49.2. IPSEC Resource

49.2.1. Activating the IPSEC resource

Add the resource to the Abilis system with the following command:

[15:50:39] ABILIS_CPX:a res:ipsec

RES:IPSEC ALREADY EXISTS

The IPSEC resource may already exist in the system, but may not yet be active: set it active with the command:

[15:50:43] ABILIS_CPX:s act res:ipsec

COMMAND EXECUTED
Caution

After adding the IPSEC resource or setting it active, you must restart the Abilis for the resource to run (use the warm start command to reboot the Abilis).

[17:14:59] ABILIS_CPX:s p ipsec act:yes

COMMAND EXECUTED

[17:15:17] ABILIS_CPX:d p ipsec

RES:Ipsec - Not Saved (SAVE CONF), Not Refreshed (INIT) ----------------------
Run    DESCR:IP_Security_Protocol
       LOG:DS         ACT:YES    MODE:IKE     mxps:2048   IN-CHK:YES  TTL:COPY
       ECN:NOCARE     DF:CLEAR   TCP-MSS-CLAMP:YES        TCP-MSS-VALUE:1334
Warning

Activating the IPSEC resource requires 16 MB of free RAM. Verify the available memory with the command d i; for example:

[17:39:21] ABILIS_CPX:d i

    Abilis CPX - Ver. 8.3.1/STD - Build 4031.12 - Branch 8.3 - 12/11/2015     
                            (c) 1994/2015 - Abilis                            

ABILIS-ID: 800733

Free/Total Memory (in byte): 1,682,112/260,046,848
Free/Used/Total HD/CF space (in Kibyte): 57,279/67,169/124,448

49.2.2. IPSEC resource parameters

Use the following command to display the parameters of the resource:

[09:58:41] ABILIS_CPX:d p ipsec

RES:IpSec ---------------------------------------------------------------------
Run    DESCR:IP_Security_Protocol
       LOG:DS         ACT:YES    MODE:IKE     mxps:2048   IN-CHK:YES  TTL:COPY
       ECN:FORBIDDEN  DF:CLEAR   TCP-MSS-CLAMP:YES        TCP-MSS-VALUE:1334

Meaning of the most important parameters:

LOG

Activates/deactivates the logging functions.

ACT

Runtime IPSEC activation/deactivation.

MODE

Working mode of IPSEC port [MANUAL; IKE].

mxps

Maximum length of an IP datagram that can be processed.

IN-CHK

Inbound policy check flag.

TTL

Specifies the Time-To-Live field for the outer IP header in tunnel mode [COPY: TTL field will be copied from the inner IP header to the tunnel one; 1..255].

ECN

Specifies ECN (Explicit Congestion Notification) consideration mode on IPSEC tunnels in tunnel mode. ECN is an experimental addition to the IP architecture that provides notification of onset of congestion to delay- or loss-sensitive applications [ALLOWED; FORBIDDEN; NOCARE].

DF

DF (Don't Fragment) bit manipulation in tunnel mode during encapsulation [CLEAR: clear DF bit on outer IP header; SET: set DF bit on outer IP header; COPY: copy DF bit from inner to outer IP header].

TCP-MSS-CLAMP

Activates/deactivates the TCP MSS (Maximum Segment Size) Clamping procedure used to control the size of TCP segments.

TCP-MSS-VALUE

TCP MSS clamping value.

The command that allows the configuration of the resource to be modified has the following syntax:

s p ipsec par:val...

Caution

To activate changes made to the upper-case parameters, execute the initialization command init res:ipsec; to activate changes made to the lower-case parameters, a save conf followed by an Abilis restart (for example with the warm start command) is required.

49.2.3. IPSEC tables

A particular SA protects IP datagrams using only one of the two security protocols, AH or ESP.

An enhanced security policy may be implemented using multiple SAs.

The term “security association bundle” or “SA bundle” is applied to a sequence of SAs through which traffic must be processed to satisfy a security policy. The order of the sequence is defined by the policy.

49.2.3.1. Security Associations table

This table is used only when the MODE parameter is set to MANUAL.

The Security Associations table can store up to 256 entries, indexed starting from 0 up to 255.

Changes made in the table are activated by executing the command init res:ipsec.

The commands for handling the Security Associations table are:

d/a/c/s ipsec sa:"id-num" [par:val...]

The d ipsec sa ? command displays the meaning of parameters.

[11:46:52] ABILIS_CPX:d ipsec sa

-------------------------------------------------------------------------------
SA:  NAME:                SPI:           SRC-IP:         PROT: AUTH:    CIPHER:
     BUNDLE:      TUNNEL: IPRES: SIDE:   DST-IP:               AUTHKEY: ENCKEY:
-------------------------------------------------------------------------------
                *** NO IPSEC SECURITY ASSOCIATIONS DEFINED ***

Meaning of the most important parameters:

SPI

Specifies Security Parameter Index (SPI).

BUNDLE

Number of SA bundle group.

SRC-IP

Source IP address for the Security Association.

DST-IP

Destination IP address for the Security Association.

PROT

Protocol for this security association record [AH, ESP].

AUTH

Authentication method for the AH or ESP protocols [NONE, MD5, SHA].

AUTHKEY

Authentication key for the AH or ESP protocols (only for AUTH not equal to NONE). ASCII printable string. For MD5 authentication key: exactly 16 characters are required. For SHA authentication key: exactly 20 characters are required.

CIPHER

Encryption algorithm for the ESP protocol [NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256].

ENCKEY

Encryption key for the ESP protocol (only for PROT:ESP and CIPHER not equal to NONE). For DES encryption key: exactly 8 characters are required. For IDEA, CAST, BLOWFISH, AES128 encryption key: exactly 16 characters. For 3DES, AES192 encryption key: exactly 24 characters are required. For AES256 encryption key: exactly 32 characters are required.

TUNNEL

Tunnel mode flag.

IPRES

Tunnel IP resource.

SIDE

Tunnel side [NONE, AUTO, INSIDE, OUTSIDE, VPN, DMZ].
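The key-length and protocol rules listed for the AUTH, AUTHKEY, CIPHER and ENCKEY parameters are easy to get wrong when filling the table by hand. The following is an added example (not Abilis code) that checks a MANUAL-mode SA record, written as a dictionary keyed by the table's column names, against those rules before it is entered; the record values are constructed, and the 32-bit SPI range is taken from RFC 4301 rather than from this manual.

```python
# Added example, not part of the Abilis manual: validate one Security
# Association record against the AUTHKEY/ENCKEY rules of the SA table.

AUTH_KEY_LEN = {"MD5": 16, "SHA": 20}          # AUTHKEY length in characters
ENC_KEY_LEN = {                                 # ENCKEY length in characters
    "DES": 8,
    "IDEA": 16, "CAST": 16, "BLOWFISH": 16, "AES128": 16,
    "3DES": 24, "AES192": 24,
    "AES256": 32,
}
PROTOCOLS = {"AH", "ESP"}
# Single DES is MUST NOT for ESP in RFC 8221; HMAC-MD5 survives only for legacy interop.
WEAK = {"DES", "MD5"}


def is_printable_ascii(s: str) -> bool:
    """AUTHKEY must be an ASCII printable string (0x20..0x7E)."""
    return all(0x20 <= ord(c) <= 0x7E for c in s)


def validate_sa(sa: dict) -> list:
    """Return the problems found in one SA record (empty list = acceptable)."""
    errors = []
    prot, auth, cipher = sa.get("PROT"), sa.get("AUTH", "NONE"), sa.get("CIPHER", "NONE")
    authkey, enckey = sa.get("AUTHKEY", ""), sa.get("ENCKEY", "")

    if prot not in PROTOCOLS:
        errors.append(f"PROT must be AH or ESP, got {prot!r}")
    if not 0 <= sa.get("SPI", -1) <= 0xFFFFFFFF:   # SPI is a 32-bit field (RFC 4301)
        errors.append("SPI must fit in 32 bits")

    # AUTHKEY is required, and length-checked, only when AUTH is not NONE
    if auth == "NONE":
        if authkey:
            errors.append("AUTHKEY given but AUTH is NONE")
    elif auth not in AUTH_KEY_LEN:
        errors.append(f"AUTH must be NONE, MD5 or SHA, got {auth!r}")
    elif len(authkey) != AUTH_KEY_LEN[auth] or not is_printable_ascii(authkey):
        errors.append(f"AUTHKEY for {auth} must be exactly {AUTH_KEY_LEN[auth]} printable ASCII chars")

    # ENCKEY applies only to PROT:ESP with a CIPHER; AH carries no encryption
    if prot == "AH" and cipher != "NONE":
        errors.append("CIPHER must be NONE for PROT:AH")
    elif cipher == "NONE":
        if enckey:
            errors.append("ENCKEY given but CIPHER is NONE")
    elif cipher not in ENC_KEY_LEN:
        errors.append(f"unknown CIPHER {cipher!r}")
    elif len(enckey) != ENC_KEY_LEN[cipher]:
        errors.append(f"ENCKEY for {cipher} must be exactly {ENC_KEY_LEN[cipher]} chars")
    return errors


def weak_algorithms(sa: dict) -> list:
    """Algorithms the table accepts but a current deployment should avoid."""
    return [a for a in (sa.get("AUTH"), sa.get("CIPHER")) if a in WEAK]
```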

49.2.3.2. Policy table

This table is used only when the MODE parameter is set to MANUAL.

The Policy table can store up to 256 entries, indexed starting from 0 up to 255.

Changes made in the table are activated by executing the command init res:ipsec.

The commands for handling the Policy table are:

d/a/c/s ipsec policy:"id-num" [par:val...]

By typing d ipsec policy ?, it's possible to display the meaning of the parameters.

[11:46:54] ABILIS_CPX:d ipsec policy

-------------------------------------------------------------------------------
POLICY:  NAME:                            NET-SRC:           PORT-SRC:
         DIR: BUNDLE: RULE:               NET-DST:           PORT-DST:
-------------------------------------------------------------------------------
                  *** NO IPSEC SECURITY POLICIES DEFINED ***

Meaning of the most important parameters:

DIR

Direction for the policy record [OUT: outbound direction (used as packet filter); IN: inbound direction (used for inbound policy check)].

BUNDLE

Number of SA bundle group associated with this policy record.

RULE

Rule for the policy record [BYPASS: packet will be bypassed by IPSEC (outbound direction only); DROP: packet will be dropped by IPSEC (outbound direction only); IPSEC: packet will be processed by IPSEC].

NET-SRC

Source subnet address and mask in Slash Notation.

NET-DST

Destination subnet address and mask in Slash Notation.

PORT-SRC

Source port of the upper protocol (TCP, UDP).

PORT-DST

Destination port of the upper protocol (TCP, UDP).
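To show how the DIR, RULE, BUNDLE, NET and PORT fields work together, here is an added example (not Abilis code) that checks a Policy table entry for the constraints stated above (BYPASS and DROP are outbound only; an IPSEC rule needs a bundle) and then looks up the entry that applies to a packet. The table contents are constructed; the manual does not state how overlapping entries are resolved, so this example assumes entries are scanned in ascending POLICY index order with the first match winning, and that an omitted NET or PORT field matches anything.

```python
# Added example, not part of the Abilis manual: Policy table checks and lookup.
# Assumed (not stated in the manual): lowest matching POLICY index wins,
# and a missing NET-*/PORT-* field matches any address or port.
import ipaddress

# Constructed Policy table keyed by POLICY index
POLICIES = {
    0: {"DIR": "OUT", "RULE": "IPSEC", "BUNDLE": 1,
        "NET-SRC": "192.168.1.0/24", "NET-DST": "10.0.0.0/8"},
    1: {"DIR": "OUT", "RULE": "BYPASS",
        "NET-SRC": "192.168.1.0/24", "NET-DST": "192.168.1.0/24"},
    2: {"DIR": "OUT", "RULE": "DROP"},              # catch-all: anything else is dropped
    3: {"DIR": "IN", "RULE": "IPSEC", "BUNDLE": 1,
        "NET-SRC": "10.0.0.0/8", "NET-DST": "192.168.1.0/24"},
}


def check_policy(p: dict) -> list:
    """Consistency checks derived from the field descriptions above."""
    errs = []
    if p.get("DIR") not in ("IN", "OUT"):
        errs.append("DIR must be IN or OUT")
    if p.get("RULE") in ("BYPASS", "DROP") and p.get("DIR") != "OUT":
        errs.append(f"RULE:{p['RULE']} is allowed in the outbound direction only")
    if p.get("RULE") == "IPSEC" and "BUNDLE" not in p:
        errs.append("RULE:IPSEC requires a BUNDLE")
    return errs


def _net_match(net, ip: str) -> bool:
    """Slash-notation subnet match; an absent NET field matches any address."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _port_match(want, have) -> bool:
    return want is None or want == have


def lookup(policies: dict, direction: str, src: str, dst: str, sport=None, dport=None):
    """Return (POLICY index, RULE, BUNDLE) of the first matching entry, or None."""
    for idx in sorted(policies):
        p = policies[idx]
        if (p["DIR"] == direction
                and _net_match(p.get("NET-SRC"), src)
                and _net_match(p.get("NET-DST"), dst)
                and _port_match(p.get("PORT-SRC"), sport)
                and _port_match(p.get("PORT-DST"), dport)):
            return idx, p["RULE"], p.get("BUNDLE")
    return None
```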