Configuring IPsec Tunnel Profiles
This topic explains how to configure the parameters that exist in the IPsec tunnel profile configuration mode:
- Limiting Interface Instantiations on Each Profile
- Specifying IKE Settings for IPsec Tunnels
- Appending a Domain Suffix to a Username
- Overriding IPsec Local and Peer Identities for SA Negotiations
- Specifying an IP Profile for IP Interface Instantiations
- Defining the Server IP Address
- Specifying Local Networks
- Defining IPsec Security Association Lifetime Parameters
- Defining User Reauthentication Protocol Values
- Specifying IPsec Security Association Transforms
- Specifying IPsec Security Association PFS and DH Group Parameters
- Defining the Tunnel MTU
Limiting Interface Instantiations on Each Profile
You can define the maximum number of tunnel-service interfaces to be used on a tunnel-server port. Once the profile reaches the maximum number of interfaces, the profile rejects any new interface instantiations and generates a warning-level log. The default value (using the no version of the command) specifies unlimited interface instantiation on a given profile.
To define the maximum number of interfaces that the IPsec tunnel profile can instantiate:
- From IPsec Tunnel Profile Configuration mode, define the maximum number of interfaces.
host1(config-ipsec-tunnel-profile)#max-interfaces 500
Use the no version to return the maximum value to unlimited, indicating no limit to the number of interfaces that can be instantiated on this profile.
Specifying IKE Settings for IPsec Tunnels
To define the IKE local identity and IKE peer identity values, perform the following tasks:
Setting the IKE Local Identity
You can set the IKE local identity (phase 1 identity) used for IKE security association negotiations.
To set the IKE local identity used for IKE security association (SA) negotiations:
- From IPsec Tunnel Profile Configuration mode, set the IKE local identity.
host1(config-ipsec-tunnel-profile)#ike local-identity domain-name domain1
Use the no version to remove the specified IKE local identity.
Note: The authentication algorithm for an IKE SA is associated with its identity. You must ensure that the client and server are set accordingly to successfully establish IKE security associations.
Setting the IKE Peer Identity
You can set the IKE peer identity values used for IKE security association (SA) negotiations. The ike peer-identity distinguished-name, ike peer-identity domain-name, ike peer-identity ip address, and ike peer-identity username commands are used to set the required IKE peer identity values.
To set the IKE peer identity values:
- From IPsec Tunnel Profile Configuration mode, set the specified IKE peer identity value.
host1(config-ipsec-tunnel-profile)#ike peer-identity domain-name domain2
Use the no version to remove the specified IKE peer identity.
Note: You can also use the wildcard (*) for the username and domain name or as the first or last character in the username or domain name string.
Appending a Domain Suffix to a Username
The VPN to which a user is to be terminated is sometimes known from the IKE identities attached to the user. However, to assist in connecting users to the correct AAA domain for authentication, you can append a domain suffix to the username. Using the default, no domain suffix, passes usernames transparently to AAA.
To append a domain suffix to user-provided usernames on a profile:
- From IPsec Tunnel Profile Configuration mode, append a domain suffix.
host1(config-ipsec-tunnel-profile)#domain-suffix domain2
Use the no version to restore the default value, no domain suffix, and usernames are passed transparently to AAA.
Overriding IPsec Local and Peer Identities for SA Negotiations
You can override the local and peer identities used for SA negotiations. For IPsec negotiations to succeed, the local and peer identities at one end of the tunnel must match the peer and local identities at the other end (respectively).
- To override the local identity (phase 2 identity) used for IPsec security association negotiations, from IPsec Tunnel Profile Configuration mode, override the local identity.
host1(config-ipsec-tunnel-profile)#local ip identity range 10.30.11.1 10.30.11.50
Use the no version to restore the default value, the internal IP address allocated for the subscriber.
- To override the peer identity (phase 2 identity) used for IPsec security association negotiations, from IPsec Tunnel Profile Configuration mode, override the peer identity.
host1(config-ipsec-tunnel-profile)#peer ip identity address 10.227.1.2
Use the no version to restore the default value, the internal IP address allocated for the subscriber.
Specifying an IP Profile for IP Interface Instantiations
You can specify the IP profile that the IPsec layer passes on to the IP layer upon request for upper-layer instantiation.
To specify the IP profile that is passed from the IPsec layer to the IP layer:
- From IPsec Tunnel Profile Configuration mode, specify the IP profile.
host1(config-ipsec-tunnel-profile)#ip profile ipProfile1
Use the no version to remove the association with this profile.
Defining the Server IP Address
You can define the specified local IP address as the server address. The router monitors UDP port 500 for incoming login requests (that is, IKE SA negotiations) from users.
Note: This address is typically made public to all users trying to connect to a VPN on this router.
This command enables you to optionally set a global preshared key for the specified server address. When using global preshared keys, keep the following in mind:
- Global preshared keys enable a group of users to share a single authentication key, simplifying the administrative job of setting up keys for multiple users.
- Specific keys for individual users have higher priority than global keys. If both individual and global keys are configured, an individual user who also has a specific key must use that key, or authentication fails.
- More than one profile can specify the same local endpoint and virtual router. Because the last value set overrides the other, we recommend that you avoid this type of configuration.
To specify the given local IP address as a server address:
- From IPsec Tunnel Profile Configuration mode, specify the local IP address.
host1(config-ipsec-tunnel-profile)#local ip address 192.2.52.12
Use the no version to stop the router from monitoring UDP port 500 for user requests and remove any preshared key associations with the local IP address.
Specifying Local Networks
You can specify local networks that are reachable through the IPsec tunnel. This type of “split tunneling” enables a remote station to separate VPN traffic from Internet traffic. For example, a client connecting to a corporate intranet could use split tunneling to send all traffic destined for 10.0.0.0/8 through the secure tunnel to reach the VPN. Other traffic (for example, Web browsing) would travel directly to the Internet through the local service provider without passing through the tunnel.
Note: Split tunneling functions only when supported by the client software. It is up to the client to modify its routing table with the network information for split tunneling to occur. You can configure up to 16 networks for this method of “split tunneling.”
To specify networks that are reachable through the IPsec tunnel:
- From IPsec Tunnel Profile Configuration mode, specify the network.
host1(config-ipsec-tunnel-profile)#local ip network 10.0.0.0 255.255.255.252
Use the no version to remove the specified network from the reachable list.
Defining IPsec Security Association Lifetime Parameters
You can define the IPsec SA lifetime parameters the tunnel profile can use for IPsec SA negotiations. These parameters include the phase 2 lifetime as a range in seconds or traffic volume.
To specify the IPsec lifetime parameters used on IPsec SA lifetime negotiations:
- From IPsec Tunnel Profile Configuration mode, specify the IPsec lifetime parameters.
host1(config-ipsec-tunnel-profile)#lifetime seconds 5000 25000
Use the no version to return the lifetime to its default value, 28800 seconds (8 hours) and no traffic volume limit.
Defining User Reauthentication Protocol Values
You can specify the extended user authentication protocol for use during the extended user authentication protocol exchange. You can use the re-authenticate keyword to enable the reauthentication option (a subsequent authentication procedure). When this option is enabled, rekeying of IKE SAs uses the initial authentication protocol to reauthenticate the user. When this option is disabled, authentication is performed only at the first IKE SA establishment; subsequent IKE SA rekey operations inherit the initial authentication and do not reauthenticate users. You can use the skip-peer-config keyword to prevent the router from configuring peer IP characteristics.
Note: For maximum security, enable reauthentication.
To specify the extended user authentication protocol for use during the extended user authentication protocol exchange:
- From IPsec Tunnel Profile Configuration mode, specify the extended user authentication protocol.
host1(config-ipsec-tunnel-profile)#extended-authentication chap
Use the no version to reset the extended authentication to the default protocol, pap.
Specifying IPsec Security Association Transforms
You can specify the IPsec transforms that IPsec SA negotiations can use for this profile. The router accepts the first transform proposed by a client that matches one of the transforms specified by this command. During an IPsec SA exchange with a client, the router proposes all transforms specified by this command and one is accepted by the client.
Note: You can specify up to six transform algorithms for this profile.
To specify the eligible transforms for this profile for IPsec security association negotiations:
- From IPsec Tunnel Profile Configuration mode, specify the eligible transforms.
host1(config-ipsec-tunnel-profile)#transform ah-hmac-md5
Use the no version to reset the transform to the default, esp-3des-sha1.
Specifying IPsec Security Association PFS and DH Group Parameters
You can specify the IPsec SA perfect forward secrecy (PFS) option and Diffie-Hellman prime modulus group that IPsec SA negotiations can use for this profile.
Note: When the client initiates the IPsec negotiation, the router can accept Diffie-Hellman prime modulus groups that are higher than those configured.
To configure perfect forward secrecy for connections created with this IPsec tunnel configuration profile by assigning a Diffie-Hellman prime modulus group:
- From IPsec Tunnel Profile Configuration mode, specify the perfect forward secrecy group.
host1(config-ipsec-tunnel-profile)#pfs group 5
Use the no version to remove PFS from the profile.
Defining the Tunnel MTU
You can configure the maximum transmission unit size for the tunnel.
To specify the maximum transmission unit size for a particular tunnel:
- From IPsec Tunnel Profile Configuration mode, configure the size.
host1(config-ipsec-tunnel-profile)#tunnel mtu 3000
Use the no version to restore the default value, an MTU size of 1400 bytes.
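The limits this topic states (up to 16 split-tunnel networks, up to six transforms, the lifetime given as a range, PFS and reauthentication as options) can be checked offline against a captured profile. The following Python linter is an added example, not Juniper code; SAMPLE_CONFIG is a constructed, deliberately flawed set of the host1(config-ipsec-tunnel-profile)# commands shown above, and the re-authenticate check assumes that keyword is entered on the extended-authentication line.

```python
"""Lint a captured IPsec tunnel-profile configuration against the limits stated in this topic.
Added example, not Juniper code; SAMPLE_CONFIG is constructed and deliberately flawed."""
import ipaddress

PROMPT = "host1(config-ipsec-tunnel-profile)#"
MAX_NETWORKS, MAX_TRANSFORMS = 16, 6  # split-tunnel networks / transform algorithms per profile
# Command names used in this topic; parse_profile picks the longest name that matches a line.
COMMANDS = ("max-interfaces", "ike local-identity", "ike peer-identity", "domain-suffix",
            "local ip identity", "peer ip identity", "ip profile", "local ip address",
            "local ip network", "lifetime", "extended-authentication", "transform",
            "pfs group", "tunnel mtu")

SAMPLE_CONFIG = f"""{PROMPT}local ip network 10.0.0.0 255.255.255.252
{PROMPT}local ip network 10.1.0.0 255.0.255.0
{PROMPT}lifetime seconds 25000 5000
{PROMPT}transform ah-hmac-md5
{PROMPT}extended-authentication chap
"""

def parse_profile(text):
    # Map each command name to the list of argument lists entered for it.
    cmds = {}
    for body in (ln[len(PROMPT):].strip() for ln in text.splitlines() if ln.startswith(PROMPT)):
        name = max((c for c in COMMANDS if body.startswith(c)), key=len, default=None)
        if name:
            cmds.setdefault(name, []).append(body[len(name):].split())
    return cmds

def lint_profile(text):
    # Return a list of findings; an empty list means every check passed.
    cmds, findings = parse_profile(text), []
    nets = cmds.get("local ip network", [])
    if len(nets) > MAX_NETWORKS:
        findings.append(f"{len(nets)} split-tunnel networks exceed the limit of {MAX_NETWORKS}")
    for addr, mask in nets:
        try:  # ipaddress rejects non-contiguous masks such as 255.0.255.0
            ipaddress.IPv4Network((addr, mask), strict=False)
        except ValueError:
            findings.append(f"invalid network/mask: {addr} {mask}")
    transforms = [a[0] for a in cmds.get("transform", []) if a]
    if len(transforms) > MAX_TRANSFORMS:
        findings.append(f"{len(transforms)} transforms exceed the limit of {MAX_TRANSFORMS}")
    for t in transforms:
        if t.startswith("ah-"):  # AH authenticates packets but does not encrypt them
            findings.append(f"transform {t} provides integrity only, no confidentiality")
    for a in cmds.get("lifetime", []):
        if len(a) == 3 and a[0] == "seconds" and int(a[1]) > int(a[2]):
            findings.append(f"lifetime seconds {a[1]} {a[2]}: lower bound is above upper bound")
    if "pfs group" not in cmds:
        findings.append("no pfs group: phase 2 keys are not protected by perfect forward secrecy")
    xauth = cmds.get("extended-authentication", [[]])[0]
    if "re-authenticate" not in xauth:  # assumption: keyword is entered on this command line
        findings.append("extended-authentication without re-authenticate: IKE rekeys skip reauthentication")
    return findings
```

Running lint_profile(SAMPLE_CONFIG) reports the bad mask, the inverted lifetime range, the AH-only transform, the missing PFS group and the missing reauthentication; a profile with pfs group, an esp transform, an ordered lifetime range and re-authenticate returns no findings.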
Related Documentation
- Creating an IPsec Tunnel Profile
- extended-authentication
- ike local-identity
- ike peer-identity distinguished-name
- ike peer-identity domain-name
- ike peer-identity ip address
- ike peer-identity username
- ip profile
- lifetime
- local ip address
- local ip identity
- local ip network
- max-interfaces
- peer ip identity
- pfs group
- transform
- tunnel mtu