IPSec Configuration
IPSec configuration
show ipsec
[Command]
show ipsec
[Purpose]
Display IPsec information
[View]
System view
[Use Cases]
sonic# show ipsec
ipsec name
[Command]
ipsec name
[Purpose]
Create an IPsec configuration group and enter its view
[View]
System configuration view
[Use Cases]
sonic# ipsec test
ike crypto_alg
[Command]
ike crypto_alg {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto_alg_size 0-65535 integ_alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256} dh {none|modp-768|modp-1024|modp-1536|modp-2048|modp-3072|modp-4096|modp-6144|modp-8192|ecp-192|ecp-256|ecp-384|ecp-512|modp-1024-160|modp-2048-224|modp-2048-256}
[Purpose]
Configure the IKE encryption algorithm, key length, integrity (authentication) algorithm and DH group
[View]
IPSec configuration view
[Parameter]
crypto_alg encryption algorithm
crypto_alg_size key length in bits
integ_alg integrity (authentication) algorithm
dh Diffie-Hellman group
[Use Cases]
sonic(config-ipsec-test)# ike crypto_alg des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096
ike local type {ip4|ip6|rfc822|fqdn} data value
[Command]
ike local type {ip4|ip6|rfc822|fqdn} data value
[Purpose]
Configure the ID type and ID of the local user in IKE users.
[View]
IPSec configuration view
[Parameter]
type ID type
data ID value
[Use Cases]
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1
ike remote type {ip4|ip6|rfc822|fqdn} data value
[Command]
ike remote type {ip4|ip6|rfc822|fqdn} data value
[Purpose]
Configure the ID type and ID of the remote user in IKE users.
[View]
IPSec configuration view
[Parameter]
type ID type
data ID value
[Use Cases]
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1
ike traffic_selector {local|remote} {ip4|ip6} addr_start A.B.C.D addr_end A.B.C.D port_start 0-65535 port_end 0-65535 protocol 0-255
[Command]
ike traffic_selector {local|remote} {ip4|ip6} addr_start A.B.C.D addr_end A.B.C.D port_start 0-65535 port_end 0-65535 protocol 0-255
[Purpose]
Configure the traffic selector, i.e. the data streams (address range, port range and protocol) to be protected by the tunnel
[View]
IPSec configuration view
[Parameter]
local|remote whether the selector describes the local or the remote side of the tunnel
ip4|ip6 address family
addr_start first IP address of the range
addr_end last IP address of the range
port_start first port of the range
port_end last port of the range
protocol IP protocol number (0-255)
[Use Cases]
sonic(config-ipsec-test)# ike traffic_selector local ip4 addr_start 1.1.1.1 addr_end 2.2.2.2 port_start 0 port_end 65535 protocol 6
sa {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto_alg_size 0-65535 integ_alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256}
[Command]
sa {des-iv64|des|3des|rc5|idea|cast|blowfish|3idea|des-iv32|null|aes-cbc|aes-ctr|aes-gcm-16} crypto_alg_size 0-65535 integ_alg {none|md5-96|sha1-96|des-mac|kpdk-md5|aes-xcbc-96|md5-128|sha1-160|cmac-96|aes-128-gmac|aes-192-gmac|aes-256-gmac|hmac-sha2-256-128|hmac-sha2-384-192|hmac-sha2-512-256}
[Purpose]
Configure the SA (child SA) encryption algorithm, key length and integrity (authentication) algorithm
[View]
IPSec configuration view
[Parameter]
sa encryption algorithm
crypto_alg_size key length in bits
integ_alg integrity (authentication) algorithm
[Use Cases]
sonic(config-ipsec-test)# sa des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096
sa lifetime value [jitter value] [handover value] [max_bytes value]
[Command]
sa lifetime value [jitter value] [handover value] [max_bytes value]
[Purpose]
Configure SA lifetime and renegotiation (rekeying) parameters
[View]
IPSec configuration view
[Parameter]
lifetime lifetime of the SA; renegotiation is triggered when it expires
jitter Random jitter time (seconds), to avoid simultaneous renegotiation at both ends
handover Smooth transition time (seconds), old SA retention time to ensure that traffic is not interrupted before the new SA is established.
max_bytes SA data transfer limit; renegotiation triggered when limit is exceeded
[Use Cases]
sonic(config-ipsec-test)# sa lifetime 600 jitter 300 handover 120 max_bytes 10000
sa natt {enable|disable}
[Command]
sa natt {enable|disable}
[Purpose]
Enable or disable NAT traversal (NAT-T) detection
[View]
IPSec configuration view
[Use Cases]
sonic(config-ipsec-test)# sa natt enable
sa tunnel {ip4|ip6} src_ip A.B.C.D dst_ip A.B.C.D next_hop A.B.C.D remote_ip A.B.C.D/M shared_interface name
[Command]
sa tunnel {ip4|ip6} src_ip A.B.C.D dst_ip A.B.C.D next_hop A.B.C.D remote_ip A.B.C.D/M shared_interface name
[Purpose]
Configure the IPsec tunnel endpoints, next hop, protected remote network and bound interface
[View]
IPSec configuration view
[Parameter]
ip4|ip6 tunnel address family
src_ip IKE local address (tunnel source)
dst_ip IKE remote address (tunnel destination)
next_hop next-hop address toward the peer
remote_ip remote network (prefix) routed into the tunnel
shared_interface interface to which the IPsec tunnel is bound
[Use Cases]
sonic(config-ipsec-test)# sa tunnel ip4 src_ip 10.1.1.101 dst_ip 20.1.1.2 next_hop 10.1.1.1 remote_ip 90.0.0.0/24 shared_interface Dialer1
shared_key_mic {string|hex} value
[Command]
shared_key_mic {string|hex} value
[Purpose]
Configure the pre-shared key used for IKE authentication
[View]
IPSec configuration view
[Parameter]
string|hex encoding of the key value (printable string or hexadecimal)
value shared key
[Use Cases]
sonic(config-ipsec-test)# shared_key_mic string 12345678
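The enumerations above still accept algorithms and groups that no longer belong in a production tunnel (DES, 3DES, RC5, IDEA, CAST, Blowfish, null encryption, MD5- and SHA1-based integrity, DH groups below 2048 bits), and the documented use cases themselves pick des-iv64 with md5-128 and an eight-character pre-shared key. The following linter is an added example, not part of this reference or the vendor's software: it parses the ike crypto_alg, ike traffic_selector, sa, sa lifetime and shared_key_mic commands exactly as written in the use cases and reports weak or inconsistent settings before they reach the device. The weak/strong classification is general cryptographic guidance, not a vendor default; the two configurations at the bottom are constructed samples.

```python
"""Policy linter for the IPsec-view commands documented on this page (added example)."""
import ipaddress
import re

# Documented algorithm names that should not protect traffic today (broken,
# deprecated, or offering no confidentiality). Classification is an assumption
# based on general guidance, not a vendor setting.
WEAK_CRYPTO = {"des-iv64", "des", "3des", "rc5", "idea", "cast", "blowfish",
               "3idea", "des-iv32", "null"}
WEAK_INTEG = {"none", "md5-96", "sha1-96", "des-mac", "kpdk-md5", "md5-128", "sha1-160"}
WEAK_DH = {"none", "modp-768", "modp-1024", "modp-1536", "modp-1024-160"}
AEAD = {"aes-gcm-16"}  # integrity is built in, so integ_alg none is acceptable here


def _kv(tokens):
    """Turn 'k1 v1 k2 v2 ...' into a dict."""
    return dict(zip(tokens[0::2], tokens[1::2]))


def check_proposal(tokens, where):
    """Check an '<alg> crypto_alg_size N integ_alg X [dh Y]' proposal (ike or sa)."""
    findings, crypto, kv = [], tokens[0], _kv(tokens[1:])
    if crypto in WEAK_CRYPTO:
        findings.append(f"{where}: weak encryption algorithm {crypto}")
    integ = kv.get("integ_alg")
    if integ in WEAK_INTEG and not (integ == "none" and crypto in AEAD):
        findings.append(f"{where}: weak integrity algorithm {integ}")
    size = int(kv.get("crypto_alg_size", 0))
    if crypto.startswith("aes") and size not in (128, 192, 256):
        findings.append(f"{where}: AES key length {size} is not 128/192/256")
    if kv.get("dh") in WEAK_DH:
        findings.append(f"{where}: weak DH group {kv['dh']}")
    return findings


def check_traffic_selector(tokens):
    """Validate the address family, address range and port range of a selector."""
    findings = []
    side, family, kv = tokens[0], tokens[1], _kv(tokens[2:])
    a0, a1 = ipaddress.ip_address(kv["addr_start"]), ipaddress.ip_address(kv["addr_end"])
    if a0.version != a1.version or (family == "ip4") != (a0.version == 4):
        findings.append(f"traffic_selector {side}: address family mismatch")
    elif a0 > a1:
        findings.append(f"traffic_selector {side}: addr_start is after addr_end")
    p0, p1 = int(kv["port_start"]), int(kv["port_end"])
    if not 0 <= p0 <= p1 <= 65535:
        findings.append(f"traffic_selector {side}: bad port range {p0}-{p1}")
    if not 0 <= int(kv["protocol"]) <= 255:
        findings.append(f"traffic_selector {side}: bad protocol number")
    return findings


def check_lifetime(tokens):
    """jitter and handover are both spent before expiry, so they must fit in the lifetime."""
    lifetime, kv = int(tokens[0]), _kv(tokens[1:])
    if int(kv.get("jitter", 0)) + int(kv.get("handover", 0)) >= lifetime:
        return ["sa lifetime: jitter + handover leave no time before the SA expires"]
    return []


def check_psk(tokens):
    """Flag short or low-variety pre-shared keys (thresholds are an assumption)."""
    form, value = tokens
    raw = bytes.fromhex(value) if form == "hex" else value.encode()
    if len(raw) < 16 or len(set(raw)) < 8:
        return [f"shared_key_mic: pre-shared key is short or low-entropy ({len(raw)} bytes)"]
    return []


def lint(config_text):
    """Lint the IPsec-view commands of one configuration group; return a list of findings."""
    findings = []
    for line in config_text.strip().splitlines():
        tokens = re.sub(r"^\S+#\s*", "", line.strip()).split()  # drop a 'sonic(...)#' prompt
        if len(tokens) < 3:
            continue
        head = (tokens[0], tokens[1])
        if head == ("ike", "crypto_alg"):
            findings += check_proposal(tokens[2:], "ike")
        elif head == ("ike", "traffic_selector"):
            findings += check_traffic_selector(tokens[2:])
        elif head == ("sa", "lifetime"):
            findings += check_lifetime(tokens[2:])
        elif tokens[0] == "sa" and tokens[1] not in ("natt", "tunnel"):
            findings += check_proposal(tokens[1:], "sa")
        elif tokens[0] == "shared_key_mic":
            findings += check_psk(tokens[1:])
    return findings


# Constructed sample: the choices from the page's own use cases.
WEAK_CONFIG = """
ike crypto_alg des-iv64 crypto_alg_size 128 integ_alg md5-128 dh modp-4096
ike traffic_selector local ip4 addr_start 1.1.1.1 addr_end 2.2.2.2 port_start 0 port_end 65535 protocol 6
sa des-iv64 crypto_alg_size 128 integ_alg md5-128
sa lifetime 600 jitter 300 handover 120 max_bytes 10000
shared_key_mic string 12345678
"""

# Constructed sample: an AEAD proposal, an ECDH group and a 32-byte random-looking hex key.
STRONG_CONFIG = """
ike crypto_alg aes-gcm-16 crypto_alg_size 256 integ_alg none dh ecp-256
ike traffic_selector local ip4 addr_start 10.0.0.0 addr_end 10.0.0.255 port_start 0 port_end 65535 protocol 0
sa aes-gcm-16 crypto_alg_size 256 integ_alg none
sa lifetime 3600 jitter 300 handover 120 max_bytes 1000000000
shared_key_mic hex a3f1c9e0b5d27748e611f0ab3c2d9e8f5a7b1c0d4e6f8a9b2c3d5e7f0a1b2c4d
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, lint(cfg) or "no findings")
```

Run it against the exported configuration of a group before applying it; the weak sample yields five findings (both proposals on cipher and integrity, plus the pre-shared key), the strong sample none. The checks are intentionally independent of each other, so a site policy can tighten a single set (for example, drop modp-2048 from the acceptable DH groups) without touching the parser.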
ipsec name peer {ip4|ip6} A.B.C.D|X:X::X:X
[Command]
ipsec name peer {ip4|ip6} A.B.C.D|X:X::X:X
[Purpose]
Apply an IPsec configuration group to an interface and specify the peer address
[View]
Interface configuration view
[Parameter]
name IPsec configuration group name
A.B.C.D|X:X::X:X Peer IPv4/IPv6 address
[Use Cases]
sonic(config-if-16)# ipsec test peer ip4 1.1.1.1