config-ipsec-tunnel mode, the following commands are available for
IPsec key management.
- crypto config-type (ike|manual)
Configures the type of key management TNSR will use for this tunnel.
Internet Key Exchange (IKE). The most common method of key management. IPsec tunnels utilize IKE to dynamically handle key exchange when both parties are negotiating a security association.
Static key management.
- crypto ike
config-ipsec-crypto-ikemode to configure IPsec IKE behavior, which is the bulk of the remaining work for most IPsec tunnels.
config-ipsec-crypto-ike mode, the following commands are available to
configure basic IKE behavior:
- version <x>
Instructs TNSR to use either IKEv1 or IKEv2. Use
2for IKEv2, which is more secure, or
1for IKEv1 which is more common and more widely supported.
- lifetime <x>
Sets the maximum time for this IKE session to be valid, in seconds within the range
120..214783647. Default value is
14400seconds (4 hours). Commonly set to
28800seconds (8 hours). This value should be longer than the IKE child lifetime, discussed later.
- dpd-interval <x>
Optional time to wait between sending Dead Peer Detection (DPD) polls, given in seconds within the range
- key-renewal (reauth|rekey)
Controls the method used to update keys on an established IKE security association (SA) before the lifetime expires.
TNSR performs a full teardown and re-establishment of IKE and child SAs.
Inline rekeying while SAs stay active. Only available in IKEv2.
- proposal <name>
Configures a new IKE proposal and enters
- identity (local|remote)
Configures IKE identity validation and enters
- authentication (local|remote)
Configures IKE authentication and enters
Forces UDP encapsulation for IKE, also known as NAT Traversal or NAT-T.
Under normal conditions, UDP encapsulation will be automatically activated when NAT is detected and automatically disabled otherwise. With
udp-encapsulationset, UDP encapsulation is forcefully enabled.
UDP encapsulation cannot be disabled, it can only be automatically controlled or forcefully enabled.
config-ipsec-crypto-ike mode commands are available to configure
other aspects of the IPsec tunnel, such as proposals, identity, and
authentication. These are covered next.
This example tells TNSR to use IKE for key management, and then sets the tunnel to IKEv2 and a lifetime of 8 hours.
tnsr(config-ipsec-tunnel)# crypto config-type ike tnsr(config-ipsec-tunnel)# crypto ike tnsr(config-ipsec-crypto-ike)# version 2 tnsr(config-ipsec-crypto-ike)# lifetime 28800
Additional IKE Configuration¶
The remainder of the IKE configuration is covered in the following sections.