Overview

IPsec overview

You can use the NFM-P to configure IPsec sessions and the Security Associations (SAs) that are required in a bidirectional IPsec tunnel. You can configure multiple IPsec tunnels for a VPRN.

NFM-P IPsec session configuration supports the following:

• encryption methods such as DES, 3DES, AES-128, AES-192, and AES-256

• authentication and hashing methods such as HMAC-MD5, HMAC-SHA1, and HMAC-SHA2

• key distribution methods such as IKE shared secret with PFS, and manual exchange

• key generation algorithms such as Diffie-Hellman

• IPsec modes

• shared secret authentication

• NAT traversal for IKEv1 and IKEv2

• DPD for the IPsec tunnel

An IPsec VPN service includes IPsec tunnels that terminate on IES or VPRN IPsec gateways. These gateways support L3 forwarding through an interface that connects to an IPsec tunnel. You can use the NFM-P to configure VPRN services to which individual hosts can connect over the Internet to an IES or VPRN IPsec gateway. You can configure one or more tunnel interfaces in a VPRN service, and can configure multiple tunnel security profiles for each tunnel interface.

IKE policies are used to negotiate IPsec SAs between IPsec peers. An SA is a relationship between two or more IPsec peers that defines how the peers communicate securely. IKE policies are exchanged between IPsec peers to negotiate a secure communication channel; the policies specify how traffic is encrypted between source and destination sites in an IPsec VPN by establishing a shared security policy using authentication keys.

IPsec transform policies specify the protocol for the IPsec authentication header and the encryption protocol for the Encapsulating Security Payload (ESP) and define the attributes that are used to secure the data.

IPsec client databases provide a mechanism to create secure LAN-to-LAN tunnels between an IPsec gateway and multiple VPN clients. The system checks the client database during tunnel authentication and the database returns client credentials, a private VRF ID, private interface name, and other IPsec parameters.

See Chapter 49, Policies overview for general information about policies.

After an IPsec peer initiates an IPsec session, there are two main phases:

• authentication and protection of IPsec peer identities and negotiation of matching IKE SA policies between peers to establish a secure channel for negotiating IPsec SAs in the next phase

• IPsec SA parameter negotiation and establishment of matching peer SAs

After the second phase, the IPsec peers exchange data over the IPsec tunnel according to the IPsec parameters in the IKE and IPsec transform policies.

You can create a tunnel template to configure shared IPsec transforms and IKE policies. Each IPsec peer configuration can include the following:

• one or more configured IPsec transforms

• one IKE policy

• one unique IPsec tunnel

• one tunnel filter defined in the IPsec tunnel configuration

Each IPsec tunnel between IKE peers is identified by a unique remote peer IP address or a unique local IP address.

You can use the IPsec Application Function Manager to create and manage end-to-end IPsec components to form a secure VPN.

The NFM-P XML API supports IPsec VPN configuration.

IPv6 IPsec

OSPFv3 authentication requires IPv6. IPv6 IPsec requires the following:

• IPsec transport mode — required because the NE acts as an OSPFv3 authentication host

• IPsec static security association — defines the SPI values, algorithms, protocol, and keys to be used, and requires the same configuration at each end of the tunnel

• AH and ESP

• MD5, SHA1, and SHA2

BFD

You can use BFD for static LAN-to-LAN IPsec tunnels on supporting NEs.

Consider the following when implementing BFD over static LAN-to-LAN IPsec tunnels:

• You can have only one BFD session between a source/destination address pair.

• Each tunnel can be associated with only one BFD session. However, one or more tunnels, to a maximum of 500, can be associated with the same BFD session.

• If one BFD session is associated with multiple tunnels, the tunnel that carries the BFD traffic must be operationally up before any of the other tunnels can be operationally up.

• When the NFM-P does not receive BFD packets from a peer before the detection time expires or a signal down notification is sent from a remote peer, the BFD session is considered down.

  When the NFM-P sets the associated IPsec tunnels in a down state, the NFM-P performs the following:

  • sends a Delete Payload message to each remote peer from each associated tunnel and SA

  • removes the state and table entries from each associated tunnel and SA

Temporary MTU

You can configure an IPSec tunnel to propagate ICMP messages for use in temporary MTU learning by configuring the parameters in the IP Fragmentation, ICMP Message Generation, and ICMPv6 Generation panels of an IPSec Tunnel, IP/GRE Tunnel, or IPSec Tunnel template.