Add the resource to the Abilis system with the following command:
[15:50:39] ABILIS_CPX:a res:ipsec
RES:IPSEC ALREADY EXISTS
The IPSEC resource may already exist in the system, but may not yet be active: set it active with the command:
[15:50:43] ABILIS_CPX:s act res:ipsec
COMMAND EXECUTED
Caution: after adding the IPSEC resource or setting it active, you must restart the Abilis for the resource to run (use the warm start command to reboot the Abilis).
[17:14:59] ABILIS_CPX:s p ipsec act:yes
COMMAND EXECUTED
[17:15:17] ABILIS_CPX:d p ipsec
RES:Ipsec - Not Saved (SAVE CONF), Not Refreshed (INIT) ----------------------
Run   DESCR:IP_Security_Protocol
      LOG:DS   ACT:YES   MODE:IKE   mxps:2048   IN-CHK:YES
      TTL:COPY   ECN:NOCARE   DF:CLEAR   TCP-MSS-CLAMP:YES   TCP-MSS-VALUE:1334
Warning: to activate the IPSEC resource, 16 MB of free RAM are required. Verify it with the command d i; for example: [17:39:21] ABILIS_CPX:_
Use the following command to display the parameters of the resource; the output below shows the parameters, whose meaning is explained afterwards.
[09:58:41] ABILIS_CPX:d p ipsec
RES:IpSec ---------------------------------------------------------------------
Run   DESCR:IP_Security_Protocol
      LOG:DS   ACT:YES   MODE:IKE   mxps:2048   IN-CHK:YES
      TTL:COPY   ECN:FORBIDDEN   DF:CLEAR   TCP-MSS-CLAMP:YES   TCP-MSS-VALUE:1334
Meaning of the most important parameters:
LOG
Logging functionalities activation/deactivation.
ACT
Runtime IPSEC activation/deactivation.
MODE
Working mode of the IPSEC port [MANUAL; IKE].
mxps
Maximum length of IP datagram which can be processed.
IN-CHK
Inbound policy check flag.
TTL
Specifies the Time-To-Live field for the outer IP header in tunnel mode [COPY: the TTL field is copied from the inner IP header to the tunnel one; 1..255].
ECN
Specifies the ECN (Explicit Congestion Notification) consideration mode on IPSEC tunnels in tunnel mode. ECN is an experimental addition to the IP architecture that provides notification of the onset of congestion to delay- or loss-sensitive applications [ALLOWED; FORBIDDEN; NOCARE].
DF
DF (Don't Fragment) bit manipulation in tunnel mode during encapsulation [CLEAR: clear the DF bit on the outer IP header; SET: set the DF bit on the outer IP header; COPY: copy the DF bit from the inner to the outer IP header].
TCP-MSS-CLAMP
Activates/deactivates the TCP MSS (Maximum Segment Size) clamping procedure used to control the size of TCP segments.
TCP-MSS-VALUE
TCP MSS clamping value.
The command that allows the configuration of the resource to be modified has the following syntax:
s p ipsec par:val ...
Caution: to activate changes made to the upper-case parameters, execute the initialization command init res:ipsec; to activate changes made to the lower-case parameters, a save conf and an Abilis restart (i.e. the warm start command) are required.
A particular SA may protect IP datagrams using only one security protocol, either AH or ESP.
Enhanced security policy may be implemented using multiple SAs.
The term “security association bundle” or “SA bundle” is applied to a sequence of SAs through which traffic must be processed to satisfy a security policy. The order of the sequence is defined by the policy.
This table is used only when the mode parameter is set to MANUAL.
The Security Associations table can store up to 256 entries, indexed starting from 0 up to 255.
Changes made in the table are activated by executing the command init res:ipsec.
Commands for handling Security Associations table are:
d/a/c/s ipsec sa:"id-num" [par:val ...]
The d ipsec sa ? command displays the meaning of parameters.
[11:46:52] ABILIS_CPX:d ipsec sa
-------------------------------------------------------------------------------
SA: NAME: SPI: SRC-IP: PROT: AUTH: CIPHER:
BUNDLE: TUNNEL: IPRES: SIDE: DST-IP: AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
*** NO IPSEC SECURITY ASSOCIATIONS DEFINED ***
Meaning of the most important parameters:
SPI
Specifies the Security Parameter Index (SPI).
BUNDLE
Number of the SA bundle group.
SRC-IP
Source IP address for the Security Association.
DST-IP
Destination IP address for the Security Association.
PROT
Protocol for this security association record [AH, ESP].
AUTH
Authentication method for the AH or ESP protocols [NONE, MD5, SHA].
AUTHKEY
Authentication key for the AH or ESP protocols (only for AUTH not equal to NONE). ASCII printable string. For the MD5 authentication key exactly 16 characters are required; for the SHA authentication key exactly 20 characters are required.
CIPHER
Encryption algorithm for the ESP protocol [NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256].
ENCKEY
Encryption key for the ESP protocol (only for PROT:ESP and CIPHER not equal to NONE). For the DES encryption key exactly 8 characters are required; for IDEA, CAST, BLOWFISH and AES128 exactly 16 characters; for 3DES and AES192 exactly 24 characters; for AES256 exactly 32 characters.
TUNNEL
Tunnel mode flag.
IPRES
Tunnel IP resource.
SIDE
Tunnel side [NONE, AUTO, INSIDE, OUTSIDE, VPN, DMZ].
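The key-length rules above are easy to get wrong by hand. The following added example (not part of the Abilis documentation) checks a Security Associations entry against those rules and renders the corresponding s ipsec sa command; the helper names and the sample entry are assumptions made here.

```python
# Added example, not part of the Abilis documentation: checks an IPSEC
# Security Association entry against the key-length rules given above and
# renders the "s ipsec sa:<id> par:val ..." command. Helper names and the
# sample entry are constructed here; the Abilis CLI itself is not modelled.

# Exact key lengths (ASCII characters) the documentation requires.
AUTH_KEY_LEN = {"MD5": 16, "SHA": 20}
ENC_KEY_LEN = {"DES": 8, "IDEA": 16, "CAST": 16, "BLOWFISH": 16,
               "AES128": 16, "3DES": 24, "AES192": 24, "AES256": 32}

def validate_sa(sa):
    """Return the problems found in an SA definition (empty list when valid)."""
    problems = []
    prot = sa.get("PROT")
    if prot not in ("AH", "ESP"):
        problems.append("PROT must be AH or ESP")
    auth = sa.get("AUTH", "NONE")
    if auth != "NONE" and auth not in AUTH_KEY_LEN:
        problems.append("AUTH must be NONE, MD5 or SHA")
    elif auth != "NONE":
        key = sa.get("AUTHKEY", "")
        if not (key.isascii() and key.isprintable()):
            problems.append("AUTHKEY must be a printable ASCII string")
        if len(key) != AUTH_KEY_LEN[auth]:
            problems.append(f"AUTHKEY for {auth} must be exactly {AUTH_KEY_LEN[auth]} characters")
    cipher = sa.get("CIPHER", "NONE")
    if cipher != "NONE" and cipher not in ENC_KEY_LEN:
        problems.append("CIPHER is not one of the supported algorithms")
    elif cipher != "NONE" and prot == "AH":
        problems.append("CIPHER and ENCKEY apply only to PROT:ESP")
    elif cipher != "NONE":
        key = sa.get("ENCKEY", "")
        if len(key) != ENC_KEY_LEN[cipher]:
            problems.append(f"ENCKEY for {cipher} must be exactly {ENC_KEY_LEN[cipher]} characters")
    return problems

def sa_command(index, sa):
    """Render the command that sets table entry `index`; raise if it is invalid."""
    if not 0 <= index <= 255:
        raise ValueError("SA index must be between 0 and 255")
    problems = validate_sa(sa)
    if problems:
        raise ValueError("; ".join(problems))
    return f"s ipsec sa:{index} " + " ".join(f"{k}:{v}" for k, v in sa.items())

# Constructed sample entry: ESP in tunnel mode with SHA authentication and AES256.
SAMPLE_SA = {"NAME": "to_branch", "SPI": 1001, "BUNDLE": 1, "TUNNEL": "YES",
             "SRC-IP": "203.0.113.10", "DST-IP": "198.51.100.20",
             "PROT": "ESP", "AUTH": "SHA", "AUTHKEY": "example-auth-key-20c",
             "CIPHER": "AES256", "ENCKEY": "example-enc-key-32-characters!!!"}
```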
This table is used only when the mode parameter is set to MANUAL.
The Policy table can store up to 256 entries, indexed starting from 0 up to 255.
Changes made in the table are activated by executing the command init res:ipsec.
Commands for handling Policy table are:
d/a/c/s ipsec policy:"id-num" [par:val ...]
By typing d ipsec policy ?, it is possible to display the meaning of the parameters.
[11:46:54] ABILIS_CPX:d ipsec policy
-------------------------------------------------------------------------------
POLICY: NAME: NET-SRC: PORT-SRC:
DIR: BUNDLE: RULE: NET-DST: PORT-DST:
-------------------------------------------------------------------------------
*** NO IPSEC SECURITY POLICIES DEFINED ***
Meaning of the most important parameters:
DIR
Direction for the policy record [OUT: outbound direction (used as packet filter); IN: inbound direction (used for the inbound policy check)].
BUNDLE
Number of the SA bundle group associated with this policy record.
RULE
Rule for the policy record [BYPASS: the packet will be bypassed by IPSEC (outbound direction only); DROP: the packet will be dropped by IPSEC (outbound direction only); IPSEC: the packet will be processed by IPSEC].
NET-SRC
Source subnet address and mask in slash notation.
NET-DST
Destination subnet address and mask in slash notation.
PORT-SRC
Source port of the upper protocol (TCP, UDP).
PORT-DST
Destination port of the upper protocol (TCP, UDP).
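To see how the policy fields above combine into a decision, here is an added example (not part of the Abilis documentation) that evaluates a packet against a constructed Policy table. The evaluation order (ascending index, first match wins), the meaning of an absent port (any port) and the sample table are assumptions made here, not statements from the manual.

```python
# Added example, not part of the Abilis documentation: evaluates a packet
# against a Policy table as described above. Assumed here (the page does not
# say): records are tried in ascending index order and the first match wins,
# an absent PORT-SRC/PORT-DST matches any port, and 0.0.0.0/0 matches any host.
import ipaddress

# Constructed sample table, index -> parameters, mirroring the d ipsec policy columns.
POLICIES = {
    0: {"NAME": "lan_to_branch", "DIR": "OUT", "RULE": "IPSEC", "BUNDLE": 1,
        "NET-SRC": "192.168.10.0/24", "NET-DST": "192.168.20.0/24"},
    1: {"NAME": "dns_clear", "DIR": "OUT", "RULE": "BYPASS", "BUNDLE": 0,
        "NET-SRC": "192.168.10.0/24", "NET-DST": "0.0.0.0/0", "PORT-DST": 53},
    2: {"NAME": "drop_rest", "DIR": "OUT", "RULE": "DROP", "BUNDLE": 0,
        "NET-SRC": "0.0.0.0/0", "NET-DST": "0.0.0.0/0"},
    3: {"NAME": "branch_in", "DIR": "IN", "RULE": "IPSEC", "BUNDLE": 1,
        "NET-SRC": "192.168.20.0/24", "NET-DST": "192.168.10.0/24"},
}

def matches(policy, packet):
    """True if packet (dict: src, dst, optional sport/dport) fits the record."""
    if ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(policy["NET-SRC"]):
        return False
    if ipaddress.ip_address(packet["dst"]) not in ipaddress.ip_network(policy["NET-DST"]):
        return False
    # A port given in the record must equal the packet's port; absent means any.
    for key, field in (("PORT-SRC", "sport"), ("PORT-DST", "dport")):
        if key in policy and policy[key] != packet.get(field):
            return False
    return True

def lookup(policies, direction, packet):
    """Return (index, RULE, BUNDLE) of the first record matching the packet in
    the given direction ("OUT" or "IN"), or None when no record matches."""
    for idx in sorted(policies):
        pol = policies[idx]
        if pol["DIR"] != direction:
            continue
        if direction == "IN" and pol["RULE"] != "IPSEC":
            # BYPASS and DROP are defined for the outbound direction only.
            raise ValueError(f"policy {idx}: RULE {pol['RULE']} is outbound-only")
        if matches(pol, packet):
            return idx, pol["RULE"], pol["BUNDLE"]
    return None
```

Note that a DNS packet from the LAN to the branch subnet hits record 0 (IPSEC) before the BYPASS record 1, so the index order of the table decides which rule applies.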