IKE

Internet Key Exchange (IKE) is the control plane protocol providing authentication and key exchange mechanisms to establish secure VPNs over IPsec.

Either pre-shared keys or certificates can be used for authentication.

About IPsec

IPsec (Internet Protocol Security) is a suite of protocols that provides security to Internet communications at the IP layer. The most common current use of IPsec is to provide a Virtual Private Network (VPN), either between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway). More information is available in RFC4301.

About IKE

IKE (Internet Key Exchange) is the key negotiation and management protocol that is most commonly used to provide dynamically negotiated and updated keying material for IPsec. IPsec and IKE can be used in conjunction with both IPv4 and IPv6.

More information is available in RFC 2409 and its latest update, RFC 7296.

The following sections explain the basics of IKE configuration, then present a couple of use cases and finally detail advanced configuration and performance tuning.

IKE configuration overview

Enabling IKE

IKE is enabled per VRF as follows:

vrouter running config# vrf main
vrouter running vrf main# ike
vrouter running ike#

Next, a VPN must be defined to specify the security parameters and policies to apply to the traffic, as well as authentication credentials for the IKE negotiation. To simplify the configuration of VPNs, VPN templates are provided.

VPN templates

The number of parameters for IKE is very high and it would be painful to repeat all of them for each VPN configuration. Therefore a template system is available to ease the configuration:

  • several VPNs can share the same settings by referring to the same template,

  • each parameter present in a template can be overridden by the VPN.

The IKE protocol consists of two phases:

  • The first phase performs mutual authentication of two IKE peers and establishes an IKE Security Association (IKE SA), i.e. a secure communication channel between the two parties.

  • The second phase creates or updates pairs of ESP or AH SAs. Each pair of ESP or AH SAs is called a CHILD SA.

IKE policy templates

IKE policy templates define a model of IKE SA parameters. VPNs inherit their IKE SA parameters from such a template and can then override each of them.

Create an IKE policy template:

vrouter running ike# ike-policy-template iketemp1
vrouter running ike-policy-template iketemp1#

The IKE policy template is initialized with various default values:

vrouter running ike-policy-template iketemp1# show config
ike-policy-template iketemp1
    local-auth-method pre-shared-key
    remote-auth-method pre-shared-key
    keying-tries 1
    unique-sa no
    reauth-time 0s
    rekey-time 4h
    dpd-delay 0s
    aggressive false
    udp-encap false
    ..

One or more IKE cryptographic algorithm proposals may then be defined in the ike-policy-template, or directly in the VPN ike-policy.

Each IKE proposal must contain either:

  • a list of encryption algorithms (enc-alg).

  • a list of authentication algorithms (auth-alg).

  • a list of Diffie-Hellman groups (dh-group) for key exchanges.

  • optionally a list of pseudo-random function algorithms (prf-alg). If no prf-alg is provided, then the authentication algorithms will be used for generating random numbers.

Or:

  • a list of combined mode algorithms (aead-alg), which provide both encryption and authentication.

  • a list of Diffie-Hellman groups (dh-group) for key exchanges.

  • a list of pseudo-random function algorithms (prf-alg) for generating random numbers.

vrouter running ike-policy-template iketemp1# ike-proposal 1
vrouter running ike-proposal 1#! enc-alg aes128-cbc
vrouter running ike-proposal 1#! auth-alg hmac-sha512
vrouter running ike-proposal 1#! dh-group modp2048
vrouter running ike-proposal 1# ..
vrouter running ike-policy-template iketemp1# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ..

As supported by the IKE protocol, the IKE daemon may submit several IKE proposals in a negotiation, and (for IKEv2 only), each proposal may contain several algorithms of the same type (for example several encryption algorithms).

All other parameters of an ike-policy-template have a default value. Each parameter (including ike-proposal) may be overridden by the VPN, for example the authentication method.

IPsec policy templates

IPsec policy templates define a model of CHILD SA parameters. VPNs inherit their IPsec SA parameters from such a template and can then override each of them.

Create an IPsec policy template:

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1#

The IPsec policy template is initialized with various default values:

vrouter running ipsec-policy-template ipsectemp1# show config
ipsec-policy-template ipsectemp1
    start-action trap
    close-action trap
    dpd-action restart
    replay-window 32
    rekey-time 1h
    rekey-bytes 0
    rekey-packets 0
    encap-copy-dscp true
    decap-copy-dscp false
    encap-copy-df true
    ..

One or more ESP and AH cryptographic algorithm proposals may then be defined in the ipsec-policy-template, or directly in the VPN ipsec-policy.

Each ESP proposal must contain either:

  • a list of encryption algorithms (enc-alg).

  • a list of authentication algorithms (auth-alg).

Or:

  • a list of combined mode algorithms (aead-alg), which provide both encryption and authentication.

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1# esp-proposal 1
vrouter running esp-proposal 1#! enc-alg aes128-cbc
vrouter running esp-proposal 1#! auth-alg hmac-sha256
vrouter running esp-proposal 1# ..
vrouter running ipsec-policy-template ipsectemp1# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ..
    ..

Each AH proposal must contain:

  • a list of authentication algorithms (auth-alg).

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1# ah-proposal 1
vrouter running ah-proposal 1#! auth-alg hmac-sha512
vrouter running ah-proposal 1# ..
vrouter running ipsec-policy-template ipsectemp1# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ipsec-policy-template ipsectemp1
        (...)
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..
    ..

Each ESP and AH proposal may optionally activate Perfect Forward Secrecy (PFS) by specifying a list of Diffie-Hellman groups. This triggers an additional Diffie-Hellman exchange to establish the CHILD SA keys. If no dh-group is specified, CHILD SA keys will be derived from former keys.

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1# esp-proposal 1
vrouter running esp-proposal 1# dh-group modp2048
vrouter running esp-proposal 1# ..
vrouter running ipsec-policy-template ipsectemp1# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ipsec-policy-template ipsectemp1
        (...)
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            dh-group modp2048
            ..
        ..
    ..

A proposal may also optionally enable Extended Sequence Numbers (ESN) (see Extended Sequence Number (ESN)).

As supported by the IKE protocol, the IKE daemon may submit several ESP or AH proposals in a negotiation, and (for IKEv2 only), each proposal may contain several algorithms of the same type (for example several encryption algorithms).

All other parameters of an ipsec-policy-template have a default value. Each parameter (including esp-proposal and ah-proposal) may be overridden by the VPN, for example the replay window size.

An important parameter is start-action, which defaults to trap, meaning that the tunnel will be triggered as soon as outgoing matching traffic is detected.

See also

The command reference for details about template parameters.

To display the configuration, from the ike context, type:

vrouter running ike# show config
ike
    (...)
    ike-policy-template iketemp1
        local-auth-method pre-shared-key
        remote-auth-method pre-shared-key
        keying-tries 1
        reauth-time 0s
        rekey-time 4h
        dpd-delay 0s
        aggressive false
        udp-encap false
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            dh-group modp2048
            auth-alg hmac-sha512
            ..
        ..
    ipsec-policy-template ipsectemp1
        start-action trap
        close-action trap
        dpd-action restart
        replay-window 32
        rekey-time 1h
        rekey-bytes 0
        rekey-packets 0
        encap-copy-dscp true
        decap-copy-dscp false
        encap-copy-df true
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..

After VPN templates have been created, you may use them in one or several VPNs.

Creating a VPN

A VPN defines the security parameters between the local host and a remote IKE peer (or a group of IKE peers), and the IPsec security policies to apply to the IP traffic that transits through these peers.

Creating a VPN basically consists of:

  • specifying which IKE and IPsec templates to apply,

  • optionally overriding some parameters of these templates,

  • defining the identities of the peers and their credentials,

  • specifying the IPsec security policies to apply.

Create the VPN vpn-hq, using the ike-policy-template iketemp1 with the keying-tries parameter overridden, and the ipsec-policy-template ipsectemp1:

vrouter running ike# vpn vpn-hq
vrouter running vpn vpn-hq#! ike-policy
vrouter running ike-policy#! template iketemp1
vrouter running ike-policy#! keying-tries 10
vrouter running ike-policy#! ..
vrouter running vpn vpn-hq#! ipsec-policy
vrouter running ipsec-policy#! template ipsectemp1
vrouter running ipsec-policy#! ..
vrouter running vpn vpn-hq#! local-address 192.0.2.1
vrouter running vpn vpn-hq#! remote-address 198.51.100.1
vrouter running vpn vpn-hq#! local-id user1.roadw.6wind.net
vrouter running vpn vpn-hq#! remote-id secgw.6wind.net

Then define an IPsec security-policy trunk between subnets 192.168.0.0/24 and 192.168.99.0/24, with the default action (do ESP in tunnel mode).

vrouter running vpn vpn-hq#! security-policy trunk
vrouter running security-policy trunk#! local-ts subnet 192.168.0.0/24
vrouter running security-policy trunk#! remote-ts subnet 192.168.99.0/24
vrouter running security-policy trunk#! ..
vrouter running vpn vpn-hq#! ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ..
    vpn vpn-hq
        ike-policy
            template iketemp1
            keying-tries 10
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        remote-address 198.51.100.1
        local-id user1.roadw.6wind.net
        remote-id secgw.6wind.net
        security-policy trunk
            local-ts subnet 192.168.0.0/24
            remote-ts subnet 192.168.99.0/24
            ..
        ..
    ..

Finally, define a pre-shared key hq-secgw for mutual authentication with the remote peer:

vrouter running ike# pre-shared-key hq-secgw
vrouter running pre-shared-key hq-secgw#! id 198.51.100.1
vrouter running pre-shared-key hq-secgw#! secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
vrouter running pre-shared-key hq-secgw# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    pre-shared-key hq-secgw
        id 198.51.100.1
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..
    global-options
        dos-protection
            ..
        sp-hash-ipv4
        sp-hash-ipv6
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ..
    vpn vpn-hq
        ike-policy
            template iketemp1
            keying-tries 10
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        remote-address 198.51.100.1
        local-id user1.roadw.6wind.net
        remote-id secgw.6wind.net
        security-policy trunk
            local-ts subnet 192.168.0.0/24
            remote-ts subnet 192.168.99.0/24
            ..
        ..
    ..
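
The template inheritance and proposal rules of this section can be checked mechanically. The following Python code is an added example, not 6WIND code: it parses show config nodefault output, overlays each VPN's ike-policy and ipsec-policy on the template it references, and reports proposals that use an algorithm from a local denylist, as well as ESP or AH proposals without a dh-group (no PFS). The sample configuration, the DISALLOWED set and the merge of proposals by name are assumptions.

```python
# Sample local policy (assumption): algorithm names this site refuses.
DISALLOWED = {"hmac-sha1"}

# Constructed input in the `show config nodefault` layout used on this page.
SAMPLE = """\
ike
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ..
    vpn vpn-hq
        ike-policy
            template iketemp1
            keying-tries 10
            ..
        ipsec-policy
            template ipsectemp1
            ..
        ..
    vpn vpn-branch
        ike-policy
            template iketemp1
            ike-proposal 1
                enc-alg aes128-cbc
                auth-alg hmac-sha1
                dh-group modp2048
                ..
            ..
        ipsec-policy
            template ipsectemp1
            esp-proposal 1
                enc-alg aes128-cbc
                auth-alg hmac-sha256
                dh-group modp2048
                ..
            ..
        ..
    ..
"""

def parse_config(text):
    """Containers become dicts, leaf parameters become lists of values."""
    lines = [l for l in text.splitlines() if l.strip() not in ("", "(...)")]
    root = {}
    stack = [(-1, root)]  # (indent, node) of the currently open containers
    for i, line in enumerate(lines):
        indent, item = len(line) - len(line.lstrip()), line.strip()
        while stack[-1][0] >= indent:  # leave containers that have ended
            stack.pop()
        if item == "..":
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if len(nxt) - len(nxt.lstrip()) > indent:  # deeper next line: container
            stack.append((indent, stack[-1][1].setdefault(item, {})))
        else:
            key, _, value = item.partition(" ")
            stack[-1][1].setdefault(key, []).append(value)
    return root

def effective(ike, vpn, kind):
    """Template parameters overlaid by the VPN's own values (assumed merge by name)."""
    policy = vpn.get(f"{kind}-policy", {})
    merged = {}
    for name in policy.get("template", []):
        merged.update(ike.get(f"{kind}-policy-template {name}", {}))
    merged.update({k: v for k, v in policy.items() if k != "template"})
    return merged

def audit(text):
    """Return (vpn, finding) pairs for every VPN's effective policy."""
    ike = parse_config(text).get("ike", {})
    findings = []
    for name, vpn in ike.items():
        if not (name.startswith("vpn ") and isinstance(vpn, dict)):
            continue
        for kind in ("ike", "ipsec"):
            for pname, prop in effective(ike, vpn, kind).items():
                if not isinstance(prop, dict):
                    continue  # plain parameter, not a proposal
                algs = {a for v in prop.values() if isinstance(v, list) for a in v}
                for bad in sorted(algs & DISALLOWED):
                    findings.append((name[4:], f"{pname}: disallowed algorithm {bad}"))
                # Per the page: without dh-group, CHILD SA keys derive from former keys.
                if kind == "ipsec" and "dh-group" not in prop:
                    findings.append((name[4:], f"{pname}: no dh-group, so no PFS"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```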

IKE authentication

Configuring IKE authentication consists in:

  • choosing the local and remote authentication methods (pre-shared keys, certificate signatures or an EAP method),

  • specifying the local (and optionally remote) authentication identity,

  • configuring keys, certificates or contact information of a RADIUS server.

The authentication methods of the local and remote IKE peer may be asymmetric: for example, the local host may authenticate by certificate and the remote peer by EAP.

The methods used to authenticate the local and remote peer are specified in the ike-policy-template and may be overridden in the VPN ike-policy:

vrouter running ike# vpn vpn-hq
vrouter running vpn vpn-hq# ike-policy
vrouter running ike-policy# local-auth-method certificate
vrouter running ike-policy# remote-auth-method eap-mschapv2
vrouter running ike-policy# ..
vrouter running vpn vpn-hq#

If unspecified, the default authentication method is pre-shared-key.

The local IKE identity is defined in the VPN:

vrouter running vpn vpn-hq# local-id server@6wind.com

If unspecified, the local IKE identity defaults to:

  • the peer IP address for pre-shared key

  • the certificate subject for certificate authentication

When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName.

Optionally, the remote IKE identity may be specified. It indicates which identity to expect for the authentication round. It is also used to choose the right pre-shared key when initiating a negotiation.

If EAP authentication is used, the local or remote EAP identity is defined by a different command:

vrouter running vpn vpn-to-hq# local-eap-id client1@6wind.com

If unspecified, the EAP identity defaults to the IKE identity.

If the remote EAP identity is set to %any, the client will be asked for its EAP identity via the EAP-Identity method.

vrouter running vpn vpn-hq# remote-eap-id %any

Pre-shared key authentication

Pre-shared keys are secret symmetric keys shared by two IKE peers. They are configured in the pre-shared-key list.

When using pre-shared key authentication for the local host or remote peer authentication, the shared key must be declared as follows:

vrouter running ike# pre-shared-key hq-secgw
vrouter running pre-shared-key hq-secgw#! id 198.51.100.1
vrouter running pre-shared-key hq-secgw#! secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
vrouter running pre-shared-key hq-secgw# ..
vrouter running ike#
vrouter running ike# show config
ike
    (...)
    pre-shared-key hq-secgw
        id secgw.6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..

Each pre-shared key has a name and is composed of two parts, a key and optional IKE identifier selectors (a list of IKE identifiers).

The secret key itself, secret, may be encoded either:

  • as a sequence of characters delimited by double-quotes:

secret "this is a weak password"

  • as a hexadecimal binary value, prefixed by 0x:

secret 0xd2c79a277d517f31cd46f5121f4a14620ef39d35b4

  • as a base64 binary value, prefixed by 0s:

secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=

The IKE identifier selectors (id) specify for which peers this key must be used. To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is used.

An entry with a single selector matches if the peer ID matches the selector. An entry with multiple selectors matches if both the local host ID and peer ID each match one of the selectors. An entry with no ID matches all peers; it is the default pre-shared key.

For more information, see strongSwan’s IKE secrets ID selectors.
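
The encoding and selection rules above, as an added Python example (not part of the original documentation or of strongSwan): decode_secret handles the three secret encodings and select_psk applies the most-specific-match rule. It assumes exact string comparison of identities; wildcard and ID-type matching are not modelled, and the entry list is constructed from values shown on this page.

```python
import base64


def decode_secret(value):
    """Return the raw key bytes for the encodings accepted by `secret`."""
    if value.startswith("0x"):            # hexadecimal binary value
        return bytes.fromhex(value[2:])
    if value.startswith("0s"):            # base64 binary value
        return base64.b64decode(value[2:], validate=True)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].encode()       # quoted sequence of characters
    return value.encode()                 # bare word


def match_level(ids, local_id, peer_id):
    """Specificity of an entry for this pair of IDs, or None if it does not match."""
    if not ids:
        return 0                          # no selector: default key for all peers
    if len(ids) == 1:
        return 1 if peer_id == ids[0] else None
    return 2 if local_id in ids and peer_id in ids else None


def select_psk(entries, local_id, peer_id):
    """Pick the entry that most specifically matches; first one wins on a tie."""
    best, best_level = None, -1
    for entry in entries:
        level = match_level(entry["ids"], local_id, peer_id)
        if level is not None and level > best_level:
            best, best_level = entry, level
    return best


def describe(entry):
    """Summarise how a secret is encoded and how many bytes it decodes to."""
    key = decode_secret(entry["secret"])
    # A quoted passphrase has far less entropy than its byte length suggests.
    kind = "passphrase" if entry["secret"].startswith('"') else "binary"
    return f'{entry["name"]}: {kind}, {len(key)} bytes'


# Constructed entry list reusing names, IDs and secrets shown on this page.
ENTRIES = [
    {"name": "default", "ids": [], "secret": '"this is a weak password"'},
    {"name": "hq-secgw", "ids": ["198.51.100.1"],
     "secret": "0seaJ31RfzHNRvUSH0oUYg7znTW0I="},
    {"name": "psk-hq", "ids": ["10.125.0.2", "10.125.0.1"],
     "secret": '"This is a strong password"'},
]

if __name__ == "__main__":
    for local, peer in [("192.0.2.1", "198.51.100.1"),
                        ("10.125.0.1", "10.125.0.2"),
                        ("192.0.2.1", "10.125.0.2")]:
        print(local, "->", peer, ":", describe(select_psk(ENTRIES, local, peer)))
```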

To authenticate the local host by pre-shared keys, the local-auth-method must be set to pre-shared-key in the ike-policy-template used by the VPN, or overridden in the VPN ike-policy.

vrouter running ike# ike-policy-template ikepsk local-auth-method pre-shared-key
vrouter running ike# vpn vpn-hq ike-policy template ikepsk

or:

vrouter running ike# vpn vpn-hq ike-policy local-auth-method pre-shared-key

Similarly, to authenticate the remote peer by pre-shared keys, the remote-auth-method must be set to pre-shared-key in the ike-policy-template used by the VPN, or overridden in the VPN ike-policy.

Pre-shared key is the default authentication method.

Certificate authentication

Certificate authentication performs authentication via RSA public key cryptography.

Unlike pre-shared keys, certificates do not require the IKE peers to exchange secret keys beforehand. To authenticate remote peers, an IKE endpoint simply needs to trust the certificate authority that issued and signed the remote peers’ certificates.

Certificates make it easy to deploy a large number of IKE clients without maintaining and distributing a large list of secret keys (one for each pair of IKE peers) or weakening the system by using a single secret key shared between all IKE peers. They also avoid having to modify the configuration of each peer when a new one is added.

Each IKE peer owns a digital certificate and a private key. The certificate embeds identity information and the matching public key. The certificate is issued and signed by a certificate authority (CA), whose public key is stored in a CA certificate. The CA certificate makes it possible to validate the authenticity of all certificates that the CA issued.

As with bank cards, CAs may also revoke a valid certificate before its expiration, for example in case of disclosure of the public key or the departure of an employee. To do so, the CA may issue a signed certificate revocation list (CRL) that lists revoked certificates.

Certificates, private keys and certificate revocation lists are stored in the Privacy Enhanced Mail (PEM) format in the configuration.

Local host authentication by certificate

The local host certificate and private key must be installed in the certificate list:

vrouter running ike# certificate secgw-a
vrouter running certificate secgw-a#! certificate "-----BEGIN CERTIFICATE-----
... (...)
... -----END CERTIFICATE-----"
vrouter running certificate secgw-a#! private-key "-----BEGIN PRIVATE KEY-----
... (...)
... -----END PRIVATE KEY-----"
vrouter running certificate secgw-a# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    certificate secgw-a
        certificate (...)
        private-key (...)
        ..

Then the local-auth-method must be set to certificate in the ike-policy-template used by the VPN (or overridden in the VPN ike-policy).

Finally, the list of certificate candidates to use for authentication is specified in the VPN certificate command. The certificate used for authentication is selected based on the received certificate request payloads. If no appropriate CA can be located, the first certificate is used.

The IKE id used by the local host must be stored in its certificate, in the subjectName or in the subjectAltNames section.

vrouter running ike# vpn siteA-roadw
vrouter running vpn siteA-roadw#! ike-policy
vrouter running ike-policy#! template iketemp1
vrouter running ike-policy#! local-auth-method certificate
vrouter running ike-policy#! ..
vrouter running vpn siteA-roadw#! ipsec-policy template ipsectemp1
vrouter running vpn siteA-roadw# certificate secgw-a
vrouter running vpn siteA-roadw# ..
vrouter running ike#
vrouter running ike# show config
ike
    (...)
    vpn siteA-roadw
        ike-policy
            template iketemp1
            local-auth-method certificate
            ..
        ipsec-policy
            template ipsectemp1
            ..
        certificate secgw-a
        ..
    ..

Remote peer authentication by certificate

The certificate authority that issued the certificates that remote peers will present must be declared in the certificate-authority list:

vrouter running ike# certificate-authority hq-authority
vrouter running certificate-authority hq-authority# certificate "-----BEGIN CERTIFICATE-----
... (...)
... -----END CERTIFICATE-----"
vrouter running certificate-authority hq-authority# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    certificate-authority hq-authority
        certificate (...)
        ..
vrouter running ike#

Then, to authenticate the remote peer by certificates, the remote-auth-method must be set to certificate in the ike-policy-template used by the VPN (or overridden in the VPN ike-policy).

Finally, the CA certificates to trust for the authentication of the remote peer must be specified in the VPN remote-ca-certificate list.

The IKE id used by the remote peer must be stored in its certificate, in the subjectName or in the subjectAltNames section.

vrouter running ike# vpn siteA-roadw
vrouter running vpn siteA-roadw#! ike-policy
vrouter running ike-policy#! template iketemp1
vrouter running ike-policy#! remote-auth-method certificate
vrouter running ike-policy#! ..
vrouter running vpn siteA-roadw#! ipsec-policy template ipsectemp1
vrouter running vpn siteA-roadw# remote-ca-certificate hq-authority
vrouter running vpn siteA-roadw# ..
vrouter running ike#
vrouter running ike# show config
ike
    (...)
    vpn siteA-roadw
        ike-policy
            template iketemp1
            remote-auth-method certificate
            ..
        ipsec-policy
            template ipsectemp1
            ..
        remote-ca-certificate hq-authority
        ..
    ..

Manage revocation of remote peer certificates

Using certificates usually requires handling certificate revocation.

To manually add a CRL, in PEM format:

vrouter running ike# certificate-authority hq-authority
vrouter running certificate-authority hq-authority# crl "-----BEGIN X509 CRL-----
... (...)
... -----END X509 CRL-----"
vrouter running certificate-authority hq-authority# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    certificate-authority hq-authority
        certificate (...)
        crl (...)
        ..
    ..

To add a CRL distribution point, specify the ldap or http URI. CRLs must be encoded in Distinguished Encoding Rules (DER) binary format on the distribution server.

vrouter running ike# certificate-authority hq-authority
vrouter running certificate-authority hq-authority# crl-uri ldap://hq-authority.6wind.net
vrouter running certificate-authority hq-authority# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    certificate-authority hq-authority
        certificate (...)
        crl (...)
        crl-uri ldap://hq-authority.6wind.net
        ..
    ..

EAP authentication

EAP is typically used by a VPN concentrator accepting IKE connections, to authenticate remote clients via external methods (legacy methods such as EAP-MD5 or EAP-MSCHAPv2, mobile network methods such as EAP-SIM or EAP-AKA…). The authentication methods are usually asymmetric: the server is authenticated by pre-shared keys or a certificate, and the clients by EAP.

Local and remote peer EAP authentication

Local and remote EAP keys may be stored in a local database. They are similar to pre-shared keys, but are used by EAP authentication methods. They are configured in the eap-key list.

These keys are looked up to authenticate IKE peers if the local-auth-method or remote-auth-method is set to eap-md5 or eap-mschapv2.

vrouter running ike# eap-key user1key
vrouter running eap-key user1key#! id user1@6wind.com
vrouter running eap-key user1key#! secret EAPpassword1
vrouter running eap-key user1key# ..
vrouter running ike#
vrouter running ike# show config
ike
    (...)
    eap-key user1key
        id user1@6wind.com
        secret EAPpassword1
        ..

Like pre-shared keys, EAP keys are assigned a name and are composed of two parts, a secret key and optional EAP identity selectors (a list of EAP identities).

The encodings and selection rules are the same as for pre-shared keys, except that the EAP ID is taken into account instead of the IKE ID.

To authenticate the local host by EAP keys, the local-auth-method must be set to the right EAP method, eap-mschapv2 or eap-md5, in the ike-policy-template used by the VPN, or overridden in the VPN ike-policy.

vrouter running ike# ike-policy-template ikepsk local-auth-method eap-mschapv2
vrouter running ike# vpn vpn-hq ike-policy template ikepsk

or:

vrouter running ike# vpn vpn-hq ike-policy local-auth-method eap-mschapv2

Similarly, to authenticate the remote peer by EAP keys, the remote-auth-method must be set to eap-mschapv2 or eap-md5 in the ike-policy-template used by the VPN, or overridden in the VPN ike-policy.

Remote peer authentication by EAP via RADIUS

On the server side, the EAP authentication of remote peers can be delegated to one or more RADIUS servers; the IKE daemon then acts as a simple proxy.

This delegation of EAP authentication to RADIUS servers is configured by selecting eap-radius as the remote authentication method, and by declaring one or more EAP RADIUS servers in the eap-radius list.

Select eap-radius as the remote authentication method in the VPN IKE policy:

router-vm running ike# vpn mytunnel
router-vm running vpn mytunnel#! ike-policy
router-vm running ike-policy#! template basic_policy
router-vm running ike-policy#! remote-auth-method eap-radius
router-vm running ike-policy#! ..
router-vm running vpn mytunnel#! ..
router-vm running ike#!

Configure an EAP RADIUS server. The minimal parameters are the server IP address and an authentication secret.

router-vm running ike# eap-radius
router-vm running eap-radius# server server-tnr
router-vm running server server-tnr#! address 10.200.0.1
router-vm running server server-tnr#! secret testing123
router-vm running server server-tnr# ..
router-vm running eap-radius# ..

Show the EAP RADIUS server configuration:

router-vm running ike# show config eap-radius
eap-radius
    nas-identifier 6WINDvRouter
    auth-port 1812
    sockets 1
    retransmit-tries 4
    retransmit-timeout 2.0
    retransmit-base 1.4
    server server-tnr
        address 10.200.0.1
        secret testing123
        ..
    ..

IKE state

Show the IKE state:

vrouter running config# vrf main
vrouter running vrf main# ike
vrouter running ike# show state
ike
    enabled true
    pre-shared-key psk-hq
        id 10.125.0.2
        id 10.125.0.1
        secret "This is a strong password"
        ..
    logging
        daemon
            default 0
            ..
        authpriv
            default disable
            ..
        ..
    global-options
        dos-protection
            cookie-threshold 10
            block-threshold 5
            init-limit-half-open 0
            ..
        threads 16
        acquire-timeout 30
        sa-table-size 1
        sa-table-segments 1
        sp-hash-ipv4 local 32 remote 32
        sp-hash-ipv6 local 128 remote 128
        install-routes false
        routing-table 220
        routing-table-prio 220
        retransmit-tries 5
        retransmit-timeout 4.0
        retransmit-base 1.8
        delete-rekeyed false
        delete-rekeyed-delay 5
        make-before-break false
        snmp false
        mobike-prefer-best-path false
        ..
    ha
        enabled false
        ..
    vpn vpn-hq
        version 2
        local-address 10.125.0.1
        remote-address 10.125.0.2
        security-policy site2site
            local-ts subnet 10.100.0.0/24
            remote-ts subnet 10.200.0.0/24
            action esp
            mode tunnel
            priority 0
            ..
        ike-policy
            ike-proposal 1
                enc-alg aes128-cbc
                auth-alg hmac-sha1
                dh-group modp2048
                ..
            local-auth-method pre-shared-key
            remote-auth-method pre-shared-key
            keying-tries 1
            unique-sa no
            reauth-time 0
            rekey-time 14400
            dpd-delay 0s
            aggressive false
            udp-encap false
            mobike false
            ..
        ipsec-policy
            esp-proposal 1
                enc-alg aes128-cbc
                auth-alg hmac-sha1
                dh-group modp2048
                ..
            start-action trap
            close-action trap
            dpd-action restart
            replay-window 32
            rekey-time 3600
            rekey-bytes 0
            rekey-packets 0
            encap-copy-dscp true
            decap-copy-dscp false
            encap-copy-df true
            ..
        ..
    ike-sas
        total 1
        half-open 0
        ..
    task-processing
        worker-threads
            total 16
            idle 11
            critical 4
            high 0
            medium 1
            low 0
            ..
        task-queues
            critical 0
            high 0
            medium 0
            low 0
            scheduled 3
            ..
        ..
    counters
        ike-rekey-init 0
        ike-rekey-resp 0
        child-rekey 0
        invalid 0
        invalid-spi 0
        ike-init-in-req 0
        ike-init-in-resp 1
        ike-init-out-req 1
        ike-init-out-resp 0
        ike-auth-in-req 0
        ike-auth-in-resp 1
        ike-auth-out-req 1
        ike-auth-out-resp 0
        create-child-in-req 0
        create-child-in-resp 0
        create-child-out-req 0
        create-child-out-resp 0
        info-in-req 0
        info-in-resp 0
        info-out-req 0
        info-out-resp 0
        ..
    vpn-counters name vpn-hq
        ike-rekey-init 0
        ike-rekey-resp 0
        child-rekey 0
        invalid 0
        invalid-spi 0
        ike-init-in-req 0
        ike-init-in-resp 1
        ike-init-out-req 1
        ike-init-out-resp 0
        ike-auth-in-req 0
        ike-auth-in-resp 1
        ike-auth-out-req 1
        ike-auth-out-resp 0
        create-child-in-req 0
        create-child-in-resp 0
        create-child-out-req 0
        create-child-out-resp 0
        info-in-req 0
        info-in-resp 0
        info-out-req 0
        info-out-resp 0
        ..
    ike-sa unique-id 1
        name vpn-hq
        version 2
        state established
        local-address 10.125.0.1
        remote-address 10.125.0.2
        local-port 500
        remote-port 500
        initiator-spi 6e6228d1c13daaf1
        responder-spi b2f0a5217f09662a
        enc-alg aes128-cbc
        auth-alg hmac-sha1
        prf-alg hmac-sha1
        dh-group modp2048
        established-time 24
        rekey-time 14170
        reauth-time 45567
        udp-encap false
        mobike false
        child-sa unique-id 2
            name site2site
            state installed
            reqid 1
            protocol esp
            udp-encap false
            mobike false
            spi-in c704d981
            spi-out c3dd14b9
            enc-alg aes128-cbc
            auth-alg hmac-sha1
            esn false
            bytes-in 304
            packets-in 2
            bytes-out 168
            packets-out 2
            installed-time 24
            rekey-time 3425
            life-time 3936
            local-ts
                subnet 10.100.0.0/24
                ..
            remote-ts
                subnet 10.200.0.0/24
                ..
            ..
        ..
    ..

The state dumps:

  • the applied configuration,

  • the number of negotiated IKE SAs (ike-sas),

  • information about the IKE daemon internal tasks (task-processing),

  • global IKEv2 message counters (counters),

  • per VPN IKEv2 message counters (vpn-counters). Note that when the host is responder, some counters remain null because the IKE daemon cannot determine the involved VPN before the authentication is completed (invalid, invalid-spi, ike-init-in-req, ike-init-out-resp…),

  • the negotiated IKE SAs and their child SAs (ike-sa).

Use cases

Use case: site to site VPN

In this use case, two sites A and B must be interconnected via a public network. An IPsec VPN is configured between the two security gateways SecGW-A and SecGW-B.

The IP addresses of the security gateways and of the sites are well known. The peers identify themselves with a Fully Qualified Domain Name (FQDN) and authenticate via a pre-shared key.

vrouter running ike# show config nodefault
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..
    vpn siteA-siteB
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        remote-address 198.51.100.1
        local-id secgwa.6wind.net
        remote-id secgwb.6wind.net
        security-policy trunk
            local-ts subnet 192.168.0.0/24
            remote-ts subnet 192.168.99.0/24
            ..
        ..
    pre-shared-key siteb
        id secgwb.6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..

Use case: VPN concentrator

In this use case, remote users must be given access to the local site A via a public network. The traffic must be secured by IPsec VPNs between the users and the security gateway SecGW-A.

IKE negotiations are initiated by the remote users. Their public IP addresses are dynamically assigned by their access point. Each user requests the security gateway to assign it a virtual private address. The security gateway picks this virtual IP from a local pool.

The peers identify themselves with a user Fully Qualified Domain Name (user FQDN) and authenticate via pre-shared keys. Remote hosts use different VPN clients that support different cryptographic algorithms and key lengths.

vrouter running ike# show config nodefault
ike
    global-options
        ..
    ike-policy-template iketemp1
        ike-proposal 1
            enc-alg aes256-cbc
            enc-alg aes128-cbc
            auth-alg hmac-sha512
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ike-proposal 2
            aead-alg aes128-gcm-128
            prf-alg hmac-sha512
            dh-group modp2048
            ..
        ..
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        esp-proposal 2
            aead-alg aes128-gcm-128
            ..
        ah-proposal 1
            auth-alg hmac-sha512
            ..
        ..
    vpn siteA-roadw
        ike-policy
            template iketemp1
            ..
        ipsec-policy
            template ipsectemp1
            ..
        local-address 192.0.2.1
        local-id user1.roadw.6wind.net
        vip-pool user-vips
        security-policy hub
            local-ts subnet 192.168.0.0/24
            ..
        ..
    pre-shared-key user1
        id user1@6wind.net
        secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
        ..
    pre-shared-key user2
        id user2@6wind.net
        secret 0s3zpRt+h3g12NSaSKEx2yjY4ctak=
        ..
    pool user-vips
        address 192.168.99.0/24
        ..

Advanced configuration, performance and scalability

The IKE control plane is based on the open source strongSwan distribution.

In this section we focus on parameters useful to tune the scalability and performance of IKE.

Logging

The IKE service is liable to issue many log messages. The verbosity of these logs is configurable per subsystem.

Messages issued by the IKE service are classified in 5 levels:

  • 0: very basic auditing logs (e.g. SA up/SA down),

  • 1: generic control flow with errors, a good default to see what's going on,

  • 2: more detailed debugging control flow,

  • 3: including raw data dumps in hex,

  • 4: also including sensitive material in dumps, e.g. keys.

Messages may be issued by the following subsystems:

  • asn1: low-level encoding/decoding (ASN.1, X.509 etc.),

  • child: CHILD_SA/IPsec SA processing,

  • config: configuration management and plugins,

  • daemon: main daemon setup/cleanup/signal handling,

  • encoding: packet encoding/decoding, encryption/decryption operations,

  • ike: IKE_SA/ISAKMP SA processing,

  • ipsec: libipsec library messages,

  • job: jobs queuing/processing and thread pool management,

  • kernel: IPsec/networking kernel interface,

  • manager: IKE_SA manager, handling synchronization for IKE_SA access,

  • network: IKE network communication.

The logs may be sent to syslog facilities daemon and authpriv.

The default configuration for ike logs is the following:

vrouter running ike# show config logging
logging
    daemon
        default 0
        ..
    authpriv
        default disable
        ..
    ..

This configuration means that:

  • messages of level 0 from all subsystems are sent to syslog facility daemon,

  • no message from any subsystem is sent to syslog facility authpriv.

To alter this configuration, use the following command:

vrouter running ike# logging FACILITY SUBSYSTEM LEVEL

Where:

  • FACILITY is the syslog facility (daemon or authpriv),

  • SUBSYSTEM is the subsystem (see IKE log subsystems), or default to specify the default log level for all subsystems,

  • LEVEL is the maximum log level of messages in the specified subsystem (see IKE log levels), or disable to disable all messages.

Example

The following commands modify which log messages are sent to facility authpriv:

  • messages up to level 2 from the ike subsystem are logged to facility authpriv,

  • messages up to level 1 from other subsystems are logged to facility authpriv.

vrouter running ike# logging
vrouter running logging# authpriv
vrouter running authpriv# default 1
vrouter running authpriv# ike 2
vrouter running authpriv# ..
vrouter running logging# ..
vrouter running ike#
vrouter running ike# show config logging
logging
    daemon
        default 0
        ..
    authpriv
        default 1
        ike 2
        ..
    ..

Note

Depending on the configuration, messages may be logged twice, once in facility daemon, and a second time in facility authpriv.

According to the configuration, log messages are sent to the daemon and/or authpriv syslog facilities with the notice severity. The severity is not configurable.
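Because levels 3 and 4 write raw dumps and key material to syslog, it is worth checking the effective level of every subsystem before deploying a logging change. The following is an added example, not code from the product or from strongSwan: it parses text in the layout printed by show config logging, resolves each subsystem's effective level per facility, and reports levels that expose dumps or keys as well as subsystems logged twice. The function names and the sample configuration are constructed for illustration.

```python
"""Audit the IKE 'logging' configuration for levels that expose sensitive data."""

FACILITIES = ("daemon", "authpriv")
SUBSYSTEMS = ("asn1", "child", "config", "daemon", "encoding", "ike",
              "ipsec", "job", "kernel", "manager", "network")
# Defaults stated on the page: daemon logs level 0, authpriv is disabled (None).
DEFAULTS = {"daemon": {"default": 0}, "authpriv": {"default": None}}

# Constructed sample, in the layout printed by 'show config logging'.
SAMPLE = """\
logging
    daemon
        default 0
        ..
    authpriv
        default 1
        ike 2
        encoding 4
        ..
    ..
"""


def parse_logging(text):
    """Return {facility: {subsystem or 'default': level}}, None meaning 'disable'."""
    config = {fac: dict(levels) for fac, levels in DEFAULTS.items()}
    facility = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens == ["logging"]:
            continue
        if tokens == [".."]:
            facility = None                  # closes the current block
        elif facility is None:
            if len(tokens) != 1 or tokens[0] not in FACILITIES:
                raise ValueError(f"unexpected line: {raw!r}")
            facility = tokens[0]
        else:
            if len(tokens) != 2:
                raise ValueError(f"unexpected line: {raw!r}")
            name, value = tokens
            if name != "default" and name not in SUBSYSTEMS:
                raise ValueError(f"unknown subsystem: {name!r}")
            level = None if value == "disable" else int(value)
            if level is not None and not 0 <= level <= 4:
                raise ValueError(f"level out of range: {value!r}")
            config[facility][name] = level
    return config


def effective_levels(config):
    """A subsystem without its own entry inherits the facility's default."""
    return {fac: {sub: config[fac].get(sub, config[fac]["default"])
                  for sub in SUBSYSTEMS}
            for fac in FACILITIES}


def audit(text):
    """List (facility, subsystem, level, exposure) for every level >= 3."""
    levels = effective_levels(parse_logging(text))
    findings = []
    for fac in FACILITIES:
        for sub in SUBSYSTEMS:
            level = levels[fac][sub]
            if level is not None and level >= 3:
                exposure = "key material" if level == 4 else "raw hex dumps"
                findings.append((fac, sub, level, exposure))
    return findings


def logged_twice(text):
    """Map each subsystem sent to both facilities to the highest duplicated level."""
    levels = effective_levels(parse_logging(text))
    return {sub: min(levels["daemon"][sub], levels["authpriv"][sub])
            for sub in SUBSYSTEMS
            if levels["daemon"][sub] is not None
            and levels["authpriv"][sub] is not None}


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("exposure:", finding)
    print("logged twice:", logged_twice(SAMPLE))
```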

Extended Sequence Number (ESN)

As throughput increases, the 32-bit IPsec sequence number may reach its maximum value sooner than expected. The Extended Sequence Number (ESN) option (see RFC 4304) was defined to address this by extending the sequence number to 64 bits.

The use of ESN can be configured in each esp-proposal or ah-proposal in the ipsec-policy-template or vpn ipsec-policy. By default, ESN is disabled.

Require the use of ESN:

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1# esp-proposal 1
vrouter running esp-proposal 1# esn true
vrouter running esp-proposal 1# ..
vrouter running ipsec-policy-template ipsectemp1# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ipsec-policy-template ipsectemp1
        (...)
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            dh-group modp2048
            esn true
            ..
        ..
    ..
vrouter running ike# show config
ike
    (...)
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            aead-alg aes128-gcm-128
            esn true
            ..
        ..
    ..

Refuse the use of ESN (default behavior):

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1# esp-proposal 1
vrouter running esp-proposal 1# esn false
vrouter running esp-proposal 1# ..
vrouter running ipsec-policy-template ipsectemp1# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            esn false
            ..
        ..
    ..

To specify that ESN is not mandatory but should be negotiated, specify both esn true and esn false, in order of preference:

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1# esp-proposal 1
vrouter running esp-proposal 1# esn true
vrouter running esp-proposal 1# esn false
vrouter running esp-proposal 1# ..
vrouter running ipsec-policy-template ipsectemp1# ..
vrouter running ike# show config
ike
    (...)
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            esn true
            esn false
            ..
        ..
    ..

If no esn statement is specified, then ESN is disabled.

Replay window size

There is no guarantee that IPsec packets are received by the security gateway in the same order as they were sent. As throughput increases, out-of-order IPsec packets may be dropped by the IPsec replay protection system if their lateness exceeds the replay window size. The size of the replay window can be increased to avoid this problem.

The replay window size option can be configured in the ipsec-policy-template (or vpn ipsec-policy):

vrouter running ike# ipsec-policy-template ipsectemp1
vrouter running ipsec-policy-template ipsectemp1# replay-window 4096
vrouter running ipsec-policy-template ipsectemp1# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    ipsec-policy-template ipsectemp1
        esp-proposal 1
            enc-alg aes128-cbc
            auth-alg hmac-sha256
            ..
        replay-window 4096
        ..
    ..

replay-window is an integer number of packets, in the range 0 to 4096 packets (default 32, 0 disables replay protection).

Note that the replay window size is a local choice; it does not impact the replay window size chosen by the remote peer.
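The following added example (not code from the product or from strongSwan) models a sliding anti-replay window over a constructed arrival trace, to show how replay-window 32, 4096 and 0 treat a packet that arrives 70 positions late and a packet that is replayed. The class and function names are hypothetical, and the model updates the window directly, whereas a real IPsec stack only does so after the packet's integrity check succeeds.

```python
"""Model of the IPsec anti-replay window for different replay-window sizes."""
from collections import Counter


class ReplayWindow:
    """Sliding window over 32-bit style sequence numbers (no ESN)."""

    def __init__(self, size):
        self.size = size      # replay-window value, in packets
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return 'ok', 'late' or 'replay' and update the window on 'ok'."""
        if self.size == 0:
            return "ok"       # replay-window 0 disables replay protection
        if seq > self.top:
            # Packet advances the window: shift and mark the new top as seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "late"     # older than the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"   # this sequence number was already accepted
        self.bitmap |= 1 << offset
        return "ok"


def constructed_trace():
    """Constructed arrival order for sequence numbers 1..200.

    Packet 50 is delayed and arrives after packet 120 (70 positions late);
    packet 100 is received a second time right after packet 110.
    """
    trace = []
    for seq in range(1, 201):
        if seq == 50:
            continue
        trace.append(seq)
        if seq == 110:
            trace.append(100)     # duplicate of an accepted packet
        if seq == 120:
            trace.append(50)      # the delayed packet finally arrives
    return trace


def tally(trace, size):
    """Count the verdicts a window of the given size returns for the trace."""
    window = ReplayWindow(size)
    counts = Counter(window.check(seq) for seq in trace)
    return {verdict: counts.get(verdict, 0) for verdict in ("ok", "late", "replay")}


if __name__ == "__main__":
    for size in (32, 4096, 0):
        print(f"replay-window {size}: {tally(constructed_trace(), size)}")
```

With the default window of 32 the delayed packet is lost; with 4096 it is accepted while the duplicate is still rejected; with 0 the duplicate is accepted as well.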

Virtual IP pools

IKEv1 and IKEv2 make it possible to assign a virtual IP during an IKE negotiation, i.e. an IKE initiator may request an additional IP address from the responder to use as the inner IPsec tunnel address.

Virtual IPs are exchanged using the mode config extension in IKEv1, or using configuration payloads in IKEv2.

Additional parameters may be assigned during this exchange, such as a DNS server address, a NetBIOS server address or a DHCP server address.

To proceed, the responder maintains one or more pools of virtual IPs:

vrouter running vrf main# ike
vrouter running ike# pool my-pool
vrouter running pool my-pool#! address 192.168.1.1-192.168.2.127
vrouter running pool my-pool# dns 192.168.3.99
vrouter running pool my-pool# nbns 192.168.3.99
vrouter running pool my-pool# dhcp 192.168.3.100
vrouter running pool my-pool# ..
vrouter running ike#

  • address is a list of addresses that can be assigned. Each list item can be a single address, a range of addresses or a subnet (IPv4 or IPv6).

  • dns is an optional list of DNS server addresses (IPv4 or IPv6).

  • nbns is an optional list of NetBIOS server addresses (IPv4 or IPv6).

  • dhcp is an optional list of DHCP server addresses (IPv4 or IPv6).

A VPN can then reference a list of pools in its configuration:

vrouter running ike# vpn vpn-secgw
vrouter running vpn vpn-secgw# vip-pool my-pool
vrouter running vpn vpn-secgw# ..
vrouter running ike#

To include this dynamically assigned address in a security policy, make sure that no remote-ts is configured, or at least that the remote-ts subnet is unset (other fields such as the protocol may still be specified):

vrouter running ike# vpn vpn-secgw
vrouter running vpn vpn-secgw# security-policy dynamic-vip
vrouter running security-policy dynamic-vip# local-ts subnet 10.100.0.64/26
vrouter running security-policy dynamic-vip# remote-ts protocol 6
vrouter running security-policy dynamic-vip# ..
vrouter running vpn vpn-secgw# ..
vrouter running ike#

If an IKE initiator requests a virtual IP, it will be assigned one of the addresses in the vip-pool(s), and the optional attributes (dns, nbns, dhcp).

Retransmission constants

The IKE daemon uses an exponential backoff algorithm to calculate the timeout of packets before retransmission: the timeout grows exponentially with the number of tries, following the formula:

$\mathrm{timeout}_{try} = \text{retransmit-timeout} \times \text{retransmit-base}^{try}$

Where try ranges from 0 to retransmit-tries. After retransmit-tries unsuccessful retransmissions, the IKE daemon gives up the negotiation.

The retransmission constants can be configured in the global-options section:

vrouter running ike# global-options
vrouter running global-options# retransmit-tries 3
vrouter running global-options# retransmit-timeout 3.0
vrouter running global-options# retransmit-base 1.0
vrouter running global-options# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    global-options
        (...)
        retransmit-tries 3
        retransmit-timeout 3.0
        retransmit-base 1.0
        ..
    ..

  • retransmit-tries is an integer value ranging from 0 to 100 (default 5).

  • retransmit-timeout is a decimal value ranging from 0.000 to 60.000 (default 4.0).

  • retransmit-base is a decimal value ranging from 0.000 to 10.000 (default 1.8).

For more information, see strongSwan’s IKE retransmission behavior.

Lifetime of SA acquire messages

By default IKE negotiations are triggered by outgoing traffic (ipsec-policy-template start-action trap).

When an outgoing packet matches a security policy that requires IPsec protection, but no suitable SA is available, an SA acquire message is raised to trigger the negotiation and a temporary IPsec SA is created in the IPsec stack.

This acquire SA prevents further acquire messages from being raised until the negotiation succeeds, or the acquire SA times out.

The default lifetime of an acquire SA is 165 seconds; this matches the total retransmission time of an IKE message that would receive no answer, with default retransmission constants.

This lifetime may be adjusted in the global-options section:

vrouter running ike# global-options
vrouter running global-options# acquire-timeout 60
vrouter running global-options# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    global-options
        (...)
        acquire-timeout 60
        ..
    ..

acquire-timeout is an integer number of seconds (default 165).
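The retransmission formula and the 165-second acquire lifetime described in the two sections above are linked. The following added example (not code from the product or from strongSwan) computes the send times and the give-up time for a set of retransmission constants, and compares them with an acquire-timeout value. The function names are hypothetical.

```python
"""Retransmission schedule of an unanswered IKE message vs. acquire-timeout."""


def timeouts(tries=5, timeout=4.0, base=1.8):
    """Timeout applied after each transmission, for try = 0 .. retransmit-tries."""
    return [timeout * base ** attempt for attempt in range(tries + 1)]


def send_times(tries=5, timeout=4.0, base=1.8):
    """Seconds after the first transmission at which each transmission is sent."""
    times, elapsed = [], 0.0
    for wait in timeouts(tries, timeout, base):
        times.append(elapsed)
        elapsed += wait
    return times


def give_up_after(tries=5, timeout=4.0, base=1.8):
    """Seconds after which the daemon abandons a negotiation that gets no answer."""
    return sum(timeouts(tries, timeout, base))


def compare_with_acquire(acquire_timeout, tries=5, timeout=4.0, base=1.8):
    """Relate an acquire-timeout value to the retransmission schedule.

    Returns (transmissions sent before the acquire SA expires,
             seconds between acquire expiry and give-up; negative means the
             acquire SA outlives the negotiation attempt).
    """
    sent = sum(1 for t in send_times(tries, timeout, base) if t < acquire_timeout)
    return sent, give_up_after(tries, timeout, base) - acquire_timeout


if __name__ == "__main__":
    print("default schedule (s):", [round(t, 3) for t in send_times()])
    print("default give-up (s): ", round(give_up_after(), 3))
    # Constants from the retransmission example on this page.
    print("tries 3, timeout 3.0, base 1.0 give-up (s):", give_up_after(3, 3.0, 1.0))
    # acquire-timeout 60 from the example on this page, default retransmission.
    print("acquire-timeout 60:", compare_with_acquire(60))
```

With the default constants the give-up time is about 165 seconds, which is why that value is the default acquire-timeout; with acquire-timeout 60 the acquire SA expires while the daemon is still retransmitting.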

DoS protection

The IKE daemon provides Denial of Service (DoS) protection using cookies and aggressiveness checks.

All DoS protection mechanisms are configured in the global-options dos-protection section.

vrouter running ike# global-options
vrouter running global-options# dos-protection
vrouter running dos-protection# cookie-threshold 12
vrouter running dos-protection# block-threshold 6
vrouter running dos-protection# init-limit-half-open 100
vrouter running dos-protection# ..
vrouter running global-options# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    global-options
        (...)
        dos-protection
            cookie-threshold 12
            block-threshold 6
            init-limit-half-open 100
            ..
        ..
    ..

  • cookie-threshold is the number of half-open IKE SAs that activate the cookie mechanism. It is an integer number or the keyword always (default 10). 0 disables the cookie mechanism. always activates it whatever the number of half-open SAs.

  • block-threshold is the maximum number of half-open IKE SAs for a single peer IP. It is an integer number (default 5). 0 disables the limit.

  • init-limit-half-open sets a limit on the number of half-open IKE SAs. New connections are refused if this limit is reached. It is an integer number (default 0). 0 disables the limit.

For more details, please refer to the charon.cookie_threshold, charon.block_threshold and charon.init_limit_half_open options in strongSwan’s strongswan.conf configuration file.

IKE worker threads

The IKE daemon is a multi-threaded application.

The total number of threads it uses may be configured in the global-options section.

vrouter running ike# global-options
vrouter running global-options# show config
vrouter running global-options# threads 20
vrouter running global-options# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    global-options
        (...)
        threads 20
        ..
    ..

threads is a 32-bit integer (default 16).

For more details, please refer to the charon.threads option in strongSwan’s strongswan.conf configuration file.

IKE SA hash table parameters

The IKE SA hash table size can be increased to improve performance when a high number of SAs is managed by the IKE daemon. The table can also be split into segments, each with its own lock, to improve performance when these SAs are managed on multiple cores.

It can be configured in the global-options section.

vrouter running ike# global-options
vrouter running global-options# sa-table-size 128
vrouter running global-options# sa-table-segments 16
vrouter running global-options# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    global-options
        (...)
        sa-table-size 128
        sa-table-segments 16
        ..
    ..

  • sa-table-size is the size of the SA hash table (default 1).

  • sa-table-segments is the number of segments (default 1).

For more details, please refer to the charon.ikesa_table_size option in strongSwan’s strongswan.conf configuration file and strongSwan’s IKE SA lookup tuning.

IPsec SP hash table parameters

The IPsec security policy database (SPD) is an ordered list of rules, the security policies (SPs), that specify what IPsec processing must be applied to packets. They are composed of a packet selector (direction, source subnet, destination subnet, protocol, port) and an action (esp, ah, pass or drop). By default, these SPs are stored in a linked list. The time to browse this list increases with the number of SPs in O(n).

When the IKE daemon establishes a child SA, it configures SPs in the IPsec stack. If the number of SPs grows, the time to add SPs grows in O(n), which slows down the negotiation rate.

When the network stack processes traffic, it looks up the IPsec policy to apply to outbound and inbound packets. If the number of SPs grows, the time to look up the right policy grows in O(n), which slows down the throughput, regardless of whether packets need IPsec processing or not.

To solve this scalability issue, the IPsec stack maintains a hash table of security policies. SPs are hashed based on the source and destination address of their selector. These addresses are subnets with variable prefix lengths, which prevents hashing on all bits of the addresses. Some SPs cannot be hashed because their selector is too wide (the address prefix lengths are too small). These un-hashed SPs are stored in the linked list.

Thresholds are defined, to select which SPs will be hashed and how many bits of address will be included in the hash key:

vrouter running ike# global-options
vrouter running global-options# sp-hash-ipv4 local 16 remote 24
vrouter running global-options# sp-hash-ipv6 local 56 remote 64
vrouter running global-options# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    global-options
        (...)
        sp-hash-ipv4 local 16 remote 24
        sp-hash-ipv6 local 56 remote 64
    ..

  • sp-hash-ipv4 local and remote are the local and remote address minimum prefix lengths of hashed IPv4 SPs. They range from 0 to 32 (default 32).

  • sp-hash-ipv6 local and remote are the local and remote address minimum prefix lengths of hashed IPv6 SPs. They range from 0 to 128 (default 128).

SPs whose local and remote address prefix lengths are greater than or equal to the thresholds are hashed (which speeds up the lookup and insertion); the others are simply looked up in sequence. For hashed SPs, the high order bits of the address (up to the threshold) are included in the hash key calculation.

Example:

dir out src 10.22.0.0/20 dst 10.24.1.0/24 => hashed
dir out src 10.22.0.0/16 dst 10.24.0.0/16 => unhashed
dir in  src 10.24.1.1/32 dst 10.22.0.0/16 => hashed

dir out src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 => hashed
dir out src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 => unhashed
dir in  src 3ffe:304:124:2401::2/128 dst 3ffe:304:124:2200::/56 => hashed

Hash thresholds not only determine which policies will be hashed, but also the number of bits of the local and remote address that will be used to calculate the hash key. Big thresholds mean potentially fewer hashed policies, but better distribution in the hash table, and vice versa.

A good trade-off must be found depending on the prefix lengths used in the SPD.
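To evaluate thresholds against an existing SPD before changing them, the hashing rule above can be applied offline. The following added example (not code from the product or from the kernel) classifies policies as hashed or unhashed and counts the distinct hash-key inputs that a set of thresholds produces. The function names are hypothetical, the mapping of src/dst to local/remote for each direction is inferred from the examples on this page, and the key is represented by the truncated address bits rather than by the stack's actual hash function.

```python
"""Apply sp-hash-ipv4 / sp-hash-ipv6 thresholds to a list of security policies."""
import ipaddress

# Thresholds from the configuration example on this page: {IP version: (local, remote)}.
PAGE_THRESHOLDS = {4: (16, 24), 6: (56, 64)}

# The six selectors listed in the page's example.
PAGE_EXAMPLES = [
    ("out", "10.22.0.0/20", "10.24.1.0/24"),
    ("out", "10.22.0.0/16", "10.24.0.0/16"),
    ("in", "10.24.1.1/32", "10.22.0.0/16"),
    ("out", "3ffe:304:124:2200::/60", "3ffe:304:124:2401::/64"),
    ("out", "3ffe:304:124:2200::/56", "3ffe:304:124:2400::/56"),
    ("in", "3ffe:304:124:2401::2/128", "3ffe:304:124:2200::/56"),
]


def local_remote(direction, src, dst):
    """Map a selector to (local, remote): src is local for 'out', remote for 'in'."""
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    if src_net.version != dst_net.version:
        raise ValueError("selector mixes IPv4 and IPv6")
    if direction == "out":
        return src_net, dst_net
    if direction == "in":
        return dst_net, src_net
    raise ValueError(f"unsupported direction: {direction!r}")


def high_bits(net, bits):
    """High-order `bits` bits of the network address, as an integer."""
    return int(net.network_address) >> (net.max_prefixlen - bits)


def hash_key(direction, src, dst, thresholds):
    """Return the hash-key input for a hashed SP, or None if it stays in the list."""
    local, remote = local_remote(direction, src, dst)
    local_thr, remote_thr = thresholds[local.version]
    if local.prefixlen < local_thr or remote.prefixlen < remote_thr:
        return None       # selector too wide: looked up sequentially
    return (local.version, high_bits(local, local_thr), high_bits(remote, remote_thr))


def is_hashed(direction, src, dst, thresholds):
    return hash_key(direction, src, dst, thresholds) is not None


def spd_stats(policies, thresholds):
    """Return (hashed, unhashed, distinct hash-key inputs) for a list of SPs."""
    keys = [hash_key(d, s, t, thresholds) for d, s, t in policies]
    hashed = [key for key in keys if key is not None]
    return len(hashed), len(keys) - len(hashed), len(set(hashed))


def constructed_spd():
    """Constructed SPD: 256 outbound policies towards distinct remote /24 subnets."""
    return [("out", "10.22.0.0/16", f"10.24.{n}.0/24") for n in range(256)]


if __name__ == "__main__":
    for policy in PAGE_EXAMPLES:
        verdict = "hashed" if is_hashed(*policy, PAGE_THRESHOLDS) else "unhashed"
        print("dir %-3s src %s dst %s => %s" % (*policy, verdict))
    for thr in ((16, 24), (16, 16), (32, 32)):
        print("sp-hash-ipv4 local %d remote %d:" % thr,
              spd_stats(constructed_spd(), {4: thr}))
```

On the constructed SPD, thresholds 16/24 hash all 256 policies into 256 distinct keys, 16/16 hash them all into a single key, and the default 32/32 leaves every policy in the linked list.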

Reverse route injection

Routes can be inserted into a separate routing table for established IPsec tunnels. This makes it possible to inject routes to the remote network discovered during an IKE negotiation.

vrouter running ike# global-options
vrouter running global-options# install-routes true
vrouter running global-options# routing-table 230
vrouter running global-options# routing-table-prio 230
vrouter running global-options# ..
vrouter running ike#
vrouter running ike# show config nodefault
ike
    (...)
    global-options
        (...)
        install-routes true
        routing-table 230
        routing-table-prio 230
    ..

  • install-routes activates or deactivates route installation (default false).

  • routing-table is the number of the routing table in which routes will be injected (default 220).

  • routing-table-prio is the priority of the Policy-Based Routing (PBR) rule that directs lookups to the routing table (default 220).

IKEv2 Mobility and Multihoming Protocol (MOBIKE)

MOBIKE (RFC 4555) allows the IP addresses associated with IKEv2 and tunnel mode IPsec Security Associations to change. A mobile Virtual Private Network (VPN) client could use MOBIKE to keep the connection with the VPN gateway active while moving from one address to another. Similarly, a multihomed host could use MOBIKE to move the traffic to a different interface if, for instance, the one currently being used stops working.

MOBIKE can be enabled in the IKE policy template:

vrouter running config# / vrf main ike
vrouter running ike# ike-policy-template my_policy_tmpl
vrouter running ike-policy-template my_policy_tmpl# mobike true

Alternatively, it can be enabled in the VPN IKE policy:

vrouter running config# / vrf main ike vpn my_vpn
vrouter running vpn my_vpn#! ike-policy template my_policy_tmpl
vrouter running vpn my_vpn#! ipsec-policy template my_ipsec_tmpl
vrouter running vpn my_vpn# ike-policy mobike true

By default, when MOBIKE is enabled, the SA addresses are not modified if the routing path is still usable. Enabling mobike-prefer-best-path in global options dynamically changes this behavior: on routing change, if a cheaper path exists, the SA will be updated dynamically.

To enable the mobike-prefer-best-path option:

vrouter running ike# global-options
vrouter running global-options# mobike-prefer-best-path true

SVTI

Security policies can be associated with SVTI interfaces to configure route-based VPNs.

SVTI interfaces handle their own SPD and SAD.

Outgoing traffic routed through an SVTI interface is submitted to a security policy lookup against the SVTI interface’s own SPD and, when a matching SP is found, encrypted using an SA from its own SAD matching the SP, or dropped if no match was found.

Incoming IPsec-encrypted traffic is first decrypted with the right SA. If the SA is bound to an SVTI interface (via an svti-id), it is then submitted to a security policy check against the SVTI interface’s own SPD. If the packet is granted access, the decrypted traffic is received via the SVTI interface.

To associate a security policy with an SVTI interface, specify the svti-id of the interface on inbound and outbound policies:

vrouter running vpn mytunnel-17# security-policy mytunnel
vrouter running security-policy mytunnel-17# svti-id-in 100
vrouter running security-policy mytunnel-17# svti-id-out 100

See SVTI for details about creating SVTI interfaces.

See also

The command reference for details.