IPSec Configuration Guide
Introduction

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) for providing secure transmission of data over IP networks. These protocols include the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The IPSec framework also includes key exchange and the algorithms used for authentication and encryption. These protocols allow two devices to establish an IPSec tunnel between them, so that data is securely forwarded over the IPSec tunnel.

IPSec Configuration

Configuration steps: Create IPSec; Configure IKE; Configure SA; Bind IPSec to port; Display and maintenance.

IPSec Configuration Example

Network requirements

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and the headquarters gateway because they communicate over the Internet.

Procedure

Device1

sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.1/24
sonic(config-if-2)# ipsec test peer ip4 1.1.1.2
sonic(config-if-2)# mtu 1492
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.1.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared key mic string test1234
sonic(config-ipsec-test)# ike crypto alg aes cbc crypto alg size 256 integ alg sha1 96 dh modp 2048
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike traffic selector local ip4 addr start 10.1.1.0 addr end 10.1.1.255
sonic(config-ipsec-test)# ike traffic selector remote ip4 addr start 10.1.2.0 addr end 10.1.2.255
sonic(config-ipsec-test)# sa crypto alg aes cbc crypto alg size 256 integ alg sha1 96
sonic(config-ipsec-test)# sa tunnel ip4 src ip 1.1.1.1 dst ip 1.1.1.2 next hop 1.1.1.2 remote ip 10.1.2.0/24 shared interface ethernet2

Device2

sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 1.1.1.2/24
sonic(config-if-2)# mtu 1492
sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 10.1.2.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared key mic string test1234
sonic(config-ipsec-test)# ike crypto alg aes cbc crypto alg size 256 integ alg sha1 96 dh modp 2048
sonic(config-ipsec-test)# ike local type ip4 data 1.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 1.1.1.1
sonic(config-ipsec-test)# ike traffic selector local ip4 addr start 10.1.2.0 addr end 10.1.2.255
sonic(config-ipsec-test)# ike traffic selector remote ip4 addr start 10.1.1.0 addr end 10.1.1.255
sonic(config-ipsec-test)# sa crypto alg aes cbc crypto alg size 256 integ alg sha1 96
sonic(config-ipsec-test)# sa tunnel ip4 src ip 1.1.1.2 dst ip 1.1.1.1 next hop 1.1.1.1 remote ip 10.1.1.0/24 shared interface ethernet2

Example of IPSec Configuration in a PPPoE Scenario

Network requirements

The enterprise wants to protect data flows between the branch subnets and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and the headquarters gateway because they communicate over the Internet. The branch gateway functions as the PPPoE client to obtain an IP address, so the headquarters gateway cannot know the branch gateway's IP address in advance and can only respond to IPSec negotiation requests initiated by the branch gateway.

Procedure

Device1

sonic(config)# interface dialer 1
sonic(config-dialerif-1)# ppp chap username test1 test123
sonic(config-dialerif-1)# ipsec test peer ip4 20.1.1.2
sonic(config-dialerif-1)# mtu 1492
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 80.0.0.1/24
sonic(config)# interface ethernet 1
sonic(config-if-1)# pppoe client 1
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared key mic string test1234
sonic(config-ipsec-test)# ike crypto alg aes cbc crypto alg size 256 integ alg sha1 96 dh modp 2048
sonic(config-ipsec-test)# ike local type ip4 data 10.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 20.1.1.2
sonic(config-ipsec-test)# ike traffic selector local ip4 addr start 80.0.0.0 addr end 80.0.0.255
sonic(config-ipsec-test)# ike traffic selector remote ip4 addr start 90.0.0.0 addr end 90.0.0.255
sonic(config-ipsec-test)# sa crypto alg aes cbc crypto alg size 256 integ alg sha1 96
sonic(config-ipsec-test)# sa tunnel ip4 src ip 10.1.1.2 dst ip 20.1.1.2 next hop 10.1.1.1 remote ip 90.0.0.0/24 shared interface dialer1
sonic(config)# ip route 20.1.1.0/24 dialer 1

Device2

sonic(config)# interface ethernet 1
sonic(config-if-1)# ip address 20.1.1.2/24
sonic(config-if-1)# mtu 1492
sonic(config)# interface ethernet 2
sonic(config-if-2)# ip address 90.0.0.1/24
sonic(config)# ipsec test
sonic(config-ipsec-test)# shared key mic string test1234
sonic(config-ipsec-test)# ike crypto alg aes cbc crypto alg size 256 integ alg sha1 96 dh modp 2048
sonic(config-ipsec-test)# ike local type ip4 data 20.1.1.2
sonic(config-ipsec-test)# ike remote type ip4 data 10.1.1.2
sonic(config-ipsec-test)# ike traffic selector local ip4 addr start 90.0.0.0 addr end 90.0.0.255
sonic(config-ipsec-test)# ike traffic selector remote ip4 addr start 80.0.0.0 addr end 80.0.0.255
sonic(config-ipsec-test)# sa crypto alg aes cbc crypto alg size 256 integ alg sha1 96
sonic(config-ipsec-test)# sa tunnel ip4 src ip 20.1.1.2 dst ip 10.1.1.2 next hop 20.1.1.1 remote ip 80.0.0.0/24 shared interface ethernet5
sonic(config)# ip route 10.1.1.0/24 20.1.1.1
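Most failed IKE negotiations in a setup like the examples above come from the two ends not mirroring each other. As an added example (not the guide's or the device's own code), the Python check below parses the two peers' IPSec lines from the first example, embedded inline as constructed input, and reports fields that must be identical (shared key, IKE and SA algorithm sets) or swapped (local/remote identities, traffic selectors, tunnel src/dst) but are not. The field names and the line-matching regexes are this example's own assumptions about the CLI wording.

```python
import re
# Constructed from the guide's first example: one IPSec CLI line per entry, prompts dropped.
DEVICE1 = """
shared key mic string test1234
ike crypto alg aes cbc crypto alg size 256 integ alg sha1 96 dh modp 2048
ike local type ip4 data 1.1.1.1
ike remote type ip4 data 1.1.1.2
ike traffic selector local ip4 addr start 10.1.1.0 addr end 10.1.1.255
ike traffic selector remote ip4 addr start 10.1.2.0 addr end 10.1.2.255
sa crypto alg aes cbc crypto alg size 256 integ alg sha1 96
sa tunnel ip4 src ip 1.1.1.1 dst ip 1.1.1.2 next hop 1.1.1.2 remote ip 10.1.2.0/24
"""
DEVICE2 = """
shared key mic string test1234
ike crypto alg aes cbc crypto alg size 256 integ alg sha1 96 dh modp 2048
ike local type ip4 data 1.1.1.2
ike remote type ip4 data 1.1.1.1
ike traffic selector local ip4 addr start 10.1.2.0 addr end 10.1.2.255
ike traffic selector remote ip4 addr start 10.1.1.0 addr end 10.1.1.255
sa crypto alg aes cbc crypto alg size 256 integ alg sha1 96
sa tunnel ip4 src ip 1.1.1.2 dst ip 1.1.1.1 next hop 1.1.1.1 remote ip 10.1.1.0/24
"""
# Field names are this example's own (assumption); regexes follow the guide's command wording.
PATTERNS = {
    "key": r"shared key \S+ string (\S+)",
    "ike_alg": r"ike (crypto alg .*)",
    "local_id": r"ike local type ip4 data (\S+)",
    "remote_id": r"ike remote type ip4 data (\S+)",
    "ts_local": r"ike traffic selector local ip4 addr start (\S+) addr end (\S+)",
    "ts_remote": r"ike traffic selector remote ip4 addr start (\S+) addr end (\S+)",
    "sa_alg": r"sa (crypto alg .*)",
    "tunnel": r"sa tunnel ip4 src ip (\S+) dst ip (\S+)",
}

def parse(text):
    """Map each recognised CLI line to a field; multi-value fields become tuples."""
    cfg = {}
    for line in text.strip().splitlines():
        for name, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m:
                cfg[name] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return cfg

def mismatches(a, b):
    """Fields on which peers a and b do not agree; must be empty for the tunnel to come up."""
    bad = [f for f in ("key", "ike_alg", "sa_alg") if a.get(f) != b.get(f)]  # must be identical
    for mine, theirs in (("local_id", "remote_id"), ("ts_local", "ts_remote")):  # must be swapped
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            bad.append(mine)
    if a.get("tunnel") != tuple(reversed(b.get("tunnel", ()))):  # src/dst must be swapped
        bad.append("tunnel")
    return bad
```

Running the same check against the PPPoE example would flag nothing for the IPSec lines either, since that example is also mirrored; the check does not cover the dialer and static route lines.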
