IPsec SA Configuration

During the IKE_AUTH exchange, cooperating peers use the secure channel previously established by the IKE_SA_INIT exchange to negotiate child IPsec SAs to construct secure end-to-end IPsec tunnels between the peers. IKE_SA_INIT negotiations use the values provided by the ike-sainfo configuration element.

Use the following procedure to create an ike-sainfo configuration element that specifies cryptographic material used for IPsec tunnel establishment. You will later assign this ike-sainfo configuration element to an IPsec Security Policy which defines IPsec services for a specified IKEv2 interface.

  1. Access the ike-sainfo configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# ike
    ORACLE(ike)# ike-sainfo
    ORACLE(ike-sainfo)#
  2. name—Provide a unique identifier for this ike-sainfo configuration element.
    ORACLE(ike-sainfo)# name SA-1
  3. security-protocol—Specify the IPsec security (authentication and encryption) protocols supported by this SA.
    The default value is ah. Supported values are:
    • ah—Authentication Header. Provides authentication and integrity services, including the mutual identification of remote peers, non-repudiation of received traffic, detection of data that has been altered in transit, and detection of data that has been replayed, that is, copied and then re-injected into the data stream at a later time.
    • esp—Encapsulating Security Payload provides both authentication and privacy services.
    • esp-auth—Supports ESP’s optional authentication.
    • esp-null—Provides NULL encryption.
      WARNING: This option provides no privacy services and is not recommended for production environments.
  4. auth-algo—Specify the authentication algorithms supported by this SA.
    Available algorithms are:
    • any
    • md5
    • sha1
    • xcbc
    • sha2-256
    • sha2-384
    • sha2-512
  5. encryption-algo—Specify the encryption algorithms supported by this SA.
    The default is aes. Available algorithms are:
    • any—Accept any of the supported algorithms
    • 3des—Triple DES
    • aes—AES with CBC mode
    • aes-ctr—AES with counter mode
    • null—NULL encryption
  6. ipsec-mode—Specify the IPsec operational mode.
    • tunnel—Provides a secure end-to-end connection between two IP hosts.
    • transport—Provides VPN service where the entire IP packets are encapsulated within an outer IP envelope and delivered from source (an IP host) to destination (generally a secure gateway) across an untrusted internet.
  7. tunnel-local-addr—If using tunnel mode, specify the IP address of the local IKEv2 interface that terminates the IPsec tunnel.
    ORACLE(ike-sainfo)# tunnel-local-addr 172.30.89.10
  8. tunnel-remote-addr—If using tunnel mode, specify the IP address of the remote IKEv2 peer that terminates the IPsec tunnel.
    Provide the remote IP address or use the default wild-card value (*) to match all IP addresses.
    ORACLE(ike-sainfo)# tunnel-remote-addr *
  9. Type done to save your configuration.
  10. If necessary, configure additional IPsec SAs.
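The following is an added example, not Oracle's own code or tooling: it holds an ike-sainfo element as data, lints it for unsupported values and weak cryptographic choices before anything is typed into the device, and then renders the ACLI command sequence from the procedure above. The parameter names and permitted values are those the procedure lists; the `parameter value` command form is taken from the `name SA-1` and `tunnel-local-addr 172.30.89.10` lines and is assumed to hold for the other parameters; the weak/strong classifications and the sample addresses other than 172.30.89.10 are this example's own.

```python
"""Lint and render an ike-sainfo element (added example, not Oracle code)."""
from dataclasses import dataclass
from typing import List

# Permitted values, exactly as listed in the procedure.
SECURITY_PROTOCOLS = ("ah", "esp", "esp-auth", "esp-null")
AUTH_ALGOS = ("any", "md5", "sha1", "xcbc", "sha2-256", "sha2-384", "sha2-512")
ENCRYPTION_ALGOS = ("any", "3des", "aes", "aes-ctr", "null")
IPSEC_MODES = ("tunnel", "transport")


@dataclass
class IkeSaInfo:
    """One ike-sainfo element; defaults marked 'page default' come from the procedure."""
    name: str
    security_protocol: str = "ah"   # page default
    auth_algo: str = "sha2-256"     # this example's choice; the page states no default
    encryption_algo: str = "aes"    # page default
    ipsec_mode: str = "tunnel"      # this example's choice; the page states no default
    tunnel_local_addr: str = ""
    tunnel_remote_addr: str = "*"   # page default wildcard


@dataclass
class Finding:
    severity: str  # "error" blocks rendering; "warn" is advisory
    code: str
    message: str


def lint(sa: IkeSaInfo) -> List[Finding]:
    """Return findings for unsupported values, missing tunnel addresses and weak choices."""
    out: List[Finding] = []
    for param, value, allowed in (("security-protocol", sa.security_protocol, SECURITY_PROTOCOLS),
                                  ("auth-algo", sa.auth_algo, AUTH_ALGOS),
                                  ("encryption-algo", sa.encryption_algo, ENCRYPTION_ALGOS),
                                  ("ipsec-mode", sa.ipsec_mode, IPSEC_MODES)):
        if value not in allowed:
            out.append(Finding("error", "BAD_VALUE", f"{param} {value!r} is not supported"))
    if sa.ipsec_mode == "tunnel" and not sa.tunnel_local_addr:
        out.append(Finding("error", "MISSING_LOCAL_ADDR", "tunnel mode needs tunnel-local-addr"))
    # Confidentiality: esp-null / null encryption carry the payload in clear text (the
    # page's own warning); ah authenticates but never encrypts.
    if sa.security_protocol == "esp-null" or sa.encryption_algo == "null":
        out.append(Finding("warn", "NO_CONFIDENTIALITY", "NULL encryption: no privacy, not for production"))
    elif sa.security_protocol == "ah":
        out.append(Finding("warn", "AH_ONLY", "ah gives integrity only; use esp if the payload must be private"))
    # Algorithm strength: md5 and 3des are discouraged for IPsec (RFC 8221); sha1 is legacy.
    if sa.auth_algo in ("md5", "sha1"):
        out.append(Finding("warn", "WEAK_AUTH", f"auth-algo {sa.auth_algo}: prefer sha2-256 or stronger"))
    if sa.encryption_algo == "3des":
        out.append(Finding("warn", "WEAK_ENCRYPTION", "3des: prefer aes or aes-ctr"))
    # 'any' lets the peer's proposal decide, including its weakest offered algorithm.
    if "any" in (sa.auth_algo, sa.encryption_algo):
        out.append(Finding("warn", "NEGOTIATES_ANY", "'any' accepts whatever the peer proposes"))
    if sa.ipsec_mode == "tunnel" and sa.tunnel_remote_addr == "*":
        out.append(Finding("warn", "WILDCARD_PEER", "tunnel-remote-addr * matches every peer address"))
    return out


def render(sa: IkeSaInfo) -> List[str]:
    """Render the ACLI commands in the order the procedure enters them; refuse on errors."""
    errors = [f.message for f in lint(sa) if f.severity == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["configure terminal", "security", "ike", "ike-sainfo",
             f"name {sa.name}",
             f"security-protocol {sa.security_protocol}",
             f"auth-algo {sa.auth_algo}",
             f"encryption-algo {sa.encryption_algo}",
             f"ipsec-mode {sa.ipsec_mode}"]
    if sa.ipsec_mode == "tunnel":  # tunnel addresses apply only in tunnel mode
        lines += [f"tunnel-local-addr {sa.tunnel_local_addr}",
                  f"tunnel-remote-addr {sa.tunnel_remote_addr}"]
    lines.append("done")
    return lines


# Constructed samples: 172.30.89.10 is the local address from the procedure,
# 192.0.2.7 a constructed documentation-range peer address.
STRONG_SA = IkeSaInfo(name="SA-1", security_protocol="esp", auth_algo="sha2-256",
                      encryption_algo="aes", ipsec_mode="tunnel",
                      tunnel_local_addr="172.30.89.10", tunnel_remote_addr="192.0.2.7")
LEGACY_SA = IkeSaInfo(name="SA-legacy", security_protocol="esp-null", auth_algo="md5",
                      encryption_algo="null", tunnel_local_addr="172.30.89.10")

if __name__ == "__main__":
    for sa in (STRONG_SA, LEGACY_SA):
        print(f"--- {sa.name}")
        for f in lint(sa):
            print(f"{f.severity.upper()} {f.code}: {f.message}")
        print("\n".join(render(sa)))
```

Running the script prints an empty finding list and the twelve ACLI lines for SA-1, and three warnings (no confidentiality, weak auth, wildcard peer) for SA-legacy before its commands; an element with an unsupported value or a tunnel-mode element lacking tunnel-local-addr is refused by render() rather than pushed to the device.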