

This section details the commands to configure an IPsec peer. See IPsec for Signaling for an in-depth feature description.

Command Syntax

Mandatory parameters required to configure an IPsec peer:

Code Block
languagenone
% set addressContext <addressContext name> ipsec peer <peer name>
   ipAddress <ipAddress>
   localIdentity type <fqdn | ipV4Addr | ipV6Addr> <fqdn <domainName> | ipAddress <ipAddress>>
   preSharedKey <pre-shared secret>
 


Optional parameters:

Code Block
languagenone
% set addressContext <addressContext name> ipsec peer <peer name>
   authType <psk | rsaSig>
   localCertificate <sbcCertName>
   remoteCertificate <peerCertName>
   remoteCaCertificate <caCertName1>
   protectionProfile <profile_name>
   protocol <any | ikev1 | ikev2>
   remoteIdentity type <fqdn | ipV4Addr | ipV6Addr> <fqdn <domainName> | ipAddress <ipAddress>>
   

Command Parameters

Table: IPsec Peer Parameters


Parameter

Length/Range

Description

Mandatory peer parameter descriptions for IPsec Peer

peer

1-23

Specifies the name of the Internet Key Exchange (IKE) peer database entry. This name identifies an entry in the IKE Peer Database (IPD). The IPD is a list of remote devices that may become IPsec peers. The IPD establishes the authentication and other phase 1 criteria for the peer-to-peer negotiation to eventually reach an IKE Security Association (SA) between this specific peer and the SBC.

ipAddress

N/A

Specifies the IPv4 or IPv6 address of the peer.

localIdentity type

N/A

Specifies the local identity type that the SBC will assert to the peer during phase 1 authentication.
  • fqdn <domainName> – Specifies that the local identity will be presented in Fully Qualified Domain Name (FQDN) format, taking as its value the FQDN of the SBC, specified by the next argument (example: westford.example.com).
  • ipV4Addr <ipAddress> – Specifies that the local identity will be presented in IPv4 dotted-decimal format, taking as its value the IP address of the SBC specified by the next argument (example: 128.127.50.224).
  • ipV6Addr <ipAddress> – Specifies that the local identity will be presented in IPv6 hexadecimal/colon format, taking as its value the IP address of the SBC specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880).

NOTE: The ipVxAddr attribute is not used at this time. If it is present in the CLI, please ignore it.

preSharedKey

32-128 alphanumeric 

-or-

0x + 16-64 hex digits

Specifies the pre-shared secret key used with this peer. The SBC accepts the pre-shared key in the following formats:

  • An ASCII string of 32 to 128 case-sensitive alphanumeric characters from the range 0-9, a-z, space, and A-Z. Example: 1234567890abcdef1234567890ABCDEF.
  • A hexadecimal value introduced by "0x" and followed by 16 to 64 hexadecimal digits (0-9, a-f, A-F).
  • A HEX encoding of an ASCII string of 16-64 case-sensitive alphanumeric characters from the range 0-9, a-z, space, and A-Z, converted into hexadecimal format and prefixed with "0x". Example: 1234567890aBcDeF converted to hexadecimal format is 0x31323334353637383930614263446546.

In all cases the given value represents a "pre-shared secret" between the SBC and the IKE peer. This value is used for mutual authentication during phase 1 negotiation to set up an IKE Security Association.

NOTE: Ribbon strongly recommends using unpredictable (difficult to guess) values. Use a unique value for each IKE peer. This string is never displayed in plaintext when using the show commands.

Optional peer parameter descriptions for IPsec Peer

authType

N/A

The authentication method used with this peer:

  • psk – pre-shared key (see preSharedKey)
  • rsaSig – RSA signature; configure localCertificate, remoteCertificate, and remoteCaCertificate for this method

localCertificate

N/A

The name of the local (SBC) certificate (sbcCertName).

remoteCertificate

N/A

The name of the remote (IPsec peer) certificate (peerCertName).

protectionProfile

N/A

Specifies the name of the IKE protection profile to apply to the Internet key exchange with this peer.

protocol

N/A

Use this object to specify the Internet Key Exchange (IKE) protocol version used to set up a Security Association (SA) with this IPsec peer.

  • any – Use either IKE protocol version.
  • ikev1 – Internet Key Exchange version 1.
  • ikev2 – Internet Key Exchange version 2.

NOTE: Prior to release 4.2, the default value was ikev1. For new installations, the default is ikev2. Systems upgraded from pre-4.2 releases keep ikev1 in their existing configuration, but ikev2 is the default for any new peer configuration. When "any" is configured, the SBC proposes IKEv2 by default when it is the IKE initiator; when it is the responder, the IKE version is selected according to the version the peer uses in its IKE message.

remoteIdentity type

N/A

Specifies the identity the peer is expected to present to the SBC during phase 1 authentication.

  • fqdn <domainName> – Specifies that the remote identity is in Fully Qualified Domain Name (FQDN) format, taking as its value the FQDN of the peer, specified by the next argument (example: westford.example.com).
  • ipV4Addr <ipAddress> – Specifies that the remote identity is in IPv4 dotted-decimal format, taking as its value the IP address of the peer specified by the next argument (example: 128.127.50.224).
  • ipV6Addr <ipAddress> – Specifies that the remote identity is in IPv6 hexadecimal/colon format, taking as its value the IP address of the peer specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880).

NOTE: The ipVxAddr attribute is not used at this time. If it is present in the CLI, please ignore it.

remoteCaCertificate

N/A

The name of the remote CA certificate (caCertName1) referenced by the IPsec peer entry.
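The preSharedKey formats and the NOTE above (unpredictable values, one per peer) are easy to get wrong by hand. The following Python helpers are an added example written for this page, not Ribbon code or SBC output: they generate keys from the OS CSPRNG in both documented forms, check a candidate value against the documented length and character rules, re-encode an ASCII key into the 0x form exactly as the table's example does, and flag a secret reused across peers. The page gives two limits for the hex form (16-64 hex digits in the Length/Range column; a 16-64 character ASCII string hex-encoded, which can reach 128 digits, in the description); the narrower column limit is assumed here, and the equivalence of an ASCII key with its 0x re-encoding is likewise an assumption. All function names are hypothetical.

```python
"""Helpers for producing and checking SBC IPsec pre-shared keys.

Added example for this page; not Ribbon code.  Assumptions are marked.
"""
import re
import secrets
import string

# ASCII form: 32-128 case-sensitive characters from 0-9, a-z, A-Z and space.
ASCII_ALPHABET = string.digits + string.ascii_letters + " "
ASCII_MIN, ASCII_MAX = 32, 128
# Hex form: "0x" followed by 16-64 hex digits (Length/Range column).
# Assumption: the narrower column limit is used; the description's
# "hex encoding of 16-64 ASCII characters" would allow up to 128 digits.
HEX_MIN, HEX_MAX = 16, 64
_HEX_FORM = re.compile(r"^0x([0-9a-fA-F]+)$")


def validate_psk(value: str) -> tuple[bool, str]:
    """Classify a candidate preSharedKey against the documented rules.

    Returns (True, "ascii") or (True, "hex") for an acceptable value, else
    (False, reason).  A "0x" prefix is taken as the hex form, since such a
    string could otherwise pass as ASCII.  The SBC remains the authority.
    """
    m = _HEX_FORM.match(value)
    if m:
        digits = len(m.group(1))
        if HEX_MIN <= digits <= HEX_MAX:
            return True, "hex"
        return False, f"hex form needs {HEX_MIN}-{HEX_MAX} hex digits, got {digits}"
    if value.startswith("0x"):
        return False, "hex form must be 0x followed only by hex digits"
    bad = sorted({c for c in value if c not in ASCII_ALPHABET})
    if bad:
        return False, f"ASCII form contains disallowed characters: {bad!r}"
    if not ASCII_MIN <= len(value) <= ASCII_MAX:
        return False, f"ASCII form needs {ASCII_MIN}-{ASCII_MAX} characters, got {len(value)}"
    return True, "ascii"


def ascii_to_hex_form(psk: str) -> str:
    """Re-encode an ASCII-form key as the 0x form, as in the table's example
    ('1234567890aBcDeF' -> '0x31323334353637383930614263446546')."""
    bad = [c for c in psk if c not in ASCII_ALPHABET]
    if bad:
        raise ValueError(f"not an ASCII-form key: {bad!r}")
    return "0x" + psk.encode("ascii").hex()


def generate_ascii_psk(length: int = 64, allow_space: bool = False) -> str:
    """Draw an ASCII-form key from the OS CSPRNG (the 'unpredictable value'
    the NOTE asks for).  Space is excluded unless requested so the key needs
    no quoting at the CLI."""
    if not ASCII_MIN <= length <= ASCII_MAX:
        raise ValueError(f"length must be {ASCII_MIN}-{ASCII_MAX}")
    alphabet = ASCII_ALPHABET if allow_space else string.digits + string.ascii_letters
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_hex_psk(nbytes: int = 32) -> str:
    """Draw nbytes of CSPRNG output and present them in the 0x form
    (two hex digits per byte, so nbytes=32 gives the 64-digit maximum)."""
    if not HEX_MIN <= 2 * nbytes <= HEX_MAX:
        raise ValueError(f"nbytes must give {HEX_MIN}-{HEX_MAX} hex digits")
    return "0x" + secrets.token_hex(nbytes)


def shared_keys(peers: dict[str, str]) -> dict[str, list[str]]:
    """Return {secret_hex: [peer names]} for every secret configured on more
    than one peer, to enforce the NOTE's 'unique value for each IKE peer'.
    Assumption: an ASCII key and its 0x re-encoding are the same secret, so
    both are compared on their byte value."""
    by_value: dict[bytes, list[str]] = {}
    for name, key in peers.items():
        m = _HEX_FORM.match(key)
        if m and len(m.group(1)) % 2 == 0:
            raw = bytes.fromhex(m.group(1))
        else:
            raw = key.encode("ascii")
        by_value.setdefault(raw, []).append(name)
    return {raw.hex(): names for raw, names in by_value.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed inputs: the table's own examples plus one deliberately short key.
    for candidate in ("1234567890abcdef1234567890ABCDEF",
                      "0x31323334353637383930614263446546", "12345678"):
        print(candidate, validate_psk(candidate))
    print(generate_ascii_psk(), generate_hex_psk())
    print(shared_keys({"peer1": "1234567890aBcDeF",
                       "peer2": "0x31323334353637383930614263446546"}))
```

Generated keys are meant to be pasted into the preSharedKey argument of the set command; the SBC stores and displays them only in encrypted form, so keep your own copy of the value the peer side must be configured with.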
 



Command Example

The following example creates an IPsec peer named "peer2" with a pre-shared key and an IPv4 local identity, then displays the resulting configuration. The show output presents the preSharedKey only in its encrypted form ($3$...), never in plaintext. Note that the 8-character key in this example is shorter than the 32-character minimum documented in the parameter table; use a key that meets that requirement.

Code Block
languagenone
% set addressContext default ipsec peer peer2 ipAddress 10.20.30.140 preSharedKey 12345678 localIdentity type ipV4Addr ipAddress 10.20.30.134
% show addressContext default ipsec
peer peer2 {
    ipAddress    10.20.30.140;
    localIdentity {
        type      ipV4Addr;
        ipAddress 10.20.30.134;
    }
    preSharedKey $3$jCFw27QxeFA9KSe4Ym01FechIP3sXsZY;