IPSec How-To Document

Before we start setting up a simple lab for IPSec, it is very important to note that you should
have a license that will let you use the IPSec functionalities.

Step 1:-
Initially the subnet tab for Client/Server will look something like this figure 1.

Figure no. 1

To enable and configure IPSec parameters you need to click on the tools->preferences as
below
Once you click the preferences tab, you will a small window like below. Click on the Subnet
Profiles tab to see the options for subnets. By default, all the subnet’s profiles are unchecked.
To enable IPSec click on the boxes to check them. The final configuration should look like
figure no 3.

Figure no. 3

Click ok to finish.

Now if you click on the Subnets tab, you will see bunch of options for IPSec configuration as
shown below in figure 4
To enable IPSec for a given subnet, check Enable IPSec box. Once you checked it, you will see
the default values for the required fields. Not all the fields will be enabled as not all of them are
required for simple IPSec configuration. Few of the fields are required for Remote access,
which we will discuss later.

Figure no.

You will need to specify the following fields:

• Gateway Version
The IP version of the gateways. (Enabled only for the Site-to-Site tunnel.)
Select to display a drop-down menu with these options:
• IPV4
• IPV6

• Local Gateway
The IP address of the local gateway. (Enabled only for the Site-to-Site tunnel.)
NOTE: Dotted notation format is used for IPv4. For IPv6, the IPv6 address is derived from
the MAC address below.

• Mac Address
The MAC address of the local gateway. (Enabled only for the Site-to-Site tunnel.)

• Remote Gateway
The IP address of the remote gateway.
NOTE: Dotted notation format is used for IPv4 and colon notation for IPv6.

• IKE Mode
The IKE mode for Phase 1. This determines the messages that are exchanged between the
initiator and responder to negotiate the Phase 1 Security Association (SA).
Select to display a drop-down menu with these options:
• Aggressive
• Main

• ISAKMP ID
A string representing the ISAKMP (Internet Security Association and Key Management
Protocol) identification payload. (This string can be any name, since it is used as an
identifier.)
 Note:- Make sure that the ISAKMP ID is same on both client and server side.
• D-H Group
The Diffie-Hellman group for Phase 1 (group 1, group 2, or group 5). The size of the group
determines the level of security of the Diffie-Hellman key exchange. (The higher the group
number, the greater the security.) The groups use traditional exponentiation over a prime
modulus (MODP). These options are key exchanges only, and do not encrypt the data.
Select to display a drop-down menu with these options:
• Group 1 (MODP-768)
• Group 2 (MODP-1024)
• Group 5 (MODP-1536)

• Hash
The hash authentication method used for Phase 1 to verify that the packets being received
were sent by the stated source.
Select to display a drop-down menu with these options:
• MD5—A message-digest algorithm that derives a secure, irreversible, cryptographically
strong hash value. This is considered less secure than SHA-1.
• SHA-1—The Secure Hash Algorithm version one, and is part of the U.S. Digital Signature
Standard (DSS). This algorithm is considered very secure.

• Encryption
The encryption method used for Phase 1 to transform the payload data in the packets from
an intelligible form (plaintext) into an unintelligible form (cipher text), and back.
Select to display a drop-down menu with these options:
• ESP-DES—The Data Encryption Standard, defined by the U.S. government. DES is a
symmetric 64-bit block cipher that uses a 56-bit key.
• ESP-3DES—A variant of DES, and is the most accepted method. 3DES is a combined set
of two DES keys totaling 112 bits. Due to its larger size, 3DES is considered much more
secure that DES.
• ESP-AES-128—AES (Advanced Encryption Standard) with a 128-bit key.
• ESP-AES-192—AES with a 192-bit key.
• ESP-AES-256—AES with a 256-bit key.

• Authentication
The authentication method for phase 1. (Enabled only for the Site-to-Site tunnel.)
Select to display a drop-down menu with these options:
• Preshared Key
• Digital Certificates

• Preshared Key
The key string to be used when doing Preshared Key authentication (above).

As this lab is for simple IPSec, we are not going to look into other parameters.
Few important points to note
• Gateway version, IKE Mode, ISAKMP ID, D-H Group, Hash, Encryption,
Authentication should be same on both client ands server sides.
• If Preshared Key authentication is used, Preshared Key should be same on both sides.
• If Digital Certificates authentication is used, you need to upload certificates files as
explained below.
• Local Gateway for client should be the remote gateway for server and vice verse
You can also use the policy generator tab to create multiple subnets with same
configuration. This is the fastest and simplest way to create multiple subnets. You can start
by clicking the Policy Generator tab shown below.

Once you clicked Policy Generator tab, you will see a policy generator wizard as below
Step 1:

You need to specify the followings

• Subnet Name prefix :- Prefix for the names of subnets. Subnets will be created with
postfix like 000.001,002 and so on.
• Subnet IP Version :- IP version of the subnet. By default IPv4 version is selected.
You can select IPv6 subnet also for IPv6 hosts.
Note:- We currently don’t support IPSec tunnels with IPv6 hosts
 • Starting Network: The starting network address. Rest of the network address will be
the addresses calculated using this address and the subnet mask specified next to it.

If you specify the Subnet IP Version as IPv6, you need to specify the Starting MAC
Address

• Number of Subnets:-You can specify the number of subnets you want to generate.
• Hosts per Subnet:- Number of hosts you want on each subnets.

Step 2:
Once you specified all the required fields, click next. You will see the following

Here you need to specify the followings

• IPSec Mode
o Site to Site Tunnels
 o Remote Access Emulation

• Gateway IP Version
o IPv4 Tunnel
The Gateway is using IPv4 addressing scheme.
o IPv6 Tunnel
The Gateway is using IPv6 addressing scheme
Important :- We can have Gateways with IPv6 address but we can not have hosts with IPv6
address. We don’t support IPv6 host at this point.
• Local Gateway MAC address
The MAC Address of local Gateway.
• Local Gateway IP Address
IP address of Local Gateway. If you select Gateway IP version as IPv6, this option will
not be available as its not required. Also If you select IPSec mode as Remote Access
Emulation, this field will be disabled.
• Remote Gateway IP Address
Depending on the Gateway IP version selected, you need to specify the IP address of
the gateway in IPv4 or IPv6 scheme.

Step 3:
Once you click Next, you will see the following window
This is where you specify the policies for the ISAKMP Security Association i.e. for Phase 1. It
is very important that all the fields specified here for the client side should be same as specified
on the server side.

The fields are

• D-H Group
• Hash Algorithm
• Encryption
• IKE Mode
• ISAKMP ID Prefix
• Authentication Type
o Preshared Key
o Digital Certificates
• Preshared Key Prefix
• Digital Certificates
o Certificate File
o Private Key File
o Ca Certs

Step 4:-
Choose the D-H group, Hash Algorithm and Encryption from the drop down menu.

That’s it. You will see the number of subnets created for you in the subnet tabs with your
configuration as below.
If you click on any subnet and click on the IPSec tab below

For a simple IPSec test, you can use the default settings. No need to change them.

Rest of the test configuration is similar to any other test.

Below is a matrix of configuration we support

Subnet Gateway Commander

Version Version 7.0
V4 V4 Supported

V4 V6 Supported

V6 V4 Not
supported
V6 V6 Not
supported