmac\|aes-192-gmac\|aes-256-gmac\|hmac-sha2-256-128\|hmac-sha2-384-192\|hmac-sha2-512-256}` | `crypto-alg`: encryption algorithm; `crypto-alg-size`: key length; `integ-alg`: authentication algorithm |
| SA negotiation switch | `sa init` | |
| SA negotiation configuration | `sa lifetime <value> jitter <value> handover <value> max-bytes <value>` | `lifetime`: lifetime of the SA; `jitter`: random jitter time (seconds) to avoid simultaneous renegotiation at both ends; `handover`: smooth transition time (seconds), i.e. how long the old SA is retained so that traffic is not interrupted before the new SA is established; `max-bytes`: SA data transfer limit; renegotiation is triggered when the limit is exceeded |
| NAT traversal detection switch | `sa natt {enable\|disable}` | |
| Configure the SA tunnel | `sa tunnel {ip4\|ip6} src-ip <A.B.C.D> dst-ip <A.B.C.D> next-hop <A.B.C.D> remote-ip <A.B.C.D/M> shared-interface <name>` | `ip4\|ip6`: tunnel IP type; `src-ip`: IKE local IP; `dst-ip`: IKE remote IP; `next-hop`: next node; `remote-ip`: route to the destination; `shared-interface`: IPsec tunnel port |

### Bind IPsec to a Port

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure terminal` | |
| Enter the interface configuration view | `interface ethernet <id>` | |
| Bind IPsec to the port | `ipsec <name> peer {ip4\|ip6} <A.B.C.D>\|<X:X::X:X>` | `name`: name of the IPsec instance; `A.B.C.D\|X:X::X:X`: peer IPv4/IPv6 address |

### Display and Maintenance

| Operation | Command |
|---|---|
| Display IPsec information | `show ipsec` |

## IPsec Configuration Example

### Network requirements

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway and the headquarters gateway communicate over the Internet, an IPsec tunnel can be set up between them.

### Procedure

Device1:

```
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.1/24
sonic(config-if-2)# ipsec test peer ip4 1.1.1.2
sonic(config-if-2)# mtu 1492
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.1.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared-key-mic string test1234
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 10.1.1.0 addr-end 10.1.1.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 10.1.2.0 addr-end 10.1.2.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src-ip 1.1.1.1 dst-ip 1.1.1.2 next-hop 1.1.1.2 remote-ip 10.1.2.0/24 shared-interface ethernet2
```

Device2:

```
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.2/24
sonic(config-if-2)# mtu 1492
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.2.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared-key-mic string test1234
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 10.1.2.0 addr-end 10.1.2.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 10.1.1.0 addr-end 10.1.1.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src-ip 1.1.1.2 dst-ip 1.1.1.1 next-hop 1.1.1.1 remote-ip 10.1.1.0/24 shared-interface ethernet2
```

## Example of IPsec Configuration in a PPPoE Scenario

### Network requirements

The enterprise wants to protect data flows between the branch subnets and the headquarters subnet. Because the branch gateway and the headquarters gateway communicate over the Internet, an IPsec tunnel can be set up between them. The branch gateway functions as a PPPoE client to obtain its IP address, so the headquarters gateway cannot know the branch gateway's IP address and can only respond to IPsec negotiation requests initiated by the branch gateway.

### Procedure

Device1:

```
sonic(config)# interface dialer 1
sonic(config-dialerif-1)# ppp chap username test1 test123
sonic(config-dialerif-1)# ipsec test peer ip4 20.1.1.2
sonic(config-dialerif-1)# mtu 1492
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 80.0.0.1/24
sonic(config)# interface ethernet 1
sonic(config-if-1)# pppoe client 1
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared-key-mic string test1234
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 10.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 20.1.1.2
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 80.0.0.0 addr-end 80.0.0.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 90.0.0.0 addr-end 90.0.0.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src-ip 10.1.1.2 dst-ip 20.1.1.2 next-hop 10.1.1.1 remote-ip 90.0.0.0/24 shared-interface dialer1
sonic(config)# ip route 20.1.1.0/24 dialer 1
```

Device2:

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 20.1.1.2/24
sonic(config-if-1)# mtu 1492
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 90.0.0.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared-key-mic string test1234
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 20.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 10.1.1.2
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 90.0.0.0 addr-end 90.0.0.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 80.0.0.0 addr-end 80.0.0.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
sonic(config-ipsec-test)# sa tunnel ip4 src-ip 20.1.1.2 dst-ip 10.1.1.2 next-hop 20.1.1.1 remote-ip 80.0.0.0/24 shared-interface ethernet5
sonic(config)# ip route 10.1.1.0/24 20.1.1.1
```
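The two procedures above only work when the peers mirror each other: the IKE identities and traffic selectors swap sides, and both IKE and SA proposals match. As an added example (not part of this guide or the device software), the following Python script parses config-ipsec lines in the CLI syntax above for two peers and reports mismatches, and additionally flags legacy options from the guide's algorithm lists; which options count as legacy is this example's own classification, and the sample profiles are constructed, with device2 deliberately set to dh modp-1024.

```python
# Legacy options from the guide's lists; treating them as weak is this example's own classification.
WEAK = {
    "crypto": {"null", "des", "des-iv64", "des-iv32", "3des", "rc5", "idea", "cast", "blowfish", "3idea"},
    "integ": {"none", "md5-96", "md5-128", "des-mac", "kpdk-md5"},
    "dh": {"none", "modp-768", "modp-1024", "modp-1024-160"},
}

# Constructed sample: device1 as in the guide's first example, device2 mirrored but with dh modp-1024.
DEVICE1 = """
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-2048
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 10.1.1.0 addr-end 10.1.1.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 10.1.2.0 addr-end 10.1.2.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
"""
DEVICE2 = """
sonic(config-ipsec-test)# ike crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96 dh modp-1024
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike traffic-selector local ip4 addr-start 10.1.2.0 addr-end 10.1.2.255
sonic(config-ipsec-test)# ike traffic-selector remote ip4 addr-start 10.1.1.0 addr-end 10.1.1.255
sonic(config-ipsec-test)# sa crypto-alg aes-cbc crypto-alg-size 256 integ-alg sha1-96
"""

def parse_profile(cli_text):
    """Collect the IKE/SA settings from one device's config-ipsec lines."""
    prof = {}
    for line in cli_text.strip().splitlines():
        w = line.split("# ", 1)[-1].split()  # drop the prompt, tokenize the command
        if w[1] == "crypto-alg":  # 'ike crypto-alg ...' or 'sa crypto-alg ...' (no dh for sa)
            prof[w[0]] = dict(zip(("crypto", "size", "integ", "dh"), w[2::2]))
        elif w[1] in ("local", "remote"):  # ike local|remote type <type> data <id>
            prof["id " + w[1]] = (w[3], w[5])
        elif w[1] == "traffic-selector":  # ... local|remote ip4 addr-start <a> addr-end <b>
            prof["ts " + w[2]] = (w[5], w[7])
    return prof

def audit(a, b):
    """Findings for a peer pair: legacy options, and settings that must mirror."""
    out = []
    for side in ("ike", "sa"):
        if a[side] != b[side]:
            out.append(f"{side} proposal differs between peers")
        for peer in (a, b):
            for field, weak in WEAK.items():
                msg = f"{side} uses legacy {field} {peer[side].get(field)}"
                if peer[side].get(field) in weak and msg not in out:
                    out.append(msg)
    for key, label in (("id", "IKE identities"), ("ts", "traffic selectors")):
        if a[key + " local"] != b[key + " remote"] or a[key + " remote"] != b[key + " local"]:
            out.append(f"{label} are not mirrored")
    return out
```

Run `audit(parse_profile(DEVICE1), parse_profile(DEVICE2))` to see the two findings for the constructed pair; once device2 is switched back to `dh modp-2048` the list is empty.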
