In this section:

 

This section details the commands to configure an IPsec Peer. See IPsec for Signaling for in-depth feature description.

Command Syntax

Mandatory parameters required to configure the IPsec.

% set addressContext <addressContext name> ipsec peer <peer name> 
   ipAddress <ipAddress> 
   localIdentity <fqdn | ipV4Addr | ipV6Addr> 	
   preSharedKey <DES3 encrypted string>

 

Optional parameters:

% set addressContext <addressContext name> ipsec peer <peer name> authType <psk | rsaSig> localCertificate <sbcCertName> <peerCertName> <caCertName1>
   protectionProfile <profile_name> 
   protocol <any | ikev1 | ikev2>	 
   remoteIdentity <fqdn | ipV4Addr | ipV6Addr>

   authType <psk | rsaSig>
   localCertificate <sbcCertName>
   remoteCertificate <peerCertName>
   remoteCaCertificate <caCertName1>
   

Command Parameters

IPsec Peer Parameters

Parameter

Length/Range

Description

Mandatory peer parameter descriptions for IPsec Peer

peer

1-23

Specifies the name of the Internet Key Exchange (IKE) peer database entry. This name identifies an entry in the IKE Peer Database (IPD). The IPD is a list of remote devices that may become IPsec peers. The IPD establishes the authentication and other phase 1 criteria for the peer-to-peer negotiation to eventually reach an IKE Security Association (SA) between this specific peer and the SBC.

ipAddress

N/A

Specifies the IPv4 or IPv6 address of the peer.

localIdentity type

N/A

Specifies the local identity type  that SBC will assert to the peer during phase 1 authentication.
  • fqdn <domainName> – Specifies that the local identity will be presented in Fully Qualified Domain Name (FQDN) format, taking as its value the FQDN of the SBC, specified by the next argument such as westford.example.com.
  • ipV4Addr <ipAddress> – Specifies that the local identity will be presented in IPv4 address dotted decimal format, taking as its value the IP address of the SBC specified by the next argument (example: 128.127.50.224).
  • ipV6Addr <ipAddress> – Specifies that the local identity will be presented in IPv6 address hexadecimal/colon format, taking as its value the IP address of the SBC specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880).

NOTE: The ipVxAddr attribute is not used at this time. If it is present in the CLI, please ignore it.

preSharedKey

32-128 alphanumeric 

-or-

0x + 16-64 hex digits

Specifies the Pre-shared Secret with this peer. The preSharedKey can be one of the following:

  • A string of from 32 to 128 case-sensitive, alphanumeric characters. These characters may only be in the range 0-9, a-z, space, and A-Z
  • A hexadecimal value introduced by "0x" and followed by 16 to 64 hexadecimal digits (0-9, a-f, A-F)

In either case the given value represents a "pre-shared secret" between the SBC and the IKE peer. This value is used for mutual authentication for phase 1 negotiation to set up an IKE Security association.

NOTE: Ribbon strongly recommends using unpredictable (difficult to guess) values. Use a unique value for each IKE peer. This string is never displayed in plaintext when using the show commands.

authTypeN/A

The authentication method – (psk) or rsa signature (rsaSig).

  • rskSig – rsa signature
  • psk preshared key
localCertificateN/A

The name of local (SBC) Certificate..

  •  sbcCertName
remoteCertificateN/A

The name of remote (IPSec Peer) Certificate.

  • peerCertName

Optional peer parameter descriptions for IPsec Peer

protectionProfile

N/A

Specifies the name of the IKE protection profile to apply to the Internet key exchange with this peer.

protocol

N/A

Use this object to specify the Internet Key Exchange (IKE) protocol to use to set up a Security Association (SA) for this IPsec peer.

  • any – Use either IKE protocol version.
  • ikev1 – Internet Key Version 1.
  • ikev2 – Internet Key Version 2.

NOTE: Prior to release 4.2, the default value was ikev1. For new installations, the default is ikev2. For systems upgraded from pre-4.2 versions, the existing configuration maintains ikev1. However, ikev2 becomes the default version for any new configurations. When "any" option is configured, in IKE initiator role, IKEv2 is chosen by default, while in responder mode IKE version is selected depending upon the IKE version used by the peer in IKE message.

remoteIdentity type

N/A

Specifies the remote Identity that SBC will assert to the PEER during phase 1 authentication. 

  • fqdn <domainName> – Specifies that the remote identity will be presented in Fully Qualified Domain Name (FQDN) format, taking as its value the FQDN of the SBC, specified by the next argument such as westford.example.com.
  • ipV4Addr <ipAddress> – Specifies that the remote identity will be presented in IPv4 address dotted decimal format, taking as its value the IP address of the SBC specified by the next argument (example: 128.127.50.224).
  • ipV6Addr <ipAddress> – Specifies that the remote identity will be presented in IPv6 address hexadecimal/colon format, taking as its value the IP address of the SBC specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880).

NOTE: The ipVxAddr attribute is not used at this time. If it is present in the CLI, please ignore it.

remoteCaCertificateN/A

The name of remote CA Certificate referred by the IPSec peer entry.

  • caCertName1

 

Command Example

The following example creates an IPsec peer named "peer2":

% set addressContext default ipsec peer peer2 ipAddress 10.20.30.140 preSharedKey 12345678 localIdentity type ipV4Addr ipAddress 10.20.30.134
% show addressContext default ipsec
peer peer2 {
    ipAddress    10.20.30.140;
    localIdentity {
        type      ipV4Addr;
        ipAddress 10.20.30.134;
    }
    preSharedKey $3$jCFw27QxeFA9KSe4Ym01FechIP3sXsZY;
  • No labels