Nokia

Dynamic MC-IPSec on SeGW

Dynamic IPSec on SeGW and static IPSec at remote device (Cisco and Nokia)

  • Configure ISA
configure
    system
        name "SeGW-01"
        chassis-mode d
    exit
    isa
        tunnel-group 1 isa-scale-mode tunnel-limit-2k create
            ipsec-responder-only
            multi-active
            mda 1/2
            no shutdown
        exit
    exit
  • Configure Port, Interface and global routing (OSPF)
configure
    port 1/1/1
        description "SHUNT_TO_SeGW-02"
        ethernet                     
            mode hybrid
            encap-type dot1q
        exit
        no shutdown
    exit
    port 1/1/2
        description "PUBLIC"
        ethernet
            mode access
            encap-type dot1q
        exit
        no shutdown
    exit
    port 1/1/3
        description "PRIVATE"
        ethernet
            mode access
            encap-type dot1q
        exit
        no shutdown
    exit
    router Base
        interface "SHUNT"
            address 10.1.2.1/24
            port 1/1/1:0
            no shutdown
        exit
        interface "system"
            address 10.1.1.1/32
            bfd 100 receive 100 multiplier 3
            no shutdown
        exit
        ospf 0 10.1.1.1
            area 0.0.0.0
                interface "system"
                    no shutdown
                exit
                interface "SHUNT"
                    interface-type point-to-point
                    no shutdown
                exit
            exit
            no shutdown
        exit
    exit
  • Generate key pair and CSR (Certificate Signing Request)
A:SeGW-01# admin certificate gen-keypair cf3:/key_rsa2048 type rsa size 2048 
A:SeGW-01# file dir
 
Volume in drive cf3 on slot A is SROS VM.
 
Volume in drive cf3 on slot A is formatted as FAT32
 
Directory of cf3:\
 
02/08/2018  08:13a      <DIR>          .ssh/
10/01/2016  12:07a                 548 bof.cfg
12/20/2017  04:46p                 196 bof.cfg.1
10/01/2016  12:01a                5139 bootlog.txt
10/01/2016  12:01a                5139 bootlog_prev.txt
10/02/2016  08:37a                6501 config.cfg
12/20/2017  04:46p                   0 config.cfg.1
10/02/2016  08:40a                1193 key_rsa2048
10/01/2016  12:06a                 980 lic.txt
12/20/2017  04:46p                 101 nvram.dat
10/01/2016  12:01a                 309 nvsys.info
10/01/2016  12:01a                   1 restcntr.txt
12/20/2017  04:46p      <DIR>          syslinux/
12/20/2017  04:46p      <DIR>          timos/
              11 File(s)                  20107 bytes.
               3 Dir(s)               823148544 bytes free.
 
A:SeGW-01# admin certificate gen-local-cert-req keypair cf3:/key_rsa2048 subject-dn "CN=SeGW.test.co.th,ST=BKK,C=TH" file cf3:/SeGW_req.csr
A:SeGW-01# file dir
 
 
Volume in drive cf3 on slot A is SROS VM.
 
Volume in drive cf3 on slot A is formatted as FAT32
 
Directory of cf3:\
 
02/08/2018  08:13a      <DIR>          .ssh/
10/02/2016  08:43a                 936 SeGW_req.csr
10/01/2016  12:07a                 548 bof.cfg
12/20/2017  04:46p                 196 bof.cfg.1
10/01/2016  12:01a                5139 bootlog.txt
10/01/2016  12:01a                5139 bootlog_prev.txt
10/02/2016  08:37a                6501 config.cfg
12/20/2017  04:46p                   0 config.cfg.1
10/02/2016  08:40a                1193 key_rsa2048
10/01/2016  12:06a                 980 lic.txt
12/20/2017  04:46p                 101 nvram.dat
10/01/2016  12:01a                 309 nvsys.info
10/01/2016  12:01a                   1 restcntr.txt
12/20/2017  04:46p      <DIR>          syslinux/
12/20/2017  04:46p      <DIR>          timos/
              12 File(s)                  21043 bytes.
               3 Dir(s)               823144448 bytes free.
 
A:SeGW-01# file type cf3:/SeGW_req.csr
File: SeGW_req.csr
-------------------------------------------------------------------------------
-----BEGIN CERTIFICATE REQUEST-----
(base64 request body not reproduced here)
-----END CERTIFICATE REQUEST-----
 
===============================================================================
  • Send the CSR to the CA for signing and retrieve the signed certificate
  • Import the key, signed certificate, CA certificate and CRL into the NE
admin certificate import type key input cf3:/key_rsa2048 output key1_rsa2048 format der 
admin certificate import type cert input cf3:/SeGW.cer output seGW.cer format der
admin certificate import type cert input cf3:/CA-cert.cer output Root-CA.cer format der
admin certificate import type crl input cf3:/certcrl.crl output certcrl.crl format der
 
Directory of cf3:\system-pki
 
10/03/2016  10:57a      <DIR>          ./
10/03/2016  10:57a      <DIR>          ../
10/03/2016  10:58a                 895 Root-CA.cer
10/03/2016  10:59a                 909 certcrl.crl
10/03/2016  10:57a                1200 key1_rsa2048
10/03/2016  10:58a                1340 seGW.cer
               4 File(s)                   4344 bytes.
               2 Dir(s)               823083008 bytes free.
  • Configure CA-Profile (the CA certificate and its CRL)
configure
    system
        security
            pki
                ca-profile "SeGW-Root" create
                    cert-file "Root-CA.cer"
                    crl-file "certcrl.crl"
                    no shutdown
                exit                 
            exit
        exit
    exit
 
*A:SeGW-01# configure system security pki ca-profile "SeGW-Root" shutdown
*A:SeGW-01# configure system security pki ca-profile "SeGW-Root" no shutdown
*A:SeGW-01# show certificate ca-profile "SeGW-Root"                         
 
===============================================================================
PKI CA-Profile Information
===============================================================================
CA Profile     : SeGW-Root                      Admin State    : up
Description    : (Not Specified)
CRL File       : certcrl.crl
Cert File      : Root-CA.cer
Oper State     : up                            
Oper Flags     : <none>
Revoke Chk     : crl                            
 
CMPv2
-------------------------------------------------------------------------------
HTTP Timeout   : 30 secs                        Router         : base
CA URL         : (Not Specified)
Sign Cert URL  : (Not Specified)
Unprot Err Msg : disabled                       Unprot Pki Conf: disabled
Same RecipNonce: disabled                      
for Poll-reqs
Set Sndr for IR: False                         
HTTP version   : 1.1                           
                                     
OCSP
-------------------------------------------------------------------------------
Responder URL  : (Not Specified)
Router         : base                          
  • Configure redundancy and mc-ipsec
    • peer-group: specifies the corresponding tunnel-group id on the peer node
    • priority: used to elect the master, where the higher number wins
configure
    redundancy
        multi-chassis
            peer 10.2.2.2 create     
                sync
                    ipsec
                    tunnel-group 1 sync-tag "1" create
                    no shutdown
                exit
                mc-ipsec
                    bfd-enable
                    tunnel-group 1 create
                        peer-group 1
                        priority 200
                        no shutdown
                    exit
                exit
                no shutdown
            exit
        exit
    exit
  • Configure IPSec Phase 1 (IKEv2) with cert authentication
configure
    ipsec
        ike-policy 10 create
            ike-version 2
            auth-method cert-auth
            own-auth-method cert
            dh-group 5
            ipsec-lifetime 86400
            isakmp-lifetime 86400
            auth-algorithm sha256
            dpd interval 10 max-retries 2 reply-only
        exit
    exit
  • Configure IPSec Phase 2 (transform); the default values are:
    • esp-auth-algorithm sha1
    • esp-encryption-algorithm aes128
configure
    ipsec
        ipsec-transform 100 create
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes256
        exit
    exit
  • Configure cert-profile
configure
    ipsec
        cert-profile "SeGW" create
            entry 1 create
                cert seGW.cer
                key key1_rsa2048
            exit
            no shutdown
        exit
    exit
 
*A:SeGW-01# show ipsec cert-profile
 
===============================================================================
Certificate Profile
===============================================================================
Cert Profile                     AdminState OperState  OperFlags
-------------------------------------------------------------------------------
SeGW                             up         up        
===============================================================================
  • Configure Trust-anchor-profile

In the X.509 architecture, a root certificate is the trust anchor from which the whole chain of trust is derived. The trust anchor must already be in the possession of the trusting party for any certificate path validation to be possible.

A:SeGW-01# show certificate ca-profile 
-------------------------------------------------------------------------------
Max Cert Chain Depth: 7 (default)
-------------------------------------------------------------------------------
Certificate Display Format: ASCII
-------------------------------------------------------------------------------
Time Frames For Expiry Warning Generation Before:
Certificate Expiry Warning : N/A            Repeat Interval: N/A
CRL Expiry Warning         : N/A            Repeat Interval: N/A
 
===============================================================================
CA Profile
===============================================================================
CA Profile        Admin Oper  Cert File                CRL File
                  State State                         
-------------------------------------------------------------------------------
SeGW-Root         up    up    Root-CA.cer              certcrl.crl
-------------------------------------------------------------------------------
Entries found: 1
===============================================================================
 
configure
    ipsec
        trust-anchor-profile "SeGW" create
            trust-anchor "SeGW-Root" 
        exit
    exit
 
A:SeGW-01# show ipsec trust-anchor-profile "SeGW"
 
==================================================================
Trust Anchor CA-profile List
==================================================================
CA Profile                       Admin/Oper State
------------------------------------------------------------------
SeGW-Root                        up/up
==================================================================
  • Configure Tunnel Template
configure
    ipsec
        tunnel-template 1 create
            sp-reverse-route
            transform 100
        exit
    exit
  • Configure Security Policy
    • Used to allow traffic from certain IP address ranges by configuring local and remote IP addresses
    • On the static side, the local-ip address needs to be the customer network
    • Used for traffic selection into the IPSec tunnel
configure
    service
        vprn 110 customer 1 create
            ipsec
                security-policy 10 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                exit
            exit
            no shutdown
        exit
    exit
  • IPSec Public Interface Configuration and IPSec Gateway configuration (on gateway side only)
    • VPRN service id and tunnel interface
    • ike-policy and tunnel-template
    • local gateway address
    • cert-auth

This is the dynamic-side configuration (no peer address needs to be included).

configure
    service
        vprn 120 customer 1 create
            route-distinguisher 100:120
            vrf-target target:100:120
            interface "To_PUBLIC_VPRN" create
                address 10.1.3.1/24
                sap 1/1/2:0 create
                exit
            exit
            interface "PUBLIC_IPSEC" create
                address 44.44.44.0/31
                sap tunnel-1.public:12 create
                    ipsec-gw "SeGW_Tunnel"
                        default-secure-service 110 interface "PRIVATE_IPSEC"
                        default-tunnel-template 1
                        ike-policy 10
                        local-gateway-address 44.44.44.1
                        cert
                            trust-anchor-profile "SeGW"
                            cert-profile "SeGW"
                            status-verify
                                default-result good
                            exit
                        exit 
                        local-id type fqdn value segw.test.co.th       
                        no shutdown
                    exit
                exit
            exit
            service-name "PUBLIC_IPSEC"
            no shutdown
        exit
    exit
 
*A:SeGW-01# show ipsec gateway
 
===============================================================================
IPSec Gateway
===============================================================================
Name                             LclGwAddr        Adm  Opr  Ike  Auth
 SAP                              Service                       
-------------------------------------------------------------------------------
SeGW_Tunnel                      44.44.44.1       Up   Up   10   cert
 tunnel-1.public:12               120                             
-------------------------------------------------------------------------------
Number of gateways: 1
===============================================================================
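As an added illustration of what the trust-anchor-profile and the gateway's `status-verify default-result good` setting decide (this is example code written for this page, not Nokia code and not part of the original configuration), here is a small Python model of certificate path validation against configured ca-profiles: it walks issuer links from the peer certificate up to a trust anchor, enforces the chain-depth limit shown in the `show certificate ca-profile` output, and consults each issuer's CRL, falling back to the configured default result when no CRL is loaded. The certificate records, serial numbers and the revoked serial are constructed; no signatures are verified, and the depth-counting rule (certificates below the anchor, leaf included) is an assumption rather than documented SR OS behaviour.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for an X.509 certificate: names only, no signature.
    subject: str
    issuer: str
    serial: int


@dataclass(frozen=True)
class CaProfile:
    # Mirrors an SR OS ca-profile: the CA certificate and its CRL. crl is the
    # set of revoked serials; None models a missing or unusable crl-file.
    name: str
    cert: Cert
    crl: Optional[FrozenSet[int]]


MAX_CERT_CHAIN_DEPTH = 7   # "Max Cert Chain Depth: 7 (default)" in the show output


def build_chain(leaf: Cert, intermediates: Iterable[Cert], anchors: Iterable[CaProfile],
                max_depth: int = MAX_CERT_CHAIN_DEPTH) -> Tuple[List[Cert], Optional[CaProfile], str]:
    """Follow issuer names from the peer certificate up to a trust anchor.

    Returns (chain below the anchor, anchor profile or None, reason).
    Assumption: the depth limit counts the certificates below the anchor,
    leaf included; a chain that would exceed it is rejected.
    """
    by_subject = {c.subject: c for c in intermediates}
    anchor_by_subject = {p.cert.subject: p for p in anchors}
    chain = [leaf]
    while True:
        top = chain[-1]
        if top.issuer in anchor_by_subject:
            return chain, anchor_by_subject[top.issuer], "ok"
        if len(chain) >= max_depth:
            return chain, None, "chain-too-deep"
        nxt = by_subject.get(top.issuer)
        if nxt is None or nxt in chain:      # unknown issuer, or a loop
            return chain, None, "no-trust-anchor"
        chain.append(nxt)


def validate_peer_cert(leaf: Cert, intermediates: Iterable[Cert], anchors: Iterable[CaProfile],
                       default_result: str = "good") -> str:
    """Path validation as the trust-anchor-profile plus status-verify imply.

    default_result is what `status-verify default-result` selects: the answer
    used when the issuer's CRL cannot be consulted. Intermediates carry no CRL
    in this model, so certificates they issued always take the default.
    """
    anchors = list(anchors)
    chain, anchor, reason = build_chain(leaf, intermediates, anchors)
    if anchor is None:
        return reason
    crl_by_issuer = {p.cert.subject: p.crl for p in anchors}
    for cert in chain:
        crl = crl_by_issuer.get(cert.issuer)
        if crl is None:
            if default_result == "revoked":
                return "revoked"
            continue                          # default-result good: accepted unchecked
        if cert.serial in crl:
            return "revoked"
    return "good"


# Constructed sample data; the subject names are taken from the page's outputs.
ROOT_CERT = Cert(subject="CN=ROOT-CA", issuer="CN=ROOT-CA", serial=1)
REVOKED_SERIAL = 9999
SEGW_ROOT = CaProfile("SeGW-Root", ROOT_CERT, frozenset({REVOKED_SERIAL}))
SEGW_ROOT_NO_CRL = CaProfile("SeGW-Root", ROOT_CERT, None)
PEER_CERT = Cert("C=TH,ST=BKK,CN=7750SR.test.co.th", "CN=ROOT-CA", 1001)
REVOKED_PEER = Cert("C=TH,ST=BKK,CN=7750SR.test.co.th", "CN=ROOT-CA", REVOKED_SERIAL)

if __name__ == "__main__":
    print("valid peer             :", validate_peer_cert(PEER_CERT, [], [SEGW_ROOT]))
    print("revoked peer           :", validate_peer_cert(REVOKED_PEER, [], [SEGW_ROOT]))
    print("no CRL, default good   :", validate_peer_cert(REVOKED_PEER, [], [SEGW_ROOT_NO_CRL]))
    print("no CRL, default revoked:", validate_peer_cert(REVOKED_PEER, [], [SEGW_ROOT_NO_CRL], "revoked"))
```

The last two cases are the point a practitioner should take from `default-result good`: when the CRL for a ca-profile is missing or unusable, a peer certificate that is in fact revoked is still accepted, so the `crl-file` has to be kept current and `default-result revoked` is the safer setting where the operational impact of a stale CRL is acceptable.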
  • IPSec Private Interface
configure
    service
        vprn 110 customer 1 create
            ipsec
                security-policy 10 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                exit
            exit
            route-distinguisher 100:110
            vrf-target target:100:110
            interface "PRIVATE_IPSEC" tunnel create
                sap tunnel-1.private:12 create
                exit
            exit
            interface "To_Client" create
                address 10.1.7.1/24
                sap 1/1/3:0 create
                exit                 
            exit
            no shutdown
        exit
    exit
  • Configure Shunt interface for Public and Private VPRN
configure
    service
        vprn 110 customer 1 create
            interface "PRIVATE_IPSEC" tunnel create
                dynamic-tunnel-redundant-next-hop 172.1.2.2
            exit
            interface "SHUNT_IPSEC_PRIVATE" create
                address 172.1.2.1/30
                sap 1/1/1:110 create
                exit
            exit
        exit                         
        vprn 120 customer 1 create
            interface "PUBLIC_IPSEC" create
                dynamic-tunnel-redundant-next-hop 172.1.2.2
            exit
            interface "SHUNT_IPSEC_PUBLIC" create
                address 172.1.2.1/30
                sap 1/1/1:120 create
                exit
            exit
        exit
    exit
  • Configure public-side route policy and routing protocol (BGP in this example)
    • The local gateway address needs to be advertised to the remote VPN devices.
configure
    router
        policy-options
            begin
            prefix-list "LOCAL_GW"
                prefix 44.44.44.0/31 exact
            exit
            policy-statement "EXP_BGP_PUBLIC"
                entry 10
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-master-with-peer
                    exit
                    action accept
                        metric set 50
                    exit
                exit
                entry 20
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-non-master
                    exit
                    action accept    
                        metric set 100
                    exit
                exit
                entry 30
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 150
                    exit
                exit
            exit
            commit
        exit
    exit
    service
        vprn 120 customer 1 create
            bgp
                router-id 10.1.1.1
                group "PUBLIC_PEER"
                    family ipv4
                    preference 20    
                    export "EXP_BGP_PUBLIC"
                    peer-as 65001
                    split-horizon
                    neighbor 10.1.3.3
                    exit
                exit
                no shutdown
            exit
        exit
    exit
  • Configure Private Side
configure
    router
        policy-options
            begin
            policy-statement "EXP_BGP_PRIVATE"
                entry 10
                    from
                        protocol ipsec
                        state ipsec-master-with-peer
                    exit
                    action accept
                        metric set 50
                    exit
                exit
                entry 20
                    from
                        protocol ipsec
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 100
                    exit
                exit
                entry 30
                    from             
                        protocol ipsec
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 150
                    exit
                exit
            exit
            commit
        exit
    exit
    service
        vprn 110 customer 1 create
            ipsec
                security-policy 10 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                exit
            exit
            autonomous-system 65000
            route-distinguisher 100:110
            vrf-target target:100:110
            interface "PRIVATE_IPSEC" tunnel create
                sap tunnel-1.private:12 create
                exit
                dynamic-tunnel-redundant-next-hop 172.1.2.2
            exit
            interface "To_Client" create
                address 10.1.7.1/24
                sap 1/1/3:0 create
                exit
            exit
            interface "SHUNT_IPSEC_PRIVATE" create
                address 172.1.2.1/30
                sap 1/1/1:110 create
                exit
            exit
            bgp
                group "PRIVATE_PEER"
                    family ipv4
                    preference 20
                    export "EXP_BGP_PRIVATE"
                    peer-as 65002
                    split-horizon
                    neighbor 10.1.7.7
                    exit
                exit
                no shutdown
            exit
            service-name "PRIVATE_IPSEC"
            no shutdown
        exit                    
    exit
  • (optional) configure TS-LIST
configure
    ipsec
        ts-list "LOCAL_NETWORK" create
            local
                entry 10 create
                    address prefix 10.7.0.0/24
                    protocol any
                exit
            exit
        exit
    exit
    service
        vprn 120 customer 1 create
            interface "PUBLIC_IPSEC" create
                sap tunnel-1.public:12 create
                    ipsec-gw "SeGW_Tunnel"
                        ts-negotiation ts-list "LOCAL_NETWORK"
                    exit
                exit
            exit
        exit
    exit
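An added example, not from the page and not Nokia code: IKEv2 responder-side traffic-selector narrowing (RFC 7296, section 2.9) in Python, which is what the `ts-list` above changes. Without a ts-list the gateway's local selector covers everything (the `0.0.0.0-255.255.255.255 any protocol` shown in the tunnel detail later on this page); with `LOCAL_NETWORK` the peer's proposal is intersected with `10.7.0.0/24`, and a proposal that does not overlap at all is rejected, modelled here as a TS_UNACCEPTABLE error. The selector representation, the function names and the sample proposals are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_PROTO = 0   # IKEv2 traffic selector protocol id 0 means any protocol


@dataclass(frozen=True)
class TrafficSelector:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    proto: int = ANY_PROTO
    port_start: int = 0
    port_end: int = 65535

    def __str__(self) -> str:
        proto = "any protocol" if self.proto == ANY_PROTO else f"protocol {self.proto}"
        return f"{self.start}-{self.end} {proto}"


def ts_from_prefix(prefix: str, proto: int = ANY_PROTO) -> TrafficSelector:
    """Build a selector covering one prefix, as a ts-list `address prefix` entry does."""
    net = ipaddress.ip_network(prefix, strict=False)
    return TrafficSelector(net.network_address, net.broadcast_address, proto)


TS_ANY = ts_from_prefix("0.0.0.0/0")   # what the gateway uses without a ts-list


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Overlap of two selectors, or None if they share no address, protocol or port."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    if start > end:
        return None
    if ANY_PROTO not in (a.proto, b.proto) and a.proto != b.proto:
        return None
    proto = b.proto if a.proto == ANY_PROTO else a.proto
    port_start, port_end = max(a.port_start, b.port_start), min(a.port_end, b.port_end)
    if port_start > port_end:
        return None
    return TrafficSelector(start, end, proto, port_start, port_end)


def narrow(proposed: List[TrafficSelector], local_policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """Responder-side narrowing: keep only the parts of the peer's proposal
    that fall inside the local ts-list."""
    chosen: List[TrafficSelector] = []
    for p in proposed:
        for local in local_policy:
            ts = intersect(p, local)
            if ts is not None and ts not in chosen:
                chosen.append(ts)
    return chosen


def negotiate(proposed_tsr: List[TrafficSelector], local_ts_list: List[TrafficSelector]) -> List[TrafficSelector]:
    """Selectors the responder would install; raises when nothing overlaps
    (a real responder answers with a TS_UNACCEPTABLE notify instead)."""
    chosen = narrow(proposed_tsr, local_ts_list)
    if not chosen:
        raise ValueError("TS_UNACCEPTABLE: proposal does not overlap the local ts-list")
    return chosen


LOCAL_NETWORK = [ts_from_prefix("10.7.0.0/24")]   # the page's ts-list "LOCAL_NETWORK"

if __name__ == "__main__":
    print("no ts-list, peer proposes any :", [str(t) for t in negotiate([TS_ANY], [TS_ANY])])
    print("ts-list, peer proposes any    :", [str(t) for t in negotiate([TS_ANY], LOCAL_NETWORK)])
    print("ts-list, peer proposes a host :", [str(t) for t in negotiate([ts_from_prefix("10.7.0.9/32")], LOCAL_NETWORK)])
    try:
        negotiate([ts_from_prefix("192.168.1.0/24")], LOCAL_NETWORK)
    except ValueError as exc:
        print("ts-list, peer proposes 192.168.1.0/24:", exc)
```

The first two prints reproduce the two behaviours the page shows: an `any/any` security policy with no ts-list lets the peer's `0.0.0.0/0` proposal through unchanged, while a ts-list narrows the same proposal to the configured prefix, so traffic outside `10.7.0.0/24` never gets an IPsec SA on the gateway side.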

Troubleshooting

  • Found this debug message: IKE-SA exchange timed out
69 2016/10/05 16:59:51.18 BKK MINOR: DEBUG #2001 Base IPsec
"IPsec: 44.44.44.1[500]-33.33.33.2[5*
IKE-SA exchange timed out, index=5477b8419e46bbaa:97bd37b31da0519f state=INIT_SE
NT"
 
70 2016/10/05 16:59:51.18 BKK MINOR: DEBUG #2001 Base IPsec
"IPsec: 44.44.44.1[500]-33.33.33.2[5*
IKE-SA deleted: side=responder tep={44.44.44.1[500],33.33.33.2[500],12} index=54
77b8419e46bbaa:97bd37b31da0519f"
  • Attempt to configure reassembly like this
A:SeGW-01# configure isa 
A:SeGW-01>config>isa# info
----------------------------------------------
        tunnel-group 1 isa-scale-mode tunnel-limit-2k create
            reassembly 5000
            ipsec-responder-only
            multi-active
            mda 1/2
            no shutdown
        exit
----------------------------------------------
  • And it works:
 A:SeGW-01# show ipsec gateway tunnel 
 
===============================================================================
IPsec Remote User Tunnels
===============================================================================
Remote Endpoint Addr                      GW Name           
 GW Lcl Addr                              SvcId             TnlType
  Private Addr                            Secure SvcId      BiDirSA
   Idi-Type      Value*                                    
-------------------------------------------------------------------------------
33.33.33.2:500                            SeGW_Tunnel      
 44.44.44.1                               120               cert
                                          110               true
   derAsn1Dn      C=TH,ST=BKK,CN=7750SR.test.co.th                           
-------------------------------------------------------------------------------
IPsec Gateway Tunnels: 1
===============================================================================
 A:SeGW-01# show ipsec gateway tunnel 33.33.33.2:500 
 
===============================================================================
IPsec Remote Users Tunnel Detail
===============================================================================
IP Addr: 33.33.33.2:500, port: 500
-------------------------------------------------------------------------------
Service Id       : 120                  Sap Id           : tunnel-1.public:12
Address          : 33.33.33.2:500
Private If       : PRIVATE_IPSEC
Private Service  : 110                  Template Id      : 1
Replay Window    : None                 Bi Direction SA  : true
Host MDA         : 1/2                 
Match TrustAnchor: None                
Last Oper Changed: 10/06/2016 07:04:05 
IKE IDI Type     : derAsn1Dn           
IKE IDI Value    : C=TH,ST=BKK,CN=7750SR.test.co.th
TS List          : <none>
Pre-Shared Key   : <none>
 
-------------------------------------------------------------------------------
Dynamic Keying Parameters
-------------------------------------------------------------------------------
Transform Id1    : 100                  Transform Id2    : None
Transform Id3    : None                 Transform Id4    : None
IPsec GW Name    : SeGW_Tunnel
Local GW Address : 44.44.44.1
Ike Policy Id    : 10                   Ike Pol Auth     : cert
Cert Profile     : SeGW
Trust Anchor Prof: SeGW                
Selected Cert    : None
Selected Key     : None
Send Chain Prof  : None
Local Id Type    : none                
Client Database
    Client Index : None                
Radius Acct Plcy : None                
Radius Auth Plcy : None                
 
Certificate Status Verify
-------------------------------------------------------------------------------
Primary          : crl                  Secondary        : none
Default Result   : good                
 
-------------------------------------------------------------------------------
ISAKMP-SA
-------------------------------------------------------------------------------
State            : Up                  
Established      : 10/06/2016 06:46:26  Lifetime         : 86400
Expires          : 10/07/2016 06:46:26 
 
ISAKMP Statistics
--------------------
Tx Packets       : 2                    Rx Packets       : 2
Tx Errors        : 0                    Rx Errors        : 0
Tx DPD           : 0                    Rx DPD           : 0
Tx DPD ACK       : 0                    Rx DPD ACK       : 0
DPD Timeouts     : 0                    Rx DPD Errors    : 0
 
-------------------------------------------------------------------------------
IPsec-SA : 1, Inbound (index 1)
-------------------------------------------------------------------------------
SPI              : 464913              
Auth Algorithm   : Sha256               Encr Algorithm   : Aes256
Installed        : 10/06/2016 07:05:10  Lifetime         : 86400
Local Traffic Selectors:
0.0.0.0-255.255.255.255
    any protocol
Remote Traffic Selectors:
10.7.9.0-10.7.9.255                  
    any protocol
 
Aggregate Statistics
--------------------
Bytes Processed  : 15780                Packets Processed: 263
Crypto Errors    : 0                    Replay Errors    : 0
SA Errors        : 0                    Policy Errors    : 0
 
-------------------------------------------------------------------------------
IPsec-SA : 1, Outbound (index 1)
-------------------------------------------------------------------------------
SPI              : 458923               
Auth Algorithm   : Sha256               Encr Algorithm   : Aes256
Installed        : 10/06/2016 07:05:10  Lifetime         : 86400
Local Traffic Selectors:
0.0.0.0-255.255.255.255
    any protocol
Remote Traffic Selectors:
10.7.9.0-10.7.9.255
    any protocol
 
Aggregate Statistics
--------------------                 
Bytes Processed  : 15780                Packets Processed: 263
Crypto Errors    : 0                    Replay Errors    : 0
SA Errors        : 0                    Policy Errors    : 0
 
===============================================================================
Fragmentation Statistics
===============================================================================
Encapsulation Overhead                 : 77
Pre-Encapsulation
    Fragmentation Count                : 0
    Last Fragmented Packet Size        : 0
Post-Encapsulation
    Fragmentation Count                : 0
    Last Fragmented Packet Size        : 0
===============================================================================
===============================================================================
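As an added example for the troubleshooting steps above (written for this page, not Nokia code and not part of the original), here is a Python parser for the SR OS IPsec debug output that re-joins the terminal-wrapped message lines, extracts the remote endpoint, IKE SPI index and state from each record, and counts `IKE-SA exchange timed out` events per remote peer. Repeated timeouts from one peer at the same point of the exchange are the symptom the page traced to fragmented IKE messages and fixed with `reassembly` on the tunnel-group. The sample input is the two records quoted above; the 80-column wrap rule, the event classification and the dataclass fields are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

WRAP_WIDTH = 80   # assumption: the CLI wraps the quoted message text at 80 columns

HEADER_RE = re.compile(
    r"^(\d+) (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\S+) (\w+): (\S+) #(\d+) (\S+) (\S+)$")
PEER_RE = re.compile(r"IPsec: (\d+\.\d+\.\d+\.\d+)\[(\d+)\]-(\d+\.\d+\.\d+\.\d+)\[")
INDEX_RE = re.compile(r"index=([0-9a-f]{16}:[0-9a-f]{16})")
STATE_RE = re.compile(r"state=([A-Z_]+)")


@dataclass
class IkeEvent:
    seq: int
    timestamp: str
    local: str
    remote: str
    kind: str              # "timeout", "deleted" or "other"
    index: Optional[str]   # IKE SPIs, initiator:responder
    state: Optional[str]
    message: str


def _records(text: str) -> List[List[str]]:
    """Group lines into records: a header line followed by its message lines."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if HEADER_RE.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return records


def _join_wrapped(lines: List[str]) -> str:
    """Re-join message lines the terminal wrapped: a line that is exactly
    WRAP_WIDTH characters continues on the next one; anything shorter ends a
    logical line (including the truncated '...[5*' header the CLI emits)."""
    out = ""
    for line in lines:
        out += line if len(line) == WRAP_WIDTH else line + "\n"
    return out.strip().strip('"')


def parse_debug_log(text: str) -> List[IkeEvent]:
    events: List[IkeEvent] = []
    for record in _records(text):
        header = HEADER_RE.match(record[0])
        message = _join_wrapped(record[1:])
        peer = PEER_RE.search(message)
        if header is None or peer is None:
            continue
        if "IKE-SA exchange timed out" in message:
            kind = "timeout"
        elif "IKE-SA deleted" in message:
            kind = "deleted"
        else:
            kind = "other"
        index = INDEX_RE.search(message)
        state = STATE_RE.search(message)
        events.append(IkeEvent(
            seq=int(header.group(1)), timestamp=header.group(2),
            local=peer.group(1), remote=peer.group(3), kind=kind,
            index=index.group(1) if index else None,
            state=state.group(1) if state else None, message=message))
    return events


def timeouts_by_remote(events: List[IkeEvent]) -> Dict[str, int]:
    """Count IKE-SA exchange timeouts per remote endpoint."""
    counts: Dict[str, int] = {}
    for event in events:
        if event.kind == "timeout":
            counts[event.remote] = counts.get(event.remote, 0) + 1
    return counts


# The two debug records quoted on this page, embedded as sample input.
SAMPLE_LOG = """\
69 2016/10/05 16:59:51.18 BKK MINOR: DEBUG #2001 Base IPsec
"IPsec: 44.44.44.1[500]-33.33.33.2[5*
IKE-SA exchange timed out, index=5477b8419e46bbaa:97bd37b31da0519f state=INIT_SE
NT"

70 2016/10/05 16:59:51.18 BKK MINOR: DEBUG #2001 Base IPsec
"IPsec: 44.44.44.1[500]-33.33.33.2[5*
IKE-SA deleted: side=responder tep={44.44.44.1[500],33.33.33.2[500],12} index=54
77b8419e46bbaa:97bd37b31da0519f"
"""

if __name__ == "__main__":
    for event in parse_debug_log(SAMPLE_LOG):
        print(event.seq, event.timestamp, event.remote, event.kind, event.state, event.index)
    print(timeouts_by_remote(parse_debug_log(SAMPLE_LOG)))
```

Pairing the timeout with the `IKE-SA deleted` record that carries the same index confirms the two lines belong to one failed negotiation; after `reassembly` is enabled the same parser run over fresh debug output should show the timeout count for that peer stop growing, which is a cheaper check than re-reading the raw log.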
  • If the MIMP state is eligible on both SeGWs (the tunnel-group is 'up', but no peer has been discovered)
    • This happens when the inter-chassis link is down
    • Another entry needs to be added to the policy statements on the master and standby SeGW so that the routes are still advertised
 *A:SeGW-01>config>router>policy-options# info 
----------------------------------------------
            prefix-list "LOCAL_GW"
                prefix 44.44.44.0/31 exact
            exit
            policy-statement "EXP_BGP_PUBLIC"
                entry 10
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-master-with-peer
                    exit
                    action accept
                        metric set 50
                    exit
                exit
                entry 20
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 100
                    exit
                exit                 
                entry 30
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 150
                    exit
                exit
                entry 40
                    from
                        prefix-list "LOCAL_GW"
                    exit
                    action accept
                        metric set 200
                    exit
                exit
            exit
            policy-statement "EXP_BGP_PRIVATE"
                entry 10
                    from
                        protocol ipsec
                        state ipsec-master-with-peer
                    exit
                    action accept
                        metric set 50
                    exit
                exit
                entry 20
                    from
                        protocol ipsec
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 100
                    exit
                exit
                entry 30
                    from
                        protocol ipsec
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 150
                    exit
                exit                 
                entry 40
                    from
                        protocol ipsec
                    exit
                    action accept
                        metric set 200
                    exit
                exit
            exit
 *A:SeGW-02>config>router>policy-options# info 
----------------------------------------------
            prefix-list "LOCAL_GW"
                prefix 44.44.44.0/31 exact
            exit
            policy-statement "EXP_BGP_PUBLIC"
                entry 10
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-master-with-peer
                    exit
                    action accept
                        metric set 50
                    exit
                exit
                entry 20
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 100
                    exit
                exit                 
                entry 30
                    from
                        prefix-list "LOCAL_GW"
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 150
                    exit
                exit
                entry 40
                    from
                        prefix-list "LOCAL_GW"
                    exit
                    action accept
                        metric set 300
                    exit
                exit
            exit
            policy-statement "EXP_BGP_PRIVATE"
                entry 10
                    from
                        protocol ipsec
                        state ipsec-master-with-peer
                    exit
                    action accept
                        metric set 50
                    exit
                exit
                entry 20
                    from
                        protocol ipsec
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 100
                    exit
                exit
                entry 30
                    from
                        protocol ipsec
                        state ipsec-non-master
                    exit
                    action accept
                        metric set 150
                    exit
                exit                 
                entry 40
                    from
                        protocol ipsec
                    exit
                    action accept
                        metric set 300
                    exit
                exit
            exit
----------------------------------------------
  • Entry 40 in both policy statements is used to advertise the prefix when the MC-IPsec mastership state is eligible; it carries no state match, so it catches whatever the earlier entries do not.
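Entry order and metric order are easy to get wrong in these policies, so here is an added lint (example code, not from the original post) that parses a policy-statement block in the form pasted above and flags unreachable entries, states with no explicit entry and metrics that do not rise from master to non-master. It assumes the SR OS "state" match accepts ipsec-master-with-peer, ipsec-master-without-peer and ipsec-non-master, and that the first matching entry wins.

```python
"""Lint an SR OS MC-IPsec route policy (added example, not the post's code)."""
import re

# State keywords the SR OS "state" match accepts, best first; None is the catch-all entry.
STATE_ORDER = ["ipsec-master-with-peer", "ipsec-master-without-peer",
               "ipsec-non-master", None]
ENTRY_SPLIT = re.compile(r"(?m)^[ \t]*entry (\d+)[ \t]*$")
STATE_RE = re.compile(r"(?m)^[ \t]*state (\S+)")
METRIC_RE = re.compile(r"(?m)^[ \t]*metric set (\d+)")

def parse_policy(text):
    """Return [(entry_id, state_or_None, metric_or_None)] in config order."""
    chunks = ENTRY_SPLIT.split(text)[1:]  # [id, body, id, body, ...]
    entries = []
    for entry_id, body in zip(chunks[::2], chunks[1::2]):
        state, metric = STATE_RE.search(body), METRIC_RE.search(body)
        entries.append((int(entry_id), state.group(1) if state else None,
                        int(metric.group(1)) if metric else None))
    return entries

def lint_policy(text):
    """Return a list of findings; an empty list means the policy looks sane."""
    findings, seen = [], {}
    for entry_id, state, metric in parse_policy(text):
        if state not in STATE_ORDER:
            findings.append(f"entry {entry_id}: unknown state {state}")
        elif state in seen:  # first matching entry wins, so this one is dead
            findings.append(f"entry {entry_id}: unreachable, {state or 'catch-all'}"
                            f" already matched by entry {seen[state][0]}")
        elif metric is None:
            findings.append(f"entry {entry_id}: no metric set")
        else:
            seen[state] = (entry_id, metric)
    findings += [f"no explicit entry for {s or 'catch-all'}"
                 for s in STATE_ORDER if s not in seen]
    metrics = [seen[s][1] for s in STATE_ORDER if s in seen]
    if metrics != sorted(set(metrics)):  # must be strictly increasing
        findings.append("metrics do not rise from master to non-master")
    return findings

def sros_entry(n, state, metric):
    """Render one SR OS policy entry (builds the constructed sample input)."""
    match = f"            state {state}\n" if state else ""
    return (f"    entry {n}\n        from\n            protocol ipsec\n{match}"
            f"        exit\n        action accept\n            metric set {metric}\n"
            f"        exit\n    exit\n")

# Constructed sample mirroring the EXP_BGP_PRIVATE policy on this page.
SAMPLE = 'policy-statement "EXP_BGP_PRIVATE"\n' + "".join(
    sros_entry(*e) for e in [(10, "ipsec-master-with-peer", 50), (20, "ipsec-non-master", 100),
    (30, "ipsec-non-master", 150), (40, None, 300)]) + "exit\n"
```

Run against the sample above, it reports entry 30 as unreachable (entry 20 already matches ipsec-non-master) and notes that ipsec-master-without-peer only falls through to the catch-all.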

Cisco (R5) Configuration

 R5#show run

hostname R5
ip domain name test.co.th
ip cef
no ipv6 cef
crypto pki trustpoint CA-ROOT
 enrollment mode ra
 enrollment url http://10.3.0.10:80/certsrv/mscep/mscep.dll
 serial-number
 fqdn R5.test.co.th
 subject-name cn=R5.test.co.th,OU=IT,O=SeGW,ST=BKK,C=TH
 revocation-check none
!
!
crypto pki certificate chain CA-ROOT
 certificate 6115E32D000000000009
        quit
 certificate ca 68082AB3685BFA8B43DA8C9C11B33470
        quit
!        
redundancy
!
!
!
!
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-128
 integrity sha256
 group 5
!
crypto ikev2 policy policy1
 match address local 10.3.5.5
 proposal ikev2-proposal
!
!
crypto ikev2 profile profile1
 match address local 10.3.5.5
 match identity remote fqdn SeGW.test.co.th
 match identity remote key-id SeGW.test.co.th
 match identity remote fqdn segw.test.co.th
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-ROOT
!
no crypto ikev2 http-url cert
!
!
crypto ipsec transform-set aes-sha-256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
!
!
crypto map cmap 1 ipsec-isakmp
 set peer 44.44.44.1
 set transform-set aes-sha-256
 set ikev2-profile profile1
 match address 103
!
!
!
!
!
interface Ethernet0/0
 ip address 10.3.5.5 255.255.255.0
 crypto map cmap
!        
interface Ethernet0/1
 ip address 10.5.8.254 255.255.255.0
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.3.5.3
!
!
!
access-list 103 permit ip 10.5.8.0 0.0.0.255 10.7.0.0 0.0.0.255
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
ntp server 172.16.98.2
!
end
Categories: Nokia, Security

5 replies »

  1. Hi, it seems like you are running this on a VSR/vSIM. Can you please let me know which version you are running?

    I am running version 13 and multi-chassis doesn’t come up? Thanks

  2. Hello Saby,

    Thanks for the article.
    It seems like you are running Nokia VSR/vSIM; can you please let me know which version you are running? I am running version 13 and cannot get multi-chassis up. Thanks
