...
...
The following example describes a configuration on the SBC 5200 (LABNBS1) that enables IPsec encryption of SIP signaling traffic between LABNBS1 and an SBC 9000.
```
SBC 9000                              SBC 5200
SIP Sig port      GSX NIF             LIF                 SIP Sig port
10.220.11.22 ------ 10.220.11.8 --------- 10.220.41.160 ------- 10.220.41.161
```
```
### create and configure IKE and IPSEC protection profiles
set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF saLifetimeTime 28800
set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF espAlgorithms inte hmacSha1,hmacMd5
set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF espAlgorithms encryption aesCbc128,3DesCbc
set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF saLifetimeTime 28800
set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF algorithms encryption aesCbc128,3DesCbc
set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF algorithms integ hmacSha1,hmacMd5
set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF dpdInterval noDpd

### create IKE peer
set addressContext default ipsec peer PRGGSX2 ipAddress 10.220.11.8 preShared 00000000000000000000000000000000
set addressContext default ipsec peer PRGGSX2 localIdentity type ipV4Addr ipAddress 10.220.41.161
set addressContext default ipsec peer PRGGSX2 remoteIdentity type ipV4Addr ipAddress 10.220.11.22
set addressContext default ipsec peer PRGGSX2 protectionProfile PRGGSX2_IKE_PROT_PROF

### create an SPD rule that allows the initial IPSEC negotiation to go through (SBC must allow traffic on UDP port 500)
set addressContext default ipsec spd ALLOW_IKE state enabled precedence 1000
set addressContext default ipsec spd ALLOW_IKE localPort 500 localIpAddr 10.220.41.160 localIpPrefixLen 32
set addressContext default ipsec spd ALLOW_IKE action bypass
set addressContext default ipsec spd ALLOW_IKE protocol 17

### create an SPD rule for this IKE peer
set addressContext default ipsec spd PRGGSX2_SPD state enabled precedence 1001
set addressContext default ipsec spd PRGGSX2_SPD localIpAddr 10.220.41.161 localIpPrefixLen 32 remoteIpAddr 10.220.11.22 remoteIpPrefixLen 32
set addressContext default ipsec spd PRGGSX2_SPD action protect
set addressContext default ipsec spd PRGGSX2_SPD protocol 17
set addressContext default ipsec spd PRGGSX2_SPD protectionProfile PRGGSX2_IPSEC_PROT_PROF
set addressContext default ipsec spd PRGGSX2_SPD peer PRGGSX2

### enable IPSec on the IP interface group
set addressContext default ipInterfaceGroup default_IP_INT_GR ipsec enabled
```
Info: IPsec encryption applies to non-media traffic only, on both SBC Core (SBC 5000 series) and SBC 9000. Only non-media traffic (signaling, ICMP) traverses the IPsec tunnel. To encrypt media as well, use SRTP. If the media endpoint IP address is behind a NAPT, enable the NaptMedia flag on the sipTrunkGroup.
Note: IPsec used with overlapped IP addressing is not supported in SBC Core releases earlier than 4.2.x, which means that only the default addressContext can be used for IPsec on SBC Core in those releases. In release 4.2.x and later, the SBC supports IPsec in other addressContexts as well (SBX-1156, PCR5560).
Tip: Set all parameters identically on both sides (including timers, ciphers, SPD IP addresses, prefixes/masks, PFS, and so on).
...
Note: Enabling IPsec on an interface group that has two or more interfaces is not supported.
To retrieve the status and statistics of the IKE and IPsec SAs, use the following show commands:
```
admin@labnbs1b> show status addressContext default ipsec ikeSaStatus
ikeSaStatus 6 {
    localIpAddr 10.220.41.160;
    peerIpAddr 10.220.11.8;
    localId 10.220.41.161;
    peerId 10.220.11.22;
    encType aes128;
    integrityType sha1;
    secondsRemaining 28662;
}

admin@labnbs1b> show status addressContext default ipsec ikeSaStatistics
ikeSaStatistics 6 {
    localIpAddr 10.220.41.160;
    peerIpAddr 10.220.11.8;
    ipsecSaNegotiationsSucceeded 1;
    ipsecSaNegotiationsFailed 0;
}
[ok][2013-04-12 08:25:29]

admin@labnbs1b> show status addressContext default ipsec ipsecSaStatus
ipsecSaStatus 0004BD56 {
    remoteSPI 0040D170;
    localTerminationAddr 10.220.41.160;
    remoteTerminationAddr 10.220.11.8;
    localSelector 10.220.41.161/32:*;
    remoteSelector 10.220.11.22/32:*;
    upperLayerProtocol 17;
    encType aes128;
    integrityType sha1;
    secondsRemaining 28612;
    bytesRemaining -;
    selectorName PRGGSX2_SPD;
    ikeSaIndex 6;
}

admin@labnbs1b> show status addressContext default ipsec ipsecSaStatistics
ipsecSaStatistics 0004BD56 {
    localIpAddr 10.220.41.160;
    remoteSpi 0040D170;
    peerIpAddr 10.220.11.8;
    inPacketsCount 2;
    outPacketsCount 2;
    inBytesCount 709;
    outBytesCount 1620;
    inPacketDiscardFailedIntegrity 0;
    inPacketDiscardAntiReplay 0;
}

admin@labnbs1b> show status addressContext default ipsec systemStatistics
systemStatistics labnbs1 {
    inPacketDiscardInvalidSpi 3;
    inPacketDiscardProtected 0;
    inPacketDiscardDiscarded 0;
    outPacketDiscardProtected 3;
    outPacketDiscardDiscarded 0;
    inPacketDiscardNoState 0;
    inPacketDiscardSAExpired 0;
    inPacketDiscardSelectorMismatch 0;
    outPacketDiscardSSNWrap 0;
    outPacketDiscardSAExpired 0;
    ikeSaNegotiationsSucceeded 6;
    ikeSaNegotiationsFailed 0;
    ipsecSaNegotiationsSucceeded 7;
    ipsecSaNegotiationsFailed 32;
}
[ok][2013-04-12 08:24:29]
```
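The show output above is what an operator would poll to confirm that the tunnel really carries the SIP signaling and that nothing is being silently discarded. The following script is an added example, not part of the original page or of the SBC product: it parses the brace-delimited `show status` format into dictionaries and runs the checks a practitioner would want after applying the configuration above (selectors and protocol match the SPD rule `PRGGSX2_SPD`, the negotiated algorithms are within the configured profile, the SA is not about to expire, and no integrity, anti-replay, invalid-SPI or failed-negotiation counters are non-zero). The sample text is a constructed, trimmed copy of the output shown on this page; the mapping of the status names `aes128`/`3des`/`sha1`/`md5` to the configured `aesCbc128,3DesCbc` and `hmacSha1,hmacMd5`, and the 10 % rekey margin, are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the `show status ... ipsec` output on this page.
SAMPLE_STATUS = """
ipsecSaStatus 0004BD56 {
    remoteSPI 0040D170;
    localTerminationAddr 10.220.41.160;
    remoteTerminationAddr 10.220.11.8;
    localSelector 10.220.41.161/32:*;
    remoteSelector 10.220.11.22/32:*;
    upperLayerProtocol 17;
    encType aes128;
    integrityType sha1;
    secondsRemaining 28612;
    bytesRemaining -;
    selectorName PRGGSX2_SPD;
    ikeSaIndex 6;
}
ipsecSaStatistics 0004BD56 {
    localIpAddr 10.220.41.160;
    remoteSpi 0040D170;
    peerIpAddr 10.220.11.8;
    inPacketsCount 2;
    outPacketsCount 2;
    inPacketDiscardFailedIntegrity 0;
    inPacketDiscardAntiReplay 0;
}
systemStatistics labnbs1 {
    inPacketDiscardInvalidSpi 3;
    inPacketDiscardNoState 0;
    inPacketDiscardSelectorMismatch 0;
    ikeSaNegotiationsSucceeded 6;
    ikeSaNegotiationsFailed 0;
    ipsecSaNegotiationsSucceeded 7;
    ipsecSaNegotiationsFailed 32;
}
"""

# Expected values, taken from the SPD rule and protection profiles configured on this page.
EXPECTED_SA = {
    "selectorName": "PRGGSX2_SPD",
    "upperLayerProtocol": "17",
    "localSelector": "10.220.41.161/32:*",
    "remoteSelector": "10.220.11.22/32:*",
}
# Assumption: status-output names for the configured aesCbc128,3DesCbc / hmacSha1,hmacMd5.
ALLOWED_ENC = {"aes128", "3des"}
ALLOWED_INTEG = {"sha1", "md5"}
SA_LIFETIME_SECONDS = 28800          # saLifetimeTime from the configured profiles
REKEY_MARGIN = 0.10                  # assumption: warn when under 10 % of lifetime remains

# One block looks like: "<kind> <index> { key value; key value; ... }"
BLOCK_RE = re.compile(r"(\w+)\s+(\S+)\s*\{([^}]*)\}", re.S)


def parse_status(text):
    """Return {(kind, index): {key: value}} for every brace block in the output."""
    blocks = {}
    for kind, index, body in BLOCK_RE.findall(text):
        fields = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, value = stmt.partition(" ")
                fields[key] = value.strip()
        blocks[(kind, index)] = fields
    return blocks


def check_health(blocks):
    """Return a list of human-readable findings; an empty list means the tunnel looks healthy."""
    findings = []
    for (kind, idx), f in blocks.items():
        if kind == "ipsecSaStatus":
            for key, want in EXPECTED_SA.items():
                if f.get(key) != want:
                    findings.append(f"{kind} {idx}: {key}={f.get(key)!r}, expected {want!r}")
            if f.get("encType") not in ALLOWED_ENC:
                findings.append(f"{kind} {idx}: unexpected encType {f.get('encType')!r}")
            if f.get("integrityType") not in ALLOWED_INTEG:
                findings.append(f"{kind} {idx}: unexpected integrityType {f.get('integrityType')!r}")
            if int(f.get("secondsRemaining", "0")) < SA_LIFETIME_SECONDS * REKEY_MARGIN:
                findings.append(f"{kind} {idx}: SA close to expiry ({f.get('secondsRemaining')} s left)")
        elif kind == "ipsecSaStatistics":
            # Non-zero integrity or anti-replay discards point at tampering, replay or a clock/SPI mix-up.
            for key in ("inPacketDiscardFailedIntegrity", "inPacketDiscardAntiReplay"):
                if int(f.get(key, "0")) > 0:
                    findings.append(f"{kind} {idx}: {key}={f[key]}")
        elif kind == "systemStatistics":
            # Failed negotiations usually mean a profile or selector mismatch between the two peers.
            for key in ("ikeSaNegotiationsFailed", "ipsecSaNegotiationsFailed", "inPacketDiscardInvalidSpi"):
                if int(f.get(key, "0")) > 0:
                    findings.append(f"{kind} {idx}: {key}={f[key]}")
    return findings


if __name__ == "__main__":
    for line in check_health(parse_status(SAMPLE_STATUS)) or ["tunnel healthy"]:
        print(line)
```

On the page's own output the script reports exactly two findings: the 32 failed IPsec SA negotiations and the 3 invalid-SPI discards in `systemStatistics`, both of which are worth correlating with the configuration history on the peer before declaring the tunnel production-ready.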