Add the resource to the Abilis system with the following command:
[15:50:39] ABILIS_CPX:a res:ipsec
RES:IPSEC ALREADY EXISTS
The IPSEC resource may already exist in the system but not yet be active: set it active with the command:
[15:50:43] ABILIS_CPX:s act res:ipsec
COMMAND EXECUTED
| Caution |
|---|
| After adding the IPSEC resource or setting it active, you must restart the Abilis for the resource to run (use the warm start command to reboot the Abilis). |
[17:14:59] ABILIS_CPX:s p ipsec act:yes
COMMAND EXECUTED
[17:15:17] ABILIS_CPX:d p ipsec
RES:Ipsec - Not Saved (SAVE CONF), Not Refreshed (INIT) ----------------------
Run DESCR:IP_Security_Protocol
LOG:DS ACT:YES MODE:IKE mxps:2048 IN-CHK:YES TTL:COPY ECN:NOCARE DF:CLEAR TCP-MSS-CLAMP:YES TCP-MSS-VALUE:1334
| Warning |
|---|
| To activate the IPSEC resource, 16 MB of free RAM are required. Verify it with the command d i; for example: [17:39:21] ABILIS_CPX: |
Use the following command to display the parameters of the resource; the meaning of the most important parameters is listed below.
[09:58:41] ABILIS_CPX:d p ipsec
RES:IpSec ---------------------------------------------------------------------
Run DESCR:IP_Security_Protocol
LOG:DS ACT:YES MODE:IKE mxps:2048 IN-CHK:YES TTL:COPY ECN:FORBIDDEN DF:CLEAR TCP-MSS-CLAMP:YES TCP-MSS-VALUE:1334
Meaning of the most important parameters:
LOG: Logging functionalities activation/deactivation.
ACT: Runtime IPSEC activation/deactivation.
MODE: Working mode of the IPSEC port [MANUAL; IKE].
mxps: Maximum length of an IP datagram that can be processed.
IN-CHK: Inbound policy check flag.
TTL: Specifies the Time-To-Live field for the outer IP header in tunnel mode [COPY: the TTL field is copied from the inner IP header to the tunnel one; 1..255].
ECN: Specifies the ECN (Explicit Congestion Notification) consideration mode on IPSEC tunnels in tunnel mode. ECN is an experimental addition to the IP architecture that provides notification of the onset of congestion to delay- or loss-sensitive applications [ALLOWED; FORBIDDEN; NOCARE].
DF: DF (Don't Fragment) bit manipulation in tunnel mode during encapsulation [CLEAR: clear the DF bit on the outer IP header; SET: set the DF bit on the outer IP header; COPY: copy the DF bit from the inner to the outer IP header].
TCP-MSS-CLAMP: Activates/deactivates the TCP MSS (Maximum Segment Size) clamping procedure used to control the size of TCP segments.
TCP-MSS-VALUE: TCP MSS clamping value.
The command that allows the configuration of the resource to be modified has the following syntax:
s p ipsec par:val...
| Caution |
|---|
| To activate changes made to the upper-case parameters, execute the initialization command init res:ipsec; to activate changes made to the lowercase parameters, a save conf and an Abilis restart (i.e. the warm start command) are required. |
A given SA protects IP datagrams using exactly one security protocol: either AH or ESP.
An enhanced security policy may be implemented using multiple SAs.
The term “security association bundle” or “SA bundle” is applied to a sequence of SAs through which traffic must be processed to satisfy a security policy. The order of the sequence is defined by the policy.
This table is used only when the mode parameter is set to MANUAL.
The Security Associations table can store up to 256 entries, indexed starting from 0 up to 255.
Changes made in the table are activated by executing the command init res:ipsec.
Commands for handling the Security Associations table are:
d/a/c/s ipsec sa:"id-num" [par:val...]
The d ipsec sa ? command displays the meaning of parameters.
[11:46:52] ABILIS_CPX:d ipsec sa
-------------------------------------------------------------------------------
SA: NAME: SPI: SRC-IP: PROT: AUTH: CIPHER:
BUNDLE: TUNNEL: IPRES: SIDE: DST-IP: AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
*** NO IPSEC SECURITY ASSOCIATIONS DEFINED ***
Meaning of the most important parameters:
SPI: Specifies the Security Parameter Index (SPI).
BUNDLE: Number of the SA bundle group.
SRC-IP: Source IP address for the Security Association.
DST-IP: Destination IP address for the Security Association.
PROT: Protocol for this Security Association record [AH, ESP].
AUTH: Authentication method for the AH or ESP protocols [NONE, MD5, SHA].
AUTHKEY: Authentication key for the AH or ESP protocols (only for AUTH not equal to NONE). ASCII printable string. For an MD5 authentication key exactly 16 characters are required; for a SHA authentication key exactly 20 characters are required.
CIPHER: Encryption algorithm for the ESP protocol [NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256].
ENCKEY: Encryption key for the ESP protocol (only for PROT:ESP and CIPHER not equal to NONE). For a DES encryption key exactly 8 characters are required; for IDEA, CAST, BLOWFISH and AES128 exactly 16 characters; for 3DES and AES192 exactly 24 characters; for AES256 exactly 32 characters.
TUNNEL: Tunnel mode flag.
IPRES: Tunnel IP resource.
SIDE: Tunnel side [NONE, AUTO, INSIDE, OUTSIDE, VPN, DMZ].
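The PROT/AUTH/CIPHER and key-length rules above are easy to get wrong at the console, and the CLI only reports a rejected entry after the fact. The following Python script is an added example (not Abilis code) that encodes those rules so an SA entry can be checked before it is typed in as a ipsec sa:<id> par:val .... The dictionary layout, the check messages, the weak-algorithm list (single DES and MD5, this example's own policy rather than an Abilis restriction) and the helper build_sa_command() are all assumptions of this example; the sample entry is constructed.

```python
"""Pre-flight validator for Abilis IPSEC Security Association entries.

Added example (not Abilis code): it encodes the PROT/AUTH/CIPHER and
key-length rules from the documentation so that an SA can be checked
before it is entered with 'a ipsec sa:<id> par:val ...'. The dictionary
layout, the messages and build_sa_command() are this example's own.
"""
import string

# Key lengths, in ASCII characters, required per algorithm (from the docs).
AUTH_KEY_LEN = {"MD5": 16, "SHA": 20}
CIPHER_KEY_LEN = {
    "DES": 8,
    "IDEA": 16, "CAST": 16, "BLOWFISH": 16, "AES128": 16,
    "3DES": 24, "AES192": 24,
    "AES256": 32,
}
SIDES = {"NONE", "AUTO", "INSIDE", "OUTSIDE", "VPN", "DMZ"}
# Algorithms flagged as weak: this example's own policy, not an Abilis
# restriction. Single DES and MD5 are no longer considered secure.
WEAK = {"DES", "MD5"}

# Constructed sample entry: ESP in tunnel mode with SHA auth and AES-256.
SAMPLE_SA = {
    "sa": 0, "spi": 256, "bundle": 1,
    "src-ip": "10.1.0.1", "dst-ip": "10.2.0.1",
    "prot": "ESP", "auth": "SHA", "authkey": "k" * 20,
    "cipher": "AES256", "enckey": "e" * 32,
    "tunnel": "YES", "side": "VPN",
}


def _printable(key):
    # Keys are ASCII printable strings; whitespace is rejected because it
    # would break the par:val command syntax.
    return key != "" and all(c in string.printable and not c.isspace() for c in key)


def validate_sa(sa):
    """Return a list of problems; an empty list means the entry is acceptable."""
    errors = []
    if not isinstance(sa.get("sa"), int) or not 0 <= sa["sa"] <= 255:
        errors.append("sa index must be an integer in 0..255")
    if not isinstance(sa.get("spi"), int) or sa["spi"] <= 0:
        errors.append("spi must be a positive integer")
    prot = sa.get("prot")
    if prot not in ("AH", "ESP"):
        errors.append("prot must be AH or ESP")
    auth = sa.get("auth", "NONE")
    cipher = sa.get("cipher", "NONE")
    authkey = sa.get("authkey", "")
    enckey = sa.get("enckey", "")

    # AUTH / AUTHKEY: a key only when AUTH is not NONE, with the exact length.
    if auth not in AUTH_KEY_LEN and auth != "NONE":
        errors.append("auth must be NONE, MD5 or SHA")
    elif auth == "NONE" and authkey:
        errors.append("authkey is only allowed when auth is not NONE")
    elif auth != "NONE":
        need = AUTH_KEY_LEN[auth]
        if len(authkey) != need or not _printable(authkey):
            errors.append("authkey for %s must be exactly %d printable characters" % (auth, need))

    # CIPHER / ENCKEY: ESP only, and a key only when CIPHER is not NONE.
    if cipher not in CIPHER_KEY_LEN and cipher != "NONE":
        errors.append("unknown cipher " + str(cipher))
    elif prot == "AH" and (cipher != "NONE" or enckey):
        errors.append("AH does not encrypt: cipher must be NONE and enckey empty")
    elif cipher == "NONE" and enckey:
        errors.append("enckey is only allowed when cipher is not NONE")
    elif cipher != "NONE":
        need = CIPHER_KEY_LEN[cipher]
        if len(enckey) != need or not _printable(enckey):
            errors.append("enckey for %s must be exactly %d printable characters" % (cipher, need))

    if sa.get("side", "NONE") not in SIDES:
        errors.append("side must be one of " + ", ".join(sorted(SIDES)))
    return errors


def weak_algorithms(sa):
    """Return the weak algorithms an otherwise valid entry relies on."""
    return sorted(a for a in (sa.get("auth"), sa.get("cipher")) if a in WEAK)


def build_sa_command(sa):
    """Render a validated entry as the 'a ipsec sa:<id> par:val ...' line."""
    problems = validate_sa(sa)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["a ipsec sa:%d" % sa["sa"]]
    for key in ("spi", "bundle", "src-ip", "dst-ip", "prot", "auth", "authkey",
                "cipher", "enckey", "tunnel", "ipres", "side"):
        if sa.get(key) not in (None, ""):
            parts.append("%s:%s" % (key, sa[key]))
    return " ".join(parts)


if __name__ == "__main__":
    print(build_sa_command(SAMPLE_SA))
    print("weak:", weak_algorithms(SAMPLE_SA))
    print("problems:", validate_sa(dict(SAMPLE_SA, authkey="short")))
```

Errors and weak-algorithm warnings are kept apart on purpose: a DES/MD5 entry is still accepted by the documented syntax, so the script reports it separately rather than refusing to build the command.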
This table is used only when the mode parameter is set to MANUAL.
The Policy table can store up to 256 entries, indexed starting from 0 up to 255.
Changes made in the table are activated by executing the command init res:ipsec.
Commands for handling the Policy table are:
d/a/c/s ipsec policy:"id-num" [par:val...]
By typing d ipsec policy ?, it's possible to display the meaning of the parameters.
[11:46:54] ABILIS_CPX:d ipsec policy
-------------------------------------------------------------------------------
POLICY: NAME: NET-SRC: PORT-SRC:
DIR: BUNDLE: RULE: NET-DST: PORT-DST:
-------------------------------------------------------------------------------
*** NO IPSEC SECURITY POLICIES DEFINED ***
Meaning of the most important parameters:
DIR: Direction for the policy record [OUT: outbound direction (used as a packet filter); IN: inbound direction (used for the inbound policy check)].
BUNDLE: Number of the SA bundle group associated with this policy record.
RULE: Rule for the policy record [BYPASS: the packet is bypassed by IPSEC (outbound direction only); DROP: the packet is dropped by IPSEC (outbound direction only); IPSEC: the packet is processed by IPSEC].
NET-SRC: Source subnet address and mask in slash notation.
NET-DST: Destination subnet address and mask in slash notation.
PORT-SRC: Source port of the upper protocol (TCP, UDP).
PORT-DST: Destination port of the upper protocol (TCP, UDP).
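Because both tables only take effect after init res:ipsec, it helps to dry-run a rule set against sample packets first. The following Python script is an added example (not Abilis code) that models the Policy table and the Security Associations table above, resolves which rule and which SA bundle a packet would get, and checks the two tables against each other. Assumptions of this example that the documentation does not state: policy entries are consulted in ascending index order and the first match wins; an omitted NET-*/PORT-* field matches anything; the SAs of a bundle are applied in ascending SA index. The tables and packets are constructed samples.

```python
"""Dry-run of the IPSEC Policy and Security Associations tables (MANUAL mode).

Added example, not Abilis code. Assumptions not stated in the documentation:
first matching policy (by index) wins, an omitted NET-*/PORT-* field matches
anything, and a bundle's SAs are applied in ascending SA index.
"""
import ipaddress

# Constructed policy table: protect 10.1.0.0/24 <-> 10.2.0.0/24 with bundle 1,
# let HTTPS leave in the clear, drop everything else leaving 10.1.0.0/24.
POLICIES = [
    {"policy": 0, "dir": "OUT", "net-src": "10.1.0.0/24", "net-dst": "10.2.0.0/24",
     "rule": "IPSEC", "bundle": 1},
    {"policy": 1, "dir": "OUT", "net-src": "10.1.0.0/24", "net-dst": "0.0.0.0/0",
     "port-dst": 443, "rule": "BYPASS"},
    {"policy": 2, "dir": "OUT", "net-src": "10.1.0.0/24", "net-dst": "0.0.0.0/0",
     "rule": "DROP"},
    {"policy": 3, "dir": "IN", "net-src": "10.2.0.0/24", "net-dst": "10.1.0.0/24",
     "rule": "IPSEC", "bundle": 1},
]
# Constructed SA table: bundle 1 is ESP (encrypt + authenticate) followed by AH.
SAS = [
    {"sa": 0, "bundle": 1, "spi": 256, "prot": "ESP", "cipher": "AES256", "auth": "SHA"},
    {"sa": 1, "bundle": 1, "spi": 257, "prot": "AH", "auth": "SHA"},
]


def _matches(entry, direction, src, dst, sport, dport):
    # Every field present in the entry must match; absent fields are wildcards.
    if entry["dir"] != direction:
        return False
    if "net-src" in entry and src not in ipaddress.ip_network(entry["net-src"]):
        return False
    if "net-dst" in entry and dst not in ipaddress.ip_network(entry["net-dst"]):
        return False
    if "port-src" in entry and entry["port-src"] != sport:
        return False
    if "port-dst" in entry and entry["port-dst"] != dport:
        return False
    return True


def lookup_policy(policies, direction, src, dst, sport=None, dport=None):
    """Return the first matching policy entry (by index) or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(policies, key=lambda e: e["policy"]):
        if _matches(entry, direction, src, dst, sport, dport):
            return entry
    return None


def bundle_spis(sas, bundle):
    """SPIs of the bundle's SAs in the order the packet traverses them."""
    return [sa["spi"] for sa in sorted(sas, key=lambda s: s["sa"]) if sa["bundle"] == bundle]


def decide(policies, sas, direction, src, dst, sport=None, dport=None):
    """Return (rule, spis): the rule applied to a packet and the SA bundle used."""
    entry = lookup_policy(policies, direction, src, dst, sport, dport)
    if entry is None:
        return ("NOMATCH", [])
    if entry["rule"] == "IPSEC":
        return ("IPSEC", bundle_spis(sas, entry["bundle"]))
    return (entry["rule"], [])


def check_tables(policies, sas):
    """Consistency problems worth fixing before init res:ipsec."""
    problems = []
    bundles = {sa["bundle"] for sa in sas}
    for entry in policies:
        # BYPASS and DROP are documented as outbound-only rules.
        if entry["rule"] in ("BYPASS", "DROP") and entry["dir"] == "IN":
            problems.append("policy %d: %s is outbound only" % (entry["policy"], entry["rule"]))
        # An IPSEC policy must point at a bundle that has at least one SA.
        if entry["rule"] == "IPSEC" and entry.get("bundle") not in bundles:
            problems.append("policy %d: bundle %s has no SA" % (entry["policy"], entry.get("bundle")))
    return problems


if __name__ == "__main__":
    print(decide(POLICIES, SAS, "OUT", "10.1.0.5", "10.2.0.9"))
    print(decide(POLICIES, SAS, "OUT", "10.1.0.5", "203.0.113.7", dport=80))
    print(check_tables(POLICIES, SAS))
```

The order of the sample policies matters: the IPSEC entry sits before the catch-all DROP, so traffic to the protected subnet is encapsulated rather than discarded, and the HTTPS BYPASS is the only clear-text exception.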