The Internet Protocol Security port (IPsec)

Revised for CPX 4.8.0.

Introduction
Terminology
Configuration of the IPsec port
Diagnostics of the IPsec port
Statistics of the IPsec port

Configuration of the IPsec port tables

The Internet Key Exchange port (IKE)

Configuration examples (CPX-to-CPX).
Configuration examples (CPX-to-Win2k/XP).

Introduction

IPsec driver is designed to provide interoperable, high quality, cryptographically-based security for IP.
The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols.

Terminology

VPN. Virtual Private Network, a network which can safely be used as if it were private, even though some of its communication uses insecure connections. All traffic on those connections is encrypted. IPSEC. Internet Protocol Security, security functions authentication and encryption implemented at the IP level of the protocol stack.

AH. The IPsec Authentication Header protocol, added after the IP header and provides authentication service.

ESP. Encapsulated Security Payload, the IPsec protocol which provides encryption. It can also provide authentication service and may be used with null encryption (which we do not recommend).

SA. Security Association, the channel negotiated by the higher levels of an IPsec implementation and used by the lower ESP and AH protocols. SAs are unidirectional; you need a pair of them for two-way communication. An SA is defined by three things: the destination, the protocol (AH or ESP) and the SPI, security parameters index. It is used as an index to look up other things such as session keys and intialisation vectors.

SA bundle. or "security association bundle" is a sequence of SAs through which traffic must be processed to satisfy a security policy.

SPI. Security Parameter Index, an index used within IPsec to keep connections distinct. A Security Association (SA) is defined by destination, protocol and SPI. Without the SPI, two connections to the same gateway using the same protocol could not be distinguished.

Transport mode. An IPsec application in which the IPsec gateway is the destination of the protected packets, a machine acts as its own gateway. Contrast with tunnel mode.

Tunnel mode. An IPsec application in which an IPsec gateway provides protection for packets to and from other systems. Contrast with transport mode.

Configuration of the IPsec port

The IPsec port is referred by the "IPsec" abbreviation and it has all the parameters described in this chapter.

Here is an example of the IPsec port parameters.

[18:18:41] ABILIS_CPX: D P PO:IPsec

PO:920 - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------
IPSEC  ------------------------------------------------------------------------
       LOG:DS         ACT:YES    MODE:IKE     mxps:2048   IN-CHK:YES  TTL:0    
       ECN:FORBIDDEN  DF:CLEAR

To activate changes made on the parameters displayed by low case characters, it is needed to restart the system; on the contrary for activating changes made on upper case parameters it is enough to execute the initialization command INIT PO:.
The changes made on the LOG: parameter are immediately active.

The "Not Saved (SAVE CONF)" message is displayed every time the port configuration is modified but not saved with the SAVE CONF command.

The "Not Refreshed (INIT)" message is displayed every time the port configuration is modified but not refreshed with the INIT PO: command.

Details of the IPsec port parameters

LOG:	Events logging activation and generation of alarm signals
DS	NO, D, S, A, L, T, ALL, +E

Usually this parameter makes possible to activate/deactivate logging functionalities of meaningful events of the port as well as the detection and signalling of alarms in case of critical events.

The following table shows the available options and the related functionalities usable by the parameter:

Option	Meaning
D	Recording of the driver state changes and/or the meaningful events in Debug Log
S	Recording of the driver state changes and/or the meaningful events in the System Log
A	Periodic detection of possible alarms. The detected alarms can be displayed the command ALARM VIEW or by the analogous command available on the UTILITY of the LCD display on the front panel
L	On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on activation of alarms detection by the "A" option
T	Generation by the Agent SNMP of Abilis CPX of SNMP traps corresponding to any change of the driver state and/or occurring of meaningful events

Beside the already described options the following values are also allowed:

Option	Meaning
NO	It means that all the logging functionalities, alarms detection and generation, above mentioned, are disabled.
ALL	It means that all the logging functionalities, alarms detection and generation, above mentioned, are enabled.
+E	This option added to one or more of the previous ones, extends its (their) set of meaningful events. The value "ALL+E" activates all the options and extends the set of meaningful events. The value "NO+E" is meaningless so it is ignored.

Options can be combined together.

Some examples:

setting "LOG:DS+E", activates the extended logging functions for Events Log and System Log
setting "LOG:STA", activates the extended logging functions for System Log, SNMP traps generation and periodic detection of alarm states;

By using the characters "+" and "-" as prefix of one or more options is possible to add or delete one or more functionalities without setting from the scratch the value of the parameters.

Some examples:

Suppose the current value of the parameter is "LOG:DSTA", by setting "LOG:-A", the periodic detection of eventual alarm states is removed, leaving unchanged all the remaining options; in such way the final value of the parameter will be "LOG:DST";
Suppose the current value of the parameter is "LOG:ST", by setting "LOG:+DA", the logging function of the events on the Events Log and the periodic alarm detection are added to the already activated options; in such way the final value of the parameter will be "LOG:DSTA".

The changes made on this parameter are immediately activated, without the need of initialization commands.

ACT:	Runtime activation/deactivation of IPsec
NO	NO, YES

This parameter allows to run-time activate/deactive IPsec functionalities.

When it is set to "YES", the port is configured, active, and the IPsec driver performs its activities.

When it is set to "NO", the port is configured, active, but the IPsec driver does not execute any action.

MODE:	Working mode of IPsec
MANUAL	MANUAL, IKE

It specifies working mode of IPsec port.

When it is set to "MANUAL", the IPsec port is in manual mode and manipulates manually-keyed IPsec connections.

When it is set to "IKE", the IPsec port is in automatic IKE mode and manipulates automatically-keyed IPsec connections.
For IKE mode IKE driver must be configured and activated.

mxps:	Maximum length of IP datagram which can be processed by IPsec
2048	2048-4096

It specifies maximum length of IP datagram which can be processed by IPsec driver port.

This value cannot be changed without CPX restart.

IN-CHK:	Runtime activation/deactivation of IPsec inbound policy check
YES	NO, YES

Specifies inbound policy check flag of IPsec port.

When it is set to "YES", inbound policy check is ON.

When it is set to "NO", inbound policy check is OFF.

TTL:	IPsec IP Time-To-Live option
0	0, 1-255

Specifies the Time-To-Live field for the outer IP header in IPsec TUNNEL mode.

If value is not specified (equal to 0), TTL field will be copied from the inner IP header to the outer (tunnel) one.

If value is specified, TTL field of the outer IP header will be set to the specified value from the config.

ECN:	IPsec ECN consideration mode
FORBIDDEN	ALLOWED, FORBIDDEN, NOCARE

Specifies ECN consideration mode on IPsec tunnels in TUNNEL mode.

ALLOWED: draft-ietf-ipsec-ecn-02.txt - ECN-friendly IPSEC tunnel.

Encapsulate. Copy TOS bits except for ECN CE from inner to outer IP header. Set ECN CE bit to 0.
Decapsulate. Use inner TOS bits with some change. If outer ECN CE bit is 1, enable ECN CE bit on the inner IP header.

FORBIDDEN: draft-ietf-ipsec-ecn-02.txt - ECN-friendly IPSEC tunnel.

Encapsulate. Copy TOS bits except for ECN from inner to outer IP header. Set ECN bits to 0.
Decapsulate. Drop TOS bits on outer IP header. Use inner TOS bits as is.

NOCARE: RFC2401 - normal IPsec tunnel. No consideration for ECN.

Encapsulate. Copy all TOS bits from inner to outer IP header.
Decapsulate. Drop TOS bits on outer IP header. Use inner TOS bits as is.

General strategy for configuration is as follows:

if both IPsec tunnel endpoint are capable of ECN-friendly behavior, you'd better configure both end to "ECN allowed".
if the other end is very strict about TOS bit, use "RFC2401".
in other cases, use "ECN forbidden"

DF:	IPsec DF (Don't Fragment) bit manipulation mode
CLEAR	CLEAR, SET, COPY

Specifies DF (Don't Fragment) bit manipulation in IPsec TUNNEL mode during encapsulation.

CLEAR: Clear DF bit on outer IP header.

SET: Set DF bit on outer IP header.

COPY: Copy DF bit from inner to outer IP header.

Diagnostics of the IPsec port

Example on how to show state and diagnostics of the IPsec through the command D S:

[15:00:45] ABILIS_CPX:D S PO:IPsec

PO:920 ------------------------------------------------------------------------
IPSEC  STATE:ACTIVE         MODE:IKE         IN-CHK:YES
       POLICY-IN :1         SA-IN :1         SA-BND-IN :1
       POLICY-OUT:1         SA-OUT:1         SA-BND-OUT:1
       - Security Associations diagnostics: -----------------------------------
       SA  Bundle State   SPI      SrcIp           Auth     SoftTime
           Prot   Tunnel           DstIp           Cipher   HardTime
       ------------------------------------------------------------------------
       0   0      MATURE  C4DCB36E 192.168.006.002 MD5      INFINITE
           ESP    YES              192.168.006.001 3DES     INFINITE
       ------------------------------------------------------------------------
       1   1      MATURE  1969FC22 192.168.006.001 MD5      INFINITE
           ESP    YES              192.168.006.002 3DES     INFINITE
       ------------------------------------------------------------------------

Detailes of the IPsec port diagnostics

STATE:	Current state of the IPsec port.
	INACTIVE, ACTIVE

It shows the current state of the IPsec port driver.

Driver	States	Description	Values shown in:
Driver	States	Description	System Log	Events Log	Display LCD
IPsec	INACTIVE	IPsec port is running, but the ACT: parameter is set to "NO".			dn
IPsec	ACTIVE	IPsec port is fully ready to work.			RD

MODE:	Working mode of the IPsec port.
	MANUAL, IKE

It shows the current working mode of the IPsec port driver.

MANUAL: The IPsec port is in manual mode.
IKE: The IPsec port is in IKE mode. It is controlled by IKE driver.

IN-CHK:	IPsec port inbound policy check flag.
	NO, YES

It shows state of the IPsec port inbound policy check flag.

POLICY-IN:	Number of inbound security policies.
	0-63

It shows number of installed inbound (IN) security policies in the policy table.

POLICY-OUT:	Number of outbound security policies.
	0-63

It shows number of installed outbound (OUT) security policies in the policy table.

SA-IN:	Number of inbound Security Associations.
	0-127

It shows number of installed inbound (IN) Security Associations in the SA table.

SA-OUT:	Number of outbound Security Associations.
	0-127

It shows number of installed outbound (OUT) Security Associations in the SA table.

SA-BND-IN:	Number of inbound Security Association bundles.
	0-127

It shows number of installed inbound (IN) Security Association bundles in the SA table.

SA-BND-OUT:	Number of outbound Security Association bundles.
	0-127

It shows number of installed outbound (OUT) Security Association bundles in the SA table.

Detailes of the IPsec Security Associations diagnostics

SA:	Identifier of Security Association record.
	0-127

It shows identifier of Security Association record Security Association bundles in the SA table.

Bundle:	Number of bundle of Security Association record.
	0-127

It shows number of bundle of Security Association record.

State:	State of Security Association record.
	LARVAL, MATURE, DYING, DEAD

It shows state of Security Association record.

LARVAL: Security Association is one that was created by IKE, but is not working yet. Displayed in IKE mode only.
MATURE: Security Association is in working mode. In MANUAL mode Security Association always is in this state.
DYING: Security Association is one whose soft lifetime has expired. Displayed in IKE mode only.
DEAD: Security Association is one whose hard lifetime has expired, but hasn't been reaped by system garbage collection. Incoming and outgoing IP packets will be dropped. Displayed in IKE mode only.

SPI:	Security Parameter Index (SPI) of Security Association.
	0x100-0xFFFFFFFF

It shows Security Parameter Index (SPI) of Security Association.