System Security Configuration Guide for Cisco NCS 540 Series Routers, IOS XR Release 7.11.x
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
You can now use IP Security (IPSec), a protocol suite that authenticates and encrypts packets of data to provide secure communication
over an unprotected network for all management traffic flows between routers.
This feature modifies the tunnel mode command for tunneled interfaces.
Note
The IPSec and IKEv2 commands apply to the below listed Cisco NCS 540 series routers only:
N540X-12Z16G-SYS-D
N540X-12Z16G-SYS-A
The key components in IPSec are as follows:
IPSec Profile: The IPSec profile consists of the details about the Internet Key Exchange Version 2 (IKEv2) profile and transform set for
IPSec communication.
Transform Set: A transform set includes the encapsulation mode and Encapsulating Security Payload (ESP) transform needed for the IPSec
network.
IKEv2 Profile: The IKEv2 profile details the keyring, lifetime period of the security association (SA), authentication method for identifying
the IPSec Peer, and the IP address of the IPSec Peer. IKEv2 profile supports both Preshared Secret Keys (PSK) and X.509v3
Certificate (RSA Signature) based authentication.
IKEv2 Keyring: The IKEv2 keyring consists of the preshared keys along with the IP address IKEv2 negotiations used to establish the peer
tunnel.
IKEv2 Policy: The IKEv2 policy consists of the proposals that detail the encryption, integrity, pseudo-random function (PRF) algorithms,
and Diffie-Hellman (DH) group in the IKE SAs exchange along with the IP address for the IPSec tunnel interface.
IKEv2 Proposal: The IKEv2 proposal consists of the parameters for negotiation of Internet Key Exchange (IKE) security associations (SA).
The parameters used in the IKE SA negotiation are encryption, integrity, PRF algorithms, and dh-group.
In the IPSec feature, a tunnel is established between the peer routers and all management traffic packets flows through it.
The IPSec tunnel is created over the physical interfaces in the peer routers. The individual tunnel interfaces in the routers
are associated with an IPSec profile. Overall the IPSec profile details the information regarding the parameters used for
encapsulation or decapsulation along with the authentication parameter that ensures the packets following in the tunnel are
secure to be transmitted over unprotected networks.
When you configure the IPSec features on Interface A in Router A and Interface B in Router B, this feature ensures all the
management traffic flowing between interfaces A, and B is encrypted and transferred through a virtual IPSec tunnel. The routers
use the IPSec profile to establish a virtual IPSec tunnel and for traffic encryption and decryption. The IPSec configuration
on interface A contains the source address (IP address for interface A), source interface type, destination address (IP address
for interface B), IPSec profile, and tunnel mode. Similar parameters are available in the IPSec configuration for interface
B. Further interfaces A and B negotiate the conditions to establish the virtual IPSec tunnel. This negotiation is encrypted
and decrypted using the IKEv2 Policy. The IKEv2 Policy includes the local interface address and the IKEv2 Proposal. The IKEv2
Proposal has the traffic type, authentication, encryption, integrity, Pseudo-Random Function (PRF), and DH-Group values. After
successfully establishing the virtual IPSec tunnel, the peer interfaces (Interfaces A and B) authenticate each other using
the keyring value obtained from the IKEv2 Profile. Once authentication is complete, all the management traffic between interface
A and B flow through the virtual IPSec tunnel until the keyring expiry. The management traffic following through the IPSec
virtual tunnel is encrypted using the Transform Set. The Transform Set includes the IPSec data communication mode and encryption
algorithm.
Feature Highlights
IPSec feature works on virtual tunnel interfaces (VTI) as the endpoints of the virtual network. All traffic passing through
a tunnel interface is sent to the IPSec processing. All traffic matching the IPSec criteria routes into a VTI interface via
static or dynamic routing rules
IPSec feature can be applied to any number of interfaces in the router, given you configure the IPSec feature on both the
endpoints.
The IPSec feature supports the following security features:
IKEv2 Negotiations for virtual IPSec tunnel:
Encryption algorithms: AES-CBC-128, AES-CBC-192, AES-CBC-256, AES-GCM-128, and AES-GCM-256
Router# config
Router (config)# ipsec profile set ikev2 profile ikev2_prof_mgmt_P2
Router (config)# ipsec profile set pfs group19
Router (config)# ipsec profile set security-association lifetime seconds 600
Router (config)# ipsec profile set transform-set ts_mgmt_P2
Router (config)# ipsec profile set responder-only >>> This command sets the router as a responder and will not initiate an IPSec session.
Router (config)# commit
Router# show ipsec sa
Tue Oct 5 15:45:55.597 IST
If/name SA-Id Inbound SPI Outbound SPI
---------------------------------------------------------
tunnel-ip1 804 0x2c378849 0xa9ed8828
Router# show ikev2 session
Session ID : 1
===================================
Status : UP-ACTIVE
IKE Count : 1
Child Count : 1
IKE SA ID : 1
---------------------------------------------------
Local : 1.1.1.1/500
Remote : 1.1.1.2/500
Status(Description) : READY (Negotiation done)
Role : Initiator
Child SA
----------------------------------------------
Local Selector : 1.1.1.1/1000 - 1.1.1.1/1000
Remote Selector : 1.1.1.2/1000 - 1.1.1.2/1000
ESP SPI IN/OUT : 0x6c7b15b7 / 0xbf55acd7
Router# show ikev2 summary
IKEv2 Session Summary
-------------------------------------------------
Total Sa (Active/Negotiation) : 2 (1/1)
Total Outgoing Sa (Active/Negotiation) : 2 (1/1)
Total Incoming Sa (Active/Negotiation) : 0 (0/0)
P/0/RP0/CPU0:ios# show ikev2 session detail
Session ID : 1
==========================================================
Status : UP-ACTIVE
IKE Count : 1
Child Count : 1
IKE SA ID : 1
--------------------------------------------------------------------
Local : 1.1.1.1/500
Remote : 1.1.1.2/500
Status(Description) : READY (Negotiation done)
Role : Initiator
Encryption/Keysize : AES-CBC/128PRF/Hash/DH Group : SHA1/SHA256/20Authentication(Sign/Verify) : PSK/PSKAuthentication(Sign/Verify) : RSA/RSA (for certificate based)
Life/Active Time(sec) : 86400/2043
Session ID : 1
Local SPI : 3B95C7FCC6A69D0A
Remote SPI : F44C4DBCFEE67F07
Local ID : 1.1.1.1
Remote ID : 1.1.1.2
Child SA
--------------------------------------------------------------------
Local Selector : 1.1.1.1/1000 - 1.1.1.1/1000
Remote Selector : 1.1.1.2/1000 - 1.1.1.2/1000
ESP SPI IN/OUT : 0x6c7b15b7 / 0xbf55acd7
Encryption : AES-GCMKeysize : 256
ESP HMAC : None
Router# show ipsec sa interface tunnel-ip1
Sun Feb 6 12:10:40.908 IST
-------------------------------------
Interface Name : tunnel-ip1
Interface handle : 0x800090
SA id : 713
Mode : Tunnel
-------------------------------------
Inbound SA
SPI : 0xab487871
Protocol : ESPEncrypt Algorithm : ESP_192_AESAuth Algorithm : HMAC_SHA_256Rekey (After Seconds): 37
-------------------------------------
Outbound SA
SPI : 0x1488529e
Protocol : ESPEncrypt Algorithm : ESP_192_AESAuth Algorithm : HMAC_SHA_256Rekey (After Seconds): 37