Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Considering General IPsec Issues

Before you configure IPsec, it is helpful to understand some general guidelines.

  • IPv4 and IPv6 traffic and tunnels—You can configure IPsec tunnels to carry traffic in the following ways: IPv4 traffic traveling over IPv4 IPsec tunnels, IPv6 traffic traveling over IPv4 IPsec tunnels, IPv4 traffic traveling over IPv6 IPsec tunnels, and IPv6 traffic traveling over IPv6 IPsec tunnels.

  • Configuration syntax differences between the AS and MultiServices PICs and the ES PIC—There are slight differences in the configuration statements and operational mode commands that are used with the PICs that support IPsec. As a result, the syntax for the AS and MultiServices PICs cannot be used interchangeably with the syntax for the ES PIC. However, the syntax for one type of PIC can be converted to its equivalent syntax on the other PIC for interoperability. The syntax differences are highlighted in Table 1.

  • Configuring keys for authentication and encryption—When preshared keys are required for authentication or encryption, you must use the guidelines shown in Table 2 to implement the correct key size.

  • Rejection of weak and semiweak keys—The DES and 3DES encryption algorithms will reject weak and semiweak keys. As a result, do not create and use keys that contain the patterns listed in Table 3.

Table 1: Comparison of IPsec Configuration Statements and Operational Mode Commands for the AS and MultiServices PICs and ES PIC

AS and MultiServices PICs Statements and Commands

ES PIC Statements and Commands
Configuration Mode Statements

[edit service-set name ]

[edit services ipsec-vpn ike]

  • policy {...}

  • proposal {...}

[edit security ike]

  • policy {...}

  • proposal {...}

[edit services ipsec-vpn ipsec]

  • policy {...}

  • proposal {...}

[edit security ipsec]

  • policy {...}

  • proposal {...}

[edit services ipsec-vpn rule rule-name ]

  • remote-gateway address

[edit interface es- fpc / pic /port ]

  • tunnel destination address

[edit services ipsec-vpn rule rule-name term term-name]

  • from match-conditions {...} then dynamic {...}

  • from match-conditions {...} then manual {...}

[edit security ipsec]

  • security-association name dynamic {...}

  • security-association name manual {...}

[edit services ipsec-vpn rule-set]

[edit services service-set ipsec-vpn]

  • local-gateway address

[edit interface es- fpc /pic /port ]

  • tunnel source address

Operational Mode Commands

clear security pki ca-certificate

clear security pki certificate-request

clear security pki local-certificate

clear services ipsec-vpn certificates

request security pki ca-certificate enroll

request security certificate (unsigned)

request security pki ca-certificate load

request system certificate add

request security pki generate-certificate-request

request security pki generate-key-pair

request security key-pair

request security pki local-certificate enroll

request security certificate (signed)

request security pki local-certificate load

request system certificate add

show security pki ca-certificate

show system certificate

show security pki certificate-request

show security pki crl

show security pki local-certificate

show system certificate

show services ipsec-vpn certificates

show ipsec certificates

show services ipsec-vpn ike security-associations

show ike security-associations

show services ipsec-vpn ipsec security-associations

show ipsec security-associations
Table 2: Authentication and Encryption Key Lengths
 

Number of Hexadecimal Characters

Number of ASCII Characters

Authentication

    

HMAC-MD5-96

32

16

HMAC-SHA1-96

40

20

Encryption

    

AES-128-CBC

16

32

AES-192-CBC

24

48

AES-256-CBC

32

64

DES-CBC

16

8

3DES-CBC

48

24
Table 3: Weak and Semiweak Keys

Weak Keys

      

0101

0101

0101

0101

1F1F

1F1F

1F1F

1F1F

E0E0

E0E0

E0E0

E0E0

FEFE

FEFE

FEFE

FEFE
Semiweak Keys

01FE

01FE

01FE

01FE

1FE0

1FE0

0EF1

0EF1

01E0

01E0

01F1

01F1

1FFE

1FFE

0EFE

0EFE

011F

011F

010E

010E

E0FE

E0FE

F1FE

F1FE

FE01

FE01

FE01

FE01

E01F

E01F

F10E

F10E

E001

E001

F101

F101

FEF1

FEF1

FE0E

FE0E

1F01

1F01

0E01

0E01

FEE0

FEE0

FEF1

FEF1

Keep in mind the following limitations of IPsec services on the AS PIC:

  • The AS PIC does not transport packets containing IPv4 options across IPsec tunnels. If you try to send packets containing IP options across an IPsec tunnel, the packets are dropped. Also, if you issue a ping command with the record-route option across an IPsec tunnel, the ping command fails.

  • The AS PIC does not transport packets containing the following IPv6 options across IPsec tunnels: hop-by-hop, destination (Type 1 and 2), and routing. If you try to send packets containing these IPv6 options across an IPsec tunnel, the packets are dropped.

  • Destination class usage is not supported with IPsec services on the AS PIC.