
Multitask Example: Configuring IPsec Services

The following example-based instructions show how to configure IPsec services. The configuration involves defining an IKE policy, an IPsec policy, IPsec rules, trace options, and service sets.

This topic includes the following tasks:

  1. Configuring the IKE Proposal
  2. Configuring the IKE Policy (and Referencing the IKE Proposal)
  3. Configuring the IPsec Proposal
  4. Configuring the IPsec Policy (and Referencing the IPsec Proposal)
  5. Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies)
  6. Configuring IPsec Trace Options
  7. Configuring the Access Profile (and Referencing the IKE and IPsec Policies)
  8. Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule)

Configuring the IKE Proposal

The IKE proposal defines the authentication method, the Diffie-Hellman group, and the authentication and encryption algorithms used to establish the IKE security association with the peer security gateway. For more information about IKE proposals, see Configuring IKE Proposals.

To define the IKE proposal:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit services ipsec-vpn
  2. Configure the authentication method, which is pre-shared keys in this example:
    [edit services ipsec-vpn]user@host# set ike proposal test-IKE-proposal authentication-method pre-shared-keys
  3. Configure the Diffie-Hellman group, which is group1 in this example:
    [edit services ipsec-vpn]user@host# set ike proposal test-IKE-proposal dh-group group1
  4. Configure the authentication algorithm, which is sha1 in this example:
    [edit services ipsec-vpn]user@host# set ike proposal test-IKE-proposal authentication-algorithm sha1
  5. Configure the encryption algorithm, which is aes-256-cbc in this example:
    [edit services ipsec-vpn]user@host# set ike proposal test-IKE-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IKE proposal. The group1 and sha1 values illustrate the syntax only: group1 is a 768-bit MODP group and SHA-1 is being phased out of IKE deployments, so a production proposal should use the strongest group and hash that both peers and the release support (for example, group14 and sha-256 where they are offered).

[edit services ipsec-vpn]
user@host# show ike 
proposal test-IKE-proposal {
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
}

Configuring the IKE Policy (and Referencing the IKE Proposal)

The IKE policy configuration defines the proposal, mode, addresses, and other security parameters used during IKE negotiation. For more information about IKE policies, see Configuring IKE Policies.

To define the IKE policy and reference the IKE proposal:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit services ipsec-vpn
  2. Configure the IKE phase 1 mode, which is main in this example (main mode protects the peer identities during negotiation and is preferred over aggressive mode when pre-shared keys are used):
    [edit services ipsec-vpn]user@host# set ike policy test-IKE-policy mode main
  3. Configure the proposal, which is test-IKE-proposal in this example:
    [edit services ipsec-vpn]user@host# set ike policy test-IKE-policy proposals test-IKE-proposal
  4. Configure the local identification with an IPv4 address—for example, 192.168.255.2:
    [edit services ipsec-vpn]user@host# set ike policy test-IKE-policy local-id ipv4_addr 192.168.255.2
  5. Configure the pre-shared key in ASCII text format, which is TEST in this example (a placeholder; a real gateway needs a long random key, and the committed configuration displays it in encrypted $9$ form):
    [edit services ipsec-vpn]user@host# set ike policy test-IKE-policy pre-shared-key ascii-text TEST

The following sample output shows the configuration of the IKE policy:

[edit services ipsec-vpn]
user@host# show ike 
policy test-IKE-policy {
    mode main;
    proposals test-IKE-proposal;
    local-id ipv4_addr 192.168.255.2;
    pre-shared-key ascii-text TEST;
}

Configuring the IPsec Proposal

The IPsec proposal configuration defines the protocols and algorithms (security services) that are required to negotiate with the remote IPsec peer. For more information about IPsec proposals, see Configuring IPsec Proposals.

To define the IPsec proposal:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit services ipsec-vpn
  2. Configure the IPsec protocol for the proposal—for example, esp:
    [edit services ipsec-vpn]user@host# set ipsec proposal test-IPsec-proposal protocol esp
  3. Configure the authentication algorithm for the proposal, which is hmac-sha1-96 in this example:
    [edit services ipsec-vpn]user@host# set ipsec proposal test-IPsec-proposal authentication-algorithm hmac-sha1-96
  4. Configure the encryption algorithm for the proposal, which is aes-256-cbc in this example:
    [edit services ipsec-vpn]user@host# set ipsec proposal test-IPsec-proposal encryption-algorithm aes-256-cbc

The following sample output shows the configuration of the IPsec proposal:

[edit services ipsec-vpn]
user@host# show ipsec 
proposal test-IPsec-proposal {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
}

Configuring the IPsec Policy (and Referencing the IPsec Proposal)

The IPsec policy groups the security parameters used during IPsec negotiation: whether perfect forward secrecy (PFS) is used, with which Diffie-Hellman group, and which IPsec proposals are offered for the connection. For more information about IPsec policies, see Configuring IPsec Policies.

To define the IPsec policy and reference the IPsec proposal:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit services ipsec-vpn
  2. Configure the Diffie-Hellman group used for perfect forward secrecy, which is group1 in this example:
    [edit services ipsec-vpn]user@host# set ipsec policy test-IPsec-policy perfect-forward-secrecy keys group1
  3. Configure a set of IPsec proposals in the IPsec policy—for example, test-IPsec-proposal:
    [edit services ipsec-vpn]user@host# set ipsec policy test-IPsec-policy proposals test-IPsec-proposal

The following sample output shows the configuration of the IPsec policy:

[edit services ipsec-vpn]
user@host# show ipsec policy test-IPsec-policy 
perfect-forward-secrecy {
    keys group1;
}
proposals test-IPsec-proposal;

Configuring the IPsec Rule (and Referencing the IKE and IPsec Policies)

The IPsec rule specifies a match direction (whether the rule is applied to traffic entering or leaving the service interface) and a set of terms. Each term gives the match conditions (addresses and applications that are included or excluded) and the actions and action modifiers the router software applies to matching traffic. For more information about IPsec rules, see Configuring IPsec Rules.

To define the IPsec rule and reference the IKE and IPsec policies:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit services ipsec-vpn
  2. Configure the IP destination address for the IPsec term in the IPsec rule—for example, 192.168.255.2/32:
    [edit services ipsec-vpn]user@host# set rule test-IPsec-rule term 10 from destination-address 192.168.255.2/32
  3. Configure the remote gateway address for the term, which is 0.0.0.0 in this example (no fixed peer address, because the peers are dynamic and are admitted through the IKE access profile configured later in this topic):
    [edit services ipsec-vpn]user@host# set rule test-IPsec-rule term 10 then remote-gateway 0.0.0.0
  4. Configure a dynamic security association for IKE policy for the IPsec term in the IPsec rule, which is test-IKE-policy in this example:
    [edit services ipsec-vpn]user@host# set rule test-IPsec-rule term 10 then dynamic ike-policy test-IKE-policy
  5. Configure the dynamic security association to use an IPsec policy, which is test-IPsec-policy in this example:
    [edit services ipsec-vpn]user@host# set rule test-IPsec-rule term 10 then dynamic ipsec-policy test-IPsec-policy
  6. Configure the direction in which the rule is applied, which is input in this example:
    [edit services ipsec-vpn]user@host# set rule test-IPsec-rule match-direction input

The following sample output shows the configuration of the IPsec rule:

[edit services ipsec-vpn]
user@host# show rule test-IPsec-rule  
term 10 {
    from {
        destination-address {
            192.168.255.2/32;
        }
    }
    then {
        remote-gateway 0.0.0.0;
        dynamic {
            ike-policy test-IKE-policy;
            ipsec-policy test-IPsec-policy;
        }
    }
}
match-direction input;

Configuring IPsec Trace Options

The IPsec trace options configuration records IPsec events in a log file in the /var/log directory; by default the file is named /var/log/kmd. For more information about IPsec trace options, see Tracing IPsec Operations.

To define the IPsec trace options:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit services ipsec-vpn
  2. Configure the trace file, which is ipsec.log in this example:
    [edit services ipsec-vpn]user@host# set traceoptions file ipsec.log
  3. Enable all trace flags, which is flag all in this example (verbose; narrow the flags once the tunnel is up):
    [edit services ipsec-vpn]user@host# set traceoptions flag all

The following sample output shows the configuration of the IPsec trace options:

[edit services ipsec-vpn]
user@host# show traceoptions 
file ipsec.log;
flag all;

Configuring the Access Profile (and Referencing the IKE and IPsec Policies)

The access profile defines the IKE parameters for dynamic peers and references the IKE and IPsec policies. For more information about access profiles, see Configuring an IKE Access Profile.

To define the access profile and reference the IKE and IPsec policies:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit access
  2. Configure the allowed local and remote proxy identity pair. In this example, 10.0.0.0/24 is the local proxy identity and 10.0.1.0/24 is the remote proxy identity:
    [edit access]user@host# set profile IKE-profile-TEST client * ike allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24
  3. Configure the IKE policy—for example, test-IKE-policy:
    [edit access]user@host# set profile IKE-profile-TEST client * ike ike-policy test-IKE-policy
  4. Configure the IPsec policy—for example, test-IPsec-policy:
    [edit access]user@host# set profile IKE-profile-TEST client * ike ipsec-policy test-IPsec-policy
  5. Configure the interface identifier for the pool of logical service interfaces, which is TEST-intf in this example:
    [edit access]user@host# set profile IKE-profile-TEST client * ike interface-id TEST-intf

The following sample output shows the configuration of the access profile:

[edit access]
user@host# show 
profile IKE-profile-TEST {
    client * {
        ike {
            allowed-proxy-pair local 10.0.0.0/24 remote 10.0.1.0/24;
            ike-policy test-IKE-policy;
            ipsec-policy test-IPsec-policy;
            interface-id TEST-intf;
        }
    }
}

Configuring the Service Set (and Referencing the IKE Profile and the IPsec Rule)

The service set ties the pieces together: it defines the next-hop service interfaces, the local gateway address, the IKE access profile used for dynamic peers, and the IPsec rule to apply. For more information about IPsec service sets, see Configuring IPsec Service Sets.

To define the next-hop service set with its IPsec VPN options:

  1. In configuration mode, go to the following hierarchy level:
    user@host# edit services
  2. Configure the inside next-hop service interface, which is sp-1/2/0.1 in this example:
    [edit services]user@host# set service-set TEST next-hop-service inside-service-interface sp-1/2/0.1
  3. Configure the outside next-hop service interface, which is sp-1/2/0.2 in this example:
    [edit services]user@host# set service-set TEST next-hop-service outside-service-interface sp-1/2/0.2
  4. Configure the local gateway address in the IPsec VPN options, which is 192.168.255.2 in this example (the same address used as the local-id in the IKE policy):
    [edit services]user@host# set service-set TEST ipsec-vpn-options local-gateway 192.168.255.2
  5. Configure the IKE access profile for dynamic peers in the IPsec VPN options, which is IKE-profile-TEST in this example:
    [edit services]user@host# set service-set TEST ipsec-vpn-options ike-access-profile IKE-profile-TEST
  6. Configure the IPsec VPN rule for the service set, which is test-IPsec-rule in this example:
    [edit services]user@host# set service-set TEST ipsec-vpn-rules test-IPsec-rule

The following sample output shows the service set referencing the IKE profile and the IPsec rule:

[edit services]
user@host# show service-set TEST 
next-hop-service {
    inside-service-interface sp-1/2/0.1;
    outside-service-interface sp-1/2/0.2;
}
ipsec-vpn-options {
    local-gateway 192.168.255.2;
    ike-access-profile IKE-profile-TEST;
}
ipsec-vpn-rules test-IPsec-rule;
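Taken together, the IKE proposal, IKE policy, IPsec proposal and IPsec policy above fix the cryptographic strength of every tunnel this service set terminates, and the values used to illustrate the syntax (group1, sha1, hmac-sha1-96, a four-character pre-shared key) are not ones to commit on a production gateway. The following Python script is an added example and is not Juniper code: it parses the curly-brace `show` output into nested dictionaries, walks the result and flags those statements with their configuration path, then re-runs against a hardened copy. The sample configuration is constructed from the output shown in this topic; the hardened keywords (group14, sha-256, hmac-sha-256-128), the 20-character pre-shared key threshold and the replacement key are assumptions to be checked against the CLI of the release in use.

```python
from typing import Any, Dict, List

# Constructed sample: the IKE and IPsec statements as the procedure above builds them.
SAMPLE_CONFIG = """\
ike {
    proposal test-IKE-proposal {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
    }
    policy test-IKE-policy {
        mode main;
        proposals test-IKE-proposal;
        local-id ipv4_addr 192.168.255.2;
        pre-shared-key ascii-text TEST;
    }
}
ipsec {
    proposal test-IPsec-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
    }
    policy test-IPsec-policy {
        perfect-forward-secrecy {
            keys group1;
        }
        proposals test-IPsec-proposal;
    }
}
"""

# Hardened counterpart; group14, sha-256 and hmac-sha-256-128 are assumed keywords.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("group1", "group14")
    .replace("authentication-algorithm sha1", "authentication-algorithm sha-256")
    .replace("hmac-sha1-96", "hmac-sha-256-128")
    .replace("ascii-text TEST", "ascii-text Xq7vL2mN9pR4sT8wZ1kB6hF3")
)

def parse_junos(text: str) -> Dict[str, Any]:
    """Parse Junos curly-brace output into nested dicts: a block header becomes a
    key holding a dict; a leaf maps its first word to the rest of the line (or None)."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            block: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) > 1 else None
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root

WEAK_DH = {"group1", "group2"}  # 768- and 1024-bit MODP groups
WEAK_HASH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_CIPHER = {"des-cbc", "3des-cbc"}
MIN_PSK_LEN = 20  # assumed local policy for ascii-text keys

def audit(config: Dict[str, Any]) -> List[str]:
    """Return one finding per weak statement, prefixed with its path in the config."""
    findings: List[str] = []
    def walk(node: Dict[str, Any], path: List[str]) -> None:
        for key, value in node.items():
            here = path + [key]
            if isinstance(value, dict):
                walk(value, here)
                continue
            where = " > ".join(here)
            if key in ("dh-group", "keys") and value in WEAK_DH:  # "keys" is the PFS group
                findings.append(f"{where} {value}: short MODP group, use group14 or larger")
            elif key == "authentication-algorithm" and value in WEAK_HASH:
                findings.append(f"{where} {value}: MD5/SHA-1 integrity, prefer a SHA-2 variant")
            elif key == "encryption-algorithm" and value in WEAK_CIPHER:
                findings.append(f"{where} {value}: DES/3DES cipher, prefer AES")
            elif key == "pre-shared-key" and value:
                fmt, _, secret = value.partition(" ")
                secret = secret.strip('"')  # committed configs show a quoted $9$ form, not sizeable
                if fmt == "ascii-text" and not secret.startswith("$9$") and len(secret) < MIN_PSK_LEN:
                    findings.append(f"{where}: {len(secret)}-char ASCII PSK, use >= {MIN_PSK_LEN} random chars")
    walk(config, [])
    return findings

if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_junos(text)))
```

Run it against the text of `show services ipsec-vpn` captured from the device rather than the sample. The parser only needs balanced braces and semicolon-terminated leaves, so it also accepts the `## SECRET-DATA` annotations and quoted `$9$` keys a committed configuration shows, and it skips sizing a key it cannot see in clear. A clean audit does not replace confirming that the negotiated SAs actually use the intended algorithms after commit.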

Published: 2013-08-29