Configure IPsec Tunnels on Fabric IPsec Gateway VM

About this task

Perform this procedure to configure IPsec tunnels on Fabric IPsec Gateway Virtual Machine (VM).

Procedure

  1. Enter Fabric IPsec Gateway Configuration mode:

    enable

    virtual-service WORD<1-128> console

    Note

    Note

    Type CTRL+Y to exit the console.

  2. Configure the Maximum Transmission Unit (MTU) value for the specific IPsec tunnel:

    set ipsec <1-255> mtu <1300 - 9000>

    Note

    Note

    The MTU range <1300-9000> is applicable for FE tunnels with IPsec and fragmentation and reassembly capabilities.

  3. Configure the ESP cipher suite for the IPsec tunnel:
    set ipsec <1-255> esp <aes128gcm16-sha256 | aes256-sha256 | aes256gcm16-sha256>
  4. Configure the authentication key for specific IPsec tunnel:
    set ipsec <1-255> auth-key WORD <1-32>
    Note

    Note

    Do not use special characters ?, \, &, <, >, #.

  5. Configure VXLAN destination IP address for IPsec tunnel:

    set ipsec <1-255> fe-tunnel-dest-ip {A.B.C.D}

    Note

    Note

    The VXLAN destination IP address for IPsec tunnel must be the same as the VXLAN destination IP address for FE tunnel.

  6. Configure the IPsec destination IP address for the specific tunnel deployed in decoupled mode:

    set ipsec <1-255> ipsec-dest-ip {A.B.C.D}

  7. Configure a name for the IPsec tunnel:

    set ipsec <1-255> tunnel-name WORD <1-64>

  8. Identify if the specific tunnel is a responder or initiator in Network Address Translation (NAT) cases:

    set ipsec <1-255> responder-only <true | False>

  9. Enable the IPsec on a specific tunnel:

    set ipsec <1-255> admin-state enable

Example

Configure parameters for IPsec tunnel on Fabric IPsec Gateway VM:

Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

  <cr>
FIGW> set ipsec 1 ipsec-dest-ip 192.0.2.5
FIGW> set ipsec 1 mtu 1950
FIGW> set ipsec 1 auth-key abcd
FIGW> set ipsec 1 tunnel-name Tunnel-to-BEB2
FIGW> set ipsec 1 fe-tunnel-dest-ip 192.0.2.15
FIGW> set ipsec 1 esp aes256gcm16-sha256
FIGW> set ipsec 1 admin-state enable

Variable Definitions

The following table defines parameters for the set ipsec command.

Variable Value
<1-255> Specifies the unique ID for the IPsec tunnel.
admin-state <enable | disable> Enables or disables IPsec on the specific IPsec tunnel.
auth-key WORD <1-32> Specifies the pre-shared authentication key.
Note:

Do not use special characters ?, \, &, <, >, #.

encryption-key-length <128 | 256>

Specifies the encryption key length for the IPsec tunnel. The default encryption key length is 128. As a best practice, use the newer esp parameter instead; the encryption-key-length parameter remains for backward compatibility.

esp <aes128gcm16-sha256 | aes256-sha256 | aes256gcm16-sha256>

Specifies the ESP cipher suites for the IPsec tunnel. The default is aes128gcm16-sha256. aes256-sha256 is not supported in the current release.

fe-tunnel-dest-ip {A.B.C.D}

Specifies the destination IP address for Fabric Extend (FE) tunnel.

ipsec-dest-ip {A.B.C.D}

Specifies the destination IP address for IPsec tunnel.

mtu <1300-9000

Specifies the Maximum Transmission Unit (MTU) value for the FE tunnel with both IPsec and fragmentation and assembly capabilities.

responder-only <true | false>

Specifies if the IPsec session in the FE tunnel will be in responder only mode or initiator mode. When in responder mode the FE tunnel will only respond to the incoming request and not initiate the IPsec connection. By default both sides of IPSec connection will be initiators in the FE tunnel. Configure the IPsec tunnel to be in responder only mode when there is Network Address Translation (NAT) between the IPsec connection.

Note: IPsec Network Address Translation (NAT) is not supported on 5720 Series.
tunnel-name WORD <1-64>

Specifies a name for the IPsec tunnel.

egress-shaping-rate <1-1000>

Specifies the egress shaper rate for the IPsec tunnel.