Configuring IPsec Tunnel Profiles

This topic explains how to configure the parameters that exist in the IPsec tunnel profile configuration mode:

Limiting Interface Instantiations on Each Profile

You can define the maximum number of tunnel-service interfaces to be used on a tunnel-server port. Once the profile reaches the maximum number of interfaces, the profile rejects any new interface instantiations and generates a warning-level log. The default value (using the no version of the command) specifies unlimited interface instantiation on a given profile.

To define the maximum number of interfaces that the IPsec tunnel profile can instantiate:

Specifying IKE Settings for IPsec Tunnels

Tasks to define the IKE local identity and IKE peer identity values are:

Setting the IKE Local Identity

You can set the IKE local identity (phase 1 identity) used for IKE security association negotiations.

To set the IKE local identity used for IKE security association (SA) negotiations:

Note: The authentication algorithm for an IKE SA is associated with its identity. You must ensure that the client and server are set accordingly to successfully establish IKE security associations.

Setting the IKE Peer Identity

You can set the IKE peer identity values used for IKE security association (SA) negotiations. The ike peer-identity distinguished-name, ike peer-identity domain-name, ike peer-identity ip address, and ike peer-identity username commands are used to set the required IKE peer identity values.

To set the IKE peer identity values:

Note: You can also use the wildcard (*) in place of the entire username or domain name, or as the first or last character of the username or domain-name string.

Appending a Domain Suffix to a Username

The VPN on which a user is to be terminated can sometimes be determined from the IKE identities attached to that user. To help connect users to the correct AAA domain for authentication, you can append a domain suffix to the username. With the default setting (no domain suffix), usernames are passed transparently to AAA.

To append a domain suffix to user-provided usernames on a profile:
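The peer-identity wildcard rule and the domain-suffix step above can be modelled together. The following is an added example, not the router's code: a hypothetical TunnelProfile holds the ike peer-identity username, domain-name and ip address values plus an optional suffix, select_profile picks the first matching profile (ordering is an assumption), and aaa_username produces the name handed to AAA (the user@suffix form is an assumption).

```python
import ipaddress

def check_wildcard_pattern(pattern):
    """Accept '*' only as the whole value or as its first or last character."""
    stars = pattern.count("*")
    ok = pattern == "*" or stars == 0 or (stars == 1 and "*" in (pattern[0], pattern[-1]))
    if not ok:
        raise ValueError(f"wildcard only allowed alone or at either end: {pattern!r}")
    return pattern

def wildcard_match(pattern, value):
    """Match a peer-identity value against a validated wildcard pattern."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern

class TunnelProfile:
    """Hypothetical profile holding ike peer-identity values and a domain suffix."""
    def __init__(self, name, username=None, domain_name=None, ip_address=None,
                 domain_suffix=None):
        self.name = name
        self.username = check_wildcard_pattern(username) if username else None
        self.domain_name = check_wildcard_pattern(domain_name.lower()) if domain_name else None
        self.ip_address = ipaddress.ip_address(ip_address) if ip_address else None
        self.domain_suffix = domain_suffix

    def accepts(self, peer):
        """peer: dict with optional 'username', 'domain_name', 'ip_address'. Every identity
        the profile configures must match (domain names compared case-insensitively)."""
        if self.username is not None and not wildcard_match(self.username, peer.get("username", "")):
            return False
        if self.domain_name is not None and not wildcard_match(self.domain_name, peer.get("domain_name", "").lower()):
            return False
        if self.ip_address is not None and ("ip_address" not in peer or ipaddress.ip_address(peer["ip_address"]) != self.ip_address):
            return False
        return True

def select_profile(profiles, peer):
    """First profile, in configured order (an assumption), whose identities match."""
    return next((p for p in profiles if p.accepts(peer)), None)

def aaa_username(profile, username):
    """No suffix (the default) passes the name to AAA unchanged; otherwise append it
    as user@suffix (the separator is an assumption of this example)."""
    return username if not profile.domain_suffix else f"{username}@{profile.domain_suffix}"
```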

Overriding IPsec Local and Peer Identities for SA Negotiations

You can override the local and peer identities used for SA negotiations. For IPsec negotiations to succeed, the local and peer identities at one end of the tunnel must match the peer and local identities at the other end (respectively).

Specifying an IP Profile for IP Interface Instantiations

You can specify the IP profile that the IPsec layer passes on to the IP layer upon request for upper-layer instantiation.

To specify the IP profile that is passed from the IPsec layer to the IP layer:

Defining the Server IP Address

You can define the specified local IP address as the server address. The router monitors UDP port 500 for incoming login requests (that is, IKE SA negotiations) from users.

Note: This address is typically made public to all users trying to connect to a VPN on this router.

This command enables you to optionally set a global preshared key for the specified server address. When using global preshared keys, keep the following in mind:

To specify the given local IP address as a server address:

Specifying Local Networks

You can specify local networks that are reachable through the IPsec tunnel. This type of “split tunneling” enables a remote station to separate VPN traffic from Internet traffic. For example, a client connecting to a corporate intranet could use split tunneling to send all traffic destined for 10.0.0.0/8 through the secure tunnel into the VPN, while other traffic (for example, Web browsing) travels directly to the Internet through the local service provider without passing through the tunnel.

Note: Split tunneling functions only when the client software supports it; the client must modify its own routing table with the network information for split tunneling to occur. You can configure up to 16 networks for this method of split tunneling.

To specify networks that are reachable through the IPsec tunnel:
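The client-side routing decision that the local-network list produces, as an added example (not the router's or any client's code): local_networks enforces the 16-network limit, and route_for classifies each destination as going through the tunnel or directly to the local service provider. The behaviour of a client without split-tunnel support (all traffic through the tunnel) is an assumption of this example.

```python
import ipaddress

MAX_LOCAL_NETWORKS = 16  # per-profile limit stated for this split-tunneling method

def local_networks(prefixes):
    """Validate the networks a profile advertises as reachable through the tunnel."""
    if len(prefixes) > MAX_LOCAL_NETWORKS:
        raise ValueError(f"at most {MAX_LOCAL_NETWORKS} local networks per profile")
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]

def route_for(destination, networks, client_supports_split=True):
    """Decide where a client sends a packet once it has installed the profile's
    local networks in its routing table. A client without split-tunnel support
    never adds those routes, so (assumed here) all of its traffic uses the tunnel."""
    if not client_supports_split:
        return "tunnel"
    addr = ipaddress.ip_address(destination)
    return "tunnel" if any(addr in net for net in networks) else "direct"

def classify(destinations, networks, client_supports_split=True):
    """Map each destination to 'tunnel' (VPN) or 'direct' (local service provider)."""
    return {d: route_for(d, networks, client_supports_split) for d in destinations}

if __name__ == "__main__":
    # Constructed sample: the corporate intranet plus a second private subnet.
    corp = local_networks(["10.0.0.0/8", "192.168.100.0/24"])
    # 203.0.113.0/24 is a documentation range, standing in for "the Internet" here.
    print(classify(["10.1.2.3", "192.168.100.7", "203.0.113.9"], corp))
```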

Defining IPsec Security Association Lifetime Parameters

You can define the IPsec SA lifetime parameters that the tunnel profile uses for IPsec SA negotiations. These parameters include the phase 2 lifetime as a range, expressed in seconds or as a traffic volume.

To specify the IPsec lifetime parameters used on IPsec SA lifetime negotiations:

Defining User Reauthentication Protocol Values

You can specify the extended user authentication protocol for use during the extended user authentication protocol exchange. You can use the re-authenticate keyword to enable the reauthentication option (a subsequent authentication procedure). When this option is enabled, rekeying of IKE SAs uses the initial authentication protocol to reauthenticate the user. When this option is disabled, authentication is performed only at the first IKE SA establishment; subsequent IKE SA rekey operations inherit the initial authentication and do not reauthenticate users. You can use the skip-peer-config keyword to prevent the router from configuring peer IP characteristics.

Note: For maximum security, enable reauthentication.

To specify the extended user authentication protocol for use during the extended user authentication protocol exchange:

Specifying IPsec Security Association Transforms

You can specify the IPsec transforms that IPsec SA negotiations can use for this profile. The router accepts the first transform proposed by a client that matches one of the transforms specified by this command. During an IPsec SA exchange with a client, the router proposes all transforms specified by this command and one is accepted by the client.

Note: You can specify up to six transform algorithms for this profile.

To specify the eligible transforms for this profile for IPsec security association negotiations:

Specifying IPsec Security Association PFS and DH Group Parameters

You can specify the IPsec SA perfect forward secrecy (PFS) option and Diffie-Hellman prime modulus group that IPsec SA negotiations can use for this profile.

Note: When the client initiates the IPsec negotiation, the router can accept Diffie-Hellman prime modulus groups that are higher than those configured.

To configure perfect forward secrecy for connections created with this IPsec tunnel configuration profile by assigning a Diffie-Hellman prime modulus group:
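The selection rules from the transform, PFS/DH-group and SA-lifetime sections can be modelled in one place. This is an added example, not the router's implementation: SaProfile is a hypothetical view of the profile (six-transform limit included), select_transform applies the "first client-proposed transform that the profile allows" rule, and dh_group_acceptable models the note that a higher group can be accepted when the client initiates. Treating "can accept" as "does accept", comparing MODP group numbers numerically, and requiring the proposed lifetime to fall inside the configured range are assumptions of this example; the transform names are constructed labels.

```python
MAX_TRANSFORMS = 6  # per-profile limit stated on the page

class SaProfile:
    """Hypothetical view of a tunnel profile's IPsec SA settings."""
    def __init__(self, transforms, pfs_group=None, lifetime_seconds=(3600, 28800)):
        if len(transforms) > MAX_TRANSFORMS:
            raise ValueError(f"at most {MAX_TRANSFORMS} transforms per profile")
        self.transforms = list(transforms)      # proposed to the client in this order
        self.pfs_group = pfs_group              # None: PFS not required on this profile
        self.life_min, self.life_max = lifetime_seconds

def select_transform(profile, client_proposals):
    """The router accepts the FIRST client-proposed transform the profile allows."""
    allowed = set(profile.transforms)
    return next((t for t in client_proposals if t in allowed), None)

def dh_group_acceptable(profile, proposed_group, client_initiated):
    """PFS check. MODP group numbers (1, 2, 5, 14, ...) grow with modulus size, so a
    'higher group' is modelled as a larger number. Assumption: when the client
    initiates, any group at or above the configured one is accepted; otherwise
    the configured group must be used exactly."""
    if profile.pfs_group is None:
        return True
    if client_initiated:
        return proposed_group >= profile.pfs_group
    return proposed_group == profile.pfs_group

def negotiate(profile, client_proposals, proposed_group, proposed_life, client_initiated=True):
    """Return the agreed SA parameters, or None if no acceptable combination exists.
    Assumption: a proposed lifetime is accepted only inside the profile's range."""
    transform = select_transform(profile, client_proposals)
    if transform is None:
        return None
    if not dh_group_acceptable(profile, proposed_group, client_initiated):
        return None
    if not profile.life_min <= proposed_life <= profile.life_max:
        return None
    return {"transform": transform, "dh_group": proposed_group, "lifetime": proposed_life}
```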

Defining the Tunnel MTU

You can configure the maximum transmission unit size for the tunnel.

To specify the maximum transmission unit size for a particular tunnel:

Related Documentation