Login
- Table of Contents
-
- 12-Security Configuration Guide
- 00-Preface
- 01-DAE proxy configuration
- 02-Password control configuration
- 03-Keychain configuration
- 04-Public key management
- 05-PKI configuration
- 06-IPsec configuration
- 07-SSH configuration
- 08-SSL configuration
- 09-Session management
- 10-Object group configuration
- 11-Attack detection and prevention configuration
- 12-IP-based attack prevention configuration
- 13-IP source guard configuration
- 14-ARP attack protection configuration
- 15-ND attack defense configuration
- 16-uRPF configuration
- 17-SAVA configuration
- 18-Crypto engine configuration
- 19-Trust level configuration
- 20-SAVNET configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 06-IPsec configuration | 840.21 KB |
Contents
IPv6 routing protocol-based IPsec
Restrictions and guidelines: IPsec configuration
Configuring IPsec for IPv6 routing protocols
Configuring IPsec for tunnel interfaces
Configuring an IPsec transform set
Configuring and applying a manual IPsec profile
Manual IPsec profile configuration and application tasks at a glance
Configuring a manual IPsec profile
Applying the IPsec profile to an IPv6 routing protocol
Configuring and applying an IKE-based IPsec profile
IKE-based IPsec profile configuration and application tasks at a glance
Configuring an IKE-based IPsec profile
Applying an IKE-based IPsec profile to a tunnel interface
Configuring the device as responder-only for IPsec SA negotiation
Setting the maximum number of IPsec tunnels
Configuring the global IPsec SA lifetime and idle timeout
Configuring the DF bit of IPsec packets
Enabling logging for IPsec packets
Configuring SNMP notifications for IPsec
Display and maintenance commands for IPsec
Example: Configuring IPsec for RIPng
Relationship between IPsec and IKE
Prerequisites for IKE configuration
Configuring peer IDs for the IKE profile
Specifying the IKE keychain or PKI domain
Configuring the IKE phase 1 negotiation mode
Specifying IKE proposals for the IKE profile
Configuring the local ID for the IKE profile
Configuring optional features for the IKE profile
Configuring the global identity information
Configuring the IKE keepalive feature
Setting the maximum number of IKE SAs
Configuring IKE negotiation compatibility
Configuring SNMP notifications for IKE
Display and maintenance commands for IKE
Example: Configuring main mode IKE with pre-shared key authentication
Example: Configuring aggressive mode IKE with RSA signature authentication
IKE negotiation failed because no matching IKE proposals were found
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec SA negotiation failed due to invalid identity information
Prerequisites for IKEv2 configuration
Specifying the local and remote identity authentication methods
Configuring the IKEv2 keychain or PKI domain
Configuring the local ID for the IKEv2 profile
Configuring peer IDs for the IKEv2 profile
Configuring optional features for the IKEv2 profile
Configure global IKEv2 parameters
Enabling the cookie challenging feature
Configuring the IKEv2 DPD feature
Configuring the IKEv2 NAT keepalive feature
Display and maintenance commands for IKEv2
Example: Configuring IKEv2 with pre-shared key authentication
Example: Configuring IKEv2 with RSA signature authentication
IKEv2 negotiation failed because no matching IKEv2 proposals were found
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec tunnel establishment failed
Configuring IPsec
About IPsec
IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
IPsec framework
IPsec is a security framework that has the following protocols and algorithms:
· Authentication Header (AH).
· Encapsulating Security Payload (ESP).
· Internet Key Exchange (IKE).
· Algorithms for authentication and encryption.
AH and ESP are security protocols that provide security services. IKE performs automatic key exchange. For more information about IKE, see "Configuring IKE."
IPsec security services
IPsec provides the following security services for data packets in the IP layer:
· Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting the packets from being eavesdropped en route.
· Data integrity—The receiver verifies the packets received from the sender to make sure they are not tampered with during transmission.
· Data origin authentication—The receiver verifies the authenticity of the sender.
· Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
Benefits of IPsec
IPsec delivers the following benefits:
· Reduced key negotiation overhead and simplified maintenance by supporting the IKE protocol. IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.
· Good compatibility. You can apply IPsec to all IP-based application systems and services without modifying them.
· Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility and greatly enhances IP security.
Security protocols
IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide.
· AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure 3. AH can provide data origin authentication, data integrity, and anti-replay services to prevent data tampering, but it cannot prevent eavesdropping. Therefore, it is suitable for transmitting non-confidential data. AH supports authentication algorithms HMAC-MD5 and HMAC-SHA1.
· ESP (protocol 50) defines the encapsulation of the ESP header and trailer in an IP packet, as shown in Figure 3. ESP can provide data encryption, data origin authentication, data integrity, and anti-replay services. Unlike AH, ESP can guarantee data confidentiality because it can encrypt the data before encapsulating the data to IP packets. ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. ESP supports NAT traversal.
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
Encapsulation modes
IPsec supports the following encapsulation modes: transport mode and tunnel mode.
Transport mode
The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications, as shown in Figure 1.
|
|
NOTE: NAT traversal is not available for IPsec in transport mode. |
Figure 1 IPsec protection in transport mode
Tunnel mode
The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications, as shown in Figure 2.
Figure 2 IPsec protection in tunnel mode
Figure 3 shows how the security protocols encapsulate an IP packet in different encapsulation modes.
Figure 3 Security protocol encapsulations in different modes
Security association
A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA includes the following parameters for data protection:
· Security protocols (AH, ESP, or both).
· Encapsulation mode (transport mode or tunnel mode).
· Authentication algorithm (HMAC-MD5 or HMAC-SHA1).
· Encryption algorithm (DES, 3DES, or AES).
· Shared keys and their lifetimes.
An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional communication. If two peers want to use both AH and ESP to protect data flows between them, they construct an independent SA for each protocol in each direction.
An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination IP address, and security protocol identifier. An SPI is a 32-bit number. It is transmitted in the AH/ESP header.
An SA can be set up manually or through IKE.
· Manual mode—Configure all parameters for the SA through commands. This configuration mode is complex and does not support some advanced features (such as periodic key update), but it can implement IPsec without IKE. This mode is mainly used in small and static networks or when the number of IPsec peers in the network is small.
· IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This configuration mode is simple and has good expansibility. As a best practice, set up SAs through IKE negotiations in medium- and large-scale dynamic networks.
A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types:
· Time-based lifetime—Defines how long the SA can be valid after it is created.
· Traffic-based lifetime—Defines the maximum traffic that the SA can process.
If both lifetime timers are configured for an SA, the SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after its creation.
Authentication and encryption
Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid. IPsec uses the Hash-based Message Authentication Code (HMAC) based authentication algorithms, including HMAC-MD5 and HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure.
Encryption algorithms
IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys. The following encryption algorithms are available for IPsec on the device:
· DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest algorithm.
· 3DES—Encrypts plaintext data with three 56-bit DES keys. The key length totals up to 168 bits. It provides moderate security strength and is slower than DES.
· AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES.
Crypto engine
The IPsec feature is resource intensive for its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use crypto engine to offload IPsec tasks.
The crypto engine processes all IPsec protected packets and hands the processed packets back to the device for forwarding.
For more information about crypto engines, see "Configuring crypto engines."
IPsec-protected traffic
IPsec tunnels can protect the following types of traffic:
· Packets that match specific ACLs.
· Packets routed to a tunnel interface.
· Packets of IPv6 routing protocols.
Two peers use security policies (IPsec profiles) to protect packets between them. An IPsec profile defines the range of packets to be protected by IPsec and the security parameters used for the protection.
The following information describes how IPsec protects packets:
· When an IPsec peer identifies the packets to be protected according to the security policy, it sets up an IPsec tunnel and sends the packet to the remote peer through the tunnel. The IPsec tunnel can be manually configured beforehand, or it can be set up through IKE negotiation triggered by the packet. The IPsec tunnels are actually the IPsec SAs. The inbound packets are protected by the inbound SA, and the outbound packets are protected by the outbound SA.
· When the remote IPsec peer receives the packet, it drops, de-encapsulates, or directly forwards the packet according to the configured IPsec profile.
Tunnel interface-based IPsec
To implement tunnel interface-based IPsec, configure an IPsec profile and apply the IPsec profile to a tunnel interface. All traffic routed to the tunnel interface is protected by IPsec. Tunnel interface-based IPsec supports only the tunnel encapsulation mode.
For tunnel interface-based IPsec, packet encapsulation and decapsulation are performed on the tunnel interfaces.
Figure 4 Tunnel interface encapsulation
As shown in Figure 4, a tunnel interface encapsulates an IP packet as follows:
1. Upon receiving a clear text packet, the inbound interface sends the packet to the forwarding module for routing.
2. If the packet requires IPsec protection, the forwarding module sends the packet to the tunnel interface.
3. The tunnel interface encapsulates the packet into a new IP packet. The source and destination IP addresses in the new IP header are the source and destination IP addresses of the tunnel interface. Then, the tunnel interface sends the packet back to the forwarding module.
4. The forwarding module looks up the routing table again and sends the packet out of the physical output interface of the tunnel interface.
Figure 5 Tunnel interface de-encapsulation
As shown in Figure 5, a tunnel interface de-encapsulates an IP packet as follows:
1. Upon receiving an encrypted packet, the inbound interface sends the packet to the forwarding module for routing.
2. Because the packet is destined for the tunnel interface' source address and the payload protocol is AH or ESP, the forwarding module sends the packet to the tunnel interface.
3. The tunnel interface de-encapsulates the packet (removes the outer IP header) and sends the de-encapsulated packet back to the forwarding module.
4. The forwarding module looks up the routing table again and sends the packet out of the physical output interface of the tunnel interface.
IPv6 routing protocol-based IPsec
You can implement IPv6 routing protocol-based IPsec by binding an IPsec profile to an IPv6 routing protocol. All packets of the protocol are encapsulated with IPsec. Supported IPv6 routing protocols include OSPFv3, IPv6 BGP, and RIPng.
All packets of the applications that are not bound to IPsec and the IPsec packets that failed to be de-encapsulated are dropped.
In one-to-many communication scenarios, you must configure the IPsec SAs for an IPv6 routing protocol in manual mode because of the following reasons:
· The automatic key exchange mechanism protects communications between two points. In one-to-many communication scenarios, automatic key exchange cannot be implemented.
· One-to-many communication scenarios require that all the devices use the same SA parameters (SPI and key) to receive and send packets. IKE negotiated SAs cannot meet this requirement.
IPsec profile
IPsec profiles define the parameters used to establish IPsec tunnels between two peers and the range of packets to be protected.
IPsec profile
An IPsec profile is uniquely identified by a name and does not support ACL configuration.
IPsec profiles can be classified into the following types:
· Manual IPsec profile—A manual IPsec profile is used to protect IPv6 routing protocols. It specifies the IPsec transform set used for protecting data flows, and the SPIs and keys used by the SAs.
· IKE-based IPsec profile—An IKE-based IPsec profile is applied to tunnel interfaces to protect tunneled traffic. It specifies the IPsec transform sets used for protecting data flows, and the IKE profile used for IKE negotiation.
Protocols and standards
· RFC 2401, Security Architecture for the Internet Protocol
· RFC 2402, IP Authentication Header
· RFC 2406, IP Encapsulating Security Payload
· RFC 4552, Authentication/Confidentiality for OSPFv3
Restrictions and guidelines: IPsec configuration
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec configured. In addition, make sure UDP port 4500 for NAT traversal is open.
IPsec tasks at a glance
Configuring IPsec for IPv6 routing protocols
To configure IPsec protection for IPv6 routing protocols, perform the following tasks:
1. Configuring an IPsec transform set
2. Configuring and applying a manual IPsec profile
3. (Optional.) Configuring accessibility features
¡ Setting the maximum number of IPsec tunnels
¡ Configuring the global IPsec SA lifetime and idle timeout
4. (Optional.) Configuring logging and SNMP notification for IPsec.
¡ Enabling logging for IPsec packets
¡ Configuring SNMP notifications for IPsec
Configuring IPsec for tunnel interfaces
Restrictions and guidelines
The IPsec configuration for tunnel interfaces takes effect only on the MIC-SEC-M card. To protect traffic that arrives on a tunnel interface, you must specify a MIC-SEC-M card to process IPsec traffic for that interface by using the service command.
Tasks at a glance
To configure IPsec protection for tunnel interfaces, perform the following tasks:
1. Configuring an IPsec transform set
2. Configuring and applying an IKE-based IPsec profile
3. (Optional.) Configuring accessibility features
¡ Setting the maximum number of IPsec tunnels
¡ Configuring the global IPsec SA lifetime and idle timeout
¡ Configuring IPsec anti-replay
¡ Configuring the DF bit of IPsec packets
4. (Optional.) Configuring logging and SNMP notification for IPsec.
¡ Enabling logging for IPsec packets
¡ Configuring SNMP notifications for IPsec
Configuring an IPsec transform set
About this task
An IPsec transform set defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Restrictions and guidelines
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.
The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec transform sets used in IPsec profiles for IPv6 routing protocols support only the transport mode.
The tunnel mode typically applies when the source and destination IP addresses of data flows are different from those of the IPsec tunnel. IPsec transform sets used in IPsec profiles for tunnels support only the tunnel mode.
When you configure the Perfect Forward Secrecy (PFS) feature in an IPsec transform set, follow these guidelines:
· In IKEv1, the security level of the DH group of the initiator must be higher than or equal to that of the responder. This restriction does not apply to IKEv2.
· The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.
You can specify multiple authentication or encryption algorithms for the same security protocol. The algorithm specified earlier has a higher priority.
Some algorithms are available only for IKEv2. See Table 1.
Table 1 Algorithms available only for IKEv2
|
Type |
Algorithms |
|
Encryption algorithm |
aes-ctr-128 aes-ctr-192 aes-ctr-256 camellia-cbc-128 camellia-cbc-192 camellia-cbc-256 gmac-128 gmac-192 gmac-256 gcm-128 gcm-192 gcm-256 |
|
Authentication algorithm |
aes-xcbc-mac |
|
PFS algorithm |
dh-group19 dh-group20 |
Procedure
1. Enter system view.
system-view
2. Create an IPsec transform set and enter its view.
ipsec transform-set transform-set-name
3. Specify the security protocol for the IPsec transform set.
protocol { ah | ah-esp | esp }
By default, the ESP security protocol is used.
4. Specify the encryption algorithms for ESP. Skip this step if the protocol ah command is configured.
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm4-cbc } *
By default, no encryption algorithm is specified for ESP.
5. Specify the authentication algorithms for ESP. Skip this step if the protocol ah command is configured.
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
By default, no authentication algorithm is specified for ESP.
The aes-xcbc-mac algorithm is available only for IKEv2.
6. Specify the authentication algorithms for AH. Skip this step if the protocol esp command is configured.
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
By default, no authentication algorithm is specified for AH.
The aes-xcbc-mac algorithm is available only for IKEv2.
7. Specify the packet encapsulation mode.
encapsulation-mode { transport | tunnel }
By default, the security protocol encapsulates IP packets in tunnel mode.
8. (Optional.) Enable the Extended Sequence Number (ESN) feature.
esn enable [ both ]
By default, the ESN feature is disabled.
Configuring and applying a manual IPsec profile
Manual IPsec profile configuration and application tasks at a glance
1. Configuring a manual IPsec profile
2. Applying the IPsec profile to an IPv6 routing protocol
Configuring a manual IPsec profile
About this task
A manual IPsec profile specifies the IPsec transform set used for protecting data flows, and the SPIs and keys used by the SAs.
Restrictions and guidelines
When you configure a manual IPsec profile, make sure the IPsec profile configuration at both tunnel ends meets the following requirements:
· The IPsec transform set specified in the IPsec profile at the two tunnel ends must have the same security protocol, encryption and authentication algorithms, and packet encapsulation mode.
· The local inbound and outbound IPsec SAs must have the same SPI and key.
· The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For IPv6 BGP, the scope consists of IPv6 BGP peers or an IPv6 BGP peer group.
· The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the local end uses a key in hexadecimal format, the remote end must also use a key in hexadecimal format. If you configure a key in both the character and the hexadecimal formats, only the most recent configuration takes effect.
· If you configure a key in character format for ESP, the device automatically generates an authentication key and an encryption key for ESP.
Procedure
1. Enter system view.
system-view
2. Create a manual IPsec profile and enter its view.
ipsec profile profile-name manual
The manual keyword is not needed if you enter the view of an existing IPsec profile.
3. (Optional.) Configure a description for the IPsec profile.
description text
By default, no description is configured.
4. Specify an IPsec transform set.
transform-set transform-set-name
By default, no IPsec transform set is specified in an IPsec profile.
The specified IPsec transform set must use the transport mode.
5. Configure an SPI for an SA.
sa spi { inbound | outbound } { ah | esp } spi-number
By default, no SPI is configured for an SA.
6. Configure keys for the IPsec SA.
¡ Configure an authentication key in hexadecimal format for AH.
sa hex-key authentication { inbound | outbound } ah { cipher | simple } string
¡ Configure an authentication key in character format for AH.
sa string-key { inbound | outbound } ah { cipher | simple } string
¡ Configure a key in character format for ESP.
sa string-key { inbound | outbound } esp { cipher | simple } string
¡ Configure an authentication key in hexadecimal format for ESP.
sa hex-key authentication { inbound | outbound } esp { cipher | simple }
¡ Configure an encryption key in hexadecimal format for ESP.
sa hex-key encryption { inbound | outbound } esp { cipher | simple } string
By default, no keys are configured for the IPsec SA.
Configure a key for the security protocol (AH, ESP, or both) you have specified.
Applying the IPsec profile to an IPv6 routing protocol
For information about the configuration procedure, see IPv6 BGP, OSPFv3, and RIPng configuration in Layer 3—IP Routing Configuration Guide.
Configuring and applying an IKE-based IPsec profile
IKE-based IPsec profile configuration and application tasks at a glance
1. Configuring an IKE-based IPsec profile
2. Applying an IKE-based IPsec profile to a tunnel interface
3. Configuring the device as responder-only for IPsec SA negotiation
Configuring an IKE-based IPsec profile
An IKE-based IPsec profile specifies the IPsec transform sets used for protecting data flows, and the IKE profile used for IKE negotiation.
Restrictions and guidelines
The IPsec profiles at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
The IPsec profiles at the two tunnel ends must have the same IKE profile parameters.
An IKE-based IPsec profile can use a maximum of six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.
Procedure
1. Enter system view.
system-view
2. Create an IKE-based IPsec profile and enter its view.
ipsec profile profile-name isakmp
The isakmp keyword is not needed if you enter the view of an existing IPsec profile.
3. (Optional.) Configure a description for the IPsec profile.
description text
By default, no description is configured.
4. Specify IPsec transform sets.
transform-set transform-set-name&<1-6>
By default, no IPsec transform sets are specified in an IPsec profile.
The specified IPsec transform sets must use the tunnel mode.
5. Specify an IKE profile.
ike-profile profile-name
By default, no IKE profile is specified for an IPsec profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured in system view, the globally configured IKE settings are used.
You can specify only one IKE profile for an IPsec profile.
For more information about IKE profiles, see "Configuring IKE."
6. (Optional.) Set the IPsec SA lifetime.
sa duration { time-based seconds | traffic-based kilobytes }
By default, the global SA lifetime is used.
7. (Optional.) Set the IPsec SA idle timeout.
sa idle-time seconds
By default, the global SA idle timeout is used.
8. (Optional.) Specify a primary slot for processing IPsec traffic.
service slot slot-number
By default, no primary slot for processing IPsec traffic is specified.
9. (Optional.) Specify a backup slot for processing IPsec traffic.
service standby slot slot-number
By default, no backup slot for processing IPsec traffic is specified.
Applying an IKE-based IPsec profile to a tunnel interface
About this task
After an IKE-based IPsec profile is applied to a tunnel interface, the peers negotiate an IPsec tunnel through IKE to protect data transmitted through the tunnel interface.
Restrictions and guidelines
After you apply an IPsec profile to a tunnel interface, you must specify the slot installed with a MIC-SEC-M card as the primary slot for processing IPsec traffic in the profile by using the service command.
Procedure
1. Enter system view.
system-view
2. Create a tunnel interface and enter its view.
interface tunnel number mode { advpn { gre | udp } [ ipv6 ] | ipsec [ ipv6 ] | gre [ ipv6 ] }
3. Apply an IKE-based IPsec profile to the tunnel interface.
tunnel protection ipsec profile profile-name
By default, no IPsec profile is applied to a tunnel interface.
Configuring the device as responder-only for IPsec SA negotiation
About this task
By default, two IPsec peers will both initiate the establishment of an IPsec SA when they both use an IKE-based IPsec profile to established IPsec SAs. In this case, the two IPsec peers use two IPsec negotiation processes to establish one IPsec SA, wasting CPU resources.
To resolve this issue, you can enable the responder-only mode. After you configure a device as a responder-only device, the device will not initiate IPsec SAs but respond to negotiations initiated by its peers.
Restrictions and guidelines
As a best practice, configure this feature on the hub device in a hub-spoke network.
When you use this feature on the hub device in a hub-and-spoke network, configure IKE DPD on both the hub and spokes. This configuration prevents occurrence of residual IPsec SAs upon reboot of the hub device to ensure successful IPsec SA negotiation.
Procedure
1. Enter system view.
system-view
2. Create an IKE-based IPsec profile and enter IPsec profile view.
ipsec profile profile-name isakmp
You can enter the view of an existing IKE-based IPsec profile without the isakmp keyword.
3. Enable the responder-only mode for IPsec SA negotiation.
responder-only enable
By default, the responder-only mode is disabled.
Setting the maximum number of IPsec tunnels
Restrictions and guidelines
To maximize concurrent performance of IPsec when memory is sufficient, increase the maximum number of IPsec tunnels. To ensure service availability when memory is insufficient, decrease the maximum number of IPsec tunnels.
Procedure
1. Enter system view.
system-view
2. Set the maximum number of IPsec tunnels.
ipsec limit max-tunnel tunnel-limit
The number of IPsec tunnels is not limited.
Configuring the global IPsec SA lifetime and idle timeout
About this task
If the IPsec SA lifetime and idle timeout are not configured in an IPsec policy, IPsec policy template, or IPsec profile, the global settings are used.
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.
An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.
Procedure
1. Enter system view.
system-view
2. Set the global IPsec SA lifetime or idle timeout.
¡ Set the global IPsec SA lifetime.
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.
¡ Set the global SA idle timeout.
ipsec sa idle-time seconds
By default, the global IPsec SA idle timeout feature is disabled.
Configuring IPsec anti-replay
About this task
IPsec anti-replay protects networks against anti-replay attacks by using a sliding window mechanism called anti-replay window. This feature checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window. If the sequence number is not in the current sequence number range, the packet is considered a replayed packet and is discarded.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not required, and the de-encapsulation process consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay can check and discard replayed packets before de-encapsulation.
In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
Restrictions and guidelines
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only IKE-based IPsec SAs support anti-replay.
Set the anti-replay window size as small as possible to reduce the impact on system performance.
IPsec anti-replay requires that packets on the same interface be processed on the same slot. To perform IPsec anti-replay on the device for a global interface, use the service command in interface view to specify a service processing slot for that interface. A global interface is a virtual interface that might have physical ports across the slots of the device.
Failure to detect anti-replay attacks might result in denial of services. If you want to disable IPsec anti-replay, make sure you understand the impact of the operation on network security.
Procedure
1. Enter system view.
system-view
2. Enable IPsec anti-replay.
ipsec anti-replay check
By default, IPsec anti-replay is enabled.
3. Set the size of the IPsec anti-replay window.
ipsec anti-replay window width
The default size is 64.
Configuring the DF bit of IPsec packets
About this task
Perform this task to configure the Don't Fragment (DF) bit in the new IP header of IPsec packets in one of the following ways:
· clear—Clears the DF bit in the new header.
· set—Sets the DF bit in the new header.
· copy—Copies the DF bit in the original IP header to the new IP header.
You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting.
Restrictions and guidelines for DF bit configuration for IPsec packets
The DF bit setting takes effect only in tunnel mode, and it changes the DF bit in the new IP header rather than the original IP header.
Configure the same DF bit setting on the interfaces where the same IPsec policy bound to a source interface is applied.
If the DF bit is set, the devices on the path cannot fragment the IPsec packets. To prevent IPsec packets from being discarded, make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.
Configuring the DF bit of IPsec packets on an interface
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the DF bit of IPsec packets on the interface.
ipsec df-bit { clear | copy | set }
By default, the interface uses the global DF bit setting.
Configuring the DF bit of IPsec packets globally
1. Enter system view.
system-view
2. Configure the DF bit of IPsec packets globally.
ipsec global-df-bit { clear | copy | set }
By default, IPsec copies the DF bit in the original IP header to the new IP header.
Enabling logging for IPsec packets
About this task
Perform this task to enable logging for IPsec packets that are discarded for reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, SPI value, and sequence number of a discarded IPsec packet, and the reason for the discard.
Procedure
1. Enter system view.
system-view
2. Enable logging for IPsec packets.
ipsec logging packet enable
By default, logging for IPsec packets is disabled.
Configuring SNMP notifications for IPsec
About this task
After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. For the notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
To generate and output SNMP notifications for a specific IPsec failure or event type, perform the following tasks:
1. Enable SNMP notifications for IPsec globally.
2. Enable SNMP notifications for the failure or event type.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for IPsec globally.
snmp-agent trap enable ipsec global
By default, SNMP notifications for IPsec are disabled.
3. Enable SNMP notifications for the specified failure or event types.
snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
By default, SNMP notifications for all failure and event types are disabled.
Display and maintenance commands for IPsec
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display IPsec history error information. |
display ipsec history-error |
|
Display IPsec profile information. |
display ipsec profile [ profile-name ] |
|
Display IPsec transform set information. |
display ipsec transform-set [ transform-set-name ] |
|
Display IPsec SA information. |
display ipsec sa [ brief | count | interface interface-type interface-number [ brief | count ] | { ipv6-policy | policy } policy-name [ seq-number ] [ brief | count ] | profile profile-name [ brief | count ] | remote [ ipv6 ] ip-address [ brief | count ] ] |
|
Display IPsec statistics. |
display ipsec statistics [ tunnel-id tunnel-id ] |
|
Display IPsec tunnel information. |
display ipsec tunnel [ brief | count | tunnel-id tunnel-id ] |
|
Clear IPsec history error information. |
reset ipsec history-error |
|
Clear IPsec SAs. |
reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ] |
|
Clear IPsec statistics. |
reset ipsec statistics [ tunnel-id tunnel-id ] |
IPsec configuration examples
Example: Configuring IPsec for RIPng
Network configuration
As shown in Figure 6, Router A, Router B, and Router C learn IPv6 routes through RIPng.
Establish an IPsec tunnel between the routers to protect the RIPng packets transmitted in between. Specify the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1 for the IPsec tunnel.
Analysis
To meet the network configuration requirements, perform the following tasks:
1. Configure basic RIPng.
For more information about RIPng configuration, see Layer 3—IP Routing Configuration Guide.
2. Configure an IPsec profile.
¡ The IPsec profiles on all the routers must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode.
¡ The SPI and key configured for the inbound SA and those for the outbound SA must be the same on each router.
¡ The SPI and key configured for the SAs on all the routers must be the same.
3. Apply the IPsec profile to a RIPng process or to an interface.
Procedure
1. Configure Router A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<RouterA> system-view
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface ten-gigabitethernet 3/0/1
[RouterA-Ten-GigabitEthernet3/0/1] ripng 1 enable
[RouterA-Ten-GigabitEthernet3/0/1] quit
# Create and configure the IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode transport
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[RouterA] ipsec profile profile001 manual
[RouterA-ipsec-profile-manual-profile001] transform-set tran1
[RouterA-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[RouterA-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[RouterA-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[RouterA-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[RouterA-ipsec-profile-manual-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[RouterA] ripng 1
[RouterA-ripng-1] enable ipsec-profile profile001
[RouterA-ripng-1] quit
2. Configure Router B:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<RouterB> system-view
[RouterB] ripng 1
[RouterB-ripng-1] quit
[RouterB] interface ten-gigabitethernet 3/0/1
[RouterB-Ten-GigabitEthernet3/0/1] ripng 1 enable
[RouterB-Ten-GigabitEthernet3/0/1] quit
[RouterB] interface ten-gigabitethernet 3/0/2
[RouterB-Ten-GigabitEthernet3/0/2] ripng 1 enable
[RouterB-Ten-GigabitEthernet3/0/2] quit
# Create and configure the IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode transport
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[RouterB] ipsec profile profile001 manual
[RouterB-ipsec-profile-manual-profile001] transform-set tran1
[RouterB-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[RouterB-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[RouterB-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[RouterB-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[RouterB-ipsec-profile-manual-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[RouterB] ripng 1
[RouterB-ripng-1] enable ipsec-profile profile001
[RouterB-ripng-1] quit
3. Configure Router C:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<RouterC> system-view
[RouterC] ripng 1
[RouterC-ripng-1] quit
[RouterC] interface ten-gigabitethernet 3/0/1
[RouterC-Ten-GigabitEthernet3/0/1] ripng 1 enable
[RouterC-Ten-GigabitEthernet3/0/1] quit
# Create and configure the IPsec transform set named tran1.
[RouterC] ipsec transform-set tran1
[RouterC-ipsec-transform-set-tran1] encapsulation-mode transport
[RouterC-ipsec-transform-set-tran1] protocol esp
[RouterC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterC-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[RouterC] ipsec profile profile001 manual
[RouterC-ipsec-profile-manual-profile001] transform-set tran1
[RouterC-ipsec-profile-manual-profile001] sa spi outbound esp 123456
[RouterC-ipsec-profile-manual-profile001] sa spi inbound esp 123456
[RouterC-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg
[RouterC-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg
[RouterC-ipsec-profile-manual-profile001] quit
# Apply the IPsec profile to RIPng process 1.
[RouterC] ripng 1
[RouterC-ripng-1] enable ipsec-profile profile001
[RouterC-ripng-1] quit
Verifying the configuration
After the configuration is completed, Router A, Router B, and Router C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the routers to protect RIPng packets. This example uses Router A to verify the configuration.
# Display the RIPng configuration. The output shows that IPsec profile profile001 has been applied to RIPng process 1.
[RouterA] display ripng 1
RIPng process : 1
Preference : 100
Checkzero : Enabled
Default Cost : 0
Maximum number of load balanced routes : 8
Update time : 30 secs Timeout time : 180 secs
Suppress time : 120 secs Garbage-Collect time : 120 secs
Update output delay: 20(ms) Output count: 3
Graceful-restart interval: 60 secs
Triggered Interval : 5 50 200
Number of periodic updates sent : 186
Number of triggered updates sent : 1
IPsec profile name: profile001
# Display the established IPsec SAs.
[RouterA] display ipsec sa
-------------------------------
Global IPsec SA
-------------------------------
-----------------------------
IPsec profile: profile001
Mode: Manual
-----------------------------
Encapsulation mode: transport
[Inbound ESP SA]
SPI: 123456 (0x3039)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 123456 (0x3039)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
Example: Establishing an IPsec tunnel to protect traffic on a tunnel interface based on an IPsec profile
Network configuration
As shown in Figure 7, configure an IPsec tunnel between Device A and Device B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. This example uses the following settings:
· Use tunnel-mode encapsulation.
· Use ESP as the security protocol.
· Use the 128-bit AES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
· Use IKE to establish IPsec SAs.
· Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
Procedure
1. Configure Router A:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<RouterA> system-view
[RouterA] interface tunnel 1 mode ipsec
[RouterA-Tunnel1] source ten-gigabitethernet 3/0/2
[RouterA-Tunnel1] destination 2.2.3.1
[RouterA-Tunnel1] ip address 10.1.3.1 24
# Apply IPsec profile 1 to the tunnel interface.
[RouterA-Tunnel1] tunnel protection ipsec profile 1
[RouterA-Tunnel1] quit
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the 128-bit AES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create and configure an IKE keychain named keychain1.
[RouterA] ike keychain keychain1
# Set the pre-shared key for IKE negotiation with the peer at 2.2.3.1 to 123456TESTplat&! in plain text.
[RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[RouterA-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[RouterA] ike profile profile1
[RouterA-ike-profile-profile1] keychain keychain1
[RouterA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[RouterA-ike-profile-profile1] quit
# Create an IKE-based IPsec profile.
[RouterA] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for protection of data flows.
[RouterA-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1 for IKE negotiation.
[RouterA-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[RouterA-ipsec-profile-isakmp-1] service slot 1
[RouterA-ipsec-profile-isakmp-1] quit
# Configure a static route from Router A to Router B.
[RouterA] ip route-static 10.1.2.0 24 Tunnel 1
2. Configure Router B:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<RouterB> system-view
[RouterB] interface tunnel 1 mode ipsec
[RouterB-Tunnel1] source ten-gigabitethernet 3/0/2
[RouterB-Tunnel1] destination 2.2.2.1
[RouterB-Tunnel1] ip address 10.1.4.1 24
# Apply IPsec profile 1 to the tunnel interface.
[RouterB-Tunnel1] tunnel protection ipsec profile 1
[RouterB-Tunnel1] quit
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[RouterB-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the 128-bit AES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create and configure an IKE keychain named keychain1.
[RouterB] ike keychain keychain1
[RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[RouterB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[RouterB] ike profile profile1
[RouterB-ike-profile-profile1] keychain keychain1
[RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0
[RouterB-ike-profile-profile1] quit
# Create an IKE-based IPsec profile.
[RouterB] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for the IPsec profile.
[RouterB-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1 for IKE negotiation.
[RouterB-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[RouterB-ipsec-profile-isakmp-1] service slot 1
[RouterB-ipsec-profile-isakmp-1] quit
# Configure a static route from Router B to Router A.
[RouterA] ip route-static 10.1.1.0 24 Tunnel 1
Verifying the configuration
# Send packets between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec-protected.
# Execute the following command to verify that IPsec SAs have been successfully established.
[RouterA] display ipsec sa
-------------------------------
Interface: Tunnel1
-------------------------------
-----------------------------
IPsec profile: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1443
Transmitting entity: Initiator
Tunnel:
local address: 2.2.2.1
remote address: 2.2.3.1
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3769702703 (0xe0b1192f)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2300/797
Max received sequence-number: 1
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3840956402 (0xe4f057f2)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 3000/28800
SA remaining duration (kilobytes/sec): 2312/797
Max sent sequence-number: 1
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
# Repeat the previous steps on Router B to verify that it has established IPsec SAs successfully to protect the IPv4 packets of interest. (Details not shown.)
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1.
About IKE
Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec.
Benefits of IKE
IKE provides the following benefits for IPsec:
· Automatically negotiates IPsec parameters.
· Performs DH exchanges to calculate shared keys, making sure each SA has a key that is independent of other keys.
· Automatically negotiates SAs when the sequence number in the AH or ESP header overflows, making sure IPsec can provide the anti-replay service by using the sequence number.
Relationship between IPsec and IKE
As shown in Figure 8, IKE negotiates SAs for IPsec and transfers the SAs to IPsec, and IPsec uses the SAs to protect IP packets.
Figure 8 Relationship between IKE and IPsec
IKE negotiation process
IKE negotiates keys and SAs for IPsec in two phases:
1. Phase 1—The two peers establish an IKE SA, a secure, authenticated channel for communication.
2. Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs.
Phase 1 negotiation can use either main mode or aggressive mode.
IKE exchange process in main mode
As shown in Figure 9, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
· SA exchange—Used for negotiating the IKE security policy.
· Key exchange—Used for exchanging the DH public value and other values, such as the random number. The two peers use the exchanged data to generate key data and use the encryption key and authentication key to ensure the security of IP packets.
· ID and authentication data exchange—Used for identity authentication.
Figure 9 IKE exchange process in main mode
IKE exchange process in aggressive mode
As shown in Figure 10, the process of phase 1 IKE negotiation in aggressive mode is as follows:
1. The initiator (peer 1) sends a message containing the local IKE information to peer 2. The message includes parameters used for IKE SA establishment, keying data, and peer 1's identity information.
2. Peer 2 chooses the IKE establishment parameters to use, generate the key, and authenticate peer 1's identity. Then it sends the IKE data to peer 1.
3. Peer 1 generates the key, authenticates peer 2's identity, and sends the results to peer 1.
After the preceding process, an IKE SA is established between peer 1 and peer 2.
The aggressive mode is faster than the main mode but it does not provide identity information protection. The main mode provides identity information protection but is slower. Choose the appropriate negotiation mode according to your requirements.
Figure 10 IKE exchange process in aggressive mode
IKE security mechanism
IKE has a series of self-protection mechanisms and supports secure identity authentication, key distribution, and IPsec SA establishment on insecure networks.
Identity authentication
The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers. The device supports the following identity authentication methods:
· Pre-shared key authentication—Two communicating peers use the pre-configured shared key for identity authentication.
· RSA signature authentication and DSA signature authentication—Two communicating peers use the digital certificates issued by the CA for identity authentication.
The pre-shared key authentication method does not require certificates and is easy to configure. It is usually deployed in small networks.
The signature authentication methods provide higher security and are usually deployed in networks with the headquarters and some branches. When deployed in a network with many branches, a signature authentication method can simplify the configuration because only one PKI domain is required. If you use the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node.
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Due to the decryption complexity, a third party cannot decrypt the keys even after intercepting all keying materials.
PFS
The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After PFS is enabled, an additional DH exchange is performed in IKE phase 2 to make sure IPsec keys have no derivative relations with IKE keys and a broken key brings no threats to other keys.
Protocols and standards
· RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
· RFC 2409, The Internet Key Exchange (IKE)
· RFC 2412, The OAKLEY Key Determination Protocol
· Internet Draft, draft-ietf-ipsec-isakmp-xauth-06
· Internet Draft, draft-dukes-ike-mode-cfg-02
IKE tasks at a glance
To configure IKE, perform the following tasks:
1. (Optional.) Configuring an IKE profile
b. Configuring peer IDs for the IKE profile
c. Specifying the IKE keychain or PKI domain
d. Configuring the IKE phase 1 negotiation mode
e. Specifying IKE proposals for the IKE profile
f. Configuring the local ID for the IKE profile
g. Configuring optional features for the IKE profile
2. Configuring an IKE proposal
3. Configuring an IKE keychain
4. (Optional.) Configuring the global identity information
5. (Optional.) Configuring the IKE keepalive feature
6. (Optional.) Configuring global IKE DPD
7. (Optional.) Enabling invalid SPI recovery
8. (Optional.) Setting the maximum number of IKE SAs
9. (Optional.) Configuring IKE negotiation compatibility
10. (Optional.) Configuring SNMP notifications for IKE
Prerequisites for IKE configuration
Determine the following parameters prior to IKE configuration:
· The algorithms to be used during IKE negotiation, including the identity authentication method, encryption algorithm, authentication algorithm, and DH group.
¡ Different algorithms provide different levels of protection. A stronger algorithm provides more resistance to decryption but uses more resources.
¡ A DH group that uses more bits provides higher security but needs more time for processing.
· The pre-shared key or PKI domain for IKE negotiation. For more information about PKI, see "Configuring PKI."
· The IKE-based IPsec policies for the communicating peers. If you do not specify an IKE profile in an IPsec policy, the device selects an IKE profile for the IPsec policy. If no IKE profile is configured, the globally configured IKE settings are used. For more information about IPsec, see "Configuring IPsec."
· You can modify IKE settings. The modifications take effect only on new IKE SAs. For the modifications to take effect also on existing IKE SAs, execute the reset ike sa command.
Configuring an IKE profile
Creating an IKE profile
About this task
Perform this task to create an IKE profile.
An IKE profile is intended to provide a set of parameters for IKE negotiation.
Procedure
1. Enter system view.
system-view
2. Create an IKE profile and enter its view.
ike profile profile-name
Configuring peer IDs for the IKE profile
About this task
Perform this task to configure the peer IDs for IKE profile matching. When the device needs to select an IKE profile for IKE negotiation with a peer, it compares the received peer ID with the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.
Restrictions and guidelines
For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.
Two IKE peers must both have or both not have peer IDs configured.
Procedure
1. Enter system view.
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Configure a peer ID for the IKE profile.
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | domain fqdn-domain-name | fqdn fqdn-name | user-fqdn user-fqdn-name } }
Specifying the IKE keychain or PKI domain
Restrictions and guidelines
Configure the IKE keychain or PKI domain for the IKE proposals to use. To use digital signature authentication, configure a PKI domain. To use pre-shared key authentication, configure an IKE keychain.
Procedure
1. Enter system view.
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.
¡ Specify the keychain.
keychain keychain-name
¡ Specify the PKI domain.
certificate domain domain-name
By default, no IKE keychain or PKI domain is specified in an IKE profile.
Configuring the IKE phase 1 negotiation mode
Restrictions and guidelines
Specify the IKE phase 1 negotiation mode (main, aggressive, or GM-main) that the device uses as the initiator. When the device acts as the responder, it uses the IKE negotiation mode of the initiator.
Procedure
1. Enter system view.
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Specify the IKE negotiation mode for phase 1.
exchange-mode { aggressive | gm-main | main }
By default, IKE negotiation in phase 1 uses the main mode.
Specifying IKE proposals for the IKE profile
Restrictions and guidelines
Specify the IKE proposals that the device can use as the initiator. An IKE proposal specified earlier has a higher priority. When the device acts as the responder, it uses the IKE proposals configured in system view to match the IKE proposals received from the initiator. If no matching proposal is found, the negotiation fails.
Procedure
1. Enter system view.
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Specify IKE proposals for the IKE profile.
proposal proposal-number&<1-6>
By default, no IKE proposals are specified for an IKE profile and the IKE proposals configured in system view are used for IKE negotiation.
Configuring the local ID for the IKE profile
Restrictions and guidelines
For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN (the device name configured by using the sysname command) instead.
For pre-shared key authentication, the device can use an ID of any type other than the DN.
Procedure
1. Enter system view.
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Configure the local ID.
local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy is applied as the local ID.
Configuring optional features for the IKE profile
1. Enter system view.
system-view
2. Enter IKE profile view.
ike profile profile-name
3. Configure optional features as needed.
¡ Configure IKE DPD.
dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, IKE DPD is not configured for an IKE profile and an IKE profile uses the DPD settings configured in system view. If IKE DPD is not configured in system view either, the device does not perform dead IKE peer detection.
The IKE DPD settings configured in the IKE profile view take precedence over those configured in system view.
¡ Specify the local interface or IP address to which the IKE profile can be applied.
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
By default, an IKE profile can be applied to any local interface or IP address.
An IKE profile configured with this command has a higher priority over those not configured with this command.
¡ Specify a priority for the IKE profile.
priority priority
By default, the priority of an IKE profile is 100.
The device selects a local IKE profile for IKE negotiation as follows:
- First, it selects an IKE profile with the match local address command configured.
- If a tie exists, it selects the IKE profile with a smaller priority number.
- If a tie still exists, it selects the IKE profile configured earlier.
Configuring an IKE proposal
About this task
An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority.
Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation:
· The initiator sends its IKE proposals to the peer.
¡ If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified in the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
¡ If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.
· The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found mismatching, the two peers use their default IKE proposals to establish the IKE SA.
Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings.
Procedure
1. Enter system view.
system-view
2. Create an IKE proposal and enter its view.
ike proposal proposal-number
By default, a default IKE proposal exists.
3. Configure a description for the IKE proposal.
description
By default, an IKE proposal does not have a description.
4. Specify an encryption algorithm for the IKE proposal.
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | sm4-cbc }
By default, the 56-bit DES encryption algorithm in CBC mode is used .
5. Specify an authentication method for the IKE proposal.
authentication-method { dsa-signature | pre-share | rsa-de | rsa-signature | sm2-de }
By default, the pre-shared key authentication method is used.
If the SM2 digital envelope authentication method is used by configuring the parameter sm2-de, the IKE phase 1 negotiation mode supports only the GM main mode. In this case, the authentication algorithm for the IKE proposal is HMAC-SM3 authentication algorithm (configuring the authentication-algorithm sm3 command). Otherwise, do not use the HMAC-SM3 authentication algorithm.
6. Specify an authentication algorithm for the IKE proposal.
authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }
By default, the HMAC-SHA1 authentication algorithm is used.
7. Specify a DH group for key negotiation in phase 1.
dh { group1 | group14 | group2 | group24 | group5 }
DH group 1 (the 768-bit DH group) is used by default.
8. (Optional.) Set the IKE SA lifetime for the IKE proposal.
sa duration seconds
By default, the IKE SA lifetime is 86400 seconds.
Configuring an IKE keychain
About this task
Perform this task when you configure the IKE to use the pre-shared key for authentication.
Follow these guidelines when you configure an IKE keychain:
· Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
· You can specify the local address configured in IPsec policy view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
· The device determines the priority of an IKE keychain as follows:
a. The device examines the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority.
c. If a tie still exists, the device prefers an IKE keychain configured earlier.
Procedure
1. Enter system view.
system-view
2. Create an IKE keychain and enter its view.
ike keychain keychain-name [ vpn-instance vpn-instance-name ]
3. Configure a pre-shared key.
pre-shared-key { address { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | domain fqdn-domain-name | hostname host-name } key { cipher | simple } string
By default, no pre-shared key is configured.
4. (Optional.) Specify a local interface or IP address to which the IKE keychain can be applied.
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
By default, an IKE keychain can be applied to any local interface or IP address.
5. (Optional.) Specify a priority for the IKE keychain.
priority priority
The default priority is 100.
Configuring the global identity information
Restrictions and guidelines
The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.
When signature authentication is used, you can set any type of the identity information.
When pre-shared key authentication is used, you cannot set the DN as the identity.
Procedure
1. Enter system view.
system-view
2. Configure the global identity to be used by the local end.
ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
By default, the IP address of the interface to which the IPsec policy is applied is used as the IKE identity.
3. (Optional.) Configure the local device to always obtain the identity information from the local certificate for signature authentication.
ike signature-identity from-certificate
By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication.
Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware 5-based peer device. Comware 5 supports only DN for signature authentication.
Configuring the IKE keepalive feature
About this task
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
Restrictions and guidelines
Configure IKE DPD instead of IKE keepalive unless IKE DPD is not supported on the peer. The IKE keepalive feature sends keepalives at regular intervals, which consumes network bandwidth and resources.
The keepalive timeout time configured on the local device must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout three times as long as the keepalive interval.
Procedure
1. Enter system view.
system-view
2. Set the IKE SA keepalive interval.
ike keepalive interval interval
By default, no keepalives are sent to the peer.
3. Set the IKE SA keepalive timeout time.
ike keepalive timeout seconds
By default, IKE SA keepalive never times out.
Configuring global IKE DPD
About this task
DPD detects dead peers. It can operate in periodic mode or on-demand mode.
· Periodic DPD—Sends a DPD message at regular intervals. It features an earlier detection of dead peers, but consumes more bandwidth and CPU.
· On-demand DPD—Sends a DPD message based on traffic. When the device has traffic to send and is not aware of the liveness of the peer, it sends a DPD message to query the status of the peer. If the device has no traffic to send, it never sends DPD messages. As a best practice, use the on-demand mode.
The IKE DPD works as follows:
1. The local device sends a DPD message to the peer, and waits for a response from the peer.
2. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message.
3. If still no response is received within the retry interval, the local end sends the DPD message again. The system allows a maximum of four retries.
4. If the local device receives no response after four retries, the device considers the peer to be dead, and deletes the IKE SA along with the IPsec SAs it negotiated.
5. If the local device receives a response from the peer during the detection process, the peer is considered alive. The local device performs a DPD detection again when the triggering interval is reached or it has traffic to send, depending on the DPD mode.
Restrictions and guidelines
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection is not triggered during a DPD retry.
Procedure
1. Enter system view.
system-view
2. Enable sending IKE DPD messages.
ike dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, IKE DPD is disabled.
Enabling invalid SPI recovery
About this task
An IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs). One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. Because no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.
Restrictions and guidelines
Use caution when you enable the invalid SPI recovery feature because using this feature can result in a DoS attack. Attackers can make a great number of invalid SPI notifications to the same peer.
Procedure
1. Enter system view.
system-view
2. Enable invalid SPI recovery.
ike invalid-spi-recovery enable
By default, the invalid SPI recovery is disabled.
Setting the maximum number of IKE SAs
About this task
You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
· The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
· The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.
Procedure
1. Enter system view.
system-view
2. Set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }
By default, the maximum number of half-open IKE SAs and IPsec SAs is 200, and the number of established IKE SAs is not limited.
Configuring IKE negotiation compatibility
About this task
IKE negotiation between two peers using the SM4-CBC encryption algorithm will fail if the peers use different SM4-CBC key lengths. You can enable SM4-CBC key length compatibility on the device, so the device can successfully negotiate with a remote peer that uses a different SM4-CBC key length.
IKE peers running different software versions might have the GM main mode compatibility issue (signature verification failure) during IKE negotiation. If the device encounters this issue with its peer, you can enable the GM mode compatibility on the device. Do not enable GM mode compatibility on the device if the device does not have the compatibility issue with its peers.
Procedure
1. Enter system view.
system-view
2. Enable SM4-CBC key length compatibility.
ike compatible-sm4 enable
By default, SM4-CBC key length compatibility is disabled.
3. Enable GM main mode compatibility.
ike compatible-gm-main enable
By default, the GM main mode compatibility is disabled.
Configuring SNMP notifications for IKE
About this task
After you enable SNMP notifications for IKE, the IKE module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. For the notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.
To generate and output SNMP notifications for a specific IKE failure or event type, perform the following tasks:
1. Enable SNMP notifications for IKE globally.
2. Enable SNMP notifications for the failure or event type.
Procedure
1. Enter system view
system-view
2. Enable SNMP notifications for IKE globally.
snmp-agent trap enable ike global
By default, SNMP notifications for IKE are enabled.
3. Enable SNMP notifications for the specified failure or event types.
snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal–delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
By default, SNMP notifications for all failure and event types are disabled.
Display and maintenance commands for IKE
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display IKE history error information. |
display ike history-error [ latest number | remote-address [ ipv6 ] remote-address ] |
|
Display IKE-negotiated IPsec SA deletion information. |
display ike phase2-offline-info |
|
Display configuration information about all IKE proposals. |
display ike proposal |
|
Display information about the current IKE SAs. |
display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-instance-name ] ] ] |
|
Display IKE statistics. |
display ike statistics |
|
Clear IKE history error information. |
reset ike history-error |
|
Clear IKE-negotiated IPsec SA deletion information. |
reset ike phase2-offline-info |
|
Delete IKE SAs. |
reset ike sa [ connection-id connection-id ] |
|
Clear IKE MIB statistics. |
reset ike statistics |
IKE configuration examples
Example: Configuring main mode IKE with pre-shared key authentication
Network configuration
As shown in Figure 11, configure an IKE-based IPsec tunnel between Device A and Device B to protect the data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
· Configure Device A and Device B to use IKE to establish IPsec SAs.
· Use the default IKE proposal for IKE negotiation.
· Use pre-shared key authentication.
· Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
Procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceA> system-view
[DeviceA] interface tunnel 1 mode ipsec
[DeviceA-Tunnel1] source ten-gigabitethernet 3/0/1
[DeviceA-Tunnel1] destination 2.2.2.2
[DeviceA-Tunnel1] ip address 10.1.3.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceA-Tunnel1] tunnel protection ipsec profile 1
[DeviceA-Tunnel1] quit
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the 128-bit AES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[DeviceA] ike keychain keychain1
# Set the pre-shared key for IKE negotiation with the peer at 2.2.2.2 to 123456TESTplat&! in plain text.
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.0.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceA] ike profile profile1
# Specify IKE keychain keychain1 for the IKE profile.
[DeviceA-ike-profile-profile1] keychain keychain1
# Configure the local ID with the identity type as IP address and the value as 1.1.1.1.
[DeviceA-ike-profile-profile1] local-identity address 1.1.1.1
# Configure a peer ID with the identity type as IP address and the value as 2.2.2.2/16.
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
[DeviceA-ike-profile-profile1] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceA] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for protection of data flows.
[DeviceA-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1 for IKE negotiation.
[DeviceA-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceA-ipsec-profile-isakmp-1] service slot 1
[DeviceA-ipsec-profile-isakmp-1] quit
# Configure a static route from Device A to Device B.
[DeviceA] ip route-static 10.1.2.0 24 Tunnel 1
2. Configure Device B:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceB> system-view
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] source ten-gigabitethernet 3/0/1
[DeviceB-Tunnel1] destination 1.1.1.1
[DeviceB-Tunnel1] ip address 10.1.4.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceB-Tunnel1] tunnel protection ipsec profile 1
[DeviceB-Tunnel1] quit
# Create an IPsec transform set named tran1.
[DeviceB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[DeviceB-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the 128-bit AES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[DeviceB]ike keychain keychain1
# Set the pre-shared key for IKE negotiation with the peer at 1.1.1.1 to 123456TESTplat&! in plain text.
[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.0.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceB] ike profile profile1
# Specify IKE keychain keychain1 for IKE negotiation.
[DeviceB-ike-profile-profile1] keychain keychain1
# Configure the local ID with the identity type as IP address and the value as 2.2.2.2.
[DeviceB-ike-profile-profile1] local-identity address 2.2.2.2
# Configure a peer ID with the identity type as IP address and the value as 1.1.1.1/16.
[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0
[DeviceB-ike-profile-profile1] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceB] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for protection of data flows.
[DeviceB-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1 for the IPsec policy.
[DeviceB-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceB-ipsec-profile-isakmp-1] service slot 1
[DeviceB-ipsec-profile-isakmp-1] quit
# Configure a static route from Device B to Device A.
[DeviceB] ip route-static 10.1.1.0 24 Tunnel 1
Verifying the configuration
Verify that IKE negotiation is triggered when there is traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
# Display the IKE proposal configuration on Device A and Device B. This example displays the default IKE proposal, because no IKE proposals have been configured.
[DeviceA] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
[DeviceB] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
# Display the IKE SA on Device A.
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.2.2/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# Display IPsec SA information on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: Tunnel1
-------------------------------
-----------------------------
IPsec profile: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1456
Transmitting entity: Initiator
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max sent sequence-number:
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
# Repeat the previous steps on Device B to verify that it has established the IKE SA and IPsec SAs successfully. (Details not shown.)
Example: Configuring aggressive mode IKE with RSA signature authentication
Network configuration
As shown in Figure 12, configure an IKE-based IPsec tunnel between Device A and Device B to protect the data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
· Configure Device A and Device B to use IKE to establish IPsec SAs.
· Configure Device A and Device B to use RSA signature authentication.
· Use aggressive mode for IKE phase 1 negotiation.
· Configure Device A as the initiator and use dynamic IP allocation for the subnets attached to Device A.
· Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
Procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceA> system-view
[DeviceA] interface tunnel 1 mode ipsec
[DeviceA-Tunnel1] source ten-gigabitethernet 3/0/1
[DeviceA-Tunnel1] destination 2.2.2.2
[DeviceA-Tunnel1] ip address 10.1.3.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceA-Tunnel1] tunnel protection ipsec profile 1
[DeviceA-Tunnel1] quit
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the DES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity1.
[DeviceA] pki entity entity1
# Configure a common name for entity entity1.
[DeviceA-pki-entity-entity1] common-name routera
[DeviceA-pki-entity-entity1] quit
# Create a PKI domain named domain1.
[DeviceA] pki domain domain1
# Set the certificate request mode to auto and set the password for certificate revocation.
[DeviceA-pki-domain-domain1] certificate request mode auto password simple 123
# Set the MD5 fingerprint for verifying the validity of the CA root certificate.
[DeviceA-pki-domain-domain1] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
# Specify the trusted CA.
[DeviceA-pki-domain-domain1] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. (The URL in this example is for illustration only. Replace it with the actual URL used on the real network.)
[DeviceA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[DeviceA-pki-domain-domain1] certificate request from ca
# Specify the PKI entity for certificate request.
[DeviceA-pki-domain-domain1] certificate request entity entity1
# Specify the RSA key pair for certificate request.
[DeviceA-pki-domain-domain1] public-key rsa general name rsa1
[DeviceA-pki-domain-domain1] quit
# Create an IKE profile named profile1.
[DeviceA] ike profile profile1
# Specify PKI domain domain1 for IKE negotiation.
[DeviceA-ike-profile-profile1] certificate domain domain1
# Specify the IKE negotiation mode in phase 1 as the aggressive mode.
[DeviceA-ike-profile-profile1] exchange-mode aggressive
# Specify FQDN name routera.example.com as the local ID.
[DeviceA-ike-profile-profile1] local-identity fqdn routera.example.com
# Specify the peer ID to match. In this example, the peer ID is FQDN name www.example.com.
[DeviceA-ike-profile-profile1] match remote identity fqdn www.example.com
[DeviceA-ike-profile-profile1] quit
# Create an IKE proposal numbered 10.
[DeviceA] ike proposal 10
# Set the authentication algorithm to HMAC-MD5.
[DeviceA-ike-proposal-10] authentication-algorithm md5
# Specify the RSA authentication method.
[DeviceA-ike-proposal-10] authentication-method rsa-signature
[DeviceA-ike-proposal-10] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceA] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for protection of data flows.
[DeviceA-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1 for IKE negotiation.
[DeviceA-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceA-ipsec-profile-isakmp-1] service slot 1
[DeviceA-ipsec-profile-isakmp-1] quit
# Configure a static route from Device A to Device B.
[DeviceA] ip route-static 10.1.2.0 24 Tunnel 1
2. Configure Device B:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceB> system-view
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] source ten-gigabitethernet 3/0/1
[DeviceB-Tunnel1] destination 1.1.1.1
[DeviceB-Tunnel1] ip address 10.1.4.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceB-Tunnel1] tunnel protection ipsec profile 1
[DeviceB-Tunnel1] quit
# Create an IPsec transform set named tran1.
[DeviceB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[DeviceB-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the DES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity2.
[DeviceB] pki entity entity2
# Configure a common name for entity entity1.
[DeviceB-pki-entity-entity2] common-name routerb
[DeviceB-pki-entity-entity2] quit
# Create a PKI domain named domain2.
[DeviceB] pki domain domain2
# Set the certificate request mode to auto and set the password for certificate revocation.
[DeviceB-pki-domain-domain2] certificate request mode auto password simple 123
# Set the MD5 fingerprint for verifying the validity of the CA root certificate.
[DeviceB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
# Specify the trusted CA.
[DeviceB-pki-domain-domain2] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. (The URL in this example is for illustration only. Replace it with the actual URL used on the real network.)
[DeviceB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[DeviceB-pki-domain-domain2] certificate request from ca
# Specify the PKI entity for certificate request.
[DeviceB-pki-domain-domain2] certificate request entity entity2
# Specify the RSA key pair for certificate request.
[DeviceB-pki-domain-domain2] public-key rsa general name rsa1
[DeviceB-pki-domain-domain2] quit
# Create an IKE profile named profile2.
[DeviceB] ike profile profile2
# Specify PKI domain domain2 for IKE negotiation.
[DeviceB-ike-profile-profile2] certificate domain domain2
# Specify the IKE negotiation mode in phase 1 as the aggressive mode.
[DeviceB-ike-profile-profile2] exchange-mode aggressive
# Specify FQDN name www.example.com as the local ID.
[DeviceB-ike-profile-profile2] local-identity fqdn www.example.com
# Specify the peer ID to match. In this example, the peer ID is FQDN name routera.example.com.
[DeviceB-ike-profile-profile2] match remote identity fqdn routera.example.com
[DeviceB-ike-profile-profile2] quit
# Create an IKE proposal numbered 10.
[DeviceB] ike proposal 10
# Set the authentication algorithm to HMAC-MD5.
[DeviceB-ike-proposal-10] authentication-algorithm md5
# Specify the RSA authentication method.
[DeviceB-ike-proposal-10] authentication-method rsa-signature
[DeviceB-ike-proposal-10] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceB] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for protection of data flows.
[DeviceB-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1 for IKE negotiation.
[DeviceB-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceB-ipsec-profile-isakmp-1] service slot 1
[DeviceB-ipsec-profile-isakmp-1] quit
# Configure a static route from Device B to Device A.
[DeviceB] ip route-static 10.1.1.0 24 Tunnel 1
Verifying the configuration
Verify that IKE negotiation is triggered when there is traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
# Display the IKE proposal configuration on Device A and Device B.
[DeviceA] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
10 RSA-SIG MD5 DES-CBC Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
[DeviceB] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
10 RSA-SIG MD5 DES-CBC Group 1 86400
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
# Display the IKE SA on Device A.
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 2.2.2.2/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# Display information about the obtained CA certificate on Device A.
[DeviceA] display pki certificate domain domain1 ca
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 6 01:53:58 2012 GMT
Not After : Sep 8 01:50:58 2015 GMT
Subject: C=cn, O=rnd, OU=sec, CN=8088
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42:
00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43:
c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14:
70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27:
d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb:
4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0:
ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66:
2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33:
1b:31:03:78:4f:77:a0:db:af
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90:
08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8:
7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7:
f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf:
55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9:
8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31:
57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d:
82:16
# Display the obtained local certificate on Device A.
[DeviceA] display pki certificate domain domain1 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 26 02:06:43 2012 GMT
Not After : Sep 26 02:06:43 2013 GMT
Subject: CN=devicea
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9:
84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4:
17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6:
25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d:
d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03:
2d:22:07:e3:ed:cc:88:1e:3f:0c:5e:b3:d8:0e:2d:
ea:d6:c6:47:23:6a:11:ef:3c:0f:6b:61:f0:ca:a1:
79:a0:b1:02:1a:ae:8c:c9:44:e0:cf:d1:30:de:4c:
f0:e5:62:e7:d0:81:5d:de:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
URI:http://xx.rsa.com:447/8088.crl
Signature Algorithm: sha1WithRSAEncryption
73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61:
9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e:
cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98:
30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78:
f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5:
21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff:
65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90:
7e:cd
# Display IPsec SA information on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: Tunnel1
-------------------------------
-----------------------------
IPsec profile: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1456
Transmitting entity: Initiator
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max sent sequence-number:
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
# Repeat the previous steps on Device B to verify that it has successfully established the IKE SA and IPsec SAs, and has obtained the CA certificate and local certificate. (Details not shown.)
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
Symptom
1. The IKE SA is in Unknown state.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 192.168.222.5/500 Unknown IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
2. When IKE event debugging and packet debugging are enabled, the following messages appear:
IKE event debugging message:
The attributes are unacceptable.
IKE packet debugging message:
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IKE proposal settings are incorrect.
Solution
1. Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals.
2. Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals.
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
Symptom
1. The IKE SA is in Unknown state.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
1 192.168.222.5/500 Unknown IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
2. The following IKE event debugging or packet debugging message appeared:
IKE event debugging message:
Notification PAYLOAD_MALFORMED is received.
IKE packet debugging message:
Construct notification packet: PAYLOAD_MALFORMED.
Analysis
· If the following debugging information appeared, the matched IKE profile is not using the matched IKE proposal:
Failed to find proposal 1 in profile profile1.
· If the following debugging information appeared, the matched IKE profile is not using the matched IKE keychain:
Failed to find keychain keychain1 in profile profile1.
Solution
· Verify that the matched IKE proposal (IKE proposal 1 in this debugging message example) is specified for the IKE profile (IKE profile 1 in the example).
· Verify that the matched IKE keychain (IKE keychain 1 in this debugging message example) is specified for the IKE profile (IKE profile 1 in the example).
IPsec SA negotiation failed because no matching IPsec transform sets were found
Symptom
1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
2. The following IKE debugging message appeared:
The attributes are unacceptable.
Or:
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IPsec policy settings are incorrect.
Solution
1. Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets.
2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.
IPsec SA negotiation failed due to invalid identity information
Symptom
1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
2. The following IKE debugging message appeared:
Notification INVALID_ID_INFORMATION is received.
Or:
Failed to get IPsec policy when renegotiating IPsec SA. Delete IPsec SA.
Construct notification packet: INVALID_ID_INFORMATION.
Analysis
Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows:
1. Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is using an IKE profile, the IPsec SA negotiation fails.
# Verify that matching IKE profiles were found in IKE negotiation phase 1.
<Sysname> display ike sa verbose
-----------------------------------------------
Connection ID: 3
Outside VPN:
Inside VPN:
Profile:
Transmitting entity: Responder
-----------------------------------------------
Local IP/port: 192.168.222.5/500
Local ID type: IPV4_ADDR
Local ID: 192.168.222.5
Remote IP/port: 192.168.222.71/500
Remote ID type: IPV4_ADDR
Remote ID: 192.168.222.71
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: MD5
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 85847
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Verify that the IPsec policy is using an IKE profile.
[Sysname] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: Ten-GigabitEthernet3/0/1
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: ISAKMP
-----------------------------
Description:
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address: 192.168.222.71
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
2. Verify that the ACL specified for the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
For example, if the initiator's ACL defines a flow from one network segment to another but the responder's ACL defines a flow from one host to another host, IPsec proposal matching will fail.
# On the initiator:
[Sysname] display acl 3000
Advanced IPv4 ACL 3000, 1 rule,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
# On the responder:
[Sysname] display acl 3000
Advanced IPv4 ACL 3000, 1 rule,
ACL's step is 5
rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
3. Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured.
If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation will fail:
[Sysname] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: Ten-GigabitEthernet3/0/1
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: ISAKMP
-----------------------------
Security data flow: 3000
Selector mode: aggregation
Local address: 192.168.222.5
Remote address:
Transform set: transform1
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
Solution
1. If the IPsec policy specifies an IKE profile but no matching IKE profiles was found in IKE negotiation, perform one of the following tasks on the responder:
¡ Remove the specified IKE profile from the IPsec policy.
¡ Modify the specified IKE profile to match the IKE profile of the initiator.
2. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, modify the responder's ACL so the ACL defines a flow range equal to or greater than that of the initiator's ACL.
For example:
[Sysname] display acl 3000
Advanced IPv4 ACL 3000, 2 rules,
ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
3. Configure the missing settings (for example, the remote address).
Configuring IKEv2
About IKEv2
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. The same as IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange ability and needs fewer message exchanges than IKEv1.
IKEv2 negotiation process
Compared with IKEv1, IKEv2 simplifies the negotiation process and is much more efficient.
IKEv2 defines three types of exchanges: initial exchanges, CREATE_CHILD_SA exchange, and INFORMATIONAL exchange.
As shown in Figure 13, IKEv2 uses two exchanges during the initial exchange process: IKE_SA_INIT and IKE_AUTH, each with two messages.
· IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.
· IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.
After the four-message initial exchanges, IKEv2 sets up one IKE SA and one pair of IPsec SAs. For IKEv1 to set up one IKE SA and one pair of IPsec SAs, it must go through two phases that use a minimum of six messages.
To set up one more pair of IPsec SAs within the IKE SA, IKEv2 goes on to perform an additional two-message exchange—the CREATE_CHILD_SA exchange. One CREATE_CHILD_SA exchange creates one pair of IPsec SAs. IKEv2 also uses the CREATE_CHILD_SA exchange to rekey IKE SAs and Child SAs.
IKEv2 uses the INFORMATIONAL exchange to convey control messages about errors and notifications.
Figure 13 IKEv2 Initial exchange process
New features in IKEv2
DH guessing
In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished. If the guess is wrong, the responder responds with an INVALID_KE_PAYLOAD message that contains the DH group that it wants to use. The initiator then uses the DH group selected by the responder to reinitiate the IKE_SA_INIT exchange. The DH guessing mechanism allows for more flexible DH group configuration and enables the initiator to adapt to different responders.
Cookie challenging
Messages for the IKE_SA_INIT exchange are in plain text. An IKEv1 responder cannot confirm the validity of the initiators and must maintain half-open IKE SAs, which makes the responder susceptible to DoS attacks. An attacker can send a large number of IKE_SA_INIT requests with forged source IP addresses to the responder, exhausting the responder's system resources.
IKEv2 introduces the cookie challenging mechanism to prevent such DoS attacks. When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.
The cookie challenging mechanism automatically stops working when the number of half-open IKE SAs drops below the threshold.
IKEv2 SA rekeying
For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the SA rekeying. This mechanism reduces the possibility that two peers will simultaneously initiate a rekeying. Simultaneous rekeying results in redundant SAs and SA status inconsistency on the two peers.
IKEv2 message retransmission
Unlike IKEv1 messages, IKEv2 messages appear in request/response pairs. IKEv2 uses the Message ID field in the message header to identify the request/response pair. If an initiator sends a request but receives no response with the same Message ID value within a specific period of time, the initiator retransmits the request.
It is always the IKEv2 initiator that initiates the retransmission, and the retransmitted message must use the same Message ID value.
Protocols and standards
· RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
· RFC 4306, Internet Key Exchange (IKEv2) Protocol
· RFC 4718, IKEv2 Clarifications and Implementation Guidelines
· RFC 2412, The OAKLEY Key Determination Protocol
· RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2)
IKEv2 tasks at a glance
To configure IKEv2, perform the following tasks:
1. Configuring an IKEv2 profile
b. Specifying the local and remote identity authentication methods
c. Configuring the IKEv2 keychain or PKI domain
d. Configuring the local ID for the IKEv2 profile
e. Configuring peer IDs for the IKEv2 profile
f. Configuring optional features for the IKEv2 profile
2. Configuring an IKEv2 policy
3. Configuring an IKEv2 proposal
If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.
4. Configuring an IKEv2 keychain
This task is required when either end or both ends use the pre-shared key authentication method.
5. (Optional.) Enabling the cookie challenging feature
The cookie challenging feature takes effect only on IKEv2 responders.
6. (Optional.) Configuring the IKEv2 DPD feature
7. (Optional.) Configuring the IKEv2 NAT keepalive feature
Prerequisites for IKEv2 configuration
Determine the following parameters prior to IKEv2 configuration:
· The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
· The local and remote identity authentication methods.
¡ To use the pre-shared key authentication method, you must determine the pre-shared key.
¡ To use the RSA digital signature authentication method, you must determine the PKI domain for the local end to use. For information about PKI, see "Configuring PKI."
· You can modify IKEv2 settings. The modifications take effect only on new IKEv2 SAs. For the modifications to take effect also on existing IKEv2 SAs, execute the reset ikev2 sa command.
Configuring an IKEv2 profile
Creating an IKEv2 profile
About this task
An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation.
Procedure
1. Enter system view.
system-view
2. Create an IKEv2 profile and enter its view.
ikev2 profile profile-name
Specifying the local and remote identity authentication methods
Restrictions and guidelines
The local and remote identity authentication methods must both be specified and they can be different. You can specify only one local identity authentication method and multiple remote identity authentication methods.
Procedure
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Specify the local and remote identity authentication methods.
authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
By default, no local or remote identity authentication method is configured.
Configuring the IKEv2 keychain or PKI domain
Restrictions and guidelines
Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use. To use digital signature authentication, configure a PKI domain. To use pre-shared key authentication, configure an IKEv2 keychain.
Procedure
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.
¡ Specify the keychain.
keychain keychain-name
¡ Specify the PKI domain.
certificate domain domain-name [ sign | verify ]
By default, no IKEv2 keychain or PKI domain is specified for an IKEv2 profile.
Configuring the local ID for the IKEv2 profile
Restrictions and guidelines
For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN as the local ID. The FQDN is the device name configured by using the sysname command.
For pre-shared key authentication, the device can use an ID of any type other than the DN.
Procedure
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Configure the local ID.
identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }
By default, no local ID is configured, and the device uses the IP address of the interface where the IPsec policy applies as the local ID.
Configuring peer IDs for the IKEv2 profile
About this task
Perform this task to configure the peer ID for IKEv2 profile matching. When the device needs to select an IKEv2 profile for IKEv2 negotiation with a peer, it compares the received peer ID with the peer IDs of its local IKE profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for negotiation. IKEv2 profiles will be compared in descending order of their priorities.
Procedure
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Configure a peer ID.
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | domain fqdn-domain-name | email email-string | fqdn fqdn-name | key-id key-id-string } }
You must configure a minimum of one peer ID on each of the two peers.
Configuring optional features for the IKEv2 profile
1. Enter system view.
system-view
2. Enter IKEv2 profile view.
ikev2 profile profile-name
3. Configure optional features as needed.
¡ Configure IKEv2 DPD.
dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, IKEv2 DPD is not configured for an IKEv2 profile and an IKEv2 profile uses the DPD settings configured in system view. If IKEv2 DPD is not configured in system view either, the device does not perform dead IKEv2 peer detection.
¡ Specify the local interface or IP address to which the IKEv2 profile can be applied.
match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }
By default, an IKEv2 profile can be applied to any local interface or local IP address.
Use this command to specify which address or interface can use the IKEv2 profile for IKEv2 negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
¡ Specify a priority for the IKEv2 profile.
priority priority
By default, the priority of an IKEv2 profile is 100.
When the device needs to select an IKEv2 profile for IKEv2 negotiation with a peer, it compares the received peer ID with the peer ID of its local IKEv2 profiles in descending order of their priorities
¡ Set the IKEv2 SA lifetime for the IKEv2 profile.
sa duration seconds
By default, the IKEv2 SA lifetime is 86400 seconds.
The local and remote ends can use different IKEv2 SA lifetimes and they do not negotiate the lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the lifetime expires.
¡ Set the IKEv2 NAT keepalive interval.
nat-keepalive seconds
By default, the global IKEv2 NAT keepalive setting is used.
Configure this command when the device is behind a NAT gateway. The device sends NAT keepalive packets regularly to its peer to prevent the NAT session from being aged because of no matching traffic.
¡ Enable the configuration exchange feature.
config-exchange { request | set { accept | send } }
By default, all configuration exchange options are disabled.
This feature applies to scenarios where the headquarters and branches communicate through virtual tunnels. It enables exchanges of IP address request and set messages between the IPsec gateway at a branch and the IPsec gateway at the headquarters.
Table 2 Parameter descriptions
|
Parameter |
Description |
|
request |
Enables the IPsec gateway at a branch to submit IP address request messages to the IPsec gateway at the headquarters. |
|
set accept |
Enables the IPsec gateway at a branch to accept the IP addresses pushed by the IPsec gateway at the headquarters. |
|
set send |
Enables the IPsec gateway at the headquarters to push IP addresses to IPsec gateways at branches. |
Configuring an IKEv2 policy
About this task
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
· If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an incomplete proposal, the IKE_SA_INIT exchange fails.
· If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy default.
The device matches IKEv2 policies in the descending order of their priorities. To determine the priority of an IKEv2 policy:
1. First, the device examines the existence of the match local address command. An IKEv2 policy with the match local address command configured has a higher priority.
2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority number has a higher priority.
3. If a tie still exists, the device prefers an IKEv2 policy configured earlier.
Procedure
1. Enter system view.
system-view
2. Create an IKEv2 policy and enter its view.
ikev2 policy policy-name
By default, an IKEv2 policy named default exists.
3. Specify the local interface or address used for IKEv2 policy matching.
match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }
By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.
4. Specify an IKEv2 proposal for the IKEv2 policy.
proposal proposal-name
By default, no IKEv2 proposal is specified for an IKEv2 policy.
5. Specify a priority for the IKEv2 policy.
priority priority
By default, the priority of an IKEv2 policy is 100.
Configuring an IKEv2 proposal
About this task
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority.
Restrictions and guidelines
A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
Procedure
1. Enter system view.
system-view
2. Create an IKEv2 proposal and enter its view.
ikev2 proposal proposal-name
By default, an IKEv2 proposal named default exists.
The default proposal uses the following settings:
¡ Encryption algorithms AES-CBC-128 and 3DES.
¡ Integrity protection algorithms HMAC-SHA1 and HMAC-MD5.
¡ PRF algorithms HMAC-SHA1 and HMAC-MD5.
¡ DH groups 2 and 5.
3. Specify the encryption algorithms.
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
By default, an IKEv2 proposal does not have any encryption algorithms.
4. Specify the integrity protection algorithms.
integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
By default, an IKEv2 proposal does not have any integrity protection algorithms.
5. Specify the DH groups.
dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *
By default, an IKEv2 proposal does not have any DH groups.
6. Specify the PRF algorithms.
prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.
Configuring an IKEv2 keychain
About this task
An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation.
An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host name, IP address or address range, or ID).
An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the matching criterion to search for a peer.
Procedure
1. Enter system view.
system-view
2. Create an IKEv2 keychain and enter its view.
ikev2 keychain keychain-name
3. Create an IKEv2 peer and enter its view.
peer name
4. Configure a host name for the peer:
hostname name
By default, no host name is configured for an IKEv2 peer.
5. Configure a host IP address or address range for the peer:
address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
By default, no host IP address or address range is configured for an IKEv2 peer.
You must configure different host IP addresses/address ranges for different peers.
6. Configure an ID for the peer:
identity { address { ipv4-address | range low-ipv4-address high-ipv4-address | ipv6 { ipv6-address | range low-ipv6-address high-ipv6-address } } | domain fqdn-domain-name | email email-string | fqdn fqdn-name | key-id key-id-string }
By default, no identity information is configured for an IKEv2 peer.
7. Configure a pre-shared key for the peer.
pre-shared-key [ local | remote ] { ciphertext | plaintext } string
By default, an IKEv2 peer does not have a pre-shared key.
Configure global IKEv2 parameters
Enabling the cookie challenging feature
About this task
Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests.
Procedure
1. Enter system view.
system-view
2. Enable IKEv2 cookie challenging.
ikev2 cookie-challenge number
By default, IKEv2 cookie challenging is disabled.
Configuring the IKEv2 DPD feature
About this task
IKEv2 DPD detects dead IKEv2 peers in periodic or on-demand mode.
· Periodic IKEv2 DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages at regular intervals.
· On-demand IKEv2 DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages before sending data.
¡ Before the device sends data, it identifies the time interval for which the last IPsec packet has been received from the peer. If the time interval exceeds the DPD interval, it sends a DPD message to the peer to detect its liveliness.
¡ If the device has no data to send, it never sends DPD messages.
Restrictions and guidelines
If you configure IKEv2 DPD in both IKEv2 profile view and system view, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.
Procedure
1. Enter system view.
system-view
2. Configure global IKEv2 DPD.
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
By default, global DPD is disabled.
Configuring the IKEv2 NAT keepalive feature
About this task
Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
The NAT keepalive interval must be shorter than the NAT session lifetime.
This feature takes effect after the device detects the NAT device.
Procedure
1. Enter system view.
system-view
2. Set the IKEv2 NAT keepalive interval.
ikev2 nat-keepalive seconds
By default, the IKEv2 NAT keepalive interval is 10 seconds.
Display and maintenance commands for IKEv2
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display the IKEv2 proposal configuration. |
display ikev2 proposal [ name | default ] |
|
Display the IKEv2 policy configuration. |
display ikev2 policy [ policy-name | default ] |
|
Display the IKEv2 profile configuration. |
display ikev2 profile [ profile-name ] |
|
Display the IKEv2 SA information. |
display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ] |
|
Display IKEv2 statistics. |
display ikev2 statistics |
|
Delete IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs. |
reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ] |
|
Clear IKEv2 statistics. |
reset ikev2 statistics |
IKEv2 configuration examples
Example: Configuring IKEv2 with pre-shared key authentication
Network configuration
As shown in Figure 14, configure an IPsec tunnel between Device A and Device B to protect the data flows between subnet 192.168.1.0/24 and subnet 192.168.2.0/24.
· Use IKEv2 on Device A and Device B to establish IPsec SAs.
· Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
Procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceA> system-view
[DeviceA] interface Tunnel 1 mode ipsec
[DeviceA-Tunnel1] source ten-gigabitEthernet 3/0/1
[DeviceA-Tunnel1] destination 2.2.2.2
[DeviceA-Tunnel1] ip address 10.1.3.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceA-Tunnel1] tunnel protection ipsec profile 1
[DeviceA-Tunnel1] quit
# Create IPsec transform set 1.
[DeviceA] ipsec transform-set 1
# Use ESP as the security protocol.
[DeviceA-ipsec-transform-set-1] protocol esp
# Specify the AES-CBC-256 and HMAC-SHA-256 algorithms for encryption and authentication, respectively.
[DeviceA-ipsec-transform-set-1] esp encryption-algorithm aes-cbc-256
[DeviceA-ipsec-transform-set-1] esp authentication-algorithm sha256
[DeviceA-ipsec-transform-set-1] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceA] ipsec profile 1 isakmp
# Specify IPsec transform set 1 to apply its security parameters for IPsec protection.
[DeviceA-ipsec-profile-isakmp-1] transform-set 1
# Specify IKEv2 profile 1 for IKE negotiation.
[DeviceA-ipsec-profile-isakmp-1] ikev2-profile 1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceA-ipsec-profile-isakmp-1] service slot 1
[DeviceA-ipsec-profile-isakmp-1] quit
# Specify the IKEv2 keychain used for pre-shared key authentication.
[DeviceA] ikev2 profile 1
[DeviceA-ikev2-profile-1] keychain 1
# Specify peer address 2.2.2.2 as the peer ID for IKEv2 profile matching.
[DeviceA-ikev2-profile-1] match remote identity address 2.2.2.2 255.255.255.0
# Specify the local authentication method as pre-shared key authentication.
[DeviceA-ikev2-profile-1] authentication-method local pre-share
# Specify the remote authentication method as pre-shared key authentication.
[DeviceA-ikev2-profile-1] authentication-method remote pre-share
# Create IKEv2 keychain 1 and enter its view.
[DeviceA] ikev2 keychain 1
# Create IKEv2 peer 1.
[DeviceA-ikev2-keychain-1] peer 1
# Set the host address of IKEv2 peer 1 to 2.2.2.2/16.
[DeviceA-ikev2-keychain-1-peer-1] address 2.2.2.2 255.255.255.0
# Specify identity information for IKEv2 peer 1.
[DeviceA-ikev2-keychain-1-peer-1] identity address 2.2.2.2
# Specify 123456 in plain text as the pre-shared key for authentication with IKEv2 peer 1.
[DeviceA-ikev2-keychain-1-peer-1] pre-shared-key plaintext 123456
[DeviceA-ikev2-keychain-keychain1-peer-peer1] quit
# Configure a static route from Device A to Device B.
[DeviceA] ip route-static 192.168.2.0 24 Tunnel 1
2. Configure Device B:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceB> system-view
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] source ten-gigabitEthernet 3/0/1
[DeviceB-Tunnel1] destination 1.1.1.1
[DeviceB-Tunnel1] ip address 10.1.4.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceB-Tunnel1] tunnel protection ipsec profile 1
[DeviceB-Tunnel1] quit
# Create IPsec transform set 1.
[DeviceB] ipsec transform-set 1
# Use ESP as the security protocol.
[DeviceB-ipsec-transform-set-1] protocol esp
# Configure ESP to use the MD5 and HMAC-SHA-256 algorithms for encryption and authentication, respectively.
[DeviceB-ipsec-transform-set-1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-1] esp authentication-algorithm sha256
[DeviceB-ipsec-transform-set-1] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceB] ipsec profile 1 isakmp
# Specify IPsec transform set 1 to apply its security parameters for IPsec protection.
[DeviceB-ipsec-profile-isakmp-1] transform-set 1
# Specify IKEv2 profile 1 for IKE negotiation.
[DeviceB-ipsec-profile-isakmp-1] ikev2-profile 1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceB-ipsec-profile-isakmp-1] service slot 1
[DeviceB-ipsec-profile-isakmp-1] quit
# Specify the IKEv2 keychain used for pre-shared key authentication.
[DeviceB] ikev2 profile 1
[DeviceB-ikev2-profile-1] keychain 1
# Specify peer address 2.2.2.2 as the peer ID for IKEv2 profile matching.
[DeviceB-ikev2-profile-1] match remote identity address 1.1.1.1 255.255.255.0
# Specify the local authentication method as pre-shared key authentication.
[DeviceB-ikev2-profile-1] authentication-method local pre-share
# Specify the remote authentication method as pre-shared key authentication.
[DeviceB-ikev2-profile-1] authentication-method remote pre-share
# Create IKEv2 keychain 1 and enter its view.
[DeviceB] ikev2 keychain 1
# Create IKEv2 peer 1.
[DeviceB-ikev2-keychain-1] peer 1
# Set the host address of IKEv2 peer 1 to 0.0.0.0/16.
[DeviceB-ikev2-keychain-1-peer-1] address 2.2.2.2 255.255.255.0
# Specify identity information for IKEv2 peer 1.
[DeviceB-ikev2-keychain-1-peer-1] identity address 2.2.2.2
# Specify 123456 in plain text as the pre-shared key for authentication with IKEv2 peer 1.
[DeviceB-ikev2-keychain-1-peer-1] pre-shared-key plaintext 123456
[DeviceB-ikev2-keychain-1-peer-1] quit
# Configure a static route from Device B to Device A.
[DeviceB] ip route-static 192.168.1.0 24 Tunnel 1
Verifying the configuration
Verify that IKEv2 negotiation is triggered when there is traffic between subnet 192.168.1.0/24 and subnet 192.168.2.0/24.
# Verify that the tunnel has been successfully established.
[DeviceA] display interface Tunnel
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 1444
Internet address: 1.1.1.1/24 (primary)
Tunnel source 1.1.1.1 (Ten-GigabitEthernet3/0/1), destination 2.2.2.2
Tunnel TTL 255
Tunnel protocol/transport IPsec/IP
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 2 packets, 128 bytes, 0 drops
Output: 2 packets, 128 bytes, 0 drops
# Verify that the IKEv2 SA has been successfully established.
[DeviceA]display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
1 1.1.1.1/500 2.2.2.2/500 EST
# Verify that Device A has successfully established IPsec SAs through IKEv2 negotiation.
[DeviceA]display ipsec sa
-------------------------------
Interface: Tunnel1
-------------------------------
-----------------------------
IPsec profile: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 9504
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3805627989 (0xe2d54655)
Connection ID: 12884901888
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3600
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 1652227937 (0x627aff61)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA256
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3600
Max sent sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
# Repeat the previous steps on Device B to verify that it has successfully established the IKEv2 SA and IPsec SAs. (Details not shown.)
Example: Configuring IKEv2 with RSA signature authentication
Network configuration
As shown in Figure 15, configure an IPsec tunnel between Device A and Device B to protect the data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
· Use IKEv2 on Device A and Device B to establish IPsec SAs.
· Configure Device A and Device B to use RSA signature authentication.
· Configure Device A as the initiator and use dynamic IP allocation for the subnets attached to Device A.
· Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
Procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceA> system-view
[DeviceA] interface tunnel 1 mode ipsec
[DeviceA-Tunnel1] source ten-gigabitEthernet 3/0/1
[DeviceA-Tunnel1] destination 2.2.2.2
[DeviceA-Tunnel1] ip address 10.1.3.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceA-Tunnel1] tunnel protection ipsec profile 1
[DeviceA-Tunnel1] quit
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the DES and HMAC-SHA1 algorithms for encryption and authentication, respectively.
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity1.
[DeviceA] pki entity entity1
# Configure a common name for entity entity1.
[DeviceA-pki-entity-entity1] common-name routera
[DeviceA-pki-entity-entity1] quit
# Create a PKI domain named domain1.
[DeviceA]pki domain domain1
# Set the certificate request mode to auto and set the password for certificate revocation.
[DeviceA-pki-domain-domain1] certificate request mode auto password simple 123
# Set the MD5 fingerprint for verifying the validity of the CA root certificate.
[DeviceA-pki-domain-domain1] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
# Specify the trusted CA.
[DeviceA-pki-domain-domain1] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. (The URL in this example is for illustration only. Replace it with the actual URL used on the real network.)
[DeviceA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[DeviceA-pki-domain-domain1] certificate request from ca
# Specify the PKI entity for certificate request.
[DeviceA-pki-domain-domain1] certificate request entity entity1
# Specify the RSA key pair for certificate request.
[DeviceA-pki-domain-domain1] public-key rsa general name rsa1
[DeviceA-pki-domain-domain1] quit
# Create an IKEv2 profile named profile1.
[DeviceA] ikev2 profile profile1
# Specify the local authentication method as RSA signature authentication.
[DeviceA-ikev2-profile-profile1] authentication-method local rsa-signature
# Specify the remote authentication method as RSA signature authentication.
[DeviceA-ikev2-profile-profile1] authentication-method remote rsa-signature
# Specify PKI domain domain1 for the IKE profile.
[DeviceA-ikev2-profile-profile1] certificate domain domain1
# Specify FQDN name routera.example.com as the local ID.
[DeviceA-ikev2-profile-profile1] identity local fqdn routera.example.com
# Specify the peer ID to match. In this example, the peer ID is FQDN name www.example.com.
[DeviceA-ikev2-profile-profile1] match remote identity fqdn www.example.com
[DeviceA-ikev2-profile-profile1] quit
# Create IKEv2 proposal 10.
[DeviceA] ikev2 proposal 10
# Set the integrity protection algorithm to HMAC-MD5.
[DeviceA-ikev2-proposal-10] integrity md5
# Set the encryption algorithm to 3DES.
[DeviceA-ikev2-proposal-10] encryption 3des-cbc
# Specify DH group 1.
[DeviceA-ikev2-proposal-10] dh group1
# Set the PRF algorithm to HMAC-MD5.
[DeviceA-ikev2-proposal-10] prf md5
[DeviceA-ikev2-proposal-10] quit
# Create IKEv2 policy 1.
[DeviceA] ikev2 policy 1
# Specify IKEv2 proposal 10.
[DeviceA-ikev2-policy-1] proposal 10
[DeviceA-ikev2-policy-1] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceA] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for protection of data flows.
[DeviceA-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1.
[DeviceA-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceA-ipsec-profile-isakmp-1] service slot 1
[DeviceA-ipsec-profile-isakmp-1] quit
# Configure a static route from Device A to Device B.
[DeviceA] ip route-static 10.1.2.0 24 Tunnel 1
2. Configure Device B:
# Assign an IP address to each interface. (Details not shown.)
# Create a tunnel interface and set its tunnel mode to IPsec/IPv4.
<DeviceB> system-view
[DeviceB] interface tunnel 1 mode ipsec
[DeviceB-Tunnel1] source ten-gigabitEthernet 3/0/1
[DeviceB-Tunnel1] destination 1.1.1.1
[DeviceB-Tunnel1] ip address 10.1.4.1 24
# Apply IPsec profile 1 to the tunnel interface.
[DeviceB-Tunnel1] tunnel protection ipsec profile 1
[DeviceB-Tunnel1] quit
# Create an IPsec transform set named tran1.
[DeviceB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel mode.
[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[DeviceB-ipsec-transform-set-tran1] protocol esp
# Configure ESP to use the DES and HMAC-SHA-1-96 algorithms for encryption and authentication, respectively.
[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceB-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity2.
[DeviceB] pki entity entity2
# Configure a common name for entity entity1.
[DeviceB-pki-entity-entity2] common-name routerb
[DeviceB-pki-entity-entity2] quit
# Create a PKI domain named domain2.
[DeviceB] pki domain domain2
# Set the certificate request mode to auto and set the password for certificate revocation.
[DeviceB-pki-domain-domain2] certificate request mode auto password simple 123
# Set the MD5 fingerprint for verifying the validity of the CA root certificate.
[DeviceB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
# Specify the trusted CA.
[DeviceB-pki-domain-domain2] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. (The URL in this example is for illustration only. Replace it with the actual URL used on the real network.)
[DeviceB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[DeviceB-pki-domain-domain2] certificate request from ca
# Specify the PKI entity for certificate request.
[DeviceB-pki-domain-domain2] certificate request entity entity2
# Specify the RSA key pair for certificate request.
[DeviceB-pki-domain-domain2] public-key rsa general name rsa1
[DeviceB-pki-domain-domain2] quit
# Create an IKEv2 profile named profile2.
[DeviceB] ikev2 profile profile2
# Specify the local authentication method as RSA signature authentication.
[DeviceB-ikev2-profile-profile2] authentication-method local rsa-signature
# Specify the remote authentication method as RSA signature authentication.
[DeviceB-ikev2-profile-profile2] authentication-method remote rsa-signature
# Specify FQDN name www.example.com as the local ID.
[DeviceB-ikev2-profile-profile2] identity local fqdn www.example.com
# Specify the peer ID to match. In this example, the peer ID is FQDN name routera.example.com.
[DeviceB-ikev2-profile-profile2] match remote identity fqdn routera.example.com
[DeviceB-ikev2-profile-profile2] quit
# Create IKEv2 proposal 10.
[DeviceB] ikev2 proposal 10
# Set the integrity protection algorithm to HMAC-MD5.
[DeviceB-ikev2-proposal-10] integrity md5
# Set the encryption algorithm to 3DES.
[DeviceB-ikev2-proposal-10] encryption 3des-cbc
# Specify DH group 1.
[DeviceB-ikev2-proposal-10] dh group1
# Set the PRF algorithm to HMAC-MD5.
[DeviceB-ikev2-proposal-10] prf md5
[DeviceB-ikev2-proposal-10] quit
# Create IKEv2 policy 1.
[DeviceB] ikev2 policy 1
# Specify IKEv2 proposal 10.
[DeviceB-ikev2-policy-1] proposal 10
[DeviceB-ikev2-policy-1] quit
# Create IPsec profile 1, the profile applied to the Tunnel1 interface. The profile uses IKE for IPsec SA setup.
[DeviceB] ipsec profile 1 isakmp
# Specify IPsec transform set tran1 for protection of data flows.
[DeviceB-ipsec-profile-isakmp-1] transform-set tran1
# Specify IKE profile profile1.
[DeviceB-ipsec-profile-isakmp-1] ike-profile profile1
# Specify the slot installed with a MIC-SEC-M card as the primary slot for IPsec traffic processing.
[DeviceB-ipsec-profile-isakmp-1] service slot 1
[DeviceB-ipsec-profile-isakmp-1] quit
# Configure a static route from Device B to Device A.
[DeviceB] ip route-static 10.1.1.0 24 Tunnel 1
Verifying the configuration
Verify that IKEv2 negotiation is triggered when there is traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
# Display the IKEv2 proposal configuration on Device A and Device B.
[DeviceA] display ikev2 proposal 10
IKEv2 proposal : 10
Encryption : 3DES-CBC
Integrity : MD5
PRF : MD5
DH Group : MODP768/Group1
[DeviceB] display ikev2 proposal 10
IKEv2 proposal : 10
Encryption : 3DES-CBC
Integrity : MD5
PRF : MD5
DH Group : MODP768/Group1
# Display the IKEv2 policy configuration on Device A and Device B.
[DeviceA] display ikev2 policy 1
IKEv2 policy : 1
Priority: 100
Match Local : any
Match VRF : public
Proposal : 10
[DeviceB] display ikev2 policy 1
IKEv2 policy : 1
Priority: 100
Match Local : any
Match VRF : public
Proposal : 10
# Display the IKEv2 SA on Device A.
[DeviceA] display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
1 1.1.1.1/500 2.2.2.2/500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL:Deleting
# Display information about the obtained CA certificate on Device A.
[DeviceA] display pki certificate domain domain1 ca
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 6 01:53:58 2012 GMT
Not After : Sep 8 01:50:58 2015 GMT
Subject: C=cn, O=rnd, OU=sec, CN=8088
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42:
00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43:
c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14:
70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27:
d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb:
4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0:
ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66:
2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33:
1b:31:03:78:4f:77:a0:db:af
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90:
08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8:
7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7:
f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf:
55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9:
8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31:
57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d:
82:16
# Display the obtained local certificate on Device A.
[DeviceA]display pki certificate domain domain1 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=rnd, OU=sec, CN=8088
Validity
Not Before: Sep 26 02:06:43 2012 GMT
Not After : Sep 26 02:06:43 2013 GMT
Subject: CN=devicea
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9:
84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4:
17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6:
25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d:
d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03:
2d:22:07:e3:ed:cc:88:1e:3f:0c:5e:b3:d8:0e:2d:
ea:d6:c6:47:23:6a:11:ef:3c:0f:6b:61:f0:ca:a1:
79:a0:b1:02:1a:ae:8c:c9:44:e0:cf:d1:30:de:4c:
f0:e5:62:e7:d0:81:5d:de:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
URI:http://xx.rsa.com:447/8088.crl
Signature Algorithm: sha1WithRSAEncryption
73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61:
9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e:
cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98:
30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78:
f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5:
21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff:
65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90:
7e:cd
# Display IPsec SA information on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: Tunnel1
-------------------------------
-----------------------------
IPsec profile: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1456
Transmitting entity: Initiator
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3264152513 (0xc28f03c1)
Connection ID: 141733920771
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Connection ID: 141733920770
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max sent sequence-number:
Anti-replay check enable: Y
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active
# Repeat the previous steps on Device B to verify that it has successfully established the IKEv2 SA and IPsec SAs, and has obtained the CA certificate and local certificate. (Details not shown.)
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2 proposals were found
Symptom
The IKEv2 SA is in IN-NEGO status.
<Sysname> display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
5 123.234.234.124/500 123.234.234.123/500 IN-NEGO
Status:
IN-NEGO: Negotiating, EST: Established, DEL:Deleting
Analysis
Certain IKEv2 proposal settings are incorrect.
Solution
1. Examine the IKEv2 proposal configuration to see whether the two ends have matching IKEv2 proposals.
2. Modify the IKEv2 proposal configuration to make sure the two ends have matching IKEv2 proposals.
IPsec SA negotiation failed because no matching IPsec transform sets were found
Symptom
The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA is in EST status. The display ipsec sa command shows that the expected IPsec SAs have not been negotiated yet.
Analysis
Certain IPsec policy settings are incorrect.
Solution
1. Examine the IPsec configuration to see whether the two ends have matching IPsec policy settings, including IPsec transform sets, encryption algorithm, and authentication algorithm.
2. Modify the IPsec configuration to make sure the two ends have matching IPsec policy settings.
IPsec tunnel establishment failed
Symptom
The ACLs and IKEv2 proposals are correctly configured on both ends. The two ends cannot establish an IPsec tunnel or cannot communicate through the established IPsec tunnel.
Analysis
The IKEv2 SA or IPsec SAs on either end are lost. The reason might be that the network is unstable and the device reboots.
Solution
1. Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends. If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the next step.
2. Use the display ipsec sa command to examine whether IPsec SAs exist on both ends. If the IPsec SAs on one end are lost, delete the IPsec SAs on the other end by using the reset ipsec sa command and trigger new negotiation.
