
Saturday, October 08, 2016

IPSec Configuration in NOKIA 7705-SAR8

Wikipedia says, "Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session."

For IPSec, the 7705 SAR-8 supports VPRN when the 8-port Gigabit Ethernet Adapter card, version 3, is installed. When we run IPSec on a Nokia router we need two service instances (either VPRN-VPRN or VPRN-IES): one service for the public network (sometimes called the untrusted zone) and the other for the private network (sometimes called the trusted zone).

Nokia 7705 SAR-8 eth8-V3 MDA Card
As a special case, the Nokia 7705 SAR currently supports only VPRN-IES: VPRN for the private network (trusted) and IES for the public network (untrusted). The architecture of the Nokia 7705 SAR-8 is shown below:



1. Overview

IPsec on the NOKIA 7705 SAR-8 supports IKEv2, authentication using a pre-shared key (PSK), perfect forward secrecy (PFS), Encapsulating Security Payload (ESP) in tunnel mode, DH groups 1/2/5/14/15, and the following two phases:
  • Phase 1: IPSec IKE policy (NULL is not supported):
    • authentication algorithm: MD5/SHA1/SHA256/SHA384/SHA512
    • encryption algorithm: DES/3DES/AES128/AES192/AES256
  • Phase 2: IPSec transform (NULL cannot be used for authentication and encryption at the same time):
    • authentication algorithm: NULL/MD5/SHA1/SHA256/SHA384/SHA512
    • encryption algorithm: NULL/DES/3DES/AES128/AES192/AES256
    To create an IPSec service on a Nokia router we need to understand the term tunnel group: a tunnel group is a collection of IPSec tunnels. The 7705 SAR supports one tunnel group, which always uses tunnel ID 1.
    The NOKIA 7705 separates the two networks by service (VPRN for private and IES for public), so a tunnel SAP and a tunnel interface are needed on each side. They connect the public network to the private network and form the point of demarcation between encrypted traffic and decrypted traffic.
    There are two types of tunnel interfaces and associated SAPs:
    • Public tunnel interface: configured in the public IES service; outgoing tunnel packets have a source IP address (local gateway address) in this subnet
      • Public tunnel SAP: associated with the public tunnel interface
    • Private tunnel interface: configured in the private VPRN service
      • Private tunnel SAP: associated with the private tunnel interface, logically linked to the public tunnel SAP

    2. Configuration

    2.1 Topology

    Tested in the lab using the topology below:

    2.2 IPSec Parameters

    I divide this part into two pieces: first the interface and service parameters, then the global IPSec parameters.

    2.2.1. Interface and Service Parameters

    2.2.2. IPSec Parameters between Server and Branch (Site-to-Site)

    2.3 How to Configure

    Here we are only concerned with the SAR-8 configuration.
    Note: this IPsec feature will not run unless the a8-eth-v3 MDA and a CSMv2 are installed.


    1. Configuring tunnel group:
      A:LAB-7705-SAR8# configure isa tunnel-group 1 create  
      A:LAB-7705-SAR8>config>isa>tunnel-grp# description "IPSec-Test-ON-SAR8"
      A:LAB-7705-SAR8>config>isa>tunnel-grp# no shutdown 
      A:LAB-7705-SAR8>config>isa>tunnel-grp# back 
      A:LAB-7705-SAR8>config>isa# info 
      ----------------------------------------------
              tunnel-group 1 create
                  description "IPSec-Test-ON-SAR8"
                  no shutdown
              exit
      ----------------------------------------------
      A:LAB-7705-SAR8>config>isa# 
      

    2. Phase 1 Configuration
      *A:LAB-7705-SAR8# configure ipsec 
      *A:LAB-7705-SAR8>config>ipsec# ike-policy 3 create 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# own-auth-method psk 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# dh-group 14 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# ipsec-lifetime 48000 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# isakmp-lifetime 60000 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# pfs dh-group 5 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# auth-algorithm sha384 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# encryption-algorithm aes192 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# dpd interval 10 
      *A:LAB-7705-SAR8>config>ipsec>ike-policy# exit 
      

    3. Phase 2 Configuration
      *A:LAB-7705-SAR8>config>ipsec# ipsec-transform 3 create 
      *A:LAB-7705-SAR8>config>ipsec>transform# esp-auth-algorithm sha512 
      *A:LAB-7705-SAR8>config>ipsec>transform# esp-encryption-algorithm aes256 
      *A:LAB-7705-SAR8>config>ipsec>transform# exit 
      *A:LAB-7705-SAR8>config>ipsec# 
      
    4. Configuring Network to Internet:
      *A:LAB-7705-SAR8>config>router# interface "Internet-Network"
      *A:LAB-7705-SAR8>config>router>if# port 1/6/7 
      *A:LAB-7705-SAR8>config>router>if# address 10.10.20.1/30 
      *A:LAB-7705-SAR8>config>router>if# exit all 
      *A:LAB-7705-SAR8#
      
    5. Configuring IES for Public Interface
      *A:LAB-7705-SAR8# configure service ies 3291 customer 1 create 
      *A:LAB-7705-SAR8>config>service>ies# interface "Branch-Pub-Net" create  
      *A:LAB-7705-SAR8>config>service>ies>if# address 10.10.26.2/30 
      *A:LAB-7705-SAR8>config>service>ies>if# sap tunnel-1.public:3290 create 
      *A:LAB-7705-SAR8>config>service>ies>if>sap# exit 
      *A:LAB-7705-SAR8>config>service>ies>if# exit 
      *A:LAB-7705-SAR8>config>service>ies# 
      *A:LAB-7705-SAR8>config>service>ies# no shutdown
      *A:LAB-7705-SAR8>config>service>ies# service-name "Branch-Public-IPSec" 
    6. Configuring VPRN for Private Interface
      a. Basic VPRN Configuration
      *A:LAB-7705-SAR8# configure service vprn 3290 customer 1 create 
      *A:LAB-7705-SAR8>config>service>vprn# route-distinguisher 192.168.200.4:3290 
      *A:LAB-7705-SAR8>config>service>vprn# service-name "SAR-8_IPSec_Private_Net" 
      b. Create Traffic Selection in the IPSec Security Policy
      *A:LAB-7705-SAR8>config>service>vprn# ipsec 
      *A:LAB-7705-SAR8>config>service>vprn>ipsec# security-policy 1 create 
      *A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy# entry 10 create 
      *A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy>entry#  local-ip 192.168.25.0/24 
      *A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy>entry# remote-ip 192.168.20.0/24 
      *A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy>entry# exit 
      *A:LAB-7705-SAR8>config>service>vprn>ipsec>sec-plcy# exit 
      *A:LAB-7705-SAR8>config>service>vprn>ipsec# exit
      c. Create IPSec Configuration under VPRN Interface for Private Network
      *A:LAB-7705-SAR8>config>service>vprn# interface "Private-Network" tunnel create 
      *A:LAB-7705-SAR8>config>service>vprn>if# sap tunnel-1.private:3290 create 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap# ipsec-tunnel "Branch-Network" create 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# security-policy 1 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# local-gateway-address 10.10.26.1 peer 10.10.24.1 delivery-service 3291 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# dynamic-keying 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# ike-policy 3 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# pre-shared-key "3KiT4b0l3eAT"
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# transform 3 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun>dyn# exit 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# no shutdown 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap>ipsec-tun# exit 
      *A:LAB-7705-SAR8>config>service>vprn>if>sap# exit                  
      *A:LAB-7705-SAR8>config>service>vprn>if# exit
      d. Make Routing to Remote Private Network with bind to IPSec Interface
      *A:LAB-7705-SAR8>config>service>vprn# static-route 192.168.20.0/24 ipsec-tunnel "Branch-Network"
    7. Make loopback Test (Proposed for Connectivity Test)
      *A:LAB-7705-SAR8>config>service>vprn# interface "CPE-Private-Test" create 
      *A:LAB-7705-SAR8>config>service>vprn>if# address 192.168.25.1/32 
      *A:LAB-7705-SAR8>config>service>vprn>if# loopback 
      *A:LAB-7705-SAR8>config>service>vprn>if# exit
    8. Save All Configuration
      *A:LAB-7705-SAR8# admin save

    3. IPSec Functionality Testing

    3.1 Verifying the Public Network

    A:LAB-7705-SAR8# /show router interface 
    
    ===============================================================================
    Interface Table (Router: Base)
    ===============================================================================
    Interface-Name                   Adm         Opr(v4/v6)  Mode    Port/SapId    
       IP-Address                                                    PfxState      
    -------------------------------------------------------------------------------
    Branch-Pub-Net                   Up          Up/Down     IES     tunnel-1.publ*
       10.10.26.2/30                                                n/a
    Internet-Network                 Up          Up/Down     Network 1/6/7         
       10.10.20.1/30                                                n/a
    system                           Up          Up/Down     Network system        
       192.168.200.4/32                                              n/a
    -------------------------------------------------------------------------------
    Interfaces : 5
    ===============================================================================
    * indicates that the corresponding row element may have been truncated.
    A:LAB-7705-SAR8#
    
    A:LAB-7705-SAR8# /show router static-route 
    
    ===============================================================================
    Static Route Table (Router: Base)  Family: IPv4
    ===============================================================================
    Prefix                                        Tag         Met    Pref Type Act 
       Next Hop                                    Interface                       
    -------------------------------------------------------------------------------
    10.10.24.0/30                                0           1      5    NH   Y   
       10.10.20.2                                 Internet-Network       
    -------------------------------------------------------------------------------
    No. of Static Routes: 1
    ===============================================================================
    A:LAB-7705-SAR8#

    3.2 Verifying the Private Network

    A:LAB-7705-SAR8# show router 3290 interface     
    
    ===============================================================================
    Interface Table (Service: 3290)
    ===============================================================================
    Interface-Name                   Adm         Opr(v4/v6)  Mode    Port/SapId    
       IP-Address                                                    PfxState      
    -------------------------------------------------------------------------------
    CPE-Private-Test                 Up          Up/Down     VPRN    loopback      
       192.168.25.1/32                                               n/a
    Private-Network                  Up          Up/--       VPRN I* tunnel-1.priv*
       -                                                             -
    -------------------------------------------------------------------------------
    Interfaces : 2
    ===============================================================================
    * indicates that the corresponding row element may have been truncated.
    A:LAB-7705-SAR8#

    3.3 Verifying the IPSec Parameters

    A:LAB-7705-SAR8# show ipsec ike-policy 3   
    
    ===============================================================================
    IPsec IKE policy Configuration Detail
    ===============================================================================
    Policy Id        : 3                    IKE Mode         : main
    DH Group         : Group14              Auth Method      : psk
    PFS              : True                 PFS DH Group     : Group5
    Auth Algorithm   : Sha384               Encr Algorithm   : Aes192
    ISAKMP Lifetime  : 60000                IPsec Lifetime   : 48000
    NAT Traversal    : Disabled             
    NAT-T Keep Alive : 0                    Behind NAT Only  : True
    DPD              : Enabled              
    DPD Interval     : 10                   DPD Max Retries  : 3
    Description      : (Not Specified)
    IKE Version      : 2                    Own Auth Method  : psk
    ===============================================================================
    A:LAB-7705-SAR8# show ipsec transform 3  
    
    ================================================================
    IPsec Transforms
    ================================================================
    TransformId    EspAuthAlgorithm    EspEncryptionAlgorithm                      
    ----------------------------------------------------------------
    3              Sha512              Aes256                       
    ----------------------------------------------------------------
    No. of IPsec Transforms: 1
    ================================================================
    A:LAB-7705-SAR8# 
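As an added example that is not from the post or from Nokia, the following Python audit parses the two-column `show ipsec ike-policy` detail screen reproduced above and flags weak Phase 1 choices; a second helper applies the Phase 2 NULL rule from the overview to an `ipsec-transform` pair. The sample text is a copy of the post's output, and the DH group sizes come from RFC 2409 / RFC 3526.

```python
import re

# Constructed sample: an excerpt of the `show ipsec ike-policy 3` output shown
# in the post (copied from the post, not captured from a live device here).
SAMPLE_IKE_POLICY = """\
===============================================================================
IPsec IKE policy Configuration Detail
===============================================================================
Policy Id        : 3                    IKE Mode         : main
DH Group         : Group14              Auth Method      : psk
PFS              : True                 PFS DH Group     : Group5
Auth Algorithm   : Sha384               Encr Algorithm   : Aes192
ISAKMP Lifetime  : 60000                IPsec Lifetime   : 48000
Description      : (Not Specified)
IKE Version      : 2                    Own Auth Method  : psk
===============================================================================
"""

# One "Label : Value" pair, optionally followed by a second pair after 2+ spaces.
_PAIR = re.compile(r"([A-Za-z][\w \-]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][\w \-]*?\s*:|$)")

# MODP sizes of the DH groups the post lists as supported (RFC 2409 / RFC 3526).
DH_BITS = {"Group1": 768, "Group2": 1024, "Group5": 1536, "Group14": 2048, "Group15": 3072}
WEAK_AUTH = {"md5", "sha1"}   # deprecated integrity algorithms
WEAK_ENCR = {"des", "3des"}   # deprecated encryption algorithms

def parse_detail(text: str) -> dict:
    """Flatten a two-column SR OS "Configuration Detail" screen into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("=", "-")):
            continue  # borders and blank lines carry no fields
        for label, value in _PAIR.findall(line):
            fields[label.strip()] = value.strip()
    return fields

def audit_ike_policy(p: dict) -> list:
    """Return findings for a Phase 1 (ike-policy) screen parsed by parse_detail()."""
    findings = []
    ike_grp = p.get("DH Group", "")
    ike_bits = DH_BITS.get(ike_grp, 0)
    if ike_bits < 2048:
        findings.append(f"IKE DH group {ike_grp or '?'} is below 2048-bit MODP")
    if p.get("PFS") == "True":
        pfs_grp = p.get("PFS DH Group", "")
        pfs_bits = DH_BITS.get(pfs_grp, 0)
        if pfs_bits < ike_bits:  # the rekey exchange is then the weaker DH link
            findings.append(f"PFS DH group {pfs_grp} ({pfs_bits}-bit) is weaker "
                            f"than IKE DH group {ike_grp} ({ike_bits}-bit)")
    else:
        findings.append("PFS disabled: IPsec SA keys derive from the IKE SA only")
    if p.get("Auth Algorithm", "").lower() in WEAK_AUTH:
        findings.append(f"IKE integrity algorithm {p['Auth Algorithm']} is deprecated")
    if p.get("Encr Algorithm", "").lower() in WEAK_ENCR:
        findings.append(f"IKE encryption algorithm {p['Encr Algorithm']} is deprecated")
    return findings

def audit_transform(esp_auth: str, esp_encr: str) -> list:
    """Return findings for a Phase 2 (ipsec-transform) pair as typed in the CLI."""
    a, e = esp_auth.lower(), esp_encr.lower()
    findings = []
    if a == "null" and e == "null":
        findings.append("NULL/NULL transform is rejected by the 7705 SAR")
    elif a == "null":
        findings.append("NULL ESP authentication: encrypted traffic has no integrity check")
    if a in WEAK_AUTH or e in WEAK_ENCR:
        findings.append(f"deprecated algorithm in transform {esp_auth}/{esp_encr}")
    return findings
```

Run against the post's own policy 3 it reports a single finding: `pfs dh-group 5` (1536-bit) is weaker than the `dh-group 14` (2048-bit) used for the IKE exchange itself.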
    

    3.4 Testing Gateway Reachability

    A:LAB-7705-SAR8#  ping 10.10.24.1 source 10.10.26.2 
    PING 10.10.24.1 56 data bytes
    64 bytes from 10.10.24.1: icmp_seq=1 ttl=62 time=12.6ms.
    64 bytes from 10.10.24.1: icmp_seq=2 ttl=62 time=14.1ms.
    64 bytes from 10.10.24.1: icmp_seq=3 ttl=62 time=14.2ms.
    64 bytes from 10.10.24.1: icmp_seq=4 ttl=62 time=13.9ms.
    64 bytes from 10.10.24.1: icmp_seq=5 ttl=62 time=14.1ms.
    
    ---- 10.10.24.1 PING Statistics ----
    5 packets transmitted, 5 packets received, 0.00% packet loss
    round-trip min = 12.6ms, avg = 13.8ms, max = 14.2ms, stddev = 0.597ms
    A:LAB-7705-SAR8#

    3.5 Verifying the IPSec Tunnel (Before Any Traffic). Note: the tunnel only comes up when traffic needs it; it appears to be triggered by traffic matching the security policy.

    *A:LAB-7705-SAR8# show ipsec tunnel                      
    
    ==============================================================================
    IPsec Tunnels
    ==============================================================================
    TunnelName                       LocalAddress      SvcId        Admn   Keying  
      SapId                            RemoteAddress     DlvrySvcId   Oper   Sec   
                                                                             Plcy  
    ------------------------------------------------------------------------------
    Branch-Network                   10.10.26.1       3290         Up     Dynamic
      tunnel-1.private:3290            10.10.24.1       3291         Down   1    
    ------------------------------------------------------------------------------
    IPsec Tunnels: 1
    ==============================================================================
    
    A:LAB-7705-SAR8# show ipsec tunnel Branch-Network 
    
    ===============================================================================
    IPsec Tunnel Configuration Detail
    ===============================================================================
    Service Id       : 3290                 Sap Id           : tunnel-1.private:3290
    Tunnel Name      : Branch-Network
    Description      : None
    Local Address    : 10.10.26.1           Remote Address   : 10.10.24.1
    Delivery Service : 3291                 Security Policy  : 1
    Admin State      : Up                   Oper State       : Down
    Keying Type      : Dynamic              Replay Window    : None
    Clear DF Bit     : false                IP MTU           : max
    Copy DF Bit      : false
    Oper Flags       : None
     
    -------------------------------------------------------------------------------
    BFD Interface
    -------------------------------------------------------------------------------
    BFD Designate    : no                   
    
    -------------------------------------------------------------------------------
    Dynamic Keying Parameters
    -------------------------------------------------------------------------------
    Transform Id1    : 3                    Transform Id2    : None
    Transform Id3    : None                 Transform Id4    : None
    Ike Policy Id    : 3                    Auto Establish   : disabled
    PreShared Key:3KiT4b0l3eAT            
    Isakmp State     : Down                 
    
    ISAKMP Statistics
    --------------------
    Tx Packets       : 0                    Rx Packets       : 0
    Tx Errors        : 0                    Rx Errors        : 0
    Tx DPD           : 0                    Rx DPD           : 0
    Tx DPD ACK       : 0                    Rx DPD ACK       : 0
    DPD Timeouts     : 0                    Rx DPD Errors    : 0
    ===============================================================================
    ===============================================================================
    A:LAB-7705-SAR8#

    3.6 Test Ping through the Tunnel

    A:LAB-7705-SAR8# ping router 3290 192.168.20.1 source 192.168.25.1 
    PING 192.168.20.1 56 data bytes
    64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=0.880ms.
    64 bytes from 192.168.20.1: icmp_seq=2 ttl=64 time=0.924ms.
    64 bytes from 192.168.20.1: icmp_seq=3 ttl=64 time=0.947ms.
    64 bytes from 192.168.20.1: icmp_seq=4 ttl=64 time=0.928ms.
    64 bytes from 192.168.20.1: icmp_seq=5 ttl=64 time=0.963ms.
    
    ---- 192.168.20.1 PING Statistics ----
    5 packets transmitted, 5 packets received, 0.00% packet loss
    round-trip min = 0.880ms, avg = 0.928ms, max = 0.963ms, stddev = 0.033ms
    A:LAB-7705-SAR8# 
    

    3.7 Tunnel Status After Ping

    A:LAB-7705-SAR8# show ipsec tunnel 
    
    ==============================================================================
    IPsec Tunnels
    ==============================================================================
    TunnelName                       LocalAddress      SvcId        Admn   Keying  
      SapId                            RemoteAddress     DlvrySvcId   Oper   Sec   
                                                                             Plcy  
    ------------------------------------------------------------------------------
    Branch-Network                    10.10.26.1       3290         Up     Dynamic
      tunnel-1.private:3290            10.10.24.1       3291         Up     1    
    ------------------------------------------------------------------------------
    IPsec Tunnels: 1
    ==============================================================================
    A:LAB-7705-SAR8# show ipsec tunnel Branch-Network   
    
    ===============================================================================
    IPsec Tunnel Configuration Detail
    ===============================================================================
    Service Id       : 3290                 Sap Id           : tunnel-1.private:3290
    Tunnel Name      : Branch-Network
    Description      : None
    Local Address    : 10.10.26.1           Remote Address   : 10.10.24.1
    Delivery Service : 3291                 Security Policy  : 1
    Admin State      : Up                   Oper State       : Up
    Keying Type      : Dynamic              Replay Window    : None
    Clear DF Bit     : false                IP MTU           : max
    Copy DF Bit      : false
    Oper Flags       : None
     
    -------------------------------------------------------------------------------
    BFD Interface
    -------------------------------------------------------------------------------
    BFD Designate    : no                   
    
    -------------------------------------------------------------------------------
    Dynamic Keying Parameters
    -------------------------------------------------------------------------------
    Transform Id1    : 3                    Transform Id2    : None
    Transform Id3    : None                 Transform Id4    : None
    Ike Policy Id    : 3                    Auto Establish   : disabled
    PreShared Key:3KiT4b0l3eAT
    
    -------------------------------------------------------------------------------
    ISAKMP-SA
    -------------------------------------------------------------------------------
    State            : Up                   
    Established      : 01/02/2000 02:30:59  Lifetime         : 60000
    Expires          : 01/02/2000 19:10:56  
    
    ISAKMP Statistics                     
    --------------------
    Tx Packets       : 7                    Rx Packets       : 7
    Tx Errors        : 0                    Rx Errors        : 0
    Tx DPD           : 5                    Rx DPD           : 0
    Tx DPD ACK       : 0                    Rx DPD ACK       : 5
    DPD Timeouts     : 0                    Rx DPD Errors    : 0
    
    -------------------------------------------------------------------------------
    IPsec-SA : 10, Inbound (index 1)
    -------------------------------------------------------------------------------
    Type             : Dynamic              
    SPI              : 45838                
    Auth Algorithm   : Sha512               Encr Algorithm   : Aes256
    Installed        : 01/02/2000 02:30:59  Lifetime         : 48000
    
    Aggregate Statistics
    --------------------
    Bytes Processed  : 1512                 Packets Processed: 18
    Crypto Errors    : 0                    Replay Errors    : 0
    SA Errors        : 0                    Policy Errors    : 0
    
    -------------------------------------------------------------------------------
    IPsec-SA : 10, Outbound (index 1)
    -------------------------------------------------------------------------------
    Type             : Dynamic              
    SPI              : 176812               
    Auth Algorithm   : Sha512               Encr Algorithm   : Aes256
    Installed        : 01/02/2000 02:30:59  Lifetime         : 48000
    
    Aggregate Statistics
    --------------------
    Bytes Processed  : 1512                 Packets Processed: 18
    Crypto Errors    : 0                    Replay Errors    : 0
    SA Errors        : 0                    Policy Errors    : 0
    ===============================================================================
    ===============================================================================
    A:LAB-7705-SAR8#


