IPsec Configuration Example

No specific order is required for configuring the IKE map that is applied to the default SA. Any required parameter or algorithm not properly configured will display as an incomplete configuration, but will not prevent you from configuring other IKE map parameters. A suggested order of IPsec configuration is:

Configure the main mode key exchange IKE proposal for the SA. Optionally configure a quick mode data protection IKE proposal if the quick mode proposal is different from the main mode proposal.
Configure the IKE policy for the SA.
Configure the IKE map for the SA.
Enter IPsec default instance configuration mode.
Apply the IKE map to the default SA
Enable IPsec

The following configuration example will follow the IPsec configuration order suggested above.

IKE Proposal

As indicated in IKE Proposal, there are two IKE modes to which an IKE proposal is assigned:

Main, which is assigned to an IKE map
Quick, which is assigned to an IKE policy

Each IKE mode can be assigned a unique IKE proposal or the same proposal may be assigned to both modes, depending upon your configuration requirements. For this example we will configure a single IKE proposal named winRadiusPro, to be used in both IKE modes, with the following values:

IKE Diffie-Hellman key exchange group – 14
Encryption – aes128cbc
Hash – SHA1

Integrity – SHA1

System(su)->configure
System(su-config)->crypto ike-proposal winRadiusPro
System(su-crypto-proposal)->dh_group 14
System(su-crypto-proposal)->encryption aes128cbc
System(su-crypto-proposal)->hash sha1
System(su-crypto-proposal)->integrity sha1
System(su-crypto-proposal)->exit
System(su-config)->

IKE Policy

The IKE policy for this example is named winRadiusPol. The initial contact and passive mode features will not be enabled for this configuration. The winRadiusPol IKE policy is configured with the following values:

Authentication pre-shared key – testkey
Lifetime – 360 minutes
Peer address – 1.1.191.22
IKE quick proposal – winRadiusPro

IKE version – 1

System(su-config)->crypto ike-policy winRadiusPol
System(su-crypto-policy)->authentication psk testkey
System(su-crypto-policy)->lifetime time 360
System(su-crypto-policy)->peer 1.1.191.22
System(su-crypto-policy)->proposal winRadiusPro
System(su-crypto-policy)->version 1
System(su-crypto-policy)->exit
System(su-config)->

IKE Map

The IKE map for this example is named winRadius. IKE map parameters are configured with the following values:

IKE main proposal – winRadiusPro
IKE policy – winRadiusPol
Source IP address – 192.1.1.0/24
Source port – standard RADIUS port 500
Destination IP address – 192.2.2.0/24
Destination port – standard RADIUS port 500
Encapsulation type – transport
Lifetime time – 5 minutes
Lifetime bandwidth – 100000 kilobytes
The transmission protocol – udp

Encryption request – enabled

System(su-config)->crypto ike-map winRadius
System(su-crypto-map)->proposal winRadiusPro
System(su-crypto-map)->policy winRadiusPol
System(su-crypto-map)->src 192.1.1.0/24
System(su-crypto-map)->src-port 500
System(su-crypto-map)->dst 192.2.2.0/24
System(su-crypto-map)->dst-port 500
System(su-crypto-map)->encapsulation transport
System(su-crypto-map)->lifetime time 5
System(su-crypto-map)->lifetime bandwidth 100000
System(su-crypto-map)->protocol udp
System(su-crypto-map)->request
System(su-crypto-map)->exit
System(su-config)->

IPsec

For this release an IPsec default instance is configurable. You assign the IKE map winRadius to the IPsec default instance within IPsec default instance configuration mode. You enable IPsec on the router in global VRF router configuration mode. For this IPsec configuration example we will also enable IPsec traps.

System(su-config)->crypto ipsec default
System(su-crypto-ipsec-defaul)->ike map winRadius
System(su-crypto-ipsec-defaul)->exit
System(su-config)->crypto ipsec trap-enable
System(su-config)->crypto ipsec enable
System(su-config)->

Published May 2016prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback