Configuring IPSec Tunnel Profiles
This section explains how to configure the parameters that exist in the IPSec tunnel profile configuration mode.
Limiting Interface Instantiations on Each Profile
To define the maximum number of interfaces that the IPSec tunnel profile can instantiate, use the max-interfaces command. Once the profile reaches the maximum number of interfaces, the profile rejects any new interface instantiations and generates a warning-level log. The default value (using the no version of the command) specifies unlimited interface instantiation on a given profile.
max-interfaces
- Use to define the maximum number of interfaces that the IPSec tunnel profile can instantiate.
- Example: host1(config-ipsec-tunnel-profile)#max-interfaces 500
- Use the no version to return the maximum value to unlimited, indicating no limit to the number of interfaces that can be instantiated on this profile.
- See max-interfaces.
Specifying IKE Settings
This section describes how to define the IKE local identity and IKE peer identity values.
Setting the IKE Local Identity
To set the IKE local identity (phase 1 identity) used for IKE security association negotiations, use the ike local-identity command.
Note: The authentication algorithm for an IKE SA is associated with its identity. You must ensure that the client and server are set accordingly to successfully establish IKE security associations.
ike local-identity
- Use to set the IKE local identity used for IKE security association (SA) negotiations.
- Example: host1(config-ipsec-tunnel-profile)#ike local-identity domain-name domain1
- Use the no version to remove the specified IKE local identity.
- See ike local-identity.
Setting the IKE Peer Identity
To set the IKE peer identity values, use the ike peer-identity command. You can set the profile to accept logins from users that present one of the following:
- An asn1DN as an IKE identity type (an ASN.1-encoded distinguished name) and the user-provided IKE identity contains the substring configured for the profile.
- A userFQDN or FQDN as an IKE identity type and the domain name portion of the IKE identity matches the domain name setting for this profile. An empty string (default) means that IKE identity types of userFQDN and FQDN are not allowed for logins on this profile.
The IKE identity type of userFQDN also carries a domain name. Users presenting this identity must also pass any restrictions set for the peer domain name for this profile before they are able to log in.
- An IP address as an IKE identity type and the IP address resides within the specified network. The default of 0.0.0.0/0 allows any peer IP address to this profile.
- A userFQDN as an IKE identity type and the username portion of the IKE identity matches the username setting for this profile. An empty string (default) means that an IKE identity type of userFQDN is not allowed for logins on this profile.

Note: You can also use the wildcard (*) for the username and domain name or as the first or last character in the username or domain name string.
ike peer-identity distinguished-name
ike peer-identity domain-name
ike peer-identity ip address
ike peer-identity username
- Use to set the IKE peer identity used for IKE security association (SA) negotiations.
- Example: host1(config-ipsec-tunnel-profile)#ike peer-identity domain-name domain2
- Use the no version to remove the specified IKE peer identity.
- See ike peer-identity distinguished-name.
- See ike peer-identity domain-name.
- See ike peer-identity ip address.
- See ike peer-identity username.
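The following Python is an added illustration of the acceptance rules listed above; it is not router code from this page or from the vendor. The PeerIdentityPolicy class, the accepts function, case-insensitive name comparison and the treatment of a leading or trailing "*" as a suffix or prefix wildcard are assumptions of this example; the empty-string defaults, the 0.0.0.0/0 default network and the rule that a userFQDN must pass both the username and the peer domain-name restriction follow the text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PeerIdentityPolicy:
    """Hypothetical model of one profile's ike peer-identity settings.

    An empty string means the matching identity type is not allowed on the
    profile (the default described above); 0.0.0.0/0 allows any peer address.
    """
    distinguished_name: str = ""   # substring an asn1DN identity must contain
    domain_name: str = ""          # domain name for FQDN / userFQDN identities
    username: str = ""             # username for userFQDN identities
    network: str = "0.0.0.0/0"     # network a peer IP identity must reside in


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a configured name against a presented one.

    '*' alone matches anything; a leading or trailing '*' is treated as a
    suffix or prefix wildcard (assumption). Comparison is case-insensitive
    (assumption).
    """
    pattern, value = pattern.lower(), value.lower()
    head, tail = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if head and tail:
        return core in value
    if head:
        return value.endswith(core)
    if tail:
        return value.startswith(core)
    return value == core


def accepts(policy: PeerIdentityPolicy, id_type: str, identity: str) -> bool:
    """Return True if a peer presenting (id_type, identity) may log in."""
    if id_type == "asn1DN":
        # Distinguished name must contain the configured substring.
        return bool(policy.distinguished_name) and policy.distinguished_name in identity
    if id_type == "address":
        try:
            addr = ipaddress.ip_address(identity)
            net = ipaddress.ip_network(policy.network, strict=False)
        except ValueError:
            return False
        return addr in net
    if id_type == "FQDN":
        return bool(policy.domain_name) and _wildcard_match(policy.domain_name, identity)
    if id_type == "userFQDN":
        # user@domain: the username must match, and the domain part must also
        # pass the peer domain-name restriction.
        user, sep, domain = identity.partition("@")
        if not sep:
            return False
        return (bool(policy.username) and _wildcard_match(policy.username, user)
                and bool(policy.domain_name) and _wildcard_match(policy.domain_name, domain))
    return False  # unknown identity type


if __name__ == "__main__":
    # Constructed sample: a profile that admits any user of domain2 from 10.10.0.0/16.
    policy = PeerIdentityPolicy(domain_name="domain2", username="*", network="10.10.0.0/16")
    for id_type, identity in [("userFQDN", "alice@domain2"), ("FQDN", "domain3"),
                              ("address", "10.10.4.7"), ("asn1DN", "CN=alice,O=Example")]:
        print(id_type, identity, "->", accepts(policy, id_type, identity))
```

Because every identity type defaults to "not allowed" except the peer IP address, a freshly created profile accepts only address identities; enabling name-based logins means choosing a domain or username pattern deliberately rather than relying on the default.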
Appending a Domain Suffix to a Username
The VPN to which a user is to be terminated is sometimes known from the IKE identities attached to the user. However, to assist in connecting users to the correct AAA domain for authentication, you can use the domain-suffix command to append a domain suffix to the username. Using the default, no domain suffix, passes usernames transparently to AAA.
domain-suffix
- Use to specify a domain suffix that you want to append to any usernames received on this profile.
- Example: host1(config-ipsec-tunnel-profile)#domain-suffix domain2
- Use the no version to restore the default value, no domain suffix, and usernames are passed transparently to AAA.
- See domain-suffix.
Overriding IPSec Local and Peer Identities for SA Negotiations
You can use the local ip identity and peer ip identity commands to override the local and peer identities used for SA negotiations (respectively).
local ip identity
- Use to override the local identity (phase 2 identity) used for IPSec security association negotiations. For IPSec negotiations to succeed, the local and peer identities at one end of the tunnel must match the peer and local identities at the other end (respectively).
- Example: host1(config-ipsec-tunnel-profile)#local ip identity range 10.30.11.1 10.30.11.50
- Use the no version to restore the default value, the internal IP address allocated for the subscriber.
- See local ip identity.
peer ip identity
- Use to override the peer identity (phase 2 identity) used for IPSec security association negotiations. For IPSec negotiations to succeed, the local and peer identities at one end of the tunnel must match the peer and local identities at the other end (respectively).
- Example: host1(config-ipsec-tunnel-profile)#peer ip identity address 10.227.1.2
- Use the no version to restore the default value, the internal IP address allocated for the subscriber.
- See peer ip identity.
Specifying an IP Profile for IP Interface Instantiations
The ip profile command specifies the IP profile that is passed from the IPSec layer to the IP layer upon request for upper layer instantiation.
ip profile
- Use to specify the IP profile that the IPSec layer passes on to the IP layer upon request for upper-layer instantiation.
- Example: host1(config-ipsec-tunnel-profile)#ip profile ipProfile1
- Use the no version to remove the association with this profile.
- See ip profile.
Defining the Server IP Address
The local ip address command defines the specified local IP address as the server address. The router monitors UDP port 500 for incoming login requests (that is, IKE SA negotiations) from users.
Note: This address is typically made public to all users trying to connect to a VPN on this router.
This command enables you to optionally set a global preshared key for the specified server address. When using global preshared keys, keep the following in mind:
- Global preshared keys enable a group of users to share a single authentication key, simplifying the administrative job of setting up keys for multiple users.
- Specific keys for individual users have higher priority than global keys. If both individual and global keys are configured, a user who also has a specific key must use that key or authentication fails.
- More than one profile can specify the same local endpoint and virtual router. Because the last value set overrides the other, we recommend that you avoid this type of configuration.
local ip address
- Use to specify the given local IP address as a server address.
- Example: host1(config-ipsec-tunnel-profile)#local ip address 192.2.52.12
- Use the no version to stop the router from monitoring UDP port 500 for user requests and remove any preshared key associations with the local IP address.
- See local ip address.
Specifying Local Networks
The local ip network command enables you to specify local networks that are reachable through the IPSec tunnel. This type of “split tunneling” enables a remote station to separate VPN traffic from Internet traffic. For example, a client connecting to a corporate intranet could use split tunneling to send all traffic destined to 10.0.0.0/8 through the secure tunnel and reach the VPN. Other traffic (for example, Web browsing) would travel directly to the Internet through the local service provider without passing through the tunnel.
Note: Split tunneling functions only when supported by the client software. It is up to the client to modify its routing table with the network information for split tunneling to occur.
local ip network
- Use to specify networks that are reachable through the IPSec tunnel. You can configure up to 16 networks for this method of “split tunneling.”
- Example: host1(config-ipsec-tunnel-profile)#local ip network 10.0.0.0 255.255.255.252
- Use the no version to remove the specified network from the reachable list.
- See local ip network.
Defining IPSec Security Association Lifetime Parameters
The lifetime command defines the IPSec SA lifetime parameters the tunnel profile can use for IPSec SA negotiations. These parameters include the phase 2 lifetime as a range in seconds or traffic volume.
lifetime
- Use to specify the IPSec lifetime parameters used on IPSec SA lifetime negotiations.
- Example: host1(config-ipsec-tunnel-profile)#lifetime seconds 5000 25000
- Use the no version to return the lifetime to its default value, 28800 seconds (8 hours) and no traffic volume limit.
- See lifetime.
Defining User Reauthentication Protocol Values
The extended-authentication command specifies the extended user authentication protocol for use during the extended user authentication protocol exchange.
The re-authenticate keyword enables the reauthentication option (a subsequent authentication procedure). When this option is enabled, rekeying of IKE SAs uses the initial authentication protocol to reauthenticate the user. When this option is disabled, authentication is performed only at the first IKE SA establishment. Subsequent IKE SA rekey operations inherit the initial authentication and do not reauthenticate users.
Note: For maximum security, enable reauthentication.
The skip-peer-config keyword disables the router from configuring peer IP characteristics.
extended-authentication
- Use to specify the extended user authentication protocol for use during the extended user authentication protocol exchange. This command can also enable or disable the reauthentication option (a subsequent authentication procedure).
- The re-authenticate keyword enables the reauthentication option (a subsequent authentication procedure).
- The skip-peer-config keyword disables the router from configuring peer IP characteristics.
- Example: host1(config-ipsec-tunnel-profile)#extended-authentication chap
- Use the no version to reset the extended authentication to the default protocol, pap.
- See extended-authentication.
Specifying IPSec Security Association Transforms
The transform command specifies the IPSec transforms that IPSec SA negotiations can use for this profile. When a client initiates, the router accepts the first transform proposed by the client that matches one of the transforms specified by this command. When the router initiates an IPSec SA exchange with a client, the router proposes all transforms specified by this command and the client accepts one of them.
Note: You can specify up to six transform algorithms for this profile.
For additional information about transforms and transform sets, see Configuring IPSec.
transform
- Use to specify the eligible transforms for this profile for IPSec security association negotiations.
- Example: host1(config-ipsec-tunnel-profile)#transform ah-hmac-md5
- Use the no version to reset the transform to the default, esp-3des-sha1.
- See transform.
Specifying IPSec Security Association PFS and DH Group Parameters
The pfs group command specifies the IPSec SA perfect forward secrecy (PFS) option and Diffie-Hellman prime modulus group that IPSec SA negotiations can use for this profile.
Note: When the client initiates the IPSec negotiation, the router can accept Diffie-Hellman prime modulus groups that are higher than those configured.
For additional information about PFS, see Configuring IPSec.
pfs group
- Use to configure perfect forward secrecy for connections created with this IPSec tunnel configuration profile by assigning a Diffie-Hellman prime modulus group.
- Example: host1(config-ipsec-tunnel-profile)#pfs group 5
- Use the no version to remove PFS from the profile.
- See pfs group.
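The Python below is an added example, not code from this page or from the vendor, that models how the lifetime, transform and pfs group settings described in the three preceding sections constrain what an IPSec SA negotiation may produce: first-match transform selection from the client's proposal list, the six-transform limit, the rule that a client-initiated negotiation may use a Diffie-Hellman group higher than the configured one, and the default values the page states (esp-3des-sha1, 28800 seconds, no PFS). The SaNegotiationPolicy class and the negotiate function are hypothetical; treating the lifetime range as bounds on the negotiated value, and skipping the group check when no PFS group is configured, are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

DEFAULT_TRANSFORM = "esp-3des-sha1"    # default for the transform command
DEFAULT_LIFETIME_SECONDS = 28800       # default lifetime: 8 hours, no volume limit
MAX_TRANSFORMS = 6                     # up to six transforms per profile


@dataclass
class SaNegotiationPolicy:
    """Hypothetical model of a profile's transform, pfs group and lifetime settings."""
    transforms: List[str] = field(default_factory=lambda: [DEFAULT_TRANSFORM])
    pfs_group: Optional[int] = None    # None: no PFS configured on the profile
    lifetime_seconds: Tuple[int, int] = (DEFAULT_LIFETIME_SECONDS, DEFAULT_LIFETIME_SECONDS)

    def __post_init__(self) -> None:
        if not 1 <= len(self.transforms) <= MAX_TRANSFORMS:
            raise ValueError("a profile carries between 1 and 6 transforms")
        low, high = self.lifetime_seconds
        if low > high:
            raise ValueError("lifetime range must be given as low high")


def select_transform(policy: SaNegotiationPolicy, proposed: Sequence[str]) -> Optional[str]:
    """First client-proposed transform that the profile also lists, or None."""
    configured = set(policy.transforms)
    for transform in proposed:
        if transform in configured:
            return transform
    return None


def accept_pfs_group(policy: SaNegotiationPolicy, proposed_group: Optional[int],
                     client_initiated: bool) -> bool:
    """Apply the PFS rule: a client-initiated negotiation may use a higher group."""
    if policy.pfs_group is None:
        return True        # assumption: no PFS configured, so the group is not checked
    if proposed_group is None:
        return False       # PFS is required but the client offered no group
    if client_initiated:
        return proposed_group >= policy.pfs_group
    return proposed_group == policy.pfs_group


def negotiate(policy: SaNegotiationPolicy, proposed_transforms: Sequence[str],
              proposed_group: Optional[int], proposed_lifetime: int,
              client_initiated: bool = True) -> Optional[Tuple[str, Optional[int], int]]:
    """Return (transform, group, lifetime) for an accepted proposal, else None."""
    transform = select_transform(policy, proposed_transforms)
    if transform is None:
        return None
    if not accept_pfs_group(policy, proposed_group, client_initiated):
        return None
    low, high = policy.lifetime_seconds
    if not low <= proposed_lifetime <= high:   # assumption: range bounds the value
        return None
    return transform, proposed_group, proposed_lifetime


if __name__ == "__main__":
    # Constructed sample matching the page's examples: lifetime 5000-25000 s, pfs group 5.
    policy = SaNegotiationPolicy(transforms=["esp-3des-sha1", "ah-hmac-md5"],
                                 pfs_group=5, lifetime_seconds=(5000, 25000))
    print(negotiate(policy, ["esp-aes-sha1", "ah-hmac-md5"], 14, 20000))   # accepted
    print(negotiate(policy, ["esp-aes-sha1"], 14, 20000))                  # no transform
    print(negotiate(policy, ["ah-hmac-md5"], 2, 20000))                    # group too low
```

Because the router takes the first matching transform in the order the client proposes, the profile's transform list controls which algorithms are eligible but not which of them a client ends up with; keeping the list to the transforms you actually want in use is the lever the operator has.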
Defining the Tunnel MTU
The tunnel mtu command configures the maximum transmission unit size for the tunnel.
tunnel mtu
- Use to configure the maximum transmission unit size for the tunnel.
- Example: host1(config-ipsec-tunnel-profile)#tunnel mtu 3000
- Use the no version to restore the default value, an MTU size of 1400 bytes.
- See tunnel mtu.