After establishing a secure channel, the two endpoints can negotiate an IPsec security association (IPsec SA) as a “child” entry. TNSR supports adding multiple children as needed, though with routed IPsec only one is necessary.
Some vendor IPsec implementations refer to IPsec security association child entries as “Phase 2”, which may help when attempting to map values supplied by a peer to their corresponding values in TNSR.
In config-ipsec-crypto-ike mode, the child <n> command configures the child noted by the given number. The child command enters config-ike-child mode, in which the following commands are available:
- lifetime <x>
Sets the maximum time for this child IPsec SA to be valid before it must be rekeyed. The value is given in seconds within the range 120..214783647. The default value is 3600 seconds (one hour). This value must be shorter than the IKE lifetime, discussed earlier.
- replay-window (0|64)
Number of packets in the replay window. The replay window protects the tunnel against attacks in which a sequence number is re-used or has been processed recently. Some allowance is helpful in dealing with network link issues that cause packets to arrive late or out of order. A value of 0 disables the replay window. A value of 64 enables a 64-packet replay window.
- proposal <name>
Each child may have one or more proposal entries which define the acceptable encryption, integrity, and DH group (Perfect Forward Secrecy, PFS) parameters used to encrypt and validate the IPsec SA traffic.
Child SA proposals work similarly to IKE/ISAKMP proposals as described in IKE Proposal.
This command enters config-ike-child-proposal mode to configure these proposals. In config-ike-child-proposal mode, the following commands are available:
- encryption <ea-name>
Configures the encryption algorithm to use for the proposal.
- integrity <ia-name>
Configures the integrity algorithm to use for the proposal.
- group <group-name>
Configures the Diffie-Hellman group (DH Group) to use for the proposal.
- sequence-number (esn|noesn)
Controls whether or not TNSR will attempt to negotiate extended sequence number (ESN) support with the peer. ESN uses 64-bit sequence numbers instead of 32-bit sequence numbers. The default is noesn, which disables ESN negotiation.
Child SA Example
This example only has a single child, thus child 1. The child has a lifetime
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
Next, create a child SA proposal. This example uses AES-128 for encryption, SHA-1 for the authentication hash, and PFS group 14 (2048-bit modulus).
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048
This completes the configuration for the IPsec tunnel. After exiting back to basic mode, the tunnel will attempt to establish a connection to the peer.
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tunnel)# exit
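As an added example (not TNSR's own tooling), the Python below parses a CLI transcript in the prompt form shown above and checks each child against the constraints stated on this page: lifetime of at least 120 seconds and shorter than the IKE lifetime, replay window of 0 or 64, a proposal with encryption, integrity and group set, and a valid sequence-number value. The IKE lifetime is passed in by the caller, since it is configured elsewhere.

```python
import re
from typing import Dict, List

EXAMPLE = """tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes128
tnsr(config-ike-child-proposal)# integrity sha1
tnsr(config-ike-child-proposal)# group modp2048"""
PROMPT = re.compile(r"^tnsr\((?P<mode>[\w-]+)\)#\s*(?P<cmd>.+?)\s*$")

def parse_children(transcript: str) -> Dict[int, dict]:
    """Collect each child's settings and proposals, keyed on the child number."""
    children: Dict[int, dict] = {}
    child = proposal = None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # not a command line
        mode, words = m.group("mode"), m.group("cmd").split()
        key, args = words[0], words[1:]
        if mode == "config-ipsec-crypto-ike" and key == "child":
            child = children.setdefault(int(args[0]), {"proposals": {}})
        elif mode == "config-ike-child" and child is not None:
            if key == "proposal":
                proposal = child["proposals"].setdefault(int(args[0]), {})
            elif key in ("lifetime", "replay-window"):
                child[key] = int(args[0])
        elif mode == "config-ike-child-proposal" and proposal is not None:
            if key in ("encryption", "integrity", "group", "sequence-number"):
                proposal[key] = args[0]
    return children

def check_child(child: dict, ike_lifetime: int) -> List[str]:
    """Return the constraints stated on this page that the child violates."""
    findings = []
    lifetime = child.get("lifetime", 3600)  # page default: one hour
    if not 120 <= lifetime < ike_lifetime:
        findings.append(f"lifetime {lifetime} must be at least 120 s and shorter than the IKE lifetime {ike_lifetime}")
    if child.get("replay-window", 0) not in (0, 64):  # only flag an explicit bad value
        findings.append(f"replay-window {child['replay-window']} must be 0 or 64")
    if not child["proposals"]:
        findings.append("no proposal configured")
    for num, prop in child["proposals"].items():
        missing = [k for k in ("encryption", "integrity", "group") if k not in prop]
        if missing:
            findings.append(f"proposal {num} missing {', '.join(missing)}")
        if prop.get("sequence-number", "noesn") not in ("esn", "noesn"):
            findings.append(f"proposal {num} sequence-number must be esn or noesn")
    return findings
```

Running check_child(parse_children(EXAMPLE)[1], 28800) on the page's example returns no findings; the same child checked against an IKE lifetime of 3600 is reported, because the child lifetime is not shorter.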