Add the resource to the Abilis system with the following command:
[15:50:39] ABILIS_CPX:a res:ike
RES:IKE ALREADY EXISTS
The IKE resource may already exist in the system, but may not yet be active: set it active with the command:
[15:50:43] ABILIS_CPX:s act res:ike
COMMAND EXECUTED
Caution | |
---|---|
After adding or setting the IKE active, you must restart the Abilis to make the resource running (use the command warm start to reboot the Abilis). |
[17:14:59] ABILIS_CPX:s p ike act:yes
COMMAND EXECUTED [17:15:17] ABILIS_CPX:d p ike
RES:Ike - Not Saved (SAVE CONF), Not Refreshed (INIT) ------------------------- ------------------------------------------------------------------------ DESCR:Internet_Keys_Exchange_Protocol LOG:DS ACT:NO mxps:2048 max-hosts:16 TOS:0-N NRTY:3 TB:10 NATT:AUTO NATT-N-IKE:YES NATT-PF:YES NATT-KA:20 MODE-CFG-DNS:# WDIR:C:\APP\IKE\ ASN1-DN-SYS:
Use the following command to display the parameters of the resource. The d p ike ? command shows the meaning of parameters.
[09:58:41] ABILIS_CPX:
d p ike
RES:Ike ----------------------------------------------------------------------- Run DESCR:Internet_Keys_Exchange_Protocol LOG:DS ACT:YES mxps:2048 max-hosts:16 TOS:0-N NRTY:3 TB:10 NATT:AUTO NATT-N-IKE:YES NATT-PF:YES NATT-KA:20 MODE-CFG-DNS:# WDIR:C:\APP\IKE\ ASN1-DN-SYS:
Meaning of the most important parameters:
LOG
Logging functionalities activation/deactivation.
ACT
Runtime IPSEC activation/deactivation.
mxps
Maximum length of UDP datagram that can be processed.
max-hosts
Maximum number of simultaneous clients [1..255].
Type Of Service octet or Differentiated Services Field (DS):
-' p-t', i.e. PRECEDENCE and TOS values, where 'p' can be [0..7] and 't' can be [N=None, D=Min. Delay, T=Max. Throughput, R=Max. Reliability, C=Min. Monetary Cost]
- 'bbbbbb', i.e. DS value bit by bit, where 'b' can be [0, 1].
NRTY
Maximum number of packet retransmissions.
TB
Retransmission delay.
WDIR
Working directory; it cannot be empty (physical full path in DOS notation).
NATT
NAT traversal activation. If NAT traversal is enabled, IPsec AH algorithm must be disabled.
NATT-N-IKE
NAT traversal NON-IKE marker activation.
NATT-PF
NAT traversal NAT traversal port floating activation.
NATT-KA
NAT traversal keep-alive timer.
MODE-CFG-DNS
IP address of DNS server for the MODE-CFG mode [#, 1-126.x.x.x, 127.0.0.1, 128-223.x.x.x].
ASN1-DN-SYS
Specifies system Distinguished Name.
The command that allows the configuration of the resource to be modified has the following syntax:
s p ike
par:val
...
Caution | |
---|---|
To activate the changes made on the upper case parameters, execute the initialization command init res:ike; while to set act the changes made on the lowercase parameters a save conf and an Abilis restart are required (i.e. With warm start command). |
IKE tables define the control and cryptographic characteristics of the Hosts and Clients:
The Host connections table defines the mechanisms to establish the Security Association and the encryption algorithms;
The Client connections table defines the characteristics and the security parameters for a single IPSec VPN;
The Preshared Keys Table contains the secret key for mutual authentication.
The Host connections table can store up to 255 entries, indexed starting from 0 up to 254.
Changes made in the table are activated by executing the command init res:ike.
Commands for the handling Host connections table are:
d/a/c/s ike
host:"id-num" [par:val
...]
The d ike host ? command displays the meaning of parameters.
[18:47:07] ABILIS_CPX:d ike host
- Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------------- ------------------------------------------------------------------------------- HOST: NAME: LIFETIME: HASH: DPD: DPD-ACTION: LOCIP: NATT: MODE: MODE-CFG: DH: DPD-DELAY: REMIP: SIDE: AUTH: XAUTH: CIPHER: SA-TRY: DPD-TOUT: XAUTH-USER: XAUTH-PWD: -- PSK ID --------------------------------------------------------------- ID-TYPE: IP:/ID: PEER-ID-TYPE: PEER-IP:/PEER-ID: -- RSA Cert ------------------------------------------------------------- CERT-SEND: ASN1-DN: CERT-PEER: PEER-ASN1-DN: CERT-VERIFY: ------------------------------------------------------------------------------- 0 Agent_HOST1 28800 SHA1 YES STOP 188.138.185.166 SYS MAIN NO MODP1024 30 * INSIDE PSK NO AES256 3 120 -- PSK ID --------------------------------------------------------------- IP 188.138.185.166 IP 192.168.010.007 ------------------------------------------------------------------------------- 1 Android 3600 SHA1 YES STOP 188.138.185.166 SYS AGGRESSIVE REQUEST MODP1024 30 * INSIDE PSK SERVER AES128 3 120 android2 ******** -- PSK ID --------------------------------------------------------------- LOCIP KEY-ID androidkeiid ------------------------------------------------------------------------------- [20:33:37] ABILIS_CPX:d ike host:0
- Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------------- ------------------------------------------------------------------------------- HOST: NAME: LIFETIME: HASH: DPD: DPD-ACTION: LOCIP: NATT: MODE: MODE-CFG: DH: DPD-DELAY: REMIP: SIDE: AUTH: XAUTH: CIPHER: SA-TRY: DPD-TOUT: XAUTH-USER: XAUTH-PWD: -- PSK ID --------------------------------------------------------------- ID-TYPE: IP:/ID: PEER-ID-TYPE: PEER-IP:/PEER-ID: -- RSA Cert ------------------------------------------------------------- CERT-SEND: ASN1-DN: CERT-PEER: PEER-ASN1-DN: CERT-VERIFY: ------------------------------------------------------------------------------- 0 Agent_HOST1 28800 SHA1 YES STOP 188.138.185.166 SYS MAIN NO MODP1024 30 * INSIDE PSK NO AES256 3 120 -- PSK ID --------------------------------------------------------------- IP 188.138.185.166 IP 192.168.010.007 -------------------------------------------------------------------------------
Meaning of the most important parameters:
LOCIP
Local IP address [0.0.0.0, 1-126.x.x.x, 127.0.0.1, 128-223.x.x.x] or IP resource [Ip-1..Ip-999]. Value 0.0.0.0 disables the host.
REMIP
Peer's IP address [0.0.0.0, 1-126.x.x.x, 127.0.0.1, 128-223.x.x.x] or * or the name of an IP/IR list. Value 0.0.0.0 disables the host.
NATT
NAT traversal activation [SYS
,
NO
, YES
,
AUTO
].
MODE
IKE mode for phase1 [MAIN
,
AGGRESSIVE
].
AUTH
Authentication method for the ISAKMP/OAKLEY negotiation
[PSK
, RSASIG
].
HASH
Hash algorithm for the ISAKMP/OAKLEY negotiation
[MD5
, SHA-1
,
SHA-256
, SHA-384
,
SHA-512
].
DH
Diffi-Hellman group for the ISAKMP/OAKLEY negotiation
[MODP768
for Group 1,
MODP1024
for Group 2,
MODP1536
for Group 5,
MODP2048
for Group 14]
CIPHER
Encryption algorithm for the ISAKMP/OAKLEY negotiation
[DES
, 3DES
,
IDEA
, CAST
,
BLOWFISH
, AES128
,
AES192
, AES256
].
SIDE
NAT side assigned to the tunnel [NONE
,
AUTO
, INSIDE
,
OUTSIDE
, VPN
,
DMZ
].
XAUTH
Extended authentication type [NO
,
SERVER
, CLIENT
]..
XAUTH-USER
XAUTH user name for host connection.
XAUTH-PWD
XAUTH password for host connection.
MODE-CFG
Type of Mode config [NO
,
PUSH
, REQUEST
] (for iphone
compatibility).
SA-TRY
Specifies how many times IKE should try to negotiate an
SA, either for the first time or for rekeying
[INFINITE
,
1
..100
].
LIFE-TIME
Specifies how long IKE will propose that an ISAKMP SA be allowed to live. The range is [600..86400] sec.
DPD-ENABLE
Enables/disables DPD (Dead peer detection) procedure
support (the function must necessarily supported by the IPSec
client) [NO
, YES
]. DPD is
a keepalive mechanism that enables the router to detect when the
connection between the router and a remote IPSec peer has been
lost. DPD enables the router to reclaim resources and to
optionally redirect traffic to an alternate failover
destination. If DPD is not enabled, the traffic continues to be
sent to the unavailable destination.
DPD-DELAY
Time interval between DPD checks. It must be lower than
DPD-TIMEOUT
.
DPD-TIMEOUT
Time interval of missing DPD replies after which peer is
declared dead. It must be greater then
DPD-DELAY
.
DPD-ACTION
Action executed upon peer is detected dead
[STOP
, RESTART
].
ID-TYPE
Type of local host for the connection
[LOCIP
: local ID will be set automatically in
run-time as local IP address; IP
: local ID is
a IP address; FQDN
: local ID is
fully-qualified domain name (FQDN);
USER-FQDN
: local ID is fully-qualified user
domain name (FQDN); KEY-ID
: local ID is a
opaque string used to identify which PSK key should be used to
authenticate Aggressive mode negotiations].
IP
Local ID for type IP [0.0.0.0-255.255.255.255].
Important | |
---|---|
Only for
|
ID
Local ID for type FQDN/USER-FQDN/KEY-ID. Max 64 ASCII printable characters, space not included. Case is preserved.
Important | |
---|---|
Only for
|
PEER-ID-TYPE
Peer's ID type [REMIP
: remote ID will
be set automatically in run-time as remote IP address;
IP
: remote ID is a IP address;
FQDN
: remote ID is fully-qualified domain
name (FQDN); USER-FQDN
: remote ID is
fully-qualified user domain name (FQDN);
KEY-ID
: remote ID is a opaque string used to
identify which PSK key should be used to authenticate Aggressive
mode negotiations].
PEER-IP
Peer ID for type IP [0.0.0.0-255.255.255.255].
Important | |
---|---|
Only for
|
PEER-ID
Peer ID for type FQDN/USER-FQDN/KEY-ID. Max 64 ASCII printable characters, space not included. Case is preserved and match is case sensitive.
Important | |
---|---|
Only for
|
Note | |
---|---|
The |
The Client connections table can store up to 255 entries, indexed starting from 0 up to 254.
Changes made in the table are activated by executing the command init res:ike.
Commands for the handling Client connections table are:
d/a/c/s ike
cli:"id-num" [par:val
...]
The d ike cli ? command displays the meaning of the parameters.
[18:47:32] ABILIS_CPX:d ike cli
- Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------------- ------------------------------------------------------------------------------- CLI: NAME: LIFETIME: ESP: AH: HOST: NET-LOC: RULE: PASSIVE: PFS: ESP-AUTH: AH-AUTH: NET-REM: PERMANENT: TUNNEL: ESP-CIPHER: MODE-CFG-DNS: ------------------------------------------------------------------------------- 0 Agent_Cli1 3600 YES NO 0 192.168.020.000/24 IPSEC YES YES SHA1 SHA1 192.168.010.007/32 YES YES AES256 SYS ------------------------------------------------------------------------------- 1 Android_Forticlient 28800 YES NO 1 000.000.000.000/00 IPSEC YES NO SHA1 SHA1 192.168.010.008/32 YES YES AES128 008.008.008.008 ------------------------------------------------------------------------------- [20:46:06] ABILIS_CPX:d ike cli:0
- Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------------- ------------------------------------------------------------------------------- CLI: NAME: LIFETIME: ESP: AH: HOST: NET-LOC: RULE: PASSIVE: PFS: ESP-AUTH: AH-AUTH: NET-REM: PERMANENT: TUNNEL: ESP-CIPHER: MODE-CFG-DNS: ------------------------------------------------------------------------------- 0 Agent_Cli1 3600 YES NO 0 192.168.020.000/24 IPSEC YES YES SHA1 SHA1 192.168.010.007/32 YES YES AES256 SYS -------------------------------------------------------------------------------
Meaning of the most important parameters:
RULE
Rule for this client connection
[BYPASS
, DROP
,
IPSEC
]
PASSIVE
Mode of negotiation. [NO
: negotiation
can be started as initiator and as responder;
YES
: negotiation can be started as responder
only; it's useful for a server]. If related host
LOC-IP
is set to an “IP
resource”, PASSIVE
must be forced to
NO
; if related host REM-IP
is set to *
, PASSIVE
must
be forced to YES
, even if
LOC-IP
is set to an “IP
resource” .
PERMANENT
Mode of negotiation [NO
: after driver
starting or after init command
(re-)negotiation will not be started automatically as initiator;
YES
: after driver starting or after
init command (re-)negotiation of this
connection will be started automatically as initiator].
TUNNEL
Mode of IPSEC negotiation [NO
:
Transport mode, YES
: Tunnel mode].
ESP
Enables/disables IPSEC ESP protocol .
ESP-CIPHER
Encryption algorithm for IPSEC ESP protocol
[NONE
, DES
,
3DES
, IDEA
,
CAST
, BLOWFISH
,
AES128
, AES192
,
AES256
].
ESP-AUTH
Authentication algorithm for IPSEC ESP protocol
[NONE
, MD5
,
SHA-1
, SHA-256
,
SHA-384
, SHA-512
].
AH
Enables/disables IPSEC AH protocol.
AH-AUTH
Authentication algorithm for IPSEC AH protocol
[MD5
, SHA
].
LIFE-TIME
Specifies how long IKE will propose that an IPSEC SA be allowed to live. The range is [600..86400] sec.
PFS
Enables/disables Perfect Forward Secrecy. PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys.
NET-LOC
Local subnet address and mask in Slash Notation.
NET-REM
Remote subnet address and mask in Slash Notation.
MODE-CFG-DNS
IP address of DNS server for the MODE-CFG mode.
Note | |
---|---|
More clients can be referred to a same IKE Host. |
The Pre-shared keys table can store up to 64 entries, indexed starting from 0 up to 127.
Changes made in the table are activated by executing the command init res:ike.
Commands for the handling Host connections table are:
d/a/c/s ike
psk:"id-num" [par:val
...]
The d ike psk ? command displays the meaning of parameters.
[18:47:53] ABILIS_CPX:d ike psk
-------------------------------------------------------------------------------
PSK: KEY: PEER-ID-TYPE: PEER-IP:/PEER-ID:
-------------------------------------------------------------------------------
0 ******** ANONYMOUS
1 ******** KEY-ID androidkeiid
Meaning of the most important parameters:
KEY
Specifies preshared key for this record. Max 64 ASCII characters. Spaces require double quotes (E.g. "my key").
PEER-ID-TYPE
Type of peer ID [ANONYMOUS
,
IP
, FQDN
,
USER-FQDN
, KEY-ID
,
NONE
]. ANONYMOUS
is
allowed only once, used for all hosts with
REMIP
:*
.
NONE
disables the PSK without deleting
it.
PEER-IP
Remote IP address. [0.0.0.0-255.255.255.255].
Important | |
---|---|
Only for
|
PEER-ID
Peer ID for type FQDN/USER-FQDN/KEY-ID. Max 64 ASCII printable characters, space not included.
Important | |
---|---|
Only for
|
When clients have dynamic IP address the MAIN mode requires the SAME PSK (ANONYMOUS) for all users, on the contrary AGGRESSIVE mode allows individual PSK. For this reason it is usually preferred in this situation.
Drawback is that AGGRESSIVE mode It is less secure then MAIN mode due to intrinsic protocol weakness, however choosing a long and complicated password and strong hash algorithm (e.g. SHA256) largely mitigate the risk down to an acceptable level. Surfing the web you'll find many article that compares the two modes.
Tip | |
---|---|
Interesting chapter: Section 49.6, “Aggressive Mode: Example of IPSEC configuration”. |