Configure IPsec Tunnels on Fabric IPsec Gateway VM

About this task

Perform this procedure to configure IPsec tunnels on Fabric IPsec Gateway Virtual Machine (VM).

Procedure

  1. Enter Fabric IPsec Gateway Configuration mode:

    enable

    virtual-service WORD<1-128> console

    Note

    Note

    Type CTRL+Y to exit the console.

  2. Configure the Maximum Transmission Unit (MTU) value for the specific IPsec tunnel:

    set ipsec <1-255> mtu <1300 - 9000>

    Note

    Note

    The MTU range <1300-9000> is applicable for FE tunnels with IPsec and fragmentation and reassembly capabilities.

  3. Configure the encryption key length for IPsec Tunnel:

    set ipsec <1-255> encryption-key-length <128 | 256>

    Note

    Note

    By default, the encryption key length is 128 bytes.

  4. Configure the authentication key for specific IPsec tunnel:
    set ipsec <1-255> auth-key WORD <1-32>
    Note

    Note

    You must not use special characters ?, \, &, <, >, #.

  5. Configure VXLAN destination IP address for IPsec tunnel:

    set ipsec <1-255> fe-tunnel-dest-ip {A.B.C.D}

    Note

    Note

    The VXLAN destination IP address for IPsec tunnel must be the same as the VXLAN destination IP address for FE tunnel.

  6. Configure the IPsec destination IP address for the specific tunnel deployed in decoupled mode:

    set ipsec <1-255> ipsec-dest-ip {A.B.C.D}

  7. Configure a name for the IPsec tunnel:

    set ipsec <1-255> tunnel-name WORD <1-64>

  8. Identify if the specific tunnel is a responder or initiator in Network Address Translation (NAT) cases:

    set ipsec <1-255> responder-only <true | False>

  9. Enable or disable IPsec on a specific tunnel:

    set ipsec <1-255> <enable | disable>

Example

Configuring parameters for IPsec tunnel on Fabric IPsec Gateway VM:
Switch:1> enable
Switch:1# virtual-service figw console
Connected to domain figw
Escape character is ^Y

  <cr>
FIGW> set ipsec 1 ipsec-dest-ip 192.0.2.5
FIGW> set ipsec 1 mtu 1950
FIGW> set ipsec 1 auth-key abcd
FIGW> set ipsec 1 tunnel-name Tunnel-to-BEB2
FIGW> set ipsec 1 fe-tunnel-dest-ip 192.0.2.15
FIGW> set ipsec 1 encryption-key-length 128
FIGW> set ipsec 1 admin-state enable

Variable Definitions

The following table defines parameters for the set ipsec command.

Variable Value
<1-255> Specifies the unique ID for the IPsec tunnel.
admin-state <enable | disable> Enables or disables IPsec on the specific IPsec tunnel.
auth-key WORD <1-32> Specifies the pre-shared authentication key.
Note:

You must not use special characters ?, \, &, <, >, #.

encryption-key-length <128 | 256> Specifies the encryption key length for the IPsec tunnel. The default encryption key length is 128.
fe-tunnel-dest-ip {A.B.C.D} Specifies the destination IP address for Fabric Extend (FE) tunnel.
ipsec-dest-ip {A.B.C.D} Specifies the destination IP address for IPsec tunnel.
mtu <1300-9000 Specifies the Maximum Transmission Unit (MTU) value for the FE tunnel with both IPsec and fragmentation and assembly capabilities.
responder-only <true | false> Specifies if the IPsec session in the FE tunnel will be in responder only mode or initiator mode. When in responder mode the FE tunnel will only respond to the incoming request and not initiate the IPsec connection. By default both sides of IPSec connection will be initiators in the FE tunnel. Configure the IPsec tunnel to be in responder only mode when there is Network Address Translation (NAT) between the IPsec connection. For more information about NAT, see IPsec NAT-T.
tunnel-name WORD <1-64> Specifies a name for the IPsec tunnel.