Configuring IPSec with CLI

This section describes how to configure IPSec using the command line interface.

Topics in this section include:

Basic Configuration Overview

The following list provides a high-level outline for setting up IPSec on the 7705 SAR.

  1. Create an IPSec tunnel group.
  2. Configure an IPSec IKE policy.
  3. Configure an IPSec transform policy.
  4. Create a private side tunnel interface on the VPRN service.
    1. Create an interface using the tunnel keyword and private tunnel SAP.
    2. Create the IPSec tunnel and configure its parameters, which include local and peer gateway IP addresses, IP MTU, keying (manual or dynamic), and so on.
  5. Create a public side tunnel interface on the IES.
    1. Create an interface and public tunnel SAP.
  6. Configure a VPRN static route for the IPSec tunnel.

Common Configuration Tasks

This section provides a brief overview of the following common configuration tasks that must be performed to configure IPSec:

Configuring an IPSec Tunnel Group

The following output displays an IPSec group configuration in the ISA context. The 7705 SAR supports only one tunnel-group. The tunnel-group-id is always 1.

*A:7705custDoc:Sar18>config>isa# info detail
----------------------------------------------
        tunnel-group 1 create
            shutdown
            no description
        exit
----------------------------------------------
*A:7705custDoc:Sar18>config>isa#

Configuring Router Interfaces for IPSec

An IPSec tunnel requires the following three interfaces:

  1. public tunnel interface (under IES)
  2. private tunnel interface (under VPRN)
  3. physical untrusted network/Internet-facing interface: either IES or router

The physical interface is the one that must reside on an encryption-capable adapter card.

The following example displays an interface (“internet”) configured using a network port (1/1/1) and an IES interface (“public”) configuration using SAP 1/1/8.

*A:ALU-49>config# info
----------------------------------------------
...
    router
        interface "internet"
            address 10.10.7.118/24
            port 1/1/1
        exit
        interface "system"
            address 10.20.1.118/32
        exit
        autonomous-system 123
    exit
...
----------------------------------------------
*A:ALU-49>config#
*A:7705:Dut-A>config>service>ies# info
----------------------------------------------
            description "ies interface towards internet"
            interface "public" create
                address 200.1.1.1/24
                sap 1/1/8 create
                    description "sap-100-200.1.1.1"
                exit
            exit
            no shutdown
----------------------------------------------

Configuring IPSec Parameters

Under the IPSec context, configure the IKE policy and IPSec transform parameters.

The following example displays the IPSec parameter configuration output.

*A:7705custDoc:Sar18>config>ipsec# info
#--------------------------------------------------
    ipsec
        ike-policy 2 create
            own-auth-method psk
            dh-group 14
            ipsec-lifetime 48000
            isakmp-lifetime 60000
            pfs dh-group 5
            auth-algorithm sha384
            encryption-algorithm aes192
            nat-traversal keep-alive-interval 240
            dpd interval 25
        exit
        ipsec-transform 2 create
            esp-auth-algorithm md5
            esp-encryption-algorithm 3des
        exit
    exit
#--------------------------------------------------

Configuring IPSec and IPSec Tunnels in Services

IPSec is configured under IES and VPRN services.

Under the VPRN service, configure the IPSec security policies, then create the tunnel interface, the private tunnel SAP, and the IPSec tunnel, and set the IPSec tunnel parameters on that tunnel. Use the tunnel keyword when creating the interface for a private tunnel SAP.

Under IES service, create an interface and public tunnel SAP. The tunnel keyword is not used when creating an interface for a public tunnel SAP.

Private and public tunnels function in pairs, where a pair is defined by the tag in the sap-id; for example, SAP tunnel-1.private:22 and SAP tunnel-1.public:22 are a pair.

The local gateway address and delivery service configured under the VPRN ipsec-tunnel>local-gateway-address command correspond to the IES interface address and service ID where the public tunnel interface is defined. In the example below, the local-gateway-address is 10.10.10.11 and the delivery-service is 10.

The following example displays the configuration output when configuring IPSec for VPRN services and for IES.

*A:7705custDoc:Sar18>config>service>vprn# info detail
----------------------------------------------
...
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                    entry 2 create
                        local-ip 192.100.100.10/32 
                        remote-ip 192.100.200.10/32 
                    exit
                exit
                security-policy 15 create
                    entry 15 create
                        no local-ip
                        no remote-ip
                    exit
                exit
            exit
...
            interface "vprn_tunnel" tunnel create
                no ip-mtu
                sap tunnel-1.private:22 create
                    no description
                    ingress
                        qos 1
                    exit
                    egress
                        qos 1
                        no filter
                        no agg-rate-limit
                    exit
                    ipsec-tunnel "ipsec_tunnel_tag1" create
                        shutdown
                        no description
                        security-policy 1 2
                        local-gateway address 10.10.10.11 peer 11.11.11.11 
                           delivery-service 10
                        no bfd-designate
                        no clear-df-bit
                        no ip-mtu
                    exit
                    no shutdown
                exit
                no shutdown
            exit
            no service-name
            static-route 192.100.200.10/32 ipsec-tunnel "ipsec_tunnel_tag1" 
----------------------------------------------
*A:7705custDoc:Sar18>config>service>vprn#

*A:7705custDoc:Sar18>config>service>ies# info detail
----------------------------------------------
  ...
        ies 10 customer 1 create
            interface "ies_tunnelPublicSide_1" create
                address 10.10.10.1/24 
                sap tunnel-1.public:22 create
                    no description
                    ingress
                        qos 1
                    exit
                    egress
                        qos 1
                        no filter
                        no agg-rate-limit
                    exit
                    no collect-stats
                    no accounting-policy
                    no shutdown
                exit
            exit
            no service-name
----------------------------------------------
*A:7705custDoc:Sar18>config>service>ies#
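As an added example that is not part of the 7705 SAR documentation: a small Python checker that reads the VPRN and IES output above and verifies the consistency rules this section states (a private and a public SAP pair only on the same tunnel-group and tag, the local-gateway address lies in the IES public interface subnet, the delivery-service equals the IES service ID, and a static route names an ipsec-tunnel that exists). The sample text is constructed from the output above; the regular expressions assume the `info detail` layout shown on this page.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the VPRN and IES "info detail" output above.
VPRN_CFG = """
interface "vprn_tunnel" tunnel create
    sap tunnel-1.private:22 create
        ipsec-tunnel "ipsec_tunnel_tag1" create
            local-gateway address 10.10.10.11 peer 11.11.11.11
               delivery-service 10
        exit
    exit
exit
static-route 192.100.200.10/32 ipsec-tunnel "ipsec_tunnel_tag1"
"""
IES_CFG = """
ies 10 customer 1 create
    interface "ies_tunnelPublicSide_1" create
        address 10.10.10.1/24
        sap tunnel-1.public:22 create
        exit
    exit
"""
SAP_RE = re.compile(r"sap tunnel-(\d+)\.(private|public):(\d+)")
GW_RE = re.compile(r'ipsec-tunnel "([^"]+)" create.*?local-gateway address (\S+) '
                   r"peer (\S+)\s+delivery-service (\d+)", re.S)

def check_ipsec_pairing(vprn_cfg, ies_cfg):
    """Return a list of consistency problems; an empty list means the two halves agree."""
    problems = []
    # 1. A private SAP and a public SAP pair only when tunnel-group and tag match.
    priv = {(g, t) for g, side, t in SAP_RE.findall(vprn_cfg) if side == "private"}
    pub = {(g, t) for g, side, t in SAP_RE.findall(ies_cfg) if side == "public"}
    for g, t in sorted(priv ^ pub):
        problems.append(f"tunnel-{g} tag {t}: no matching private/public SAP pair")
    # 2. local-gateway must lie in an IES public subnet; delivery-service must be that IES ID.
    ies_id = re.search(r"^\s*ies (\d+) ", ies_cfg, re.M)
    ies_nets = [ipaddress.ip_interface(a).network for a in re.findall(r"address (\S+)", ies_cfg)]
    tunnels = set()
    for name, local, _peer, svc in GW_RE.findall(vprn_cfg):
        tunnels.add(name)
        if not any(ipaddress.ip_address(local) in n for n in ies_nets):
            problems.append(f"{name}: local-gateway {local} not in any IES public interface subnet")
        if ies_id is None or svc != ies_id.group(1):
            problems.append(f"{name}: delivery-service {svc} does not match the IES service ID")
    # 3. A static-route that points at an ipsec-tunnel must name one that exists.
    for dest, name in re.findall(r'static-route (\S+) ipsec-tunnel "([^"]+)"', vprn_cfg):
        if name not in tunnels:
            problems.append(f"static-route {dest} references unknown ipsec-tunnel {name}")
    return problems
```

Run it against the pasted output of both services before committing the configuration; any line it returns points at one of the pairing rules above that the two halves violate.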

Service Management Tasks

This section provides a brief overview of the following service management tasks:

Deleting an IPSec IKE Policy or an IPSec Transform

An IPSec IKE policy or transform cannot be deleted if it is being used by an IPSec tunnel. To delete an IKE policy or IPSec transform:

CLI Syntax:
config>service>vprn>interface>sap>ipsec-tunnel# dynamic-keying
config>service>vprn>interface>sap>ipsec-tunnel>dynamic-keying# no ike-policy
config>service>vprn>interface>sap>ipsec-tunnel>dynamic-keying# no transform
config>service>vprn>interface>sap>ipsec-tunnel>dynamic-keying# exit all
config>ipsec# no ike-policy ike-policy-id
config>ipsec# no ipsec-transform transform-id
Example:
config>service>vprn>interface>sap>ipsec-tunnel# dynamic-keying
config>service>vprn>interface>sap>ipsec-tunnel>dynamic-keying# no ike-policy
config>service>vprn>interface>sap>ipsec-tunnel>dynamic-keying# no transform
config>service>vprn>interface>sap>ipsec-tunnel>dynamic-keying# exit all
config>ipsec# no ike-policy 2
config>ipsec# no ipsec-transform 2

Deleting a Public IPSec Tunnel SAP and Interface

A public IPSec tunnel interface and SAP are created under IES. To delete a public IPSec tunnel interface and SAP:

CLI Syntax:
config>service>ies>interface# no sap tunnel-id.public:tag
config>service>ies# no interface ip-int-name
Example:
config>service>ies>interface# no sap tunnel-1.public:22
config>service>ies# no interface ies_tunnelPublicSide_1

Deleting a Private IPSec Tunnel SAP and Interface

A private IPSec tunnel interface and SAP are created under a VPRN service. To delete a private IPSec tunnel interface and SAP:

CLI Syntax:
config>service>vprn>interface# no sap tunnel-id.private:tag
config>service>vprn# no interface ip-int-name
Example:
config>service>vprn>interface# no sap tunnel-1.private:22
config>service>vprn# no interface vprn_tunnel

Deleting an IPSec Security Policy

Security policies are created under the VPRN service. To delete an IPSec security policy:

CLI Syntax:
config>service>vprn>ipsec# no security-policy security-policy-id
Example:
config>service>vprn>ipsec# no security-policy 35

Deleting an IPSec Tunnel

IPSec tunnels are created under the VPRN service. To delete an IPSec tunnel:

CLI Syntax:
config>service>vprn>interface>sap# no ipsec-tunnel ipsec-tunnel-name
Example:
config>service>vprn>interface>sap# no ipsec-tunnel ipsec_tunnel_tag1