IPSEC module config

In order to use IPsec we need to define which combinations of the protocols ESP and AH we wish to allow, along with which encryption and hash algorithms.

I think that works out at around 25,600 possible combinations, but I have probably missed some; also, the standard is extensible, allowing extra encryption or hash algorithms to be added as they are developed and implemented.

We now need to create the specifications for the Security Associations to be negotiated on the VPN that connects this LAN to the remote LAN, so that traffic between the LANs is encrypted.

This example will specify AH using SHA, and ESP using DES+MD5, and key management via ISAKMP.

The Firewall supports 256 Security Association Specifications. The defined SAspecs are combined into up to 256 bundles; when negotiating with a potential peer, it is the SAspecs within the bundle selected for use with that peer that are checked.

IPsec Security Association Specifications

show IPSec SAspec
will list already defined specs.

create IPSec SASpec=1 prot=esp hasha=null encalg=3des2key keyman=isakmp

create IPSec SASpec=2 prot=esp hasha=null encalg=3desinner keyman=isakmp

create IPSec SASpec=3 prot=esp hasha=null encalg=des keyman=isakmp

create IPSec SASpec=101 prot=ah mode=Transport hasha=sha keyman=isakmp

create IPSec SASpec=102 prot=ah mode=Transport hasha=md5 keyman=isakmp

create IPSec SASpec=103 prot=ah mode=Transport hasha=desmac keyman=isakmp

create IPSec SASpec=151 prot=ah hasha=sha keyman=isakmp

IPSec Bundle Definitions

show IPSec bundles
will list existing bundles.

create IPSec bundlespec=1 keym=isakmp string="1 on 2 or 3 and 101 or 102 or 103"
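The bundle string above is what the firewall walks through when a peer proposes SAs. The following Python is an added example, not the firewall's own code, that parses such a string, checks every referenced SAspec against the table created above, flags the weak algorithms (DES, MD5, DES-MAC) that the example SAspecs still offer, and models which alternative a peer with a given algorithm set would end up with. The operator precedence it assumes ("on" nests, "and" combines, "or" separates alternatives, left to right) and the SASPECS table are assumptions built from the commands on this page; the WEAK set is this example's own review policy.

```python
"""Check an IPsec bundle string against the SAspec table (added example)."""

# Constructed SAspec table mirroring the "create IPSec SASpec=..." commands
# above; values are lower-cased because the firewall CLI is case-insensitive.
SASPECS = {
    1:   {"prot": "esp", "hasha": "null",   "encalg": "3des2key"},
    2:   {"prot": "esp", "hasha": "null",   "encalg": "3desinner"},
    3:   {"prot": "esp", "hasha": "null",   "encalg": "des"},
    101: {"prot": "ah",  "hasha": "sha",    "mode": "transport"},
    102: {"prot": "ah",  "hasha": "md5",    "mode": "transport"},
    103: {"prot": "ah",  "hasha": "desmac", "mode": "transport"},
    151: {"prot": "ah",  "hasha": "sha"},
}

# Algorithms a reviewer would flag today (this example's policy, not the firewall's).
WEAK = {"encalg": {"des"}, "hasha": {"md5", "desmac"}}


def parse_bundle(string):
    """Split a bundle string into alternatives.

    Assumed precedence (not documented on this page): "on" nests one SAspec on
    another, "and" applies SAspecs together, "or" separates the alternatives
    offered to the peer.  Returns a list of alternatives; each alternative is a
    list of chains; each chain is a list of SAspec numbers, outermost first.
    """
    alternatives, alt, chain = [], [], []
    expect_number = True
    for tok in string.lower().split():
        if expect_number:
            if not tok.isdigit():
                raise ValueError(f"expected an SAspec number, got {tok!r}")
            chain.append(int(tok))
        elif tok == "on":
            pass                        # keep extending the current chain
        elif tok == "and":
            alt.append(chain); chain = []
        elif tok == "or":
            alt.append(chain); alternatives.append(alt); alt, chain = [], []
        else:
            raise ValueError(f"unknown operator {tok!r}")
        expect_number = not expect_number   # numbers and operators alternate
    if expect_number:
        raise ValueError("bundle string is empty or ends with an operator")
    alt.append(chain); alternatives.append(alt)
    return alternatives


def check_bundle(string, saspecs=SASPECS):
    """Return (alternatives, findings): undefined SAspecs and weak algorithms."""
    alternatives = parse_bundle(string)
    findings = []
    for i, alt in enumerate(alternatives, 1):
        for n in (n for chain in alt for n in chain):
            spec = saspecs.get(n)
            if spec is None:
                findings.append(f"alternative {i}: SAspec {n} is not defined")
                continue
            for field, weak in WEAK.items():
                if spec.get(field) in weak:
                    findings.append(f"alternative {i}: SAspec {n} uses weak {field}={spec[field]}")
    return alternatives, findings


def select_alternative(string, peer_supports, saspecs=SASPECS):
    """Model the negotiation: the first alternative whose every SAspec the peer
    supports is selected.  peer_supports is a constructed set of
    (prot, encalg, hasha) triples; an undefined SAspec never matches."""
    for alt in parse_bundle(string):
        specs = [saspecs.get(n, {}) for chain in alt for n in chain]
        triples = [(s.get("prot"), s.get("encalg", "none"), s.get("hasha")) for s in specs]
        if all(t in peer_supports for t in triples):
            return alt
    return None


if __name__ == "__main__":
    bundle = "1 on 2 or 3 and 101 or 102 or 103"      # the bundle created above
    alts, findings = check_bundle(bundle)
    print("alternatives:", alts)
    for f in findings:
        print("finding:", f)
    # A peer that only offers ESP/DES and AH/SHA lands on the DES alternative,
    # which is why weak SAspecs are best removed from the bundle, not just listed last.
    print("selected:", select_alternative(bundle, {("esp", "des", "null"), ("ah", "none", "sha")}))
```

Run against the page's own bundle, the check reports the DES, MD5 and DES-MAC alternatives, and the selection model shows that a peer which supports nothing stronger will settle on the DES alternative; keeping weak SAspecs in a bundle "for compatibility" is a downgrade waiting to happen.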

ISAKMP Policies

ISAKMP can be used to negotiate a sequence of keys used for IPsec Security Associations. This has the advantage that the keys are changed automatically.

ISAKMP can use "Perfect Forward Secrecy", where breaking one of the SA keys will not compromise future keys.

ISAKMP can also negotiate keys where one of the endpoint IP addresses is not known in advance.

There are lots of options available with ISAKMP; these must, in most cases, match at both ends. The following table lists the options available from version 1.8 of the software. Default options are in bold; entries added up to version 2.3 are in italics.

Options are being continuously extended.

  • Peer
    • any
    • IPaddr
  • AuthType
    • Preshared
      • Key: any GENERAL key
    • RSAENCR
      • Key: number of the remote unit's RSA key
    • RSASIG
  • DHExponentLength: number of bits used for the Diffie-Hellman private exponent.
    • 160
    • may be increased up to 511 bits for Group 0, 767 bits for Group 1, 1023 bits for Group 2.
  • EncAlg
    • 3des2key
    • 3desinner
    • des
  • ExpireKbytes
    • 0..1000..
  • ExpireSeconds
    • 0..86400..
  • Group: specifies the group used for the Diffie-Hellman key exchange for Perfect Forward Secrecy (Groups 1 and 2 are Oakley groups), with USEPFSKEY=True.
    • 0
    • 1
    • 2
  • HashAlgorithm
    • MD5
    • SHA
  • HeartBeatMode
    • NONE
    • SEND
    • Receive
    • Both
  • HybridXauth: only for AuthType RSASIG
  • LocalID: how we identify ourselves.
    • ipaddr
    • DomainName
    • UserDomainName
    • dist-name
  • LocalRSAkey
  • Mode: Phase 1 key negotiation mode.
    • Main
    • Aggressive
  • MsgRetryLimit: the number of times an ISAKMP message is retransmitted.
    • 5
  • MsgTimeOut
  • Phase2XchgLimit
  • PolicyFileName
  • PreNegotiate
    • True
    • False
  • Remote ID: how the remote is expected to identify itself.
    • ipaddr
    • DomainName
    • UserDomainName
    • dist-name
  • SrcInterface: source interface for the policy
  • Xauth
    • NONE
    • Server
    • Client
  • XauthName
  • XauthPassword
  • XauthType
    • Generic
    • Radius

Note: these examples all use the same preshared key; this is a very bad idea.

To another Allied Router at a fixed IP address

# Remote site
create isakmp policy=Fire2Fire peer=193.133.123.213 hashalg=sha key=1
set ISAkmp pol=Fire2Fire senddeletes=on setcommitbit=on sendnotify=on

Roaming user with Allied IPsec client and a dynamic IP address

To state the obvious, if the client has a dynamic IP address, the client will have to initiate the connection.

create isakmp policy=roaming1 peer=any hashalg=sha key=1
set isakmp policy=roaming1 senddeletes=on setcommitbit=on sendnotify=on

A roaming user can also be authenticated on a user name:

set isakmp policy=roaming1 xauth=server xauthtype=generic
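Two things in the policies above are easy to get wrong and hard to see from one router's console: the options that must match at the other end, and the preshared key number that the note above warns is reused. The Python below is an added example, not Allied code, that parses `create`/`set isakmp` lines from both endpoints into policy tables, reports mismatches in the parameters it assumes must match (MUST_MATCH is this example's list), reports key numbers shared by more than one policy, and records which policies can initiate (a `peer=any` policy can only answer). The remote-side line is constructed for the example; its address is a documentation address, not a real peer.

```python
"""Cross-check ISAKMP policy lines from two endpoints (added example)."""
from collections import Counter

# Parameters the page says must, in most cases, match at both ends; the exact
# set is an assumption made for this example.
MUST_MATCH = ("authtype", "encalg", "hashalg", "group", "mode", "dhexponentlength")


def parse_policy_line(line):
    """Parse 'create|set isakmp policy=NAME k=v ...' into (name, {k: v}).

    Keywords and values are lower-cased (the CLI is case-insensitive) except the
    policy name, which is kept as typed; 'pol=' is accepted for 'policy='.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0].lower() not in ("create", "set") \
            or tokens[1].lower() != "isakmp":
        raise ValueError(f"not an ISAKMP policy command: {line!r}")
    params = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {tok!r}")
        key = key.lower()
        params[key] = value if key in ("policy", "pol") else value.lower()
    name = params.pop("policy", None) or params.pop("pol", None)
    if name is None:
        raise ValueError(f"no policy name in {line!r}")
    return name, params


def load_policies(lines):
    """Build the policy table; 'set' lines update the policy 'create' made."""
    policies = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue                            # blank lines and comments
        name, params = parse_policy_line(line)
        policies.setdefault(name, {}).update(params)
    return policies


def compare_endpoints(local, remote):
    """List MUST_MATCH parameters that differ between the two policies."""
    return [f"{p}: local={local.get(p)} remote={remote.get(p)}"
            for p in MUST_MATCH
            if (p in local or p in remote) and local.get(p) != remote.get(p)]


def reused_keys(policies):
    """Preshared key numbers that more than one policy points at."""
    counts = Counter(p["key"] for p in policies.values() if "key" in p)
    return sorted(k for k, c in counts.items() if c > 1)


def can_initiate(policy):
    """A policy with peer=any (or no peer) can only answer; the peer must initiate."""
    return policy.get("peer", "any") != "any"


# Constructed input: the local firewall's lines from this page, plus a remote
# side whose hash algorithm was deliberately set differently to show a mismatch.
LOCAL_LINES = [
    "# Remote site",
    "create isakmp policy=Fire2Fire peer=193.133.123.213 hashalg=sha key=1",
    "set ISAkmp pol=Fire2Fire senddeletes=on setcommitbit=on sendnotify=on",
    "create isakmp policy=roaming1 peer=any hashalg=sha key=1",
    "set isakmp policy=roaming1 senddeletes=on setcommitbit=on sendnotify=on",
]
REMOTE_LINES = [
    "create isakmp policy=ToHQ peer=192.0.2.1 hashalg=md5 key=7",   # constructed
]


if __name__ == "__main__":
    local, remote = load_policies(LOCAL_LINES), load_policies(REMOTE_LINES)
    for f in compare_endpoints(local["Fire2Fire"], remote["ToHQ"]):
        print("mismatch:", f)
    for k in reused_keys(local):
        print("preshared key", k, "is shared by more than one policy")
    for name, pol in local.items():
        print(name, "can initiate" if can_initiate(pol) else "answers only")
```

The parser deliberately accepts the abbreviations used on this page (`ISAkmp`, `pol=`) so that the lines can be pasted straight from the console; anything that is not `key=value` is rejected rather than guessed at.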

User authentication

You have a choice here: either create the users on the firewall or configure a RADIUS server.

add user=mikey pass=ratspass login=false