Use cases

Use case: site to site VPN

In this use case, two sites A and B must be interconnected via a public network. An IPsec VPN is configured between the two security gateways SecGW-A and SecGW-B.

[Figure: ike-site-to-site.svg, site-to-site VPN topology between SecGW-A and SecGW-B]

The IP addresses of the security gateways and of the sites are well known. The peers identify themselves with a Fully Qualified Domain Name (FQDN) and authenticate via a pre-shared key.

vsr running ike# show config nodefault
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..
    vpn siteA-siteB
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        remote-address 198.51.100.1
        local-id secgwa.6wind.net
        remote-id secgwb.6wind.net
        security-policy trunk
            local-ts subnet 192.168.0.0/24
            remote-ts subnet 192.168.99.0/24
            ..
        ..
    pre-shared-key siteb
        id secgwb.6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..

Use case: VPN concentrator

In this use case, remote users must be given access to the local site A via a public network. The traffic must be secured by IPsec VPNs between the users and the security gateway SecGW-A.

[Figure: ike-vpn-aggregator.svg, VPN concentrator topology with remote users reaching site A through SecGW-A]

IKE negotiations are initiated by the remote users. Their public IP addresses are dynamically assigned by their access point. Each user requests the security gateway to assign it a virtual private address. The security gateway picks this VIP from a local pool.

The peers identify themselves with a user Fully Qualified Domain Name (user FQDN) and authenticate via pre-shared keys. Remote hosts use different VPN clients that support different cryptographic algorithms and key lengths.

vsr running ike# show config nodefault
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes256-cbc
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ike-proposal 2
            aead-alg aes128-gcm-128
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        esp-proposal 2
            aead-alg aes128-gcm-128
            ..
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..
    vpn siteA-roadw
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        local-id user1.roadw.6wind.net
        vip-pool user-vips
        security-policy hub
            local-ts subnet 192.168.0.0/24
            ..
        ..
    pre-shared-key user1
        id user1@6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..
    pre-shared-key user2
        id user2@6wind.net
        secret 0s3zpRt+h3g12NSaSKEx2yjY4ctak=
        ..
    pool user-vips
        address 192.168.99.0/24
        subnet 172.16.0.0/12
        subnet fc00:1234::/64
        ..

Use case: route-based VPN concentrator

In this use case, remote users must be given access to the local site A via a public network. The traffic must be secured by IPsec VPNs between the users and the security gateway SecGW-A. Dynamic SVTI interfaces and cross-VRF operation are used.

[Figure: ike-vpn-aggregator-route-based.svg, route-based VPN concentrator topology with dynamic SVTI interfaces]

IKE negotiations are initiated by the remote users. Their public IP addresses are dynamically assigned by their access point. Each user requests the security gateway to assign it a virtual private address. The security gateway picks this VIP from a local pool.

The peers identify themselves with a user Fully Qualified Domain Name (user FQDN) and authenticate via pre-shared keys.

Plaintext traffic is in VRF private, while encrypted traffic is in VRF wan.

vsr running config# show config nodefault / vrf private interface
interface
    physical eth1
        port pci-b0s4
        ipv4
            address 192.168.0.1/24
            ..
        ..
    svti-template svtitemp
        mtu 1300
        ..
    ..

vsr running config# show config nodefault / vrf wan interface
interface
    physical eth2
        port pci-b0s5
        ipv4
            address 192.0.2.1/24
            ..
        ..

vsr running config# show config nodefault / vrf wan ike
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        start-action none
        close-action none
        ..
    vpn siteA-roadw
        dynamic-svti
            svti-template svtitemp
            vrf private
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        local-id concentrator.6wind.net
        vip-pool user-vips
        security-policy hub
            local-ts subnet 192.168.0.0/24
            ..
        ..
    pre-shared-key user1
        id user1@6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..
    pre-shared-key user2
        id user2@6wind.net
        secret 0s3zpRt+h3g12NSaSKEx2yjY4ctak=
        ..
    pool user-vips
        address 192.168.99.0/24
        subnet 172.16.0.0/12
        subnet fc00:1234::/64
        ..

After a few negotiations and teardowns, one dynamic SVTI interface exists per remote user, each with a host route to the user's address and a matching established IKE SA:

dut-vm running config# show state vrf private interface svti
svti dsvtiABJr_bNbVbc
    mtu 1300
    promiscuous false
    description "vpn:siteA-roadw remote-id:user3@6wind.net svti-template:svtitemp"
    enabled true
    svti-id 1
    link-vrf wan
    oper-status UNKNOWN
    counters
        in-octets 0
        in-unicast-pkts 0
        in-discards 0
        in-errors 0
        out-octets 0
        out-unicast-pkts 0
        out-discards 0
        out-errors 0
        ..
    link-interface lo
    ..
svti dsvtiABJsgSSWSNQ
    mtu 1300
    promiscuous false
    description "vpn:siteA-roadw remote-id:user42@6wind.net svti-template:svtitemp"
    enabled true
    svti-id 3
    link-vrf wan
    oper-status UNKNOWN
    counters
        in-octets 0
        in-unicast-pkts 0
        in-discards 0
        in-errors 0
        out-octets 0
        out-unicast-pkts 0
        out-discards 0
        out-errors 0
        ..
    link-interface lo
    ..

dut-vm running config# show state vrf private routing static
static
    ipv4-route 192.168.0.3/32
        next-hop dsvtiABJr_bNbVbc
        ..
    ipv4-route 192.168.0.13/32
        next-hop dsvtiABJsgSSWSNQ
        ..
    (...)

dut-vm running config# show ike ike-sa vrf wan
VPN          Local Address  Local ID                Remote Address  Remote ID         State        IKE Version  Child SA Count
siteA-roadw  192.0.2.1      concentrator.6wind.net  10.125.0.5      user3@6wind.net   established  2            1
siteA-roadw  192.0.2.1      concentrator.6wind.net  10.175.0.7      user42@6wind.net  established  2            1
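The two listings above can be cross-checked against each other: an established IKE SA whose remote ID has no dynamic SVTI means the interface was not created, and an SVTI whose remote ID has no live SA is a leftover from a teardown. The following Python script is an added example, not part of the 6WIND documentation; it parses constructed copies of the listings (with an invented stale interface dsvtiSTALE000000 for remote ID user7@6wind.net) and reports both kinds of mismatch.

```python
import re

# Constructed sample output, copied from the two state listings above; the
# third SVTI (dsvtiSTALE000000, user7) is invented to show a stale interface.
IKE_SA_OUTPUT = """\
VPN         Local Address Local ID   Remote Address Remote ID  State       IKE Version Child SA Count
siteA-roadw 192.0.2.1     concentrator.6wind.net 10.125.0.5 user3@6wind.net  established 2 1
siteA-roadw 192.0.2.1     concentrator.6wind.net 10.175.0.7 user42@6wind.net established 2 1
"""
SVTI_STATE_OUTPUT = """\
svti dsvtiABJr_bNbVbc
    description "vpn:siteA-roadw remote-id:user3@6wind.net svti-template:svtitemp"
    ..
svti dsvtiABJsgSSWSNQ
    description "vpn:siteA-roadw remote-id:user42@6wind.net svti-template:svtitemp"
    ..
svti dsvtiSTALE000000
    description "vpn:siteA-roadw remote-id:user7@6wind.net svti-template:svtitemp"
    ..
"""

def parse_ike_sas(text):
    """Map remote ID -> (vpn, remote address, state) for each IKE SA row."""
    sas = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 8:  # vpn laddr lid raddr rid state version children
            vpn, _laddr, _lid, raddr, rid, state = fields[:6]
            sas[rid] = (vpn, raddr, state)
    return sas

def parse_svtis(text):
    """Map remote ID -> SVTI name, taken from each block's description line."""
    svtis, name = {}, None
    for line in text.splitlines():
        if line.startswith("svti "):  # a top-level line opens a new interface block
            name = line.split()[1]
        m = re.match(r'\s+description "(.*)"', line)
        if m and name:  # description holds "key:value" tokens, e.g. remote-id:...
            kv = dict(tok.split(":", 1) for tok in m.group(1).split())
            svtis[kv["remote-id"]] = name
    return svtis

def reconcile(ike_text, svti_text):
    """Every established SA needs a dynamic SVTI, and every SVTI a live SA."""
    sas, svtis = parse_ike_sas(ike_text), parse_svtis(svti_text)
    live = {rid for rid, (_, _, state) in sas.items() if state == "established"}
    return {"sa_without_svti": sorted(live - set(svtis)),
            "svti_without_sa": sorted(set(svtis) - live)}
```

Run it against the live output of both commands (per VRF, since the SAs live in wan and the SVTIs in private) to spot interfaces that survived a teardown.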

See also

The command reference.