IKE Enabled IPSEC tunnels

IKE Enabled IPSEC tunnels

IPSEC powered with IKE Protocols provides authentication and encryption of data traffic and ensure secure packet delivery. Viptela supports both IKE Version 1 and IKE Version 2

Configure an IPsec Tunnel

To configure an IPsec tunnel interface , create a logical Ipsec interface:

You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512).

Configure an IPsec Static Route

In order to send the traffic from any Service VPN to IPSEC tunnel in VPN 0 , a static route must be configured in Service VPN.

The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512).

Here you can configure one or two IPSEC tunnel interface, in which first one is primary and second one is secondary IPSEC tunnel and if primary tunnel fails, traffic will use secondary tunnel and preempted to primary once primary comes back.

Enable IKE Version 1

By default following attributes are enabled on IKEv1.

• Authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
• Diffie-Hellman group number—16
• Rekeying time interval—4 hours
• SA establishment mode—Main

By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:

By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange which is 4096-bit more modular exponential (MODP) group during IKE key exchange. Other groups options available are group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):

By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. To change the authentication:

The authentication suite can be one of the following:

• aes128-cbc-sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
• aes128-cbc-sha2—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
• aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
• aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity

By default, IKE keys are refreshed every 1 hours (3600 seconds). To change the rekeying interval value from 30 seconds through 14 days (1209600 seconds) use below command . It is recommended that the rekeying interval be at least 1 hour.

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

For IKE, you can also configure preshared key (PSK) authentication:

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

Enable IKE Version 2

By default following attributes are enabled on IKEv2.