Add the resource to the Abilis system with the following command:

```
[15:50:39] ABILIS_CPX:a res:ike
RES:IKE ALREADY EXISTS
```

The IKE resource may already exist in the system but not yet be active; set it active with the command:

```
[15:50:43] ABILIS_CPX:s act res:ike
COMMAND EXECUTED
```

| Caution |
|---|
| After adding the IKE resource or setting it active, you must restart the Abilis to get the resource running (use the warm start command to reboot the Abilis). |
```
[17:14:59] ABILIS_CPX:s p ike act:yes
COMMAND EXECUTED

[17:15:17] ABILIS_CPX:d p ike
RES:Ike - Not Saved (SAVE CONF), Not Refreshed (INIT) -------------------------
------------------------------------------------------------------------
DESCR:Internet_Keys_Exchange_Protocol
LOG:DS            ACT:NO            mxps:2048         max-hosts:16
TOS:0-N           NRTY:3            TB:10
NATT:AUTO         NATT-N-IKE:YES    NATT-PF:YES       NATT-KA:20
MODE-CFG-DNS:#    WDIR:C:\APP\IKE\
ASN1-DN-SYS:
```
Use the following command to display the parameters of the resource. The d p ike ? command shows the meaning of parameters.
```
[09:58:41] ABILIS_CPX:d p ike
RES:Ike ----------------------------------------------------------------------- Run
DESCR:Internet_Keys_Exchange_Protocol
LOG:DS            ACT:YES           mxps:2048         max-hosts:16
TOS:0-N           NRTY:3            TB:10
NATT:AUTO         NATT-N-IKE:YES    NATT-PF:YES       NATT-KA:20
MODE-CFG-DNS:#    WDIR:C:\APP\IKE\
ASN1-DN-SYS:
```
Meaning of the most important parameters:

- LOG: Logging functionalities activation/deactivation.
- ACT: Runtime IPSEC activation/deactivation.
- mxps: Maximum length of UDP datagram that can be processed.
- max-hosts: Maximum number of simultaneous clients [1..255].
- TOS: Type Of Service octet or Differentiated Services Field (DS):
  - 'p-t', i.e. PRECEDENCE and TOS values, where 'p' can be [0..7] and 't' can be [N=None, D=Min. Delay, T=Max. Throughput, R=Max. Reliability, C=Min. Monetary Cost];
  - 'bbbbbb', i.e. DS value bit by bit, where 'b' can be [0, 1].
- NRTY: Maximum number of packet retransmissions.
- TB: Retransmission delay.
- WDIR: Working directory; it cannot be empty (physical full path in DOS notation).
- NATT: NAT traversal activation. If NAT traversal is enabled, the IPsec AH algorithm must be disabled.
- NATT-N-IKE: NAT traversal NON-IKE marker activation.
- NATT-PF: NAT traversal port floating activation.
- NATT-KA: NAT traversal keep-alive timer.
- MODE-CFG-DNS: IP address of the DNS server for the MODE-CFG mode [#, 1-126.x.x.x, 127.0.0.1, 128-223.x.x.x].
- ASN1-DN-SYS: Specifies the system Distinguished Name.
The command that allows the configuration of the resource to be modified has the following syntax:

```
s p ike par:val...
```

| Caution |
|---|
| To activate changes made to the upper-case parameters, execute the initialization command init res:ike; to activate changes made to the lower-case parameters, a save conf and an Abilis restart (i.e. the warm start command) are required. |
IKE tables define the control and cryptographic characteristics of the Hosts and Clients:

- The Host connections table defines the mechanisms to establish the Security Association and the encryption algorithms;
- The Client connections table defines the characteristics and the security parameters for a single IPSec VPN;
- The Preshared Keys Table contains the secret key for mutual authentication.

The Host connections table can store up to 128 entries, indexed starting from 0 up to 127.
Changes made in the table are activated by executing the command init res:ike.
Commands for handling the Host connections table are:

```
d/a/c/s ike host:"id-num" [par:val...]
```
The d ike host ? command displays the meaning of parameters.
```
[18:47:07] ABILIS_CPX:d ike host
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
HOST: NAME:      LOC-IP:          NATT: XAUTH: AUTH: HASH: DH:       CIPHER:
      REM-IP:          SIDE:   MODE-CFG: XAUTH-USER: XAUTH-PWD:
-------------------------------------------------------------------------------
0     Agent_01   080.080.080.080  SYS   NO     PSK   MD5   MODP1024  3DES
      *                INSIDE  NO
-------------------------------------------------------------------------------

[20:33:37] ABILIS_CPX:d ike host:0
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
Parameter:    | Value:
--------------+----------------------------------------------------------------
HOST:         | 0
NAME:         | Agent_01
LOC-IP:       | 080.080.080.080
REM-IP:       | *
NATT:         | SYS
AUTH:         | PSK
HASH:         | MD5
DH:           | MODP1024
CIPHER:       | 3DES
SIDE:         | INSIDE
XAUTH:        | NO
XAUTH-USER:   |
XAUTH-PWD:    |
MODE-CFG:     | NO
KEYING-TRIES: | 3
LIFE-TIME:    | 3600
DPD-ENABLE:   | NO
DPD-DELAY:    | 30
DPD-TIMEOUT:  | 120
DPD-ACTION:   | STOP
ID-TYPE:      | IP
IP:           | 080.080.080.080
PEER-ID-TYPE: | IP
PEER-IP:      | 192.168.101.001
-------------------------------------------------------------------------------
```
Meaning of the most important parameters:

- LOC-IP: IP address that IKE will use as source address.
- REM-IP: Peer's IP address for this connection.
- NATT: NAT traversal activation [SYS, NO, YES, AUTO].
- AUTH: Authentication method for the ISAKMP/OAKLEY negotiation [PSK, RSASIG].
- HASH: Hash algorithm for the ISAKMP/OAKLEY negotiation [MD5, SHA-1, SHA-256, SHA-384, SHA-512].
- DH: Diffie-Hellman group for the ISAKMP/OAKLEY negotiation [MODP768 for Group 1, MODP1024 for Group 2, MODP1536 for Group 5, MODP2048 for Group 14].
- CIPHER: Encryption algorithm for the ISAKMP/OAKLEY negotiation [DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256].
- SIDE: NAT side assigned to the tunnel [NONE, AUTO, INSIDE, OUTSIDE, VPN, DMZ].
- XAUTH: Type of XAUTH [NO, SERVER, CLIENT] (for Cisco compatibility).
- XAUTH-USER: XAUTH user name for the host connection.
- XAUTH-PWD: XAUTH password for the host connection.
- MODE-CFG: Type of Mode config [NO, SRV-PUSH, SRV-REQUEST] (for iPhone compatibility).
- KEYING-TRIES: Specifies how many times IKE should try to negotiate an SA, either for the first time or for rekeying [INFINITE, 1..100].
- LIFE-TIME: Specifies how long IKE will propose that an ISAKMP SA be allowed to live. The range is [600..86400] sec.
- DPD-ENABLE: Enables/disables the DPD (Dead Peer Detection) procedure (the function must also be supported by the IPSec client) [NO, YES]. DPD is a keepalive mechanism that enables the router to detect when the connection between the router and a remote IPSec peer has been lost. DPD enables the router to reclaim resources and to optionally redirect traffic to an alternate failover destination. If DPD is not enabled, the traffic continues to be sent to the unavailable destination.
- DPD-DELAY: Time interval between DPD checks. It must be lower than DPD-TIMEOUT.
- DPD-TIMEOUT: Time interval of missing DPD replies after which the peer is declared dead. It must be greater than DPD-DELAY.
- DPD-ACTION: Action executed when the peer is detected dead [STOP, RESTART].
- ID-TYPE: Type of local host ID for the connection [AUTO: the local ID is set automatically at run time to the local IP address; IP: the local ID is the local IP address; FQDN: the local ID is a fully-qualified domain name (FQDN); USER-FQDN: the local ID is a fully-qualified user domain name].
- IP: Local ID IP address (only for ID-TYPE not equal to AUTO).
- FQDN: Local ID fully-qualified domain name (FQDN) or user-FQDN.
- PEER-ID-TYPE: Peer's ID type [AUTO, IP, FQDN, USER-FQDN].
- PEER-IP: Peer's ID IP address (only for PEER-ID-TYPE not equal to AUTO).
- PEER-FQDN: Peer's ID fully-qualified domain name (FQDN) or user-FQDN.
| Note |
|---|
| The |
The Client connections table can store up to 128 entries, indexed starting from 0 up to 127.
Changes made in the table are activated by executing the command init res:ike.
Commands for handling the Client connections table are:

```
d/a/c/s ike cli:"id-num" [par:val...]
```
The d ike cli ? command displays the meaning of the parameters.
```
[18:47:32] ABILIS_CPX:d ike cli
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
CLI: NAME:       HOST-ID: RULE:  LIFE-TIME: PFS: ESP: ESP-CIPHER: ESP-AUTH:
     PASSIVE: PERMANENT: NET-LOC:            AH:  AH-AUTH: TUNNEL: NET-REM:
     MODE-CFG-DNS:
-------------------------------------------------------------------------------
0    Agent_Cli1  0        IPSEC  28800      YES  YES  3DES        MD5
     YES      YES        192.168.001.000/24  NO   MD5      YES     192.168.101.001/32
     SYS
-------------------------------------------------------------------------------

[20:46:06] ABILIS_CPX:d ike cli:0
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
Parameter:    | Value:
--------------+----------------------------------------------------------------
CLI:          | 0
NAME:         | Agent_Cli1
HOST-ID:      | 0
RULE:         | IPSEC
PASSIVE:      | YES
PERMANENT:    | YES
TUNNEL:       | YES
ESP:          | YES
ESP-CIPHER:   | 3DES
ESP-AUTH:     | MD5
AH:           | NO
AH-AUTH:      | MD5
LIFE-TIME:    | 28800
PFS:          | YES
NET-LOC:      | 192.168.001.000/24
NET-REM:      | 192.168.101.001/32
MODE-CFG-DNS: | SYS
-------------------------------------------------------------------------------
```
Meaning of the most important parameters:

- RULE: Rule for this client connection [BYPASS, DROP, IPSEC].
- PASSIVE: Mode of negotiation [NO: negotiation can be started as initiator and as responder; YES: negotiation can be started as responder only; useful for a server]. If the related host LOC-IP is set to an "IP resource", PASSIVE must be forced to NO; if the related host REM-IP is set to *, PASSIVE must be forced to YES, even if LOC-IP is set to an "IP resource".
- PERMANENT: Mode of negotiation [NO: after driver start or after the init command, (re-)negotiation will not be started automatically as initiator; YES: after driver start or after the init command, (re-)negotiation of this connection will be started automatically as initiator].
- TUNNEL: Mode of IPSEC negotiation [NO: Transport mode, YES: Tunnel mode].
- ESP: Enables/disables the IPSEC ESP protocol.
- ESP-CIPHER: Encryption algorithm for the IPSEC ESP protocol [NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256].
- ESP-AUTH: Authentication algorithm for the IPSEC ESP protocol [NONE, MD5, SHA-1, SHA-256, SHA-384, SHA-512].
- AH: Enables/disables the IPSEC AH protocol.
- AH-AUTH: Authentication algorithm for the IPSEC AH protocol [MD5, SHA].
- LIFE-TIME: Specifies how long IKE will propose that an IPSEC SA be allowed to live. The range is [600..86400] sec.
- PFS: Enables/disables Perfect Forward Secrecy. PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys remain secure because they are not derived from previous keys.
- NET-LOC: Local subnet address and mask in slash notation.
- NET-REM: Remote subnet address and mask in slash notation.
- MODE-CFG-DNS: IP address of the DNS server for the MODE-CFG mode.
| Note |
|---|
| Several clients can refer to the same IKE Host. |
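The host and client parameter rules above (PASSIVE forced to YES when REM-IP is *, AH disabled when NAT traversal is on, DPD-DELAY below DPD-TIMEOUT, LIFE-TIME within [600..86400]) can be checked mechanically against the `d ike host:N` / `d ike cli:N` displays. The following is an added example, not Abilis code; it assumes only the "Parameter: | Value:" layout shown above and uses a constructed copy of this page's host 0 and client 0 entries as input. It also flags algorithm choices from the option lists (DES, 3DES, MD5, MODP768, NONE) that a reviewer would want replaced by AES, SHA-2 and MODP2048.

```python
import re

# Constructed sample input: the 'd ike host:0' and 'd ike cli:0' displays from this
# page, reduced to the "Parameter: | Value:" lines the checks below need.
HOST_0 = """HOST:        | 0
REM-IP:      | *
NATT:        | SYS
HASH:        | MD5
DH:          | MODP1024
CIPHER:      | 3DES
LIFE-TIME:   | 3600
DPD-DELAY:   | 30
DPD-TIMEOUT: | 120
"""
CLI_0 = """CLI:         | 0
HOST-ID:     | 0
PASSIVE:     | YES
ESP-CIPHER:  | 3DES
ESP-AUTH:    | MD5
AH:          | NO
LIFE-TIME:   | 28800
"""
# Option values from the page's algorithm lists that a reviewer should flag.
WEAK = {"DES", "3DES", "MD5", "MODP768", "NONE"}

def parse_display(text):
    """Parse 'PARAM: | value' lines (as printed by d ike host:N / cli:N) into a dict."""
    return dict(re.findall(r"^\s*([A-Z0-9-]+):\s*\|\s*(.*?)\s*$", text, re.M))

def check_pair(host, cli, res_natt="AUTO"):
    """Findings for one host entry and a client entry that refers to it;
    res_natt is the resource-level NATT (d p ike), used when the host says SYS."""
    findings = []
    natt = res_natt if host.get("NATT") == "SYS" else host.get("NATT")
    if host.get("REM-IP") == "*" and cli.get("PASSIVE") != "YES":
        findings.append("PASSIVE must be YES when host REM-IP is *")
    if natt in ("YES", "AUTO") and cli.get("AH") == "YES":  # AUTO may enable NAT-T
        findings.append("AH must be disabled when NAT traversal is enabled")
    if int(host.get("DPD-DELAY", 0)) >= int(host.get("DPD-TIMEOUT", 1)):
        findings.append("DPD-DELAY must be lower than DPD-TIMEOUT")
    for label, tbl in (("host", host), ("client", cli)):
        if not 600 <= int(tbl.get("LIFE-TIME", 600)) <= 86400:
            findings.append(f"{label} LIFE-TIME outside [600..86400]")
    for key in ("HASH", "CIPHER", "DH", "ESP-CIPHER", "ESP-AUTH"):
        val = host.get(key, cli.get(key))
        if val in WEAK:
            findings.append(f"weak algorithm {val} in {key}")
    return findings
```

Run against the page's sample entries, the checker reports no rule violations but four weak-algorithm findings (MD5 and 3DES in both the ISAKMP and ESP proposals).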
The Pre-shared keys table can store up to 64 entries, indexed starting from 0 up to 127.
Changes made in the table are activated by executing the command init res:ike.
Commands for handling the Pre-shared keys table are:

```
d/a/c/s ike psk:"id-num" [par:val...]
```
The d ike psk ? command displays the meaning of parameters.
```
[18:47:53] ABILIS_CPX:d ike psk
-------------------------------------------------------------------------------
PSK: KEY:      ID-TYPE:   IP:              FQDN:
-------------------------------------------------------------------------------
1    ********  ANONYMOUS
```

Meaning of the most important parameters:
- KEY: Specifies the preshared key for this record.
- ID-TYPE: Type of peer ID [UNDEF, IP, FQDN, USER-FQDN, ANONYMOUS].
- IP: Remote IP address.
- FQDN: Remote fully-qualified domain name (FQDN) or user-FQDN.