Configuring IPsec using IKEv2 protocol

The Blue Cedar Connect Gateway supports IKEv2 as the protocol for configuring IPsec tunnels. These are the high-level steps for configuring IPsec tunnels using IKEv2 on the gateway. For further details about specific steps, see the references that are provided.

1. Configure public and private ports with IP addresses in their respective IPv4 networks. (See Configuring basic connections and administrative user for the gateway for details.)

2. Configure an addressing pool-type (static, DHCP, or NAT) that will be attached to an IPsec tunnel. (See Configuring gateway address pools for details.)

   • Note: If the pool-type is static, configure the pool elements so that the pool addressing matches the subnet used on the private interface, and enable the pool.

3. Configure the IKE Phase 1 attributes, using the port configured in Step 1. (See Configuring IKEv2 Phase 1 and Phase 2 tunnels for details.)

4. Optional. Configure the IKE/IPsec Phase 2 attributes, attaching the addressing pool configured in Step 2 to the Phase 1 tunnel. (See Configuring IKEv2 Phase 1 and Phase 2 tunnels for details.)

5. Configure the "Don't Fragment Policy." This policy controls whether the gateway copies, clears, or sets the IPv4 header "don't fragment" flag on outgoing NAT-T ESP packets. It is useful in environments where routers or switches are configured to drop fragments.

6. Enable the IKE server via its admin-state parameter. Use the show status command to check whether the IKE server is operational. To configure the IKE server to run, use this command:

BASH
% set security ike default admin-state up

Configuring IKEv2 Phase 1 and Phase 2 tunnels

The gateway supports the IKEv2 protocol to establish an IPsec tunnel from the Blue Cedar-secured app on a mobile device to the gateway. 

Parameters for the IKE Phase 1 tunnel

The following table lists the available parameters for configuring an IKEv2 Phase 1 tunnel for the Blue Cedar Connect Gateway. Each entry gives the parameter name, its valid values, and a description:

address-pool-list
  Valid values: comma separated list of address-pool names
  Description: Optional. A list of address pools as defined in Configuring gateway address pools.
  Default: Use all configured

admin-state
  Valid values: up/down
  Description: IKE Server administrative state.
  Note: When you start configuring the gateway, the initial setting for the "admin-state" parameter is "down". This means that the gateway does not allow any IKE tunnels. To enable IKE tunnels, you must change the setting of "admin-state" to "up".

cipher
  Valid values: aes128, aes128gcm128, aes128gcm64, aes128gcm96, aes192, aes192gcm128, aes192gcm64, aes192gcm96, aes256, aes256gcm128, aes256gcm64, aes256gcm96
  Description: Only one cipher setting is selectable at any time. Any of the cipher values will be accepted in an IKE Phase 1 tunnel.

client-dpd
  Valid values: dpd-seconds <uint32>, range 30-6000 (in seconds)
  Description: Optional. Client Dead Peer Detection interval. Controls the length of the interval before the client checks to see if the gateway side of the connection is still active.

dh-group
  Valid values: 5, 14, 15, 16, 17, 18, 19, 20, 21, 24, 25, 26, 27, 28, 29, 30
  Description: The DH group to be accepted in IKE proposals. Only one dh-group setting is selectable at any time.

dpd
  Valid values: <uint32>
  Description: IKE Server Dead Peer Detection interval (in minutes). Controls the length of the interval before the gateway and client check to see if the client side of the connection is still active. This parameter configures Dead Peer Detection for the gateway and client, unless you set the client DPD separately.

fragment-enable
  Valid values: on/off
  Description: Allow or disallow fragmentation of IKE packets by the IKE server (applicable to Main Mode only).
  Default: on

hash
  Valid values: sha2_256, sha2_256_96, sha2_384, sha2_512
  Description: The hash that the IKE server accepts in IKE proposals. Only one hash setting is selectable at any time.

life-secs-max
  Valid values: <uint32>
  Description: Lifetime maximum in seconds for an IPSec SA.
  • 0: no limit
  • Otherwise, the range is 300–604800 sec (5 minutes to 7 days)

security-parameter-set
  Valid values: a string matching a security parameter set's reference name

Setting IKE Phase 1 parameters

Use this template to configure an IKEv2 Phase 1 tunnel:

BASH
% set security ike default parameter_name_1 value_1 parameter_name_2 value_2 parameter_name_n value_n

The following example shows a CLI command for setting the IKEv2 Phase 1 parameters and using the show config command to display the current values for the Phase 1 parameters:

Set example

BASH
% set security ike default admin-state up auth-type psk psk acme dpd 5 dh-group 2

Show example

BASH
> show config
configuration {
  context default {
    security {
      ike {
        fragment-enable off;
        cipher          aes256;
        hash            sha2_256;
        life-secs-max   0;
        life-kbytes-max 0;
        df-bit-policy   clear;
        admin-state     up;
        dpd             5;
        dh-group        2;
      }

Parameters for the IKE/IPSec Phase 2 tunnel

The following table lists the available parameters for configuring the IKEv2/IPSec Phase 2 tunnels for the gateway. Each entry gives the parameter name, its valid values, and a description:

cipher
  Valid values: aes128, aes128gcm128, aes128gcm64, aes128gcm96, aes192, aes192gcm128, aes192gcm64, aes192gcm96, aes256, aes256gcm128, aes256gcm64, aes256gcm96
  Description: The available ciphers for the IPSec Encryption Algorithm. Only one cipher setting is selectable at any time.

hmac
  Valid values: sha2_256, sha2_256_96, sha2_384, sha2_512
  Description: The available hash-based message authentication codes for the IPSec Authentication Algorithm.

life-kbytes-max
  Valid values: <uint32>
  Description: Lifetime maximum in kilobytes for an IPSec Security Association (SA). Possible values:
  • 0: no limit
  • Otherwise, the range is 100–10,000 KB

life-secs-max
  Valid values: <uint32>
  Description: Lifetime maximum in seconds for an IPSec SA.
  • 0: no limit
  • Otherwise, the range is 300–604800 sec (5 minutes to 7 days)

pfs
  Valid values: on/off
  Description: IPSec Quick Mode Perfect Forward Secrecy using the Phase 1 Diffie-Hellman group.

Setting IKE/IPSec Phase 2 parameters

The following commands set the IKEv2/IPSec Phase 2 parameters and display the current values for the Phase 2 parameters:

Set example

BASH
% set security security-parameter-set default cipher aes256 hmac sha2_256 life-kbytes-max 1000 life-secs-max 6000 pfs on

Show example

BASH
% show security
security {
  ike default {
    admin-state            down;
    dpd                    10;
    fragment-enable        on;
    dh-group               14;
    cipher                 aes256;
    hash                   sha2_256;
    life-secs-max          86400;
    security-parameter-set default;
    mode                   proprietary;
  }
  security-parameter-set default {
    cipher          aes256;
    hmac            sha2_256;
    life-kbytes-max 1000;
    life-secs-max   6000;
    pfs             on;
  }
}
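To check a gateway's running IKE settings against the values documented in the Phase 1 and Phase 2 tables above, this added Python example (not Blue Cedar's own tooling) parses the brace-style show security output into a dictionary and reports any setting outside the documented values. The embedded sample is abridged from this page's show example, and the finding texts are the example's own wording.

```python
# Added example (not Blue Cedar tooling): parse the gateway's brace-style
# `show security` output and audit it against the Phase 1/Phase 2 tables.
CIPHERS = {f"aes{k}{m}" for k in (128, 192, 256) for m in ("", "gcm64", "gcm96", "gcm128")}
HASHES = {"sha2_256", "sha2_256_96", "sha2_384", "sha2_512"}
DH_GROUPS = {str(g) for g in (5, 14, 15, 16, 17, 18, 19, 20, 21, 24, 25, 26, 27, 28, 29, 30)}

# Sample input, abridged from this page's show example and written as one
# string to keep the block short; column alignment in real output is tolerated.
SAMPLE = ("security {\n  ike default {\n    admin-state down;\n    dh-group 14;\n"
          "    cipher aes256;\n    hash sha2_256;\n    life-secs-max 86400;\n  }\n"
          "  security-parameter-set default {\n    cipher aes256;\n    hmac sha2_256;\n"
          "    life-kbytes-max 1000;\n    life-secs-max 6000;\n    pfs on;\n  }\n}\n")

def parse_config(text):
    """`key value;` lines become dict entries; `name {` ... `}` blocks nest."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):                      # open a nested block
            stack[-1][line[:-1].strip()] = node = {}
            stack.append(node)
        elif line == "}":                           # close the current block
            stack.pop()
        else:                                       # leaf entry: key value;
            key, _, val = line.rstrip(";").partition(" ")
            stack[-1][key] = val.strip()
    return stack[0]

def audit(cfg):
    """Return findings for settings outside the values documented in the tables."""
    sec = cfg.get("security", {})
    ike = next((v for k, v in sec.items() if k.startswith("ike ")), {})
    sps = next((v for k, v in sec.items() if k.startswith("security-parameter-set ")), {})
    # Lifetime rule from the tables: 0 means no limit, otherwise lo..hi inclusive.
    lifetime_ok = lambda v, lo, hi: v is not None and (int(v) == 0 or lo <= int(v) <= hi)
    out = []
    if ike.get("admin-state") != "up":
        out.append("ike admin-state is not up: the gateway allows no IKE tunnels")
    if ike.get("dh-group") not in DH_GROUPS:
        out.append(f"dh-group {ike.get('dh-group')} is not a documented DH group")
    for label, node, hkey in (("ike", ike, "hash"), ("phase2", sps, "hmac")):
        for key, valid in (("cipher", CIPHERS), (hkey, HASHES)):
            if node.get(key) not in valid:
                out.append(f"{label} {key} {node.get(key)} is not a documented value")
        if not lifetime_ok(node.get("life-secs-max"), 300, 604800):
            out.append(f"{label} life-secs-max must be 0 or 300-604800 seconds")
    if not lifetime_ok(sps.get("life-kbytes-max"), 100, 10000):
        out.append("phase2 life-kbytes-max must be 0 or 100-10000 KB")
    if sps.get("pfs") != "on":
        out.append("phase2 pfs is off: IPsec keys get no fresh DH exchange")
    return out
```

Run audit(parse_config(text)) on a captured show security output to catch, before a tunnel goes live, an admin-state still down or a dh-group outside the documented list (as in the Phase 1 set example above, which uses dh-group 2).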
