In this section:
The following example describes a configuration of an SBC 5400 that enables IPsec encryption of SIP traffic between LABNBS1 and SBC9000.
SBC 5400-SBC 9000 Configuration Example
SBC9000 | SBC 5400 SIP Sig port GSX NIF | LIF SIP Sig port 10.220.11.22 ------ 10.220.11.8 --------- 10.220.41.160 ------- 10.220.41.161 |
### create and configure IKE and IPsec protection profiles set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF saLifetimeTime 28800 set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF espAlgorithms integrity hmacSha1,hmacMd5 set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF espAlgorithms encryption aesCbc128,_3DesCbc set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF saLifetimeTime 28800 set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF algorithms encryption aesCbc128,_3DesCbc set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF algorithms integrity hmacSha1,hmacMd5 set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF dpdInterval noDpd ### create IKE peer set addressContext default ipsec peer PRGGSX2 ipAddress 10.220.11.8 preSharedKey 00000000000000000000000000000000 localIdentity type ipV4Addr ipAddress 10.220.41.161 set addressContext default ipsec peer PRGGSX2 remoteIdentity type ipV4Addr ipAddress 10.220.11.22 set addressContext default ipsec peer PRGGSX2 protocol ikev1 protectionProfile PRGGSX2_IKE_PROT_PROF ### create an SPD rule for this IKE peer set addressContext default ipsec spd PRGGSX2_SPD state enabled precedence 1001 set addressContext default ipsec spd PRGGSX2_SPD localIpAddr 10.220.41.161 localIpPrefixLen 32 remoteIpAddr 10.220.11.22 remoteIpPrefixLen 32 set addressContext default ipsec spd PRGGSX2_SPD action protect set addressContext default ipsec spd PRGGSX2_SPD protocol 0 set addressContext default ipsec spd PRGGSX2_SPD protectionProfile PRGGSX2_IPSEC_PROT_PROF set addressContext default ipsec spd PRGGSX2_SPD peer PRGGSX2 ### enable IPsec on the IP interface group set addressContext default ipInterfaceGroup default_IP_INT_GR ipsec enabled
- IPsec encryption works for non-media traffic only on SBC Core and SBC 9000. Only non-media traffic (signaling, ICMP) traverses through the IPsec tunnel. To encrypt media as well, use SRTP. If the media endpoint IP address is behind a NAPT, enable NaptMedia flag on the sipTrunkGroup.
- The SBC 5400 and 7000 systems can perform IPsec encryption for media (x3) packets directly inside the network processor, over TCP and UDP.
Set all parameters identically on both sides (including timers, ciphers, SPD IP addresses, prefixes/masks, PFS, and so on).
Set local identity to local SIP signaling port IP address and set remote identity to remote SIP signaling port IP address. The other end has to be set other way, that is, "remote identity" parameter has to match the local identity and vice versa.
Set IKE peer IP address to network interface IP address, that is, IP address of LIF or NIF/SIF.
The SBC supports a setup where the IPsec peer termination IP address (FW/IPsec GW IP address) is a public IP address and there is a SIP server or PBX with a private IP address behind this FW/GW. The SBC needs static IP routes to both termination and SIP signaling IP addresses. The static IP route to the private IP address is redundant. That means, nexthop is same as the nexthop for a public IP address. The un-encrypted traffic to the private IP address cannot be sent because the private IP address is not reachable directly from the SBC.
IP addresses of the SPDs have to be populated with SIP signaling port IP addresses. Protocol enumerations: 17 UDP, 6 TCP and so on (IANA Protocol enumerations apply).
IP addresses and prefixes (masks) in traffic selectors have to be set identically on both ends.
Ensure that the entered IP address entered for SPD entries is the subnet ID IP address and not a host IP address. For example, 192.168.1.0/29 is correct and 192.168.1.5/29 is incorrect.
To send both encrypted and unencrypted traffic through the same IP Interface Group/IP Interface, configure separate SPDs. The action type for unencrypted traffic has to be set to bypass
and to encrypt set it to protect
.
Enabling IPsec on an interface group that has 2 or more interfaces is not supported.
Useful CLI Commands
To retrieve the statistics and status of SA of IKE and IPsec.
admin@labnbs1b> show status addressContext default ipsec ikeSaStatus ikeSaStatus 6 { localIpAddr 10.220.41.160; peerIpAddr 10.220.11.8; localId 10.220.41.161; peerId 10.220.11.22; encType aes128; integrityType sha1; secondsRemaining 28662; } admin@labnbs1b> show status addressContext default ipsec ikeSaStatistics ikeSaStatistics 6 { localIpAddr 10.220.41.160; peerIpAddr 10.220.11.8; ipsecSaNegotiationsSucceeded 1; ipsecSaNegotiationsFailed 0; } [ok][2013-04-12 08:25:29] admin@labnbs1b> admin@labnbs1b> show status addressContext default ipsec ipsecSaStatus ipsecSaStatus 0004BD56 { remoteSPI 0040D170; localTerminationAddr 10.220.41.160; remoteTerminationAddr 10.220.11.8; localSelector 10.220.41.161/32:*; remoteSelector 10.220.11.22/32:*; upperLayerProtocol 17; encType aes128; integrityType sha1; secondsRemaining 28612; bytesRemaining -; selectorName PRGGSX2_SPD; ikeSaIndex 6; } admin@labnbs1b> show status addressContext default ipsec ipsecSaStatistics ipsecSaStatistics 0004BD56 { localIpAddr 10.220.41.160; remoteSpi 0040D170; peerIpAddr 10.220.11.8; inPacketsCount 2; outPacketsCount 2; inBytesCount 709; outBytesCount 1620; inPacketDiscardFailedIntegrity 0; inPacketDiscardAntiReplay 0; } admin@labnbs1b> show status addressContext default ipsec systemStatistics systemStatistics labnbs1 { inPacketDiscardInvalidSpi 3; inPacketDiscardProtected 0; inPacketDiscardDiscarded 0; outPacketDiscardProtected 3; outPacketDiscardDiscarded 0; inPacketDiscardNoState 0; inPacketDiscardSAExpired 0; inPacketDiscardSelectorMismatch 0; outPacketDiscardSSNWrap 0; outPacketDiscardSAExpired 0; ikeSaNegotiationsSucceeded 6; ikeSaNegotiationsFailed 0; ipsecSaNegotiationsSucceeded 7; ipsecSaNegotiationsFailed 32; } [ok][2013-04-12 08:24:29]