49.6. Aggressive Mode: Example of IPSEC configuration

Consider an IPSEC VPN in TUNNEL mode that uses the IKE protocol with ANONYMOUS access (the client's IP address is not checked), as shown in the following figure.

Figure 49.2. IPSEC configuration example

Caution

The IPSEC connection works ONLY if the LAN to which the PC client is connected is different from the LAN of Abilis (e.g. in the figure above, if the PC client IP address belongs to 192.168.1.0/24, the IPSEC connection does not work!).

Tip

Interesting chapters:

Section 81.19.1, “How to configure a RAS using IPSEC VPN server”;

Chapter 89, IPsec clients.

49.6.1. Activating the IPSEC parameter on the desired IP resource

Set the IPSEC parameter to YES on the IP resource through which you want to send the encapsulated IPSEC packets (outgoing traffic). To use the IP-2 resource (ADSL line), type:

[15:54:12] ABILIS_CPX:s p ip-2 ipsec:yes

COMMAND EXECUTED

[16:08:53] ABILIS_CPX:d p ip-2

RES:Ip-2 - IP over PPP (PPP) --------------------------------------------------
Run    DESCR:ADSL_line
       OPSTATE:UP             LOG:NO               STATE-DETECT:NORMAL
       LOWRES:Dsl-1
       IPADD:RETRIEVE                                NEIGH:RETRIEVE
       REDIS:EXT     HIDE:NO         RP:NONE            IPSEC:YES      VRRP:NO
       NAT:OUTSIDE   UPNP:NO         DIFFSERV:NO        DDNS:NO
       OUTBUF:100    OUTQUEUE:FAIR   MTU:1500
       OUTSPL:NO
       INBUF:0                      mru:1500           SRCV:NO
       - TRFA section ---------------------------------------------------------
       TRFA:NO
       - Ppp ------------------------------------------------------------------
       LOG:DS           NRTY3:3         PPP-ENC:RFC2364-VCMUX     RADIUS:NO
       VPI:8            VCI:35
       - Tcp-MSS/Lcp/IpCp -----------------------------------------------------
       TCP-MSS-CLAMP:NO
       maxmru:1500        DNS:NO
       - Authentication -------------------------------------------------------
       USERNAME:abilis
       PASSWORD:********                          LOCAL:CHAP,PAP
       SERVNAME:                                  REMOTE:NONE
       REPEAT:0
RES:Dsl-1 - Not Saved (SAVE CONF), Not Refreshed (INIT) -----------------------
       ------------------------------------------------------------------------
       DESCR:
       LOG:DST                     MODE:ADSL                  payload-rxbuf:30
       - Specific for Abilis-VDSL2 modem --------------------------------------
       MORE-ADSL-ANNEX:L,M
       - Specific for Abilis-5800UB modem -------------------------------------
       5800UB-MODULATION:AUTO
       - Adsl-ATM -------------------------------------------------------------
       max-vc:1
       adsl-usb-rxbuf:3            adsl-usb-txbuf:1
       - Vdsl-PTM -------------------------------------------------------------
       vdsl-usb-rxbuf:15           vdsl-usb-txbuf:15

Caution

To activate the changes made, execute the initialization command init res:ip-2.

49.6.2. Configuration of the Host connections table

Add an IKE Host with Aggressive mode:

[16:06:36] ABILIS_CPX:a ike host:0 name:User_1_Aggressive mode:aggressive

COMMAND EXECUTED

Give the host the following characteristics:

  • local IP used for the VPN: 81.81.81.81;

  • ip resource used for the VPN: IP-2 (ADSL line);

  • no verification of the IP address of the client that tries to open the VPN (any remote IP is accepted);

  • authentication method: PSK;

  • hash algorithm: SHA1;

  • Diffie-Hellman group: MODP1024;

  • encryption algorithm: AES256;

  • NAT type: INSIDE;

  • XAUTH authentication;

  • Peer ID type: KEY-ID.

[16:16:33] ABILIS_CPX:s ike host:0 locip:81.81.81.81 remip:*

COMMAND EXECUTED

[16:16:59] ABILIS_CPX:s ike host:0 auth:PSK hash:SHA1 dh:MODP1024 cipher:AES256

COMMAND EXECUTED

[16:17:09] ABILIS_CPX:s ike host:0 side:inside xauth:server xauth-user:user1 xauth-pwd:user1pwd

COMMAND EXECUTED

[16:17:21] ABILIS_CPX:s ike host:0 mode-cfg:request peer-id-type:key-id peer-id:mykey2020

COMMAND EXECUTED

[17:55:47] ABILIS_CPX:d ike host:0

- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
HOST: NAME:                              LIFETIME: HASH:     DPD:    DPD-ACTION:
      LOCIP:          NATT:   MODE:      MODE-CFG: DH:               DPD-DELAY:
      REMIP:          SIDE:   AUTH:      XAUTH:    CIPHER:   SA-TRY: DPD-TOUT:
      XAUTH-USER:                        XAUTH-PWD:
      -- PSK ID ---------------------------------------------------------------
      ID-TYPE:        IP:/ID:
      PEER-ID-TYPE:   PEER-IP:/PEER-ID:
      -- RSA Cert -------------------------------------------------------------
      CERT-SEND:      ASN1-DN:
      CERT-PEER:      PEER-ASN1-DN:
      CERT-VERIFY:
-------------------------------------------------------------------------------
0     User_1_Aggressive                  3600      SHA1      YES     STOP
      081.081.081.081 SYS     AGGRESSIVE REQUEST   MODP1024          30
      *               INSIDE  PSK        SERVER    AES256    3       120
      user1                              ********
      -- PSK ID ---------------------------------------------------------------
      LOCIP           
      KEY-ID          mykey2020
-------------------------------------------------------------------------------

Caution

To activate the changes made, execute the initialization command init res:ike.

49.6.3. Configuration of the Client connections table

Add an IKE client:

[16:29:57] ABILIS_CPX:a ike cli:0 name:user_1_cli

COMMAND EXECUTED

Give the client the following characteristics:

  • IPSEC negotiation: tunnel mode;

  • local network on the server side (net-loc): 192.168.1.0/24;

  • remote network on the client side (net-rem): 192.168.200.1/32.

[16:30:15] ABILIS_CPX:s ike cli:0 host-id:0 tunnel:yes

COMMAND EXECUTED

[16:30:33] ABILIS_CPX:s ike cli:0 net-loc:192.168.1.0/24 net-rem:192.168.200.1/32

COMMAND EXECUTED

[16:40:16] ABILIS_CPX:d ike cli:0

- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
CLI:  NAME:                                LIFETIME: ESP:        AH:
HOST: NET-LOC:           RULE:  PASSIVE:   PFS:      ESP-AUTH:   AH-AUTH:
      NET-REM:                  PERMANENT: TUNNEL:   ESP-CIPHER: MODE-CFG-DNS:
-------------------------------------------------------------------------------
0     user_1                               28800     YES         NO
0     192.168.001.000/24 IPSEC  YES        YES       SHA1        SHA1
      192.168.200.001/32        YES        YES       AES256      SYS
-------------------------------------------------------------------------------

Caution

To activate the changes made, execute the initialization command init res:ike.

49.6.4. Configuration of the Pre-shared Key table

If PSK authentication is set in the IKE Host table, you must define a secret key for mutual authentication. The PSK entry is matched to the host through the same peer-id type and value. In our example, type the following for a KEY-ID PSK:

[16:51:32] ABILIS_CPX:a ike psk:0 key:preshared_key peer-id-type:key-id peer-id:mykey2020

COMMAND EXECUTED

[16:52:11] ABILIS_CPX:d ike psk

- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PSK: KEY:     PEER-ID-TYPE:  PEER-IP:/PEER-ID:
-------------------------------------------------------------------------------
0    ******** KEY-ID         mykey2020    

Caution

To activate the changes made, execute the initialization command init res:ike.

49.6.5. Outgoing IP resource for IPSEC packets

It is important to ensure that outgoing IPSEC packets are routed toward the appropriate IP resource.

Add a static route for the remote network (in our case only for the host 192.168.200.1/32) towards the IP-2 resource (specifying the gateway if needed).

[16:51:32] ABILIS_CPX:a ipr net:192.168.200.1/32 ip:2

COMMAND EXECUTED

[16:52:17] ABILIS_CPX:d ipr

Destination routes and conditional source routes:
+-+-+-+-+--------------------+--------------------+-----------------+----+---+
|B|P|S|H|     NET:/MASK:     |      MASK: or      |       GW: or    |IP: |AD:|
| | | | |                    |   SRNET:/SRMASK:   |      IPLB       |    |   |
+-+-+-+-+--------------------+--------------------+-----------------+----+---+
|*|C| | | 081.081.081.081/32 | 255.255.255.255    |                 |R-ID|  0|
|*|C| | | 192.168.000.000/24 | 255.255.255.000    |                 |   1|  0|
|*|S| | | 192.168.200.001/32 | 255.255.255.255    |                 |   2|  1|
|*|S| | | 000.000.000.000/0  | 000.000.000.000    |                 |   2|  1|
+-+-+-+-+--------------------+--------------------+-----------------+----+---+
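
As an added example (not part of the Abilis documentation), the following Python script folds the commands typed in sections 49.6.1 to 49.6.5 into tables and checks the consistency points the cautions above depend on: that the PSK host's peer-id has a matching PSK table entry, that remip:* is paired with xauth:server, that net-rem does not overlap net-loc, and that the remote network has a static route toward an IP resource with IPSEC:YES. The transcript list is constructed from the commands shown on this page; the checker logic is an assumption of this example, not an Abilis tool.

```python
import ipaddress

# Constructed transcript of the commands typed in this example (values as on the page).
CONFIG_COMMANDS = [
    "s p ip-2 ipsec:yes",
    "a ike host:0 name:User_1_Aggressive mode:aggressive",
    "s ike host:0 locip:81.81.81.81 remip:*",
    "s ike host:0 auth:PSK hash:SHA1 dh:MODP1024 cipher:AES256",
    "s ike host:0 side:inside xauth:server xauth-user:user1 xauth-pwd:user1pwd",
    "s ike host:0 mode-cfg:request peer-id-type:key-id peer-id:mykey2020",
    "a ike cli:0 name:user_1_cli",
    "s ike cli:0 host-id:0 tunnel:yes",
    "s ike cli:0 net-loc:192.168.1.0/24 net-rem:192.168.200.1/32",
    "a ike psk:0 key:preshared_key peer-id-type:key-id peer-id:mykey2020",
    "a ipr net:192.168.200.1/32 ip:2",
]

def parse_commands(commands):
    """Fold 'a' (add) and 's' (set) commands into {"<section> <object>": {param: value}}."""
    objects = {}
    for cmd in commands:
        _verb, section, obj, *params = cmd.split()
        entry = objects.setdefault(f"{section} {obj}".lower(), {})
        for param in params:
            key, _, value = param.partition(":")
            entry[key.lower()] = value
    return objects

def check_config(commands):
    """Return a list of findings; an empty list means the transcript is consistent."""
    objs = parse_commands(commands)
    findings = []
    psk_ids = {v.get("peer-id") for k, v in objs.items() if k.startswith("ike psk:")}
    for name, host in ((k, v) for k, v in objs.items() if k.startswith("ike host:")):
        # A PSK host needs a PSK table entry keyed by the same peer-id (section 49.6.4).
        if host.get("auth", "").upper() == "PSK" and host.get("peer-id") not in psk_ids:
            findings.append(f"{name}: no PSK table entry for peer-id {host.get('peer-id')!r}")
        # remip:* accepts any source address, so XAUTH is the only per-user check left.
        if host.get("remip") == "*" and host.get("xauth", "").lower() != "server":
            findings.append(f"{name}: remip:* without xauth:server")
    for name, cli in ((k, v) for k, v in objs.items() if k.startswith("ike cli:")):
        loc, rem = (ipaddress.ip_network(cli[k]) for k in ("net-loc", "net-rem"))
        if loc.overlaps(rem):  # the Caution at the top of the section
            findings.append(f"{name}: net-rem {rem} overlaps net-loc {loc}")
        route = objs.get(f"ipr net:{cli['net-rem']}")  # static route of section 49.6.5
        if route is None:
            findings.append(f"{name}: no static route for net-rem {rem}")
        elif objs.get(f"p ip-{route['ip']}", {}).get("ipsec", "").lower() != "yes":
            findings.append(f"{name}: IP-{route['ip']} carries the route but has no IPSEC:YES")
    return findings
```

Running check_config on a transcript where the host's peer-id was mistyped (e.g. mykey202 instead of mykey2020) reports the missing PSK entry before init res:ike is issued.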