I recently started the blog under the tag IPsec. Anyone having background in this regard would know that this topic is too elaborate to be covered with a single article. I will be doing a series of articles to touch as many details as I can. But first things first: you need to know about the basics of IPsec. I would like to share with you a way to configure an IPsec tunnel under main mode.
Please note in advance the following is a precise configuration for when we need to use pre-shared keys as the default mechanisms. For the authenticating peers with main mode and different authentication and encryption algorithms. We will be having a question at the end of article about data transfer just to brush up the networking spark in you.
For establishing an IPsec tunnel between two sites, we have two major steps, i.e. IKE phase I and II which were described in our previous article. A link to the article is given in the reference section.
Setting up of IKE Phase I
In IKE phase I, we have to define an ‘IKE proposal, IKE policy and IKE gateway’.
IKE proposal consists of the authentication method. This is the same proposal where Diffie Hellmann aka
dh-group is defined. Here I am using authentication algorithm
md5 where as encryption algorithm
3des-cbc is applied. The lifetime for the tunnels is configured to be
86400 seconds. To attain these settings, the following set of commands are run on CLI to complete our proposal.
set security ike proposal IKE-PRO authentication-method pre-shared-keys set security ike proposal IKE-PRO dh-group group2 set security ike proposal IKE-PRO authentication-algorithm md5 set security ike proposal IKE-PRO encryption-algorithm 3des-cbc set security ike proposal IKE-PRO lifetime-seconds 86400
As already discussed before we have two modes of IPsec, main and aggressive. For now, we will be focusing on configuration using main mode. Now, we need to attach the proposal defined in previous step in following manner, and define any keyword. We use keyisF@izan for our pre-shared key as follows;
set security ike policy IKE-POL-PR mode main set security ike policy IKE-POL-PR proposals IKE-PRO set security ike policy IKE-POL-PR pre-shared-key ascii-text &lt;keyisF@izan&gt;
IKE Gateway is the last step in configuration of IKE phase I. As the name suggests it is used for setting the gateway policy for IPsec traffic. Now we are going to define the IKE gateway IP address from where the traffic is to be sent to (the remote end) and physical interface.
set security ike gateway IKE-U8-GW ike-policy IKE-POL-PR set security ike gateway IKE-U8-GW address 10.152.9.150 set security ike gateway IKE-U8-GW external-interface reth3.0
IKE Phase II
After completing the phase I, we have to now exchange parameters for our IPsec tunnel. This is done in IKE phase II, we have to define an ‘IPsec proposal, IPsec policy and IPsec VPN’.
In IPsec proposal, we define a proposal named
IPSEC-PRO and apply
esp as its protocol method. Just the way in phase I, we define authentication and encryption algorithms here. For this part,
3des-cbc are applied as follows.
set security ipsec proposal IPSEC-PRO protocol esp set security ipsec proposal IPSEC-PRO authentication-algorithm hmac-md5-96 set security ipsec proposal IPSEC-PRO encryption-algorithm 3des-cbc
In this portion, we set to define a policy in which we attach IPsec proposal from previous step like this.
set security ipsec policy IPSEC-POL proposals IPSEC-PRO
Finally, we will bind a respective logical/tunnel interface which is the actual interface for handling this VPN. A gateway policy is also defined and in the last part, we want our tunnel to get up and running immediately.
set security ipsec vpn IPSEC-08-VPN bind-interface st0.8 set security ipsec vpn IPSEC-08-VPN ike gateway IKE-U8-GW set security ipsec vpn IPSEC-08-VPN ike ipsec-policy IPSEC-POL set security ipsec vpn IPSEC-08-VPN establish-tunnels immediately
So guys, this pretty much wraps it up. We have successfully established an IPsec tunnel having the specifications mentioned in the configuration.
Food for thought
With this piece of configuration, you can get a maximum of 20 Mbps traffic on each site, what parameter(s) you choose to change in order to increase or decrease this threshold? We would love to hear back from you. Thanks for reading and stay tune for more configuration examples of IPsec.