This section provides information to configure IPSec using the command line interface.
Topics in this section include:
The following list provides a high-level outline for setting up IPSec on the 7705 SAR.
This section provides a brief overview of the following common configuration tasks that must be performed to configure IPSec:
The following output displays an IPSec group configuration in the ISA context. The 7705 SAR supports only one tunnel-group. The tunnel-group-id is always 1.
An IPSec tunnel requires three interfaces: a physical interface, a public-side tunnel interface, and a private-side tunnel interface.
The physical interface is the one that must reside on an encryption-capable adapter card.
The following example displays an interface (“internet”) configured using a network port (1/1/1) and an IES interface (“public”) configuration using SAP 1/1/8.
Under the IPSec context, configure the IKE policy and IPSec transform parameters.
The following example displays the IPSec parameter configuration output.
IPSec is configured under IES and VPRN services.
For the private-side IPSec tunnel interface and SAP, under the VPRN service context, configure IPSec security policies, and create tunnel interfaces, private tunnel SAPs, IPSec tunnels, and IPSec tunnel parameters. The tunnel keyword must be used when creating an interface for a private tunnel SAP.
For a public-side IPSec tunnel interface and SAP, under the IES or VPRN service context, create an interface and public tunnel SAP. The tunnel keyword is not used when creating an interface for a public tunnel SAP.
Private-side and public-side tunnels function in pairs, where a pair is defined by the service ID and the interface subnet.
The local gateway address and delivery service configured using the VPRN ipsec-tunnel>local-gateway-address command correspond to the IES or VPRN interface address and service ID where the public-side tunnel interface is defined. In the example below, the local-gateway-address is 10.10.10.11 and the delivery-service is 10.
The following example displays the configuration output when configuring IPSec for a private-side VPRN service and a public-side IES.
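The following is an added example, not CLI output from the original page, that walks the procedure above in one place: the ISA tunnel group, the IKE policy and IPSec transform, the public-side IES 10 and the private-side VPRN 100. It is written in the SR OS classic CLI style as reconstructed from memory; the card slot 1/2, the port and SAP numbers, the addresses, the peer gateway 10.20.20.12, the protected subnets and the tunnel name are all assumptions chosen for illustration, and keyword spellings must be checked against the IPSec Command Reference for the 7705 SAR release in use.

```text
# Added example: end-to-end static LAN-to-LAN IPSec configuration (reconstructed SR OS
# classic CLI; slots, ports, addresses, service IDs and names are assumptions).
configure
    isa
        # only tunnel-group 1 exists on the 7705 SAR
        tunnel-group 1 create
            # assumed slot of the encryption-capable adapter card
            primary 1/2
            no shutdown
        exit
    exit
    ipsec
        # IKE (IKE_SA) parameters: IKEv2, PSK authentication, AES-256/SHA-256, DH group 14
        ike-policy 1 create
            ike-version 2
            auth-method psk
            encryption-algorithm aes256
            auth-algorithm sha256
            dh-group 14
        exit
        # ESP (CHILD_SA) parameters, with perfect forward secrecy on rekey
        ipsec-transform 1 create
            esp-encryption-algorithm aes256
            esp-auth-algorithm sha256
            pfs-dh-group 14
        exit
    exit
    router
        # network interface toward the public network (port 1/1/1)
        interface "internet"
            address 172.16.1.1/30
            port 1/1/1
        exit
        # the remote secure gateway must be reachable in the public routing instance
        static-route 10.20.20.0/24 next-hop 172.16.1.2
    exit
    service
        # public side: this is delivery-service 10
        ies 10 customer 1 create
            # public-side tunnel interface; the "tunnel" keyword is NOT used here
            interface "public" create
                # this address becomes the local-gateway-address of the tunnel
                address 10.10.10.11/24
                sap tunnel-1.public:1 create
                exit
            exit
            no shutdown
        exit
        # private side
        vprn 100 customer 1 create
            route-distinguisher 65000:100
            ipsec
                # selects which private traffic is protected
                security-policy 1 create
                    entry 1 create
                        local-ip 192.168.1.0/24
                        remote-ip 192.168.2.0/24
                    exit
                exit
            exit
            interface "lan" create
                address 192.168.1.1/24
                sap 1/1/2 create
                exit
            exit
            # private-side tunnel interface; the "tunnel" keyword IS required here
            interface "private" tunnel create
                sap tunnel-1.private:1 create
                    ipsec-tunnel "to-site-b" create
                        security-policy 1
                        local-gateway-address 10.10.10.11 peer 10.20.20.12 delivery-service 10
                        dynamic-keying
                            ike-policy 1
                            pre-shared-key "REPLACE-WITH-A-LONG-RANDOM-SECRET"
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            # steer the remote subnet into the tunnel
            static-route 192.168.2.0/24 ipsec-tunnel "to-site-b"
            no shutdown
        exit
    exit
exit
```

The pairing the text describes is visible in the example: the local-gateway-address (10.10.10.11) and delivery-service (10) on the VPRN side point at the address and service ID of the public tunnel interface on the IES side. Keep the pre-shared key long and random and scope it to one peer; for more than a handful of tunnels, certificate authentication (described later in this section) avoids distributing shared secrets.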
Use the following CLI syntax to configure IPSec IPv6 parameters for a VPRN private service:
The following example displays IPSec IPv6 parameters configuration output.
Perform the following steps to configure certificate enrollment.
Perform the following steps to import the CA certificate and CRL.
The following example displays a certificate authentication for IKEv2 static LAN-to-LAN tunnel configuration.
The following example displays the syntax to import a certificate from the PEM format.
The following example displays the syntax to export a certificate to the PEM format.
CMPv2 server information is configured under a corresponding ca-profile by using the following CLI commands:
The url command specifies the HTTP URL of the CMPv2 server, and the service-id specifies the routing instance that the system uses to reach the CMPv2 server (if the service ID is omitted, the system uses the base routing instance).
The service ID is only needed for in-band connections to the server via VPRN services. IES services are not referenced by the service ID, since an IES service routing instance is considered to be a base routing instance.
The response-signing-cert command specifies an imported certificate that is used to verify CMP response messages if they are protected by a signature. If this command is not configured, the CA’s certificate is used.
The key-list command specifies a list of pre-shared-keys used for CMPv2 initial registration message protection.
All CMPv2 operations are invoked by using the admin certificate cmpv2 command.
If no key-list is defined under the cmpv2 configuration, the system falls back to the key entered on the admin certificate cmpv2 command line to authenticate a response message that carries no sender ID. If the response carries no sender ID and a key-list is defined, the system tries only the lexicographically first entry of the list; if that key fails to verify the message, the transaction fails. When several keys are listed, the entry the server is expected to use must therefore sort first.
The system supports optional commands (such as always-set-sender-ir) to support inter-operation with CMPv2 servers. Refer to the IPSec Command Reference for details about syntax and usage.
OCSP server information is configured under the corresponding ca-profile:
The responder-url command specifies the HTTP URL of the OCSP responder. The service command specifies the routing instance that the system uses to reach the OCSP responder.
For a given IPSec tunnel, the user can configure a primary certificate status verification method (OCSP or CRL), a secondary method that is tried when the primary method is unavailable, and a default result (good or revoked) that is applied when neither method returns a verdict.
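The following is an added example, not CLI output from the original page, that ties together the certificate enrollment, PEM import/export, CMPv2 and OCSP material above: a key pair and CSR are generated on the router, the CA certificate, CRL and issued certificate are imported from PEM (or obtained in-band over CMPv2), a ca-profile with CMPv2 and OCSP settings is defined, and the tunnel is switched to certificate authentication with explicit revocation checking. It is reconstructed SR OS classic CLI; the file names, URLs, subject DN, key reference and enrollment secret are assumptions, the cert-profile and trust-anchor-profile objects are the form used on newer releases, and every keyword should be verified against the IPSec Command Reference for the release in use.

```text
# Added example: certificate-based IKEv2 authentication with a CA profile, CMPv2 and OCSP
# (reconstructed SR OS classic CLI; file names, URLs, DNs and secrets are assumptions).

# 1. Enrollment: key pair and certificate request generated on the router (admin commands).
admin certificate gen-keypair cf3:/sar-a-key.der size 2048 type rsa
admin certificate gen-local-cert-req keypair cf3:/sar-a-key.der subject-dn "C=US,O=Example,CN=sar-a" file cf3:/sar-a.csr

# 2a. Offline enrollment: the CA returns sar-a.pem; ca.pem and ca-crl.pem are copied to cf3:/.
#     Import converts PEM into the DER files that the configuration references by name.
admin certificate import type cert input cf3:/ca.pem output ca.der format pem
admin certificate import type crl input cf3:/ca-crl.pem output ca-crl.der format pem
admin certificate import type cert input cf3:/sar-a.pem output sar-a.der format pem
admin certificate import type key input cf3:/sar-a-key.der output sar-a-key.der format der
#     Export back to PEM, for example to hand the certificate to the peer administrator.
admin certificate export type cert input sar-a.der output cf3:/sar-a-export.pem format pem

configure
    system security pki
        ca-profile "example-ca" create
            cert-file "ca.der"
            crl-file "ca-crl.der"
            cmpv2
                # service-id 100: the CMPv2 server is reached in-band through VPRN 100
                url "http://cmp.example.net/pkix/" service-id 100
                # if omitted, signed CMP responses are verified with the CA certificate
                response-signing-cert "cmp-resp.der"
                # pre-shared keys for initial registration; with no sender ID only the
                # lexicographically first entry is tried
                key-list
                    key "REPLACE-ENROLMENT-SECRET" reference "1"
                exit
            exit
            ocsp
                responder-url "http://ocsp.example.net/"
                service 100
            exit
            no shutdown
        exit
    exit
    ipsec
        ike-policy 2 create
            ike-version 2
            auth-method cert
            encryption-algorithm aes256
            auth-algorithm sha256
            dh-group 14
        exit
        cert-profile "sar-a" create
            entry 1 create
                cert "sar-a.der"
                key "sar-a-key.der"
            exit
            no shutdown
        exit
        trust-anchor-profile "example-ca" create
            trust-anchor "example-ca"
        exit
    exit
    service vprn 100
        interface "private" tunnel
            sap tunnel-1.private:1
                ipsec-tunnel "to-site-b"
                    dynamic-keying
                        ike-policy 2
                        cert
                            cert-profile "sar-a"
                            trust-anchor-profile "example-ca"
                            # primary OCSP, CRL if OCSP is unavailable, unknown status treated as revoked
                            status-verify primary ocsp secondary crl default-result revoked
                        exit
                        transform 1
                    exit
                exit
            exit
        exit
    exit
exit

# 2b. Alternative to 2a: in-band enrollment over CMPv2, run after the ca-profile above exists,
#     protected with key reference "1" from the key-list.
admin certificate cmpv2 initial-registration ca "example-ca" key-to-certify sar-a-key.der protection-alg password reference "1" password "REPLACE-ENROLMENT-SECRET" subject-dn "C=US,O=Example,CN=sar-a" save-as cf3:/sar-a.der
```

The default-result deserves attention: default-result good means a peer whose certificate cannot be checked (responder down, CRL expired) is still accepted, so revoked is the safer choice unless the OCSP responder and CRL distribution are known to be reliable.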
On the 7705 SAR, IPSec routes to the secure gateway address can be resolved by using either a BGP 3107 label route or an IGP shortcut. When BGP learns IPv4 addresses as BGP 3107 label routes, BGP resolves the next hops for these routes with an LDP or RSVP-TE tunnel. These BGP routes create BGP tunnels that can be used to resolve an IPSec secure gateway address. When an IGP shortcut is enabled on the 7705 SAR by using the config>router>ospf>rsvp-shortcut command, OSPF installs an OSPF route in the RIB with an RSVP-TE LSP as the next hop. If this OSPF route is selected as the overall best route, the next hop is an RSVP-TE tunnel.
The IPSec implementation on the 7705 SAR is VPN-based. In order to configure IPSec, a private VPRN and a public IES or VPRN must both be configured; the encryption and decryption functions occur between these two services.
This section shows a configuration example of an IPSec route resolved by a BGP 3107 label route and a configuration example of an IPSec route resolved by an IGP shortcut.
To route IPSec traffic using BGP 3107 label routes, the following components must be configured:
Figure 138 shows a scenario where IPSec traffic is routed over a BGP 3107 label route. In this example, both the BGP 3107 tunnel and the IPSec tunnel are set up between Dut-A and Dut-F. The nature of BGP 3107 requires the LDP or RSVP-TE tunnel to be set up inside the autonomous system between Dut-A and Dut-E.
Setting up a static LAN-to-LAN tunnel for IPSec traffic involves configuring a number of elements, including:
The CLI output below is an example of a static LAN-to-LAN tunnel configuration.
The CLI output below is an example of a policy option configuration.
The CLI output below is an example of BGP enabled with label route advertisement.
The CLI output below is an example of an LDP tunnel that is configured to resolve the next hop for the BGP 3107 label route. An RSVP-TE tunnel could also be configured to resolve the next hop.
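The following is an added example, not CLI output from the original page, that collects the policy option, BGP label route advertisement and LDP pieces above into the Dut-A side of the scenario. The IPSec tunnel itself is not repeated; it is assumed to exist with local-gateway-address 10.10.10.11 in delivery service 10 and the remote secure gateway 10.20.20.12 on Dut-F. It is reconstructed SR OS classic CLI; the interface name, the system address of Dut-E (10.0.0.5), the prefixes and the policy names are assumptions, as is the note that label routes resolve to LDP by default, and the keywords should be checked against the release's command reference.

```text
# Added example: resolving the IPSec secure gateway through a BGP 3107 label route on Dut-A
# (reconstructed SR OS classic CLI; names, addresses and defaults are assumptions).
configure
    router
        # LDP toward Dut-E provides the transport tunnel that the label route's next hop resolves to
        ldp
            interface-parameters
                interface "to-DutE"
                exit
            exit
            no shutdown
        exit
        policy-options
            begin
            prefix-list "local-ipsec-gw"
                prefix 10.10.10.0/24 exact
            exit
            # advertise the local public-side gateway subnet so Dut-F resolves 10.10.10.11 the same way
            policy-statement "export-ipsec-gw"
                entry 10
                    from
                        protocol direct
                        prefix-list "local-ipsec-gw"
                    exit
                    to
                        protocol bgp
                    exit
                    action accept
                    exit
                exit
            exit
            commit
        exit
        bgp
            group "labeled-ipv4"
                type internal
                family ipv4
                export "export-ipsec-gw"
                # advertise-label ipv4 turns the exported IPv4 routes into RFC 3107 label routes;
                # received label routes are assumed to resolve to the LDP tunnel by default
                advertise-label ipv4
                neighbor 10.0.0.5
                exit
            exit
            no shutdown
        exit
    exit
exit

# Verification (assumed checks): the remote gateway prefix should be a label-ipv4 route,
# the tunnel table should show a BGP tunnel over the LDP tunnel to Dut-E, and the
# route to 10.20.20.12 should resolve through that BGP tunnel.
show router bgp routes label-ipv4 10.20.20.0/24
show router tunnel-table
show router route-table 10.20.20.12
```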
To route IPSec traffic over an IGP shortcut, the following must be configured:
The CLI output below is an example of a static LAN-to-LAN tunnel configuration.
The CLI output below is an example of an IGP shortcut configuration. An IGP shortcut is created using the rsvp-shortcut command in the ospf context.
The CLI output below is an example of an RSVP-TE LSP with CSPF enabled.
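The following is an added example, not CLI output from the original page, that collects the IGP shortcut and RSVP-TE LSP pieces above into one Dut-A configuration. The IPSec tunnel is again assumed to exist with local-gateway-address 10.10.10.11, delivery service 10 and peer 10.20.20.12 on Dut-F, and Dut-F is assumed to advertise 10.20.20.0/24 into OSPF. It is reconstructed SR OS classic CLI; the interface, path and LSP names and the system address of Dut-F (10.0.0.6) are assumptions, and keywords should be checked against the release's command reference.

```text
# Added example: resolving the IPSec secure gateway over an OSPF shortcut onto an RSVP-TE LSP
# (reconstructed SR OS classic CLI; names and addresses are assumptions).
configure
    router
        mpls
            interface "to-DutE"
            exit
            # an empty path lets CSPF compute the route hop by hop
            path "loose"
                no shutdown
            exit
            # RSVP-TE LSP to the system address of Dut-F, with CSPF enabled
            lsp "to-DutF"
                to 10.0.0.6
                cspf
                primary "loose"
                exit
                no shutdown
            exit
            no shutdown
        exit
        rsvp
            interface "to-DutE"
            exit
            no shutdown
        exit
        ospf
            # rsvp-shortcut makes OSPF install routes with the RSVP-TE LSP as next hop
            rsvp-shortcut
            area 0.0.0.0
                interface "system"
                exit
                interface "to-DutE"
                exit
            exit
        exit
    exit
exit

# Verification (assumed checks): the LSP should be up, and the route to 10.20.20.12 should
# appear in the route table with the LSP "to-DutF" as its next hop.
show router mpls lsp "to-DutF" path detail
show router route-table 10.20.20.12
```

If the OSPF route via the shortcut loses the best-route comparison to another route for the same prefix, the secure gateway is not resolved over the LSP, so the route table check, not just the LSP state, is the one that matters.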
This section provides a brief overview of the following service management tasks:
An IPSec IKE policy or transform cannot be deleted if it is being used by an IPSec tunnel. To delete an IKE policy or IPSec transform:
A public-side IPSec tunnel interface and SAP are created under an IES or VPRN service. The output below uses the CLI syntax and an example from the IES context to show how to delete a public-side IPSec tunnel interface and SAP:
A private-side IPSec tunnel interface and SAP are created under a VPRN service. To delete a private-side IPSec tunnel interface and SAP:
Security policies are created under the VPRN service. To delete an IPSec security policy:
IPSec tunnels are created under the VPRN service. Although an IPSec tunnel is created on the private side of the tunnel in the CLI, the configuration itself is general and can apply to either the public or private side of the tunnel. To delete an IPSec tunnel: