Caution: IPSec parameter configurations saved using this release may not function properly with older software releases.
• PDN Access: Subscriber IP traffic is routed over an IPSec tunnel from the system to a secure gateway on the packet data network (PDN) as determined by access control list (ACL) criteria. This application can be implemented for both core network service and HA-based systems. The following figure shows IPSec configurations.
• Mobile IP: Mobile IP control signals and subscriber data are encapsulated in IPSec tunnels that are established between foreign agents (FAs) and home agents (HAs) over the Pi interfaces.
Important: Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
• L2TP: L2TP-encapsulated packets are routed from the system to an LNS/secure gateway over an IPSec tunnel.
As described in the IP Access Control Lists chapter of this guide, ACLs on the system define rules, usually permissions, for handling subscriber data packets that meet certain criteria. Crypto ACLs, however, define the criteria that must be met in order for a subscriber data packet to be routed over an IPSec tunnel.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
Important: These instructions assume that the system was previously configured to support subscriber data sessions either as a core service or an HA. In addition, parameters configured using this procedure must be configured in the same destination context on the system.
Step 1 Configure one or more IP access control lists (ACLs) according to the information and instructions located in the IP Access Control Lists chapter of this guide.
Step 2
Step 3
Step 4
Step 5
Step 6 Save your configuration as described in Verifying and Saving Your Configuration.
The FA determines the appropriate crypto map to use for IPSec protection based on the HA address attribute. It does this by comparing the address received to those configured using the isakmp peer-ha command. From the crypto map, the system determines the following:
The HA determines the appropriate crypto map to use for IPSec protection based on the FA’s address. It does this by comparing the address received to those configured using the isakmp peer-fa command. From the crypto map, the system determines the following:
Important: Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
Important: These instructions assume that the systems were previously configured to support subscriber data sessions either as an FA or an HA.
Step 1
Step 2
Step 3
Step 4
Important: Though the use of DPD is optional, it is recommended in order to ensure service availability.
Step 5
Step 6
Step 7
Step 8
Step 9
Important: Though the use of DPD is optional, it is recommended in order to ensure service availability.
Step 11
Step 12 Save your configuration as described in Verifying and Saving Your Configuration.
Important: These instructions assume that the system was previously configured to support subscriber data sessions and L2TP tunneling either as a PDSN or an HA. In addition, with the exception of subscriber attributes, all other parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1
Step 2
Step 3
Step 4
Step 5 Save your configuration as described in Verifying and Saving Your Configuration.
Important: These instructions assume that the system was previously configured to support PDSN compulsory tunneling subscriber data sessions. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1
Step 2
Step 3
Step 4
Step 5 Save your configuration as described in Verifying and Saving Your Configuration.
Important: These instructions assume that the system was previously configured to support subscriber PDP contexts and L2TP tunneling as a GGSN. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1
Step 2
Step 3
Step 4
Step 5 Save your configuration as described in Verifying and Saving Your Configuration.
Important: This section provides the minimum instruction set for configuring a transform set on your system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Transform Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  crypto ipsec transform-set <transform_name> ah hmac { md5-96 | none | sha1-96 } esp hmac { { md5-96 | none | sha1-96 } { cipher { des-cbc | 3des-cbc | aes-cbc } | none } }
• <ctxt_name> is the system context in which you wish to create and configure the crypto transform set(s).
• <transform_name> is the name of the crypto transform set in the current context that you want to configure for IPSec configuration.
• For more information on parameters, refer to the IPSec Transform Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto transform-set transform_name
Important: This section provides the minimum instruction set for configuring ISAKMP policies on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and ISAKMP Configuration Mode Commands chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  ikev1 policy <priority>
    lifetime <time>
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP policy.
• <priority> dictates the order in which the ISAKMP policies are proposed when negotiating IKE SAs.
• For more information on parameters, refer to the ISAKMP Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto isakmp policy priority
Caution: Modification(s) to an existing ISAKMP policy configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: This section provides the minimum instruction set for configuring ISAKMP crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map ISAKMP Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  crypto map <map_name> ipsec-isakmp
    set peer <agw_address>
    set isakmp preshared-key <isakmp_key>
    set transform-set <transform_name>
    match address <acl_name> [ preference ]
    match crypto-group <group_name> { primary | secondary }
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP crypto maps.
• <map_name> is the name by which the ISAKMP crypto map will be recognized by the system.
• <acl_name> is the name of the pre-configured ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. This is an optional parameter.
• <group_name> is the name of the Crypto group configured in the same context. It is used for configurations using the IPSec Tunnel Failover feature. This is an optional parameter. For more information, refer to the Redundant IPSec Tunnel Fail-Over section of this chapter.
• For more information on parameters, refer to the Crypto Map ISAKMP Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto map [ tag map_name | type ipsec-isakmp ]
Caution: Modification(s) to an existing ISAKMP crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: This section provides the minimum instruction set for configuring dynamic crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map Dynamic Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  crypto map <map_name> ipsec-dynamic
    set transform-set <transform_name>
• <ctxt_name> is the system context in which you wish to create and configure the dynamic crypto maps.
• <map_name> is the name by which the dynamic crypto map will be recognized by the system.
• For more information on parameters, refer to the Crypto Map Dynamic Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto map [ tag map_name | type ipsec-dynamic ]
Caution: Modification(s) to an existing dynamic crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
Important: Because manual crypto map configurations require the use of static security keys (associations), they are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only be configured and used for testing purposes.
Important: This section provides the minimum instruction set for configuring manual crypto maps on the system. For more information on commands that configure additional parameters and options, refer to the Context Configuration Mode Commands and Crypto Map Manual Configuration Mode chapters in the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  crypto map <map_name> ipsec-manual
    set peer <agw_address>
    match address <acl_name> [ preference ]
    set transform-set <transform_name>
    set session-key { inbound | outbound } { ah <ah_spi> [ encrypted ] key <ah_key> | esp <esp_spi> [ encrypted ] cipher <encryption_key> [ encrypted ] authenticator <auth_key> }
• <ctxt_name> is the system context in which you wish to create and configure the manual crypto maps.
• <map_name> is the name by which the manual crypto map will be recognized by the system.
• <acl_name> is the name of the pre-configured ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. This is an optional parameter.
• <group_name> is the name of the Crypto group configured in the same context. It is used for configurations using the IPSec Tunnel Failover feature. This is an optional parameter.
• For more information on parameters, refer to the Crypto Map Manual Configuration Mode Commands chapter in the Command Line Interface Reference.
show crypto map [ tag map_name | type ipsec-manual ]
Caution: Modification(s) to an existing manual crypto map configuration will not take effect until the related security association has been cleared. Refer to the clear crypto security-association command located in the Exec Mode Commands chapter of the Command Line Interface Reference for more information.
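The transform-set, ISAKMP, dynamic and manual crypto map sections above define objects that must fit together before a tunnel is usable, and the note on manual maps explains why static keys belong in a test setup only. The following Python script is an added example, not Cisco code and not part of this guide: it parses a constructed StarOS-style configuration fragment (the context-level crypto ipsec transform-set and crypto map commands shown in this chapter, plus the interface-level crypto-map binding described in the next section) and reports what a reviewer would want flagged: single-DES or HMAC-MD5-96 transform sets, transform sets with no encryption or no integrity protection, manual maps outside a lab, ISAKMP maps missing a peer, preshared key, ACL or crypto group, references to undefined transform sets, and ISAKMP or manual maps never applied to an interface. The configuration text, object names and addresses are constructed, and the severity labels are the example's own.

```python
"""Added audit of StarOS-style IPSec configuration (example code, not Cisco's).

Parses the context-level commands this chapter documents and flags the risks the
chapter calls out. All configuration text below is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

WEAK_CIPHERS = {"des-cbc"}   # 56-bit single DES: deprecated, flagged as weak
WEAK_HMACS = {"md5-96"}      # HMAC-MD5-96: deprecated integrity algorithm

# Constructed sample configuration; addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """
context ipsec_ctx
  crypto ipsec transform-set strong_ts ah hmac none esp hmac sha1-96 cipher aes-cbc
  crypto ipsec transform-set weak_ts ah hmac none esp hmac md5-96 cipher des-cbc
  crypto map to_sgw ipsec-isakmp
    set peer 192.0.2.10
    set isakmp preshared-key EXAMPLE-PSK-PLACEHOLDER
    set transform-set strong_ts
    match address crypto_acl1
  crypto map lab_manual ipsec-manual
    set peer 192.0.2.20
    match address crypto_acl1
    set transform-set weak_ts
  crypto map orphan ipsec-isakmp
    set peer 192.0.2.30
    set transform-set missing_ts
  crypto map dyn ipsec-dynamic
    set transform-set strong_ts
  interface pdn_if
    crypto-map to_sgw
"""


@dataclass
class CryptoMap:
    name: str
    kind: str                               # ipsec-isakmp | ipsec-dynamic | ipsec-manual
    peer: Optional[str] = None
    psk: bool = False
    transform_set: Optional[str] = None
    match_acl: Optional[str] = None
    crypto_group: Optional[str] = None


TS_RE = re.compile(r"crypto ipsec transform-set (\S+) ah hmac (\S+) esp hmac (\S+) (?:cipher (\S+)|none)$")
MAP_RE = re.compile(r"crypto map (\S+) (ipsec-isakmp|ipsec-dynamic|ipsec-manual)$")


def parse_config(text):
    """Return (transform_sets, crypto_maps, names of maps bound to an interface)."""
    transform_sets, maps, bound = {}, {}, set()
    current = None                          # crypto map whose sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TS_RE.match(line):
            transform_sets[m[1]] = {"ah": m[2], "esp_hmac": m[3], "cipher": m[4]}
            current = None
        elif m := MAP_RE.match(line):
            current = maps[m[1]] = CryptoMap(m[1], m[2])
        elif line.startswith(("context ", "interface ")):
            current = None                  # leaves crypto map configuration mode
        elif line.startswith("crypto-map "):
            bound.add(line.split()[1])      # interface-level binding of a map
        elif current is not None:
            words = line.split()
            if line.startswith("set peer "):
                current.peer = words[2]
            elif line.startswith("set isakmp preshared-key "):
                current.psk = True
            elif line.startswith("set transform-set "):
                current.transform_set = words[2]
            elif line.startswith("match address "):
                current.match_acl = words[2]
            elif line.startswith("match crypto-group "):
                current.crypto_group = words[2]
    return transform_sets, maps, bound


def audit(text):
    """Return sorted (severity, object, message) findings for one configuration."""
    ts, maps, bound = parse_config(text)
    out = []
    for name, t in ts.items():
        if t["cipher"] is None:
            out.append(("HIGH", name, "transform set provides no ESP encryption"))
        elif t["cipher"] in WEAK_CIPHERS:
            out.append(("HIGH", name, f"transform set uses weak cipher {t['cipher']}"))
        if t["ah"] == "none" and t["esp_hmac"] == "none":
            out.append(("HIGH", name, "no integrity protection: AH and ESP HMAC both none"))
        if t["ah"] in WEAK_HMACS or t["esp_hmac"] in WEAK_HMACS:
            out.append(("MEDIUM", name, "transform set uses HMAC-MD5-96"))
    for name, cm in maps.items():
        if cm.kind == "ipsec-manual":
            out.append(("MEDIUM", name, "manual crypto map relies on static keys; test use only"))
        if cm.transform_set is None:
            out.append(("HIGH", name, "no transform set selected"))
        elif cm.transform_set not in ts:
            out.append(("HIGH", name, f"references undefined transform set {cm.transform_set}"))
        if cm.kind != "ipsec-dynamic" and cm.peer is None:
            out.append(("HIGH", name, "no peer address"))
        if cm.kind == "ipsec-isakmp":
            if not cm.psk:
                out.append(("HIGH", name, "ISAKMP map has no preshared key"))
            if cm.match_acl is None and cm.crypto_group is None:
                out.append(("HIGH", name, "matches neither a crypto ACL nor a crypto group"))
        if cm.kind != "ipsec-dynamic" and name not in bound:
            out.append(("LOW", name, "crypto map is not applied to any interface"))
    return sorted(out)


if __name__ == "__main__":
    for severity, obj, msg in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {obj:12} {msg}")
```

Dynamic maps are exempt from the peer and interface checks because, as the chapter describes, they are selected by the ISAKMP negotiation rather than bound to an interface; every other map type is expected to name a peer and to be applied somewhere, or it protects nothing.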
Important: This section provides the minimum instruction set for applying manual or ISAKMP crypto maps to an interface on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 2
Step 3
Step 4 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  interface <interface_name>
    crypto-map <map_name>
• <ctxt_name> is the system context in which the interface is configured to apply crypto map.
• <interface_name> is the name of a specific interface configured in the context to which the crypto map will be applied.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
show configuration context ctxt_name | grep interface
Important: This section provides the minimum instruction set for configuring an FA service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  fa-service <fa_svc_name>
• <ctxt_name> is the system context in which the FA service is configured to support IPSec.
• <fa_svc_name> is the name of the FA service for which you are configuring IPSec.
• <ha_address> is the IP address of the HA service with which the FA service will communicate over IPSec.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
Important: This section provides the minimum instruction set for configuring an HA service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  ha-service <ha_svc_name>
    isakmp aaa-context <aaa_ctxt_name>
• <ctxt_name> is the system context in which the HA service is configured to support IPSec.
• <ha_svc_name> is the name of the HA service for which you are configuring IPSec.
• <fa_address> is the IP address of the FA service with which the HA service will communicate over IPSec.
• <aaa_ctxt_name> is the name of the context through which the HA service accesses the HAAA server to fetch the IKE S Key and S Lifetime parameters.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
As described in the How the IPSec-based Mobile IP Configuration Works section of this chapter, the system uses attributes stored in a subscriber’s RADIUS profile to determine how IPSec should be implemented.
3 : Enables IPSec for tunnels and registration messages
4 : Disables IPSec
Important: These instructions are required for compulsory tunneling. They should only be performed for attribute-based tunneling if the Tunnel-Service-Endpoint, the SN1-Tunnel-ISAKMP-Crypto-Map, or the SN1-Tunnel-ISAKMP-Secret are not configured in the subscriber profile.
Important: This section provides the minimum instruction set for configuring an LAC service to support IPSec on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  lac-service <lac_svc_name>
    peer-lns <ip_address> [ encrypted ] secret <secret> [ crypto-map <map_name> { [ encrypted ] isakmp-secret <secret> } ] [ description <text> ] [ preference <integer> ]
    isakmp aaa-context <aaa_ctxt_name>
• <ctxt_name> is the destination context where the LAC service is configured to support IPSec.
• <lac_svc_name> is the name of the LAC service for which you are configuring IPSec.
• <lns_address> is the IP address of the LNS node with which the LAC service will communicate over IPSec.
• <aaa_ctxt_name> is the name of the context through which the HA service accesses the HAAA server to fetch the IKE S Key and S Lifetime parameters.
• <map_name> is the name of the preconfigured ISAKMP or manual crypto map.
In addition to the subscriber profile attributes listed in the RADIUS and Subscriber Profile Attributes Used section of the L2TP Access Concentrator chapter in this guide, the table below lists the attributes required to support IPSec for use with attribute-based L2TP tunneling.
This section provides the minimum instruction set for configuring an L2TP service on the PDSN system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  pdsn-service <pdsn_svc_name>
    ppp tunnel-context <lac_ctxt_name>
• <ctxt_name> is the destination context where the PDSN service is configured.
• <pdsn_svc_name> is the name of the PDSN service for which you are configuring attribute-based L2TP tunneling.
• <lac_ctxt_name> is the name of the destination context where the LAC service is located.
Important: The peer security gateway must support RFC 3706 in order for this functionality to function properly.
• Primary Tunnel is down: A primary tunnel that was previously "up" is now "down" representing an error condition.
• Primary Tunnel is up: A primary tunnel that was previously "down" is now "up".
• Secondary tunnel is down: A secondary tunnel that was previously "up" is now "down" representing an error condition.
• Secondary Tunnel is up: A secondary tunnel that was previously "down" is now "up".
• Fail-over successful: The switchover of user traffic was successful. This is generated for both primary-to-secondary and secondary-to-primary switchovers.
• Unsuccessful fail-over: An error occurred when switching user traffic from either the primary to secondary tunnel or the secondary to primary tunnel.
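As an added illustration of the six fail-over notifications listed above (example code, not Cisco's and not part of this guide), the following Python model tracks a primary/secondary tunnel pair and derives those notifications from the liveness verdicts that DPD, described later in this chapter, would supply. Two behaviours are the example's own assumptions rather than anything this chapter states: the first tunnel to come up carries traffic, and traffic returns to the primary tunnel as soon as it recovers. The scenario replayed at the bottom is constructed.

```python
"""Added model of redundant IPSec tunnel fail-over notifications (example code, not Cisco's).

Tunnel liveness is fed in as DPD verdicts; the model emits the six notification
types this chapter lists. Preemption back to the primary tunnel is an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UP, DOWN = "up", "down"


@dataclass
class TunnelPair:
    primary: str = DOWN
    secondary: str = DOWN
    active: Optional[str] = None                  # tunnel carrying user traffic, if any
    events: List[str] = field(default_factory=list)

    def _switch_away(self, failed: str) -> List[str]:
        """Move traffic off a failed tunnel; fails if the other tunnel is also down."""
        other = "secondary" if failed == "primary" else "primary"
        if getattr(self, other) == UP:
            self.active = other
            return ["Fail-over successful"]
        self.active = None
        return ["Unsuccessful fail-over"]

    def dpd_result(self, tunnel: str, alive: bool) -> List[str]:
        """Apply one DPD liveness verdict for 'primary' or 'secondary'.

        Returns the notifications produced by this verdict (none if nothing changed)."""
        new = UP if alive else DOWN
        if getattr(self, tunnel) == new:
            return []                             # no state change, no notification
        setattr(self, tunnel, new)
        emitted = [f"{tunnel.capitalize()} tunnel is {new}"]
        if new == DOWN and self.active == tunnel:
            emitted += self._switch_away(tunnel)
        elif new == UP and self.active is None:
            self.active = tunnel                  # assumption: first tunnel up takes traffic
        elif new == UP and tunnel == "primary" and self.active == "secondary":
            self.active = "primary"               # assumption: revert to primary on recovery
            emitted.append("Fail-over successful")
        self.events.extend(emitted)
        return emitted


def run_scenario(verdicts: List[Tuple[str, bool]]) -> Tuple[List[str], Optional[str]]:
    """Replay a sequence of (tunnel, alive) DPD verdicts; return (events, active tunnel)."""
    pair = TunnelPair()
    for tunnel, alive in verdicts:
        pair.dpd_result(tunnel, alive)
    return pair.events, pair.active


# Constructed scenario: both tunnels come up, the primary fails and recovers,
# then the secondary fails, then the primary fails with no standby left.
SCENARIO = [("primary", True), ("secondary", True), ("primary", False),
            ("primary", True), ("secondary", False), ("primary", False)]

if __name__ == "__main__":
    events, active = run_scenario(SCENARIO)
    for e in events:
        print(e)
    print("traffic carried by:", active)
```

The last two verdicts show why "Secondary tunnel is down" deserves attention even while traffic still flows: once the standby is gone, the next primary failure produces "Unsuccessful fail-over" and a service outage, which is the condition the chapter's warning about sharing one loopback interface between crypto groups is meant to avoid.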
Important: Parameters configured using this procedure must be configured in the same context on the system.
Important: The system supports a maximum of 32 crypto groups per context. However, configuring crypto groups to use the same loopback interface for secondary IPSec tunnels is not recommended and may compromise redundancy on the chassis.
Important: This section provides the minimum instruction set for configuring crypto groups on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  crypto-group <group_name>
• <ctxt_name> is the destination context where the Crypto Group is to be configured.
• <group_name> is the name of the Crypto group you want to configure for IPSec tunnel failover support.
• <acl_name> is the name of the pre-configured crypto ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. For more information on crypto ACLs, refer to the Crypto Access Control List (ACL) section of this chapter.
context <ctxt_name>
  crypto map <map_name1> ipsec-isakmp
    match crypto-group <group_name> primary
context <ctxt_name>
  crypto map <map_name2> ipsec-isakmp
    match crypto-group <group_name> secondary
• <ctxt_name> is the system context in which you wish to create and configure the ISAKMP crypto maps.
• <group_name> is the name of the Crypto group configured in the same context for the IPSec Tunnel Failover feature.
• <map_name1> is the name of the preconfigured ISAKMP crypto map to match with the crypto group as primary.
• <map_name2> is the name of the preconfigured ISAKMP crypto map to match with the crypto group as secondary.
DPD is configured at the context level and is used in support of the IPSec Tunnel Failover feature (refer to the Redundant IPSec Tunnel Fail-Over section) and/or to help prevent tunnel state mismatches between an FA and HA when IPSec is used for Mobile IP applications. When used with Mobile IP applications, DPD ensures the availability of tunnels between the FA and HA. (Note that the starIPSECDynTunUp and starIPSECDynTunDown SNMP traps are triggered to indicate tunnel state for the Mobile IP scenario.)
Regardless of the application, DPD must be supported/configured on both security peers. If the system is configured with DPD but it is communicating with a peer that does not have DPD configured, IPSec tunnels still come up. However, the only indication that the remote peer does not support DPD exists in the output of the show crypto isakmp security-associations summary command.
Important: If DPD is enabled while IPSec tunnels are up, it will not take effect until all of the tunnels are cleared.
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.context <ctxt_name>
• <ctxt_name> is the destination context where the Crypto Group is to be configured.
Important: This section provides the minimum instruction set for configuring an APN template to support L2TP for APN. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference. To configure the APN to support L2TP:
Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
context <ctxt_name>
  apn <apn_name>
    tunnel l2tp [ peer-address <lns_address> [ [ encrypted ] secret <l2tp_secret> ] [ preference <num> ] [ tunnel-context <tunnel_ctxt_name> ] [ local-address <agw_ip_address> ] [ crypto-map <map_name> { [ encrypted ] isakmp-secret <crypto_secret> } ] ]
• <ctxt_name> is the system context in which the APN template is configured.
• <apn_name> is the name of the preconfigured APN template in which you want to configure L2TP support.
• <lns_address> is the IP address of the LNS node with which this APN will communicate.
• <tunnel_ctxt_name> is the L2TP context in which the L2TP tunnel is configured.
• <agw_ip_address> is the local IP address of the GGSN in which this APN template is configured.
• <map_name> is the preconfigured crypto map (ISAKMP or manual) to be used for L2TP.
show apn { all | name apn_name }