Configuration Tasks

This section explains the steps to configure an IPsec license and IPsec parameters, create an IPsec tunnel, and define an ISAKMP/IKE policy. The next section contains configuration examples.

Configuring an IPsec License

By default, and with no IPsec tunnel license, you can configure up to 10 IPsec tunnels on an ERX router. However, you can purchase licenses that support the following IPsec tunnel maximums:

The number of additional tunnels is independent of the number of ISMs installed in the router. However, the router chassis enforces the following tunnel limits:

license ipsec-tunnels

Configuring IPsec Parameters

To configure IPsec:

  1. For each endpoint, create a transform set that provides the desired encryption and authentication.
    host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    host1(config)#ipsec transform-set customerBprotection ah-hmac-md5
  2. Add a preshared key that the routers use to authenticate each other.
    host1(config)#ipsec key manual pre-share
    host1(config-manual-key)#key customerASecret

    After you enter a preshared key, the router encrypts the key and displays it in masked form to increase the security of the key. If you need to reenter the key, you can enter it in its masked form using the masked-key command.

    To see the masked form of the key:

    host1#show config
    ipsec key manual pre-share
     masked-key "AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO"

    To enter the masked key:

    host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO
  3. Define the local endpoint used for ISAKMP/IKE negotiations for all IPsec tunnels in the router.
    host1(config)#ipsec local-endpoint transport-virtual-router vr#8
  4. (Optional) Set the global (default) lifetime for all SAs on the router.
    host1(config)#ipsec lifetime kilobytes 42000000

ipsec key manual pre-share

ipsec lifetime

ipsec local-endpoint

ipsec transform-set
Creating an IPsec Tunnel

To create an IPsec tunnel:

  1. Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface.
    host1(config)#virtual-router vrA
    host1:vrA(config)#
  2. Create an IPsec tunnel, and specify the transport VR.
    host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
    host1:vrA(config-if)#
  3. Specify the IP address of this tunnel interface.
    host1:vrA(config-if)#ip address
  4. Specify the transform set that ISAKMP uses for SA negotiations.
    host1:vrA(config-if)#tunnel transform-set customerAprotection
  5. Configure the local endpoint of the tunnel.
    host1:vrA(config-if)#tunnel local-identity subnet
  6. Configure the peer endpoint of the tunnel.
    host1:vrA(config-if)#tunnel peer-identity subnet
  7. Specify an existing interface address that the tunnel uses as its source address.
    host1:vrA(config-if)#tunnel source
  8. Specify the address or identity of the tunnel destination endpoint.
    host1:vrA(config-if)#tunnel destination identity
    host1:vrA(config-if)#exit

    Note: FQDNs are used when tunnel destination endpoints do not have a fixed address, as in cable and DSL environments.

  9. For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs.
    host1:vrA(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678
    host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b
  10. (Optional) Configure PFS on this tunnel.
    host1:vrA(config-if)#tunnel pfs group 5
  11. (Optional) Set the tunnel type to signaled or manual. The default is signaled.
    host1:vrA(config-if)#tunnel signaling isakmp
  12. (Optional) Set the renegotiation time of the SAs in use by this tunnel.
    host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000
  13. (Optional) Set the MTU size for the tunnel.
    host1(config-if)#tunnel mtu 2240
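Manual tunnels (step 9) take raw hexadecimal key material typed straight onto the CLI, and nothing on this page checks that material before it is entered. The following Python checker is an added example, not JunosE code: it validates session keys against the key sizes of the algorithm sets named on this page (DES 8 bytes, 3DES 24, HMAC-MD5 16, HMAC-SHA-1 20, an assumption taken from the algorithms themselves rather than from the page), rejects the four DES weak keys and 3DES subkeys that collapse EDE to single DES, and warns when the inbound and outbound SAs reuse the same bytes. The size table, the function names and the extra sample inputs are assumptions of this example; the two good key sets are the page's own.

```python
import binascii

# Algorithm set -> (cipher key bytes, auth key bytes); None means "no cipher key".
# Assumption: standard key sizes for DES, 3DES, HMAC-MD5 and HMAC-SHA-1. Only the
# sets named on the page are listed; extend the table for others.
ALGO_KEY_SIZES = {
    "esp-des-hmac-md5": (8, 16),
    "esp-3des-hmac-md5": (24, 16),
    "esp-3des-hmac-sha": (24, 20),
    "ah-hmac-md5": (None, 16),
}

# The four DES weak keys (odd parity form): encryption and decryption coincide.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"),
    bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


def _cipher_key_problems(raw, size):
    """Checks specific to DES (8-byte) and 3DES (24-byte) key material whose
    length has already been verified."""
    problems = []
    subkeys = [raw[i:i + 8] for i in range(0, len(raw), 8)]
    for n, sub in enumerate(subkeys, 1):
        if sub in DES_WEAK_KEYS:
            problems.append(f"DES subkey {n} is a known weak key")
    # K1 == K2 or K2 == K3 turns encrypt-decrypt-encrypt into a single DES pass.
    if size == 24 and (subkeys[0] == subkeys[1] or subkeys[1] == subkeys[2]):
        problems.append("3DES subkeys repeat, which collapses EDE to single DES")
    return problems


def check_session_key(algorithm, *hex_keys):
    """Return the list of problems found; an empty list means the keys look usable."""
    sizes = ALGO_KEY_SIZES.get(algorithm)
    if sizes is None:
        return [f"unknown algorithm set {algorithm!r}"]
    expected = [(label, n) for label, n in zip(("cipher", "auth"), sizes) if n is not None]
    if len(hex_keys) != len(expected):
        return [f"{algorithm} takes {len(expected)} key(s), got {len(hex_keys)}"]
    problems = []
    for (label, want), key in zip(expected, hex_keys):
        try:
            raw = binascii.unhexlify(key)
        except (binascii.Error, ValueError):
            problems.append(f"{label} key is not a valid hex string")
            continue
        if len(raw) != want:
            problems.append(f"{label} key is {len(raw)} bytes, {algorithm} needs {want}")
            continue
        if len(set(raw)) == 1:
            problems.append(f"{label} key is a single repeated byte")
        if label == "cipher":
            problems.extend(_cipher_key_problems(raw, want))
    return problems


def check_tunnel_keys(inbound, outbound):
    """Check both directions of a manual tunnel. Each argument is a tuple
    (algorithm, key1[, key2]) in the order the keys appear on the CLI."""
    problems = [f"inbound: {p}" for p in check_session_key(*inbound)]
    problems += [f"outbound: {p}" for p in check_session_key(*outbound)]
    # Each SA direction should be keyed independently.
    if set(inbound[1:]) & set(outbound[1:]):
        problems.append("inbound and outbound SAs share key material; use distinct keys per direction")
    return problems


if __name__ == "__main__":
    # The page's own sample keys (step 9) pass every check.
    inbound = ("esp-des-hmac-md5", "a7bd567917bd5679",
               "bd5678a7bd567917bd567917bd567678")
    outbound = ("esp-3des-hmac-md5",
                "567917bd567917bd567917bd545a17bd567917bd56784a7b",
                "fda183bef567917bd567917bd567917b")
    for line in check_tunnel_keys(inbound, outbound) or ["keys look usable"]:
        print(line)
```

Run it on the key strings before pasting them into the router; a non-empty result means the tunnel would either be rejected or come up with key material weaker than the algorithm set suggests.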

interface tunnel

tunnel destination

tunnel lifetime

tunnel local-identity

tunnel mtu

tunnel peer-identity

tunnel pfs group

tunnel session-key-inbound

tunnel session-key-outbound

tunnel signaling

tunnel source

tunnel transform-set

Configuring DPD and IPsec Tunnel Failover

You can use the ipsec option dpd command to enable dead peer detection (DPD) on the router. DPD is also known as IKE keepalive. If an IPsec tunnel destination backup is configured, the router redirects traffic to the alternate destination when DPD detects a disconnection between the E Series router and the regular tunnel destination. See tunnel destination backup.

To enable DPD and create an alternate IPsec tunnel destination for failover:

  1. Enable DPD on the router.
    host1(config)#ipsec option dpd
  2. Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface (that is, the transport virtual router context).
    host1(config)#virtual-router vrA
    host1:vrA(config)#
  3. Create an IPsec tunnel, and specify the transport VR.
    host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
    host1:vrA(config-if)#
  4. Specify the address or identity of the tunnel destination backup endpoint.
    host1:vrA(config-if)#tunnel destination backup identity

ipsec option dpd

tunnel destination backup

Defining an IKE Policy

IKE policies define parameters that the router uses during IKE phase 1 negotiation.

To create an IKE policy:

host1(config)#ipsec ike-policy-rule 3
host1(config-ike-policy)#

You can then set the following parameters, or use the default settings:
ipsec ike-policy-rule

ipsec isakmp-policy-rule

Note: The ipsec ike-policy-rule command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.


Refreshing SAs

To refresh ISAKMP/IKE or IPsec SAs:

host1(config)#ipsec clear sa tunnel ipsec:Aottawa2boca phase 2

ipsec clear sa

Enabling Notification of Invalid Cookies

The IKE protocol enables peers to exchange informational messages. The payload of these messages can be a notify type or a delete type. These messages are expected to be protected (encrypted) by the keys negotiated by the peers when they establish a security association as a result of the IKE phase 1 exchange.

If a responder peer does not recognize the initiator-responder cookie pair, it can send an invalid cookie notification message to the initiator. The responder might fail to recognize the cookie pair because it has lost the cookie, or because it deleted the cookie and then the peer lost the delete notification. Upon receipt of the invalid cookie notification, the initiator peer can delete the phase 1 state.

The ability to send the invalid cookie message is disabled by default. You can issue the ipsec option tx-invalid-cookie command to enable the feature on a per-transport-VR basis.

Even when you configure this feature, the E Series router does not respond to an invalid cookie notification that it receives. These notifications are not protected by the phase 1 key exchange and are therefore subject to denial-of-service (DoS) attacks. Instead, the E Series router determines that a phase 1 relationship has gone stale by timeouts or by dead peer detection (DPD). For this reason, this feature is useful only when the E Series router is the responding peer for non–E Series devices that cannot detect when the phase 1 relationship goes stale.

ipsec option tx-invalid-cookie
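To make the responder behaviour described above concrete, here is an added Python model of the two rules, not E Series code: an unknown initiator-responder cookie pair draws an INVALID-COOKIE notification only when the tx-invalid-cookie option is enabled, and an informational message that arrives without the encryption flag is never acted on, which is what stops an unauthenticated notification from tearing down phase 1 state. The 28-byte ISAKMP header layout, the notify payload format and the INVALID-COOKIE type (4) follow RFC 2408; the Responder class, its in-memory SA table, the result strings and the constructed sample datagrams are assumptions of this example.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size          # 28 bytes
FLAG_ENCRYPTION = 0x01                    # set on messages protected by the phase 1 keys
PAYLOAD_NOTIFY = 11
EXCH_INFORMATIONAL = 5
NOTIFY_INVALID_COOKIE = 4
IPSEC_DOI = 1
PROTO_ISAKMP = 1


def parse_header(packet):
    """Decode the fixed header; raises ValueError on a truncated datagram."""
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("datagram shorter than the ISAKMP header")
    fields = ISAKMP_HDR.unpack_from(packet)
    hdr = dict(zip(("icookie", "rcookie", "next_payload", "version",
                    "exchange", "flags", "msgid", "length"), fields))
    if hdr["length"] > len(packet):
        raise ValueError("length field exceeds datagram size")
    return hdr


def build_invalid_cookie_notify(icookie, rcookie, msgid=0):
    """Unprotected informational exchange carrying an INVALID-COOKIE notify payload
    whose SPI is the offending cookie pair (RFC 2408 section 3.14)."""
    spi = icookie + rcookie
    notify = struct.pack("!BBHIBBH", 0, 0, 12 + len(spi), IPSEC_DOI,
                         PROTO_ISAKMP, len(spi), NOTIFY_INVALID_COOKIE) + spi
    hdr = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_NOTIFY, 0x10, EXCH_INFORMATIONAL,
                          0, msgid, ISAKMP_HDR_LEN + len(notify))
    return hdr + notify


class Responder:
    """Minimal model of the responder side of the cookie check (an assumption of
    this example; the real router keeps its phase 1 state elsewhere)."""

    def __init__(self, tx_invalid_cookie=False):
        self.tx_invalid_cookie = tx_invalid_cookie   # ipsec option tx-invalid-cookie
        self.phase1 = set()                          # known (icookie, rcookie) pairs

    def add_phase1_sa(self, icookie, rcookie):
        self.phase1.add((icookie, rcookie))

    def handle(self, packet):
        """Return (action, reply_bytes_or_None) for one inbound datagram."""
        hdr = parse_header(packet)
        # An informational message without the encryption flag was not protected by
        # the phase 1 keys, so nothing in it (INVALID-COOKIE included) is trusted.
        if hdr["exchange"] == EXCH_INFORMATIONAL and not hdr["flags"] & FLAG_ENCRYPTION:
            return "ignored-unprotected-informational", None
        pair = (hdr["icookie"], hdr["rcookie"])
        if pair in self.phase1:
            return "accepted", None
        # Unknown cookie pair: stay silent unless the option is enabled, in which
        # case tell the initiator so it can discard its stale phase 1 state.
        if self.tx_invalid_cookie:
            return "invalid-cookie-sent", build_invalid_cookie_notify(*pair, hdr["msgid"])
        return "dropped-unknown-cookie", None


if __name__ == "__main__":
    # Constructed sample traffic: a live SA, a stale initiator, an unprotected notify.
    ic, rc = bytes(8 * [0x11]), bytes(8 * [0x22])
    r = Responder(tx_invalid_cookie=True)
    r.add_phase1_sa(ic, rc)
    live = ISAKMP_HDR.pack(ic, rc, 8, 0x10, 2, FLAG_ENCRYPTION, 0, ISAKMP_HDR_LEN)
    stale = ISAKMP_HDR.pack(ic, bytes(8 * [0x33]), 8, 0x10, 2, FLAG_ENCRYPTION, 5, ISAKMP_HDR_LEN)
    unprotected = ISAKMP_HDR.pack(ic, rc, PAYLOAD_NOTIFY, 0x10, EXCH_INFORMATIONAL, 0, 7, ISAKMP_HDR_LEN)
    for name, pkt in (("live", live), ("stale", stale), ("unprotected", unprotected)):
        print(name, r.handle(pkt)[0])
```

The order of the checks is the point: the encryption-flag test runs before the cookie lookup, so an unprotected informational message can never reach the code that would discard state, regardless of whether its cookies happen to match a live SA. The router's own answer to a genuinely stale phase 1, as the text says, is a timeout or DPD, not the notification.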