This is the documentation for the 21.07 version.
IPsec Keys

Inside config-ipsec-tun mode, the following commands are available for IPsec key management.
- crypto config-type (ike|manual):
  Configures the type of key management TNSR will use for this tunnel.
  - ike:
    Internet Key Exchange (IKE). The most common method of key management. IPsec tunnels utilize IKE to dynamically handle key exchange when both parties are negotiating a security association.
  - manual:
    Static key management.
- crypto ike:
  Enters config-ipsec-crypto-ike mode to configure IPsec IKE behavior, which is the bulk of the remaining work for most IPsec tunnels.
IKE Configuration

Inside config-ipsec-crypto-ike mode, the following commands are available to configure basic IKE behavior:
- version <x>:
  Instructs TNSR to use either IKEv1 or IKEv2. Use 2 for IKEv2, which is more secure, or 1 for IKEv1, which is more common and more widely supported.
- lifetime <x>:
  Sets the maximum time for this IKE session to be valid, in seconds within the range 120..214783647. The default value is 14400 seconds (4 hours). Commonly set to 28800 seconds (8 hours). This value should be longer than the IKE child lifetime, discussed later.
- dpd-interval <x>:
  Optional time to wait between sending Dead Peer Detection (DPD) polls, given in seconds within the range 0-65535.
- key-renewal (reauth|rekey):
  Controls the method used to update keys on an established IKE security association (SA) before the lifetime expires.
  - reauth:
    TNSR performs a full teardown and re-establishment of the IKE and child SAs.
  - rekey:
    Inline rekeying while the SAs stay active. Only available in IKEv2.
- proposal <name>:
  Configures a new IKE proposal and enters config-ike-proposal mode.
- identity (local|remote):
  Configures IKE identity validation and enters config-ike-identity mode.
- authentication (local|remote):
  Configures IKE authentication and enters config-ike-auth mode.
- udp-encapsulation:
  Forces UDP encapsulation for IKE, also known as NAT Traversal or NAT-T.
  Under normal conditions, UDP encapsulation is activated automatically when NAT is detected and disabled automatically otherwise. With udp-encapsulation set, UDP encapsulation is always enabled.

  Note: UDP encapsulation cannot be disabled; it can only be controlled automatically or forcibly enabled.
Additional config-ipsec-crypto-ike mode commands are available to configure other aspects of the IPsec tunnel, such as proposals, identity, and authentication. These are covered next.
IKE Example
This example tells TNSR to use IKE for key management, and then sets the tunnel to IKEv2 and a lifetime of 8 hours.
tnsr(config-ipsec-tun)# crypto config-type ike
tnsr(config-ipsec-tun)# crypto ike
tnsr(config-ipsec-crypto-ike)# version 2
tnsr(config-ipsec-crypto-ike)# lifetime 28800
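The following is an added example and is not part of the TNSR documentation or the TNSR product. It is a hypothetical Python pre-flight helper that encodes the constraints listed above (version 1 or 2, the lifetime range, the dpd-interval range, rekey only with IKEv2, and the IKE lifetime being longer than the child lifetime) and renders the config-ipsec-tun / config-ipsec-crypto-ike commands in the order the example uses. The helper's names, the child_lifetime field and the sample settings are assumptions; the numeric ranges are the ones printed on this page.

```python
"""Hypothetical pre-flight validator for the TNSR IKE settings described above.

Not part of TNSR: it checks a proposed configuration against the documented
constraints before an operator types it in, and renders the matching commands.
"""
from dataclasses import dataclass
from typing import List, Optional

LIFETIME_MIN, LIFETIME_MAX = 120, 214783647   # lifetime range as printed on the page
DPD_MIN, DPD_MAX = 0, 65535                   # dpd-interval range as printed on the page
DEFAULT_LIFETIME = 14400                      # documented default (4 hours)


@dataclass
class IkeSettings:
    version: int = 2                      # 1 = IKEv1, 2 = IKEv2
    lifetime: int = DEFAULT_LIFETIME      # IKE SA lifetime in seconds
    dpd_interval: Optional[int] = None    # omitted unless set
    key_renewal: Optional[str] = None     # "reauth" or "rekey"; omitted unless set
    udp_encapsulation: bool = False
    child_lifetime: Optional[int] = None  # assumed child SA lifetime, used only for the ordering check


def validate(s: IkeSettings) -> List[str]:
    """Return the list of problems found; an empty list means the settings pass."""
    problems = []
    if s.version not in (1, 2):
        problems.append(f"version must be 1 or 2, got {s.version}")
    if not LIFETIME_MIN <= s.lifetime <= LIFETIME_MAX:
        problems.append(f"lifetime {s.lifetime} outside {LIFETIME_MIN}..{LIFETIME_MAX}")
    if s.dpd_interval is not None and not DPD_MIN <= s.dpd_interval <= DPD_MAX:
        problems.append(f"dpd-interval {s.dpd_interval} outside {DPD_MIN}-{DPD_MAX}")
    if s.key_renewal is not None and s.key_renewal not in ("reauth", "rekey"):
        problems.append(f"key-renewal must be reauth or rekey, got {s.key_renewal!r}")
    if s.key_renewal == "rekey" and s.version != 2:
        problems.append("key-renewal rekey is only available with IKEv2")
    if s.child_lifetime is not None and s.lifetime <= s.child_lifetime:
        problems.append(f"IKE lifetime {s.lifetime} should exceed child lifetime {s.child_lifetime}")
    return problems


def render(s: IkeSettings) -> List[str]:
    """Render the CLI commands (config-ipsec-tun first, then config-ipsec-crypto-ike)."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["crypto config-type ike", "crypto ike", f"version {s.version}", f"lifetime {s.lifetime}"]
    if s.dpd_interval is not None:
        lines.append(f"dpd-interval {s.dpd_interval}")
    if s.key_renewal is not None:
        lines.append(f"key-renewal {s.key_renewal}")
    if s.udp_encapsulation:
        lines.append("udp-encapsulation")
    return lines


if __name__ == "__main__":
    # Constructed sample: IKEv2, 8-hour IKE lifetime, DPD every 30 s, inline rekeying,
    # with an assumed 1-hour child lifetime so the ordering check has something to compare.
    good = IkeSettings(version=2, lifetime=28800, dpd_interval=30,
                       key_renewal="rekey", child_lifetime=3600)
    for cmd in render(good):
        print(cmd)
    # Constructed sample that breaks three documented rules at once.
    bad = IkeSettings(version=1, lifetime=60, key_renewal="rekey", child_lifetime=3600)
    for problem in validate(bad):
        print("problem:", problem)
```

With only version and lifetime set, render() produces exactly the four commands of the IKE Example above; the other commands appear only when the corresponding field is given.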
Additional IKE Configuration

The remainder of the IKE configuration is covered in the following sections.