IPSec

Transform set

Define authentication and encryption algorithms

crypto ipsec transform-set IPSECTS ah hmac HMAC_ALG

Use AH mode

crypto ipsec transform-set IPSECTS esp {hmac HMAC_ALG | cipher CIPHER_ALG}

Use ESP mode.

mode transport

In transport mode, the original IP header is not changed; only an AH or ESP header is added.

mode tunnel

In tunnel mode, a new IP header is added in front of the original IP header.

Example :

soodar(config)# crypto ipsec transform-set ipsec-tunnel-TS esp hmac md5 cipher aes-192
soodar(cfg-crypto-trans)# mode transport

Profile

Store encryption/decryption keys.

There are two ways of establishing SAs for IPSec: static pre-defined keys, or IKEv2 profiles. Choose only one of them; combining both methods yields an inconsistent configuration.

[no] crypto ipsec profile IPSECPROFILE

Create a new profile IPSECPROFILE.

[no] set transform-set IPSECTS

Note

An IPSec profile without a transform set is useless.

[no] set session-key inbound (256-4294967295) {cipher WORD|authenticator WORD}

Set the inbound session key for the given SPI. Depending on the transform set, two keys can be provided: a cipher key and an authenticator key.

Note

The key length must match the selected algorithm.

[no] set session-key outbound (256-4294967295) {cipher WORD|authenticator WORD}

Set the outbound session key for the given SPI. Depending on the transform set, two keys can be provided: a cipher key and an authenticator key.

Note

The key length must match the selected algorithm.

Note

The outbound keys are used for encryption and the inbound keys for decryption. Therefore the receiver's inbound key and SPI must be the same as the sender's outbound key and SPI, and likewise the receiver's outbound key and SPI must be the same as the sender's inbound key and SPI.

[no] set ikev2 profile IKEPROFILE

Set the IKEv2 profile that this IPSec profile uses to establish an IKEv2 session and its SAs.

Note

An IKEv2 profile must be used by only one IPSec profile, and an IPSec profile that uses an IKEv2 profile must be bound to a single tunnel; it cannot be used on two tunnels. So each tunnel needs its own IKEv2 profile and its own IPSec profile.

set security-association lifetime kilobytes (2560-4294967295)

When using IKEv2, set the SA rekeying criterion as an amount of traffic in kilobytes. Once the traffic exceeds this value, new keys are assigned to the SAs.

set security-association lifetime second (120-2592000)

When using IKEv2, set the SA rekeying criterion as a lifetime in seconds.

Example :

soodar1(config)# crypto ipsec profile ipsec-tunnel-profile
soodar1(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar1(ipsec-profile)#  set session-key inbound 300 authenticator 1234 cipher 4321
soodar1(ipsec-profile)#  set session-key outbound 6132 authenticator 4567 cipher 7654

and on the other router:

soodar2(config)# crypto ipsec profile ipsec-transport-profile
soodar2(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar2(ipsec-profile)#  set session-key inbound 6132 authenticator 4567 cipher 7654
soodar2(ipsec-profile)#  set session-key outbound 300 authenticator 1234 cipher 4321

Using an IKEv2 profile instead of static keys:

soodar1(config)# crypto ikev2 proposal PROPOSAL
soodar1(config-ikev2-proposal)# integrity md5
soodar1(config-ikev2-proposal)# encryption des
soodar1(config-ikev2-proposal)# group 5
soodar1(config-ikev2-proposal)# crypto ikev2 keyring KEY-1
soodar1(config-ikev2-keyring)# peer PC-1
soodar1(config-ikev2-keyring-peer)# address 200.1.2.1
soodar1(config-ikev2-keyring-peer)# identity email pc1@local.net
soodar1(config-ikev2-keyring-peer)# pre-shared-key PSKPASS
soodar1(config-ikev2-keyring-peer)# crypto ikev2 profile profile-ike
soodar1(config-ikev2-profile)# identity local address 9.9.9.9
soodar1(config-ikev2-profile)# match identity remote email pc1@local.net
soodar1(config-ikev2-profile)# keyring local KEY-1
soodar1(config-ikev2-profile)# proposal PROPOSAL
soodar1(config)# crypto ipsec profile ipsec-transport-profile
soodar1(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar1(ipsec-profile)#  set ikev2 profile profile-ike

and on the other router:

soodar2(config)# crypto ikev2 proposal PROPOSAL
soodar2(config-ikev2-proposal)# integrity md5
soodar2(config-ikev2-proposal)# encryption des
soodar2(config-ikev2-proposal)# group 5
soodar2(config-ikev2-proposal)# crypto ikev2 keyring KEY-1
soodar2(config-ikev2-keyring)# peer PC-2
soodar2(config-ikev2-keyring-peer)# address 200.1.2.2
soodar2(config-ikev2-keyring-peer)# identity address 9.9.9.9
soodar2(config-ikev2-keyring-peer)# pre-shared-key PSKPASS
soodar2(config-ikev2-keyring-peer)# crypto ikev2 profile profile-ike
soodar2(config-ikev2-profile)# identity local email pc1@local.net
soodar2(config-ikev2-profile)# match identity remote address 9.9.9.9
soodar2(config-ikev2-profile)# keyring local KEY-1
soodar2(config-ikev2-profile)# proposal PROPOSAL
soodar2(config)# crypto ipsec profile ipsec-transport-profile
soodar2(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar2(ipsec-profile)#  set ikev2 profile profile-ike
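The notes above state several rules that are easy to get wrong when two routers are keyed by hand: a profile needs a transform set, static keys and an IKEv2 profile must not be mixed, key lengths must fit the algorithms, and one peer's inbound SPI and keys must mirror the other peer's outbound ones. The following Python script is an added example, not part of this reference or of the router's software: it parses pasted CLI text in the syntax shown on this page and checks those rules for both peers. The algorithm key sizes in KEY_BYTES and the assumption that keys are written as hex are mine, not stated by the page, and the sample sessions are constructed.

```python
"""Consistency checks for manually keyed IPSec profiles on two peers (added example).

Parses CLI text in the syntax of this reference and verifies the rules from its notes.
KEY_BYTES and the hex key encoding are assumptions made for this example.
"""
import re

KEY_BYTES = {"md5": 16, "sha1": 20, "sha256": 32,            # hmac algorithms (assumed sizes)
             "des": 8, "3des": 24,
             "aes-128": 16, "aes-192": 24, "aes-256": 32}     # cipher algorithms (assumed sizes)
SPI_MIN, SPI_MAX = 256, 4294967295          # range from the session-key command syntax
PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")   # strips e.g. 'soodar1(ipsec-profile)# '


def parse_config(text):
    """Return (transform_sets, profiles) from CLI text; unrelated blocks are skipped."""
    transform_sets, profiles, current = {}, {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        parts = line.split()
        if not parts:
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (ah|esp)(.*)", line)
        if m:
            name, proto, rest = m.groups()
            transform_sets[name] = {"proto": proto, **dict(re.findall(r"(hmac|cipher) (\S+)", rest))}
            current = ("ts", name)
        elif parts[:3] == ["crypto", "ipsec", "profile"]:
            profiles[parts[3]] = {"transform_set": None, "ikev2": None, "keys": {}}
            current = ("profile", parts[3])
        elif parts[0] == "crypto":
            current = None                      # IKEv2 or other block: not checked here
        elif current is None or current[0] != "profile":
            continue
        elif parts[:2] == ["set", "transform-set"]:
            profiles[current[1]]["transform_set"] = parts[2]
        elif parts[:3] == ["set", "ikev2", "profile"]:
            profiles[current[1]]["ikev2"] = parts[3]
        elif parts[:2] == ["set", "session-key"]:
            keys = dict(re.findall(r"(cipher|authenticator) (\S+)", line))
            profiles[current[1]]["keys"][parts[2]] = {"spi": int(parts[3]), **keys}
    return transform_sets, profiles


def check_profile(label, profile, transform_sets):
    """Findings for one profile: transform set bound, no key/IKEv2 mix, SPI range, key sizes."""
    findings = []
    ts = transform_sets.get(profile["transform_set"])
    if ts is None:
        findings.append(f"{label}: no transform-set bound, profile is unusable")
    if profile["keys"] and profile["ikev2"]:
        findings.append(f"{label}: mixes static session keys with an IKEv2 profile")
    for direction, entry in profile["keys"].items():
        if not SPI_MIN <= entry["spi"] <= SPI_MAX:
            findings.append(f"{label}: {direction} SPI {entry['spi']} out of range")
        if ts is None:
            continue
        # 'hmac' in the transform set needs an authenticator key, 'cipher' needs a cipher key
        for ts_key, role in (("hmac", "authenticator"), ("cipher", "cipher")):
            alg, key = ts.get(ts_key), entry.get(role)
            if (alg is None) != (key is None):
                findings.append(f"{label}: {direction} {role} key does not match transform-set")
            elif alg is not None:
                got = len(bytes.fromhex(key)) if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", key) else None
                if got is None:
                    findings.append(f"{label}: {direction} {role} key is not hex")
                elif alg in KEY_BYTES and got != KEY_BYTES[alg]:
                    findings.append(f"{label}: {direction} {role} key is {got} bytes, {alg} needs {KEY_BYTES[alg]}")
    return findings


def check_peers(label_a, prof_a, label_b, prof_b):
    """Receiver's inbound SPI and keys must equal sender's outbound ones, in both directions."""
    return [f"{label_a} {mine} does not mirror {label_b} {theirs}"
            for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound"))
            if prof_a["keys"].get(mine) != prof_b["keys"].get(theirs)]


def peer_config(host, in_spi, in_auth, in_cipher, out_spi, out_auth, out_cipher):
    """Constructed sample session for one peer, in the syntax of this reference."""
    return f"""
{host}(config)# crypto ipsec transform-set ipsec-tunnel-TS esp hmac md5 cipher aes-192
{host}(config)# crypto ipsec profile ipsec-tunnel-profile
{host}(ipsec-profile)#  set transform-set ipsec-tunnel-TS
{host}(ipsec-profile)#  set session-key inbound {in_spi} authenticator {in_auth} cipher {in_cipher}
{host}(ipsec-profile)#  set session-key outbound {out_spi} authenticator {out_auth} cipher {out_cipher}
"""


# Constructed placeholder keys: 16 bytes for hmac md5, 24 bytes for aes-192.
A_IN, A_OUT = ("11" * 16, "22" * 24), ("33" * 16, "44" * 24)
R1 = peer_config("soodar1", 300, *A_IN, 6132, *A_OUT)
R2 = peer_config("soodar2", 6132, *A_OUT, 300, *A_IN)                   # mirrored correctly
R2_BAD = peer_config("soodar2", 6132, *A_OUT, 300, A_IN[0], "55" * 24)  # one cipher key mistyped
R_SHORT = peer_config("soodar1", 300, "1234", "4321", 6132, "4567", "7654")  # keys far too short


def audit(config_a, config_b, profile_name):
    """Check both peers' copies of profile_name and that they mirror each other."""
    ts_a, pa = parse_config(config_a)
    ts_b, pb = parse_config(config_b)
    return (check_profile("A", pa[profile_name], ts_a)
            + check_profile("B", pb[profile_name], ts_b)
            + check_peers("A", pa[profile_name], "B", pb[profile_name]))
```

Running `audit(R1, R2, "ipsec-tunnel-profile")` returns no findings, `audit(R1, R2_BAD, ...)` reports that A's inbound entry does not mirror B's outbound one, and auditing R_SHORT against its mirror reports every key as too short for md5 and aes-192. Note that `audit` only checks each peer's own copy of the profile; the transform sets must of course also agree, which `parse_config` exposes for a further comparison.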

Crypto map

A crypto map lets the admin select, by means of an ACL, which packets are to be encrypted.

Note

Currently, crypto maps do not support IKEv2.

[no] crypto map CRYPTOMAP (1-65535)

Enter crypto map config mode for CRYPTOMAP. The number is the sequence number of the rule to be inserted.

[no] set profile IPSECPROFILE

Use the given profile to encrypt and decrypt the matched packets.

[no] match address ACL

Match packets according to the ACL.

[no] crypto map CRYPTOMAP

Apply the crypto map to the interface.

Example :

soodar(config)# crypto map 10 cmap-1-3 ipsec-manual
soodar(config-crypto-map)#  set profile ipsec-transport-profile
soodar(config-crypto-map)#  match address acl-ipsec-1-to-3
soodar(config-crypto-map)# quit
soodar(config)# interface ge0
soodar(config-if)#  crypto map cmap-1-3
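A crypto map is an ordered list of rules, each tying an ACL to a profile, and the sequence number decides the order in which the rules are tried for a packet. The following Python model is an added example, not the router's code and not part of this reference. It assumes, as this kind of crypto map conventionally behaves, that entries are evaluated in ascending sequence order, that the first entry whose ACL permits the packet selects the profile, that packets permitted by no entry leave the interface unencrypted, and that an ACL is an ordered list of permit/deny rules on source and destination prefixes with an implicit deny at the end. The map name, ACL rules and profile names below are constructed.

```python
"""Model of crypto-map packet selection (added example; behaviour assumed, see lead-in)."""
import ipaddress


def build_acl(rules):
    """rules: list of (action, src_cidr, dst_cidr), evaluated in order, implicit deny at the end."""
    parsed = [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
              for action, src, dst in rules]

    def matches(src_ip, dst_ip):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for action, src_net, dst_net in parsed:
            if s in src_net and d in dst_net:
                return action == "permit"   # first matching rule decides
        return False                        # implicit deny
    return matches


class CryptoMap:
    """Entries keyed by sequence number; each holds the profile and the ACL matcher."""

    def __init__(self, name):
        self.name, self.entries = name, {}

    def add(self, seq, profile, acl):
        # 'crypto map NAME SEQ' followed by 'set profile PROFILE' and 'match address ACL'
        if not 1 <= seq <= 65535:
            raise ValueError(f"sequence {seq} outside 1-65535")
        self.entries[seq] = (profile, acl)

    def select(self, src_ip, dst_ip):
        """Return (seq, profile) of the first permitting entry, or None for cleartext."""
        for seq in sorted(self.entries):
            profile, acl = self.entries[seq]
            if acl(src_ip, dst_ip):
                return seq, profile
        return None


# Constructed sample: site 10.1.0.0/24 talks to site 10.3.0.0/24 through one profile
# and to the rest of 10.0.0.0/8 through another; local traffic is explicitly denied
# first so it is never tunnelled.
CMAP = CryptoMap("cmap-1-3")
CMAP.add(10, "ipsec-transport-profile",
         build_acl([("permit", "10.1.0.0/24", "10.3.0.0/24")]))
CMAP.add(20, "ipsec-tunnel-profile",
         build_acl([("deny", "10.1.0.0/24", "10.1.0.0/24"),
                    ("permit", "10.1.0.0/24", "10.0.0.0/8")]))
```

`CMAP.select("10.1.0.5", "10.3.0.9")` picks sequence 10, `CMAP.select("10.1.0.5", "10.2.0.9")` falls through to sequence 20, and traffic that stays inside 10.1.0.0/24 or leaves for a public address returns `None`, meaning it would be forwarded in the clear. Checking the last case is the useful part when reviewing a crypto map: anything the ACLs do not cover is not protected.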