
IKE Enabled IPSEC tunnels

Posted on Jan 27, 2020

IPsec combined with IKE provides authentication and encryption of data traffic and ensures that packets are delivered securely: IKE negotiates the security associations and keys, and IPsec (ESP) protects the packets with them. Viptela supports both IKE version 1 and IKE version 2.

Configure an IPsec Tunnel

To configure an IPsec tunnel, create a logical IPsec interface in the VPN that will carry the tunnel:

vEdge(config)# vpn vpn-id interface ipsecnumber
vEdge(config-interface-ipsec)# ip address ipv4-prefix/length
vEdge(config-interface-ipsec)# (tunnel-source ip-address | tunnel-source-interface interface-name)
vEdge(config-interface-ipsec)# tunnel-destination ipv4-address
vEdge(config-interface-ipsec)# no shutdown

The interface number can be from 1 through 255. tunnel-source sets the local tunnel endpoint address explicitly; tunnel-source-interface uses the address of the named physical interface instead.

You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512).

Configure an IPsec Static Route

To send traffic from a service VPN into an IPsec tunnel that lives in VPN 0, configure a static IPsec route in the service VPN:

vEdge(config)# vpn vpn-id
vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]

The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512).

You can list one or two IPsec tunnel interfaces. The first is the primary tunnel and the second is the secondary: if the primary tunnel fails, traffic moves to the secondary tunnel, and it is preempted back to the primary once the primary tunnel comes back up.

Enable IKE Version 1

By default, IKEv1 is enabled with the following attributes:

• Authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
• Diffie-Hellman group number—16
• Rekeying time interval—4 hours
• SA establishment mode—Main

By default, IKEv1 uses main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode. Note that aggressive mode sends the peer identity, and with pre-shared-key authentication a hash derived from the PSK, before the exchange is encrypted, so it exposes the PSK to offline dictionary attacks; use it only when the remote peer requires it:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# mode aggressive

By default, IKEv1 uses Diffie-Hellman group 16, the 4096-bit modular exponential (MODP) group, for the IKE key exchange. The other options are group 2 (1024-bit MODP), group 14 (2048-bit MODP) and group 15 (3072-bit MODP). A 1024-bit modulus is no longer considered adequate, so treat group 14 as the floor and choose group 2 only for a legacy peer that supports nothing stronger:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number

By default, the IKE exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. To change the cipher suite:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite

The cipher suite can be one of the following:

aes128-cbc-sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
aes128-cbc-sha2—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity

By default, IKE keys are refreshed every 4 hours (14,400 seconds), matching the default rekeying interval listed above. To change the rekeying interval, use the command below; the value can be from 30 seconds through 14 days (1,209,600 seconds). The rekeying interval should be at least 1 hour.

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds

To force the generation of new keys for an existing IKE session without changing the configuration, issue the request ipsec ike-rekey command from operational mode, naming the VPN and the IPsec interface:

vEdge# request ipsec ike-rekey vpn vpn-id interface ipsecnumber

For IKE, you can also configure preshared key (PSK) authentication. The same secret must be configured on both peers, and because the PSK is the only thing authenticating the peer, use a long random value rather than a memorable password:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

If the remote IKE peer requires a specific local or remote identity (for example when the peer matches incoming IKE sessions on an ID rather than on the source address), configure the identifiers under the authentication type:

vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id
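The following session, added here as a worked example and not taken from the Cisco/Viptela documentation this post summarises, ties together the three pieces above: the IPsec tunnel interfaces in VPN 0, the IPsec route in a service VPN with a primary and a secondary tunnel, and the IKEv1 parameters. The VPN number, interface names, addresses, identities and the pre-shared secret (VPN 10, ge0/0, ipsec1 and ipsec2, 203.0.113.10, 198.51.100.20, the 10.0.0.0/30 and 10.0.0.4/30 tunnel addresses, 10.200.0.0/16, vedge-site1, fw-hq-primary, fw-hq-backup and the REPLACE placeholder) are assumed values for illustration; lines beginning with "!" are annotations, not commands. The example keeps main mode and the group 16 default, replaces the HMAC-SHA1 default with the aes256-cbc-sha2 suite, and sets the rekey interval explicitly to the 4-hour default.

```text
! Transport VPN: primary IPsec tunnel to the head-end gateway
vEdge(config)# vpn 0
vEdge(config-vpn)# interface ipsec1
vEdge(config-interface-ipsec)# ip address 10.0.0.1/30
vEdge(config-interface-ipsec)# tunnel-source-interface ge0/0
vEdge(config-interface-ipsec)# tunnel-destination 203.0.113.10
vEdge(config-interface-ipsec)# ike
vEdge(config-ike)# mode main
vEdge(config-ike)# group 16
vEdge(config-ike)# cipher-suite aes256-cbc-sha2
vEdge(config-ike)# rekey 14400
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret "REPLACE-with-a-long-random-secret"
vEdge(config-authentication-type)# local-id vedge-site1
vEdge(config-authentication-type)# remote-id fw-hq-primary
vEdge(config-authentication-type)# exit
vEdge(config-ike)# exit
vEdge(config-interface-ipsec)# no shutdown
vEdge(config-interface-ipsec)# exit

! Secondary tunnel to the backup gateway, with the same IKE settings so that
! failover does not land on a weaker suite or group
vEdge(config-vpn)# interface ipsec2
vEdge(config-interface-ipsec)# ip address 10.0.0.5/30
vEdge(config-interface-ipsec)# tunnel-source-interface ge0/0
vEdge(config-interface-ipsec)# tunnel-destination 198.51.100.20
vEdge(config-interface-ipsec)# ike
vEdge(config-ike)# mode main
vEdge(config-ike)# group 16
vEdge(config-ike)# cipher-suite aes256-cbc-sha2
vEdge(config-ike)# rekey 14400
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret "REPLACE-with-a-different-long-random-secret"
vEdge(config-authentication-type)# local-id vedge-site1
vEdge(config-authentication-type)# remote-id fw-hq-backup
vEdge(config-authentication-type)# exit
vEdge(config-ike)# exit
vEdge(config-interface-ipsec)# no shutdown
vEdge(config-interface-ipsec)# top

! Service VPN 10: steer the head-end prefix into the tunnels; ipsec1 is the
! primary path, ipsec2 is used only while ipsec1 is down
vEdge(config)# vpn 10
vEdge(config-vpn)# ip ipsec-route 10.200.0.0/16 vpn 0 interface ipsec1 ipsec2
vEdge(config-vpn)# top
vEdge(config)# commit
```

The tunnel addresses, local-id and remote-id values and the two secrets must match what the head-end gateways are configured with, and each tunnel gets its own secret so that compromise of one peer does not hand over the other. The IPsec route lists ipsec1 first, so it is the primary tunnel and traffic preempts back to it once it recovers.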

Enable IKE Version 2

By default, IKEv2 is enabled with the following attributes:

