VPP/IPSec and IKEv2

From fd.io
Revision as of 07:07, 1 August 2016 by Matfabia (Talk | contribs)


This page describes the support in the VPP platform for IPSec and IKEv2.

IPSec

Features

This implementation of support for IPSec in the VPP engine includes the following features:

  • ESP - Encapsulating Security Payload protocol
  • Tunnel mode - encapsulates the entire IP packet
  • Transport mode - encapsulates only the IP payload
  • IPv4 and IPv6

Supported cryptographic algorithms for authentication:

  • sha1
  • sha-256-96
  • sha-256-128
  • sha-384-192
  • sha-512-256

Supported cryptographic algorithms for encryption:

  • aes-cbc-128
  • aes-cbc-192
  • aes-cbc-256

Configuration

SPD creation

The following example command shows the configuration sequence to create a Security Policy Database (SPD):

CLI commands

ipsec spd add 1

VAT commands

ipsec_spd_add_del spd_id 1

Enable SPD on an interface

The following example command shows the configuration sequence to enable SPD on an interface:

CLI commands

set interface ipsec spd GigabitEthernet0/6/0 1

VAT commands

ipsec_interface_add_del_spd GigabitEthernet0/5/0 spd_id 1

SA creation

The following example command shows the configuration sequence to create a Security Association (SA) for Tunnel mode:

CLI commands

ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.100.3 tunnel-dst 192.168.100.2

VAT commands

ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 tunnel_src 192.168.100.3 tunnel_dst 192.168.100.2

The following example command shows the configuration sequence to create an SA for Transport mode:

CLI commands

ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96

VAT commands

ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58

SPD entry creation

Parameters:

  • spd <id> - SPD identifier
  • priority - policy order in SPD, signed integer
  • inbound|outbound - policy is for inbound or outbound traffic
  • action bypass|discard|protect - policy action; the protect action needs the additional parameter "sa <id>"

Traffic selectors (optional parameters):

  • local-ip-range <start_ip_addr> - <end_ip_addr>
  • remote-ip-range <start_ip_addr> - <end_ip_addr>
  • protocol <n>
  • local-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
  • remote-port-range <start_port> - <end_port> (only for TCP/UDP protocol)

The following example commands show the configuration sequence to create an SPD entry:

CLI commands

ipsec policy add spd 1 inbound priority 10 action protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 remote-ip-range 192.168.3.3 - 192.168.3.3

VAT commands

ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protect sa_id 20 laddr_start 192.168.4.4 laddr_stop 192.168.4.4 raddr_start 192.168.3.3 raddr_stop 192.168.3.3
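The fragments above each show one step; the following script is an added example, not code from the fd.io wiki or the VPP project, that assembles them into a complete bidirectional tunnel-mode configuration for one VPP box and checks the key material before emitting it. It assumes (these choices are not on the page) that the outbound SA is id 10 / SPI 1001, the inbound SA is id 20 / SPI 1000 with the tunnel endpoints swapped, that separate keys are used per direction, and that bypass policies for IP protocol 50 (ESP) are added at a lower priority so ESP packets reach the SPD lookup. The key-length table follows the AES key sizes and the RFC 2404/4868 HMAC key sizes for the algorithms listed under Features; the `sha1-96` name is taken from the SA example above.

```sh
#!/bin/sh
# Added example (not from the fd.io wiki): build a full tunnel-mode IPsec
# configuration for one VPP node from the CLI commands documented on the page.
# SA ids/SPIs, the protocol-50 bypass policies and the per-direction keys are
# assumptions for illustration; adjust them to your topology.

# key_hex_len <alg>: expected key length in hex characters for each algorithm
# named on the page (AES-CBC 128/192/256 bits; HMAC key = hash output size).
key_hex_len() {
    case "$1" in
        aes-cbc-128) echo 32 ;;
        aes-cbc-192) echo 48 ;;
        aes-cbc-256) echo 64 ;;
        sha1-96)     echo 40 ;;
        sha-256-96|sha-256-128) echo 64 ;;
        sha-384-192) echo 96 ;;
        sha-512-256) echo 128 ;;
        *) echo 0 ;;
    esac
}

# check_key <alg> <hexkey>: succeeds only when the key is hex of exactly the
# length the algorithm expects (VPP takes keys as hex strings on the CLI).
check_key() {
    want=$(key_hex_len "$1")
    [ "$want" -gt 0 ] || return 1
    printf '%s' "$2" | grep -Eq "^[0-9a-fA-F]{$want}$"
}

# new_key <alg>: fresh random key of the right size (requires openssl).
new_key() {
    openssl rand -hex $(( $(key_hex_len "$1") / 2 ))
}

# gen_ipsec_config <iface> <local_tunnel_ip> <remote_tunnel_ip> <local_host> \
#                  <remote_host> <out_crypto_key> <out_integ_key> \
#                  <in_crypto_key> <in_integ_key>
# Prints the vppctl command sequence; local-ip-range is this node's side in
# both directions, as in the SPD entry example on the page.
gen_ipsec_config() {
    [ $# -eq 9 ] || { echo "usage: gen_ipsec_config needs 9 arguments" >&2; return 1; }
    iface=$1; ltun=$2; rtun=$3; lhost=$4; rhost=$5
    ockey=$6; oikey=$7; ickey=$8; iikey=$9
    for k in "$ockey" "$ickey"; do
        check_key aes-cbc-128 "$k" || { echo "bad aes-cbc-128 key" >&2; return 1; }
    done
    for k in "$oikey" "$iikey"; do
        check_key sha1-96 "$k" || { echo "bad sha1-96 key" >&2; return 1; }
    done
    cat <<EOF
ipsec spd add 1
set interface ipsec spd $iface 1
ipsec sa add 10 spi 1001 esp crypto-key $ockey crypto-alg aes-cbc-128 integ-key $oikey integ-alg sha1-96 tunnel-src $ltun tunnel-dst $rtun
ipsec sa add 20 spi 1000 esp crypto-key $ickey crypto-alg aes-cbc-128 integ-key $iikey integ-alg sha1-96 tunnel-src $rtun tunnel-dst $ltun
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range $lhost - $lhost remote-ip-range $rhost - $rhost
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range $lhost - $lhost remote-ip-range $rhost - $rhost
EOF
}

# Demo: "sh this_script.sh demo" prints a configuration with freshly generated
# keys; pipe it into "vppctl" one line at a time to apply it.
if [ "${1:-}" = "demo" ]; then
    gen_ipsec_config GigabitEthernet0/6/0 192.168.100.3 192.168.100.2 \
        192.168.4.4 192.168.3.3 \
        "$(new_key aes-cbc-128)" "$(new_key sha1-96)" \
        "$(new_key aes-cbc-128)" "$(new_key sha1-96)"
fi
```

The peer node runs the same generator with the tunnel and host addresses swapped and the two key pairs exchanged, so that its inbound SA (SPI 1001) matches this node's outbound SA and vice versa; `check_key` rejects a key that is the wrong length for the algorithm before any `ipsec sa add` line is emitted, which is the failure VPP otherwise reports only at configuration time.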

IKEv2

Features

Configuration