Synopsis

I recently started this blog under the tag IPsec. Anyone with a background in this area knows that the topic is too broad to be covered in a single article, so I will be writing a series of articles to touch on as many details as I can. But first things first: you need to know the basics of IPsec. Here I would like to share with you a way to configure an IPsec tunnel in main mode.

Configuration

Please note in advance that the following is a specific configuration for the case where pre-shared keys are the authentication mechanism, the peers authenticate in main mode, and the chosen authentication and encryption algorithms are applied. We will also pose a question at the end of the article about data transfer, just to rekindle the networking spark in you.

To establish an IPsec tunnel between two sites, there are two major steps, IKE phase I and IKE phase II, which were described in our previous article. A link to that article is given in the reference section.

Setting up of IKE Phase I

In IKE phase I, we have to define an IKE proposal, an IKE policy and an IKE gateway.

IKE Proposal

The IKE proposal specifies the authentication method, and it is also where the Diffie-Hellman group (dh-group) is defined. Here I am using md5 as the authentication algorithm, whereas 3des-cbc is applied as the encryption algorithm. The lifetime is configured to be 86400 seconds. To attain these settings, the following set of commands is run on the CLI to complete our proposal.

set security ike proposal IKE-PRO authentication-method pre-shared-keys
set security ike proposal IKE-PRO dh-group group2
set security ike proposal IKE-PRO authentication-algorithm md5
set security ike proposal IKE-PRO encryption-algorithm 3des-cbc
set security ike proposal IKE-PRO lifetime-seconds 86400

IKE Policy

As already discussed, IPsec has two modes, main and aggressive. For now, we will focus on a configuration using main mode. Next, we attach the proposal defined in the previous step and define the pre-shared key. We use keyisF@izan as our pre-shared key, as follows:

set security ike policy IKE-POL-PR mode main
set security ike policy IKE-POL-PR proposals IKE-PRO
set security ike policy IKE-POL-PR pre-shared-key ascii-text "keyisF@izan"

IKE Gateway

The IKE gateway is the last step in the configuration of IKE phase I. As the name suggests, it defines the gateway for IPsec traffic. Here we attach the IKE policy, define the IKE gateway IP address (the remote end to which the traffic is sent) and specify the physical (external) interface.

set security ike gateway IKE-U8-GW ike-policy IKE-POL-PR
set security ike gateway IKE-U8-GW address 10.152.9.150
set security ike gateway IKE-U8-GW external-interface reth3.0

IKE Phase II

After completing phase I, we now have to exchange the parameters for the IPsec tunnel itself. This is done in IKE phase II, where we have to define an IPsec proposal, an IPsec policy and an IPsec VPN.

IPsec Proposal

In the IPsec proposal, we define a proposal named IPSEC-PRO and apply esp as its protocol. Just as in phase I, we define the authentication and encryption algorithms here. For this part, hmac-md5-96 and 3des-cbc are applied as follows.

set security ipsec proposal IPSEC-PRO protocol esp
set security ipsec proposal IPSEC-PRO authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC-PRO encryption-algorithm 3des-cbc

IPsec Policy

In this portion, we define a policy to which we attach the IPsec proposal from the previous step, like this.

set security ipsec policy IPSEC-POL proposals IPSEC-PRO

IPsec VPN

Finally, we bind the logical tunnel interface, which is the interface that actually carries this VPN. The IKE gateway and the IPsec policy are also attached, and in the last line we ask for the tunnel to be brought up immediately.

set security ipsec vpn IPSEC-08-VPN bind-interface st0.8
set security ipsec vpn IPSEC-08-VPN ike gateway IKE-U8-GW
set security ipsec vpn IPSEC-08-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-08-VPN establish-tunnels immediately
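The phase I and phase II objects above form a chain of references (proposal, policy, gateway, VPN), and a typo in any name leaves the tunnel unable to come up. As an added example, not part of the original post and not a Juniper tool, here is a small Python checker that parses the set commands from this article, rebuilds that chain and reports dangling references, missing mandatory attributes, and algorithm choices that common hardening guidance considers weak. The weak-algorithm list and the finding formats are this checker's own assumptions; the sample configuration is the article's, with the pre-shared key written as a quoted string.

```python
"""Static checker for Junos-style 'set security ike/ipsec ...' commands.

Added example, not part of the original article and not a Juniper tool.
It parses the set commands, rebuilds the object graph (proposal -> policy
-> gateway -> vpn) and reports dangling references, missing attributes and
weak algorithms. Messages are this checker's own, not Junos commit errors.
"""
import shlex
from collections import defaultdict

# The article's configuration (pre-shared key is the article's sample value).
SAMPLE_CONFIG = """
set security ike proposal IKE-PRO authentication-method pre-shared-keys
set security ike proposal IKE-PRO dh-group group2
set security ike proposal IKE-PRO authentication-algorithm md5
set security ike proposal IKE-PRO encryption-algorithm 3des-cbc
set security ike proposal IKE-PRO lifetime-seconds 86400
set security ike policy IKE-POL-PR mode main
set security ike policy IKE-POL-PR proposals IKE-PRO
set security ike policy IKE-POL-PR pre-shared-key ascii-text "keyisF@izan"
set security ike gateway IKE-U8-GW ike-policy IKE-POL-PR
set security ike gateway IKE-U8-GW address 10.152.9.150
set security ike gateway IKE-U8-GW external-interface reth3.0
set security ipsec proposal IPSEC-PRO protocol esp
set security ipsec proposal IPSEC-PRO authentication-algorithm hmac-md5-96
set security ipsec proposal IPSEC-PRO encryption-algorithm 3des-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PRO
set security ipsec vpn IPSEC-08-VPN bind-interface st0.8
set security ipsec vpn IPSEC-08-VPN ike gateway IKE-U8-GW
set security ipsec vpn IPSEC-08-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn IPSEC-08-VPN establish-tunnels immediately
"""

# Values this checker treats as weak (checker assumption: MD5-based
# integrity, DES/3DES encryption and DH groups of 1024 bits or less).
WEAK = {
    "authentication-algorithm": {"md5", "hmac-md5-96"},
    "encryption-algorithm": {"3des-cbc", "des-cbc"},
    "dh-group": {"group1", "group2"},
}
# Which attribute of an object must name an existing object of which kind.
REFERENCES = {
    ("ike", "policy"): [("proposals", ("ike", "proposal"))],
    ("ike", "gateway"): [("ike-policy", ("ike", "policy"))],
    ("ipsec", "policy"): [("proposals", ("ipsec", "proposal"))],
    ("ipsec", "vpn"): [("ike gateway", ("ike", "gateway")),
                       ("ike ipsec-policy", ("ipsec", "policy"))],
}
# Attributes without which the object cannot do its job.
REQUIRED = {
    ("ike", "gateway"): ["address", "external-interface"],
    ("ipsec", "vpn"): ["bind-interface"],
}


def parse(config):
    """Return {(family, kind, name): {attribute: value}} from set commands."""
    objs = defaultdict(dict)
    for line in config.strip().splitlines():
        tok = shlex.split(line)  # handles the quoted pre-shared key
        if tok[:2] != ["set", "security"] or len(tok) < 6:
            continue
        family, kind, name, rest = tok[2], tok[3], tok[4], tok[5:]
        # Two-word attributes: 'ike gateway X', 'pre-shared-key ascii-text X'
        if len(rest) == 3:
            attr, value = rest[0] + " " + rest[1], rest[2]
        else:
            attr, value = rest[0], (rest[1] if len(rest) > 1 else None)
        objs[(family, kind, name)][attr] = value
    return dict(objs)


def check(objs):
    """Return a sorted list of findings; an empty list means no issues."""
    findings = []
    for (family, kind, name), attrs in objs.items():
        where = f"{family} {kind} {name}"
        for attr, value in attrs.items():
            if value in WEAK.get(attr, ()):
                findings.append(f"weak: {attr} {value} in {where}")
        for attr, (tfam, tkind) in REFERENCES.get((family, kind), []):
            ref = attrs.get(attr)
            if ref is None or (tfam, tkind, ref) not in objs:
                findings.append(f"dangling: {where} {attr} -> {ref}")
        for attr in REQUIRED.get((family, kind), []):
            if attr not in attrs:
                findings.append(f"missing: {where} has no {attr}")
        # A pre-shared-keys proposal is unusable unless the policy holds a key.
        if (family, kind) == ("ike", "policy"):
            prop = objs.get(("ike", "proposal", attrs.get("proposals")), {})
            has_key = any(a.startswith("pre-shared-key") for a in attrs)
            if prop.get("authentication-method") == "pre-shared-keys" and not has_key:
                findings.append(f"missing: {where} has no pre-shared-key")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(parse(SAMPLE_CONFIG)):
        print(finding)
```

Run against the article's configuration, the checker reports no dangling references or missing attributes, only the five weak-algorithm findings (md5, 3des-cbc and group2 in the IKE proposal; hmac-md5-96 and 3des-cbc in the IPsec proposal). Deleting the IPsec policy line makes the VPN's `ike ipsec-policy` reference dangling, which is the kind of mistake this check is meant to catch before commit.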

So guys, this pretty much wraps it up. We have successfully established an IPsec tunnel with the specifications given in the configuration.

Food for thought

With this piece of configuration, you can get a maximum of 20 Mbps of traffic on each site. Which parameter(s) would you change in order to increase or decrease this threshold? We would love to hear back from you. Thanks for reading, and stay tuned for more configuration examples of IPsec.

References