Wikipedia says, "Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session."
On the 7705 SAR-8, IPsec is supported in a VPRN service when the 8-port Gigabit Ethernet Adapter card, version 3, is installed. Running IPsec on a Nokia router needs two service instances (VPRN-VPRN or VPRN-IES): one service for the public network (sometimes called the untrusted zone) and the other for the private network (sometimes called the trusted zone).
Nokia 7705 SAR-8 eth8-V3 MDA card
A special case: the Nokia 7705 SAR currently supports only VPRN-IES, with the VPRN for the private (trusted) network and the IES for the public (untrusted) network. The architecture on the Nokia 7705 SAR-8 is shown below:
1. Overview
IPsec on the Nokia 7705 SAR-8 supports IKEv2, authentication using a pre-shared key (PSK), perfect forward secrecy (PFS), Encapsulating Security Payload (ESP) in tunnel mode, DH groups 1/2/5/14/15, and the following algorithms per phase:
- Phase 1: IPSec IKE policy (NULL is not supported):
- authentication algorithm: MD5/SHA1/SHA256/SHA384/SHA512
- encryption algorithm: DES/3DES/AES128/AES192/AES256
- Phase 2: IPSec transform (NULL cannot be used for authentication and encryption at the same time):
- authentication algorithm: NULL/MD5/SHA1/SHA256/SHA384/SHA512
- encryption algorithm: NULL/DES/3DES/AES128/AES192/AES256
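These constraints are easy to get wrong when many tunnels are built by script. The following Python checker is an added example, not code from the original post or from Nokia: it encodes the phase 1 and phase 2 rules just listed and additionally flags the weaker options (MD5, SHA1, DES, 3DES, DH groups 1/2/5) as hardening warnings, which is my recommendation, not a platform restriction.

```python
"""Checker for the 7705 SAR IKE-policy (phase 1) and IPsec-transform (phase 2)
rules listed above. Added example, not Nokia code. The 'weak' warnings are a
hardening recommendation, not a platform restriction."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PHASE1_AUTH = {"md5", "sha1", "sha256", "sha384", "sha512"}   # NULL not supported
PHASE1_ENC = {"des", "3des", "aes128", "aes192", "aes256"}
PHASE2_AUTH = PHASE1_AUTH | {"null"}                          # NULL allowed, but
PHASE2_ENC = PHASE1_ENC | {"null"}                            # not for both at once
DH_GROUPS = {1, 2, 5, 14, 15}
WEAK_ALGS = {"md5", "sha1", "des", "3des"}   # deprecated; recommendation only
WEAK_DH = {1, 2, 5}                          # 768/1024/1536-bit MODP groups

@dataclass
class IkePolicy:                 # configure ipsec ike-policy <id>
    auth_algorithm: str
    encryption_algorithm: str
    dh_group: int
    pfs_dh_group: Optional[int] = None   # None = no PFS configured

@dataclass
class IpsecTransform:            # configure ipsec ipsec-transform <id>
    esp_auth_algorithm: str
    esp_encryption_algorithm: str

def check_ike_policy(p: IkePolicy) -> tuple[list[str], list[str]]:
    """Return (errors, warnings); an error means a value outside the supported set."""
    errors, warnings = [], []
    auth, enc = p.auth_algorithm.lower(), p.encryption_algorithm.lower()
    if auth not in PHASE1_AUTH:
        errors.append(f"phase 1 auth-algorithm '{auth}' not supported")
    if enc not in PHASE1_ENC:
        errors.append(f"phase 1 encryption-algorithm '{enc}' not supported")
    for label, group in (("dh-group", p.dh_group), ("pfs dh-group", p.pfs_dh_group)):
        if group is None:
            continue
        if group not in DH_GROUPS:
            errors.append(f"{label} {group} not supported; use one of {sorted(DH_GROUPS)}")
        elif group in WEAK_DH:
            warnings.append(f"{label} {group} uses a small modulus; prefer 14 or 15")
    warnings += [f"'{a}' is deprecated; prefer SHA-2 and AES" for a in (auth, enc) if a in WEAK_ALGS]
    return errors, warnings

def check_transform(t: IpsecTransform) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a phase 2 transform."""
    errors, warnings = [], []
    auth, enc = t.esp_auth_algorithm.lower(), t.esp_encryption_algorithm.lower()
    if auth not in PHASE2_AUTH:
        errors.append(f"phase 2 esp-auth-algorithm '{auth}' not supported")
    if enc not in PHASE2_ENC:
        errors.append(f"phase 2 esp-encryption-algorithm '{enc}' not supported")
    if auth == "null" and enc == "null":
        errors.append("NULL authentication and NULL encryption cannot be combined")
    elif enc == "null":
        warnings.append("ESP with NULL encryption gives integrity only, no confidentiality")
    warnings += [f"'{a}' is deprecated; prefer SHA-2 and AES" for a in (auth, enc) if a in WEAK_ALGS]
    return errors, warnings

if __name__ == "__main__":
    # The ike-policy 3 and ipsec-transform 3 configured in section 2.3 below.
    print(check_ike_policy(IkePolicy("sha384", "aes192", dh_group=14, pfs_dh_group=5)))
    print(check_transform(IpsecTransform("sha512", "aes256")))
```

Run against the lab policy it reports no errors but one warning, because PFS was configured with DH group 5 while IKE itself uses group 14.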
To create an IPsec service on a Nokia router we first need the term tunnel group: a tunnel group is a collection of IPsec tunnels. The 7705 SAR supports one tunnel group, which always uses tunnel-group ID 1.
The Nokia 7705 separates the two networks by service (VPRN for private and IES for public). A tunnel SAP and a tunnel interface are needed; they connect the public network to the private network and are also the demarcation point between encrypted traffic and decrypted traffic.
There are two types of tunnel interfaces and associated SAPs:
- Public tunnel interface: configured in the public IES service; outgoing tunnel packets have a source IP address (local gateway address) in this subnet
- Public tunnel SAP: associated with the public tunnel interface
- Private tunnel interface: configured in the private VPRN service
- Private tunnel SAP: associated with the private tunnel interface, logically linked to the public tunnel SAP
2. Configuration
2.1 Topology
Testing in the lab used the topology below:
2.2 IPSec Parameters
I divide this part into two pieces: first the interface and service parameters, and second the global IPsec parameters.
2.2.1. Interface and Service Parameters
2.2.2. IPsec Parameters between Server and Branch (Site-to-Site)
2.3 How to Configure
Here we only cover the SAR-8 configuration. Note: the IPsec feature will not run unless the a8-eth-v3 MDA and the CSMv2 are installed.
- Configuring tunnel group:
A:LAB-7705-SAR8# configure isa tunnel-group 1 create
A:LAB-7705-SAR8>config>isa>tunnel-grp# description "IPSec-Test-ON-SAR8"
A:LAB-7705-SAR8>config>isa>tunnel-grp# no shutdown
A:LAB-7705-SAR8>config>isa>tunnel-grp# back
A:LAB-7705-SAR8>config>isa# info
----------------------------------------------
        tunnel-group 1 create
            description "IPSec-Test-ON-SAR8"
            no shutdown
        exit
----------------------------------------------
A:LAB-7705-SAR8>config>isa#
- Phase 1 Configuration
A:LAB-7705-SAR8>config>ipsec# ike-policy 3 create
A:LAB-7705-SAR8>config>ipsec>ike-policy# own-auth-method psk
A:LAB-7705-SAR8>config>ipsec>ike-policy# dh-group 14
A:LAB-7705-SAR8>config>ipsec>ike-policy# ipsec-lifetime 48000
A:LAB-7705-SAR8>config>ipsec>ike-policy# isakmp-lifetime 60000
A:LAB-7705-SAR8>config>ipsec>ike-policy# pfs dh-group 5
A:LAB-7705-SAR8>config>ipsec>ike-policy# auth-algorithm sha384
A:LAB-7705-SAR8>config>ipsec>ike-policy# encryption-algorithm aes192
A:LAB-7705-SAR8>config>ipsec>ike-policy# dpd interval 10
A:LAB-7705-SAR8>config>ipsec>ike-policy# exit
- Phase 2 Configuration
*A:LAB-7705-SAR8>config>ipsec# ipsec-transform 3 create
*A:LAB-7705-SAR8>config>ipsec>transform# esp-auth-algorithm sha512
*A:LAB-7705-SAR8>config>ipsec>transform# esp-encryption-algorithm aes256
*A:LAB-7705-SAR8>config>ipsec>transform# exit
*A:LAB-7705-SAR8>config>ipsec#
- Configuring the network interface to the Internet:
*A:LAB-7705-SAR8>config>router# interface "Internet-Network"
*A:LAB-7705-SAR8>config>router>if# port 1/6/7
*A:LAB-7705-SAR8>config>router>if# address 10.10.20.1/30
*A:LAB-7705-SAR8>config>router>if# exit all
*A:LAB-7705-SAR8#
- Configuring the IES for the public interface:
*A:LAB-7705-SAR8# configure service ies 3291 customer 1 create
*A:LAB-7705-SAR8>config>service>ies# interface "Branch-Pub-Net" create
*A:LAB-7705-SAR8>config>service>ies>if# address 10.10.26.2/30
*A:LAB-7705-SAR8>config>service>ies>if# sap tunnel-1.public:3290 create
*A:LAB-7705-SAR8>config>service>ies>if>sap# exit
*A:LAB-7705-SAR8>config>service>ies>if# exit
*A:LAB-7705-SAR8>config>service>ies# no shutdown
*A:LAB-7705-SAR8>config>service>ies# service-name "Branch-Public-IPSec"
- Configuring the VPRN for the private interface:
a. Basic VPRN configuration
*A:LAB-7705-SAR8# configure service vprn 3290 customer 1 create
*A:LAB-7705-SAR8>config>service>vprn# route-distinguisher 192.168.200.4:3290
*A:LAB-7705-SAR8>config>service>vprn# service-name "SAR-8_IPSec_Private_Net"
b. Create the traffic selection in the IPsec security policy
*A:LAB-7705-SAR8>config>service>vprn>ipsec# security-policy 1 create
*A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy# entry 10 create
*A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy>entry# local-ip 192.168.25.0/24
*A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy>entry# remote-ip 192.168.20.0/24
*A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy>entry# exit
*A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy# exit
*A:LAB-7705-SAR8>config>service>vprn>ipsec# exit
c. Create the IPsec tunnel under the VPRN interface for the private network
*A:LAB-7705-SAR8>config>service>vprn# interface "Private-Network" tunnel create
*A:LAB-7705-SAR8>config>service>vprn>if# sap tunnel-1.private:3290 create
*A:LAB-7705-SAR8>config>service>vprn>if>sap# ipsec-tunnel "Branch-Network" create
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# security-policy 1
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# local-gateway-address 10.10.26.1 peer 10.10.24.1 delivery-service 3291
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# dynamic-keying
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# ike-policy 3
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# pre-shared-key "3KiT4b0l3eAT"
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# transform 3
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# exit
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# no shutdown
*A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# exit
*A:LAB-7705-SAR8>config>service>vprn>if>sap# exit
*A:LAB-7705-SAR8>config>service>vprn>if# exit
d. Add a static route to the remote private network, bound to the IPsec tunnel
*A:LAB-7705-SAR8>config>service>vprn# static-route 192.168.20.0/24 ipsec-tunnel "Branch-Network"
- Create a loopback interface (used for the connectivity test):
*A:LAB-7705-SAR8>config>service>vprn# interface "CPE-Private-Test" create
*A:LAB-7705-SAR8>config>service>vprn>if# address 192.168.25.1/32
*A:LAB-7705-SAR8>config>service>vprn>if# loopback
*A:LAB-7705-SAR8>config>service>vprn>if# exit
- Save the configuration:
*A:LAB-7705-SAR8# /admin save
3. IPSec Functionality Testing
3.1 Verification of the Public Network
A:LAB-7705-SAR8# /show router interface
===============================================================================
Interface Table (Router: Base)
===============================================================================
Interface-Name Adm Opr(v4/v6) Mode Port/SapId
IP-Address PfxState
-------------------------------------------------------------------------------
Branch-Pub-Net Up Up/Down IES tunnel-1.publ*
10.10.26.2/30 n/a
Internet-Network Up Up/Down Network 1/6/7
10.10.20.1/30 n/a
system Up Up/Down Network system
192.168.200.4/32 n/a
-------------------------------------------------------------------------------
Interfaces : 5
===============================================================================
* indicates that the corresponding row element may have been truncated.
A:LAB-7705-SAR8#
A:LAB-7705-SAR8# /show router static-route
===============================================================================
Static Route Table (Router: Base) Family: IPv4
===============================================================================
Prefix Tag Met Pref Type Act
Next Hop Interface
-------------------------------------------------------------------------------
10.10.24.0/30 0 1 5 NH Y
10.10.20.2 Internet-Network
-------------------------------------------------------------------------------
No. of Static Routes: 1
===============================================================================
A:LAB-7705-SAR8#
3.2 Verification of the Private Network
A:LAB-7705-SAR8# show router 3290 interface
===============================================================================
Interface Table (Service: 3290)
===============================================================================
Interface-Name Adm Opr(v4/v6) Mode Port/SapId
IP-Address PfxState
-------------------------------------------------------------------------------
CPE-Private-Test Up Up/Down VPRN loopback
192.168.25.1/32 n/a
Private-Network Up Up/-- VPRN I* tunnel-1.priv*
- -
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
A:LAB-7705-SAR8#
3.3 Verification of the IPsec Parameters
A:LAB-7705-SAR8# show ipsec ike-policy 3
===============================================================================
IPsec IKE policy Configuration Detail
===============================================================================
Policy Id : 3 IKE Mode : main
DH Group : Group14 Auth Method : psk
PFS : True PFS DH Group : Group5
Auth Algorithm : Sha384 Encr Algorithm : Aes192
ISAKMP Lifetime : 60000 IPsec Lifetime : 48000
NAT Traversal : Disabled
NAT-T Keep Alive : 0 Behind NAT Only : True
DPD : Enabled
DPD Interval : 10 DPD Max Retries : 3
Description : (Not Specified)
IKE Version : 2 Own Auth Method : psk
===============================================================================
A:LAB-7705-SAR8# show ipsec transform 3
================================================================
IPsec Transforms
================================================================
TransformId EspAuthAlgorithm EspEncryptionAlgorithm
----------------------------------------------------------------
3 Sha512 Aes256
----------------------------------------------------------------
No. of IPsec Transforms: 1
================================================================
A:LAB-7705-SAR8#
3.4 Test Gateway Reachability
A:LAB-7705-SAR8# ping 10.10.24.1 source 10.10.26.2
PING 10.10.24.1 56 data bytes
64 bytes from 10.10.24.1: icmp_seq=1 ttl=62 time=12.6ms.
64 bytes from 10.10.24.1: icmp_seq=2 ttl=62 time=14.1ms.
64 bytes from 10.10.24.1: icmp_seq=3 ttl=62 time=14.2ms.
64 bytes from 10.10.24.1: icmp_seq=4 ttl=62 time=13.9ms.
64 bytes from 10.10.24.1: icmp_seq=5 ttl=62 time=14.1ms.
---- 10.10.24.1 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 12.6ms, avg = 13.8ms, max = 14.2ms, stddev = 0.597ms
A:LAB-7705-SAR8#
3.5 Verification of the IPsec Tunnel (Before Traffic Flows)
Note: the tunnel only comes up when traffic wants to use it. It seems the tunnel is triggered by traffic that matches the security policy (Auto Establish is disabled in the output below).
*A:LAB-7705-SAR8# show ipsec tunnel
==============================================================================
IPsec Tunnels
==============================================================================
TunnelName LocalAddress SvcId Admn Keying
SapId RemoteAddress DlvrySvcId Oper Sec
Plcy
------------------------------------------------------------------------------
Branch-Network 10.10.26.1 3290 Up Dynamic
tunnel-1.private:3290 10.10.24.1 3291 Down 1
------------------------------------------------------------------------------
IPsec Tunnels: 1
==============================================================================
A:LAB-7705-SAR8# show ipsec tunnel Branch-Network
===============================================================================
IPsec Tunnel Configuration Detail
===============================================================================
Service Id : 3290 Sap Id : tunnel-1.private:3290
Tunnel Name : Branch-Network
Description : None
Local Address : 10.10.26.1 Remote Address : 10.10.24.1
Delivery Service : 3291 Security Policy : 1
Admin State : Up Oper State : Down
Keying Type : Dynamic Replay Window : None
Clear DF Bit : false IP MTU : max
Copy DF Bit : false
Oper Flags : None
-------------------------------------------------------------------------------
BFD Interface
-------------------------------------------------------------------------------
BFD Designate : no
-------------------------------------------------------------------------------
Dynamic Keying Parameters
-------------------------------------------------------------------------------
Transform Id1 : 3 Transform Id2 : None
Transform Id3 : None Transform Id4 : None
Ike Policy Id : 3 Auto Establish : disabled
PreShared Key:3KiT4b0l3eAT
Isakmp State : Down
ISAKMP Statistics
--------------------
Tx Packets : 0 Rx Packets : 0
Tx Errors : 0 Rx Errors : 0
Tx DPD : 0 Rx DPD : 0
Tx DPD ACK : 0 Rx DPD ACK : 0
DPD Timeouts : 0 Rx DPD Errors : 0
===============================================================================
===============================================================================
A:LAB-7705-SAR8#
3.6 Test Ping through the Tunnel
A:LAB-7705-SAR8# ping router 3290 192.168.20.1 source 192.168.25.1
PING 192.168.20.1 56 data bytes
64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=0.880ms.
64 bytes from 192.168.20.1: icmp_seq=2 ttl=64 time=0.924ms.
64 bytes from 192.168.20.1: icmp_seq=3 ttl=64 time=0.947ms.
64 bytes from 192.168.20.1: icmp_seq=4 ttl=64 time=0.928ms.
64 bytes from 192.168.20.1: icmp_seq=5 ttl=64 time=0.963ms.
---- 192.168.20.1 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 0.880ms, avg = 0.928ms, max = 0.963ms, stddev = 0.033ms
A:LAB-7705-SAR8#
3.7 Tunnel Status After Ping
A:LAB-7705-SAR8# show ipsec tunnel
==============================================================================
IPsec Tunnels
==============================================================================
TunnelName LocalAddress SvcId Admn Keying
SapId RemoteAddress DlvrySvcId Oper Sec
Plcy
------------------------------------------------------------------------------
Branch-Network 10.10.26.1 3290 Up Dynamic
tunnel-1.private:3290 10.10.24.1 3291 Up 1
------------------------------------------------------------------------------
IPsec Tunnels: 1
==============================================================================
A:LAB-7705-SAR8# show ipsec tunnel Branch-Network
===============================================================================
IPsec Tunnel Configuration Detail
===============================================================================
Service Id : 3290 Sap Id : tunnel-1.private:3290
Tunnel Name : Branch-Network
Description : None
Local Address : 10.10.26.1 Remote Address : 10.10.24.1
Delivery Service : 3291 Security Policy : 1
Admin State : Up Oper State : Up
Keying Type : Dynamic Replay Window : None
Clear DF Bit : false IP MTU : max
Copy DF Bit : false
Oper Flags : None
-------------------------------------------------------------------------------
BFD Interface
-------------------------------------------------------------------------------
BFD Designate : no
-------------------------------------------------------------------------------
Dynamic Keying Parameters
-------------------------------------------------------------------------------
Transform Id1 : 3 Transform Id2 : None
Transform Id3 : None Transform Id4 : None
Ike Policy Id : 3 Auto Establish : disabled
PreShared Key:3KiT4b0l3eAT
-------------------------------------------------------------------------------
ISAKMP-SA
-------------------------------------------------------------------------------
State : Up
Established : 01/02/2000 02:30:59 Lifetime : 60000
Expires : 01/02/2000 19:10:56
ISAKMP Statistics
--------------------
Tx Packets : 7 Rx Packets : 7
Tx Errors : 0 Rx Errors : 0
Tx DPD : 5 Rx DPD : 0
Tx DPD ACK : 0 Rx DPD ACK : 5
DPD Timeouts : 0 Rx DPD Errors : 0
-------------------------------------------------------------------------------
IPsec-SA : 10, Inbound (index 1)
-------------------------------------------------------------------------------
Type : Dynamic
SPI : 45838
Auth Algorithm : Sha512 Encr Algorithm : Aes256
Installed : 01/02/2000 02:30:59 Lifetime : 48000
Aggregate Statistics
--------------------
Bytes Processed : 1512 Packets Processed: 18
Crypto Errors : 0 Replay Errors : 0
SA Errors : 0 Policy Errors : 0
-------------------------------------------------------------------------------
IPsec-SA : 10, Outbound (index 1)
-------------------------------------------------------------------------------
Type : Dynamic
SPI : 176812
Auth Algorithm : Sha512 Encr Algorithm : Aes256
Installed : 01/02/2000 02:30:59 Lifetime : 48000
Aggregate Statistics
--------------------
Bytes Processed : 1512 Packets Processed: 18
Crypto Errors : 0 Replay Errors : 0
SA Errors : 0 Policy Errors : 0
===============================================================================
===============================================================================
A:LAB-7705-SAR8#
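To make the checks in sections 3.5 and 3.7 repeatable, here is an added Python example (not part of the original post or of Nokia's software) that parses the "show ipsec tunnel <name>" detail output in the format shown above, confirms the Oper State, the peer and the negotiated SA algorithms against what was configured, and redacts the pre-shared key, which this output prints in clear text, before anything is logged.

```python
"""Parse the 'show ipsec tunnel <name>' detail output shown above and check it
against the configured transform and peer. Added example, not Nokia code.
The detail block prints the pre-shared key in clear text, so it is redacted
at parse time before anything is logged or stored."""
import re

# Several "Key : Value" pairs can share a line; values contain no spaces but
# may contain ':' (e.g. tunnel-1.private:3290), so a value is a non-space run.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(\S+)")

# Excerpt of the section 3.7 output (constructed from the lines shown above).
SAMPLE = """\
Service Id : 3290 Sap Id : tunnel-1.private:3290
Tunnel Name : Branch-Network
Local Address : 10.10.26.1 Remote Address : 10.10.24.1
Admin State : Up Oper State : Up
Transform Id1 : 3 Transform Id2 : None
PreShared Key:3KiT4b0l3eAT
-------------------------------------------------------------------------------
IPsec-SA : 10, Inbound (index 1)
SPI : 45838
Auth Algorithm : Sha512 Encr Algorithm : Aes256
-------------------------------------------------------------------------------
IPsec-SA : 10, Outbound (index 1)
SPI : 176812
Auth Algorithm : Sha512 Encr Algorithm : Aes256
"""

def parse_detail(text):
    """Return an ordered list of (key, value); keys repeat across SA sections."""
    pairs = []
    for line in text.splitlines():
        if set(line.strip()) <= {"=", "-"}:        # separator rules and blank lines
            continue
        for key, value in PAIR.findall(line):
            if key.strip() == "PreShared Key":     # never keep the PSK in logs
                value = "<redacted>"
            pairs.append((key.strip(), value))
    return pairs

def values(pairs, key):
    return [v for k, v in pairs if k == key]

def verify_tunnel(text, expect_auth, expect_enc, expect_peer):
    """Return a list of problems; an empty list means the tunnel matches expectations."""
    pairs = parse_detail(text)
    problems = []
    if values(pairs, "Oper State") != ["Up"]:
        problems.append("tunnel Oper State is not Up")
    if values(pairs, "Remote Address") != [expect_peer]:
        problems.append("Remote Address differs from the configured peer")
    auth, enc = values(pairs, "Auth Algorithm"), values(pairs, "Encr Algorithm")
    # One inbound and one outbound IPsec-SA are expected, both on the transform.
    if len(auth) < 2 or any(a.lower() != expect_auth for a in auth):
        problems.append(f"IPsec-SA auth {auth} does not match transform '{expect_auth}'")
    if len(enc) < 2 or any(e.lower() != expect_enc for e in enc):
        problems.append(f"IPsec-SA encryption {enc} does not match transform '{expect_enc}'")
    return problems
```

With the output from section 3.5 (Oper State Down, no IPsec-SA sections) the same function returns problems for the state and for the missing SAs, which is the expected result before traffic has triggered the tunnel.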