EMAIL SUPPORT

dclessons@dclessons.com

LOCATION

NZ

IKE Enabled IPSEC tunnels

IKE Enabled IPSEC tunnels

Posted on Jan 27, 2020 (0)

IKE Enabled IPSEC tunnels

IPSEC powered with IKE Protocols provides authentication and encryption of data traffic and ensure secure packet delivery. Viptela supports both IKE Version 1 and IKE Version 2

Configure an IPsec Tunnel

To configure an IPsec tunnel interface , create a logical Ipsec interface:

vEdge(config)# vpn vpn-id interface ipsec number ( range 1 to 255 )
vEdge(config-interface-ipsec)# ip address ipv4-prefix/length
vEdge(config-interface-ipsec)# (tunnel-source ip-address | tunnel-source-interface interface-name)
vEdge(config-interface-ipsec)# tunnel-destination ipv4-address
vEdge(config-interface-ipsec)# no shutdown

You can create the IPsec tunnel in the transport VPN (VPN 0) and in any service VPN (VPN 1 through 65530, except for 512).

Configure an IPsec Static Route

In order to send the traffic from any Service VPN to IPSEC tunnel in VPN 0 , a static route must be configured in Service VPN.

vEdge(config)# vpn vpn-id
vEdge(config-vpn)# ip ipsec-route prefix/length vpn 0 interface ipsec number [ipsecnumber2]

The VPN ID is that of any service VPN (VPN 1 through 65530, except for 512).

Here you can configure one or two IPSEC tunnel interface, in which first one is primary and second one is secondary IPSEC tunnel and if primary tunnel fails, traffic will use secondary tunnel and preempted to primary once primary comes back.

Enable IKE Version 1

By default following attributes are enabled on IKEv1.

• Authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
• Diffie-Hellman group number—16
• Rekeying time interval—4 hours
• SA establishment mode—Main

By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish the SA. To exchange only three negotiation packets, enable aggressive mode:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# mode aggressive

By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange which is 4096-bit more modular exponential (MODP) group during IKE key exchange. Other groups options available are group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number

By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. To change the authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite

The authentication suite can be one of the following:

aes128-cbc-sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
aes128-cbc-sha2—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity

By default, IKE keys are refreshed every 1 hours (3600 seconds). To change the rekeying interval value from 30 seconds through 14 days (1209600 seconds) use below command . It is recommended that the rekeying interval be at least 1 hour.

vEdge(config)# vpn vpn-id interface ipsec number ike
vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.

vEdge(config)# vpn vpn-id interface ipsecnumber ike

For IKE, you can also configure preshared key (PSK) authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id

Enable IKE Version 2

By default following attributes are enabled on IKEv2.

• Authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
• Diffie-Hellman group number—16
• Rekeying time interval—4 hours

By default, IKEv2 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit more modular exponential (MODP) group during IKE key exchange. To change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15 (3072-bit MODP):

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number

By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. You can change the authentication:

vEdge(config)# vpn vpn-id interface ipsec number ike
vEdge(config-ike)# cipher-suite suite

The authentication suite can be one of the following:

aes128-cbc-sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity
aes128-cbc-sha2—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity
aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity; this is the default.
aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command.
For IKE, you can also configure preshared key (PSK) authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string, or it can be an AES-encrypted key.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:

vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id

Configure IPsec Tunnel Parameters

By default, the following parameters are used on the IPsec tunnel that carries IKE traffic:

• Authentication and encryption—AES-256 algorithm in GCM (Galois/counter mode)
• Rekeying interval—4 hours
• Replay window—32 packets

You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining mode, with HMAC-SHA1-96 keyed-hash message authentication or to null, to not encrypt the IPsec tunnel used for IKE key exchange traffic

vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# cipher-suite (aes256-cbc-sha1 | aes256-gcm | null-sha1)

By default, IKE keys are refreshed every 4 hours (14,400 seconds). You can change the rekeying interval to a value from 30 seconds through 14 days (1209600 seconds):

vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# rekey seconds

To force the generation of new keys for an IPsec tunnel, issue the request ipsec ipsec-rekey command.
By default, perfect forward secrecy (PFS) is enabled on IPsec tunnels, to ensure that past sessions are not affected if future keys are compromised. PFS forces a new Diffie-Hellman key exchange, by default using the 4096-bit Diffie-Hellman prime module group. You can change the PFS setting:

vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# perfect-forward-secrecy pfs-setting

pfs-setting can be one of the following:

• group-2—Use the 1024-bit Diffie-Hellman prime modulus group.
• group-14—Use the 2048-bit Diffie-Hellman prime modulus group.
• group-15—Use the 3072-bit Diffie-Hellman prime modulus group.
• group-16—Use the 4096-bit Diffie-Hellman prime modulus group. This is the default.
• none—Disable PFS.

By default, the IPsec replay window on the IPsec tunnel is 512 bytes. You can set the replay window size to 64, 128, 256, 512, 1024, 2048, or 4096 packets:

vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# replay-window number


Comment

    You are will be the first.

LEAVE A COMMENT

Please login here to comment.