Security advanced configuration

Defining a static Security Association

You must create two Security Associations (one for outgoing traffic, and another for incoming traffic) per static VPN.

A SA is uniquely identified by its protocol (AH or ESP), destination address and SPI.

  • Add a static SA for AH:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}sa ah SRCADDRESS DSTADDRESS [vrf-id VRF-ID] [svti SVTI] SPI MODE AUTHALGO AUTHKEY [encapdscp] [decapdscp] [nopmtudisc]
    
    SRCADDRESS

    Source of the secure communication: IPv4 or IPv6 address in numeric form.

    DSTADDRESS

    Destination of the secure communication: IPv4 or IPv6 address in numeric form.

    VRF-ID

    VRF ID for the SA, part of the SA’s identifier (the same as the SP’s VRF ID).

    SVTI

    SVTI this SA will be attached to.

    SPI

    SPI for the SA. Either a decimal or an hexadecimal number (with leading 0x) outside of the 0-255 range. Can be shared between several SAs, provided their triples [1] differ.

    [1]

    Destination address, type of IPsec protocol (AH or ESP), SPI.

    MODE

    IPsec mode specification. Either transport or tunnel mode. Two SAs are required per IPsec rule (one in each direction).

    AUTHALGO

    Authentication algorithm specification.

    Authentication algorithm Parameter value RFC
    hmac-md5 HMAC-MD5 RFC 2403
    hmac-sha1 HMAC-SHA1 RFC 2404
    hmac-sha256 HMAC-SHA256 RFC 4868
    hmac-sha384 HMAC-SHA384 RFC 4868
    hmac-sha512 HMAC-SHA512 RFC 4868
    aes-xcbc AES-XCBC-MAC RFC 3566

    Note

    Depending on your local regulation, some algorithms may not be available.

    AUTHKEY

    Authentication/integrity key. An hexadecimal value (e.g., 0x123456789abcdef0), or an ASCII string specified between double quotes (e.g., "abcdefgh1234#=+...").

    Authentication algorithm Key length (bits) Key length (bytes)
    hmac-md5 128 16
    hmac-sha1 160 20
    hmac-sha256 256 32
    hmac-sha384 384 48
    hmac-sha512 512 64
    aes-xcbc 128 16
    encapdscp

    Optional. Copy the inner header DSCP to the outer IP header after encapsulating a packet.

    decapdscp

    Optional. Copy the outer header DSCP to the inner IP header when decapsulating a packet.

    nopmtudisc

    Optional. Don’t copy the inner header DF bit after encapsulating a packet.

  • Add a static SA for ESP:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}sa esp SRCADDRESS DSTADDRESS [vrf-id VRF-ID] [svti SVTI] SPI MODE { {CRYPTALGO CRYPTKEY}|NULL} [AUTHALGO AUTHKEY] [encapdscp] [decapdscp] [nopmtudisc]
    
    CRYPTALGO

    Cryptographic algorithm specification.

    Encryption ESP algorithm RFC
    des-cbc RFC 2405
    3des-cbc RFC 2451
    aes-cbc RFC 3394
    aes-gcm RFC 4106
    aes-gmac RFC 4543
    null RFC 2410

    Note

    Depending on your local regulation, some algorithms may not be available.

    CRYPTKEY

    Key for the selected algorithm. An hexadecimal value or a string (specified between double quotes).

    Encryption algorithm Key length (bits)
    des-cbc 64
    3des-cbc 192
    aes-cbc 128/192/256
    aes-gcm 128/192/256 + 32 (salt)
    aes-gmac 128/192/256 + 32 (salt)
    null (N/A)
  • Delete a static SA:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete sa ah SRCADDRESS DSTADDRESS SPI
    router{conf:myconfig-sec}delete sa esp SRCADDRESS DSTADDRESS SPI
    
  • Delete all static SAs:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete sa ah all
    router{conf:myconfig-sec}delete sa esp all
    

Example

router{conf:myconfig-sec}sa ah 20.0.0.1 30.0.0.1 11000 transport hmac-md5 0x000102030405060708090A0B0C0D0E0F
router{conf:myconfig-sec}sa ah 3abc::1 3def::1 11004 transport hmac-sha1 "keykeykeykeykeykeyke"
router{conf:myconfig-sec}sa esp 20.0.0.1 30.0.0.1 11001 tunnel des-cbc 0x0001020304050607
router{conf:myconfig-sec}sa esp 3abc::1 3def::1 11004 tunnel 3des-cbc "keykeykeykeykeykeykeykey"
router{conf:myconfig-sec}sa esp 3abc::1 3def::1 11005 tunnel 3des-cbc "keykeykeykeykeykeykeykey" hmac-sha1 "keykeykeykeykeykeyke"
router{conf:myconfig-sec}sa esp 10.23.4.104 10.23.4.205 12345679 tunnel aes-cbc "128Bits-16Bytes-" hmac-sha1 "160Bits-20Bytes-Key-"
router{conf:myconfig-sec}sa esp 10.23.4.104 10.23.4.205 12345680 transport aes-cbc "192Bits-24Bytes-Key-Key-" hmac-sha1 "160Bits-20Bytes-Key-"
router{conf:myconfig-sec}sa esp 10.23.4.104 10.23.4.205 12345681 transport aes-cbc "256Bits-32Bytes-Key-Key-Key-Key-" hmac-sha1 "160Bits-20Bytes-Key-"
router{conf:myconfig-sec}delete sa esp 3abc::1 3def::1 11004

Creating a new IKE VPN template

A VPN template describes a level of security to be applied to a VPN.

6WIND provides pre-defined templates, but the user can also define other templates if needed.

Note

Designing new templates is a difficult task that requires a lot of security expertise. A bad configuration may lead to either security leaks, or to very big resource consumptions that would lead to performance collapse.

Creating a new IKEv1 VPN template

New security templates have to be defined in the sec context. The new templates will be defined thanks to the following command:

router{conf:myconfig-sec}vpn-template NAME IKEV1 PH1MODE PH1CRYPT PH1HASH PH1LIFETIME PH1LIFETIMEUNIT PH1DHGROUP PH1AUTH PH1IDTYPE PH2CRYPT PH2AUTH PH2LIFETIME PH2LIFETIMEUNIT PH2PFSGROUP [encapdscp] [decapdscp] [nopmtudisc]
NAME
Name of the configured vpn template.
PH1MODE
Defines the IKE phase 1 mode to use (main or aggressive).
PH1CRYPT
Encryption algorithm to use in IKE phase 1 (des, 3des, aes, aes128, aes192 or aes256). The default aes key size is 128 bits (aes means aes128-cbc). The default mode of operation is cbc (aes means aes128-cbc).
PH1HASH
Hash algorithm to use in IKE phase 1 (md5, sha1, sha256, sha384 or sha512).
PH1LIFETIME PH1LIFETIMEUNIT
ISAKMP SA lifetime and its unit (e.g.: 3600 sec, 30 min, 1 hour).
PH1DHGROUP
Diffie Hellman Group that will be used in phase 1 (1 (for MODP768), 2 (for MODP1024), 5 (for MODP1536) or 14 (for MODP2048)).
PH1AUTH
Method used to authenticate peers in phase 1 (pre-shared-key or rsasig for certificate-based authentication).
PH1IDTYPE
Identifier type to identify peers during phase 1 authentication: address for an IPv4/IPv6 address, fqdn for DNS name, user-fqdn for email address or asn1dn for ASN.1 Distinguished Name. asn1dn can only be used with certificate-based authentication (PH1AUTH = rsasig). address can only be used with a pre-shared key based authentication (PH1AUTH = pre-shared-key). In main mode with pre-shared key authentication, the responder will need to look up the secret before the Peer’s ID payload has been decoded, so the ID must be an IP address.
PH2CRYPT
List of encryption algorithms that will be proposed in phase 2 for ESP mechanism (des, 3des, aes, aes128, aes192, aes256, aes-gcm, aes128-gcm, aes192-gcm, aes256-gcm, aes-gmac, aes128-gmac, aes192-gmac, aes256-gmac null, or a comma-separated list). The default aes key size is 128 bits (aes-gcm means aes128-gcm). The default mode of operation is cbc (aes means aes128-cbc).
PH2AUTH
List of authentication algorithms that will be proposed in phase 2 for the authentication part of the ESP mechanism (hmac-md5, hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512, aes-xcbc, null or a comma separated list).
PH2LIFETIME PH2LIFETIMEUNIT
IPsec SA lifetime and its unit (e.g.: 3600 sec, 30 min, 1 hour).
PH2PFSGROUP
Diffie Hellman Group that will be used in phase 2 if Perfect Forward Secrecy is enabled. (1 (for MODP768), 2 (for MODP1024), 5 (for MODP1536), 14 (for MODP2048) or none to disable PFS).
encapdscp
Optional. Copy the inner header DSCP to the outer IP header after encapsulating a packet.
decapdscp
Optional. Copy the outer header DSCP to the inner IP header when decapsulating a packet.
nopmtudisc
Optional. Don’t copy the inner header DF bit after encapsulating a packet.

Example

router{conf:myconfig-sec}vpn-template xp-cert 1 main 3des sha1 28800 sec 2 rsasig asn1dn 3des hmac-md5 3600 sec none

Creating a new IKEv2 VPN template

New IKEv2 templates have to be defined in the sec context. The new templates will be defined thanks to the following command:

router{conf:myconfig-sec}vpn-template NAME 2 PH1CRYPT PH1HASH PH1LIFETIME PH1LIFETIMEUNIT PH1DHGROUP PH1AUTH|(PH1-MY-AUTH:PH1-PEER-AUTH) (PH1IDTYPE)|(PH1-MY-IDTYPE:PH1-PEER-IDTYPE) PH2CRYPT PH2AUTH PH2LIFETIME PH2LIFETIMEUNIT PH2PFSGROUP [encapdscp] [decapdscp] [nopmtudisc]
NAME
Name of the configured vpn template.
PH1CRYPT
Encryption algorithm to use in IKE phase 1 (des, 3des, aes, aes128, aes192, aes256, aes-ctr, aes128-ctr, aes192-ctr, aes256-ctr, aes-gcm, aes128-gcm, aes192-gcm or aes256-gcm). The default aes key size is 128 bits (aes-ctr means aes128-ctr). The default mode of operation is cbc (aes means aes128-cbc).
PH1HASH
Authentication algorithm to use in IKE phase 1 (md5, sha1, sha256, sha384, sha512 or aes-xcbc). The md5 and sha algorithms are the hmac versions (sha1 means hmac-sha1).
PH1LIFETIME PH1LIFETIMEUNIT
ISAKMP SA lifetime and unit (e.g.: 3600 sec, 30 min, 1 hour).
PH1DHGROUP
Diffie Hellman Group that will be used in phase 1 (1 (for MODP768), 2 (for MODP1024), 5 (for MODP1536) or 14 (for MODP2048)).
PH1AUTH
Method used to authenticate peers in phase 1 (pre-shared-key or rsasig for certificate-based authentication).
PH1-MY-AUTH:PH1-PEER-AUTH
For non-symmetric authentication, specifies the local and remote method to authenticate peers in phase 1. PH1-MY-AUTH can be pre-shared-key or rsasig. PH1-PEER-AUTH can be pre-shared-key, rsasig or eap-radius.
PH1IDTYPE
Identifier type to identify peers during phase 1 authentication: address for an IPv4/IPv6 address, fqdn for DNS name, user-fqdn for email address or asn1dn for ASN.1 Distinguished Name. asn1dn can only be used with certificate-based authentication (PH1AUTH = rsasig). address can only be used with a pre-shared key based authentication (PH1AUTH = pre-shared-key).
PH1-MY-IDTYPE:PH1-PEER-IDTYPE
For non-symmetric authentication, specifies the local and remote identifier types used in phase 1. PH1-MY-IDTYPE and PH1-PEER-IDTYPE can be fqdn, address, user-fqdn or asn1dn.
PH2CRYPT
List of encryption algorithms that will be proposed in phase 2 for ESP mechanism (des, 3des, aes, aes128, aes192, aes256, aes-gcm, aes128-gcm, aes192-gcm, aes256-gcm, aes-gmac, aes128-gmac, aes192-gmac, aes256-gmac, null or a comma-separated list). The default aes key size is 128 bits (aes-gcm means aes128-gcm). The default mode of operation is cbc (aes means aes128-cbc)
PH2AUTH
List of authentication algorithms that will be proposed in phase 2 for the authentication part of the ESP mechanism (hmac-md5, hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512, aes-xcbc, null or a comma separated list).
PH2LIFETIME PH2LIFETIMEUNIT
IPsec SA lifetime and its unit (e.g.: 3600 sec, 30 min, 1 hour).
PH2PFSGROUP
Diffie Hellman Group that will be used in phase 2 if Perfect Forward Secrecy is enabled. (1 (for MODP768), 2 (for MODP1024), 5 (for MODP1536), 14 (for MODP2048) or none to disable PFS);
encapdscp
Optional. Copy the inner header DSCP to the outer IP header after encapsulating a packet.
decapdscp
Optional. Copy the outer header DSCP to the inner IP header when decapsulating a packet.
nopmtudisc
Optional. Don’t copy the inner header DF bit after encapsulating a packet.

Example

router{conf:myconfig-sec}vpn-template xp-cert 1 main 3des sha1 28800 sec 2 rsasig asn1dn 3des hmac-md5 3600 sec none

Deleting a user defined VPN template

  • Delete a user-defined VPN template:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete vpn-template VPNTEMPLATENAME
    

IKEv2 EAP authenticator

IKEv2 with EAP authentication is an asymmetric authentication method:

  • The server authenticates to the client via a classic IKE authentication method (psk or certificates)
  • The client authenticates to the server via an EAP exchange; the server proxies the EAP authentication to an external RADIUS server.

The Turbo IPsec IKEv2 daemon can act as an EAP proxy that delegates the actual authentication to a RADIUS server. In the RFC 2748 terminology, Turbo IPsec (the server) is an EAP authenticator acting as a pass-through to a backend authentication server.

An EAP RADIUS server backend defines the external RADIUS server that:

  1. receives the EAP authentication message from the Turbo IPsec IKEv2 daemon, and
  2. performs authentication.

Note

You must have selected eap-radius as the IKE phase 1 authentication method in the VPN template.

  • Define the EAP RADIUS server backend:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}eap-radius NAME A.B.C.D|X:X::X:X[[PORT]] password PASSWORD [nas-id NASID]
    
    NAME

    RADIUS server name

    A.B.C.D|X:X::X:X[[PORT]]

    RADIUS server address and, optionally, port

    PASSWORD

    RADIUS server password

    NASID

    Network access server identifier of the IKEv2 daemon

  • Delete an EAP RADIUS server backend:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete eap-radius NAME
    
  • Delete all EAP RADIUS server backends:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}delete eap-radius all