Security Associations¶
After establishing a secure channel, the two endpoints can negotiate an IPsec security association (IPsec SA) as a “child” entry. TNSR supports adding multiple children as needed, though with routed IPsec only one is necessary.
Tip
Some vendor IPsec implementations refer to IPsec security association child entries as “Phase 2”, which may help when attempting to map values supplied by a peer to their corresponding values in TNSR.
From within config-ipsec-crypto-ike mode, the child <n> command configures the child noted by the given number. The child command enters ike-child mode.
Within ike-child mode, the following commands are available:
- lifetime <x>: Sets the maximum time, in seconds, that this child IPsec SA remains valid before it must be rekeyed. The value must be within the range 60..86400. The default is 3600 seconds (one hour). This value must be shorter than the IKE lifetime discussed earlier, so that the child SA is always rekeyed under a still-valid IKE SA.
- replay-window (0|64): Number of packets in the anti-replay window. The receiver tracks recently seen ESP sequence numbers and discards any packet whose sequence number has already been processed or falls behind the window, which defeats attacks that capture valid packets and resend them. Some allowance is helpful in dealing with network link issues that cause packets to arrive late or out of order. A value of 0 disables the replay window, and with it anti-replay protection for this SA. A value of 64 enables a 64 packet replay window.
- proposal <name>: Each child may have one or more proposal entries which define the acceptable encryption, integrity, and DH group (Perfect Forward Secrecy, PFS) parameters used to encrypt and authenticate traffic on the IPsec SA. Child SA proposals work similarly to IKE/ISAKMP proposals as described in IKE Proposal. This command enters config-ike-child-proposal mode to configure these proposals. In config-ike-child-proposal mode, the following commands are available:
  - encryption <ea-name>: Configures the encryption algorithm to use for the proposal.
  - integrity <ia-name>: Configures the integrity algorithm to use for the proposal.
  - group <group-name>: Configures the Diffie-Hellman group (DH Group) to use for the proposal.
- sequence-number (esn|noesn): Controls whether or not TNSR will attempt to negotiate extended sequence number (ESN) support with the peer. ESN uses 64-bit sequence numbers instead of 32-bit sequence numbers, so a high-throughput SA does not have to be rekeyed as soon as a 32-bit counter would wrap. The default is noesn, which disables ESN negotiation.
- traffic-selector <num> local <prefix>: Configures an optional list of individual prefixes for remote access IPsec clients to send across their tunnel. This is also known as "split tunneling". Each entry must have a unique ID <num> value. When omitted, the tunnel will offer selectors which send all traffic across the VPN: 0.0.0.0/0 for IPv4 and ::/0 for IPv6.
Note
Not all clients support automatically receiving and honoring this list of prefixes. For example, even with this list defined, Windows clients must have manually configured routes which direct traffic for these prefixes through the IPsec client connection. See TNSR Configuration Example Recipes for additional information.
Child SA Example¶
This example only has a single child, thus child 1. The child has a lifetime of 3600 seconds.
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
Next, create a child SA proposal. This example uses AES-256 for encryption, SHA-256 for integrity, and DH group 14 (modp2048, a 2048-bit modulus) for PFS.
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes256
tnsr(config-ike-child-proposal)# integrity sha256
tnsr(config-ike-child-proposal)# group modp2048
This completes the configuration for the IPsec tunnel. After exiting back to basic mode, TNSR will attempt to establish the tunnel with the peer.
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tunnel)# exit
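The following is an added example, not taken from the TNSR documentation, that extends the child configuration above with the remaining ike-child commands: it keeps the anti-replay window enabled, negotiates ESN, and limits a remote-access child to two internal prefixes instead of offering 0.0.0.0/0. It assumes that an IKE lifetime of 28800 seconds was configured earlier (so the 3600 second child lifetime is shorter, as required) and that 10.20.0.0/24 and 10.20.1.0/24 are the internal networks to expose to clients; both the lifetime value and the prefixes are placeholders to adjust. The algorithm and group names are the ones already used on this page; check any others against TNSR's command completion before relying on them.

```console
tnsr(config-ipsec-crypto-ike)# child 1
tnsr(config-ike-child)# lifetime 3600
tnsr(config-ike-child)# replay-window 64
tnsr(config-ike-child)# sequence-number esn
tnsr(config-ike-child)# proposal 1
tnsr(config-ike-child-proposal)# encryption aes256
tnsr(config-ike-child-proposal)# integrity sha256
tnsr(config-ike-child-proposal)# group modp2048
tnsr(config-ike-child-proposal)# exit
tnsr(config-ike-child)# traffic-selector 1 local 10.20.0.0/24
tnsr(config-ike-child)# traffic-selector 2 local 10.20.1.0/24
tnsr(config-ike-child)# exit
tnsr(config-ipsec-crypto-ike)# exit
tnsr(config-ipsec-tunnel)# exit
```

When mapping values supplied by a peer that describes them as "Phase 2" settings, the Phase 2 lifetime corresponds to lifetime, the Phase 2 encryption and hash algorithms to encryption and integrity, and the PFS group to group. Leave replay-window at 64 unless the peer's packets are legitimately reordered beyond that window; setting it to 0 removes replay protection for every packet on the SA rather than just the late ones.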