Security Associations

After establishing a secure channel, the two endpoints can negotiate an IPsec security association (IPsec SA) as a “child” entry. TNSR supports adding multiple children as needed, though with routed IPsec only one is necessary.

Tip

Some vendor IPsec implementations refer to IPsec security association child entries as “Phase 2”, which may help when attempting to map values supplied by a peer to their corresponding values in TNSR.

From within config-ipsec-crypto-ike mode, the child <n> command configures the child noted by the given number. The child command enters ike-child mode.

Within ike-child mode, the following commands are available:

lifetime <x>

Sets the maximum time for this child IPsec SA to be valid before it must be rekeyed. The value is given in seconds within the range 60..86400. Default value is 3600 seconds (one hour). This value must be shorter than the IKE lifetime, discussed earlier.

replay-window (0|64)

Number of packets in the replay window. The replay window is used to protect the tunnel against attacks where the sequence number is re-used or has been processed recently. Some allowance is helpful in dealing with network link issues that cause packets to arrive late or out-of-order. A value of 0 disables the replay window. A value of 64 enables a 64 packet replay window.
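As an added illustration, not part of the TNSR documentation or its code, the following Python model shows the sliding anti-replay window that a replay-window 64 setting enables, in the style of RFC 4303: packets arriving late but still inside the window are accepted once, replays and packets older than the window are dropped, and a window of 0 disables the check entirely. The class and function names are this example's own.

```python
# Added example (not TNSR code): a sliding anti-replay window in the style of
# RFC 4303. In a real ESP implementation the window is only updated after the
# packet's integrity check succeeds; this model omits the ICV step.

class ReplayWindow:
    """Track received ESP sequence numbers with a bitmask of `size` entries."""

    def __init__(self, size: int):
        if size not in (0, 64):  # the two values TNSR's replay-window accepts
            raise ValueError("replay window must be 0 or 64")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen

    def check(self, seq: int) -> bool:
        """Return True and record seq if acceptable, False if it should be dropped."""
        if self.size == 0:
            return True                     # replay protection disabled
        if seq == 0:
            return False                    # ESP sequence numbers start at 1
        if seq > self.top:                  # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # too old: fell off the window
        if self.bitmap & (1 << offset):
            return False                    # replay: already seen
        self.bitmap |= 1 << offset          # late but in-window: accept once
        return True


def simulate(size: int, arrivals):
    """Feed a constructed arrival order through a window; return (seq, accepted) pairs."""
    window = ReplayWindow(size)
    return [(seq, window.check(seq)) for seq in arrivals]


if __name__ == "__main__":
    # constructed arrival order: a late packet (3), a replay of 5, and a stale 2
    for seq, ok in simulate(64, [1, 2, 4, 5, 3, 5, 70, 2]):
        print(seq, "accept" if ok else "drop")
```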

proposal <name>

Each child may have one or more proposal entries which define the acceptable encryption, integrity, and DH Group (Perfect Forward Secrecy, PFS) parameters used to encrypt and validate the IPsec SA traffic.

Child SA proposals work similarly to IKE/ISAKMP proposals as described in IKE Proposal.

This command enters config-ike-child-proposal mode to configure these proposals. In config-ike-child-proposal mode, the following commands are available:

encryption <ea-name>

Configures the encryption algorithm to use for the proposal.

integrity <ia-name>

Configures the integrity algorithm to use for the proposal.

group <group-name>

Configures the Diffie-Hellman group (DH Group) to use for the proposal.

sequence-number (esn|noesn)

Controls whether or not TNSR will attempt to negotiate extended sequence number (ESN) support with the peer. ESN uses 64-bit sequence numbers instead of 32-bit sequence numbers. The default is noesn, which disables ESN negotiation.

traffic-selector <num> local <prefix>

Configures an optional list of individual prefixes for remote access IPsec clients to send across their tunnel. This is also known as “split tunneling”. Each entry must have a unique ID <num> value.

When omitted, the tunnel will offer selectors which send all traffic across the VPN: 0.0.0.0/0 for IPv4 and ::/0 for IPv6.

Note

Not all clients support automatically receiving and honoring this list of prefixes. For example, even with this list defined, Windows clients must have manually configured routes which direct traffic for these prefixes through the IPsec client connection. See TNSR Configuration Example Recipes for additional information.

Child SA Example

This example has only a single child, thus child 1. The child has a lifetime of 3600 seconds.

tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600

Next, create a child SA proposal. This example uses AES-128 for encryption, SHA-1 for the authentication hash, and PFS group 14 (2048-bit modulus).

tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048

This completes the configuration for the IPsec tunnel. After exiting back to basic mode, the tunnel will attempt to establish a connection to the peer.

tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tunnel)# exit