Overview

IPsec overview

You can use the NFM-P to configure IPsec sessions and the Security Associations (SAs) that are required in a bidirectional IPsec tunnel. You can configure multiple IPsec tunnels for a VPRN.

NFM-P IPsec session configuration supports the following:

An IPsec VPN service includes IPsec tunnels that terminate on IES or VPRN IPsec gateways. These gateways support L3 forwarding through an interface that connects to an IPsec tunnel. You can use the NFM-P to configure VPRN services to which individual hosts can connect over the Internet to an IES or VPRN IPsec gateway. You can configure one or more tunnel interfaces in a VPRN service, and can configure multiple tunnel security profiles for each tunnel interface.

IKE policies are used to negotiate IPsec SAs between IPsec peers. An SA is a relationship between two or more IPsec peers that defines how the peers communicate securely. IKE policies are exchanged between IPsec peers to negotiate a secure communication channel; the policies specify how traffic is encrypted between source and destination sites in an IPsec VPN by establishing a shared security policy using authentication keys.

IPsec transform policies specify the protocol for the IPsec authentication header and the encryption protocol for the Encapsulating Security Payload (ESP) and define the attributes that are used to secure the data.
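The following is an added illustration of what the two paragraphs above describe: how IKE policy proposals from two peers are matched to arrive at one shared SA definition, and how a policy can be audited for weak algorithms before it is deployed. It is example code written for this page, not NFM-P's own implementation or API; the proposal entries, the negotiation rule (first initiator preference the responder also accepts) and the weak-algorithm lists are constructed assumptions.

```python
# Added example: a small model of IKE policy matching between two IPsec peers,
# plus a weak-algorithm audit. Illustrative code, not NFM-P's implementation;
# all policy contents below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IkeProposal:
    """One IKE policy entry as a peer would offer it."""
    encryption: str  # cipher name, e.g. "aes256-gcm"
    integrity: str   # integrity/PRF algorithm; "none" for AEAD ciphers
    dh_group: int    # Diffie-Hellman group number (MODP/ECP)
    lifetime: int    # SA lifetime in seconds


# Algorithms a defender should flag in any policy (assumed, conservative lists).
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


def weaknesses(p: IkeProposal) -> List[str]:
    """Return the reasons a proposal is considered weak (empty list if none)."""
    found = []
    if p.encryption in WEAK_ENCRYPTION:
        found.append(f"encryption {p.encryption}")
    if p.integrity in WEAK_INTEGRITY:
        found.append(f"integrity {p.integrity}")
    if p.dh_group in WEAK_DH_GROUPS:
        found.append(f"dh group {p.dh_group}")
    return found


def audit(policy: Sequence[IkeProposal]) -> Dict[int, List[str]]:
    """Map the index of each weak proposal in a policy to its weaknesses."""
    return {i: weaknesses(p) for i, p in enumerate(policy) if weaknesses(p)}


def negotiate(initiator: Sequence[IkeProposal],
              responder: Sequence[IkeProposal]) -> Optional[IkeProposal]:
    """Pick the first initiator proposal that the responder also accepts.

    Proposal order expresses the initiator's preference. Lifetime is not part
    of the match; the shorter of the two configured lifetimes is used for the
    resulting SA. Returns None when no proposal is shared, in which case the
    IKE negotiation fails and no tunnel comes up.
    """
    accepted: Dict[Tuple[str, str, int], IkeProposal] = {
        (r.encryption, r.integrity, r.dh_group): r for r in responder
    }
    for offer in initiator:
        match = accepted.get((offer.encryption, offer.integrity, offer.dh_group))
        if match is not None:
            return IkeProposal(offer.encryption, offer.integrity, offer.dh_group,
                               min(offer.lifetime, match.lifetime))
    return None


# Constructed sample IKE policies for two sites.
SITE_A = [
    IkeProposal("aes256-gcm", "none", 19, 86400),
    IkeProposal("aes128-cbc", "sha256", 14, 86400),
    IkeProposal("3des", "sha1", 2, 86400),   # legacy fallback: weak on all counts
]
SITE_B = [
    IkeProposal("aes128-cbc", "sha256", 14, 28800),
    IkeProposal("3des", "sha1", 2, 28800),
]

if __name__ == "__main__":
    print("negotiated SA:", negotiate(SITE_A, SITE_B))
    print("weak entries in site A policy:", audit(SITE_A))
```

The audit matters because of how matching works: a weak fallback entry such as the 3DES/SHA1 proposal is never chosen while a stronger common proposal exists, but it is still selectable by any peer that offers only that entry, so removing it from both policies is the way to rule it out rather than relying on preference order.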

IPsec client databases provide a mechanism to create secure LAN-to-LAN tunnels between an IPsec gateway and multiple VPN clients. The system checks the client database during tunnel authentication, and the database returns client credentials, a private VRF ID, a private interface name, and other IPsec parameters.

See Chapter 49, Policies overview for general information about policies.

After an IPsec peer initiates an IPsec session, there are two main phases:

After the second phase, the IPsec peers exchange data over the IPsec tunnel according to the IPsec parameters in the IKE and IPsec transform policies.

You can create a tunnel template to configure shared IPsec transforms and IKE policies. Each IPsec peer configuration can include the following:

Each IPsec tunnel between IKE peers is identified by a unique remote peer IP address or a unique local IP address.

You can use the IPsec Application Function Manager to create and manage end-to-end IPsec components to form a secure VPN.

The NFM-P XML API supports IPsec VPN configuration.

IPv6 IPsec

OSPFv3 authentication requires IPv6. IPv6 IPsec requires the following:

BFD

You can use BFD for static LAN-to-LAN IPsec tunnels on supporting NEs.

Consider the following when implementing BFD over static LAN-to-LAN IPsec tunnels:

Temporary MTU

You can configure an IPsec tunnel to propagate ICMP messages for temporary MTU learning by setting the parameters in the IP Fragmentation, ICMP Message Generation, and ICMPv6 Generation panels of an IPSec Tunnel, IP/GRE Tunnel, or IPSec Tunnel template.
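As an added illustration of the mechanism behind the settings above, the following models what a tunnel endpoint does with a learned path MTU: an ICMP "fragmentation needed" (or ICMPv6 "packet too big") message from the outer path lowers the MTU temporarily, the encapsulation overhead is subtracted to obtain the MTU that applies to the inner traffic, and oversized inner packets with DF set are then answered with an ICMP message instead of being encrypted and dropped downstream. This is example code written for this page, not NFM-P or router code; the overhead figures and the minimum-MTU floors are assumptions, not values from the documentation.

```python
# Added example: temporary MTU learning for an IPsec tunnel from propagated ICMP
# messages. Illustrative model only, not NFM-P or router code; the overhead
# and floor values are assumed placeholders, not documented figures.
from dataclasses import dataclass
from typing import Optional

IPV4_HEADER = 20
IPV6_HEADER = 40


@dataclass
class TunnelMtuState:
    outer_ip_version: int        # 4 or 6: IP version of the tunnel's outer header
    esp_overhead: int            # assumed per-packet ESP bytes (SPI, seq, IV, padding, ICV)
    configured_mtu: int          # tunnel MTU from configuration
    learned_outer_mtu: Optional[int] = None  # temporary value learned from ICMP

    def encapsulation_overhead(self) -> int:
        """Bytes added to every inner packet: outer IP header plus ESP."""
        outer = IPV4_HEADER if self.outer_ip_version == 4 else IPV6_HEADER
        return outer + self.esp_overhead

    def effective_mtu(self) -> int:
        """MTU that applies to inner (cleartext) traffic right now."""
        if self.learned_outer_mtu is None:
            return self.configured_mtu
        return min(self.configured_mtu,
                   self.learned_outer_mtu - self.encapsulation_overhead())

    def on_outer_icmp_too_big(self, next_hop_mtu: int) -> bool:
        """Handle an ICMP frag-needed / ICMPv6 packet-too-big from the outer path.

        Returns True if the learned MTU was lowered. Values below an assumed
        floor (576 for IPv4, 1280 for IPv6) are ignored: they are either bogus
        or would leave no room for the encapsulation.
        """
        floor = 576 if self.outer_ip_version == 4 else 1280
        if next_hop_mtu < floor:
            return False
        if self.learned_outer_mtu is None or next_hop_mtu < self.learned_outer_mtu:
            self.learned_outer_mtu = next_hop_mtu
            return True
        return False

    def inner_icmp_needed(self, inner_packet_len: int, df_set: bool) -> bool:
        """True if an inner packet must be rejected with an ICMP message carrying
        effective_mtu() instead of being encapsulated (DF set and too large)."""
        return df_set and inner_packet_len > self.effective_mtu()


# Constructed sample: IPv4 outer header, assumed ESP overhead of 57 bytes
# (worst-case AES-CBC padding plus a 16-byte ICV), configured tunnel MTU 1500.
SAMPLE_TUNNEL = TunnelMtuState(outer_ip_version=4, esp_overhead=57, configured_mtu=1500)


def run_sample() -> int:
    """Apply one ICMP message (next-hop MTU 1400) and return the resulting inner MTU."""
    t = TunnelMtuState(outer_ip_version=4, esp_overhead=57, configured_mtu=1500)
    t.on_outer_icmp_too_big(1400)
    return t.effective_mtu()


if __name__ == "__main__":
    print("inner MTU after learning 1400 on the outer path:", run_sample())
```

Without the ICMP propagation the endpoint never learns the smaller outer MTU, keeps advertising 1500 to the inner hosts, and every full-size encrypted packet is silently discarded on the path; with it, the inner hosts receive a frag-needed message with the reduced value and adjust.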