You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Back to Table of Content

Back to Configuring SBC Objects

SBC5200-SBC9000 Configuration Example

The following example describes a configuration of SBC5200 (LABNBS1) that enables an IPSEC encryption of SIP traffic between LABNBS1 and SBC9000.

Network diagram showing the IP addresses used in the configuration example
            SBC9000                 |                   SBC5200
SIP Sign port        GSX NIF        |          LIF              SIP Sign port
10.220.11.22 ------ 10.220.11.8 --------- 10.220.41.160 ------- 10.220.41.161
                                    |
SBC5k IPSec Configuration Commands
### create and configure IKE and IPSEC protection profiles
 
set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF saLifetimeTime 28800
set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF espAlgorithms inte hmacSha1,hmacMd5
set profiles security ipsecProtectionProfile PRGGSX2_IPSEC_PROT_PROF espAlgorithms encryption aesCbc128,3DesCbc

set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF saLifetimeTime 28800
set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF algorithms encryption aesCbc128,3DesCbc
set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF algorithms integ hmacSha1,hmacMd5
set profiles security ikeProtectionProfile PRGGSX2_IKE_PROT_PROF dpdInterval noDpd

### create IKE peer

set addressContext default ipsec peer PRGGSX2 ipAddress 10.220.11.8 preShared 00000000000000000000000000000000
set addressContext default ipsec peer PRGGSX2 localIdentity type ipV4Addr ipAddress 10.220.41.161
set addressContext default ipsec peer PRGGSX2 remoteIdentity type ipV4Addr ipAddress 10.220.11.22
set addressContext default ipsec peer PRGGSX2 protectionProfile PRGGSX2_IKE_PROT_PROF

### create an SPD rule that allows the initial IPSEC negotiation to go through (SBC must allow traffic on UDP port 500)

set addressContext default ipsec spd ALLOW_IKE state enabled precedence 1000
set addressContext default ipsec spd ALLOW_IKE localPort 500 localIpAddr 10.220.41.160 localIpPrefixLen 32
set addressContext default ipsec spd ALLOW_IKE action bypass
set addressContext default ipsec spd ALLOW_IKE protocol 17

### create an SPD rule for this IKE peer

set addressContext default ipsec spd PRGGSX2_SPD state enabled precedence 1001
set addressContext default ipsec spd PRGGSX2_SPD localIpAddr 10.220.41.161 localIpPrefixLen 32 remoteIpAddr 10.220.11.22 remoteIpPrefixLen 32
set addressContext default ipsec spd PRGGSX2_SPD action protect
set addressContext default ipsec spd PRGGSX2_SPD protocol 17
set addressContext default ipsec spd PRGGSX2_SPD protectionProfile PRGGSX2_IPSEC_PROT_PROF
set addressContext default ipsec spd PRGGSX2_SPD peer PRGGSX2

### enable IPSec on the IP interface group

set addressContext default ipInterfaceGroup default_IP_INT_GR ipsec enabled

IPSEC encryption works for non-media traffic only on SBC5k and SBC9000. Only non-media traffic (signaling, ICMP) traverses through the IPSEC tunnel. To encrypt media as well, use SRTP. If the media endpoint IP address is behind a NAPT, enable NaptMedia flag on the sipTrunkGroup.

IPsec used with overlapped IP addressing is not supported in releases earlier than 4.2.x of SBC5200. It means that only default addressContext can be used for IPSec on SBC5200. In 4.2.x and later releases, SBC supports IPSec in other addressContexts as well (SBX-1156, PCR5560).

Set all parameters identically on both sides (including timers, ciphers, SPD IP addresses, prefixes/masks, PFS, and so on).

Best Practice for IKE Peer Configuration

Set local identity to local SIP signaling port IP address and set remote identity to remote SIP signaling port IP address. The other end has to be set other way, that is, "remote identity" parameter has to match the local identity and vice versa.

Set IKE peer IP address to network interface IP address, that is, IP address of LIF or NIF/SIF.

SBC5k supports a setup where the IPSEC peer termination IP address (FW/IPSEC GW IP address) is a public IP address and there is a SIP server or PBX with a private IP address behind this FW/GW. SBC needs static IP routes to both termination and SIP signaling IP addresses. The static IP route to the private IP address is redundant. That means, nexthop is same as the nexthop for a public IP address. The un-encrypted traffic to the private IP address cannot be sent because the private IP address is not reachable directly from SBC.

SPD Configuration

IP addresses of the SPDs have to be populated with SIP signaling port IP addresses. Protocol enumerations: 17 UDP, 6 TCP and so on (IANA Protocol enumerations apply).

IP addresses and prefixes (masks) in traffic selectors have to be set identically on both ends.

Ensure that the entered IP address entered for SPD entries is the subnet ID IP address and not a host IP address. For example, 192.168.1.0/29 is correct and 192.168.1.5/29 is incorrect.

To send both encrypted and unencrypted traffic through the same IP Interface Group/IP Interface, configure separate SPDs. The action type for unencrypted traffic has to be set to bypass and to encrypt set it to protect.

Enabling IPSEC on an interface group that has 2 or more interfaces is not supported.

Useful CLI Commands

To retrieve the statistics and status of SA of IKE and IPSEC.

admin@labnbs1b> show status addressContext default ipsec ikeSaStatus
ikeSaStatus 6 {
    localIpAddr      10.220.41.160;
    peerIpAddr       10.220.11.8;
    localId          10.220.41.161;
    peerId           10.220.11.22;
    encType          aes128;
    integrityType    sha1;
    secondsRemaining 28662;
}
admin@labnbs1b> show status addressContext default ipsec ikeSaStatistics
ikeSaStatistics 6 {
    localIpAddr                  10.220.41.160;
    peerIpAddr                   10.220.11.8;
    ipsecSaNegotiationsSucceeded 1;
    ipsecSaNegotiationsFailed    0;
}
[ok][2013-04-12 08:25:29]
admin@labnbs1b>
 
admin@labnbs1b> show status addressContext default ipsec ipsecSaStatus
ipsecSaStatus 0004BD56 {
    remoteSPI             0040D170;
    localTerminationAddr  10.220.41.160;
    remoteTerminationAddr 10.220.11.8;
    localSelector         10.220.41.161/32:*;
    remoteSelector        10.220.11.22/32:*;
    upperLayerProtocol    17;
    encType               aes128;
    integrityType         sha1;
    secondsRemaining      28612;
    bytesRemaining        -;
    selectorName          PRGGSX2_SPD;
    ikeSaIndex            6;
}
admin@labnbs1b> show status addressContext default ipsec ipsecSaStatistics
ipsecSaStatistics 0004BD56 {
    localIpAddr                    10.220.41.160;
    remoteSpi                      0040D170;
    peerIpAddr                     10.220.11.8;
    inPacketsCount                 2;
    outPacketsCount                2;
    inBytesCount                   709;
    outBytesCount                  1620;
    inPacketDiscardFailedIntegrity 0;
    inPacketDiscardAntiReplay      0;
}
 
admin@labnbs1b> show status addressContext default ipsec systemStatistics
systemStatistics labnbs1 {
    inPacketDiscardInvalidSpi       3;
    inPacketDiscardProtected        0;
    inPacketDiscardDiscarded        0;
    outPacketDiscardProtected       3;
    outPacketDiscardDiscarded       0;
    inPacketDiscardNoState          0;
    inPacketDiscardSAExpired        0;
    inPacketDiscardSelectorMismatch 0;
    outPacketDiscardSSNWrap         0;
    outPacketDiscardSAExpired       0;
    ikeSaNegotiationsSucceeded      6;
    ikeSaNegotiationsFailed         0;
    ipsecSaNegotiationsSucceeded    7;
    ipsecSaNegotiationsFailed       32;
}
[ok][2013-04-12 08:24:29]

 

 

  • No labels