Note
IKE requires an IPsec Application License.
IKE
Internet Key Exchange (IKE) is the control plane protocol providing authentication and key exchange mechanisms to establish secure VPNs over IPsec.
IKE peers authenticate each other via native IKE methods (pre-shared keys or certificates), or via various EAP methods.
About IPsec
IPsec (Internet Protocol Security) is a suite of protocols that provides security to Internet communications at the IP layer. The most common current use of IPsec is to provide a Virtual Private Network (VPN), either between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway). More information is available in RFC4301.
About IKE
IKE (Internet Key Exchange) is the key negotiation and management protocol that is most commonly used to provide dynamically negotiated and updated keying material for IPsec. IPsec and IKE can be used in conjunction with both IPv4 and IPv6.
More information is available in RFC2409 and the latest update RFC7296.
The following sections explain the basics of IKE configuration, then present a couple of use cases and finally detail advanced configuration and performance tuning.
IKE configuration overview
Enabling IKE
IKE is enabled per VRF as follows:
vsr running config# vrf main
vsr running vrf main# ike
vsr running ike#
Next, a VPN must be defined to specify the security parameters and policies to apply to the traffic, as well as authentication credentials for the IKE negotiation. VPN templates are available to simplify the configuration of VPNs.
VPN templates
The number of parameters for IKE is very high and it would be painful to repeat all of them for each VPN configuration. Therefore a template system is available to ease the configuration:
several VPNs can share the same settings by referring to the same template,
each parameter present in a template can be overridden by the VPN.
The IKE protocol consists of two phases:
The first phase performs mutual authentication of two IKE peers and establishes an IKE Security Association (IKE SA), i.e. a secure communication channel between the two parties.
The second phase creates or updates pairs of ESP or AH SAs. Each pair of ESP or AH SAs is called a CHILD SA.
IKE policy templates
An IKE policy template defines a model of IKE SA parameters. VPNs inherit their IKE SA parameters from such a template and can then override each of them.
Create an IKE policy template:
vsr running ike# ike-policy-template iketemp1
vsr running ike-policy-template iketemp1#
The IKE policy template is initialized with various default values:
vsr running ike-policy-template iketemp1# show config
ike-policy-template iketemp1
local-auth-method pre-shared-key
remote-auth-method pre-shared-key
keying-tries 1
unique-sa no
reauth-time 0s
rekey-time 4h
dpd-delay 0s
aggressive false
udp-encap false
..
One or more IKE cryptographic algorithm proposals may then be defined in the ike-policy-template, or directly in the VPN ike-policy.
Each IKE proposal must contain either:
a list of encryption algorithms (enc-alg).
a list of authentication algorithms (auth-alg).
a list of Diffie-Hellman groups (dh-group) for key exchanges.
optionally a list of pseudo-random function algorithms (prf-alg). If no prf-alg is provided, then the authentication algorithms will be used for generating random numbers.
Or:
a list of combined mode algorithms (aead-alg), which provide both encryption and authentication.
a list of Diffie-Hellman groups (dh-group) for key exchanges.
a list of pseudo-random function algorithms (prf-alg) for generating random numbers.
vsr running ike-policy-template iketemp1# ike-proposal 1
vsr running ike-proposal 1#! enc-alg aes128-cbc
vsr running ike-proposal 1#! auth-alg hmac-sha512
vsr running ike-proposal 1#! dh-group modp2048
vsr running ike-proposal 1# ..
vsr running ike-policy-template iketemp1# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ike-policy-template iketemp1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
dh-group modp2048
..
..
..
As supported by the IKE protocol, the IKE daemon may submit several IKE proposals in a negotiation, and (for IKEv2 only), each proposal may contain several algorithms of the same type (for example several encryption algorithms).
All other parameters of an ike-policy-template have a default value. Each parameter (including ike-proposal) may be overridden by the VPN, for example the authentication method.
IPsec policy templates
An IPsec policy template defines a model of CHILD SA parameters. VPNs inherit their IPsec SA parameters from such a template and can then override each of them.
Create an IPsec policy template:
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1#
The IPsec policy template is initialized with various default values:
vsr running ipsec-policy-template ipsectemp1# show config
ipsec-policy-template ipsectemp1
start-action trap
close-action trap
dpd-action restart
replay-window 32
rekey-time 1h
rekey-bytes 0
rekey-packets 0
encap-copy-dscp true
decap-copy-dscp false
encap-copy-df true
..
One or more ESP and AH cryptographic algorithm proposals may then be defined in the ipsec-policy-template, or directly in the VPN ipsec-policy.
Each ESP proposal must contain either:
a list of encryption algorithms (enc-alg).
a list of authentication algorithms (auth-alg).
Or:
a list of combined mode algorithms (aead-alg), which provide both encryption and authentication.
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1# esp-proposal 1
vsr running esp-proposal 1#! enc-alg aes128-cbc
vsr running esp-proposal 1#! auth-alg hmac-sha256
vsr running esp-proposal 1# ..
vsr running ipsec-policy-template ipsectemp1# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
..
..
Each AH proposal must contain:
a list of authentication algorithms (auth-alg).
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1# ah-proposal 1
vsr running ah-proposal 1#! auth-alg hmac-sha512
vsr running ah-proposal 1# ..
vsr running ipsec-policy-template ipsectemp1# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ipsec-policy-template ipsectemp1
(...)
ah-proposal 1
auth-alg hmac-sha512
..
..
..
Each ESP and AH proposal may optionally activate Perfect Forward Secrecy (PFS) by specifying a list of Diffie-Hellman groups. This triggers an additional Diffie-Hellman exchange to establish the CHILD SA keys. If no dh-group is specified, CHILD SA keys will be derived from former keys.
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1# esp-proposal 1
vsr running esp-proposal 1# dh-group modp2048
vsr running esp-proposal 1# ..
vsr running ipsec-policy-template ipsectemp1# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ipsec-policy-template ipsectemp1
(...)
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
..
..
..
A proposal may also optionally enable Extended Sequence Numbers (ESN) (see Extended Sequence Number (ESN)).
As supported by the IKE protocol, the IKE daemon may submit several ESP or AH proposals in a negotiation, and (for IKEv2 only), each proposal may contain several algorithms of the same type (for example several encryption algorithms).
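The rules stated above for IKE, ESP and AH proposals, including the optional dh-group that enables PFS, can be checked mechanically on a configuration dump. The following Python script is an added example, not part of the product or its documentation: it scans show config text in the flattened form shown on this page and reports proposals that lack a required keyword. The sample configuration is constructed, and example-aead is a placeholder rather than a real algorithm name.

```python
"""Lint IKE, ESP and AH proposals found in `show config` text."""

PROPOSAL_KINDS = ("ike-proposal", "esp-proposal", "ah-proposal")
SCOPE_KINDS = ("ike-policy-template", "ipsec-policy-template", "vpn")

# Constructed sample in the flattened form used on this page.
# "example-aead" is a placeholder, not a real algorithm name.
SAMPLE_CONFIG = """\
ike
ike-policy-template iketemp1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
dh-group modp2048
..
ike-proposal 2
aead-alg example-aead
dh-group modp2048
..
..
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
esp-proposal 2
enc-alg aes128-cbc
dh-group modp2048
..
ah-proposal 1
auth-alg hmac-sha512
dh-group modp2048
..
..
..
"""


def parse_proposals(text):
    """Return a list of (scope, kind, proposal_id, {keyword: [values]})."""
    proposals, scope, current = [], "(top level)", None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "(...)":      # blank line or elided output
            continue
        key, values = words[0], words[1:]
        if current is not None:
            if key == "..":                       # closes the open proposal
                proposals.append(current)
                current = None
            else:                                 # leaf; repeated keywords form a list
                current[3].setdefault(key, []).extend(values)
        elif key in PROPOSAL_KINDS and values:
            current = (scope, key, values[0], {})
        elif key in SCOPE_KINDS and values:       # remember the enclosing template/VPN
            scope = f"{key} {values[0]}"
    if current is not None:                       # dump truncated inside a proposal
        proposals.append(current)
    return proposals


def missing_keywords(kind, params):
    """Keywords required for this proposal kind that are absent."""
    if kind == "ah-proposal":
        required = ["auth-alg"]
    elif "aead-alg" in params:                    # combined-mode form
        required = ["aead-alg"]
        if kind == "ike-proposal":
            required += ["dh-group", "prf-alg"]   # prf-alg is mandatory with AEAD
    else:                                         # encryption + authentication form
        required = ["enc-alg", "auth-alg"]
        if kind == "ike-proposal":
            required.append("dh-group")           # prf-alg stays optional here
    return [k for k in required if not params.get(k)]


def lint(text):
    """Return a list of (location, severity, message) findings."""
    findings = []
    for scope, kind, pid, params in parse_proposals(text):
        where = f"{scope} / {kind} {pid}"
        for keyword in missing_keywords(kind, params):
            findings.append((where, "error", f"missing {keyword}"))
        if kind == "ike-proposal":
            if "aead-alg" not in params and params.get("auth-alg") \
                    and not params.get("prf-alg"):
                findings.append((where, "info",
                                 "no prf-alg: auth-alg is used as PRF"))
        elif not params.get("dh-group"):
            findings.append((where, "info",
                             "no dh-group: PFS off, CHILD SA keys "
                             "derived from former keys"))
    return findings


if __name__ == "__main__":
    for where, severity, message in lint(SAMPLE_CONFIG):
        print(f"{severity:5} {where}: {message}")
```

Lines that are not proposal keywords (CLI prompts, other contexts) are ignored, so a captured session can be passed in unchanged.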
All other parameters of an ipsec-policy-template have a default value. Each parameter (including esp-proposal and ah-proposal) may be overridden by the VPN, for example the replay window size.
An important parameter is start-action, which defaults to trap, meaning that the tunnel will be triggered as soon as outgoing matching traffic is detected.
See also
The command reference for details about template parameters.
To display the configuration, from the ike context, type:
vsr running ike# show config
ike
(...)
ike-policy-template iketemp1
local-auth-method pre-shared-key
remote-auth-method pre-shared-key
keying-tries 1
reauth-time 0s
rekey-time 4h
dpd-delay 0s
aggressive false
udp-encap false
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
auth-alg hmac-sha512
..
..
ipsec-policy-template ipsectemp1
start-action trap
close-action trap
dpd-action restart
replay-window 32
rekey-time 1h
rekey-bytes 0
rekey-packets 0
encap-copy-dscp true
decap-copy-dscp false
encap-copy-df true
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
ah-proposal 1
auth-alg hmac-sha512
..
..
After VPN templates have been created, you may use them in one or several VPNs.
Creating a VPN
A VPN defines the security parameters between the local host and a remote IKE peer (or a group of IKE peers), and the IPsec security policies to apply to the IP traffic that transits through these peers.
Creating a VPN basically consists of:
specifying which IKE and IPsec template to apply,
optionally overriding some parameters of these templates,
defining the identities of the peers and their credentials,
specifying the IPsec security policies to apply.
Create the VPN vpn-hq, use the ike-policy-template iketemp1 and override the keying-tries parameter, then use the ipsec-policy-template ipsectemp1.
vsr running ike# vpn vpn-hq
vsr running vpn vpn-hq#! ike-policy
vsr running ike-policy#! template iketemp1
vsr running ike-policy#! keying-tries 10
vsr running ike-policy#! ..
vsr running vpn vpn-hq#! ipsec-policy
vsr running ipsec-policy#! template ipsectemp1
vsr running ipsec-policy#! ..
vsr running vpn vpn-hq#! local-address 192.0.2.1
vsr running vpn vpn-hq#! remote-address 198.51.100.1
vsr running vpn vpn-hq#! local-id user1.roadw.6wind.net
vsr running vpn vpn-hq#! remote-id secgw.6wind.net
Then define an IPsec security-policy trunk between subnets 192.168.0.0/24 and 192.168.99.0/24, with the default action (do ESP in tunnel mode).
vsr running vpn vpn-hq#! security-policy trunk
vsr running security-policy trunk#! local-ts subnet 192.168.0.0/24
vsr running security-policy trunk#! remote-ts subnet 192.168.99.0/24
vsr running security-policy trunk#! ..
vsr running vpn vpn-hq#! ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ike-policy-template iketemp1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
dh-group modp2048
..
..
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
..
vpn vpn-hq
ike-policy
template iketemp1
keying-tries 10
..
ipsec-policy
template ipsectemp1
..
local-address 192.0.2.1
remote-address 198.51.100.1
local-id user1.roadw.6wind.net
remote-id secgw.6wind.net
security-policy trunk
local-ts subnet 192.168.0.0/24
remote-ts subnet 192.168.99.0/24
..
..
..
Finally, define a pre-shared key hq-secgw for mutual authentication with the remote peer:
vsr running ike# pre-shared-key hq-secgw
vsr running pre-shared-key hq-secgw#! id 198.51.100.1
vsr running pre-shared-key hq-secgw#! secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
vsr running pre-shared-key hq-secgw# ..
vsr running ike#
vsr running ike# show config nodefault
ike
pre-shared-key hq-secgw
id 198.51.100.1
secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
..
global-options
dos-protection
..
sp-hash-ipv4
sp-hash-ipv6
..
ike-policy-template iketemp1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
dh-group modp2048
..
..
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
..
vpn vpn-hq
ike-policy
template iketemp1
keying-tries 10
..
ipsec-policy
template ipsectemp1
..
local-address 192.0.2.1
remote-address 198.51.100.1
local-id user1.roadw.6wind.net
remote-id secgw.6wind.net
security-policy trunk
local-ts subnet 192.168.0.0/24
remote-ts subnet 192.168.99.0/24
..
..
..
IKE authentication
Configuring IKE authentication consists of:
choosing the local and remote authentication methods (pre-shared keys, certificate signatures or an EAP method),
specifying the local (and optionally remote) authentication identity,
configuring keys, certificates or contact information of a RADIUS server.
The authentication methods of the local and remote IKE peer may be asymmetric: for example, the local host may authenticate by certificate and the remote peer by EAP.
The methods used to authenticate the local and remote peer are specified in the ike-policy-template and may be overridden in the VPN ike-policy:
vsr running ike# vpn vpn-hq
vsr running vpn vpn-hq# ike-policy
vsr running ike-policy# local-auth-method certificate
vsr running ike-policy# remote-auth-method eap-mschapv2
vsr running ike-policy# ..
vsr running vpn vpn-hq#
If unspecified, the default authentication method is pre-shared-key.
The local IKE identity is defined in the VPN:
vsr running vpn vpn-hq# local-id server@6wind.com
If unspecified, the local IKE identity defaults to:
the peer IP address for pre-shared key
the certificate subject for certificate authentication
When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName.
Optionally, the remote IKE identity may be specified. It indicates which identity to expect for the authentication round. It is also used to choose the right pre-shared key when initiating a negotiation.
If EAP authentication is used, the local or remote EAP identity is defined by a different command:
vsr running vpn vpn-to-hq# local-eap-id client1@6wind.com
If unspecified, the EAP identity defaults to the IKE identity.
If the remote EAP identity is set to %any, the client will be asked for its EAP identity via the EAP-Identity method.
vsr running vpn vpn-hq# remote-eap-id %any
Certificate authentication
Certificate authentication performs authentication via RSA public key cryptography.
Unlike pre-shared keys, certificates do not require the IKE peers to exchange secret keys beforehand. To authenticate remote peers, an IKE endpoint simply needs to trust the certificate authority that delivered and signed the remote peers’ certificates.
Certificates make it easy to deploy a large number of IKE clients without maintaining and distributing a large list of secret keys (one for each pair of IKE peers) or weakening the system by using a single secret key shared between all IKE peers. They also avoid modifying the configuration of each peer when a new one is added.
Each IKE peer owns a digital certificate and a private key. The certificate embeds identity information and the matching public key. The certificate is delivered and signed by a certificate authority (CA), whose public key is stored in a CA certificate. The CA certificate makes it possible to validate the authenticity of all certificates that the CA delivered.
As with bank cards, a CA may also revoke a valid certificate before its expiration, for example in case of disclosure of the public key or the departure of an employee. To do so, the CA may deliver a signed certificate revocation list (CRL) that lists revoked certificates.
Certificates, private keys and certificate revocation lists are stored in the Privacy Enhanced Mail (PEM) format in the configuration.
Local host authentication by certificate
The local host certificate and private key must be installed in the certificate list:
vsr running ike# certificate secgw-a
vsr running certificate secgw-a#! certificate "-----BEGIN CERTIFICATE-----
... MIIB9jCCAV8CAQMwDQYJKoZIhvcNAQEEBQAwUzETMBEGA1UEChMKNldJTkQgUy5B
... LjEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAYTAkZSMR8wHQYDVQQDExZIZWFkcXVh
... cnRlcnMgQXV0aG9yaXR5MB4XDTE4MDkxOTEzMjM1MloXDTE5MDkxOTEzMjM1Mlow
... NDELMAkGA1UEBhMCRlIxEzARBgNVBAoTCjZXSU5EIFMuQS4xEDAOBgNVBAMTB1Nl
... Y0dXLUEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOuCfHphepTnllpX/emq
... IMjW35RAm3TSSHSgDvBm/QtBHgJgLd53ANGbRQ7olinx7jA+CrbrBM9BdEXdR7So
... Q9++munDep/Eb9vu55mMm/leZ8xnV4jIDjLmHCP/AMPNYzKVJHPCElDIbLsbvHIq
... 8A6CYaQOi7NkOrkRY9q3LiEzAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAdSmnAN5+
... eRh7WuxuAlSGJh1PWb3NzrSKcbJnMPMz1qCqVhvQiGTQNIE5rpr6AlJN7LZV/wvS
... ng4yIizgehU0fluNfAroTEOoxq06m39YZPoY6mUNk82kRq3YTEx+j9EizRjePHzk
... jfYhCQITZa0atkjpfI143bO/k1NVC9exBv0=
... -----END CERTIFICATE-----"
vsr running certificate secgw-a#! private-key "-----BEGIN PRIVATE KEY-----
... MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOuCfHphepTnllpX
... /emqIMjW35RAm3TSSHSgDvBm/QtBHgJgLd53ANGbRQ7olinx7jA+CrbrBM9BdEXd
... R7SoQ9++munDep/Eb9vu55mMm/leZ8xnV4jIDjLmHCP/AMPNYzKVJHPCElDIbLsb
... vHIq8A6CYaQOi7NkOrkRY9q3LiEzAgMBAAECgYB7IBoiBUqIBNeXXf9ypS5Esgnr
... wSdFGRcmWfPVfZJ3ytB8n3n7n62+5/VfyPuQ7FoBwL3rSc2W6Xp3eCuf6ISquXy8
... zNIB2EY4dzXWpzA9E8+0nZiO8dzFyphM0BFN44pwSazrgD0ZSnXQbxzFBwm5+VvC
... cxSpR/A+53bxDklAIQJBAPnMBvgHdtZATV4rzUN42l//McSGgba1GklICul5rIk/
... GhkGLVLgRaxsJoM3myV7lwA/7jJwXX3ypnJEO2uODXECQQDxW6JTUK5N2/0idS1i
... +Y/cEhgv0c7e3zTvTK3qe5t6Q1A2+1n6mpjk4iRSAfsiEMudnUFIBqbCpyZ1/GeV
... 2JbjAkAPau1fL67BCJT94/w2VuY7mJesxpSI/2KQ9VZfFLh2fCOTOdNgUyFZxA8Y
... eD0mMhue01NTX6YVmP12/gkg2VKxAkAUMkLHDf1H7pykAYImwhNTqv/zIG9bHvpi
... +9uhv24nMPLJZwcEfWNF49Z+NkQ5eYZQThRkXoodx7bkMJbKZzFZAkEA+R+jxmK/
... /XiiT7zizYaWW5x/PQrGvpfOehmlcp11+uO3ILDolNqD7gde98P9Rlc2xXF++K8I
... 3yyFFRutrqwKjw==
... -----END PRIVATE KEY-----"
vsr running certificate secgw-a# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
certificate secgw-a
certificate "-----BEGIN CERTIFICATE-----
MIIB9jCCAV8CAQMwDQYJKoZIhvcNAQEEBQAwUzETMBEGA1UEChMKNldJTkQgUy5B
LjEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAYTAkZSMR8wHQYDVQQDExZIZWFkcXVh
cnRlcnMgQXV0aG9yaXR5MB4XDTE4MDkxOTEzMjM1MloXDTE5MDkxOTEzMjM1Mlow
NDELMAkGA1UEBhMCRlIxEzARBgNVBAoTCjZXSU5EIFMuQS4xEDAOBgNVBAMTB1Nl
Y0dXLUEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOuCfHphepTnllpX/emq
IMjW35RAm3TSSHSgDvBm/QtBHgJgLd53ANGbRQ7olinx7jA+CrbrBM9BdEXdR7So
Q9++munDep/Eb9vu55mMm/leZ8xnV4jIDjLmHCP/AMPNYzKVJHPCElDIbLsbvHIq
8A6CYaQOi7NkOrkRY9q3LiEzAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAdSmnAN5+
eRh7WuxuAlSGJh1PWb3NzrSKcbJnMPMz1qCqVhvQiGTQNIE5rpr6AlJN7LZV/wvS
ng4yIizgehU0fluNfAroTEOoxq06m39YZPoY6mUNk82kRq3YTEx+j9EizRjePHzk
jfYhCQITZa0atkjpfI143bO/k1NVC9exBv0=
-----END CERTIFICATE-----"
private-key "-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOuCfHphepTnllpX
/emqIMjW35RAm3TSSHSgDvBm/QtBHgJgLd53ANGbRQ7olinx7jA+CrbrBM9BdEXd
R7SoQ9++munDep/Eb9vu55mMm/leZ8xnV4jIDjLmHCP/AMPNYzKVJHPCElDIbLsb
vHIq8A6CYaQOi7NkOrkRY9q3LiEzAgMBAAECgYB7IBoiBUqIBNeXXf9ypS5Esgnr
wSdFGRcmWfPVfZJ3ytB8n3n7n62+5/VfyPuQ7FoBwL3rSc2W6Xp3eCuf6ISquXy8
zNIB2EY4dzXWpzA9E8+0nZiO8dzFyphM0BFN44pwSazrgD0ZSnXQbxzFBwm5+VvC
cxSpR/A+53bxDklAIQJBAPnMBvgHdtZATV4rzUN42l//McSGgba1GklICul5rIk/
GhkGLVLgRaxsJoM3myV7lwA/7jJwXX3ypnJEO2uODXECQQDxW6JTUK5N2/0idS1i
+Y/cEhgv0c7e3zTvTK3qe5t6Q1A2+1n6mpjk4iRSAfsiEMudnUFIBqbCpyZ1/GeV
2JbjAkAPau1fL67BCJT94/w2VuY7mJesxpSI/2KQ9VZfFLh2fCOTOdNgUyFZxA8Y
eD0mMhue01NTX6YVmP12/gkg2VKxAkAUMkLHDf1H7pykAYImwhNTqv/zIG9bHvpi
+9uhv24nMPLJZwcEfWNF49Z+NkQ5eYZQThRkXoodx7bkMJbKZzFZAkEA+R+jxmK/
/XiiT7zizYaWW5x/PQrGvpfOehmlcp11+uO3ILDolNqD7gde98P9Rlc2xXF++K8I
3yyFFRutrqwKjw==
-----END PRIVATE KEY-----"
..
Then the local-auth-method must be set to certificate in the ike-policy-template used by the VPN (or overridden in the VPN ike-policy).
Finally, the list of certificate candidates to use for authentication is specified in the VPN certificate command. The certificate used for authentication is selected based on the received certificate request payloads. If no appropriate CA can be located, the first certificate is used.
The IKE id used by the local host must be stored in its certificate, in the subjectName or in the subjectAltNames section.
vsr running ike# vpn siteA-roadw
vsr running vpn siteA-roadw#! ike-policy
vsr running ike-policy#! template iketemp1
vsr running ike-policy#! local-auth-method certificate
vsr running ike-policy#! ..
vsr running vpn siteA-roadw#! ipsec-policy template ipsectemp1
vsr running vpn siteA-roadw# certificate secgw-a
vsr running vpn siteA-roadw# ..
vsr running ike#
vsr running ike# show config
ike
(...)
vpn siteA-roadw
ike-policy
template iketemp1
local-auth-method certificate
..
ipsec-policy
template ipsectemp1
..
certificate secgw-a
..
..
Remote peer authentication by certificate
The certificate authority that issued the certificates that remote peers will present must be declared in the certificate-authority list:
vsr running ike# certificate-authority hq-authority
vsr running certificate-authority hq-authority# certificate "-----BEGIN CERTIFICATE-----
... MIIC2zCCAkSgAwIBAgIJAJpUB7T8zBYBMA0GCSqGSIb3DQEBBAUAMFMxEzARBgNV
... BAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcTBVBhcmlzMQswCQYDVQQGEwJGUjEfMB0G
... A1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhvcml0eTAeFw0xODA5MTkxMzE5MTNaFw0x
... ODEwMTkxMzE5MTNaMFMxEzARBgNVBAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcTBVBh
... cmlzMQswCQYDVQQGEwJGUjEfMB0GA1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhvcml0
... eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2mWsQQ14SSkx0Qp5eXXHMkAV
... OEyIJVD3dVPrcQkeCUR38KPrA8Dmlt/KLTrTfat6+/wxS1HywCLYR3U1+CrEQmR+
... kC/NgcNC+QqXyevb+2LTT606oHMQ6XckWIDhhD6JszN0dtcAci1SMgaKIoaoxElu
... TwIdDBkj8W7gnpn84k8CAwEAAaOBtjCBszAMBgNVHRMEBTADAQH/MB0GA1UdDgQW
... BBSN5H+zxbYDk/kVJuqimYsT2oDGDTCBgwYDVR0jBHwweoAUjeR/s8W2A5P5FSbq
... opmLE9qAxg2hV6RVMFMxEzARBgNVBAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcTBVBh
... cmlzMQswCQYDVQQGEwJGUjEfMB0GA1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhvcml0
... eYIJAJpUB7T8zBYBMA0GCSqGSIb3DQEBBAUAA4GBAEvu9Rj1dUcQsFywseZdZcC7
... 9jxhHtml1naxqDp/krPG/GJiSiCypQOGjbcXlRa2NOtLU7DwZTKH3S3fw8TBIAen
... 7vbQFLUtzrZ07TW4wnmtBtGd7GVqAZVIoUnkldVHhHL6hGy2DM+3e8+lptx8+tb6
... U/7s2V3Bm/HkQRq8+Gji
... -----END CERTIFICATE-----"
vsr running certificate-authority hq-authority# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
certificate-authority hq-authority
certificate "-----BEGIN CERTIFICATE-----
MIIC2zCCAkSgAwIBAgIJAJpUB7T8zBYBMA0GCSqGSIb3DQEBBAUAMFMxEzARBgNV
BAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcTBVBhcmlzMQswCQYDVQQGEwJGUjEfMB0G
A1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhvcml0eTAeFw0xODA5MTkxMzE5MTNaFw0x
ODEwMTkxMzE5MTNaMFMxEzARBgNVBAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcTBVBh
cmlzMQswCQYDVQQGEwJGUjEfMB0GA1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhvcml0
eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2mWsQQ14SSkx0Qp5eXXHMkAV
OEyIJVD3dVPrcQkeCUR38KPrA8Dmlt/KLTrTfat6+/wxS1HywCLYR3U1+CrEQmR+
kC/NgcNC+QqXyevb+2LTT606oHMQ6XckWIDhhD6JszN0dtcAci1SMgaKIoaoxElu
TwIdDBkj8W7gnpn84k8CAwEAAaOBtjCBszAMBgNVHRMEBTADAQH/MB0GA1UdDgQW
BBSN5H+zxbYDk/kVJuqimYsT2oDGDTCBgwYDVR0jBHwweoAUjeR/s8W2A5P5FSbq
opmLE9qAxg2hV6RVMFMxEzARBgNVBAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcTBVBh
cmlzMQswCQYDVQQGEwJGUjEfMB0GA1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhvcml0
eYIJAJpUB7T8zBYBMA0GCSqGSIb3DQEBBAUAA4GBAEvu9Rj1dUcQsFywseZdZcC7
9jxhHtml1naxqDp/krPG/GJiSiCypQOGjbcXlRa2NOtLU7DwZTKH3S3fw8TBIAen
7vbQFLUtzrZ07TW4wnmtBtGd7GVqAZVIoUnkldVHhHL6hGy2DM+3e8+lptx8+tb6
U/7s2V3Bm/HkQRq8+Gji
-----END CERTIFICATE-----"
..
vsr running ike#
Then, to authenticate the remote peer by certificates, the remote-auth-method must be set to certificate in the ike-policy-template used by the VPN (or overridden in the VPN ike-policy).
Finally, the CA certificates to trust for the authentication of the remote peer must be specified in the VPN remote-ca-certificate list.
The IKE id used by the remote peer must be stored in its certificate, in the subjectName or in the subjectAltNames section.
vsr running ike# vpn siteA-roadw
vsr running vpn siteA-roadw#! ike-policy
vsr running ike-policy#! template iketemp1
vsr running ike-policy#! remote-auth-method certificate
vsr running ike-policy#! ..
vsr running vpn siteA-roadw#! ipsec-policy template ipsectemp1
vsr running vpn siteA-roadw# remote-ca-certificate hq-authority
vsr running vpn siteA-roadw# ..
vsr running ike#
vsr running ike# show config
ike
(...)
vpn siteA-roadw
ike-policy
template iketemp1
remote-auth-method certificate
..
ipsec-policy
template ipsectemp1
..
remote-ca-certificate hq-authority
..
..
Manage revocation of remote peer certificates
Using certificates usually implies handling certificate revocations.
To manually add a CRL, in PEM format:
vsr running ike# certificate-authority hq-authority
vsr running certificate-authority hq-authority# crl "-----BEGIN X509 CRL-----
... MIIByjCCATMCAQEwDQYJKoZIhvcNAQEEBQAwUzETMBEGA1UEChMKNldJTkQgUy5B
... LjEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAYTAkZSMR8wHQYDVQQDExZIZWFkcXVh
... cnRlcnMgQXV0aG9yaXR5Fw0xODA5MTkxMzI2MTlaFw0xODEwMTkxMzI2MTlaMBQw
... EgIBARcNMTgwOTE5MTMyMzM0WqCBlTCBkjCBgwYDVR0jBHwweoAUjeR/s8W2A5P5
... FSbqopmLE9qAxg2hV6RVMFMxEzARBgNVBAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcT
... BVBhcmlzMQswCQYDVQQGEwJGUjEfMB0GA1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhv
... cml0eYIJAJpUB7T8zBYBMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBAUAA4GBAAtY
... 3gXNIMwMjH6rafv9wI5qrDCwOp7KNdcrZbNuV/RURJ9mle8EPJ01PJSnxPMuIuzX
... VGbgjRxagWAQLlj4bkhHiqiezThi0D5xTSmmmXEZ52oK5GVDjElWU9OZeK1vssLL
... PK9DsxuURw0RP32iv6l68qwaPdI4tR0K8wcVXPn9
... -----END X509 CRL-----"
vsr running certificate-authority hq-authority# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
certificate-authority hq-authority
certificate (...)
crl "-----BEGIN X509 CRL-----
MIIByjCCATMCAQEwDQYJKoZIhvcNAQEEBQAwUzETMBEGA1UEChMKNldJTkQgUy5B
LjEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAYTAkZSMR8wHQYDVQQDExZIZWFkcXVh
cnRlcnMgQXV0aG9yaXR5Fw0xODA5MTkxMzI2MTlaFw0xODEwMTkxMzI2MTlaMBQw
EgIBARcNMTgwOTE5MTMyMzM0WqCBlTCBkjCBgwYDVR0jBHwweoAUjeR/s8W2A5P5
FSbqopmLE9qAxg2hV6RVMFMxEzARBgNVBAoTCjZXSU5EIFMuQS4xDjAMBgNVBAcT
BVBhcmlzMQswCQYDVQQGEwJGUjEfMB0GA1UEAxMWSGVhZHF1YXJ0ZXJzIEF1dGhv
cml0eYIJAJpUB7T8zBYBMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBAUAA4GBAAtY
3gXNIMwMjH6rafv9wI5qrDCwOp7KNdcrZbNuV/RURJ9mle8EPJ01PJSnxPMuIuzX
VGbgjRxagWAQLlj4bkhHiqiezThi0D5xTSmmmXEZ52oK5GVDjElWU9OZeK1vssLL
PK9DsxuURw0RP32iv6l68qwaPdI4tR0K8wcVXPn9
-----END X509 CRL-----"
..
..
To add a CRL distribution point, specify the LDAP or HTTP URI. CRLs must be encoded in DER binary format on the distribution server.
vsr running ike# certificate-authority hq-authority
vsr running certificate-authority hq-authority# crl-uri ldap://hq-authority.6wind.net
vsr running certificate-authority hq-authority# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
certificate-authority hq-authority
certificate (...)
crl (...)
crl-uri ldap://hq-authority.6wind.net
..
..
Note
The IKE service can use certificates that exist in the local database just by providing the certificate’s name. Note also that the service refreshes those certificates whenever an update is made.
See also
Check certificates management commands for more details about how certificates are managed in the local database.
EAP authentication
EAP is typically used by a VPN concentrator accepting IKE connections, to authenticate remote clients via external methods (legacy methods such as EAP-MD5 or EAP-MSCHAPv2, mobile network methods such as EAP-SIM or EAP-AKA…). The authentication methods are usually asymmetric: the server is authenticated by pre-shared keys or a certificate, and the clients by EAP.
Local and remote peer EAP authentication
Local and remote EAP keys may be stored in a local database. They are similar to pre-shared keys, but are used by EAP authentication methods. They are configured in the eap-key list.
These keys are looked up to authenticate IKE peers if the local-auth-method or remote-auth-method is set to eap-md5 or eap-mschapv2.
vsr running ike# eap-key user1key
vsr running eap-key user1key#! id user1@6wind.com
vsr running eap-key user1key#! secret EAPpassword1
vsr running eap-key user1key# ..
vsr running ike#
vsr running ike# show config
ike
(...)
eap-key user1key
id user1@6wind.com
secret EAPpassword1
..
Like pre-shared keys, EAP keys are assigned a name and are composed of two parts, a secret key and optional EAP identity selectors (a list of EAP identities).
The encodings and selection rules are the same as for pre-shared keys, except that the EAP ID is taken into account instead of the IKE ID.
To authenticate the local host by EAP keys, the local-auth-method must be set to the right EAP method, eap-mschapv2 or eap-md5, in the ike-policy-template used by the VPN, or overridden in the VPN ike-policy.
vsr running ike# ike-policy-template ikepsk local-auth-method eap-mschapv2
vsr running ike# vpn vpn-hq ike-policy template ikepsk
or:
vsr running ike# vpn vpn-hq ike-policy local-auth-method eap-mschapv2
Similarly, to authenticate the remote peer by EAP keys, the remote-auth-method must be set to eap-mschapv2 or eap-md5 in the ike-policy-template used by the VPN, or overridden in the VPN ike-policy.
Remote peer authentication by EAP via RADIUS
On the server side, the EAP authentication of remote peers can be delegated to one or more RADIUS servers; the IKE daemon then acts as a simple proxy.
This delegation of EAP authentication to RADIUS servers is configured by selecting eap-radius as the remote authentication method, and by declaring one or more EAP RADIUS servers in the eap-radius list.
Select eap-radius as the remote authentication method in the VPN IKE policy:
router-vm running ike# vpn mytunnel
router-vm running vpn mytunnel#! ike-policy
router-vm running ike-policy#! template basic_policy
router-vm running ike-policy#! remote-auth-method eap-radius
router-vm running ike-policy#! ..
router-vm running vpn mytunnel#! ..
router-vm running ike#!
Configure an EAP RADIUS server. The minimal parameters are the server IP address and an authentication secret.
router-vm running ike# eap-radius
router-vm running eap-radius# server server-tnr
router-vm running server server-tnr#! address 10.200.0.1
router-vm running server server-tnr#! secret testing123
router-vm running server server-tnr# ..
router-vm running eap-radius# ..
Show the EAP RADIUS server configuration:
router-vm running ike# show config eap-radius
eap-radius
nas-identifier 6WINDvsr
auth-port 1812
sockets 1
retransmit-tries 4
retransmit-timeout 2.0
retransmit-base 1.4
server server-tnr
address 10.200.0.1
secret testing123
..
..
A RADIUS server may be in a VRF different from the IKE daemon, typically in a corporate network instead of the public network. It can be specified in the server configuration:
router-vm running ike# eap-radius
router-vm running eap-radius# server server-tnr
router-vm running server server-tnr# address 10.200.0.1
router-vm running server server-tnr# vrf private
router-vm running server server-tnr# ..
router-vm running eap-radius# ..
Since RADIUS exchanges are synchronous, it is recommended to enable parallel exchanges by setting the sockets parameter: it specifies the number of concurrent requests that can be sent to a RADIUS server (each from a different local UDP port).
A common parameter exists:
router-vm running ike# eap-radius sockets 5
that can be overridden by a per-server parameter:
router-vm running ike# eap-radius server server-tnr sockets 5
IKE state
Show the IKE state:
vsr running config# vrf main
vsr running vrf main# ike
vsr running ike# show state
ike
enabled true
pre-shared-key psk-hq
id 10.125.0.2
id 10.125.0.1
secret "This is a strong password"
..
logging
daemon
default 0
..
authpriv
default disable
..
..
global-options
dos-protection
cookie-threshold 10
block-threshold 5
init-limit-half-open 0
..
threads 16
acquire-timeout 30
sa-table-size 1
sa-table-segments 1
sp-hash-ipv4 local 32 remote 32
sp-hash-ipv6 local 128 remote 128
install-routes false
routing-table 220
routing-table-prio 220
retransmit-tries 5
retransmit-timeout 4.0
retransmit-base 1.8
delete-rekeyed false
delete-rekeyed-delay 5
make-before-break false
snmp false
mobike-prefer-best-path false
..
ha
enabled false
..
vpn vpn-hq
version 2
local-address 10.125.0.1
remote-address 10.125.0.2
security-policy site2site
local-ts subnet 10.100.0.0/24
remote-ts subnet 10.200.0.0/24
action esp
mode tunnel
priority 0
..
ike-policy
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha1
dh-group modp2048
..
local-auth-method pre-shared-key
remote-auth-method pre-shared-key
keying-tries 1
unique-sa no
reauth-time 0
rekey-time 14400
dpd-delay 0s
aggressive false
udp-encap false
mobike false
..
ipsec-policy
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha1
dh-group modp2048
..
start-action trap
close-action trap
dpd-action restart
replay-window 32
rekey-time 3600
rekey-bytes 0
rekey-packets 0
encap-copy-dscp true
decap-copy-dscp false
encap-copy-df true
..
..
ike-sas
total 1
half-open 0
..
task-processing
worker-threads
total 16
idle 11
critical 4
high 0
medium 1
low 0
..
task-queues
critical 0
high 0
medium 0
low 0
scheduled 3
..
..
counters
ike-rekey-init 0
ike-rekey-resp 0
child-rekey 0
invalid 0
invalid-spi 0
ike-init-in-req 0
ike-init-in-resp 1
ike-init-out-req 1
ike-init-out-resp 0
ike-auth-in-req 0
ike-auth-in-resp 1
ike-auth-out-req 1
ike-auth-out-resp 0
create-child-in-req 0
create-child-in-resp 0
create-child-out-req 0
create-child-out-resp 0
info-in-req 0
info-in-resp 0
info-out-req 0
info-out-resp 0
..
vpn-counters name vpn-hq
ike-rekey-init 0
ike-rekey-resp 0
child-rekey 0
invalid 0
invalid-spi 0
ike-init-in-req 0
ike-init-in-resp 1
ike-init-out-req 1
ike-init-out-resp 0
ike-auth-in-req 0
ike-auth-in-resp 1
ike-auth-out-req 1
ike-auth-out-resp 0
create-child-in-req 0
create-child-in-resp 0
create-child-out-req 0
create-child-out-resp 0
info-in-req 0
info-in-resp 0
info-out-req 0
info-out-resp 0
..
ike-sa unique-id 1
name vpn-hq
version 2
state established
local-address 10.125.0.1
remote-address 10.125.0.2
local-port 500
remote-port 500
initiator-spi 6e6228d1c13daaf1
responder-spi b2f0a5217f09662a
enc-alg aes128-cbc
auth-alg hmac-sha1
prf-alg hmac-sha1
dh-group modp2048
established-time 24
rekey-time 14170
reauth-time 45567
udp-encap false
mobike false
child-sa unique-id 2
name site2site
state installed
reqid 1
protocol esp
udp-encap false
mobike false
spi-in c704d981
spi-out c3dd14b9
enc-alg aes128-cbc
auth-alg hmac-sha1
esn false
bytes-in 304
packets-in 2
bytes-out 168
packets-out 2
installed-time 24
rekey-time 3425
life-time 3936
local-ts
subnet 10.100.0.0/24
..
remote-ts
subnet 10.200.0.0/24
..
..
..
..
The state dumps:
the applied configuration,
the number of negotiated IKE SAs (ike-sas),
information about the IKE daemon internal tasks (task-processing),
global IKEv2 message counters (counters),
per VPN IKEv2 message counters (vpn-counters). Note that when the host is responder, some counters remain null because the IKE daemon cannot determine the involved VPN before the authentication is completed (invalid, invalid-spi, ike-init-in-req, ike-init-out-resp…),
the negotiated IKE SAs and their child SAs (ike-sa).
Note
Child SA traffic selectors proposed by the remote peer can include unsupported elements (such as a port range). In this case, the flag unsupported is set:
- local-ts
subnet 10.100.0.0/24 protocol 17 port 50000-54000 unsupported
Route-based VPNs¶
Security policies can be bound to SVTI interfaces to configure route-based VPNs.
SVTI interfaces handle their own SPD and SAD.
Outgoing traffic routed through an SVTI interface is submitted to a security policy lookup against the SVTI interface’s own SPD and, when a matching SP is found, encrypted using an SA from its own SAD matching the SP, or dropped if no match was found.
Incoming IPsec-encrypted traffic is first decrypted with the right SA. If the SA is bound to an SVTI interface (via an svti-id), it is then submitted to a security policy check against the SVTI interface’s own SPD. If the packet is granted access, the decrypted traffic is received via the SVTI interface.
Static SVTI interfaces¶
To bind a security policy to an SVTI interface, specify the svti-id of the interface on inbound and outbound policies:
Create SVTI interface svti100:
vsr running config# vrf main interface svti svti100
vsr running svti svti100#! svti-id 100
vsr running svti svti100# /
vsr running config#
Create IKE VPN my_vpn, with a security policy bound to svti100:
vsr running config# vrf main ike vpn my_vpn
vsr running vpn my_vpn#!
(...)
vsr running vpn my_vpn# security-policy mytunnel
vsr running security-policy mytunnel# svti-id-in 100
vsr running security-policy mytunnel# svti-id-out 100
The security policy is bound to the SVTI interface with SVTI ID 100 and link VRFID main, namely svti100.
Note
The decision to bind to an SVTI interface is made per security-policy and per direction. The configuration may differ between two security-policies and between the two directions of the same security-policy. For example:
vsr running vpn my_vpn# security-policy mytunnel1 svti-id-in 100 svti-id-out 200
vsr running vpn my_vpn# security-policy mytunnel2 svti-id-out 150
vsr running vpn my_vpn# security-policy mytunnel3
See SVTI for details about creating SVTI interfaces.
Dynamic SVTI interfaces¶
SVTI interfaces may be dynamically created and attached to IKE SAs as they are established.
To proceed, first create an SVTI template:
vsr running config# / vrf main
vsr running vrf main# interface svti-template svtitemp100
vsr running svti-template svtitemp100# mtu 1300
vsr running svti-template svtitemp100# /
vsr running config#
Then create a VPN bound to this SVTI template:
vsr running config# / vrf main ike vpn my_vpn
vsr running vpn my_vpn#!
(...)
vsr running vpn my_vpn# dynamic-svti
vsr running dynamic-svti# svti-template svtitemp100
vsr running dynamic-svti# ..
vsr running vpn my_vpn#
Note
A separate SVTI interface is created for each established IKE SA spawned from this VPN definition. All its child SAs are bound to the SVTI, for both the inbound and outbound traffic.
Routes are automatically added or deleted via the dynamically created SVTI interface as child SAs are established or torn down.
Which routes should be added is configurable in the SVTI template with the install-routes-to command.
Add routes to the IKE SA remote host virtual IPs, if any, else to the child SA remote traffic selector. This is the default behavior:
vsr running config# / vrf main
vsr running vrf main# interface svti-template svtitemp100
vsr running svti-template svtitemp100#
vsr running svti-template svtitemp100# install-routes-to vip-or-remote-ts
Add routes to the child SA remote traffic selector:
vsr running svti-template svtitemp100# install-routes-to remote-ts
Add routes to the IKE SA remote host virtual IPs, if any:
vsr running svti-template svtitemp100# install-routes-to vip
Do not add any route:
vsr running svti-template svtitemp100# install-routes-to none
See Dynamic SVTI for details about creating SVTI interface templates.
Cross-VRF with static SVTI interfaces¶
Like other tunnel interfaces, SVTI interfaces support cross-VRF encapsulation: encapsulated packets are not in the same VRF as the original packets.
To proceed, configure the SVTI interface in the VRF of the original packets and specify a link VRF equal to the VRF of the encapsulated packets.
vsr running config# vrf private interface svti svti100
vsr running svti svti100#! svti-id 100
vsr running svti svti100# link-vrf wan
vsr running svti svti100# /
vsr running config#
Then configure IKE in the link VRF.
vsr running config# vrf wan ike vpn my_vpn
vsr running vpn my_vpn#!
(...)
vsr running vpn my_vpn# security-policy mytunnel
vsr running security-policy mytunnel# svti-id-in 100
vsr running security-policy mytunnel# svti-id-out 100
vsr running security-policy mytunnel# /
vsr running config#
The SVTI interface is uniquely identified by its (svti-id, link-vrf) pair.
To show the configuration:
vsr running config# show config nodefault
vrf private
interface
svti svti100
link-vrf wan
..
..
(...)
vrf wan
ike
vpn my_vpn
(...)
security-policy mytunnel
svti-id-in 100
svti-id-out 100
(...)
Cross-VRF with dynamic SVTI interfaces¶
Dynamic SVTI interfaces also support cross-VRF encapsulation. The link-vrf of a dynamic interface is the VRF of the VPN that triggered its creation.
To proceed, configure the SVTI template in the VRF of the original packets.
vsr running vrf private# interface svti-template svtitemp100
vsr running svti-template svtitemp100# mtu 1300
vsr running svti-template svtitemp100# /
vsr running config#
Then create a VPN in the link VRF and bind it to the SVTI template, by specifying its name and VRF.
vsr running config# vrf wan ike vpn my_vpn
vsr running vpn my_vpn#!
(...)
vsr running vpn my_vpn# dynamic-svti
vsr running dynamic-svti# svti-template svtitemp100
vsr running dynamic-svti# vrf private
vsr running dynamic-svti# /
vsr running config#
To show the configuration:
vsr running config# show config nodefault
vrf private
interface
svti-template svtitemp100
mtu 1300
..
..
(...)
vrf wan
ike
vpn my_vpn
dynamic-svti
svti-template svtitemp100
vrf private
..
(...)
(...)
Note
If a VPN in VRF wan specifies an SVTI template, then no static SVTI interface may be configured with wan as its link VRF.
Use cases¶
Use case: site to site VPN¶
In this use case, two sites A and B must be interconnected via a public network. An IPsec VPN is configured between the two security gateways SecGW-A and SecGW-B.
The IP addresses of the security gateways and of the sites are well known. The peers identify themselves with a Fully Qualified Domain Name (FQDN) and authenticate via a pre-shared key.
vsr running ike# show config nodefault
ike
global-options
..
ike-policy-template iketemp1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
..
..
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
ah-proposal 1
auth-alg hmac-sha512
..
..
vpn siteA-siteB
ike-policy
template iketemp1
..
ipsec-policy
template ipsectemp1
..
local-address 192.0.2.1
remote-address 198.51.100.1
local-id secgwa.6wind.net
remote-id secgwb.6wind.net
security-policy trunk
local-ts subnet 192.168.0.0/24
remote-ts subnet 192.168.99.0/24
..
..
pre-shared-key siteb
id secgwb.6wind.net
secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
..
Use case: VPN concentrator¶
In this use case, remote users must be given access to the local site A via a public network. The traffic must be secured by IPsec VPNs between the users and the security gateway SecGW-A.
IKE negotiations are initiated by the remote users. Their public IP addresses are dynamically assigned by their access point. Each user requests the security gateway to assign it a virtual private address. The security gateway picks this virtual IP from a local pool.
The peers identify themselves with a user Fully Qualified Domain Name (user FQDN) and authenticate via pre-shared keys. Remote hosts use different VPN clients that support different cryptographic algorithms and key lengths.
vsr running ike# show config nodefault
ike
global-options
..
ike-policy-template iketemp1
ike-proposal 1
enc-alg aes256-cbc
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
..
ike-proposal 2
aead-alg aes128-gcm-128
prf-alg hmac-sha512
dh-group modp2048
..
..
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
esp-proposal 2
aead-alg aes128-gcm-128
..
ah-proposal 1
auth-alg hmac-sha512
..
..
vpn siteA-roadw
ike-policy
template iketemp1
..
ipsec-policy
template ipsectemp1
..
local-address 192.0.2.1
local-id user1.roadw.6wind.net
vip-pool user-vips
security-policy hub
local-ts subnet 192.168.0.0/24
..
..
pre-shared-key user1
id user1@6wind.net
secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
..
pre-shared-key user2
id user2@6wind.net
secret 0s3zpRt+h3g12NSaSKEx2yjY4ctak=
..
pool user-vips
address 192.168.99.0/24
subnet 172.16.0.0/12
subnet fc00:1234::/64
..
Use case: route-based VPN concentrator¶
In this use case, remote users must be given access to the local site A via a public network. The traffic must be secured by IPsec VPNs between the users and the security gateway SecGW-A. Dynamic SVTI interfaces and cross-VRF are used.
IKE negotiations are initiated by the remote users. Their public IP addresses are dynamically assigned by their access point. Each user requests the security gateway to assign it a virtual private address. The security gateway picks this virtual IP from a local pool.
The peers identify themselves with a user Fully Qualified Domain Name (user FQDN) and authenticate via pre-shared keys.
Plaintext traffic is in VRF private, while encrypted traffic is in VRF wan.
vsr running config# show config nodefault / vrf private interface
interface
physical eth1
port pci-b0s4
ipv4
address 192.168.0.1/24
..
..
svti-template svtitemp
mtu 1300
..
..
vsr running config# show config nodefault / vrf wan interface
interface
physical eth2
port pci-b0s5
ipv4
address 192.0.2.1/24
..
..
vsr running config# show config nodefault / vrf wan ike
ike
global-options
..
ike-policy-template iketemp1
ike-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha512
prf-alg hmac-sha512
dh-group modp2048
..
..
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
start-action none
close-action none
..
vpn siteA-roadw
dynamic-svti
svti-template svtitemp
vrf private
ike-policy
template iketemp1
..
ipsec-policy
template ipsectemp1
..
local-address 192.0.2.1
local-id concentrator.6wind.net
vip-pool user-vips
security-policy hub
local-ts subnet 192.168.0.0/24
..
..
pre-shared-key user1
id user1@6wind.net
secret 0seaJ31RfzHNRvUSH0oUYg7znTW0I=
..
pre-shared-key user2
id user2@6wind.net
secret 0s3zpRt+h3g12NSaSKEx2yjY4ctak=
..
pool user-vips
address 192.168.99.0/24
subnet 172.16.0.0/12
subnet fc00:1234::/64
..
After a few negotiations and tear downs:
dut-vm running config# show state vrf private interface svti
svti dsvtiABJr_bNbVbc
mtu 1300
promiscuous false
description "vpn:siteA-roadw remote-id:user3@6wind.net svti-template:svtitemp"
enabled true
svti-id 1
link-vrf wan
oper-status UNKNOWN
counters
in-octets 0
in-unicast-pkts 0
in-discards 0
in-errors 0
out-octets 0
out-unicast-pkts 0
out-discards 0
out-errors 0
..
link-interface lo
..
svti dsvtiABJsgSSWSNQ
mtu 1300
promiscuous false
description "vpn:siteA-roadw remote-id:user42@6wind.net svti-template:svtitemp"
enabled true
svti-id 3
link-vrf wan
oper-status UNKNOWN
counters
in-octets 0
in-unicast-pkts 0
in-discards 0
in-errors 0
out-octets 0
out-unicast-pkts 0
out-discards 0
out-errors 0
..
link-interface lo
..
dut-vm running config# show state vrf private routing static
static
ipv4-route 192.168.0.3/32
next-hop dsvtiABJr_bNbVbc
..
ipv4-route 192.168.0.13/32
next-hop dsvtiABJsgSSWSNQ
..
(...)
dut-vm running config# show ike ike-sa vrf wan
VPN          Local Address  Local ID                Remote Address  Remote ID         State        IKE Version  Child SA Count
siteA-roadw  192.0.2.1      concentrator.6wind.net  10.125.0.5      user3@6wind.net   established  2            1
siteA-roadw  192.0.2.1      concentrator.6wind.net  10.175.0.7      user42@6wind.net  established  2            1
Advanced configuration, performance and scalability¶
The base of the IKE control plane is the open source strongSwan distribution.
In this section we focus on parameters useful to tune the scalability and performance of IKE.
Logging¶
The IKE service is liable to issue many log messages. The verbosity of these logs is configurable per subsystem.
Messages issued by the IKE service are classified in 5 levels:
0 | Very basic auditing logs (e.g. SA up/SA down)
1 | Generic control flow with errors, a good default to see what's going on
2 | More detailed debugging control flow
3 | Including RAW data dumps in hex
4 | Also include sensitive material in dumps, e.g. keys
Messages may be issued by the following subsystems:
asn1 | Low-level encoding/decoding (ASN.1, X.509 etc.)
child | CHILD_SA/IPsec SA processing
config | Configuration management and plugins
daemon | Main daemon setup/cleanup/signal handling
encoding | Packet encoding/decoding encryption/decryption operations
ike | IKE_SA/ISAKMP SA processing
ipsec | Libipsec library messages
job | Jobs queuing/processing and thread pool management
kernel | IPsec/Networking kernel interface
manager | IKE_SA manager, handling synchronization for IKE_SA access
network | IKE network communication
The logs may be sent to syslog facilities daemon and authpriv.
The default configuration for IKE logs is the following:
vsr running ike# show config logging
logging
daemon
default 0
..
authpriv
default disable
..
..
This configuration means that:
messages of level 0 from all subsystems are sent to syslog facility daemon,
no message from any subsystem is sent to syslog facility authpriv.
To alter this configuration, use the following command:
vsr running ike# logging FACILITY SUBSYSTEM LEVEL
Where:
FACILITY is the syslog facility (daemon or authpriv),
SUBSYSTEM is the subsystem (see IKE log subsystems), or default to specify the default log level for all subsystems,
LEVEL is the maximum log level of messages in the specified subsystem (see IKE log levels), or disable to disable all messages.
Example
The following commands modify which log messages are sent to facility authpriv:
messages up to level 2 from the ike subsystem are logged to facility authpriv,
messages up to level 1 from other subsystems are logged to facility authpriv.
vsr running ike# logging
vsr running logging# authpriv
vsr running authpriv# default 1
vsr running authpriv# ike 2
vsr running authpriv# ..
vsr running logging# ..
vsr running ike#
vsr running ike# show config logging
logging
daemon
default 0
..
authpriv
default 1
ike 2
..
..
Note
Depending on the configuration, messages may be logged twice, once in facility daemon, and a second time in facility authpriv.
According to the configuration, log messages are sent to the daemon and/or authpriv syslog facilities with the notice severity. The severity is not configurable.
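The following added example (not part of the product or its documentation) audits a logging block for levels that send raw hex dumps (3) or key material (4) to syslog, and lists the subsystems that are logged to both facilities. It assumes the `show config logging` layout shown above; the function names and SAMPLE_RISKY are constructed for the illustration.

```python
# Levels from the "IKE log levels" table: 3 adds raw hex dumps, 4 adds keys.
RAW_DUMP_LEVEL = 3
FACILITIES = ("daemon", "authpriv")
SUBSYSTEMS = ["asn1", "child", "config", "daemon", "encoding", "ike",
              "ipsec", "job", "kernel", "manager", "network"]
# Defaults stated on the page: daemon "default 0", authpriv "default disable".
PAGE_DEFAULTS = {"daemon": 0, "authpriv": None}

# Dump copied from the page's logging example.
SAMPLE_PAGE = """
logging
daemon
default 0
..
authpriv
default 1
ike 2
..
..
"""

# Constructed dump with two risky settings.
SAMPLE_RISKY = """
logging
    daemon
        default 1
        encoding 3
        ..
    authpriv
        default disable
        ike 4
        ..
    ..
"""


def parse_logging(text):
    """Return {facility: {name: level}}; level None stands for 'disable'."""
    levels = {name: {} for name in FACILITIES}
    inside, facility = False, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens == [".."]:
            # ".." closes the facility block first, then the logging block.
            if facility is not None:
                facility = None
            else:
                inside = False
        elif tokens == ["logging"]:
            inside = True
        elif len(tokens) == 1 and inside and facility is None and tokens[0] in FACILITIES:
            facility = tokens[0]
        elif len(tokens) == 2 and facility is not None:
            # Leaf line "<subsystem|default> <level|disable>". A subsystem
            # named "daemon" is a leaf because it carries a value.
            name, value = tokens
            levels[facility][name] = None if value == "disable" else int(value)
    return levels


def effective_levels(levels):
    """Resolve the level of every subsystem: its own entry, else the default."""
    result = {}
    for facility in FACILITIES:
        default = levels[facility].get("default", PAGE_DEFAULTS[facility])
        result[facility] = {s: levels[facility].get(s, default) for s in SUBSYSTEMS}
    return result


def audit(text):
    """List (facility, subsystem, level) entries that log raw dumps or keys."""
    eff = effective_levels(parse_logging(text))
    return [(f, s, eff[f][s]) for f in FACILITIES for s in SUBSYSTEMS
            if eff[f][s] is not None and eff[f][s] >= RAW_DUMP_LEVEL]


def logged_twice(text):
    """Subsystems whose messages reach both the daemon and authpriv facilities."""
    eff = effective_levels(parse_logging(text))
    return [s for s in SUBSYSTEMS if all(eff[f][s] is not None for f in FACILITIES)]


if __name__ == "__main__":
    for label, dump in (("page", SAMPLE_PAGE), ("risky", SAMPLE_RISKY)):
        print(label, "findings:", audit(dump), "logged twice:", logged_twice(dump))
```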
Extended Sequence Number (ESN)¶
As throughputs keep increasing, the 32-bit IPsec sequence number may reach its maximum value sooner than expected. The Extended Sequence Number (ESN) option (see RFC 4304) addresses this by extending the sequence number to 64 bits.
The use of ESN can be configured in each esp-proposal or ah-proposal in the ipsec-policy-template or vpn ipsec-policy. By default, ESN is disabled.
Require the use of ESN:
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1# esp-proposal 1
vsr running esp-proposal 1# esn true
vsr running esp-proposal 1# ..
vsr running ipsec-policy-template ipsectemp1# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ipsec-policy-template ipsectemp1
(...)
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
dh-group modp2048
esn true
..
..
..
vsr running ike# show config
ike
(...)
ipsec-policy-template ipsectemp1
esp-proposal 1
aead-alg aes128-gcm-128
esn true
..
..
..
Refuse the use of ESN (default behavior):
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1# esp-proposal 1
vsr running esp-proposal 1# esn false
vsr running esp-proposal 1# ..
vsr running ipsec-policy-template ipsectemp1# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
esn false
..
..
..
To specify that ESN is not mandatory but should be negotiated, specify both esn true and esn false, by order of preference:
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1# esp-proposal 1
vsr running esp-proposal 1# esn true
vsr running esp-proposal 1# esn false
vsr running esp-proposal 1# ..
vsr running ipsec-policy-template ipsectemp1# ..
vsr running ike# show config
ike
(...)
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
esn true
esn false
..
..
..
If no esn statement is specified, then ESN is disabled.
Replay window size¶
There is no guarantee that IPsec packets are received by the security gateway in the same order as they were sent. As throughputs increase, out-of-order IPsec packets may be dropped by the IPsec replay protection system if their lateness exceeds the replay window size. The size of the replay window can be increased to avoid this problem.
The replay window size option can be configured in the ipsec-policy-template (or vpn ipsec-policy):
vsr running ike# ipsec-policy-template ipsectemp1
vsr running ipsec-policy-template ipsectemp1# replay-window 4096
vsr running ipsec-policy-template ipsectemp1# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
ipsec-policy-template ipsectemp1
esp-proposal 1
enc-alg aes128-cbc
auth-alg hmac-sha256
..
replay-window 4096
..
..
replay-window is an integer number of packets, in the range 0 to 4096 packets (default 32, 0 disables replay protection).
Note that the replay window size is a local choice: it does not impact the replay window size chosen by the remote peer.
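To make the effect of the window size concrete, the added example below models a sliding-window anti-replay check in the style of RFC 4303 and runs the same constructed arrival sequence through windows of 32, 4096 and 0 packets. It is an illustrative model, not the product's IPsec stack; the class, function names and ARRIVALS are constructed.

```python
from collections import Counter


class ReplayWindow:
    """Sliding-window anti-replay check over ESP sequence numbers."""

    def __init__(self, size):
        if not 0 <= size <= 4096:
            raise ValueError("replay-window ranges from 0 to 4096 packets")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return 'ok', 'late' (left of the window) or 'replay' (already seen)."""
        if self.size == 0:
            return "ok"               # 0 disables replay protection
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1       # the whole window slid past old entries
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "late"             # cannot tell a delayed packet from a replay
        if self.bitmap & (1 << offset):
            return "replay"
        self.bitmap |= 1 << offset
        return "ok"


def replay_stats(size, arrivals):
    """Count the verdicts a window of the given size returns for the arrivals."""
    window = ReplayWindow(size)
    return dict(Counter(window.check(seq) for seq in arrivals))


# Constructed arrival order: packets 1..200, where packet 50 is delayed until
# after packet 150 (lateness 100) and packet 120 is injected a second time.
ARRIVALS = (list(range(1, 50)) + list(range(51, 151)) + [50]
            + list(range(151, 201)) + [120])

if __name__ == "__main__":
    for size in (32, 4096, 0):
        print("replay-window", size, replay_stats(size, ARRIVALS))
```

With the default window of 32, the legitimate but delayed packet 50 is dropped. With 4096 it is accepted and the duplicate of packet 120 is still identified as a replay. With 0 the duplicate is accepted.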
Virtual IP pools¶
IKEv1 and IKEv2 allow a virtual IP to be assigned during an IKE negotiation, i.e. an IKE initiator may request an additional IP address from the responder to use as inner IPsec tunnel address.
Virtual IPs are exchanged using the mode config extension in IKEv1, or using configuration payloads in IKEv2.
Additional parameters may be assigned during this exchange, such as a DNS server address, a NetBIOS server address or a DHCP server address.
To proceed, the responder maintains one or more pools of virtual IPs:
vsr running vrf main# ike
vsr running ike# pool my-pool
vsr running pool my-pool#! address 192.168.1.1-192.168.2.127
vsr running pool my-pool# dns 192.168.3.99
vsr running pool my-pool# nbns 192.168.3.99
vsr running pool my-pool# dhcp 192.168.3.100
vsr running pool my-pool# subnet 172.16.0.0/12
vsr running pool my-pool# subnet fc00:1234::/64
vsr running pool my-pool# ..
vsr running ike#
address is a list of addresses that can be assigned. Each list item can be a single address, a range of addresses or a subnet (IPv4 or IPv6).
dns is an optional list of DNS server addresses (IPv4 or IPv6).
nbns is an optional list of NetBIOS server addresses (IPv4 or IPv6).
dhcp is an optional list of DHCP server addresses (IPv4 or IPv6).
A VPN can then reference a list of pools in its configuration:
vsr running ike# vpn vpn-secgw
vsr running vpn vpn-secgw# vip-pool my-pool
vsr running vpn vpn-secgw# ..
vsr running ike#
To include this dynamically assigned address in a security policy, make sure that no remote-ts is configured, or at least that the remote-ts subnet is unset (other fields such as the protocol may still be specified):
vsr running ike# vpn vpn-secgw
vsr running vpn vpn-secgw# security-policy dynamic-vip
vsr running security-policy dynamic-vip# local-ts subnet 10.100.0.64/26
vsr running security-policy dynamic-vip# remote-ts protocol 6
vsr running security-policy dynamic-vip# ..
vsr running vpn vpn-secgw# ..
vsr running ike#
If an IKE initiator requests a virtual IP, it will be assigned one of the addresses in the vip-pool(s), and the optional attributes (dns, nbns, dhcp).
Retransmission constants¶
The IKE daemon uses an exponential backoff algorithm to calculate the timeout of packets before retransmission: the timeout grows exponentially with the number of tries, following the formula:
timeout_try = retransmit-timeout × retransmit-base^try
Where try ranges from 0 to retransmit-tries. After retransmit-tries unsuccessful retransmissions, the IKE daemon gives up the negotiation.
The retransmission constants can be configured in the global-options section:
vsr running ike# global-options
vsr running global-options# retransmit-tries 3
vsr running global-options# retransmit-timeout 3.0
vsr running global-options# retransmit-base 1.0
vsr running global-options# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
global-options
(...)
retransmit-tries 3
retransmit-timeout 3.0
retransmit-base 1.0
..
..
retransmit-tries is an integer value ranging from 0 to 100 (default 5).
retransmit-timeout is a decimal value ranging from 0.000 to 60.000 (default 4.0).
retransmit-base is a decimal value ranging from 0.000 to 10.000 (default 1.8).
For more information, see strongSwan’s IKE retransmission behavior.
Lifetime of SA acquire messages¶
By default IKE negotiations are triggered by outgoing traffic (ipsec-policy-template start-action trap).
When an outgoing packet matches a security policy that requires IPsec protection, but no suitable SA is available, an SA acquire message is raised to trigger the negotiation and a temporary IPsec SA is created in the IPsec stack.
This acquire SA prevents further acquire messages from being raised until the negotiation succeeds or the acquire SA times out.
The default lifetime of an acquire SA is 165 seconds; this matches the total retransmission time of an IKE message that would receive no answer, with default retransmission constants.
This lifetime may be adjusted in the global-options section:
vsr running ike# global-options
vsr running global-options# acquire-timeout 60
vsr running global-options# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
global-options
(...)
acquire-timeout 60
..
..
acquire-timeout is an integer number of seconds (default 165).
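The added example below (not taken from the product or from strongSwan) applies the retransmission formula and relates the resulting give-up time to acquire-timeout, covering both the retransmission constants and the acquire lifetime sections above. The function names are constructed; the value ranges and defaults are the ones stated on this page.

```python
def retransmit_schedule(tries=5, timeout=4.0, base=1.8):
    """Timeouts in seconds for try = 0..tries: timeout * base ** try."""
    if not 0 <= tries <= 100:
        raise ValueError("retransmit-tries ranges from 0 to 100")
    if not 0.0 <= timeout <= 60.0:
        raise ValueError("retransmit-timeout ranges from 0.000 to 60.000")
    if not 0.0 <= base <= 10.0:
        raise ValueError("retransmit-base ranges from 0.000 to 10.000")
    return [timeout * base ** attempt for attempt in range(tries + 1)]


def give_up_after(tries=5, timeout=4.0, base=1.8):
    """Seconds between the first transmission and the daemon giving up."""
    return sum(retransmit_schedule(tries, timeout, base))


def acquire_expiry_try(acquire_timeout, tries=5, timeout=4.0, base=1.8):
    """Try during whose wait the acquire SA expires.

    Returns None when the acquire SA outlives the whole negotiation; in that
    case no new acquire message can be raised for the remaining lifetime
    after the daemon has given up.
    """
    elapsed = 0.0
    for attempt, wait in enumerate(retransmit_schedule(tries, timeout, base)):
        elapsed += wait
        if acquire_timeout < elapsed:
            return attempt
    return None


def report(acquire_timeout, tries=5, timeout=4.0, base=1.8):
    """One-line summary for a given set of constants."""
    total = give_up_after(tries, timeout, base)
    expiry = acquire_expiry_try(acquire_timeout, tries, timeout, base)
    if expiry is None:
        tail = "acquire SA outlives the negotiation by %.1f s" % (acquire_timeout - total)
    else:
        tail = "acquire SA expires while try %d is pending" % expiry
    return "give up after %.2f s; %s" % (total, tail)


if __name__ == "__main__":
    # Default constants with the default acquire-timeout of 165 s.
    print(report(165))
    # Default constants with the acquire-timeout 60 configured above.
    print(report(60))
    # Constants configured above (3 tries, 3.0 s, base 1.0) with acquire-timeout 60.
    print(report(60, tries=3, timeout=3.0, base=1.0))
```

With default constants the daemon gives up after about 165 seconds, which is where the default acquire-timeout comes from. Lowering acquire-timeout to 60 lets the acquire SA expire while the fifth transmission is still pending, whereas the shortened constants give up after 12 seconds and leave the acquire SA in place for another 48.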
DoS protection¶
The IKE daemon provides Denial of Service (DoS) protection using cookies and aggressiveness checks.
All DoS protection mechanisms are configured in the global-options dos-protection section.
vsr running ike# global-options
vsr running global-options# dos-protection
vsr running dos-protection# cookie-threshold 12
vsr running dos-protection# block-threshold 6
vsr running dos-protection# init-limit-half-open 100
vsr running dos-protection# ..
vsr running global-options# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
global-options
(...)
dos-protection
cookie-threshold 12
block-threshold 6
init-limit-half-open 100
..
..
..
cookie-threshold is the number of half-open IKE SAs that activate the cookie mechanism. It is an integer number or the keyword always (default 10). 0 disables the cookie mechanism. always activates it whatever the number of half-open SAs.
block-threshold is the maximum number of half-open IKE SAs for a single peer IP. It is an integer number (default 5). 0 disables the limit.
init-limit-half-open sets a limit on the number of half-open IKE SAs. New connections are refused if this limit is reached. It is an integer number (default 0). 0 disables the limit.
For more details, please refer to the charon.cookie_threshold, charon.block_threshold and charon.init_limit_half_open options in strongSwan’s strongswan.conf configuration file.
IKE worker threads¶
The IKE daemon is a multi-threaded application.
The total number of threads it uses may be configured in the global-options section.
vsr running ike# global-options
vsr running global-options# show config
vsr running global-options# threads 20
vsr running global-options# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
global-options
(...)
threads 20
..
..
threads is a 32-bit integer (default 16).
For more details, please refer to the charon.threads option in strongSwan’s strongswan.conf configuration file.
IKE SA hash table parameters¶
The IKE SA hash table size can be increased to improve performance when a high number of SAs is managed by the IKE daemon. It can be split into segments to improve performance when a high number of SAs is managed by the IKE daemon on multiple cores. Each segment will get its own lock.
It can be configured in the global-options section.
vsr running ike# global-options
vsr running global-options# sa-table-size 128
vsr running global-options# sa-table-segments 16
vsr running global-options# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
global-options
(...)
sa-table-size 128
sa-table-segments 16
..
..
sa-table-size is the size of the SA hash table (default 1).
sa-table-segments is the number of segments (default 1).
For more details, please refer to the charon.ikesa_table_size option in strongSwan’s strongswan.conf configuration file and strongSwan’s IKE SA lookup tuning.
IPsec SP hash table parameters¶
The IPsec security policy database (SPD) is an ordered list of rules, the security policies (SPs), that specify what IPsec processing must be applied to packets. They are composed of a packet selector (direction, source subnet, destination subnet, protocol, port) and an action (esp, ah, pass or drop). By default, these SPs are stored in a linked list. The time to browse this list increases with the number of SPs in O(n).
When the IKE daemon establishes a child SA, it configures SPs in the IPsec stack. If the number of SPs grows, the time to add SPs grows in O(n), which slows down the negotiation rate.
When the network stack processes traffic, it looks up the IPsec policy to apply to outbound and inbound packets. If the number of SPs grows, the time to look up the right policy grows in O(n), which slows down the throughput, regardless of whether packets need IPsec processing or not.
To solve this scalability issue, the IPsec stack maintains a hash table of security policies. SPs are hashed based on the source and destination address of their selector. These addresses are subnets with variable prefix lengths, which prevents hashing on all bits of the addresses. Some SPs cannot be hashed because their selector is too wide (the address prefix lengths are too small). These un-hashed SPs are stored in the linked list.
Thresholds are defined, to select which SPs will be hashed and how many bits of address will be included in the hash key:
vsr running ike# global-options
vsr running global-options# sp-hash-ipv4 local 16 remote 24
vsr running global-options# sp-hash-ipv6 local 56 remote 64
vsr running global-options# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
global-options
(...)
sp-hash-ipv4 local 16 remote 24
sp-hash-ipv6 local 56 remote 64
..
sp-hash-ipv4 local and remote are the local and remote address minimum prefix lengths of hashed IPv4 SPs. They range from 0 to 32 (default 32).
sp-hash-ipv6 local and remote are the local and remote address minimum prefix lengths of hashed IPv6 SPs. They range from 0 to 128 (default 128).
SPs whose local and remote address prefix lengths are greater than or equal to the thresholds are hashed (which speeds up the lookup and insertion), others are simply looked up in sequence. For hashed SPs, the high order bits of the address (up to the threshold) are included in the hash key calculation.
Example:
dir out src 10.22.0.0/20 dst 10.24.1.0/24 => hashed
dir out src 10.22.0.0/16 dst 10.24.0.0/16 => unhashed
dir in src 10.24.1.1/32 dst 10.22.0.0/16 => hashed
dir out src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 => hashed
dir out src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 => unhashed
dir in src 3ffe:304:124:2401::2/128 dst 3ffe:304:124:2200::/56 => hashed
Hash thresholds not only determine which policies will be hashed, but also the number of bits of the local and remote address that will be used to calculate the hash key. Big thresholds mean potentially fewer hashed policies, but better distribution in the hash table, and vice versa.
A good trade off must be found depending on the prefix lengths used in the SPD.
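The added example below (not the product's IPsec stack) applies the threshold rule to the selectors listed above and shows the trade-off on a constructed SPD of 256 host-to-host policies. The mapping of src/dst to local/remote per direction is inferred from the page's example, the key layout is an assumption for illustration, and the function names and HOST_SPD are constructed.

```python
import ipaddress

# Thresholds from the page: {IP version: (local, remote)}.
PAGE_THRESHOLDS = {4: (16, 24), 6: (56, 64)}        # configured in the example
DEFAULT_THRESHOLDS = {4: (32, 32), 6: (128, 128)}   # documented defaults

# Selectors and verdicts copied from the page's example.
PAGE_EXAMPLE = """\
dir out src 10.22.0.0/20 dst 10.24.1.0/24 => hashed
dir out src 10.22.0.0/16 dst 10.24.0.0/16 => unhashed
dir in src 10.24.1.1/32 dst 10.22.0.0/16 => hashed
dir out src 3ffe:304:124:2200::/60 dst 3ffe:304:124:2401::/64 => hashed
dir out src 3ffe:304:124:2200::/56 dst 3ffe:304:124:2400::/56 => unhashed
dir in src 3ffe:304:124:2401::2/128 dst 3ffe:304:124:2200::/56 => hashed
"""

# Constructed SPD: 256 outbound host-to-host policies.
HOST_SPD = ["dir out src 10.22.0.%d/32 dst 10.24.1.%d/32" % (i, i) for i in range(256)]


def parse_sp(line):
    """Parse 'dir <in|out> src <net> dst <net> [=> verdict]'.

    Returns (local, remote, verdict). For outbound SPs the source is the
    local side, for inbound SPs it is the remote side.
    """
    tokens = line.split()
    fields = dict(zip(tokens[0::2], tokens[1::2]))
    src = ipaddress.ip_network(fields["src"], strict=False)
    dst = ipaddress.ip_network(fields["dst"], strict=False)
    if fields["dir"] == "out":
        local, remote = src, dst
    elif fields["dir"] == "in":
        local, remote = dst, src
    else:
        raise ValueError("unsupported direction: %s" % fields["dir"])
    return local, remote, fields.get("=>")


def top_bits(net, bits):
    """High-order `bits` bits of the network address, as an integer."""
    return int(net.network_address) >> (net.max_prefixlen - bits)


def hash_key(local, remote, thresholds):
    """Key built from the address bits up to the thresholds, or None if the
    selector is wider than a threshold (the SP stays in the linked list)."""
    local_thr, remote_thr = thresholds[local.version]
    if local.prefixlen < local_thr or remote.prefixlen < remote_thr:
        return None
    return (local.version, top_bits(local, local_thr), top_bits(remote, remote_thr))


def classify(line, thresholds):
    local, remote, _ = parse_sp(line)
    return "hashed" if hash_key(local, remote, thresholds) is not None else "unhashed"


def spd_stats(lines, thresholds):
    """Return (hashed SPs, unhashed SPs, distinct hash keys)."""
    keys = [hash_key(*parse_sp(line)[:2], thresholds) for line in lines]
    hashed = [key for key in keys if key is not None]
    return len(hashed), len(keys) - len(hashed), len(set(hashed))


if __name__ == "__main__":
    for line in PAGE_EXAMPLE.splitlines():
        print(classify(line, PAGE_THRESHOLDS), "<-", line)
    print("16/24 thresholds:", spd_stats(HOST_SPD, PAGE_THRESHOLDS))
    print("32/32 thresholds:", spd_stats(HOST_SPD, DEFAULT_THRESHOLDS))
```

On the constructed SPD, thresholds 16/24 hash all 256 policies but give them the same key, while 32/32 yields 256 distinct keys. Conversely, with 32/32 none of the six selectors from the page's example is hashed.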
Reverse route injection¶
Routes can be inserted into a separate routing table for established IPsec tunnels. This allows routes to the remote network discovered during an IKE negotiation to be injected.
vsr running ike# global-options
vsr running global-options# install-routes true
vsr running global-options# routing-table 230
vsr running global-options# routing-table-prio 230
vsr running global-options# ..
vsr running ike#
vsr running ike# show config nodefault
ike
(...)
global-options
(...)
install-routes true
routing-table 230
routing-table-prio 230
..
install-routes activates or deactivates route installation (default false).
routing-table is the number of the routing table in which routes will be injected (default 220).
routing-table-prio is the priority of the Policy-Based Routing (PBR) rule that requests to lookup in the routing table (default 220).
IKEv2 Mobility and Multihoming Protocol (MOBIKE)¶
MOBIKE (RFC 4555) allows the IP addresses associated with IKEv2 and tunnel mode IPsec Security Associations to change. A mobile Virtual Private Network (VPN) client could use MOBIKE to keep the connection with the VPN gateway active while moving from one address to another. Similarly, a multihomed host could use MOBIKE to move the traffic to a different interface if, for instance, the one currently being used stops working.
MOBIKE can be enabled in the IKE policy template:
vsr running config# / vrf main ike
vsr running ike# ike-policy-template my_policy_tmpl
vsr running ike-policy-template my_policy_tmpl# mobike true
Alternatively, it can be enabled in the vpn ike policy:
vsr running config# / vrf main ike vpn my_vpn
vsr running vpn my_vpn#! ike-policy template my_policy_tmpl
vsr running vpn my_vpn#! ipsec-policy template my_ipsec_tmpl
vsr running vpn my_vpn# ike-policy mobike true
By default, when MOBIKE is enabled, the SA addresses are not modified if the routing path is still usable. Enabling mobike-prefer-best-path in global options dynamically changes this behavior: on routing change, if a cheaper path exists, the SA will be updated dynamically.
To enable the mobike-prefer-best-path option:
vsr running ike# global-options
vsr running global-options# mobike-prefer-best-path true
See also
The command reference.