Considering General IPSec Issues
Before you configure IPSec, it is helpful to understand some general guidelines.
- IPv4 and IPv6 traffic and tunnels—You can configure IPSec tunnels to carry traffic in the following ways: IPv4 traffic traveling over IPv4 IPSec tunnels, IPv6 traffic traveling over IPv4 IPSec tunnels, IPv4 traffic traveling over IPv6 IPSec tunnels, and IPv6 traffic traveling over IPv6 IPSec tunnels.
- Configuration syntax differences between the AS and MultiServices PICs and the ES PIC—There are slight differences in the configuration statements and operational mode commands that are used with the PICs that support IPSec. As a result, the syntax for the AS and MultiServices PICs cannot be used interchangeably with the syntax for the ES PIC. However, the syntax for one type of PIC can be converted to its equivalent syntax on the other PIC for interoperability. The differences are highlighted in Table 1.
- Configuring keys for authentication and encryption—When preshared keys are required for authentication or encryption, you must use the guidelines shown in Table 2 to implement the correct key size.
- Rejection of weak and semiweak keys—The DES and 3DES encryption algorithms will reject weak and semiweak keys. As a result, do not create and use keys that contain the patterns listed in Table 3.
Table 1: Comparison of IPSec Configuration Statements and Operational Mode Commands for the AS and MultiServices PICs and ES PIC
AS and MultiServices PICs Statements and Commands | ES PIC Statements and Commands |
---|---|
Configuration Mode Statements | |
[edit service-set name] | – |
[edit services ipsec-vpn ike] | [edit security ike] |
[edit services ipsec-vpn ipsec] | [edit security ipsec] |
[edit services ipsec-vpn rule rule-name] | [edit interfaces es-fpc/pic/port] |
[edit services ipsec-vpn rule rule-name term term-name] | [edit security ipsec] |
[edit services ipsec-vpn rule-set] | – |
[edit services service-set ipsec-vpn] | [edit interfaces es-fpc/pic/port] |
Operational Mode Commands | |
clear security pki ca-certificate | – |
clear security pki certificate-request | – |
clear security pki local-certificate | – |
clear services ipsec-vpn certificates | – |
request security pki ca-certificate enroll | request security certificate (unsigned) |
request security pki ca-certificate load | request system certificate add |
request security pki generate-certificate-request | – |
request security pki generate-key-pair | request security key-pair |
request security pki local-certificate enroll | request security certificate (signed) |
request security pki local-certificate load | request system certificate add |
show security pki ca-certificate | show system certificate |
show security pki certificate-request | – |
show security pki crl | – |
show security pki local-certificate | show system certificate |
show services ipsec-vpn certificates | show ipsec certificates |
show services ipsec-vpn ike security-associations | show ike security-associations |
show services ipsec-vpn ipsec security-associations | show ipsec security-associations |
Table 2: Authentication and Encryption Key Lengths
Algorithm | Number of Hexadecimal Characters | Number of ASCII Characters |
---|---|---|
Authentication | | |
HMAC-MD5-96 | 32 | 16 |
HMAC-SHA1-96 | 40 | 20 |
Encryption | | |
AES-128-CBC | 32 | 16 |
AES-192-CBC | 48 | 24 |
AES-256-CBC | 64 | 32 |
DES-CBC | 16 | 8 |
3DES-CBC | 48 | 24 |
Table 3: Weak and Semiweak Keys
Weak Keys | |||
---|---|---|---|
0101 | 0101 | 0101 | 0101 |
1F1F | 1F1F | 1F1F | 1F1F |
E0E0 | E0E0 | E0E0 | E0E0 |
FEFE | FEFE | FEFE | FEFE |
Semiweak Keys | |||
01FE | 01FE | 01FE | 01FE |
1FE0 | 1FE0 | 0EF1 | 0EF1 |
01E0 | 01E0 | 01F1 | 01F1 |
1FFE | 1FFE | 0EFE | 0EFE |
011F | 011F | 010E | 010E |
E0FE | E0FE | F1FE | F1FE |
FE01 | FE01 | FE01 | FE01 |
E01F | E01F | F10E | F10E |
E001 | E001 | F101 | F101 |
FEF1 | FEF1 | FE0E | FE0E |
1F01 | 1F01 | 0E01 | 0E01 |
FEE0 | FEE0 | FEF1 | FEF1 |
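As an added example (not part of the Juniper documentation or Junos itself), the following Python check applies the key lengths of Table 2 and the DES weak and semiweak patterns of Table 3 to a candidate preshared key before it is committed to a configuration. The algorithm names, the `check_key` function and the hex/ASCII encoding labels are assumptions of this example; Table 3 values are compared as exact 64-bit keys with parity bits included, and 3DES keys are tested one 8-byte subkey at a time.

```python
# Added example, not Junos code: checks a preshared key against Table 2
# (key lengths) and Table 3 (DES weak/semiweak keys). Names are assumed.

# Table 2: algorithm -> (hexadecimal characters, ASCII characters)
KEY_LENGTHS = {
    "hmac-md5-96": (32, 16), "hmac-sha1-96": (40, 20),
    "aes-128-cbc": (32, 16), "aes-192-cbc": (48, 24), "aes-256-cbc": (64, 32),
    "des-cbc": (16, 8), "3des-cbc": (48, 24),
}

# Table 3: 64-bit DES keys as upper-case hex, parity bits included
DES_WEAK_KEYS = {
    "0101010101010101", "1F1F1F1F1F1F1F1F",
    "E0E0E0E0E0E0E0E0", "FEFEFEFEFEFEFEFE",
}
DES_SEMIWEAK_KEYS = {
    "01FE01FE01FE01FE", "1FE01FE00EF10EF1", "01E001E001F101F1",
    "1FFE1FFE0EFE0EFE", "011F011F010E010E", "E0FEE0FEF1FEF1FE",
    "FE01FE01FE01FE01", "E01FE01FF10EF10E", "E001E001F101F101",
    "FEF1FEF1FE0EFE0E", "1F011F010E010E01", "FEE0FEE0FEF1FEF1",
}


def check_key(algorithm, key, encoding):
    """Return a list of problems; an empty list means the key passes."""
    algo = algorithm.lower()
    if algo not in KEY_LENGTHS:
        return [f"unknown algorithm: {algorithm}"]
    if encoding not in ("hex", "ascii"):
        return ["encoding must be 'hex' or 'ascii'"]
    hex_len, ascii_len = KEY_LENGTHS[algo]
    if encoding == "hex":
        if len(key) != hex_len or not set(key) <= set("0123456789abcdefABCDEF"):
            return [f"{algorithm}: need {hex_len} hexadecimal characters, got {len(key)}"]
        raw = bytes.fromhex(key)
    else:
        if len(key) != ascii_len or not key.isascii():
            return [f"{algorithm}: need {ascii_len} ASCII characters, got {len(key)}"]
        raw = key.encode("ascii")
    problems = []
    if algo in ("des-cbc", "3des-cbc"):
        # 3DES is three independent DES subkeys; test each 8-byte block
        for i in range(0, len(raw), 8):
            sub = raw[i:i + 8].hex().upper()
            if sub in DES_WEAK_KEYS:
                problems.append(f"subkey {i // 8 + 1} ({sub}) is a DES weak key")
            elif sub in DES_SEMIWEAK_KEYS:
                problems.append(f"subkey {i // 8 + 1} ({sub}) is a DES semiweak key")
    return problems
```

Run the check against every key in a candidate configuration; a non-empty list explains why the PIC would reject the key or why the key size is wrong for the chosen algorithm.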
Keep in mind the following limitations of IPSec services on the AS PIC:
- The AS PIC does not transport packets containing IPv4 options across IPSec tunnels. If you try to send packets containing IP options across an IPSec tunnel, the packets are dropped. Also, if you issue a ping command with the record-route option across an IPSec tunnel, the ping command fails.
- The AS PIC does not transport packets containing the following IPv6 options across IPSec tunnels: hop-by-hop, destination (Type 1 and 2), and routing. If you try to send packets containing these IPv6 options across an IPSec tunnel, the packets are dropped.
- Destination class usage is not supported with IPSec services on the AS PIC.