Common Configuration Tasks
This section provides a brief overview of the following common configuration tasks that must be performed to configure IPSec:
Configuring an IPSec Tunnel Group
The following output displays an IPSec group configuration in the ISA context. The 7705 SAR supports only one tunnel-group. The tunnel-group-id is always 1.
*A:7705custDoc:Sar18>config>isa# info detail
----------------------------------------------
        tunnel-group 1 create
            shutdown
            no description
        exit
----------------------------------------------
*A:7705custDoc:Sar18>config>isa#
Configuring Router Interfaces for IPSec
An IPSec tunnel requires the following three interfaces:
public tunnel interface (under IES)
private tunnel interface (under VPRN)
physical untrusted network/Internet-facing interface: either IES or router
The physical interface is the one that must reside on an encryption-capable adapter card.
The following example displays an interface (“internet”) configured using a network port (1/1/1) and an IES interface (“public”) configured using SAP 1/1/8.
*A:ALU-49>config# info
----------------------------------------------
...
    router
        interface "internet"
            address 10.10.7.118/24
            port 1/1/1
        exit
        interface "system"
            address 10.20.1.118/32
        exit
        autonomous-system 123
    exit
...
----------------------------------------------
*A:ALU-49>config#
*A:7705:Dut-A>config>service>ies# info
----------------------------------------------
            description "ies interface towards internet"
            interface "public" create
                address 200.1.1.1/24
                sap 1/1/8 create
                    description "sap-100-200.1.1.1"
                exit
            exit
            no shutdown
----------------------------------------------
Configuring IPSec Parameters
Under the IPSec context, configure the IKE policy and IPSec transform parameters.
The following example displays the IPSec parameter configuration output.
*A:7705custDoc:Sar18>config>ipsec# info
#--------------------------------------------------
    ipsec
        ike-policy 2 create
            own-auth-method psk
            dh-group 14
            ipsec-lifetime 48000
            isakmp-lifetime 60000
            pfs dh-group 5
            auth-algorithm sha384
            encryption-algorithm aes192
            nat-traversal keep-alive-interval 240
            dpd interval 25
        exit
        ipsec-transform 2 create
            esp-auth-algorithm md5
            esp-encryption-algorithm 3des
        exit
    exit
#--------------------------------------------------
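The IKE policy above pairs a strong proposal (AES-192, SHA-384, DH group 14) with PFS on DH group 5, and the ESP transform still uses MD5 and 3DES. The following Python script is an added example, not part of the 7705 SAR documentation: it reads the text of "config>ipsec# info" and lists every IKE or ESP setting that falls below a review threshold; the sample text is the output above, and the weak-algorithm set and minimum DH group are this example's own assumptions, not a vendor list.

```python
import re

# Constructed sample: the ike-policy / ipsec-transform output shown above, embedded
# inline so the check runs offline (real input would be the router's "config>ipsec# info").
SAMPLE_IPSEC_INFO = """
    ipsec
        ike-policy 2 create
            own-auth-method psk
            dh-group 14
            ipsec-lifetime 48000
            isakmp-lifetime 60000
            pfs dh-group 5
            auth-algorithm sha384
            encryption-algorithm aes192
            nat-traversal keep-alive-interval 240
            dpd interval 25
        exit
        ipsec-transform 2 create
            esp-auth-algorithm md5
            esp-encryption-algorithm 3des
        exit
    exit
"""

# Local review policy (an assumption of this example, not a vendor list): hash and
# cipher names to reject, and the smallest Diffie-Hellman group to accept.
WEAK_ALGOS = {"md5", "sha1", "des", "3des", "null"}
MIN_DH_GROUP = 14

def lint_ipsec_info(text):
    """Return (object, keyword, value) for every IKE or ESP setting that fails the policy."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(ike-policy|ipsec-transform) (\d+) create", line):
            current = f"{m.group(1)} {m.group(2)}"  # object the following lines belong to
        elif current and (m := re.match(r"((?:esp-)?(?:auth|encryption)-algorithm) (\S+)", line)):
            if m.group(2).lower() in WEAK_ALGOS:
                findings.append((current, m.group(1), m.group(2)))
        elif current and (m := re.match(r"((?:pfs )?dh-group) (\d+)", line)):
            if int(m.group(2)) < MIN_DH_GROUP:
                findings.append((current, m.group(1), m.group(2)))
    return findings
```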
Configuring IPSec and IPSec Tunnels in Services
IPSec is configured under IES and VPRN services.
Under VPRN service, configure IPSec security policies, and create tunnel interfaces, private tunnel SAPs, and IPSec tunnels along with setting the IPSec tunnel parameters. Use the tunnel keyword when creating an interface for a private tunnel SAP.
Under IES service, create an interface and public tunnel SAP. The tunnel keyword is not used when creating an interface for a public tunnel SAP.
Private and public tunnels function in pairs, where a pair is defined by the tag in the sap-id; for example, SAP tunnel-1.private:22 and SAP tunnel-1.public:22 are a pair.
The local gateway address and delivery service configured under the VPRN ipsec-tunnel>local-gateway-address command correspond to the IES interface address and service ID where the public tunnel interface is defined. In the example below, the local-gateway-address is 10.10.10.11 and the delivery-service is 10.
The following example displays the configuration output when configuring IPSec for VPRN services and for IES.
*A:7705custDoc:Sar18>config>service>vprn# info detail
----------------------------------------------
...
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                    entry 2 create
                        local-ip 192.100.100.10/32
                        remote-ip 192.100.200.10/32
                    exit
                exit
                security-policy 15 create
                    entry 15 create
                        no local-ip
                        no remote-ip
                    exit
                exit
            exit
...
            interface "vprn_tunnel" tunnel create
                no ip-mtu
                sap tunnel-1.private:22 create
                    no description
                    ingress
                        qos 1
                    exit
                    egress
                        qos 1
                        no filter
                        no agg-rate-limit
                    exit
                    ipsec-tunnel "ipsec_tunnel_tag1" create
                        shutdown
                        no description
                        security-policy 1 2
                        local-gateway-address 10.10.10.11 peer 11.11.11.11 delivery-service 10
                        no bfd-designate
                        no clear-df-bit
                        no ip-mtu
                    exit
                    no shutdown
                exit
                no shutdown
            exit
            no service-name
            static-route 192.100.200.10/32 ipsec-tunnel "ipsec_tunnel_tag1"
----------------------------------------------
*A:7705custDoc:Sar18>config>service>vprn#
*A:7705custDoc:Sar18>config>service>ies# info detail
----------------------------------------------
...
        ies 10 customer 1 create
            interface "ies_tunnelPublicSide_1" create
                address 10.10.10.1/24
                sap tunnel-1.public:22 create
                    no description
                    ingress
                        qos 1
                    exit
                    egress
                        qos 1
                        no filter
                        no agg-rate-limit
                    exit
                    no collect-stats
                    no accounting-policy
                    no shutdown
                exit
            exit
            no service-name
----------------------------------------------
*A:7705custDoc:Sar18>config>service>ies#
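A tunnel that is up on the VPRN side but whose public SAP tag, delivery-service or local gateway address does not line up with the IES side is a common misconfiguration. The following Python script is an added example, not part of the 7705 SAR documentation: it reads the VPRN and IES "info detail" text and checks the two rules stated above (private and public SAPs pair by tunnel-id and tag; the local gateway address and delivery-service must match the IES interface address and service ID). The sample text is constructed from the example above, and the check logic is this example's own.

```python
import re
import ipaddress
# Constructed sample: the VPRN and IES "info detail" excerpts from the example above, embedded inline.
VPRN_INFO = """
            interface "vprn_tunnel" tunnel create
                sap tunnel-1.private:22 create
                    ipsec-tunnel "ipsec_tunnel_tag1" create
                        local-gateway-address 10.10.10.11 peer 11.11.11.11 delivery-service 10
                    exit
                exit
            exit
"""
IES_INFO = """
        ies 10 customer 1 create
            interface "ies_tunnelPublicSide_1" create
                address 10.10.10.1/24
                sap tunnel-1.public:22 create
                exit
            exit
"""
def public_saps(ies_text):
    """Map each public tunnel SAP (tunnel-id:tag) to (IES service-id, interface subnet)."""
    saps, svc, subnet = {}, None, None
    for line in ies_text.splitlines():
        line = line.strip()
        if m := re.match(r"ies (\d+) ", line):
            svc = int(m.group(1))
        elif m := re.match(r"address (\S+)", line):
            subnet = ipaddress.ip_network(m.group(1), strict=False)
        elif m := re.match(r"sap tunnel-(\d+)\.public:(\d+) ", line):
            saps[f"tunnel-{m.group(1)}:{m.group(2)}"] = (svc, subnet)
    return saps
def check_tunnel_pairs(vprn_text, ies_text):
    """Return problems found; an empty list means every private SAP pairs with a public SAP, the delivery-service is that IES service, and the gateway sits on its interface."""
    pubs, problems, sap = public_saps(ies_text), [], None
    for line in vprn_text.splitlines():
        line = line.strip()
        if m := re.match(r"sap tunnel-(\d+)\.private:(\d+) ", line):
            sap = f"tunnel-{m.group(1)}:{m.group(2)}"  # private SAP the next tunnel belongs to
        elif m := re.match(r"local-gateway-address (\S+) peer \S+ delivery-service (\d+)", line):
            gw, svc = ipaddress.ip_address(m.group(1)), int(m.group(2))
            if sap not in pubs:
                problems.append(f"{sap}: no matching public SAP in IES")
            elif pubs[sap][0] != svc:
                problems.append(f"{sap}: delivery-service {svc} is not IES service {pubs[sap][0]}")
            elif gw not in pubs[sap][1]:
                problems.append(f"{sap}: gateway {gw} is outside {pubs[sap][1]}")
    return problems
```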
Configuring IPSec IPv6 Parameters for a VPRN Service
Use the following CLI syntax to configure IPSec IPv6 parameters for a VPRN service:
config>service# vprn service-id [customer customer-id] [create]
    ipsec
        security-policy security-policy-id [create]
            entry entry-id [create]
                local-v6-ip {ipv6-prefix/prefix-length | any}
                remote-v6-ip {ipv6-prefix/prefix-length | any}
A:ALU-41>config>service# vprn 1011
A:ALU-41>config>service>vprn$ ipsec
A:ALU-41>config>service>vprn>ipsec>security-policy$ 1 create
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry$ 1 create
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>local-v6-ip$ fd00:1:1:1::/64
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>local-v6-ip$ exit
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>remote-v6-ip$ fd00:1:129:1::/64
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry>remote-v6-ip$ exit
A:ALU-41>config>service>vprn>ipsec>sec-plcy>entry$ exit
A:ALU-41>config>service>vprn>ipsec>security-policy$ exit
A:ALU-41>config>service>vprn>ipsec$ exit
The following example displays IPSec IPv6 parameters configuration output.
*A:7705:Dut-A>config>service>vprn# info
----------------------------------------------
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-v6-ip fd00:1:1:1::/64
                        remote-v6-ip fd00:1:129:1::/64
                    exit
                exit
            exit
Configuring X.509v3 Certificate Parameters
Perform the following steps to configure certificate enrollment.
Generate a key:
admin certificate gen-keypair cf3:/key_plain_rsa2048 size 2048 type rsa
Generate a certificate request:
admin certificate gen-local-cert-req keypair cf3:/key_plain_rsa2048 subject-dn "C=US,ST=CA,CN=7705" file 7705_req.csr
Send the certificate request to CA-1 to sign and get the signed certificate.
Import the key:
admin certificate import type key input cf3:/key_plain_rsa2048 output key1_rsa2048 format der
Import the signed certificate:
admin certificate import type cert input cf3:/7705_cert.pem output 7705cert format pem
Perform the following steps to import the CA certificate and CRL.
Import the CA certificate:
admin certificate import type cert input cf3:/CA_1_cert.pem output ca_cert format pem
Import the CA’s CRL:
admin certificate import type crl input cf3:/CA_1_crl.pem output ca_crl format pem
The following example displays the configuration for certificate authentication on an IKEv2 static LAN-to-LAN tunnel.
config>system>security>pki# info
----------------------------------------------
                ca-profile "alu-root" create
                    cert-file "alu_root.cert"
                    crl-file "alu_root.crl"
                    no shutdown
                exit
----------------------------------------------
config>ipsec# info
----------------------------------------------
        ike-policy 1 create
            auth-method cert-auth
        exit
        ipsec-transform 1 create
        exit
        cert-profile "segw" create
            entry 1 create
                cert segw.cert
                key segw.key
            exit
            no shutdown
        exit
        trust-anchor-profile "alu" create
            trust-anchor "alu-root"
        exit
config>service>vprn>if>sap
----------------------------------------------
                    ipsec-tunnel "t50" create
                        security-policy 1
                        local-gateway-address 192.168.55.30 peer 192.168.33.100 delivery-service 300
                        dynamic-keying
                            ike-policy 1
                            transform 1
                            cert
                                trust-anchor-profile "alu"
                                cert-profile "segw"
                            exit
                        exit
                        no shutdown
                    exit
The following example displays the syntax to import a certificate from the PEM format.
*A:ALU-A# admin certificate import type cert input cf3:/pre-import/R1-0cert.pem output R1-0cert.der format pem
The following example displays the syntax to export a certificate to the PEM format.
*A:ALU-A# admin certificate export type cert input R1-0cert.der output cf3:/R1-0cert.pem format pem
Configuring CMPv2
CMPv2 server information is configured under a corresponding ca-profile by using the following CLI commands:
config>system>security>pki>ca-profile
    cmpv2
        url url-string [service-id service-id]
        response-signing-cert filename
        key-list
            key password [hash | hash2] reference reference-number
The url command specifies the HTTP URL of the CMPv2 server, and the service-id specifies the routing instance that the system uses to access the CMPv2 server (if the service ID is omitted, the system uses the base routing instance).
The service ID is only needed for in-band connections to the server via VPRN services. IES services are not referenced by the service ID, since an IES service routing instance is considered to be a base routing instance.
The response-signing-cert command specifies an imported certificate that is used to verify CMP response messages if they are protected by a signature. If this command is not configured, the CA’s certificate is used.
The key-list command specifies a list of pre-shared-keys used for CMPv2 initial registration message protection.
config>system>security>pki>ca-profile>
    cmpv2
        url "http://cmp.example.com/request" service-id 100
        key-list
            key passwordToBeUsed [hash | hash2] reference "1"
All CMPv2 operations are invoked by using the admin certificate cmpv2 command.
If no key-list is defined under the cmpv2 configuration, the system defaults to the cmpv2 transaction that was input on the command line for authenticating a message without a sender ID. If the response message has no sender ID and a key-list is defined, the system tries only the lexicographically first entry; if that fails, the transaction fails.
The system supports optional commands (such as always-set-sender-ir) to support inter-operation with CMPv2 servers. Refer to the IPSec Command Reference for details about syntax and usage.
Configuring OCSP
OCSP server information is configured under the corresponding ca-profile:
config>system>security>pki>ca-profile>
    ocsp
        responder-url url-string
        service service-id
The responder-url command specifies the HTTP URL of the OCSP responder. The service command specifies the routing instance that the system uses to access the OCSP responder.
config>system>security>pki>ca-profile>
    ocsp
        responder-url "http://ocsp.example.com/request"
        service 100
For a given IPSec tunnel, the user can configure a primary certificate status verification method, a secondary method that is tried when the primary does not return a result, and a default result that is applied when neither method returns one.
config>service>vprn>if>sap>ipsec-tun>
    cert
        status-verify
            primary {ocsp | crl}
            secondary {ocsp | crl}
            default-result {revoked | good}
config>service>vprn>if>sap>ipsec-tun>
    cert
        status-verify
            primary ocsp
            secondary crl
Service Management Tasks
This section provides a brief overview of the following service management tasks:
Deleting an IPSec IKE Policy or an IPSec Transform
An IPSec IKE policy or transform cannot be deleted if it is being used by an IPSec tunnel. To delete an IKE policy or IPSec transform:
config>service>vprn>if>sap>ipsec-tunnel# dynamic-keying
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no ike-policy
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no transform
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# exit all
config>ipsec# no ike-policy ike-policy-id
config>ipsec# no ipsec-transform transform-id
config>service>vprn>if>sap>ipsec-tunnel# dynamic-keying
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no ike-policy
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# no transform
config>service>vprn>if>sap>ipsec-tunnel>dynamic-keying# exit all
config>ipsec# no ike-policy 2
config>ipsec# no ipsec-transform 2
Deleting a Public IPSec Tunnel SAP and Interface
A public IPSec tunnel interface and SAP are created under IES. To delete a public IPSec tunnel interface and SAP:
config>service>ies>interface# no sap tunnel-id.public:tag
config>service>ies# no interface ip-int-name
config>service>ies>interface# no sap tunnel-1.public:22
config>service>ies# no interface ies_tunnelPublicSide_1
Deleting a Private IPSec Tunnel SAP and Interface
A private IPSec tunnel interface and SAP are created under a VPRN service. To delete a private IPSec tunnel interface and SAP:
config>service>vprn>interface# no sap tunnel-id.private:tag
config>service>vprn# no interface ip-int-name
config>service>vprn>interface# no sap tunnel-1.private:22
config>service>vprn# no interface vprn-tunnel
Deleting an IPSec Security Policy
Security policies are created under the VPRN service. To delete an IPSec security policy:
config>service>vprn>ipsec# no security-policy security-policy-id
config>service>vprn>ipsec# no security-policy 35
Deleting an IPSec Tunnel
IPSec tunnels are created under the VPRN service. To delete an IPSec tunnel:
config>service>vprn>if>sap# no ipsec-tunnel ipsec-tunnel-name
config>service>vprn>if>sap# no ipsec-tunnel ipsec_tunnel_tag1