*A:ALA-49>config# info
----------------------------------------------
...
    card 1
        card-type iom2-20g
        mda 1
            mda-type m10-1gb-sfp
        exit
        mda 2
            mda-type isa-tunnel
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#
The following output displays a tunnel-group configuration in the isa context. The primary command identifies the slot/MDA (here 1/2, the isa-tunnel MDA configured above) that acts as the primary ISA module for the IPsec tunnel group.
*A:ALA-49>config# info
----------------------------------------------
...
    isa
        tunnel-group 1 create
            primary 1/2
            no shutdown
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#
*A:ALA-49>config# info
----------------------------------------------
...
    router
        interface "internet"
            address 10.10.7.118/24
            port 1/1/1
        exit
        interface "system"
            address 10.20.1.118/32
        exit
        autonomous-system 123
    exit
...
----------------------------------------------
*A:ALA-49>config#
*A:ALA-49>config# info
----------------------------------------------
...
    ipsec
        ike-policy 1 create
            ipsec-lifetime 300
            isakmp-lifetime 600
            pfs
            auth-algorithm md5
            dpd interval 10 max-retries 5
        exit
        ipsec-transform 1 create
            esp-auth-algorithm sha1
            esp-encryption-algorithm aes128
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#
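The ike-policy above selects auth-algorithm md5 and never sets ike-version, and the ipsec-transform pairs AES-128 with SHA-1. The following script is an added example, not SR OS code: it parses an indented info dump into a tree (using indentation rather than exit lines, so it also works on partial pastes) and lints every ike-policy and ipsec-transform it finds. The weak sample is the block shown above; the hardened sample is this example's own suggestion, and its keyword values (ike-version 2, sha256, aes256) are assumed to be valid on the release in use. The algorithm classification is the example's own policy, informed by RFC 8247.

```python
"""Indent-based parser for SR OS `info` output plus a small IKE/IPsec lint.

Added example, not part of the SR OS documentation or product. Context
nesting is recovered from indentation (`exit` lines are skipped). Algorithm
classes below are this example's policy: RFC 8247 lists HMAC-MD5-96 as
MUST NOT for IKEv2 and HMAC-SHA1-96 as on its way out.
"""

# Constructed sample: the ike-policy / ipsec-transform pair shown on the page.
SAMPLE_WEAK = """\
    ipsec
        ike-policy 1 create
            ipsec-lifetime 300
            isakmp-lifetime 600
            pfs
            auth-algorithm md5
            dpd interval 10 max-retries 5
        exit
        ipsec-transform 1 create
            esp-auth-algorithm sha1
            esp-encryption-algorithm aes128
        exit
    exit
"""

# Constructed sample: the same policy with this example's suggested settings.
# Keyword values are assumed valid for the release; check the command reference.
SAMPLE_HARDENED = """\
    ipsec
        ike-policy 1 create
            ike-version 2
            ipsec-lifetime 300
            isakmp-lifetime 600
            pfs
            auth-algorithm sha256
            dpd interval 10 max-retries 5
        exit
        ipsec-transform 1 create
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes256
        exit
    exit
"""

BROKEN_AUTH = {"md5", "null"}
LEGACY_AUTH = {"sha1"}
BROKEN_ENC = {"null", "des", "3des"}


def parse_info(text):
    """Build a (line, children) tree from an indented info dump."""
    root = ("root", [])
    stack = [(-1, root)]                      # (indent, node)
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body == "exit":        # the dedent already closes the context
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:         # pop deeper and sibling contexts
            stack.pop()
        node = (body, [])
        stack[-1][1][1].append(node)
        stack.append((indent, node))
    return root


def walk(node, path=()):
    """Yield (path, children) for every node, depth first."""
    for line, children in node[1]:
        here = path + (line,)
        yield here, children
        yield from walk((line, children), here)


def lint_ipsec(text):
    """Return [(severity, context, message)] for every ike-policy and
    ipsec-transform context found in `text`."""
    findings = []
    for path, children in walk(parse_info(text)):
        head = path[-1]
        # leaf settings of this context, keyed by their first keyword
        leaf = {c[0].split()[0]: c[0].split()[1:] for c in children if not c[1]}
        first = lambda key: (leaf.get(key) or [""])[0]
        if head.startswith("ike-policy"):
            alg = first("auth-algorithm")
            if alg in BROKEN_AUTH:
                findings.append(("error", head, f"auth-algorithm {alg}: not acceptable for IKE integrity, use sha256 or stronger"))
            elif alg in LEGACY_AUTH:
                findings.append(("warn", head, f"auth-algorithm {alg}: prefer sha256 or stronger"))
            if first("ike-version") != "2":
                findings.append(("warn", head, "ike-version 2 not set explicitly; new tunnels should run IKEv2"))
            if "pfs" not in leaf:
                findings.append(("warn", head, "pfs not enabled: child SA keys then depend on the IKE SA secret alone"))
        elif head.startswith("ipsec-transform"):
            if not leaf:
                findings.append(("info", head, "no algorithms set; platform defaults apply, verify them"))
                continue
            auth, enc = first("esp-auth-algorithm"), first("esp-encryption-algorithm")
            if auth in BROKEN_AUTH:
                findings.append(("error", head, f"esp-auth-algorithm {auth}: no acceptable integrity protection"))
            elif auth in LEGACY_AUTH:
                findings.append(("warn", head, f"esp-auth-algorithm {auth}: prefer sha256 or stronger"))
            if enc in BROKEN_ENC:
                findings.append(("error", head, f"esp-encryption-algorithm {enc}: use aes128 or stronger"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, lint_ipsec(sample) or "clean")
```

Run it against a full `admin display-config` or `info` capture rather than the excerpt; the parser is indifferent to which contexts surround the policies. Note that an ipsec-transform with an empty body (as in the cert-auth examples later on this page) inherits platform defaults, which the lint reports as an item to verify rather than guessing them.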
The following output displays an IES and VPRN service with IPSec parameters configured.
*A:ALA-49>config# info
----------------------------------------------
...
    service
        ies 100 customer 1 create
            interface "ipsec-public" create
                address 10.10.10.1/24
                sap tunnel-1.public:1 create
                exit
            exit
            no shutdown
        exit
        vprn 200 customer 1 create
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip 172.17.118.0/24
                        remote-ip 172.16.91.0/24
                    exit
                exit
            exit
            route-distinguisher 1:1
            ipsec-interface "ipsec-private" tunnel create
                sap tunnel-1.private:1 create
                    ipsec-tunnel "remote-office" create
                        security-policy 1
                        local-gateway-address 10.10.10.118 peer 10.10.7.91 delivery-service 100
                        dynamic-keying
                            ike-policy 1
                            pre-shared-key "humptydumpty"
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            interface "corporate-network" create
                address 172.17.118.118/24
                sap 1/1/2 create
                exit
            exit
            static-route 172.16.91.0/24 ipsec-tunnel "remote-office"
            no shutdown
        exit
    exit
...
----------------------------------------------
*A:ALA-49>config#
admin certificate gen-keypair cf3:/key_plain_rsa2048 size 2048 type rsa
admin certificate gen-local-cert-req keypair cf3:/key_plain_rsa2048 subject-dn "C=US,ST=CA,CN=7750" file 7750_req.csr
Note: since Release 12.0R1 the system encodes the common-name field as a UTF8String rather than a PrintableString. If a PrintableString is required for compatibility with the CA or the peer, add the use-printable option to the gen-local-cert-req command to restore the legacy encoding.
admin certificate import type key input cf3:/key_plain_rsa2048 output key1_rsa2048 format der
admin certificate import type cert input cf3:/7750_cert.pem output 7750cert format pem
admin certificate import type cert input cf3:/CA_1_cert.pem output ca_cert format pem
admin certificate import type crl input cf3:/CA_1_crl.pem output ca_crl format pem
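The encoding difference in the note above is a single ASN.1 tag byte in the subject Name: 0x0C for UTF8String, 0x13 for PrintableString. The following added example (not SR OS code) encodes the subject-dn from the gen-local-cert-req command in both forms and decodes a DER Name to report which string type each attribute uses, which is how to check what a CA or peer actually receives in a CSR. It assumes only the C, ST and CN attributes, one attribute per RDN, and that C is always a PrintableString as X.520 requires; the use-printable choice is modelled as applying to the other attributes.

```python
"""DER encoding of an X.501 Name: UTF8String versus PrintableString.

Added example, not SR OS code. Assumptions: only C, ST and CN are
supported, one attribute per RDN, and C is always PrintableString as X.520
requires (the use-printable choice applies to the other attributes).
"""

OID = {"C": "2.5.4.6", "ST": "2.5.4.8", "CN": "2.5.4.3"}
TAG_UTF8, TAG_PRINTABLE = 0x0C, 0x13
TAG_NAME = {TAG_UTF8: "UTF8String", TAG_PRINTABLE: "PrintableString"}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")


def _length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _oid(dotted):
    """Encode a dotted OID (base-128 arcs, first two arcs folded)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(dn, use_printable=False):
    """Encode "C=US,ST=CA,CN=7750" as a DER Name. use_printable mirrors the
    legacy behaviour: every attribute is emitted as a PrintableString."""
    rdns = b""
    for item in dn.split(","):
        attr, value = (s.strip() for s in item.split("=", 1))
        if attr == "C" or use_printable:
            if not set(value) <= PRINTABLE:
                raise ValueError(f"{attr}={value!r} cannot be a PrintableString")
            tag = TAG_PRINTABLE
        else:
            tag = TAG_UTF8
        atv = _tlv(0x30, _oid(OID[attr]) + _tlv(tag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)           # each RDN is a SET holding one attribute
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Return [(attribute, string_type, value)] for a DER-encoded Name."""
    by_oid = {v: k for k, v in OID.items()}
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_body, p = _read_tlv(atv, 0)
        stag, value, _ = _read_tlv(atv, p)
        oid = _decode_oid(oid_body)
        out.append((by_oid.get(oid, oid), TAG_NAME.get(stag, hex(stag)), value.decode("utf-8")))
    return out


if __name__ == "__main__":
    for legacy in (False, True):
        print(decode_name(encode_name("C=US,ST=CA,CN=7750", use_printable=legacy)))
```

To inspect a real CSR instead, feed decode_name the subject Name extracted from the DER (for example with `openssl asn1parse -in 7750_req.csr -strparse <offset>`); a CA that rejects UTF8String subjects will show up as the 0x0C tag on the CN, and use-printable is the fix on the router side.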
config>system>security>pki# info
----------------------------------------------
    ca-profile "alu-root" create
        cert-file "alu_root.cert"
        crl-file "alu_root.crl"
        no shutdown
    exit
----------------------------------------------
config>ipsec# info
----------------------------------------------
    ike-policy 1 create
        ike-version 2
        auth-method cert-auth
    exit
    ipsec-transform 1 create
    exit
    cert-profile "segw" create
        entry 1 create
            cert segw.cert
            key segw.key
        exit
        no shutdown
    exit
    trust-anchor-profile "alu" create
        trust-anchor "alu-root"
    exit
config>service>vprn>if>sap
----------------------------------------------
    ipsec-tunnel "t50" create
        security-policy 1
        local-gateway-address 192.168.55.30 peer 192.168.33.100 delivery-service 300
        dynamic-keying
            ike-policy 1
            transform 1
            cert
                trust-anchor-profile "alu"
                cert-profile "segw"
            exit
        exit
        no shutdown
    exit
*A:SR-7/Dut-A# admin certificate import type cert input cf3:/pre-import/R1-0cert.pem output R1-0cert.der format pem
*A:SR-7/Dut-A# admin certificate export type cert input R1-0cert.der output cf3:/R1-0cert.pem format pem
config>redundancy>multi-chassis
----------------------------------------------
    peer 2.2.2.2 create
        mc-ipsec
            bfd-enable
            tunnel-group 1 create
                peer-group 2
                priority 120
                no shutdown
            exit
        exit
        no shutdown
    exit
The peer's tunnel-group id is not necessarily the same as the local tunnel-group id. With bfd-enable, the BFD parameters are taken from the interface on which the MIMP source address resides, which must be a loopback interface in the base routing instance; the default MIMP source address is the system address. The keep-alive-interval and hold-on-neighbor-failure parameters define MIMP liveness detection, but BFD can be enabled for faster detection of a chassis failure.
The SR OS also provides a tools command to manually trigger a switchover, for example:
tools perform redundancy multi-chassis mc-ipsec force-switchover tunnel-group 1
config>redundancy>multi-chassis>
----------------------------------------------
    peer 2.2.2.2 create
        sync
            ipsec
            tunnel-group 1 sync-tag "sync_tag_1" create
            no shutdown
        exit
The sync-tag must match on both chassis for the corresponding tunnel-groups.
config>router>policy-options>
----------------------------------------------
    policy-statement "exportOSPF"
        entry 10
            from
                protocol ipsec
                state ipsec-master-with-peer
            exit
            action accept
                metric set 500
            exit
        exit
        entry 20
            from
                protocol ipsec
                state ipsec-non-master
            exit
            action accept
                metric set 1000
            exit
        exit
        entry 30
            from
                protocol ipsec
                state ipsec-master-without-peer
            exit
            action accept
                metric set 1000
            exit
        exit
    exit
config>service>ies>
    interface "ipsec-pub" create
        address 172.16.100.254/24
        sap tunnel-1.public:100 create
        exit
        static-tunnel-redundant-next-hop 1.1.1.1
    exit
config>service>vprn>
    interface "ipsec-priv" tunnel create
        …
        static-tunnel-redundant-next-hop 7.7.7.1
    exit
static-tunnel-redundant-next-hop: shunting next-hop for a static tunnel.
dynamic-tunnel-redundant-next-hop: shunting next-hop for a dynamic tunnel.
config>system>security>pki>ca-profile
    cmpv2
        url <url-string> [service-id <service-id>]
        response-signing-cert <filename>
        key-list
            key <password> reference <reference-number>
The url command specifies the HTTP URL of the CMPv2 server; service-id specifies the routing instance the system uses to reach the CMPv2 server (if omitted, the base routing instance is used).
The response-signing-cert command specifies an imported certificate that is used to verify CMP response messages when they are protected by a signature. If this command is not configured, the CA's certificate is used.
The key-list specifies the pre-shared keys used to protect the CMPv2 initial-registration messages.
config>system>security>pki>ca-profile>
    cmpv2
        url "http://cmp.example.com/request" service-id 100
        key-list
            key passwordToBeUsed reference "1"
If no key-list is defined under cmpv2, the system falls back to the key given on the command line of the cmpv2 transaction when authenticating a message that carries no sender ID (the CMP senderKID field). If the response carries no sender ID and a key-list is defined, the system tries only the lexicographically first entry; if that fails, the transaction fails.
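The lexicographic rule above is a trap when references are numeric: "10" sorts before "2", so a CA that omits senderKID will be checked against the wrong entry. The following added example (not SR OS code) implements the CMPv2 password-based MAC of RFC 4210 section 5.1.3.1 together with that key-selection rule, and shows the failure. It assumes the key-list is a mapping from reference number to password, that the reference is what the CA echoes back as senderKID, and uses SHA-256 as the one-way function and HMAC-SHA256 as the MAC (RFC 4210 leaves both to the PBMParameter carried in the message).

```python
"""CMPv2 password-based MAC (RFC 4210 section 5.1.3.1) with the key-list
selection rule described above.

Added example, not SR OS code. Assumptions: the key-list is a mapping
{reference-number: password}, the reference is what the CA echoes as the
PKIHeader senderKID, and SHA-256 / HMAC-SHA256 are this example's choice of
OWF and MAC (RFC 4210 leaves both to the PBMParameter in the message).
"""
import hashlib
import hmac


def pbm_basekey(password, salt, iterations):
    """OWF(password || salt), then OWF applied iterations-1 more times."""
    if iterations < 1:
        raise ValueError("iterationCount must be >= 1")
    key = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        key = hashlib.sha256(key).digest()
    return key


def pbm_mac(password, salt, iterations, protected_part):
    """MAC over the DER ProtectedPart (header + body) under the derived basekey."""
    return hmac.new(pbm_basekey(password, salt, iterations), protected_part, hashlib.sha256).digest()


def select_key(key_list, sender_kid, cli_key=None):
    """Choose the secret to verify a response with. Returns (reference, password).

    - senderKID present: the entry with that reference, and nothing else.
    - no senderKID, key-list configured: only the lexicographically first
      reference is tried ("10" sorts before "2").
    - no key-list: the key given on the command line of the cmpv2 transaction.
    A senderKID with no matching entry is treated as a failure; the page does
    not describe a fallback for that case and none is assumed here.
    """
    if sender_kid is not None:
        if sender_kid not in key_list:
            raise LookupError(f"no key-list entry for senderKID {sender_kid!r}")
        return sender_kid, key_list[sender_kid]
    if key_list:
        ref = min(key_list)
        return ref, key_list[ref]
    if cli_key is None:
        raise LookupError("no key-list and no key supplied on the command line")
    return None, cli_key


def verify_response(key_list, sender_kid, salt, iterations, protected_part, mac, cli_key=None):
    """True if the response MAC verifies under the key the rule selects."""
    try:
        _, password = select_key(key_list, sender_kid, cli_key)
    except LookupError:
        return False
    expected = pbm_mac(password, salt, iterations, protected_part)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # Constructed scenario: two references; the CA protects with "2" but omits senderKID.
    key_list = {"10": b"first-site-psk", "2": b"second-site-psk"}
    salt, iters = bytes(range(16)), 1000
    protected_part = b"\x30\x06\x02\x01\x02\x02\x01\x01"   # stand-in for the DER ProtectedPart
    mac = pbm_mac(key_list["2"], salt, iters, protected_part)
    print("with senderKID 2:  ", verify_response(key_list, "2", salt, iters, protected_part, mac))
    print("without senderKID: ", verify_response(key_list, None, salt, iters, protected_part, mac))
```

The practical consequence: if the CA cannot be relied on to return senderKID, keep a single entry in the key-list, or make sure the entry you expect it to use is the one that sorts first as a string.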
config>system>security>pki>ca-profile>
    ocsp
        responder-url <url-string>
        service <service-id>
The responder-url command specifies the HTTP URL of the OCSP responder; the service command specifies the routing instance the system uses to reach the OCSP responder.
config>system>security>pki>ca-profile>
    ocsp
        responder-url "http://ocsp.example.com/request"
        service 100
config>service>ies>if>sap>ipsec-gw>
config>service>vprn>if>sap>ipsec-gw>
config>service>vprn>if>sap>ipsec-tun>
    cert
        status-verify
            primary {ocsp|crl}
            secondary {ocsp|crl}
            default-result {revoked|good}
The primary method is tried first; the secondary method is consulted only when the primary cannot return an answer (for example, the OCSP responder is unreachable or no CRL is loaded), and default-result is the verdict applied when neither method can. default-result good therefore fails open: a revoked peer certificate is accepted whenever both revocation sources are unavailable, so use it only where that risk has been accepted.
config>service>ies>if>sap>ipsec-gw>
    cert
        status-verify
            primary ocsp
            secondary crl
config>system>security>pki# info
----------------------------------------------
    ca-profile "ALU-ROOT" create
        cert-file "ALU-ROOT.cert"
        crl-file "ALU-ROOT.crl"
        no shutdown
    exit
----------------------------------------------
A:SeGW>config>aaa# info
----------------------------------------------
    radius-server-policy "femto-aaa" create
        servers
            router "management"
            server 1 name "svr-1"
        exit
    exit
----------------------------------------------
A:SeGW>config>router# info
----------------------------------------------
    radius-server
        server "svr-1" address 10.10.10.1 secret "KR35xB3W4aUXtL8o3WzPD." hash2 create
        exit
    exit
----------------------------------------------
config>ipsec# info
----------------------------------------------
    ike-policy 1 create
        ike-version 2
        auth-method cert-radius
    exit
    ipsec-transform 1 create
    exit
    tunnel-template 1 create
        transform 1
    exit
    cert-profile "c1" create
        entry 1 create
            cert SeGW2.cert
            key SeGW2.key
        exit
        no shutdown
    exit
    trust-anchor-profile "tap-1" create
        trust-anchor "ALU-ROOT"
    exit
    radius-authentication-policy "femto-auth" create
        include-radius-attribute
            calling-station-id
            called-station-id
        exit
        password "DJzlyYKCefyhomnFcFSBuLZovSemMKde" hash2
        radius-server-policy "femto-aaa"
    exit
    radius-accounting-policy "femto-acct" create
        include-radius-attribute
            calling-station-id
            framed-ip-addr
        exit
        radius-server-policy "femto-aaa"
    exit
----------------------------------------------
config>service>ies# info
----------------------------------------------
    interface "pub" create
        address 172.16.100.0/31
        tos-marking-state untrusted
        sap tunnel-1.public:100 create
            ipsec-gw "rw"
                cert
                    trust-anchor-profile "tap-1"
                    cert-profile "c1"
                exit
                default-secure-service 400 interface "priv"
                default-tunnel-template 1
                ike-policy 1
                local-gateway-address 172.16.100.1
                radius-accounting-policy "femto-acct"
                radius-authentication-policy "femto-auth"
                no shutdown
            exit
        exit
    exit
    no shutdown
----------------------------------------------
A:SeGW>config>service>vprn# info
----------------------------------------------
    route-distinguisher 400:11
    interface "priv" tunnel create
        address 20.20.20.1/24
        sap tunnel-1.private:200 create
        exit
    exit
    interface "l1" create
        address 9.9.9.9/32
        loopback
    exit
    no shutdown
----------------------------------------------
• Configure the tunnel-template or ipsec-transform. (This is the same as configuring a dynamic LAN-to-LAN tunnel.)
config>system>security>pki# info
----------------------------------------------
    ca-profile "smallcell-root" create
        cert-file "smallcell-root-ca.cert"
        revocation-check crl-optional
        no shutdown
    exit
----------------------------------------------
config>ipsec# info
----------------------------------------------
    ike-policy 3 create
        ike-version 2
        auth-method cert-auth
        nat-traversal
    exit
    ipsec-transform 1 create
    exit
    cert-profile "segw-mlab" create
        entry 1 create
            cert SeGW-MLAB.cert
            key SeGW-MLAB.key
        exit
        no shutdown
    exit
    trust-anchor-profile "sc-root" create
        trust-anchor "smallcell-root"
    exit
    tunnel-template 1 create
        transform 1
    exit
----------------------------------------------
config>service>ies# info
----------------------------------------------
    interface "pub" create
        address 172.16.100.253/24
        tos-marking-state untrusted
        sap tunnel-1.public:100 create
            ipsec-gw "rw"
                default-secure-service 400 interface "priv"
                default-tunnel-template 1
                ike-policy 3
                local-address-assignment
                    ipv6
                        address-source router 400 dhcp-server "d6" pool "1"
                    exit
                    no shutdown
                exit
                local-gateway-address 172.16.100.1
                cert
                    trust-anchor-profile "sc-root"
                    cert-profile "segw-mlab"
                    status-verify
                        default-result good
                    exit
                exit
                local-id type fqdn value segwmobilelab.alu.com
                no shutdown
            exit
        exit
    exit
    no shutdown
----------------------------------------------
config>service>vprn# info
----------------------------------------------
    dhcp6
        local-dhcp-server "d6" create
            use-pool-from-client
            pool "1" create
                options
                    dns-server 2001::808:808
                exit
                exclude-prefix 2001:beef::101/128
                prefix 2001:beef::/96 failover access-driven pd wan-host create
                exit
            exit
            no shutdown
        exit
    exit
    route-distinguisher 400:1
    interface "priv" tunnel create
        ipv6
            address 2001:beef::101/96
        exit
        sap tunnel-1.private:200 create
        exit
    exit
    no shutdown
----------------------------------------------