IPSec

Transform set

Define authentication and encryption algorithms

crypto ipsec transform-set IPSECTS ah hmac HMAC_ALG

Use AH mode

crypto ipsec transform-set IPSECTS esp {hmac HMAC_ALG | cipher CIPHER_ALG}

Use ESP mode. The HMAC algorithm is not needed, and is ignored, when a GCM cipher algorithm is used (GCM authenticates the data itself).

mode transport

In transport mode, the original IP header is kept unchanged; only the AH or ESP header is added.

Profile

Store encryption/decryption keys.

There are two ways of establishing SAs for IPSec: static pre-defined keys or IKEv2 profiles. Choose only one of them; using both leads to inconsistency.

[no] crypto ipsec profile IPSECPROFILE

Create a new profile IPSECPROFILE.

[no] set transform-set IPSECTS

Note

An IPSec profile without a transform set is useless.

[no] set ikev2 profile IKEPROFILE

Set the profile's IKEv2 profile, which is used to establish the IKEv2 session and the SAs.

Note

An IKEv2 profile should be exclusive to one IPSec profile, and an IPSec profile that uses an IKEv2 profile must be bound to a tunnel and cannot be used on two tunnels. So each tunnel needs its own IKEv2 profile and its own IPSec profile.

set security-association lifetime second (120-28800)

When using IKEv2, set the SA rekeying criterion to time (in seconds).

Note

IPSec SAs are installed when the IPSec profile protects a tunnel.

Example: Setup an IPSec profile using IKEv2 and PSK

soodar1(config)# crypto ikev2 proposal PROPOSAL
soodar1(config-ikev2-proposal)# integrity sha-96
soodar1(config-ikev2-proposal)# encryption des
soodar1(config-ikev2-proposal)# group 28
soodar1(config-ikev2-proposal)# crypto ikev2 keyring KEY-1
soodar1(config-ikev2-keyring)# peer PC-1
soodar1(config-ikev2-keyring-peer)# address 200.1.2.1
soodar1(config-ikev2-keyring-peer)# identity email pc1@local.net
soodar1(config-ikev2-keyring-peer)# pre-shared-key PSKPASS
soodar1(config-ikev2-keyring-peer)# crypto ikev2 profile profile-ike
soodar1(config-ikev2-profile)# identity local address 9.9.9.9
soodar1(config-ikev2-profile)# match identity remote email pc1@local.net
soodar1(config-ikev2-profile)# keyring local KEY-1
soodar1(config-ikev2-profile)# proposal PROPOSAL
soodar1(config)# crypto ipsec profile ipsec-transport-profile
soodar1(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar1(ipsec-profile)#  set ikev2 profile profile-ike

and in the other router:

soodar2(config)# crypto ikev2 proposal PROPOSAL
soodar2(config-ikev2-proposal)# integrity sha-96
soodar2(config-ikev2-proposal)# encryption des
soodar2(config-ikev2-proposal)# group 28
soodar2(config-ikev2-proposal)# crypto ikev2 keyring KEY-1
soodar2(config-ikev2-keyring)# peer PC-2
soodar2(config-ikev2-keyring-peer)# identity address 9.9.9.9
soodar2(config-ikev2-keyring-peer)# pre-shared-key PSKPASS
soodar2(config-ikev2-keyring-peer)# crypto ikev2 profile profile-ike
soodar2(config-ikev2-profile)# identity local email pc1@local.net
soodar2(config-ikev2-profile)# match identity remote address 9.9.9.9
soodar2(config-ikev2-profile)# keyring local KEY-1
soodar2(config-ikev2-profile)# proposal PROPOSAL
soodar2(config)# crypto ipsec profile ipsec-transport-profile
soodar2(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar2(ipsec-profile)#  set ikev2 profile profile-ike

Example: Setup an IPSec profile using IKEv2 and RSA-Sig

We have two routers, soodar1 and soodar2, each with a valid CA and a signed certificate for authentication. soodar1's certificate has n1.local.net as SAN and soodar2's certificate has n2.local.net as SAN:

soodar1(config)# crypto ikev2 proposal PROPOSAL
soodar1(config-ikev2-proposal)# integrity sha-384
soodar1(config-ikev2-proposal)# encryption aes
soodar1(config-ikev2-proposal)# group 28
soodar1(config)# crypto ikev2 profile profile-ike
soodar1(config-ikev2-profile)# identity local fqdn n1.local.net
soodar1(config-ikev2-profile)# lifetime 2400
soodar1(config-ikev2-profile)# match identity remote fqdn n2.local.net
soodar1(config-ikev2-profile)# authentication local rsa-sig
soodar1(config-ikev2-profile)# authentication remote rsa-sig
soodar1(config-ikev2-profile)# proposal PROPOSAL
soodar1(config)# crypto ipsec profile ipsec-transport-profile
soodar1(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar1(ipsec-profile)#  set ikev2 profile profile-ike

and in the other router:

soodar2(config)# crypto ikev2 proposal PROPOSAL
soodar2(config-ikev2-proposal)# integrity sha-384
soodar2(config-ikev2-proposal)# encryption aes
soodar2(config-ikev2-proposal)# group 28
soodar2(config)# crypto ikev2 profile profile-ike
soodar2(config-ikev2-profile)# identity local fqdn n2.local.net
soodar2(config-ikev2-profile)# lifetime 2400
soodar2(config-ikev2-profile)# match identity remote fqdn n1.local.net
soodar2(config-ikev2-profile)# authentication local rsa-sig
soodar2(config-ikev2-profile)# authentication remote rsa-sig
soodar2(config-ikev2-profile)# proposal PROPOSAL
soodar2(config)# crypto ipsec profile ipsec-transport-profile
soodar2(ipsec-profile)#  set transform-set ipsec-tunnel-TS
soodar2(ipsec-profile)#  set ikev2 profile profile-ike
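As an added example, not part of this documentation or the router software, the following Python linter parses configuration written in the style of the transcripts above and applies the rules stated in the Profile section: a profile needs a defined transform set, the HMAC is ignored with a GCM cipher, the SA lifetime must lie within 120-28800 seconds, and an IKEv2 profile may serve only one IPSec profile; it also checks that the local identity of each peer is exactly what the other peer matches. The sample configuration, the cipher names and the subset of command grammar it understands are assumptions modelled on the examples above.

```python
def parse(text):
    """Collect transform sets, IPsec profiles and IKEv2 profiles from CLI lines."""
    ts, ipsec, ike, cur = {}, {}, {}, {}
    for raw in text.splitlines():
        w = raw.split("# ", 1)[-1].split()  # drop a 'host(mode)# ' prompt if present
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            ts[w[3]] = " ".join(w[4:])                       # e.g. "esp hmac sha256 cipher aes-gcm-256"
        elif w[:1] == ["crypto"] and w[2:3] == ["profile"]:  # crypto {ipsec|ikev2} profile NAME
            cur = (ipsec if w[1] == "ipsec" else ike).setdefault(w[3], {})
        elif w[:1] == ["set"]:  # set transform-set X | set ikev2 profile X | set security-association lifetime second N
            cur[w[1]] = w[-1]
        elif w[:2] == ["identity", "local"] or w[:3] == ["match", "identity", "remote"]:
            cur[w[1] if w[0] == "identity" else w[2]] = tuple(w[-2:])  # ("fqdn", "n1.local.net")
    return ts, ipsec, ike

def lint(ts, ipsec):
    """Apply the consistency rules stated in the Profile section above."""
    out, users = [], {}
    for name, spec in ts.items():
        if "gcm" in spec and "hmac" in spec:
            out.append(f"transform-set {name}: hmac is ignored with a GCM cipher")
    for name, p in ipsec.items():
        if p.get("transform-set") not in ts:
            out.append(f"ipsec profile {name}: no defined transform-set, profile is useless")
        if not 120 <= int(p.get("security-association", 120)) <= 28800:
            out.append(f"ipsec profile {name}: SA lifetime must be within 120-28800 seconds")
        users.setdefault(p.get("ikev2"), []).append(name)
    for ikename, owners in users.items():
        if ikename and len(owners) > 1:
            out.append(f"ikev2 profile {ikename} is shared by {sorted(owners)}; it must be exclusive")
    return out

def peers_match(ike_a, ike_b):
    """True when each side's local identity is exactly what the other side matches."""
    return ike_a.get("local") == ike_b.get("remote") and ike_b.get("local") == ike_a.get("remote")

# Constructed sample modelled on the RSA-Sig example above; cipher names are assumed.
SOODAR1 = """soodar1(config)# crypto ipsec transform-set ipsec-tunnel-TS esp hmac sha256 cipher aes-gcm-256
soodar1(config)# crypto ikev2 profile profile-ike
soodar1(config-ikev2-profile)# identity local fqdn n1.local.net
soodar1(config-ikev2-profile)# match identity remote fqdn n2.local.net
soodar1(config)# crypto ipsec profile ipsec-transport-profile
soodar1(ipsec-profile)# set transform-set ipsec-tunnel-TS
soodar1(ipsec-profile)# set ikev2 profile profile-ike
soodar1(ipsec-profile)# set security-association lifetime second 60
soodar1(config)# crypto ipsec profile second-profile
soodar1(ipsec-profile)# set ikev2 profile profile-ike"""
SOODAR2 = """crypto ikev2 profile profile-ike
identity local fqdn n2.local.net
match identity remote fqdn n1.local.net"""
```

Running lint on SOODAR1 reports four findings (the ignored HMAC, the out-of-range lifetime, the transform-set-less second profile, and the shared IKEv2 profile), while peers_match confirms that the identities of the two sample routers line up.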

Logging

Debugging logs can be enabled when needed.

[no] debug ipsec event

Log data plane installation processes and their results.

[no] debug ipsec vici json

Log all incoming VICI messages as JSON.

[no] debug ipsec vici detail

Log all incoming VICI messages as JSON and in raw form.