Considering General IPSec Issues

Before you configure IPSec, it is helpful to understand some general guidelines.

• IPv4 and IPv6 traffic and tunnels—You can configure IPSec tunnels to carry traffic in the following ways: IPv4 traffic traveling over IPv4 IPSec tunnels, IPv6 traffic traveling over IPv4 IPSec tunnels, IPv4 traffic traveling over IPv6 IPSec tunnels, and IPv6 traffic traveling over IPv6 IPSec tunnels.
• Configuration syntax differences between the AS PIC and the ES PIC—There are slight differences in the configuration statements and operational mode commands that are used with the PICs that support IPSec. As a result, the syntax for the AS PIC cannot be used interchangeably with the syntax for the ES PIC. However, the syntax for one PIC can be converted to its equivalent syntax on the other PIC for interoperability. The differences are highlighted in Table 38.

Table 38: Comparison of IPSec Configuration Statements and
Operational Mode Commands for the AS PIC and ES PIC

AS PIC Statements and Commands	ES PIC Statements and Commands
Configuration Mode Statements
[edit service-set name]	—
[edit services ipsec-vpn ike] policy {...} proposal {...}	[edit security ike] policy {...} proposal {...}
[edit services ipsec-vpn ipsec] policy {...} proposal {...}	[edit security ipsec] policy {...} proposal {...}
[edit services ipsec-vpn rule rule-name] remote-gateway address	[edit interface es-fpc/pic/port] tunnel destination address
[edit services ipsec-vpn rule rule-name term term-name] from match-conditions {...} then dynamic {...} from match-conditions {...} then manual {...}	[edit security ipsec] security-association name dynamic {...} security-association name manual {...}
[edit services ipsec-vpn rule-set]	—
[edit services service-set ipsec-vpn] local-gateway address	[edit interface es-fpc/pic/port] tunnel source address
Operational Mode Commands
clear security pki ca-certificate	—
clear security pki certificate-request	—
clear security pki local-certificate	—
clear services ipsec-vpn certificates	—
request security pki ca-certificate enroll	request security certificate (unsigned)
request security pki ca-certificate load	request system certificate add
request security pki generate-certificate-request	—
request security pki generate-key-pair	request security key-pair
request security pki local-certificate enroll	request security certificate (signed)
request security pki local-certificate load	request system certificate add
show security pki ca-certificate	show system certificate
show security pki certificate-request	—
show security pki local-certificate	show system certificate
show services ipsec-vpn certificates	show ipsec certificates
show services ipsec-vpn ike security-associations	show ike security-associations
show services ipsec-vpn ipsec security-associations	show ipsec security-associations

NOTE: Keep in mind the following limitations of IPSec services on the AS PIC: The AS PIC does not transport packets containing IPv4 options across IPSec tunnels. If you try to send packets containing IP options across an IPSec tunnel, the packets are dropped. Also, if you issue a ping command with the record-route option across an IPSec tunnel, the ping fails. The AS PIC does not transport packets containing the following IPv6 options across IPSec tunnels: hop-by-hop, destination (Type 1 and 2), and routing. If you try to send packets containing these IPv6 options across an IPSec tunnel, the packets are dropped. Destination class usage is not supported with IPSec services on the AS PIC.

• Configuring keys for authentication and encryption—When preshared keys are required for authentication or encryption, you must use the guidelines shown in Table 39 to implement the correct key size.
  
  
  Table 39: Authentication and Encryption Key Lengths

  	Number of Hexadecimal Characters	Number of ASCII Characters
  Authentication
  HMAC-MD5-96	32	16
  HMAC-SHA1-96	40	20
  Encryption
  AES-128-CBC	16	32
  AES-192-CBC	24	48
  AES-256-CBC	32	64
  DES-CBC	16	8
  3DES-CBC	48	24

  
  
• Rejection of weak and semi-weak keys—The DES and 3DES encryption algorithms will reject weak and semi-weak keys. As a result, do not create and use keys that contain the patterns listed in Table 40.
  
  
  Table 40: Weak and Semi-Weak Keys

  Weak Keys
  0101	0101	0101	0101
  1F1F	1F1F	1F1F	1F1F
  E0E0	E0E0	E0E0	E0E0
  FEFE	FEFE	FEFE	FEFE
  Semi-Weak Keys
  01FE	01FE	01FE	01FE
  1FE0	1FE0	0EF1	0EF1
  01E0	01E0	01F1	01F1
  1FFE	1FFE	0EFE	0EFE
  011F	011F	010E	010E
  E0FE	E0FE	F1FE	F1FE
  FE01	FE01	FE01	FE01
  E01F	E01F	F10E	F10E
  E001	E001	F101	F101
  FEF1	FEF1	FE0E	FE0E
  1F01	1F01	0E01	0E01
  FEE0	FEE0	FEF1	FEF1