IPSec
Transform set
Define authentication and encryption algorithms
- crypto ipsec transform-set IPSECTS ah hmac HMAC_ALG
Use AH mode
- crypto ipsec transfor-set IPSECTS esp {hmac HMAC_ALG |cipher CIPHER_ALG}
Use ESP mode. HMAC algorithm is not needed/ignored when using GCM cipher algorithms.
- mode transport
In transport mode, the Original IP header is not changed. Only AH or ESP header is added.
- mode tunnel
A new IP header is added in tunnel mode in front of the original IP header.
Example :
soodar(config)# crypto ipsec transform-set ipsec-tunnel-TS esp hmac sha-96 cipher aes-192 soodar(cfg-crypto-trans)# mode transport
Profile
Store encryption/decryption keys.
There are two ways of establishing SAs for IPSec: using static pre-defined keys and IKEv2 profiles. One should choose just one method, and using 2 methods yields inconsistency.
- crypto ipsec profile IPSECPROFILE
Create a new profile IPSECPROFILE.
- set transform-set IPSECTS
Note
An IPSec profile without Transform set is useless.
- set ikev2 profile IKEPROFILE
Set profile’s IKEv2 profile to establish an IKEv2 session and SAs.
Note
An IKEv2 profile should be exclusive to one profile. And a profile using an IKEv2 profile should be bound to a tunnel and can’t be used on two tunnels. So for each tunnel, we need an IKEv2 profile and an IPSec profile.
- set security-association lifetime second (120-28800)
When using IKEv2, set SA rekeying criterion as time.
Note
IPSec SAs are installed when the IPSec profile protects a tunnel.
Example: Setup an IPSec profile using IKEv2 and PSK
soodar1(config)# crypto ikev2 proposal PROPOSAL
soodar1(config-ikev2-proposal)# integrity sha-96
soodar1(config-ikev2-proposal)# encryption des
soodar1(config-ikev2-proposal)# group 28
soodar1(config-ikev2-proposal)# crypto ikev2 keyring KEY-1
soodar1(config-ikev2-keyring)# peer PC-1
soodar1(config-ikev2-keyring-peer)# address 200.1.2.1
soodar1(config-ikev2-keyring-peer)# idnetity email pc1@local.net
soodar1(config-ikev2-keyring-peer)# pre-shared-key PSKPASS
soodar1(config-ikev2-keyring-peer)# crypto ikev2 profile profile-ike
soodar1(config-ikev2-profile)# identity local address 9.9.9.9
soodar1(config-ikev2-profile)# match identity remote email pc1@local.net
soodar1(config-ikev2-profile)# keyring local KEY-1
soodar1(config-ikev2-profile)# proposal PROPOSAL
soodar1(config)# crypto ipsec profile ipsec-transport-profile
soodar1(ipsec-profile)# set transform-set ipsec-tunnel-TS
soodar1(ipsec-profile)# set ikev2 profile profile-ike
and in the other router:
soodar2(config)# crypto ikev2 proposal PROPOSAL
soodar2(config-ikev2-proposal)# integrity sha-96
soodar2(config-ikev2-proposal)# encryption des
soodar2(config-ikev2-proposal)# group 28
soodar2(config-ikev2-proposal)# crypto ikev2 keyring KEY-1
soodar2(config-ikev2-keyring)# peer PC-2
soodar2(config-ikev2-keyring-peer)# idnetity address 9.9.9.9
soodar2(config-ikev2-keyring-peer)# pre-shared-key PSKPASS
soodar2(config-ikev2-keyring-peer)# crypto ikev2 profile profile-ike
soodar2(config-ikev2-profile)# identity local email pc1@local.net
soodar2(config-ikev2-profile)# match identity remote address 9.9.9.9
soodar2(config-ikev2-profile)# keyring local KEY-1
soodar2(config-ikev2-profile)# proposal PROPOSAL
soodar2(config)# crypto ipsec profile ipsec-transport-profile
soodar2(ipsec-profile)# set transform-set ipsec-tunnel-TS
soodar2(ipsec-profile)# set ikev2 profile profile-ike
Example: Setup an IPSec profile using IKEv2 and RSA-Sig
We have 2 routers, soodar1 and soodar2. We have a valid CA and a signed certificate for authentication on each of them.
soodar1’s certificate has n1.local.net as SAN, `` and ``soodar2’s certificate has n2.local.net as SAN:
soodar1(config)# crypto ikev2 proposal PROPOSAL
soodar1(config-ikev2-proposal)# integrity sha-384
soodar1(config-ikev2-proposal)# encryption aes
soodar1(config-ikev2-proposal)# group 28
soodar1(config)# crypto ikev2 profile profile-ike
soodar1(config-ikev2-profile)# identity local fqdn n1.local.net
soodar1(config-ikev2-profile)# lifetime 2400
soodar1(config-ikev2-profile)# match identity remote fqdn n2.local.net
soodar1(config-ikev2-profile)# authentication local rsa-sig
soodar1(config-ikev2-profile)# authentication remote rsa-sig
soodar1(config-ikev2-profile)# proposal PROPOSAL
soodar1(config)# crypto ipsec profile ipsec-transport-profile
soodar1(ipsec-profile)# set transform-set ipsec-tunnel-TS
soodar1(ipsec-profile)# set ikev2 profile profile-ike
and in the other router:
soodar2(config)# crypto ikev2 proposal PROPOSAL
soodar2(config-ikev2-proposal)# integrity sha-384
soodar2(config-ikev2-proposal)# encryption aes
soodar2(config-ikev2-proposal)# group 28
soodar2(config)# crypto ikev2 profile profile-ike
soodar2(config-ikev2-profile)# identity local fqdn n2.local.net
soodar2(config-ikev2-profile)# lifetime 2400
soodar2(config-ikev2-profile)# match identity remote fqdn n1.local.net
soodar2(config-ikev2-profile)# authentication local rsa-sig
soodar2(config-ikev2-profile)# authentication remote rsa-sig
soodar2(config-ikev2-profile)# proposal PROPOSAL
soodar2(config)# crypto ipsec profile ipsec-transport-profile
soodar2(ipsec-profile)# set transform-set ipsec-tunnel-TS
soodar2(ipsec-profile)# set ikev2 profile profile-ike
Troubleshooting
To track ipsec/ikev2 profiles state and their initiation state, users can view logs( for initiation state/errors) and SA details.
Logging
Debugging logs can be set in case of need.
- debug ipsec event
log data plane installation processes and results
- debug ipsec vici json
log all incoming VICI messages as json
- debug ipsec vici detail
log all incoming VICI messages as json and raw
To view IPSec detailed logs, use show log ipsec command to view StrongSwan logs.
Show commands
To view current state of ipsec SAs or IKEv2 SAs the following commands are provided in the router:
- show crypto ikev2 sa [detailed] [json]
Shows installed IKEv2 SAs details
soodar# show crypto ikev2 sa
Profile ike-n1-n2
Status: ESTABLISHED
Local: 200.1.2.1
Remote: 200.1.2.2/500
Encr: AES_CBC-128
Hash: HMAC_SHA2_384_192
DH Grp: ECP_256_BP
Life/Active Time: 240/190 sec
soodar# show crypto ikev2 sa detailed
Profile ike-n1-n2
Status: ESTABLISHED
Local: 200.1.2.1
Remote: 200.1.2.2/500
Encr: AES_CBC-128
Hash: HMAC_SHA2_384_192
DH Grp: ECP_256_BP
Life/Active Time: 240/195 sec
Local ID: n1.local.net
Remote ID: n2.local.net
Local SPI: 8b545f20ca649813
Remote SPI: 8b545f20ca649813
Configured DPD: 10 sec
Rekey in: 33 sec
soodar# show crypto ikev2 sa json
[
{
"name": "ike-n1-n2",
"id": "3",
"state": "ESTABLISHED",
"dpd": 10,
"lifetime": 240,
"local-host": "200.1.2.1",
"local-port": "500",
"local-id": "n1.local.net",
"remote-host": "200.1.2.2",
"remote-port": "500",
"remote-id": "n2.local.net",
"initiator": false,
"initiator-spi": "39afd77a4c51edc0",
"responder-spi": "39afd77a4c51edc0",
"established": "218",
"rekey-time": "21",
"encr-alg": "AES_CBC-128",
"integ-alg": "HMAC_SHA2_384_192",
"prf-alg": "PRF_HMAC_SHA2_384",
"dh-group": "ECP_256_BP",
"child-sas": [
{
"name": "ipsec-n1-n2",
"id": "13",
"state": "INSTALLED",
"mode": "TUNNEL",
"protocol": "ESP",
"spi-in": "ccb6c76d",
"spi-out": "c6ccd9e1",
"encr-alg": "AES_CBC-128",
"integ-alg": "HMAC_SHA2_256_128",
"bytes-in": "0",
"packets-in": "0",
"bytes-out": "0",
"packets-out": "0",
"rekey-time": "32",
"life-time": "45",
"install-time": "21"
}
]
}
]
- show crypto ipsec sa [detailed] [json]
Shows installed IPSec SAs details
soodar# show crypto ipsec sa
Profile ipsec-n1-n2
Status: INSTALLED
IKEv2 Profile: ike-n1-n2
Mode: TUNNEL
Protocol: ESP
Encr: AES_CBC-128
Hash: HMAC_SHA2_256_128
Life/Active Time: 66/32 sec
soodar# show crypto ipsec sa detailed
Profile ipsec-n1-n2
Status: INSTALLED
IKEv2 Profile: ike-n1-n2
Mode: TUNNEL
Protocol: ESP
Encr: AES_CBC-128
Hash: HMAC_SHA2_256_128
Life/Active Time: 66/32 sec
Bytes Decrypted: 0
Packets Decrypted: 0
Bytes Encrypted: 0
Packets Encrypted: 0
Inbound SPI: c322afbc
Outbound SPI: c9211ed0
Rekey in: 25 sec
soodar# show crypto ipsec sa json
[
{
"name": "ike-n1-n2",
"id": "4",
"state": "ESTABLISHED",
"dpd": 10,
"lifetime": 240,
"local-host": "200.1.2.1",
"local-port": "500",
"local-id": "n1.local.net",
"remote-host": "200.1.2.2",
"remote-port": "500",
"remote-id": "n2.local.net",
"initiator": false,
"initiator-spi": "9fc4c36e3ecc04ca",
"responder-spi": "9fc4c36e3ecc04ca",
"established": "133",
"rekey-time": "85",
"encr-alg": "AES_CBC-128",
"integ-alg": "HMAC_SHA2_384_192",
"prf-alg": "PRF_HMAC_SHA2_384",
"dh-group": "ECP_256_BP",
"child-sas": [
{
"name": "ipsec-n1-n2",
"id": "16",
"state": "INSTALLED",
"mode": "TUNNEL",
"protocol": "ESP",
"spi-in": "c93bfde8",
"spi-out": "caaea224",
"encr-alg": "AES_CBC-128",
"integ-alg": "HMAC_SHA2_256_128",
"bytes-in": "0",
"packets-in": "0",
"bytes-out": "0",
"packets-out": "0",
"rekey-time": "48",
"life-time": "56",
"install-time": "10"
}
]
}
]