Tip

This is the documentation for the 23.11 version. Looking for the documentation of the latest version? Have a look here.

IPsec Keys

Inside config-ipsec-tunnel mode, the following commands are available for IPsec key management.

crypto config-type (ike|manual):

Configures the type of key management TNSR will use for this tunnel.

ike:

Internet Key Exchange (IKE). The most common method of key management. IPsec tunnels utilize IKE to dynamically handle key exchange when both parties are negotiating a security association.

manual:

Static key management.

crypto ike:

Enters IKE config-ipsec-crypto-ike mode to configure IPsec IKE behavior, which is the bulk of the remaining work for most IPsec tunnels.

IKE Configuration

Inside config-ipsec-crypto-ike mode, the following commands are available to configure basic IKE behavior:

version <x>:

Instructs TNSR to use either IKEv1 or IKEv2. Use 2 for IKEv2, which is more secure, or 1 for IKEv1 which is more common and more widely supported.

lifetime <x>:

Sets the maximum time for this IKE session to be valid, in seconds within the range 120..214783647. Default value is 14400 seconds (4 hours). Commonly set to 28800 seconds (8 hours). This value should be longer than the IKE child lifetime, discussed later.

dpd-interval <x>:

Optional time to wait between sending Dead Peer Detection (DPD) polls, given in seconds within the range 0-65535.

key-renewal (reauth|rekey):

Controls the method used to update keys on an established IKE security association (SA) before the lifetime expires.

reauth:

TNSR performs a full teardown and re-establishment of IKE and child SAs.

rekey:

Inline rekeying while SAs stay active. Only available in IKEv2.

proposal <name>:

Configures a new IKE proposal and enters config-ike-proposal mode.

identity (local|remote):

Configures IKE identity validation and enters config-ike-identity mode.

authentication (local|remote):

Configures IKE authentication and enters config-ike-auth mode.

udp-encapsulation:

Forces UDP encapsulation for IKE, also known as NAT Traversal or NAT-T.

Under normal conditions, UDP encapsulation will be automatically activated when NAT is detected and automatically disabled otherwise. With udp-encapsulation set, UDP encapsulation is forcefully enabled.

Note

UDP encapsulation cannot be disabled, it can only be automatically controlled or forcefully enabled.

remote-access address-pools (ipv4-range|ipv6-range) <first-addr> to <last-addr>:

Configures IPv4 or IPv6 address pools for use with remote access IPsec. The first and last addresses given must be of the given address family and should lie within the prefix defined on the IPIP interface.

Note

The IPsec daemon limits the possible size of an address pool to around 2^31 addresses. If a /64 IPv6 prefix range is defined for the pool, it may be truncated down to a /97 or smaller.

remote-access dns resolver <num> address <address>:

Configures a list of individual DNS server IP addresses which are passed to connecting remote access IPsec clients. Each entry must have a unique ID <num> value.

Additional config-ipsec-crypto-ike mode commands are available to configure other aspects of the IPsec tunnel, such as proposals, identity, and authentication. These are covered next.

IKE Example

This example tells TNSR to use IKE for key management, and then sets the tunnel to IKEv2 and a lifetime of 8 hours.

tnsr(config-ipsec-tunnel)# crypto config-type ike
tnsr(config-ipsec-tunnel)# crypto ike
tnsr(config-ipsec-crypto-ike)# version 2
tnsr(config-ipsec-crypto-ike)# lifetime 28800

Additional IKE Configuration

The remainder of the IKE configuration is covered in the following sections.