Add the resource to the Abilis system with the following command:
[15:50:39] ABILIS_CPX:a res:ike
RES:IKE ALREADY EXISTS
If the resource already exists (as in the output above) it may still be inactive: set it active with the command:
[15:50:43] ABILIS_CPX:s act res:ike
COMMAND EXECUTED
Caution: After adding the IKE resource or setting it active, you must restart the Abilis for the resource to run (use the warm start command to reboot the Abilis).
[17:14:59] ABILIS_CPX:s p ike act:yes
COMMAND EXECUTED
[17:15:17] ABILIS_CPX:d p ike
RES:Ike - Not Saved (SAVE CONF), Not Refreshed (INIT) -------------------------
-------------------------------------------------------------------------------
DESCR:Internet_Keys_Exchange_Protocol
LOG:DS          ACT:NO           mxps:2048       max-hosts:16
TOS:0-N         NRTY:3           TB:10
NATT:AUTO       NATT-N-IKE:YES   NATT-PF:YES     NATT-KA:20
MODE-CFG-DNS:#
WDIR:C:\APP\IKE\
ASN1-DN-SYS:
The following command displays the parameters of the resource; the d p ike ? command shows the meaning of each parameter.
[09:58:41] ABILIS_CPX:d p ike
RES:Ike -----------------------------------------------------------------------
------------------------------------------------------------------------ Run
DESCR:Internet_Keys_Exchange_Protocol
LOG:DS          ACT:YES          mxps:2048       max-hosts:16
TOS:0-N         NRTY:3           TB:10
NATT:AUTO       NATT-N-IKE:YES   NATT-PF:YES     NATT-KA:20
MODE-CFG-DNS:#
WDIR:C:\APP\IKE\
ASN1-DN-SYS:
Meaning of the most important parameters:
LOG
Logging functionalities activation/deactivation.
ACT
Runtime IPSEC activation/deactivation.
mxps
Maximum length of a UDP datagram that can be processed.
max-hosts
Maximum number of simultaneous clients [1..255].
TOS
Type Of Service octet or Differentiated Services Field (DS):
- 'p-t', i.e. PRECEDENCE and TOS values, where 'p' can be [0..7] and 't' can be [N=None, D=Min. Delay, T=Max. Throughput, R=Max. Reliability, C=Min. Monetary Cost];
- 'bbbbbb', i.e. the DS value bit by bit, where each 'b' can be [0, 1].
NRTY
Maximum number of packet retransmissions.
TB
Retransmission delay.
WDIR
Working directory; it cannot be empty (physical full path in DOS notation).
NATT
NAT traversal activation. If NAT traversal is enabled, the IPsec AH protocol must be disabled (AH authenticates the IP header addresses, which NAT rewrites, so its integrity check would always fail).
NATT-N-IKE
NAT traversal NON-IKE marker activation.
NATT-PF
NAT traversal port floating activation.
NATT-KA
NAT traversal keep-alive timer.
MODE-CFG-DNS
IP address of the DNS server for the MODE-CFG mode [#, 1-126.x.x.x, 127.0.0.1, 128-223.x.x.x].
ASN1-DN-SYS
Specifies the system Distinguished Name.
The command that modifies the configuration of the resource has the following syntax:
s p ike par:val ...
Caution: Changes to upper-case parameters take effect after the initialization command init res:ike; changes to lower-case parameters require a save conf followed by an Abilis restart (i.e. the warm start command).
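The two procedures above (reading the resource with d p ike, then deciding whether a change needs init res:ike or save conf plus a warm start) are easy to get wrong by hand, so here is an added example, not part of the Abilis documentation or firmware, that parses a d p ike dump into a dictionary and groups a set of s p ike changes by the activation step they need. The parameter names, the upper/lower-case rule and the sample dump are the page's; the function names, the exact line layout of SAMPLE_D_P_IKE and the step labels are assumptions of mine.

```python
# Added example, not Abilis code: parse a `d p ike` dump into a dict and work
# out which activation step a batch of `s p ike par:val` changes will need.
# Parameter names, the upper/lower-case convention and the sample dump are the
# page's; function names, SAMPLE_D_P_IKE's layout and the step labels are mine.
import re
from typing import Dict, List, Tuple

# Constructed from the page's sample `d p ike` output (same values, one
# NAME:value token per parameter; the status header is the first line).
SAMPLE_D_P_IKE = (
    "RES:Ike - Not Saved (SAVE CONF), Not Refreshed (INIT) -------------------------\n"
    "-------------------------------------------------------------------------------\n"
    "DESCR:Internet_Keys_Exchange_Protocol\n"
    "LOG:DS ACT:NO mxps:2048 max-hosts:16 TOS:0-N NRTY:3 TB:10\n"
    "NATT:AUTO NATT-N-IKE:YES NATT-PF:YES NATT-KA:20\n"
    "MODE-CFG-DNS:# WDIR:C:\\APP\\IKE\\ ASN1-DN-SYS:\n"
)

# A token is NAME:value; the value runs to the next blank, so a path such as
# WDIR:C:\APP\IKE\ keeps its embedded colon and ASN1-DN-SYS: yields "".
_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9-]*):(\S*)")


def parse_d_p_ike(dump: str) -> Tuple[Dict[str, str], Dict[str, bool]]:
    """Return (parameters, status) from the text printed by `d p ike`.

    status["saved"] is False while the header says 'Not Saved (SAVE CONF)',
    status["refreshed"] is False while it says 'Not Refreshed (INIT)'.
    """
    header, _, body = dump.partition("\n")
    status = {
        "saved": "Not Saved" not in header,
        "refreshed": "Not Refreshed" not in header,
    }
    params: Dict[str, str] = dict(_TOKEN.findall(header))   # picks up RES:Ike
    for line in body.splitlines():
        if not line.strip("- "):                 # pure separator row
            continue
        for name, value in _TOKEN.findall(line):
            params[name] = value
    return params, status


def activation_steps(changes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group `s p ike` changes by what makes them effective, following the
    page's rule: upper-case parameters need `init res:ike`, lower-case
    parameters need `save conf` and then a warm start of the Abilis."""
    steps: Dict[str, List[str]] = {"init res:ike": [], "save conf + warm start": []}
    for name in changes:
        key = "save conf + warm start" if name.islower() else "init res:ike"
        steps[key].append(name)
    return steps


def build_commands(changes: Dict[str, str]) -> List[str]:
    """Emit the `s p ike ...` line followed by the activation commands needed."""
    cmds = ["s p ike " + " ".join(f"{k}:{v}" for k, v in changes.items())]
    steps = activation_steps(changes)
    if steps["init res:ike"]:
        cmds.append("init res:ike")
    if steps["save conf + warm start"]:
        cmds += ["save conf", "warm start"]
    return cmds


if __name__ == "__main__":
    params, status = parse_d_p_ike(SAMPLE_D_P_IKE)
    print(params["ACT"], params["mxps"], params["WDIR"], status)
    for cmd in build_commands({"NATT": "NO", "mxps": "4096"}):
        print(cmd)
```

The case test is the whole point: NATT-KA is upper-case and only needs init res:ike, while mxps or max-hosts force a save conf and a reboot, so a change set that mixes both kinds ends with a warm start whether you like it or not. Plan such changes for a maintenance window.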
IKE tables define the control and cryptographic characteristics of the Hosts and Clients:
The Host connections table defines the mechanisms to establish the Security Association and the encryption algorithms;
The Client connections table defines the characteristics and the security parameters for a single IPSec VPN;
The Preshared Keys Table contains the secret key for mutual authentication.
The Host connections table can store up to 255 entries, indexed starting from 0 up to 254.
Changes made in the table are activated by executing the command init res:ike.
Commands for handling the Host connections table are:
d/a/c/s ike host:"id-num" [par:val ...]
The d ike host ? command displays the meaning of the parameters.
[18:47:07] ABILIS_CPX:d ike host
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
HOST: NAME:            LIFETIME: HASH:      DPD:      DPD-ACTION:
      LOCIP:           NATT:     MODE:      MODE-CFG: DH:       DPD-DELAY:
      REMIP:           SIDE:     AUTH:      XAUTH:    CIPHER:   SA-TRY: DPD-TOUT: XAUTH-USER: XAUTH-PWD:
      -- PSK ID ---------------------------------------------------------------
      ID-TYPE:   IP:/ID:            PEER-ID-TYPE: PEER-IP:/PEER-ID:
      -- RSA Cert -------------------------------------------------------------
      CERT-SEND: ASN1-DN:           CERT-PEER:    PEER-ASN1-DN:   CERT-VERIFY:
-------------------------------------------------------------------------------
0     Agent_HOST1      28800     SHA1       YES       STOP
      188.138.185.166  SYS       MAIN       NO        MODP1024  30
      *                INSIDE    PSK        NO        AES256    3       120
      -- PSK ID ---------------------------------------------------------------
      IP         188.138.185.166    IP            192.168.010.007
-------------------------------------------------------------------------------
1     Android          3600      SHA1       YES       STOP
      188.138.185.166  SYS       AGGRESSIVE REQUEST   MODP1024  30
      *                INSIDE    PSK        SERVER    AES128    3       120       android2    ********
      -- PSK ID ---------------------------------------------------------------
      LOCIP                         KEY-ID        androidkeiid
-------------------------------------------------------------------------------
[20:33:37] ABILIS_CPX:d ike host:0
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
HOST: NAME:            LIFETIME: HASH:      DPD:      DPD-ACTION:
      LOCIP:           NATT:     MODE:      MODE-CFG: DH:       DPD-DELAY:
      REMIP:           SIDE:     AUTH:      XAUTH:    CIPHER:   SA-TRY: DPD-TOUT: XAUTH-USER: XAUTH-PWD:
      -- PSK ID ---------------------------------------------------------------
      ID-TYPE:   IP:/ID:            PEER-ID-TYPE: PEER-IP:/PEER-ID:
      -- RSA Cert -------------------------------------------------------------
      CERT-SEND: ASN1-DN:           CERT-PEER:    PEER-ASN1-DN:   CERT-VERIFY:
-------------------------------------------------------------------------------
0     Agent_HOST1      28800     SHA1       YES       STOP
      188.138.185.166  SYS       MAIN       NO        MODP1024  30
      *                INSIDE    PSK        NO        AES256    3       120
      -- PSK ID ---------------------------------------------------------------
      IP         188.138.185.166    IP            192.168.010.007
-------------------------------------------------------------------------------
Meaning of the most important parameters:
LOCIP
Local IP address [0.0.0.0, 1-126.x.x.x, 127.0.0.1, 128-223.x.x.x] or IP resource [Ip-1..Ip-999]. Value 0.0.0.0 disables the host.
REMIP
Peer's IP address [0.0.0.0, 1-126.x.x.x, 127.0.0.1, 128-223.x.x.x] or * or the name of an IP/IR list. Value 0.0.0.0 disables the host.
NATT
NAT traversal activation [SYS, NO, YES, AUTO].
MODE
IKE mode for phase 1 [MAIN, AGGRESSIVE].
AUTH
Authentication method for the ISAKMP/OAKLEY negotiation [PSK, RSASIG].
HASH
Hash algorithm for the ISAKMP/OAKLEY negotiation [MD5, SHA-1, SHA-256, SHA-384, SHA-512]. MD5 and SHA-1 are deprecated; prefer SHA-256 or stronger.
DH
Diffie-Hellman group for the ISAKMP/OAKLEY negotiation [MODP768 for Group 1, MODP1024 for Group 2, MODP1536 for Group 5, MODP2048 for Group 14]. Groups 1 and 2 are too small for current use; prefer MODP2048.
CIPHER
Encryption algorithm for the ISAKMP/OAKLEY negotiation [DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256]. Use an AES variant for new configurations: DES is broken and the 64-bit block ciphers (3DES, IDEA, CAST, BLOWFISH) are legacy.
SIDE
NAT side assigned to the tunnel [NONE, AUTO, INSIDE, OUTSIDE, VPN, DMZ].
XAUTH
Extended authentication type [NO, SERVER, CLIENT].
XAUTH-USER
XAUTH user name for the host connection.
XAUTH-PWD
XAUTH password for the host connection.
MODE-CFG
Type of Mode config [NO, PUSH, REQUEST] (for iPhone compatibility).
SA-TRY
Specifies how many times IKE should try to negotiate an SA, either for the first time or for rekeying [INFINITE, 1..100].
LIFE-TIME
Specifies how long IKE will propose that an ISAKMP SA be allowed to live. The range is [600..86400] sec.
DPD-ENABLE
Enables/disables the DPD (Dead Peer Detection) procedure (the function must also be supported by the IPSec client) [NO, YES]. DPD is a keepalive mechanism that lets the router detect when the connection between the router and a remote IPSec peer has been lost. DPD lets the router reclaim resources and optionally redirect traffic to an alternate failover destination. If DPD is not enabled, traffic continues to be sent to the unavailable destination.
DPD-DELAY
Time interval between DPD checks. It must be lower than DPD-TIMEOUT.
DPD-TIMEOUT
Time interval of missing DPD replies after which the peer is declared dead. It must be greater than DPD-DELAY.
DPD-ACTION
Action executed when the peer is detected dead [STOP, RESTART].
ID-TYPE
Type of local ID for the connection [LOCIP: the local ID is set automatically at run time to the local IP address; IP: the local ID is an IP address; FQDN: the local ID is a fully-qualified domain name (FQDN); USER-FQDN: the local ID is a fully-qualified user domain name (USER-FQDN); KEY-ID: the local ID is an opaque string used to identify which PSK key should be used to authenticate Aggressive mode negotiations].
IP
Local ID for type IP [0.0.0.0-255.255.255.255].
Important: Only for ID-TYPE:IP.
ID
Local ID for type FQDN/USER-FQDN/KEY-ID. Max 64 ASCII printable characters, space not included. Case is preserved.
Important: Only for ID-TYPE:FQDN, USER-FQDN or KEY-ID.
PEER-ID-TYPE
Peer's ID type [REMIP: the remote ID is set automatically at run time to the remote IP address; IP: the remote ID is an IP address; FQDN: the remote ID is a fully-qualified domain name (FQDN); USER-FQDN: the remote ID is a fully-qualified user domain name (USER-FQDN); KEY-ID: the remote ID is an opaque string used to identify which PSK key should be used to authenticate Aggressive mode negotiations].
PEER-IP
Peer ID for type IP [0.0.0.0-255.255.255.255].
Important: Only for PEER-ID-TYPE:IP.
PEER-ID
Peer ID for type FQDN/USER-FQDN/KEY-ID. Max 64 ASCII printable characters, space not included. Case is preserved and the match is case sensitive.
Important: Only for PEER-ID-TYPE:FQDN, USER-FQDN or KEY-ID.
The Client connections table can store up to 255 entries, indexed starting from 0 up to 254.
Changes made in the table are activated by executing the command init res:ike.
Commands for handling the Client connections table are:
d/a/c/s ike cli:"id-num" [par:val ...]
The d ike cli ? command displays the meaning of the parameters.
[18:47:32] ABILIS_CPX:d ike cli
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
CLI:  NAME:                LIFETIME:  ESP:     AH:     HOST:
      NET-LOC:             RULE:      PASSIVE: PFS:    ESP-AUTH:   AH-AUTH:
      NET-REM:             PERMANENT: TUNNEL:  ESP-CIPHER: MODE-CFG-DNS:
-------------------------------------------------------------------------------
0     Agent_Cli1           3600       YES      NO      0
      192.168.020.000/24   IPSEC      YES      YES     SHA1        SHA1
      192.168.010.007/32   YES        YES      AES256  SYS
-------------------------------------------------------------------------------
1     Android_Forticlient  28800      YES      NO      1
      000.000.000.000/00   IPSEC      YES      NO      SHA1        SHA1
      192.168.010.008/32   YES        YES      AES128  008.008.008.008
-------------------------------------------------------------------------------
[20:46:06] ABILIS_CPX:d ike cli:0
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
CLI:  NAME:                LIFETIME:  ESP:     AH:     HOST:
      NET-LOC:             RULE:      PASSIVE: PFS:    ESP-AUTH:   AH-AUTH:
      NET-REM:             PERMANENT: TUNNEL:  ESP-CIPHER: MODE-CFG-DNS:
-------------------------------------------------------------------------------
0     Agent_Cli1           3600       YES      NO      0
      192.168.020.000/24   IPSEC      YES      YES     SHA1        SHA1
      192.168.010.007/32   YES        YES      AES256  SYS
-------------------------------------------------------------------------------
Meaning of the most important parameters:
RULE
Rule for this client connection [BYPASS, DROP, IPSEC].
PASSIVE
Mode of negotiation [NO: negotiation can be started both as initiator and as responder; YES: negotiation can be started as responder only, which is useful for a server]. If the related host LOCIP is set to an "IP resource", PASSIVE must be forced to NO; if the related host REMIP is set to *, PASSIVE must be forced to YES, even if LOCIP is set to an "IP resource".
PERMANENT
Mode of negotiation [NO: after driver start or after the init command, (re-)negotiation will not be started automatically as initiator; YES: after driver start or after the init command, (re-)negotiation of this connection will be started automatically as initiator].
TUNNEL
Mode of IPSEC negotiation [NO: Transport mode; YES: Tunnel mode].
ESP
Enables/disables the IPSEC ESP protocol.
ESP-CIPHER
Encryption algorithm for the IPSEC ESP protocol [NONE, DES, 3DES, IDEA, CAST, BLOWFISH, AES128, AES192, AES256]. Use an AES variant: NONE gives no confidentiality and the others are broken or legacy 64-bit block ciphers.
ESP-AUTH
Authentication algorithm for the IPSEC ESP protocol [NONE, MD5, SHA-1, SHA-256, SHA-384, SHA-512]. Do not use NONE: ESP without integrity protection is malleable. Prefer SHA-256 or stronger.
AH
Enables/disables the IPSEC AH protocol. AH cannot be used across NAT (see the NATT parameter of the resource).
AH-AUTH
Authentication algorithm for the IPSEC AH protocol [MD5, SHA].
LIFE-TIME
Specifies how long IKE will propose that an IPSEC SA be allowed to live. The range is [600..86400] sec.
PFS
Enables/disables Perfect Forward Secrecy. PFS provides additional security by means of a fresh Diffie-Hellman exchange for each IPSEC SA. With PFS, if one key is compromised, previous and subsequent keys remain secure because they are not derived from it.
NET-LOC
Local subnet address and mask in slash notation.
NET-REM
Remote subnet address and mask in slash notation.
MODE-CFG-DNS
IP address of the DNS server for the MODE-CFG mode.
Note: Several clients can refer to the same IKE Host.
The Pre-shared keys table can store up to 64 entries, indexed starting from 0 (the index range given for it here, 0 up to 127, does not match that count; check the limit with d ike psk ? on your release).
Changes made in the table are activated by executing the command init res:ike.
Commands for handling the Pre-shared keys table are:
d/a/c/s ike psk:"id-num" [par:val ...]
The d ike psk ? command displays the meaning of the parameters.
[18:47:53] ABILIS_CPX:d ike psk
-------------------------------------------------------------------------------
PSK: KEY: PEER-ID-TYPE: PEER-IP:/PEER-ID:
-------------------------------------------------------------------------------
0 ******** ANONYMOUS
1 ******** KEY-ID androidkeiid
Meaning of the most important parameters:
KEY
Specifies the preshared key for this record. Max 64 ASCII characters. Spaces require double quotes (e.g. "my key"). Use a long random string: with AGGRESSIVE mode the key's entropy is the only protection against offline guessing.
PEER-ID-TYPE
Type of peer ID [ANONYMOUS, IP, FQDN, USER-FQDN, KEY-ID, NONE]. ANONYMOUS is allowed only once and is used for all hosts with REMIP:*. NONE disables the PSK without deleting it.
PEER-IP
Remote IP address [0.0.0.0-255.255.255.255].
Important: Only for PEER-ID-TYPE:IP.
PEER-ID
Peer ID for type FQDN/USER-FQDN/KEY-ID. Max 64 ASCII printable characters, space not included.
Important: Only for PEER-ID-TYPE:FQDN, USER-FQDN or KEY-ID.
When clients have dynamic IP addresses, MAIN mode requires the same PSK (the ANONYMOUS entry) for all users, because the responder can only select a key by the peer's address before the identities, which are sent encrypted, are known; AGGRESSIVE mode sends the identity (e.g. a KEY-ID) in the first message, so it allows an individual PSK per client. For this reason AGGRESSIVE mode is usually preferred in this situation.
The drawback is that AGGRESSIVE mode is less secure than MAIN mode because of an intrinsic protocol weakness: the PSK-based authentication hash is sent before encryption is established, so anyone who captures (or initiates) an exchange can run an offline dictionary attack against the PSK. A long, random PSK is what keeps that attack impractical; a strong hash algorithm (e.g. SHA-256) is good practice but does not remove the exposure. Many online articles compare the two modes in more detail.
Tip: See Section 50.6, "Aggressive Mode: Example of IPSEC configuration".
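The Host, Client and Pre-shared keys tables above carry a number of rules (DPD-DELAY below DPD-TOUT, PASSIVE forced by REMIP:* or an IP-resource LOCIP, no AH with NAT traversal, one ANONYMOUS PSK) and a number of algorithm choices that are now weak. The following added example, not part of the Abilis documentation or firmware, audits entries of that shape and reports every violation or weak choice in one pass; it serves the Host table, the Client table, the PSK table and the MAIN/AGGRESSIVE discussion. Parameter names and value sets are the page's, and HOSTS and CLIENTS are transcribed from the page's own d ike host / d ike cli output (the PEER-ID field stands in for the PEER-IP:/PEER-ID: column). PSKS is constructed, since the page masks keys, and the "weak" sets and MIN_PSK_LEN are policy choices of mine, not Abilis defaults.

```python
# Added example, not Abilis code: audit Host, Client and PSK entries for weak or
# inconsistent settings. Parameter names and value sets are the page's; HOSTS and
# CLIENTS are transcribed from its `d ike host` / `d ike cli` output (PEER-ID holds
# the PEER-IP:/PEER-ID: column); PSKS and the thresholds are my own constructions.
from typing import Dict, List

Entry = Dict[str, str]
WEAK_HASH = {"MD5", "SHA1", "SHA-1"}
WEAK_DH = {"MODP768", "MODP1024"}                                   # groups 1 and 2
WEAK_CIPHER = {"NONE", "DES", "3DES", "IDEA", "CAST", "BLOWFISH"}  # broken / 64-bit block
MIN_PSK_LEN = 20                                                    # policy choice

HOSTS: List[Entry] = [
    {"HOST": "0", "NAME": "Agent_HOST1", "LIFETIME": "28800", "HASH": "SHA1", "DPD": "YES",
     "LOCIP": "188.138.185.166", "NATT": "SYS", "MODE": "MAIN", "DH": "MODP1024",
     "DPD-DELAY": "30", "REMIP": "*", "AUTH": "PSK", "XAUTH": "NO", "CIPHER": "AES256",
     "DPD-TOUT": "120", "PEER-ID-TYPE": "IP", "PEER-ID": "192.168.010.007"},
    {"HOST": "1", "NAME": "Android", "LIFETIME": "3600", "HASH": "SHA1", "DPD": "YES",
     "LOCIP": "188.138.185.166", "NATT": "SYS", "MODE": "AGGRESSIVE", "DH": "MODP1024",
     "DPD-DELAY": "30", "REMIP": "*", "AUTH": "PSK", "XAUTH": "SERVER", "CIPHER": "AES128",
     "DPD-TOUT": "120", "PEER-ID-TYPE": "KEY-ID", "PEER-ID": "androidkeiid"},
]
CLIENTS: List[Entry] = [
    {"CLI": "0", "NAME": "Agent_Cli1", "HOST": "0", "RULE": "IPSEC", "ESP": "YES", "AH": "NO",
     "PASSIVE": "YES", "PFS": "YES", "ESP-AUTH": "SHA1", "ESP-CIPHER": "AES256"},
    {"CLI": "1", "NAME": "Android_Forticlient", "HOST": "1", "RULE": "IPSEC", "ESP": "YES",
     "AH": "NO", "PASSIVE": "YES", "PFS": "NO", "ESP-AUTH": "SHA1", "ESP-CIPHER": "AES128"},
]
PSKS: List[Entry] = [  # constructed: the page prints keys as ********
    {"PSK": "0", "KEY": "abilis123", "PEER-ID-TYPE": "ANONYMOUS", "PEER-ID": ""},
    {"PSK": "1", "KEY": "Q7v!p2Lm9#xR4tZc8bN1wK6yH3sD0fGa", "PEER-ID-TYPE": "KEY-ID",
     "PEER-ID": "androidkeiid"},
]


def audit_host(h: Entry) -> List[str]:
    """Phase-1 (ISAKMP SA) checks for one Host connections table entry."""
    f, n = [], f"host {h['HOST']} ({h['NAME']})"
    if h["HASH"] in WEAK_HASH:
        f.append(f"{n}: HASH {h['HASH']} is deprecated; use SHA-256 or stronger")
    if h["DH"] in WEAK_DH:
        f.append(f"{n}: DH {h['DH']} is too small; use MODP2048 (group 14)")
    if h["CIPHER"] in WEAK_CIPHER:
        f.append(f"{n}: CIPHER {h['CIPHER']} is legacy; use AES128/AES192/AES256")
    if h["MODE"] == "AGGRESSIVE" and h["AUTH"] == "PSK":
        f.append(f"{n}: AGGRESSIVE mode with PSK sends the PSK-based hash unencrypted, "
                 "so the PSK can be brute-forced offline; use a long random PSK or RSASIG")
    if h["DPD"] == "YES" and int(h["DPD-DELAY"]) >= int(h["DPD-TOUT"]):
        f.append(f"{n}: DPD-DELAY must be lower than DPD-TOUT")
    if not 600 <= int(h["LIFETIME"]) <= 86400:
        f.append(f"{n}: LIFETIME outside [600..86400]")
    return f


def audit_client(c: Entry, host: Entry) -> List[str]:
    """Phase-2 (IPSEC SA) checks for one Client entry against its Host."""
    f, n = [], f"cli {c['CLI']} ({c['NAME']})"
    if c["RULE"] != "IPSEC":
        return f                                   # BYPASS/DROP negotiate nothing
    if c["AH"] == "YES" and host["NATT"] != "NO":
        f.append(f"{n}: AH is enabled while host NATT is {host['NATT']}; "
                 "AH must be disabled when NAT traversal is on")
    if c["ESP"] == "YES":
        if c["ESP-CIPHER"] in WEAK_CIPHER:
            f.append(f"{n}: ESP-CIPHER {c['ESP-CIPHER']} gives weak or no confidentiality")
        if c["ESP-AUTH"] == "NONE" or c["ESP-AUTH"] in WEAK_HASH:
            f.append(f"{n}: ESP-AUTH {c['ESP-AUTH']} gives weak or no integrity; use SHA-256+")
    elif c["AH"] == "NO":
        f.append(f"{n}: neither ESP nor AH is enabled")
    if c["PFS"] == "NO":
        f.append(f"{n}: PFS is off; a compromised ISAKMP SA exposes every IPSEC SA derived from it")
    if host["REMIP"] == "*" and c["PASSIVE"] != "YES":
        f.append(f"{n}: host REMIP is *, so PASSIVE must be YES")
    elif host["LOCIP"].startswith("Ip-") and c["PASSIVE"] != "NO":
        f.append(f"{n}: host LOCIP is an IP resource, so PASSIVE must be NO")
    return f


def audit_psks(psks: List[Entry], hosts: List[Entry]) -> List[str]:
    """PSK table checks: one ANONYMOUS entry at most, key length, host coverage."""
    f = []
    anon = [p for p in psks if p["PEER-ID-TYPE"] == "ANONYMOUS"]
    if len(anon) > 1:
        f.append("more than one ANONYMOUS PSK; only one is allowed")
    for p in psks:
        if p["PEER-ID-TYPE"] != "NONE" and len(p["KEY"]) < MIN_PSK_LEN:
            f.append(f"psk {p['PSK']}: key shorter than {MIN_PSK_LEN} characters")
    keyed = {(p["PEER-ID-TYPE"], p["PEER-ID"]) for p in psks
             if p["PEER-ID-TYPE"] not in ("ANONYMOUS", "NONE")}
    for h in hosts:
        if h["AUTH"] == "PSK" and (h["PEER-ID-TYPE"], h["PEER-ID"]) not in keyed and not anon:
            f.append(f"host {h['HOST']}: no PSK entry matches its peer ID and no ANONYMOUS fallback exists")
    return f


def audit(hosts: List[Entry], clients: List[Entry], psks: List[Entry]) -> List[str]:
    by_id = {h["HOST"]: h for h in hosts}
    out: List[str] = []
    for h in hosts:
        out += audit_host(h)
    for c in clients:
        out += audit_client(c, by_id[c["HOST"]])
    return out + audit_psks(psks, hosts)


if __name__ == "__main__":
    for line in audit(HOSTS, CLIENTS, PSKS):
        print(line)
```

Run against the page's own sample tables, the audit flags SHA1 and MODP1024 on both hosts, AGGRESSIVE mode with PSK on host 1, SHA1 ESP-AUTH on both clients, PFS off on client 1 and the short constructed ANONYMOUS key; host 0's REMIP:* with PASSIVE:YES and the 30 s / 120 s DPD pair pass, as they should.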