This is the documentation for the 20.02 version.
Security Associations
After establishing a secure channel, the two endpoints can negotiate an IPsec security association (IPsec SA) as a “child” entry. TNSR supports adding multiple children as needed, though with routed IPsec only one is necessary.
Tip
Some vendor IPsec implementations refer to IPsec security association child entries as “Phase 2”, which may help when attempting to map values supplied by a peer to their corresponding values in TNSR.
From within config-ipsec-crypto-ike mode, the child <n> command configures the child noted by the given number. The child command enters ike-child mode.

Within ike-child mode, the following commands are available:
- lifetime <x>: Sets the maximum time for this child IPsec SA to be valid before it must be rekeyed. The value is given in seconds within the range 120..214783647. The default value is 3600 seconds (one hour). This value must be shorter than the IKE lifetime, discussed earlier.
- replay-window (0|64): Number of packets in the replay window. The replay window protects the tunnel against attacks where a sequence number is re-used or has been processed recently. Some allowance is helpful in dealing with network link issues that cause packets to arrive late or out of order. A value of 0 disables the replay window. A value of 64 enables a 64 packet replay window.
- proposal <name>: Each child may have one or more proposal entries which define acceptable encryption, integrity, and DH Group (Perfect Forward Secrecy, PFS) parameters to encrypt and validate the IPsec SA traffic. Child SA proposals work similarly to IKE/ISAKMP proposals as described in IKE Proposal. This command enters config-ike-child-proposal mode to configure these proposals. In config-ike-child-proposal mode, the following commands are available:
  - encryption <ea-name>: Configures the encryption algorithm to use for the proposal.
  - integrity <ia-name>: Configures the integrity algorithm to use for the proposal.
  - group <group-name>: Configures the Diffie-Hellman group (DH Group) to use for the proposal.
- sequence-number (esn|noesn): Controls whether or not TNSR will attempt to negotiate extended sequence number (ESN) support with the peer. ESN uses 64-bit sequence numbers instead of 32-bit sequence numbers. The default is noesn, which disables ESN negotiation.
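To make the replay-window and sequence-number options concrete, the following is an added illustration (not TNSR code and not from the TNSR documentation) of how a 64-packet anti-replay window behaves, modelled on the bitmap scheme in RFC 4303 Appendix A: in-order packets slide the window forward, a late packet that still falls inside the window is accepted once, a repeated sequence number is rejected, and anything older than the window is dropped. The `esn` flag only changes the width of the sequence counter (64 bits versus 32 bits); the sample sequence numbers are constructed for the demonstration.

```python
"""Sliding anti-replay window for an IPsec SA.

Added illustration (not TNSR code): models the replay-window and
sequence-number options described above, following the bitmap scheme
of RFC 4303 Appendix A.  A window of 64 keeps the 64 most recent
sequence numbers; 0 disables the check.  With ESN the counter is
64 bits wide, otherwise 32 bits.
"""


class ReplayWindow:
    """Tracks which ESP sequence numbers have already been accepted."""

    def __init__(self, size=64, esn=False):
        if size not in (0, 64):
            # mirror the two values TNSR offers: replay-window (0|64)
            raise ValueError("replay window must be 0 or 64")
        self.size = size
        self.max_seq = (1 << 64) - 1 if esn else (1 << 32) - 1
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (last_seq - i) has been seen

    def accept(self, seq):
        """Return True and record seq if the packet is acceptable, else False."""
        if seq == 0 or seq > self.max_seq:
            # 0 is never a valid ESP sequence number; exceeding the counter
            # width means the SA should already have been rekeyed
            return False
        if self.size == 0:
            return True  # replay protection disabled: everything passes
        if seq > self.last_seq:
            # newer than anything seen so far: slide the window forward
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped past the whole window
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False  # too old: outside the window
        if self.bitmap & (1 << diff):
            return False  # already accepted: a replay
        self.bitmap |= 1 << diff  # late but new: accept it
        return True


def replay_check(seqs, size=64, esn=False):
    """Run a list of sequence numbers through one window; return the verdicts."""
    window = ReplayWindow(size, esn)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # constructed sequence: in-order, one late packet, a replay, a jump and a stale packet
    sample = [1, 2, 3, 5, 4, 4, 70, 6, 200, 137, 136]
    for s, ok in zip(sample, replay_check(sample)):
        print(f"seq {s:>4}: {'accept' if ok else 'REJECT'}")
```

Running the sample shows why the window is a tolerance rather than a hole: packet 4 arriving after 5 is accepted, the second copy of 4 is rejected, and packet 6 is rejected after the window has moved to 70 because it is now 64 behind. With replay-window 0 every one of those packets would be accepted.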
Child SA Example

This example only has a single child, thus child 1. The child has a lifetime of 3600.
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
Next, create a child SA proposal. This example uses AES-128 for encryption, SHA-1 for an authentication hash, and PFS group 14 (2048 bit modulus).
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048
This completes the configuration for the IPsec tunnel. At this point, after exiting back to basic mode, the tunnel will attempt to establish a connection to the peer.
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tun)# exit
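The constraints listed in the command reference above (lifetime range and its relation to the IKE lifetime, the two replay-window values, the two sequence-number modes, at least one proposal) are easy to get wrong when a child SA is typed in by hand. The following added example, which is not part of the TNSR documentation or product, checks a child SA against those rules and renders the same command sequence as the walkthrough above. The IKE lifetime passed to `validate` is a value the caller supplies (28800 is a constructed figure for the demonstration); the data classes and function names are this example's own.

```python
"""Build and sanity-check a TNSR IKE child SA before typing it in.

Added example (not part of the TNSR documentation or product): it encodes
the constraints stated in the command reference (lifetime range
120..214783647 seconds and shorter than the IKE lifetime, replay-window
0 or 64, sequence-number esn or noesn, at least one proposal) and renders
the same command sequence as the walkthrough.  The IKE lifetime is a
caller-supplied value; it is not read from TNSR here.
"""

from dataclasses import dataclass, field

LIFETIME_MIN, LIFETIME_MAX = 120, 214783647  # range quoted in the reference above
REPLAY_WINDOWS = (0, 64)
SEQUENCE_MODES = ("esn", "noesn")


@dataclass
class Proposal:
    encryption: str  # e.g. aes128
    integrity: str   # e.g. sha1
    group: str       # e.g. modp2048


@dataclass
class ChildSA:
    number: int
    lifetime: int = 3600            # TNSR default: one hour
    replay_window: int = 64         # TNSR default
    sequence_number: str = "noesn"  # TNSR default
    proposals: list = field(default_factory=list)


def validate(child, ike_lifetime):
    """Return a list of problems; an empty list means the child is consistent."""
    problems = []
    if not LIFETIME_MIN <= child.lifetime <= LIFETIME_MAX:
        problems.append(f"lifetime {child.lifetime} outside {LIFETIME_MIN}..{LIFETIME_MAX}")
    if child.lifetime >= ike_lifetime:
        problems.append(f"lifetime {child.lifetime} must be shorter than IKE lifetime {ike_lifetime}")
    if child.replay_window not in REPLAY_WINDOWS:
        problems.append(f"replay-window must be one of {REPLAY_WINDOWS}")
    if child.sequence_number not in SEQUENCE_MODES:
        problems.append(f"sequence-number must be one of {SEQUENCE_MODES}")
    if not child.proposals:
        problems.append("at least one proposal is required")
    return problems


def render(child):
    """Emit the config-ipsec-crypto-ike commands, one per line, without prompts."""
    lines = [f"child {child.number}", f"lifetime {child.lifetime}"]
    # non-default options only, so the walkthrough above is reproduced exactly
    if child.replay_window != 64:
        lines.append(f"replay-window {child.replay_window}")
    if child.sequence_number != "noesn":
        lines.append(f"sequence-number {child.sequence_number}")
    for n, p in enumerate(child.proposals, start=1):
        lines += [f"proposal {n}", f"encryption {p.encryption}",
                  f"integrity {p.integrity}", f"group {p.group}", "exit"]
    lines.append("exit")  # back to config-ipsec-crypto-ike
    return lines


if __name__ == "__main__":
    child = ChildSA(1, proposals=[Proposal("aes128", "sha1", "modp2048")])
    problems = validate(child, ike_lifetime=28800)  # constructed IKE lifetime
    print("\n".join(problems) or "\n".join(render(child)))
```

Run with the walkthrough's values the script prints the child 1 / lifetime 3600 / proposal 1 sequence shown above; set the child lifetime equal to or above the IKE lifetime and it reports the mismatch instead of emitting commands that would be accepted at the prompt but fail the ordering rule.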