IPsec Configuration Example

No specific order is required for configuring the IKE map that is applied to the default SA. Any required parameter or algorithm not properly configured will display as an incomplete configuration, but will not prevent you from configuring other IKE map parameters. A suggested order of IPsec configuration is:

  1. Configure the main mode key exchange IKE proposal for the SA. Optionally configure a quick mode data protection IKE proposal if the quick mode proposal is different from the main mode proposal.
  2. Configure the IKE policy for the SA.
  3. Configure the IKE map for the SA.
  4. Enter IPsec default instance configuration mode.
  5. Apply the IKE map to the default SA.
  6. Enable IPsec.

The following configuration example will follow the IPsec configuration order suggested above.

IKE Proposal

As indicated in IKE Proposal, there are two IKE modes to which an IKE proposal is assigned:

  • Main, which is assigned to an IKE map
  • Quick, which is assigned to an IKE policy

Each IKE mode can be assigned a unique IKE proposal or the same proposal may be assigned to both modes, depending upon your configuration requirements. For this example we will configure a single IKE proposal named winRadiusPro, to be used in both IKE modes, with the following values:

  • IKE Diffie-Hellman key exchange group – 14
  • Encryption – aes128cbc
  • Hash – SHA1
  • Integrity – SHA1

    System(su)->configure
    System(su-config)->crypto ike-proposal winRadiusPro
    System(su-crypto-proposal)->dh_group 14
    System(su-crypto-proposal)->encryption aes128cbc
    System(su-crypto-proposal)->hash sha1
    System(su-crypto-proposal)->integrity sha1
    System(su-crypto-proposal)->exit
    System(su-config)->

IKE Policy

The IKE policy for this example is named winRadiusPol. The initial contact and passive mode features will not be enabled for this configuration. The winRadiusPol IKE policy is configured with the following values:

  • Authentication pre-shared key – testkey
  • Lifetime – 360 minutes
  • Peer address – 1.1.191.22
  • IKE quick proposal – winRadiusPro
  • IKE version – 1

    System(su-config)->crypto ike-policy winRadiusPol
    System(su-crypto-policy)->authentication psk testkey
    System(su-crypto-policy)->lifetime time 360
    System(su-crypto-policy)->peer 1.1.191.22
    System(su-crypto-policy)->proposal winRadiusPro
    System(su-crypto-policy)->version 1
    System(su-crypto-policy)->exit
    System(su-config)->

IKE Map

The IKE map for this example is named winRadius. IKE map parameters are configured with the following values:

  • IKE main proposal – winRadiusPro
  • IKE policy – winRadiusPol
  • Source IP address – 192.1.1.0/24
  • Source port – standard RADIUS port 500
  • Destination IP address – 192.2.2.0/24
  • Destination port – standard RADIUS port 500
  • Encapsulation type – transport
  • Lifetime time – 5 minutes
  • Lifetime bandwidth – 100000 kilobytes
  • The transmission protocol – udp
  • Encryption request – enabled

    System(su-config)->crypto ike-map winRadius
    System(su-crypto-map)->proposal winRadiusPro
    System(su-crypto-map)->policy winRadiusPol
    System(su-crypto-map)->src 192.1.1.0/24
    System(su-crypto-map)->src-port 500
    System(su-crypto-map)->dst 192.2.2.0/24
    System(su-crypto-map)->dst-port 500
    System(su-crypto-map)->encapsulation transport
    System(su-crypto-map)->lifetime time 5
    System(su-crypto-map)->lifetime bandwidth 100000
    System(su-crypto-map)->protocol udp
    System(su-crypto-map)->request
    System(su-crypto-map)->exit
    System(su-config)->

IPsec

For this release an IPsec default instance is configurable. You assign the IKE map winRadius to the IPsec default instance within IPsec default instance configuration mode. You enable IPsec on the router in global VRF router configuration mode. For this IPsec configuration example we will also enable IPsec traps.

    System(su-config)->crypto ipsec default
    System(su-crypto-ipsec-defaul)->ike map winRadius
    System(su-crypto-ipsec-defaul)->exit
    System(su-config)->crypto ipsec trap-enable
    System(su-config)->crypto ipsec enable
    System(su-config)->