Configuring IPsec using IKEv2 protocol
The Blue Cedar Connect Gateway supports IKEv2 as the protocol for configuring IPsec tunnels. These are the high-level steps for configuring IPsec tunnels using IKEv2 on the gateway. For further details about specific steps, see the references that are provided.
1. Configure public and private ports with IP addresses in their respective IPv4 networks. (See Configuring basic connections and administrative user for the gateway for details.)
2. Configure an addressing pool-type (static, DHCP, or NAT) that will be attached to an IPsec tunnel. (See Configuring gateway address pools for details.)
   - Note: If the pool-type is static, configure the pool elements so that the pool addressing matches the subnet used on the private interface, and enable the pool.
3. Configure the IKE Phase 1 attributes, using the port configured in Step 1. (See Configuring IKEv2 Phase 1 and Phase 2 tunnels for details.)
4. Optional. Configure the IKE/IPsec Phase 2 attributes, using the addressing pool configured in Step 2, and attach them to the Phase 1 tunnel. (See Configuring IKEv2 Phase 1 and Phase 2 tunnels for details.)
5. Configure the "Don't Fragment Policy." This policy controls whether the gateway copies, clears, or sets the IPv4 header "don't fragment" flag on outgoing NAT-T ESP packets. It is useful in environments where routers or switches are set to drop fragments.
6. Enable the IKE server via its admin-state parameter. Use the command show status to see whether the IKE server is operational. To configure the IKE server to run, use this command:
   % set security ike default admin-state up
Configuring IKEv2 Phase 1 and Phase 2 tunnels
The gateway supports the IKEv2 protocol to establish an IPsec tunnel from the Blue Cedar-secured app on a mobile device to the gateway.
Parameters for the IKE Phase 1 tunnel
The following table lists the available parameters for configuring an IKEv2 Phase 1 tunnel for the Blue Cedar Connect Gateway:
| IKE configuration parameter | Valid values | Description |
| --- | --- | --- |
| address-pool-list | comma-separated list of address-pool names | Optional. A list of address pools as defined in Configuring gateway address pools. Default: use all configured pools. |
| admin-state | up/down | IKE server administrative state. Note: when you start configuring the gateway, the initial setting for admin-state is "down", which means the gateway does not allow any IKE tunnels. To enable IKE tunnels, you must change admin-state to "up". |
| cipher | aes128 | Only one cipher setting is selectable at any time. Any of the cipher values will be accepted in an IKE Phase 1 tunnel. |
| client-dpd dpd-seconds | <uint32> | Optional. Client Dead Peer Detection interval: how long the client waits before checking whether the gateway side of the connection is still active. Valid values: 30-6000 (in seconds). |
| dh-group | 5, 14, 15, 16, 17, 18, 19, 20, 21, 24, 25, 26, 27, 28, 29, 30 | The DH group accepted in IKE proposals. Only one dh-group setting is selectable at any time. |
| dpd | <uint32> | IKE server Dead Peer Detection interval (in minutes): how long the gateway and client wait before checking whether the client side of the connection is still active. This parameter configures Dead Peer Detection for both the gateway and the client, unless you set the client DPD separately. |
| fragment-enable | on/off | Allow or disallow fragmentation of IKE packets by the IKE server (applicable to Main Mode only). Default: on. |
| hash | sha2_256 | The hash the IKE server accepts in IKE proposals. Only one hash setting is selectable at any time. |
| life-secs-max | <uint32> | Lifetime maximum in seconds for an IPsec SA. |
| security-parameter-set | A string matching a security parameter set's reference name. | |
Setting IKE Phase 1 parameters
Use this template to configure an IKEv2 Phase 1 tunnel:
% set security ike default parameter_name_1 value_1 parameter_name_2 value_2 parameter_name_n value_n
The following example shows a CLI command for setting the IKEv2 Phase 1 parameters and using the show config command to display the current values for the Phase 1 parameters:
Set example
% set security ike default admin-state up auth-type psk psk acme dpd 5 dh-group 2
Show example
> show config
configuration {
    context default {
        security {
            ike {
                fragment-enable off;
                cipher aes256;
                hash sha2_256;
                life-secs-max 0;
                life-kbytes-max 0;
                df-bit-policy clear;
                admin-state up;
                dpd 5;
                dh-group 2;
            }
Parameters for the IKE/IPSec Phase 2 tunnel
The following table lists the available parameters for configuring the IKEv2/IPSec Phase 2 tunnels for the gateway:
| IKE configuration parameter | Valid values | Description |
| --- | --- | --- |
| cipher | aes128 | The available ciphers for the IPsec encryption algorithm. Only one cipher setting is selectable at any time. |
| hmac | sha2_256 | The available hash-based message authentication codes for the IPsec authentication algorithm. |
| life-kbytes-max | <uint32> | Lifetime maximum in kilobytes for an IPsec Security Association (SA). Possible values: |
| life-secs-max | <uint32> | Lifetime maximum in seconds for an IPsec SA. |
| pfs | on/off | IPsec Quick Mode Perfect Forward Secrecy using the Phase 1 Diffie-Hellman group. |
Setting IKE/IPSec Phase 2 parameters
The following commands set the IKEv2/IPSec Phase 2 parameters and display the current values for the Phase 2 parameters:
Set example
% set security security-parameter-set default cipher aes256 hmac sha2_256 life-kbytes-max 1000 life-secs-max 6000 pfs on
Show example
% show security
security {
    ike default {
        admin-state down;
        dpd 10;
        fragment-enable on;
        dh-group 14;
        cipher aes256;
        hash sha2_256;
        life-secs-max 86400;
        security-parameter-set default;
        mode proprietary;
    }
    security-parameter-set default {
        cipher aes256;
        hmac sha2_256;
        life-kbytes-max 1000;
        life-secs-max 6000;
        pfs on;
    }
}
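A practical way to review a gateway before enabling the IKE server is to pull the `show security` output and check it against the two parameter tables above (Phase 1 ike block and Phase 2 security-parameter-set block). The following script is an added example, not Blue Cedar tooling: it parses the brace-delimited `show security` format into nested dictionaries and flags values outside the documented sets and ranges, an admin-state of down (which, per the table, means no IKE tunnels are accepted), and an ike block that references a security-parameter-set that is not defined. The allowed values come from the tables on this page; the sample output is constructed and deliberately uses dh-group 2, which the Phase 1 table does not list. Treating aes256 as a valid cipher (the table lists only aes128, but the page's own show output uses aes256) and the copy/set values for df-bit-policy are assumptions.

```python
"""Audit Blue Cedar `show security` output against the IKEv2 parameter tables.

Added example, not the gateway's own tooling. Allowed values are taken from
the Phase 1 and Phase 2 tables on this page; the sample output is constructed.
"""

ANY = object()  # marker: any string is accepted (reference names, pool lists)

# Phase 1 (ike block). Tuples are inclusive numeric ranges; sets are literal values.
IKE_RULES = {
    "admin-state": {"up", "down"},
    "address-pool-list": ANY,
    "cipher": {"aes128", "aes256"},   # table lists aes128; page's show output uses aes256 (assumed valid)
    "client-dpd": (30, 6000),         # seconds
    "dh-group": {"5", "14", "15", "16", "17", "18", "19", "20", "21",
                 "24", "25", "26", "27", "28", "29", "30"},
    "dpd": (0, 2**32 - 1),            # minutes, <uint32>
    "fragment-enable": {"on", "off"},
    "hash": {"sha2_256"},
    "life-secs-max": (0, 2**32 - 1),
    "security-parameter-set": ANY,
    "df-bit-policy": {"copy", "clear", "set"},  # "clear" is on the page; copy/set assumed from the prose
}

# Phase 2 (security-parameter-set block).
SPS_RULES = {
    "cipher": {"aes128", "aes256"},
    "hmac": {"sha2_256"},
    "life-kbytes-max": (0, 2**32 - 1),
    "life-secs-max": (0, 2**32 - 1),
    "pfs": {"on", "off"},
}


def parse_config(text):
    """Parse the brace-delimited show output into nested dicts.

    A line `name [arg] {` opens a block keyed by the full header text,
    `key value;` is a leaf, and `}` closes the current block.
    Raises ValueError on unbalanced braces (e.g. truncated output)."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value.strip()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated block (output truncated?)")
    return root


def check_block(block, rules, path):
    """Return findings for leaf values in `block` that violate `rules`."""
    findings = []
    for key, value in block.items():
        if isinstance(value, dict):
            continue  # nested blocks are checked by the caller
        rule = rules.get(key)
        if rule is ANY:
            continue
        if rule is None:
            findings.append(f"{path}: '{key}' is not in the parameter table on this page")
        elif isinstance(rule, tuple):
            lo, hi = rule
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"{path}: {key} {value} is outside the documented range {lo}-{hi}")
        elif value not in rule:
            findings.append(f"{path}: {key} {value} is not among the documented values {sorted(rule)}")
    return findings


def audit(text):
    """Parse `show security` output and return a list of human-readable findings."""
    sec = parse_config(text).get("security", {})
    defined_sets = {k.split(" ", 1)[1] for k in sec if k.startswith("security-parameter-set ")}
    findings = []
    for name, block in sec.items():
        if name.startswith("ike "):
            findings += check_block(block, IKE_RULES, name)
            if block.get("admin-state") == "down":
                findings.append(f"{name}: admin-state is down, so the gateway accepts no IKE tunnels")
            ref = block.get("security-parameter-set")
            if ref and ref not in defined_sets:
                findings.append(f"{name}: references undefined security-parameter-set '{ref}'")
        elif name.startswith("security-parameter-set "):
            findings += check_block(block, SPS_RULES, name)
    return findings


# Constructed sample: mirrors the page's show output but with dh-group 2 and admin-state down.
SAMPLE = """\
security {
    ike default {
        admin-state down;
        dpd 10;
        fragment-enable on;
        dh-group 2;
        cipher aes256;
        hash sha2_256;
        life-secs-max 86400;
        security-parameter-set default;
        mode proprietary;
    }
    security-parameter-set default {
        cipher aes256;
        hmac sha2_256;
        life-kbytes-max 1000;
        life-secs-max 6000;
        pfs on;
    }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the constructed sample, the audit reports three findings: dh-group 2 is not in the documented set, `mode` is not in the Phase 1 table, and admin-state is down. Pasting real `show security` output in place of SAMPLE gives the same pre-flight check before running `set security ike default admin-state up`; a truncated capture (as in the Phase 1 show example, whose closing braces are cut off) raises ValueError rather than silently passing.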