This document provides three examples for setting up IPSec. It has the following sections:
Configuring IPSec
Configuring an IPSec Road Warrior Client
Configuring an IPSec Road Warrior Gateway
Configuring IPSec
This section shows how to set up IPSec to protect traffic between PCs on a subnet at a branch office and a server at a headquarters office, as shown in the following illustration. The addresses used throughout the example are: the finance server at headquarters, 128.185.21.9; the headquarters router (chicago), WAN address 128.185.3.1; the branch office router (westboro), WAN address 128.185.7.3; and the branch office subnet, 10.2.2.0/24, written 10.2.2.0&255.255.255.0 in the router's selector syntax.
The next sections show how to set up IPSec on the headquarters router and then on the branch office router. These are the tasks you will perform:
Setting Up the Headquarters Router
Setting Up the Peer
Setting Up an IKE Transform
Setting Up the SA Proposal
Adding a Profile
Setting Up a Policy
Attaching Profiles to Interfaces
Setting Up the Branch Office Router
Setting Up the Peer
Setting Up an IKE Transform
Setting Up the SA Proposal
Adding a Profile
Setting Up a Policy
Attaching Profiles to Interfaces
Setting Up the Headquarters Router
This section walks you through setting up the headquarters router to protect traffic between the finance server on the headquarters network and the subnet on the branch network.
This configuration assumes that WAN interface 1 is the default route.
Setting Up the Peer
The IPSec peer is the IPSec router interface at the branch office.
IPSec Config> add peer westboro
IPSec Config> set peer westboro ip_address = 128.185.7.3
IPSec Config> list peer westboro
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
------------------------------------------------------------
westboro  128.185.7.3  <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: none
Pre-shared key: (ASCII) 1234
Peer ID type: IP-Address
By default, this peer uses the IKE transform called default and authenticates with a preshared key whose default value is 1234. When you first set up two routers to run OpenROUTE IPSec, they negotiate IKE successfully with these defaults because the preshared keys match on both sides. The default key is printed in this documentation, however, so it provides no security: any peer that presents it can authenticate. Replace it with a long, random key (the road warrior examples later in this document use a 40-character key) on both routers before you connect them over an untrusted network.
Setting Up an IKE Transform
IPSec Config> list ike_transforms
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   3des  768  28800     0
For this example, we will use the default transform as it is. You can change the properties of the default transform using the set ike_transform command, or you can create a new transform using the add ike_transform command.
Setting Up the SA Proposal
Add an SA proposal called sa_branch.
IPSec Config> add sa_proposal sa_branch
IPSec Config> list sa_proposal sa_branch
SA-proposal name: sa_branch
AH_auth: hmac_sha ESP_auth: none
ESP_encr: 3des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
This proposal specifies:
AH authentication with the HMAC-SHA algorithm,
ESP encryption with the 3DES algorithm, and
IKE (automatic) keying rather than manual keying, which means you do not need to enter outbound or inbound manual SPI and key values.
Adding a Profile
Add a profile called branch. A profile holds policies and is what you attach to an interface.
IPSec Config> add profile branch
Setting Up a Policy
Add a policy called finance to the profile branch, then assign it the SA proposal and the peer you created. A policy is named profile.policy, so its full name is branch.finance.
IPSec Config> add policy branch.finance
IPSec Config> set policy branch.finance sa_proposal = sa_branch peer = westboro
IPSec Config> list policy branch.finance
-- *=opaque allowed --
Name Dir Address Port Protocol Action
------------------------------------------------------------
branch.finance both Any protect
sa_proposal=sa_branch, peer=westboro
Now restrict the policy to the traffic it should protect. Enter the addresses as they appear in packets arriving at this router: the source is the branch office subnet and the destination is the finance server.
IPSec Config> set policy branch.finance destination = 128.185.21.9
IPSec Config> set policy branch.finance source = 10.2.2.0&255.255.255.0
IPSec Config> list policy branch.finance
-- *=opaque allowed --
Name Dir Address Port Protocol Action
---------------------------------------------------------------
branch.finance both sa=10.2.2.0&255.255.255.0 Any protect
da=128.185.21.9
sa_proposal=sa_branch, peer=westboro
Attaching Profiles to Interfaces
IPSec checks packets against profiles in the order in which you attach the profiles to the interface. Once a packet matches a policy, IPSec takes the action defined for that policy and processing for the packet is complete, so a broad policy attached ahead of a narrower one shadows it.
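The following Python script is an added example, not part of the OpenROUTE documentation or software. It models the first-match rule just described: profiles attached to an interface are searched in attachment order, and the first policy whose selectors match decides the action, so attaching a broad profile ahead of a narrow one silently shadows it. The branch.finance policy is the one configured in this section; the catch-all profile other, its policy other.all, the action name pass and the sample packet addresses are constructed for the demonstration, and the treatment of outbound packets (selectors compared with source and destination swapped) is this example's reading of the note later in this document that selectors are written as they relate to inbound packets.

```python
"""First-match policy lookup over the profiles attached to an interface.

Added example, not OpenROUTE code. Selectors use the notation from the router
listings: a host address ("128.185.21.9"), a network written as "addr&mask"
("10.2.2.0&255.255.255.0"), or "Any". The profile "other", its policy
"other.all" and the action name "pass" are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field


def parse_selector(text):
    """Convert 'addr&mask', a bare host address or 'Any' into an ip_network."""
    if text == "Any":
        return ipaddress.ip_network("0.0.0.0/0")
    if "&" in text:
        addr, mask = text.split("&", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(f"{text}/32")


@dataclass
class Policy:
    name: str     # profile.policy, as on the router
    src: str      # selectors written as seen by inbound packets
    dst: str
    action: str   # only "protect" appears on the page; "pass" is constructed


@dataclass
class Profile:
    name: str
    policies: list = field(default_factory=list)


def lookup(attached, pkt_src, pkt_dst, direction="in"):
    """Return the first matching Policy for a packet, or None if nothing matches.

    `attached` lists the Profiles in the order they were attached with
    'set interface N profile +='. Selectors describe inbound packets, so an
    outbound packet is compared with its addresses swapped (assumption).
    """
    src, dst = ipaddress.ip_address(pkt_src), ipaddress.ip_address(pkt_dst)
    if direction == "out":
        src, dst = dst, src
    for profile in attached:
        for pol in profile.policies:
            if src in parse_selector(pol.src) and dst in parse_selector(pol.dst):
                return pol
    return None


# The profile configured above on the headquarters router.
BRANCH = Profile("branch", [
    Policy("branch.finance", "10.2.2.0&255.255.255.0", "128.185.21.9", "protect"),
])
# Constructed: a broad profile whose single policy matches everything.
CATCH_ALL = Profile("other", [Policy("other.all", "Any", "Any", "pass")])

if __name__ == "__main__":
    pkt = ("10.2.2.17", "128.185.21.9")          # branch PC -> finance server, inbound
    print("branch first   :", lookup([BRANCH, CATCH_ALL], *pkt).name)
    print("catch-all first:", lookup([CATCH_ALL, BRANCH], *pkt).name)
    print("reply, outbound:", lookup([BRANCH], pkt[1], pkt[0], "out").name)
```

Running it shows the same packet landing on branch.finance when the branch profile is attached first and on other.all when the catch-all is attached first; nothing in the second ordering protects the finance traffic, which is the failure mode the ordering rule warns about.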
Use the following command to attach the profile branch to interface 1.
IPSec Config> set interface 1 profile +=branch
IPSec Config> list interface 1
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------------
1    On      Set           600       branch
IPSec Config> list all
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------
1    On      Set           600       branch
IPSec profile   profile type
-----------------------------------------
branch          spd
-- *=opaque allowed --
Name Dir Address Port Protocol Action
-----------------------------------------------------------------------
branch.finance both sa=10.2.2.0&255.255.255.0 Any protect
da=128.185.21.9
sa_proposal=sa_branch, peer=westboro
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
-----------------------------------------------------------------
westboro  128.185.7.3  <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: none
Pre-shared key: (ASCII) 1234
Peer ID type: IP-Address
SA-proposal name: sa_branch
AH_auth: hmac_sha ESP_auth: none
ESP_encr: 3des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   3des  768  28800     0
IPSEC Globals:
--------------
IKE Retransmission timer (in seconds) : 12
IKE Maximum Retransmissions : 4
IPSec Phase2 SA inactivity timer (in seconds) : 60
My ID type: IP-Address
Setting Up the Branch Office Router
This section walks you through setting up IPSec on the branch office router to protect traffic between the finance server on the headquarters network and the subnet on the branch network.
This configuration assumes that WAN interface 1 is the default route.
Setting Up the Peer
The IPSec peer is the IPSec router interface at headquarters.
IPSec Config> add peer chicago
IPSec Config> set peer chicago ip_address = 128.185.3.1
IPSec Config> list peer chicago
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
-----------------------------------------------------------------
chicago   128.185.3.1  <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: none
Pre-shared key: (ASCII) 1234
Peer ID type: IP-Address
As on the headquarters router, this peer uses the IKE transform called default and the default preshared key 1234. The key must be identical on both routers, so when you replace the default value, change it on both.
Setting Up an IKE Transform
IPSec Config> list ike_transform
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   3des  768  28800     0
For this example, we will use the default transform as it is. You can change the properties of the default transform using the set ike_transform command, or you can create a new transform using the add ike_transform command.
Setting Up the SA Proposal
Add an SA proposal called sa_hq.
IPSec Config> add sa_proposal sa_hq
IPSec Config> list sa_proposal sa_hq
SA-proposal name: sa_hq
AH_auth: hmac_sha ESP_auth: none
ESP_encr: 3des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
This proposal specifies:
AH authentication with the HMAC-SHA algorithm,
ESP encryption with the 3DES algorithm, and
IKE (automatic) keying rather than manual keying, which means you do not need to enter outbound or inbound manual SPI and key values.
It matches sa_branch on the headquarters router, as it must for the Phase 2 negotiation to succeed.
Adding a Profile
IPSec Config> add profile hq
Setting Up a Policy
Add a policy called finance to the profile hq and assign it the SA proposal sa_hq and the peer chicago.
IPSec Config> add policy hq.finance
IPSec Config> set policy hq.finance sa_proposal = sa_hq peer = chicago
IPSec Config> list policy hq.finance
-- *=opaque allowed --
Name Dir Address Port Protocol Action
----------------------------------------------------------------------
hq.finance both Any protect
sa_proposal=sa_hq, peer=chicago
Enter the addresses as they appear in packets arriving at this router: the source is the finance server and the destination is the branch office subnet, the reverse of the headquarters router's policy.
IPSec Config> set policy hq.finance destination = 10.2.2.0&255.255.255.0
IPSec Config> set policy hq.finance source = 128.185.21.9
IPSec Config> list policy hq.finance
-- *=opaque allowed --
Name Dir Address Port Protocol Action
----------------------------------------------------------------------
hq.finance both sa=128.185.21.9 Any protect
da= 10.2.2.0&255.255.255.0
sa_proposal=sa_hq, peer=chicago
Attaching Profiles to Interfaces
As on the headquarters router, IPSec checks packets against profiles in the order in which you attach them to the interface, and the first matching policy's action completes IPSec processing for the packet.
IPSec Config> set interface 1 profile +=hq
IPSec Config> list interface 1
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
------------------------------------------------------------------
1    On      Set           600       hq
IPSec Config> list all
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------
1    On      Set           600       hq
IPSec profile   profile type
-----------------------------------------
hq              spd
-- *=opaque allowed --
Name Dir Address Port Protocol Action
---------------------------------------------------------------
hq.finance both sa=128.185.21.9 Any protect
da=10.2.2.0&255.255.255.0
sa_proposal=sa_hq, peer=chicago
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
--------------------------------------------------------------
chicago   128.185.3.1  <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: none
Pre-shared key: (ASCII) 1234
Peer ID type: IP-Address
SA-proposal name: default
AH_auth: hmac_sha ESP_auth: none
ESP_encr: 3des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
SA-proposal name: sa_hq
AH_auth: hmac_sha ESP_auth: none
ESP_encr: 3des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   3des  768  28800     0
IPSEC Globals:
--------------
IKE Retransmission timer (in seconds) : 12
IKE Maximum Retransmissions : 4
IPSec Phase2 SA inactivity timer (in seconds) : 60
My ID type: IP-Address
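Before the two routers are connected it is worth checking mechanically that their configurations can negotiate with each other. The Python script below is an added example, not OpenROUTE code. It transcribes the settings from the headquarters (chicago) and branch office (westboro) listings above into plain dictionaries (the field names are the script's own, not CLI keywords), verifies that each router's peer entry points at the other's WAN address, that the preshared keys, IKE transforms and SA proposals are identical, and that the policy selectors are mirror images (each router writes them as seen by inbound packets), and separately warns about settings that negotiate fine but are weak: the default key 1234, single DES, the 768-bit DH group and the absence of perfect forward secrecy. The dsa_sig variant at the end is constructed to show what a mismatch report looks like.

```python
"""Check that two IPSec peers are configured to negotiate with each other.

Added example; not part of the OpenROUTE documentation or software. The two
dictionaries transcribe the headquarters (chicago) and branch office (westboro)
listings; the field names are this script's own, not router CLI keywords.
IKE Phase 1 succeeds only if both sides hold the same pre-shared key and an
identical IKE transform; Phase 2 only if the SA proposals match; and because
each router writes its policy selectors as seen by inbound packets, the two
policies must be mirror images of each other.
"""

# Transcribed from the "list all" output of each router.
HQ = {
    "name": "chicago",
    "wan_ip": "128.185.3.1",
    "peer": {"name": "westboro", "ip": "128.185.7.3", "psk": "1234"},
    "ike": {"auth": "preshare", "hash": "sha", "encr": "3des", "dh_bits": 768},
    "sa": {"ah_auth": "hmac_sha", "esp_auth": "none", "esp_encr": "3des", "pfs": "none"},
    "policy": {"name": "branch.finance",
               "src": "10.2.2.0&255.255.255.0", "dst": "128.185.21.9"},
}
BRANCH = {
    "name": "westboro",
    "wan_ip": "128.185.7.3",
    "peer": {"name": "chicago", "ip": "128.185.3.1", "psk": "1234"},
    "ike": {"auth": "preshare", "hash": "sha", "encr": "3des", "dh_bits": 768},
    "sa": {"ah_auth": "hmac_sha", "esp_auth": "none", "esp_encr": "3des", "pfs": "none"},
    "policy": {"name": "hq.finance",
               "src": "128.185.21.9", "dst": "10.2.2.0&255.255.255.0"},
}

DEFAULT_PSK = "1234"      # factory default visible in the listings
WEAK_CIPHERS = {"des"}    # 56-bit key
WEAK_DH_BITS = {768}      # IKE group 1, shown as DHGroup1 by "show ike"


def check_pair(a, b):
    """Return mismatches that would make IKE or IPsec negotiation fail.

    An empty list means the two configurations are consistent with each other.
    """
    problems = []
    for me, other in ((a, b), (b, a)):
        if me["peer"]["ip"] != other["wan_ip"]:
            problems.append(f"{me['name']}: peer address {me['peer']['ip']} "
                            f"is not {other['name']}'s WAN address {other['wan_ip']}")
    if a["peer"]["psk"] != b["peer"]["psk"]:
        problems.append("pre-shared keys differ")
    if a["ike"] != b["ike"]:
        problems.append(f"IKE transforms differ: {a['ike']} vs {b['ike']}")
    if a["sa"] != b["sa"]:
        problems.append(f"SA proposals differ: {a['sa']} vs {b['sa']}")
    # Selectors describe inbound packets, so src on one side is dst on the other.
    if (a["policy"]["src"], a["policy"]["dst"]) != (b["policy"]["dst"], b["policy"]["src"]):
        problems.append(f"policy selectors are not mirror images: "
                        f"{a['policy']} vs {b['policy']}")
    return problems


def hygiene(cfg):
    """Return warnings about settings that negotiate fine but are weak."""
    warnings = []
    if cfg["peer"]["psk"] == DEFAULT_PSK:
        warnings.append(f"{cfg['name']}: factory-default pre-shared key; anyone who "
                        "knows it can authenticate as the peer")
    if cfg["ike"]["encr"] in WEAK_CIPHERS or cfg["sa"]["esp_encr"] in WEAK_CIPHERS:
        warnings.append(f"{cfg['name']}: single DES in use")
    if cfg["ike"]["dh_bits"] in WEAK_DH_BITS:
        warnings.append(f"{cfg['name']}: 768-bit Diffie-Hellman group")
    if cfg["sa"]["pfs"] == "none":
        warnings.append(f"{cfg['name']}: no perfect forward secrecy for Phase 2 keys")
    return warnings


# Constructed variant: the branch router's IKE transform switched to certificate
# (dsa_sig) authentication while the headquarters router still expects a PSK.
BRANCH_MISMATCHED = {**BRANCH, "ike": {**BRANCH["ike"], "auth": "dsa_sig"}}

if __name__ == "__main__":
    print("chicago <-> westboro:", check_pair(HQ, BRANCH) or "consistent")
    print("with dsa_sig on branch:", check_pair(HQ, BRANCH_MISMATCHED))
    for cfg in (HQ, BRANCH):
        for w in hygiene(cfg):
            print("warning:", w)
```

The two configurations on this page pass check_pair, and every warning from hygiene is one the text already raises in prose; the point of the script is that the same comparison can be run again after every change to either router instead of being re-read by eye.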
Configuring an IPSec Road Warrior Client
This section shows how to set up the headquarters router to accept connections from a road warrior client: a PC (here a Windows 98 host) whose IP address is assigned dynamically and is therefore not known in advance. Because the client cannot be identified by address, the router identifies it by its e-mail address ID and authenticates it with a preshared key.
In order to successfully negotiate security associations, each side must agree on authentication and encryption algorithms and methods. This example uses the following settings.
Mode = aggressive
Preshared key = SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
Hash algorithm = HMAC-SHA
Encryption algorithm = DES
Two cautions apply. In aggressive mode the identities and the hash derived from the preshared key are exchanged before the channel is encrypted, so anyone who captures the exchange can attempt an offline dictionary attack on the key; this is why the key here is long and random rather than a memorable word. DES has a 56-bit key and should not be relied on for confidentiality against a determined attacker; use 3DES (the router's default) wherever the client supports it.
These are the tasks you will complete:
Adding a Profile
Setting Up the IKE Transform
Setting Up the Peer
Setting Up the SA Proposal
Setting Up a Policy
Attaching the Profile to an Interface
Adding a Profile
Add a profile called roadwarrior that has road warrior client as its profile type.
IPSec Config> add profile roadwarrior type = roadwarrior_client
IPSec Config> list profile
IPSec profile   profile type
-----------------------------------------
roadwarrior     roadwarrior_client
Setting Up the IKE Transform
Change the encryption algorithm of the default IKE transform from 3DES to DES to match the client. The transform is identified by its name and priority sequence number.
IPSec Config> set ike_transform default 10 encrypt = des
IPSec Config> list ike_transforms default
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   des   768  28800     0
Setting Up the Peer
Add a peer called win98. Set its preshared key, identify it by e-mail address, bind it to the roadwarrior profile, and set its address to 0.0.0.0 because the client's address is not known in advance.
IPSec Config> add peer win98
IPSec Config> set peer win98 pre_shared_key ascii_for_preshared_key = SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
IPSec Config> set peer win98 peer_id_type = email_(User_Fully_Qualified_Domain_Name)
IPSec Config> set peer win98 peer_id_value ascii_for_peer_id = abc@nxnetworks.com
IPSec Config> set peer win98 rw_profile = roadwarrior
IPSec Config> set peer win98 ip_address = 0.0.0.0
IPSec Config> list peer
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
-----------------------------------------------------------------
win98     0.0.0.0      <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
My certificate: default RW profile: roadwarrior
Pre-shared key: (ASCII) SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
Peer ID type: Email
Peer ID value: (ASCII) abc@nxnetworks.com
Setting Up the SA Proposal
Change the default SA proposal so that ESP provides both HMAC-SHA authentication and DES encryption, with no AH header.
IPSec Config> set sa_proposal default AH_auth_method = none ESP_auth_method = hmac_sha ESP_encr_method = des
IPSec Config> list sa
SA-proposal name: default
AH_auth: none ESP_auth: hmac_sha
ESP_encr: des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Setting Up a Policy
When you enter a policy name, you must first specify the profile name to which the policy belongs. You do this by entering the profile name followed by the policy name, separated by a period. For example:
IPSec Config> add policy roadwarrior.fin
Attaching the Profile to an Interface
IPSec Config> set interface 1 profile +=roadwarrior
IPSec Config> list interface 1
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------------
1    On      Set           600       roadwarrior
IPSec Config> list all
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------
1    On      Set           600       roadwarrior
IPSec profile   profile type
-----------------------------------------
roadwarrior     roadwarrior_client
-- *=opaque allowed --
Name Dir Address Port Protocol Action
---------------------------------------------------------------
roadwarrior.fin both Any protect
sa_proposal=default, peer=default
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
--------------------------------------------------------------
win98     0.0.0.0      <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
My certificate: default RW profile: roadwarrior
Pre-shared key: (ASCII) SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
Peer ID type: Email
Peer ID value: (ASCII) abc@nxnetworks.com
SA-proposal name: default
AH_auth: none ESP_auth: hmac_sha
ESP_encr: des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   des   768  28800     0
IPSEC Globals:
--------------
IKE Retransmission timer (in seconds) : 12
IKE Maximum Retransmissions : 4
IPSec Phase2 SA inactivity timer (in seconds) : 60
My ID type: IP-Address
To display active IKE SA sessions, enter show ike.
IPSec> SHOW IKE
Remote Address: 10.3.7.155 (UDP port 500)
Remote ID type: Email
Remote ID value: (ASCII) abc@nxnetworks.com
Local Address: 128.185.3.1 (UDP port 500)
Local ID type: IP-Address
Local ID value: 128.185.3.1
Transforms: sharedKey, HMAC_SHA, DES, DHGroup1
State: QM_IDLE
Lifetime:
Traffic: 380 bytes protected (max none)
Age: 70 seconds elapsed (max 28800 sec)
Note: The IP address 10.3.7.155 is the actual dynamically-assigned IP address that the road warrior client is using.
IPSec> SHOW SA
Interface 1 is ENABLED
Decap Q: cur=0 ovfl=0 Encap Q: cur=0 ovfl=0
INBundle (ike, 10.3.7.155->128.185.3.1) Associated Policy=
roadwarrior.fin in sa=10.3.7.155 Protect
da=128.185.21.9
sa_proposal=default, peer=win98
Lifesecs=28800 (Rekey after=24480, Current=81) Key-PFS=none
LifeKB=0 (Rekey after=0, Current=0) Pkt-cnt=0
ESP SA (Up) SPI C1931F4C Auth=HMAC_SHA, Anti-replay=On
Encr=DES
OUTBundle (ike, 128.185.3.1->10.3.7.155)
LifeKB=0 (Rekey after=0, Current=0) Pkt-cnt=0
ESP SA (Up) SPI D3A5CE56 Auth=HMAC_SHA, Anti-replay=On
Encr=DES
Configuring an IPSec Road Warrior Gateway
This section shows how to set up IPSec between the headquarters router and a branch office router whose WAN address is assigned dynamically. Because the headquarters router cannot know the branch router's address in advance, it configures the branch router as a road warrior gateway peer with address 0.0.0.0 and identifies it by its fully qualified domain name; the branch router, in turn, announces that name as its own ID and uses IKE aggressive mode, which carries the initiator's identity in the first exchange. The next sections show how to set up IPSec on the headquarters router and then on the branch office router.
Note: This example uses the default settings for IKE transforms and SA proposals.
Setting Up the Headquarters Router
This configuration assumes that WAN interface 1 is the default route.
Adding a Profile
Add a profile called branch that has road warrior gateway as its profile type.
IPSec Config> add profile branch type = roadwarrior_gateway
IPSec Config> list profile
IPSec profile   profile type
-----------------------------------------
branch          roadwarrior_gateway
Setting Up the Peer
Add a peer called westboro. Because the branch router's address is assigned dynamically, identify it by its fully qualified domain name, bind it to the branch profile, set the preshared key, and set its address to 0.0.0.0.
IPSec Config> add peer westboro
IPSec Config> set peer westboro peer_id_type = domain_name_(Fully_Qualified_Domain_Name)
IPSec Config> set peer westboro peer_id_value ascii_for_peer_id = wbobranch.com
IPSec Config> set peer westboro rw_profile = branch
IPSec Config> set peer westboro pre_shared_key ascii_for_preshared_key = SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
IPSec Config> set peer westboro ip_address = 0.0.0.0
IPSec Config> list peer westboro
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
------------------------------------------------------------
westboro  0.0.0.0      <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: branch
Pre-shared key: (ASCII) SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
Peer ID type: Domain-Name
Peer ID value: (ASCII) wbobranch.com
Setting Up a Policy
Add a policy called finance to the profile branch and assign the peer. This example keeps the default SA proposal.
IPSec Config> add policy branch.finance
IPSec Config> set policy branch.finance peer = westboro
IPSec Config> list policy
-- *=opaque allowed --
Name Dir Address Port Protocol Action
---------------------------------------------------------------
branch.finance both Any protect
sa_proposal=default, peer=westboro
Attaching the Profile to an Interface
IPSec Config> set interface 1 profile += branch
IPSec Config> list interface 1
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------------
1    On      Set           600       branch
IPSec Config> list all
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------
1    On      Set           600       branch
IPSec profile   profile type
-----------------------------------------
branch          roadwarrior_gateway
-- *=opaque allowed --
Name Dir Address Port Protocol Action
-----------------------------------------------------------------------
branch.finance both Any protect
sa_proposal=default, peer=westboro
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
-----------------------------------------------------------------
westboro  0.0.0.0      <automatic>        IKE
IKE-transform: default IKE-mode: main
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: branch
Pre-shared key: (ASCII) SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
Peer ID type: Domain-Name
Peer ID value: (ASCII) wbobranch.com
SA-proposal name: default
AH_auth: hmac_sha ESP_auth: none
ESP_encr: 3des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   3des  768  28800     0
IPSEC Globals:
--------------
IKE Retransmission timer (in seconds) : 12
IKE Maximum Retransmissions : 4
IPSec Phase2 SA inactivity timer (in seconds) : 60
My ID type: IP-Address
Setting Up the Branch Office Router
This configuration assumes that WAN interface 1 is the default route.
Setting IDs
To identify this router to the peer (the headquarters router), you set the My ID parameters.
IPSec Config> set global my_id_type = domain_name_(Fully_Qualified_Domain_Name)
IPSec Config> set global my_id_value ascii_for_myid = wbobranch.com
Adding a Profile
IPSec Config> add profile hq
Setting Up the Peer
Add a peer called chicago with the headquarters router's fixed WAN address and the shared key, and set IKE aggressive mode, which sends this router's identity (its domain name) in the first message so that the headquarters router can look the peer up by name.
IPSec Config> add peer chicago
IPSec Config> set peer chicago pre_shared_key ascii_for_preshared_key = SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
IPSec Config> set peer chicago ip_address = 128.185.3.1
IPSec Config> set peer chicago ike_mode = aggressive
IPSec Config> list peer chicago
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
------------------------------------------------------------
chicago   128.185.3.1  <automatic>        IKE
IKE-transform: default IKE-mode: aggressive
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: none
Pre-shared key: (ASCII) SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
Peer ID type: IP-Address
Setting Up a Policy
IPSec Config> add policy hq.finance
IPSec Config> set policy hq.finance peer = chicago
Note: Add the source and destination addresses as they appear in inbound packets: the source is the finance server and the destination is the branch office subnet.
IPSec Config> set policy hq.finance da = 10.2.2.0&255.255.255.0
IPSec Config> set policy hq.finance src = 128.185.21.9
IPSec Config> list policy hq.finance
-- *=opaque allowed --
Name Dir Address Port Protocol Action
----------------------------------------------------------------------
hq.finance both sa=128.185.21.9 Any protect
da=10.2.2.0&255.255.255.0
sa_proposal=default, peer=chicago
Attaching the Profile to an Interface
IPSec Config> set interface 1 profile += hq
IPSec Config> list interface 1
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------
1    On      Set           600       hq
IPSec Config> list all
Ifc  IPSec   Don't Frag    Path MTU  Attached IPsec Profiles
     Status  Bit Handling  Ageout
----------------------------------------------------------
1    On      Set           600       hq
IPSec profile   profile type
-----------------------------------------
hq              spd
-- *=opaque allowed --
Name Dir Address Port Protocol Action
-----------------------------------------------------------------------
hq.finance both sa=128.185.21.9 Any protect
da=10.2.2.0&255.255.255.0
sa_proposal=default, peer=chicago
Peer      Peer's       Source IP Address  Peer Type
Name      IP Address   to use with peer   (IKE or MANUAL)
-----------------------------------------------------------------
chicago   128.185.3.1  <automatic>        IKE
IKE-transform: default IKE-mode: aggressive
IP Filters usage: none NAT usage: none
Hardware-assist usage: On
My certificate: default RW profile: none
Pre-shared key: (ASCII) SiH61hfRtyP5902wnIkJgfdUiphy815KkSdfJgLh
Peer ID type: IP-Address
SA-proposal name: default
AH_auth: hmac_sha ESP_auth: none
ESP_encr: 3des Comp_alg: none
Lifetime in seconds: 0 Lifetime in kilobytes: 0
Perfect Forward Secrecy: none
Outbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
Inbound Manual SPI and Key Values:
AH: SPI: 00000000 auth_key: no key configured
ESP: SPI: 00000000 auth_key: no key configured
encr_key: no key configured
COMP: SPI: 0000
IKE             Priority  Auth      Hash  Encr  DH   Lifetime  Lifetime
Transform Name  Seq       Method    Alg   Alg   Grp  Seconds   Kilobytes
-----------------------------------------------------------------------
default         10        preshare  sha   3des  768  28800     0
IPSEC Globals:
--------------
IKE Retransmission timer (in seconds) : 12
IKE Maximum Retransmissions : 4
IPSec Phase2 SA inactivity timer (in seconds) : 60
My ID type: Domain-Name
My ID value: (ASCII) wbobranch.com
To display the active IKE SA on the headquarters router, enter show ike. The remote peer is identified by the domain name that the branch router configured as its My ID.
IPSec> SHOW IKE
Remote Address: 14.13.12.2 (UDP port 500)
Remote ID type: Domain-Name
Remote ID value: (ASCII) wbobranch.com
Local Address: 128.185.3.1 (UDP port 500)
Local ID type: IP-Address
Local ID value: 128.185.3.1
Transforms: sharedKey, HMAC_SHA, 3DES, DHGroup1
State: QM_IDLE
Lifetime:
Traffic: 404 bytes protected (max none)
Age: 56 seconds elapsed (max 28800 sec)
Note: The IP address 14.13.12.2 is the address currently assigned to the branch office router, which the headquarters router learns only when the branch router connects.
IKE negotiates SAs in a bundle. The IKE software takes the information in your SA proposal and creates SA bundles. The show sa command shows the actual bundles running on the router: here an AH SA and an ESP SA in each direction, because the default SA proposal specifies both AH authentication and ESP encryption.
IPSec> show sa
Interface 0 is DISABLED
Decap Q: cur=0 ovfl=0 Encap Q: cur=0 ovfl=0
There are no IPSec SAs active on interface 0
Interface 1 is ENABLED
Decap Q: cur=0 ovfl=0 Encap Q: cur=0 ovfl=0
INBundle (ike, 14.13.12.2->128.185.3.1) Associated Policy=
branch.finance in sa=10.2.2.0&255.255.255.0
Protect da=128.185.21.9
sa_proposal=default, peer=westboro
Lifesecs=0 (Rekey after=71582734, Current=88) Key-PFS=none
LifeKB=0 (Rekey after=0, Current=11) Pkt-cnt=93
AH SA (Up) SPI 96A2C293 Auth=HMAC_SHA, Anti-replay=On
ESP SA (Up) SPI 2CF7CF6B Encr=3DES
OUTBundle (ike, 128.185.3.1->14.13.12.2)
LifeKB=0 (Rekey after=0, Current=11) Pkt-cnt=93
AH SA (Up) SPI 51AAC381 Auth=HMAC_SHA, Anti-replay=On
ESP SA (Up) SPI 9072AE08 Encr=3DES
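The bundle listings above are the most useful operational check, but they are verbose. The Python script below is an added example, not part of the OpenROUTE documentation or software: it parses show sa output into bundles and SAs and audits each bundle. The two samples are transcribed (abridged) from the road warrior client and road warrior gateway listings in this document; the parser, the data classes and the checks are this example's own. The checks flag an ESP SA with no integrity protection from either ESP authentication or a companion AH SA, a single-DES cipher, anti-replay turned off, and a lifetime counter of 0, which the listings show as Rekey after=0 or an unreachably distant rekey point and which therefore never causes a rekey.

```python
"""Parse 'show sa' output and audit each SA bundle (added example, not OpenROUTE code)."""
import re
from dataclasses import dataclass, field

_IFC = re.compile(r"^Interface (\d+) is (ENABLED|DISABLED)")
_BUNDLE = re.compile(r"^(IN|OUT)Bundle \((\w+), ([\d.]+)->([\d.]+)\)")
_LIFE = re.compile(r"(Lifesecs|LifeKB)=(\d+) \(Rekey after=(\d+), Current=(\d+)\)")
_SA = re.compile(r"^(AH|ESP) SA \((\w+)\) SPI ([0-9A-Fa-f]+)(.*)$")
_KV = re.compile(r"(Auth|Encr|Anti-replay)=(\w+)")
WEAK_CIPHERS = {"DES"}  # 56-bit key

@dataclass
class SA:
    proto: str          # AH or ESP
    state: str          # Up, as shown in parentheses
    spi: str
    attrs: dict = field(default_factory=dict)  # Auth / Encr / Anti-replay

@dataclass
class Bundle:
    direction: str      # IN or OUT
    src: str
    dst: str
    interface: str
    lifetimes: dict = field(default_factory=dict)  # counter -> (max, rekey_at, current)
    sas: list = field(default_factory=list)

def parse_show_sa(text):
    """Return the Bundles in the order they appear in the output."""
    bundles, ifc, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _IFC.match(line):
            ifc = m.group(1)
        elif m := _BUNDLE.match(line):
            cur = Bundle(m.group(1), m.group(3), m.group(4), ifc)
            bundles.append(cur)
        elif cur is None:
            continue  # queue counters and other text before the first bundle
        elif m := _SA.match(line):
            cur.sas.append(SA(m.group(1), m.group(2), m.group(3).upper(),
                              dict(_KV.findall(m.group(4)))))
        elif line.startswith("Encr=") and cur.sas:
            cur.sas[-1].attrs.update(_KV.findall(line))  # ESP line wrapped by the router
        else:
            for name, mx, rekey, now in _LIFE.findall(line):
                cur.lifetimes[name] = (int(mx), int(rekey), int(now))
    return bundles

def audit(bundle):
    """Return findings for one bundle; an empty list means nothing to flag."""
    findings = []
    has_ah = any(sa.proto == "AH" for sa in bundle.sas)
    for sa in bundle.sas:
        if sa.proto == "ESP" and "Auth" not in sa.attrs and not has_ah:
            findings.append(f"ESP SPI {sa.spi}: no integrity protection")
        if sa.attrs.get("Encr", "").upper() in WEAK_CIPHERS:
            findings.append(f"{sa.proto} SPI {sa.spi}: weak cipher {sa.attrs['Encr']}")
        if sa.attrs.get("Anti-replay", "On") != "On":
            findings.append(f"{sa.proto} SPI {sa.spi}: anti-replay off")
    for name, (mx, _rekey, _now) in bundle.lifetimes.items():
        if mx == 0:  # shown as Rekey after=0 or an unreachably distant rekey point
            findings.append(f"{name}=0: no rekey on this counter")
    return findings

# Transcribed (abridged) from the road warrior client and gateway listings above.
CLIENT_SAMPLE = """\
Interface 1 is ENABLED
INBundle (ike, 10.3.7.155->128.185.3.1) Associated Policy=
roadwarrior.fin in sa=10.3.7.155 Protect
Lifesecs=28800 (Rekey after=24480, Current=81) Key-PFS=none
LifeKB=0 (Rekey after=0, Current=0) Pkt-cnt=0
ESP SA (Up) SPI C1931F4C Auth=HMAC_SHA, Anti-replay=On
Encr=DES
OUTBundle (ike, 128.185.3.1->10.3.7.155)
LifeKB=0 (Rekey after=0, Current=0) Pkt-cnt=0
ESP SA (Up) SPI D3A5CE56 Auth=HMAC_SHA, Anti-replay=On
Encr=DES
"""
GATEWAY_SAMPLE = """\
Interface 0 is DISABLED
There are no IPSec SAs active on interface 0
Interface 1 is ENABLED
INBundle (ike, 14.13.12.2->128.185.3.1) Associated Policy=
Lifesecs=0 (Rekey after=71582734, Current=88) Key-PFS=none
LifeKB=0 (Rekey after=0, Current=11) Pkt-cnt=93
AH SA (Up) SPI 96A2C293 Auth=HMAC_SHA, Anti-replay=On
ESP SA (Up) SPI 2CF7CF6B Encr=3DES
OUTBundle (ike, 128.185.3.1->14.13.12.2)
AH SA (Up) SPI 51AAC381 Auth=HMAC_SHA, Anti-replay=On
ESP SA (Up) SPI 9072AE08 Encr=3DES
"""

if __name__ == "__main__":
    for b in parse_show_sa(CLIENT_SAMPLE) + parse_show_sa(GATEWAY_SAMPLE):
        print(f"ifc {b.interface} {b.direction} {b.src}->{b.dst}",
              [(sa.proto, sa.spi, sa.attrs) for sa in b.sas])
        for f in audit(b):
            print("   !", f)
```

On the client sample the audit reports the DES cipher and the kilobyte counter that never rekeys; on the gateway sample the ESP SAs carry no authentication of their own, but the parser sees the companion AH SA in the same bundle and does not report a missing integrity check, which is the distinction a reader of the raw listing has to make by hand.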