7705 SAR

R6.2


Introduction:

 

IPSec provides security services at the IP layer, including data integrity, data origin authentication, confidentiality and rejection of replayed packets between participating peers. Operating at layer 3, IPSec can protect layer 4 protocols, both TCP and UDP. The 7750 SR supports both static and dynamic tunnels, whereas the 7705 SAR supports only static tunnels. This configuration note focuses on a static (7705 SAR) to dynamic (7750 SR) IPSec tunnel.

 

IPSec tunnel creation consists of a private-domain VPRN service and a public-domain VPRN/IES service (the 7705 SAR supports only IES in the public domain). The two services are coupled to each other through the encryption engine.

 

Network setup consists of:

 

·  Hardware

o   The 7705 SAR is equipped with a CSMv2 and an a8-1gb-v3-sfp MDA in a SAR-8v2 chassis. Any MDA supporting IPSec should be sufficient.

o   The 7750 SR is equipped with standard Ethernet cards and a CPM. An isa-ms MDA provisioned as an isa-tunnel terminates the IPSec tunnels.

 

·  Software

o   The 7705 SAR runs Release 6.2R1, but the following configuration should be supported on any release that has IPSec and Hybrid ports available.

o   The 7750 SR runs Release 12.0R8, but the configuration should work on other supported versions.

 

Prerequisites:

 

This configuration note assumes that the base configuration, including cards, MDAs and ports, has already been implemented on the nodes.


Setup 1: Static-Dynamic LAN-to-LAN IPSec Tunnel:

Configuration Steps:

In this setup, the 7705 SAR is the static side and the 7750 SR is the dynamic side of the LAN-to-LAN IPSec tunnel. Below is the step-by-step procedure to configure and verify it.

1.    IP Interface Configuration: Configure an interface in the GRT (Global Routing Table) that provides IP reachability between the tunnel peers.

 

A:SAR8v2-09>config>router# interface to-SR180

A:SAR8v2-09>config>router>if# info

----------------------------------------------

            address 10.180.9.1/31

            port 1/1/6

            dhcp

                shutdown

            exit

---------------------------------------------- 

 

*B:SR-7-180# configure router interface "to-SAR9"

*B:SR-7-180>config>router>if# info

----------------------------------------------

            address 10.180.9.0/31

            port 3/2/19

            no shutdown

----------------------------------------------

 

 

2.    Tunnel Group Configuration: The 7705 SAR supports only one tunnel group per chassis, whereas the 7750 SR supports up to 16 tunnel groups. Multiple IPSec tunnels can be configured in one tunnel group.

 

*A:SAR8v2-09# configure isa

*A:SAR8v2-09>config>isa# info

----------------------------------------------

        tunnel-group 1 create

             no shutdown

        exit

----------------------------------------------

 

*B:SR-7-180# configure isa

*B:SR-7-180>config>isa# info

----------------------------------------------

        tunnel-group 1 create

            primary 2/2

            no shutdown

        exit

----------------------------------------------

 

 

3.    IPSec Policy Configurations: The following three policy configurations are mandatory for an IPSec tunnel:

 

a.    IKE policy: This policy contains the parameters describing the IKE session (phase 1) itself. Only one IKE policy per tunnel is supported. The 7705 SAR supports only IKEv2 (ike-version 2), whereas the 7750 SR defaults to ike-version 1, so set it to version 2 on the 7750 SR; both sides must match.

 

A:SAR8v2-09>config>ipsec# ike-policy 4 create

A:SAR8v2-09>config>ipsec>ike-policy# info detail

----------------------------------------------

            no description

            no auth-method

            no own-auth-method

            no dh-group

            no ipsec-lifetime

            no isakmp-lifetime

            no pfs

            auth-algorithm sha1

            encryption-algorithm aes128

            no nat-traversal

            no dpd

----------------------------------------------  

 

B:SR-7-180# configure ipsec ike-policy 4 create

B:SR-7-180>config>ipsec>ike-policy# info detail

----------------------------------------------

            no description

            ike-version 2

            no ike-mode

            no auth-method

            auto-eap-method cert

            auto-eap-own-method cert

            no own-auth-method

            no dh-group

            no ipsec-lifetime

            no isakmp-lifetime

            no pfs

            auth-algorithm sha1

            encryption-algorithm aes128

            no nat-traversal

            no dpd

            no match-peer-id-to-cert

            exit

---------------------------------------------- 

 

 

b.    IPSec Transform Policy: This policy defines the authentication and encryption algorithms used by ESP (phase 2), which are negotiated during SA set-up. This policy is also required to enable the tunnel.

 

A:SAR8v2-09>config>ipsec>transform# info detail

----------------------------------------------

            esp-auth-algorithm sha1

            esp-encryption-algorithm aes128

----------------------------------------------

 

B:SR-7-180>config>ipsec>transform# info detail

----------------------------------------------

            esp-auth-algorithm sha1

            esp-encryption-algorithm aes128

----------------------------------------------

 

 

c.    Security Policy: The tunnel cannot be enabled without a security policy. It selects the traffic allowed into the tunnel by IP address range, configured as local and remote IP addresses. On the static side of the tunnel (7705 SAR), set local-ip to the customer network so that the dynamic side can recognize it.

 

A:SAR8v2-09# configure service vprn 36

A:SAR8v2-09>config>service>vprn# info

----------------------------------------------

            ipsec

                security-policy 4 create

                    entry 1 create

                        local-ip 3.3.3.0/24

                        remote-ip any

                    exit

                exit

            exit

----------------------------------------------

 

B:SR-7-180>config>service>vprn# info

----------------------------------------------

            ipsec

                security-policy 4 create

                    entry 1 create

                        local-ip any

                        remote-ip any

                    exit

                exit

            exit

----------------------------------------------

 

 

d.    Tunnel Template: The template is configured only on the 7750 SR. It references the IPSec transform policy configured above and carries the option to enable Reverse Route Injection (RRI).

 

*B:SR-7-180>config>ipsec# tunnel-template 4

*B:SR-7-180>config>ipsec>tnl-temp># info

----------------------------------------------

            sp-reverse-route

            transform 4

----------------------------------------------

 

 

4.    IPSec Public Interface Configuration: This interface represents the public side of the IPSec encryption engine.

         

*A:SAR8v2-09# configure service ies 33

*A:SAR8v2-09>config>service>ies# info

----------------------------------------------

            interface "Public-SR-test" create

                address 33.33.33.1/24

                sap tunnel-1.public:4 create

                exit

            exit

            no shutdown

----------------------------------------------

 

The IPSec gateway (ipsec-gw) is configured in the public domain of the 7750 SR and includes:

-          A reference to the VPRN service ID and its tunnel interface

-          References to the ike-policy and tunnel-template configured above

-          The local gateway address

-          The pre-shared key, which must match the remote peer's configuration

 

*B:SR-7-180>config>service>ies# info

----------------------------------------------

            interface "Public-SAR-test" create

                address 44.44.44.1/24

                tos-marking-state untrusted

                sap tunnel-1.public:4 create

                    ipsec-gw "vprn-36-test"

                        default-secure-service 36 interface "Pri-SAR-test"

                        default-tunnel-template 4

                        ike-policy 4

                        local-gateway-address 44.44.44.2

                        pre-shared-key "alcatel"

                        no shutdown

                    exit

                exit

            exit

            no shutdown

----------------------------------------------

 

 

5.    VPRN Private Domain Configuration: The private IPSec interface represents the private side of the encryption engine. Only a VPRN can carry a private interface. The private VPRN SAP is configured like the public IES SAP, except that the keyword “private” replaces “public”. The private SAP ID must match the public SAP ID (here “:4”), and “-1” in “tunnel-1” identifies the tunnel group.

The following parameters are configured in the SAP on the static side of the tunnel only (7705 SAR):

-          The local gateway address and the public IES interface address must be in the same subnet

-          The delivery service ID must be the public service ID

-          The peer gateway address is the remote peer's gateway IP address

 

On the dynamic side these parameters were already configured in the ipsec-gw under the public IES interface.

 

A:SAR8v2-09>config>service>vprn# info

----------------------------------------------

            ipsec

                security-policy 4 create

                    entry 1 create

                        local-ip 3.3.3.0/24

                        remote-ip any

                    exit

                exit

            exit

            route-distinguisher 65100:33

            vrf-target target:65100:33

            interface "Pri-SR-test" tunnel create

                sap tunnel-1.private:4 create

                    ipsec-tunnel "tunnel-SR-test" create

                        security-policy 4

                        local-gateway-address 33.33.33.2 peer 44.44.44.2 delivery-service 33

                        dynamic-keying

                            ike-policy 4

                            pre-shared-key "alcatel"

                            transform 4

                        exit

                        no shutdown

                    exit

                exit

            exit

            interface "CE-test" create

                address 3.3.3.1/24

                sap 1/1/5 create

                exit

            exit

            static-route 4.4.4.0/24 ipsec-tunnel "tunnel-SR-test"

            no shutdown

----------------------------------------------

 

B:SR-7-180>config>service>vprn# info

----------------------------------------------

            ipsec

                security-policy 4 create

                    entry 1 create

                        local-ip any

                        remote-ip any

                    exit

                exit

            exit

            route-distinguisher 65100:33

            vrf-target target:65100:33

            interface "Pri-SAR-test" tunnel create

                sap tunnel-1.private:4 create

                exit

            exit

            interface "CE-test" create

                address 4.4.4.1/24

                sap 3/2/16 create

                exit

            exit

            no shutdown

----------------------------------------------

 

 

6.    VPRN Static Route Configuration: On the 7705 SAR only, a static route is required to route the CE traffic through the IPSec tunnel.

On the 7750 SR, RRI converts each Security Association (SA) offered by the static side into a locally installed (managed) route pointing to the IPSec tunnel. One RRI route is added per SA.

 

*A:SAR8v2-09>config>service# vprn 36

*A:SAR8v2-09>config>service>vprn# info

----------------------------------------------

static-route 4.4.4.0/24 ipsec-tunnel "tunnel-SR-test"

----------------------------------------------
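An offline pre-check of the consistency rules stated in steps 3 to 6 (IKEv2 on both sides, matching algorithms and pre-shared key, mirrored public/private SAP IDs, local gateway inside the public interface subnet, delivery service equal to the public service, peer equal to the other side's gateway). This is an added example, not Alcatel-Lucent code or a 7705/7750 feature; the dictionary layout and key names are assumptions, while the values are the ones used in this note.

```python
import copy
import ipaddress
import re

# Tunnel parameters transcribed from the two sides configured in this note.
# The dict layout is an assumption made for this offline pre-check; it is not
# an SR OS data model. Static side = 7705 SAR, dynamic side = 7750 SR.
STATIC_SIDE = {
    "name": "7705 SAR", "ike_version": 2, "ike_auth": "sha1", "ike_enc": "aes128",
    "esp_auth": "sha1", "esp_enc": "aes128", "psk": "alcatel",
    "public_svc": 33, "public_if": "33.33.33.1/24", "local_gw": "33.33.33.2",
    "public_sap": "tunnel-1.public:4", "private_sap": "tunnel-1.private:4",
    "peer_gw": "44.44.44.2", "delivery_svc": 33,   # static-side-only knobs
}
DYNAMIC_SIDE = {
    "name": "7750 SR", "ike_version": 2, "ike_auth": "sha1", "ike_enc": "aes128",
    "esp_auth": "sha1", "esp_enc": "aes128", "psk": "alcatel",
    "public_svc": 33, "public_if": "44.44.44.1/24", "local_gw": "44.44.44.2",
    "public_sap": "tunnel-1.public:4", "private_sap": "tunnel-1.private:4",
}
SAP_RE = re.compile(r"^tunnel-(\d+)\.(public|private):(\d+)$")

def check_side(side):
    """Rules for one node: IKEv2, mirrored SAP ids, gateway inside the public subnet."""
    name, problems = side["name"], []
    if side["ike_version"] != 2:
        problems.append(f"{name}: ike-version must be 2 (the 7705 SAR supports IKEv2 only)")
    pub, priv = SAP_RE.match(side["public_sap"]), SAP_RE.match(side["private_sap"])
    if not (pub and priv):
        problems.append(f"{name}: tunnel SAP id is malformed")
    elif (pub.group(1), pub.group(3)) != (priv.group(1), priv.group(3)):
        problems.append(f"{name}: private SAP {side['private_sap']} must mirror "
                        f"public SAP {side['public_sap']} (same tunnel group and id)")
    subnet = ipaddress.ip_interface(side["public_if"]).network
    if ipaddress.ip_address(side["local_gw"]) not in subnet:
        problems.append(f"{name}: local-gateway-address {side['local_gw']} "
                        f"is outside the public interface subnet {subnet}")
    if "delivery_svc" in side and side["delivery_svc"] != side["public_svc"]:
        problems.append(f"{name}: delivery-service {side['delivery_svc']} "
                        f"must be the public service id {side['public_svc']}")
    return problems

def check_pair(static, dynamic):
    """Rules spanning both nodes: matching IKE/ESP algorithms, PSK and peer address."""
    problems = check_side(static) + check_side(dynamic)
    for key, label in (("ike_auth", "IKE auth-algorithm"), ("ike_enc", "IKE encryption-algorithm"),
                       ("esp_auth", "esp-auth-algorithm"), ("esp_enc", "esp-encryption-algorithm"),
                       ("psk", "pre-shared-key")):
        if static[key] != dynamic[key]:
            problems.append(f"{label} differs between the two sides")
    if static["peer_gw"] != dynamic["local_gw"]:
        problems.append(f"static peer {static['peer_gw']} is not the dynamic side's "
                        f"local-gateway-address {dynamic['local_gw']}")
    return problems

def broken_example():
    """The same pair with the 7750 SR left at its default ike-version 1 and a mistyped PSK."""
    bad = copy.deepcopy(DYNAMIC_SIDE)
    bad.update(ike_version=1, psk="alcate1")
    return check_pair(STATIC_SIDE, bad)

if __name__ == "__main__":
    print(check_pair(STATIC_SIDE, DYNAMIC_SIDE))   # []
    print(broken_example())
```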

 

 

7.    Triggering the Tunnel: By default, tunnel negotiation does not start automatically unless “auto-establish” is configured under the tunnel. A data packet can trigger the tunnel set-up.

This can be done with a ping from a private address reachable in the local VPRN to a private address reachable at the other side of the tunnel.

 

 

A:SAR8v2-09# ping 4.4.4.1 router 36

PING 4.4.4.1 56 data bytes

64 bytes from 4.4.4.1: icmp_seq=1 ttl=64 time=0.400ms.

64 bytes from 4.4.4.1: icmp_seq=2 ttl=64 time=0.380ms.

64 bytes from 4.4.4.1: icmp_seq=3 ttl=64 time=0.390ms.

64 bytes from 4.4.4.1: icmp_seq=4 ttl=64 time=0.427ms.

64 bytes from 4.4.4.1: icmp_seq=5 ttl=64 time=0.428ms.

 

---- 4.4.4.1 PING Statistics ----

5 packets transmitted, 5 packets received, 0.00% packet loss

round-trip min = 0.380ms, avg = 0.405ms, max = 0.428ms, stddev = 0.019ms

 

8.    Verification:

 

7705 SAR: Use <show ipsec tunnel> to display the tunnel name, status, peer IP addresses, etc.

 

A:SAR8v2-09# show ipsec tunnel

 

==========================================================================

IPsec Tunnels

==========================================================================

TunnelName                       LocalAddress      SvcId        Admn   Keying 

  SapId                            RemoteAddress     DlvrySvcId   Oper   Sec  

                                                                         Plcy 

--------------------------------------------------------------------------

tunnel-SR-test                   33.33.33.2        36           Up     Dynamic

  tunnel-1.private:4               44.44.44.2        33           Up     4   

--------------------------------------------------------------------------

IPsec Tunnels: 1

    

7750 SR: Use <show ipsec gateway> to display the gateway name, status, local IP address, etc.

 

*B:SR-7-180# show ipsec gateway

 

==========================================================================

IPSec Gateway

==========================================================================

Name                             LclGwAddr        Adm  Opr  Ike  Auth

 SAP                              Service                       

--------------------------------------------------------------------------

vprn-36-test                     44.44.44.2       Up   Up   4    psk

 tunnel-1.public:4                33                             

--------------------------------------------------------------------------

Number of gateways: 1

==========================================================================

 

CLI command to check ike-policy:

 

A:SAR8v2-09# show ipsec ike-policy

 

==========================================================================

IPsec IKE Policies

==========================================================================

Id   Ike  Ike DH Pfs   Pfs Auth   Encr   Isakmp IPsec  Auth     DPD     NAT   

     Mode Ver          DH  Alg    Alg    Life-  Life-  Method                  

                                         time   time                          

--------------------------------------------------------------------------

4    Main  2  2  False 2   Sha1   Aes128 86400  3600   psk      disable disable

--------------------------------------------------------------------------

No. of IPsec IKE Policies: 1

==========================================================================

 

CLI command to check the VPRN route table:

 

A:SAR8v2-09# show router 36 route-table

 

==========================================================================

Route Table (Service: 36)

==========================================================================

Dest Prefix                                   Type    Proto    Age         Pref

       Next Hop[Interface Name]                                     Metric    

--------------------------------------------------------------------------

3.3.3.0/24                                    Local   Local    22h06m07s   0  

       CE-test                                                      0

4.4.4.0/24                                    Remote  Static   21h02m20s   5  

       tunnel-SR-test (IPsec Tunnel)                                1

10.10.10.9/32                                 Remote  Static   21h59m29s   5  

       3.3.3.2                                                      1

10.10.10.180/32                               Remote  Static   21h02m20s   5  

       tunnel-SR-test (IPsec Tunnel)                                1

--------------------------------------------------------------------------

No. of Routes: 4

Flags: B = BGP backup route available

       n = Number of times nexthop is repeated

==========================================================================

   

*B:SR-7-180>config>service>vprn# show router 36 route-table

 

==========================================================================

Route Table (Service: 36)

==========================================================================

Dest Prefix[Flags]                            Type    Proto     Age        Pref

      Next Hop[Interface Name]                                    Metric  

--------------------------------------------------------------------------

3.3.3.0/24                                    Remote  IPsec     00h00m06s  0

       vprn-36-test-33.33.33.2:500 (IPsec Tunnel)(P*"               0

4.4.4.0/24                                    Local   Local     22h05m32s  0

       CE-test                                                      0

10.10.10.9/32                                 Remote  IPsec     21h05m52s  0

       vprn-36-test-33.33.33.2:500 (IPsec Tunnel)(P*"               0

10.10.10.180/32                               Remote  Static    22h01m41s  5

       4.4.4.2                                                      1

--------------------------------------------------------------------------

No. of Routes: 4

Flags: n = Number of times nexthop is repeated

       B = BGP backup route available

       L = LFA nexthop available

       S = Sticky ECMP requested

==========================================================================

 

CLI command to check security-policy:

 

A:SAR8v2-09# show ipsec security-policy

 

==========================================================================

IPsec Security Policies

==========================================================================

ServiceId                SecurityPolicyId            Security Policy Params   

                                                     Entry count              

--------------------------------------------------------------------------

36                       4                           2                      

--------------------------------------------------------------------------

No. of IPsec Security Policies: 1

CLI command to check ipsec transform policy:

 

A:SAR8v2-09# show ipsec transform

 

================================================================

IPsec Transforms

================================================================

TransformId    EspAuthAlgorithm    EspEncryptionAlgorithm                     

----------------------------------------------------------------

4              Sha1                Aes128                      

----------------------------------------------------------------

No. of IPsec Transforms: 1

================================================================

   

CLI command to check tunnel template:

 

*B:SR-7-180# show ipsec tunnel-template

 

==========================================================================

IPSec Tunnel Template

==========================================================================

Id      Trnsfrm1  Trnsfrm2  Trnsfrm3  Trnsfrm4  ReverseRoute      ReplayWnd

--------------------------------------------------------------------------

4       4         none      none      none      useSecurityPolicy  0

--------------------------------------------------------------------------

Number of templates: 1

==========================================================================

  

CLI command for MDA statistics:

 

A:SAR8v2-09# show mda 1/1 statistics security encryption

 

==========================================================================

MDA 1/1 Security Statistics

==========================================================================

 

--------------------------------------------------------------------------

IPsec Datapath Statistics

--------------------------------------------------------------------------

    Encrypted packets             : 2114

    Encrypted bytes               : 175206

    Outbound dropped packets      : 0

    Outbound SA misses            : 0

    Outbound policy entry misses  : 0

    Decrypted packets             : 2114

    Decrypted bytes               : 175612

    Inbound dropped packets       : 0

    Inbound SA misses             : 0

    Inbound IP dst/src mismatches : 0

    Inbound IP fragmented packets : 0

    Transmit packet errors        : 0

    Drop Too Big/Df-set Pkts      : 0

 

--------------------------------------------------------------------------

IPsec Control Statistics (System Wide)

--------------------------------------------------------------------------

    Static IPsec Tunnels          : 2

    Dynamic IPsec Tunnels         : 0

 

--------------------------------------------------------------------------

IPsec Queue Statistics

--------------------------------------------------------------------------

Decryption Queue Best-effort     Packets                Bytes

    Hi Priority forwarded  :        0                     0                   

    Hi Priority dropped    :        0                     0                   

    Low Priority forwarded :        2115                  277116              

    Low Priority dropped   :        0                     0                   

 

Decryption Queue Expedited       Packets                Bytes

    Hi Priority forwarded  :        0                     0                   

    Hi Priority dropped    :        0                     0                   

    Low Priority forwarded :        0                     0                    

    Low Priority dropped   :        0                     0                   

 

Encryption Queue Best-effort     Packets                Bytes

    In Profile forwarded   :        0                      0                   

    In Profile dropped     :        0                      0                   

    Out Profile forwarded  :        113                    7136                

    Out Profile dropped    :        0                      0                   

                                      

Encryption Queue Expedited       Packets                Bytes

    In Profile forwarded   :        0                      0                   

    In Profile dropped     :        0                      0                   

    Out Profile forwarded  :        0                      0                   

    Out Profile dropped    :        0                      0                   

                                     

Encryption Queue CTL             Packets                Bytes

    Forwarded :                     2000                  168000              

    Dropped   :                     0                     0                   

==========================================================================
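A small health check over the verification displays in step 8, added here as an example (not part of the original note and not a 7705 SAR feature): it parses the two-line-per-tunnel layout of <show ipsec tunnel> and the datapath counters of <show mda 1/1 statistics security encryption>, and reports any tunnel that is not Up or any drop/miss/error counter that has moved. The sample text is constructed from this note's output, and the list of counters treated as must-be-zero is an assumption, not a vendor threshold.

```python
import re

# Constructed sample text modelled on the "show ipsec tunnel" and
# "show mda 1/1 statistics security encryption" displays in this note.
TUNNEL_OUTPUT = """\
TunnelName                       LocalAddress      SvcId        Admn   Keying
  SapId                            RemoteAddress     DlvrySvcId   Oper   Sec
--------------------------------------------------------------------------
tunnel-SR-test                   33.33.33.2        36           Up     Dynamic
  tunnel-1.private:4               44.44.44.2        33           Up     4
--------------------------------------------------------------------------
IPsec Tunnels: 1
"""
MDA_OUTPUT = """\
    Encrypted packets             : 2114
    Encrypted bytes               : 175206
    Outbound dropped packets      : 0
    Outbound SA misses            : 0
    Outbound policy entry misses  : 0
    Decrypted packets             : 2114
    Decrypted bytes               : 175612
    Inbound dropped packets       : 0
    Inbound SA misses             : 0
    Inbound IP dst/src mismatches : 0
    Inbound IP fragmented packets : 0
    Transmit packet errors        : 0
    Drop Too Big/Df-set Pkts      : 0
"""
TUNNEL_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(Up|Down)\s+(\S+)\s*$")
SAP_RE = re.compile(r"^\s+(\S+)\s+(\S+)\s+(\d+)\s+(Up|Down)\s+(\S+)\s*$")
COUNTER_RE = re.compile(r"^\s*(.+?)\s*:\s*(\d+)\s*$")
# Datapath counters that should stay at zero on a healthy tunnel (an assumption
# about what counts as a finding, not a vendor threshold).
ZERO_EXPECTED = ("dropped", "misses", "mismatches", "errors", "fragmented", "drop too big")

def parse_tunnels(text):
    """Each tunnel spans two lines: name/local/svc/admin/keying, then SAP/remote/delivery/oper/policy."""
    lines, tunnels = text.splitlines(), []
    for first, second in zip(lines, lines[1:]):
        m1, m2 = TUNNEL_RE.match(first), SAP_RE.match(second)
        if m1 and m2:
            tunnels.append({"name": m1[1], "local": m1[2], "svc_id": int(m1[3]),
                            "admin": m1[4], "keying": m1[5], "sap": m2[1],
                            "remote": m2[2], "delivery_svc": int(m2[3]),
                            "oper": m2[4], "sec_policy": m2[5]})
    return tunnels

def parse_counters(text):
    """Map 'Counter name : value' lines to integers."""
    return {m[1]: int(m[2]) for m in map(COUNTER_RE.match, text.splitlines()) if m}

def assess(tunnel_text, mda_text):
    """Return findings; an empty list means every tunnel is Up and no error counter has moved."""
    tunnels, findings = parse_tunnels(tunnel_text), []
    if not tunnels:
        findings.append("no IPsec tunnels parsed")
    for t in tunnels:
        if t["admin"] != "Up" or t["oper"] != "Up":
            findings.append(f"{t['name']} on {t['sap']}: admin {t['admin']}, oper {t['oper']}")
    for name, value in parse_counters(mda_text).items():
        if value and any(k in name.lower() for k in ZERO_EXPECTED):
            findings.append(f"{name} = {value}")
    return findings

def degraded_example():
    """Same displays with the tunnel operationally down and inbound SA misses counting up."""
    down = re.sub(r"Up(\s+4)[ \t]*$", r"Down\1", TUNNEL_OUTPUT, flags=re.M)
    misses = re.sub(r"(Inbound SA misses\s*:\s*)0", r"\g<1>7", MDA_OUTPUT)
    return assess(down, misses)
```

Run assess() against text captured from both commands; a non-empty list is the signal to go back to the matching checks in steps 3 to 6.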