Allied Telesis RAPIER I User Manual
Software Version 2.8.1
C613-10477-00 REV B

Enhancements to IPsec/VPN

This Software Version includes enhancements in the following IPsec functions:

- Responding to IPsec Packets from an Unknown Tunnel
- Modifying the Message Retransmission Delay
- Retrying ISAKMP Phase 1 and 2 Negotiations
- VPN Tunnel Licencing

This section describes the enhancements. The modified commands to implement them are described in Command Reference Updates.

Responding to IPsec Packets from an Unknown Tunnel

This Software Version allows the router or switch to send a notification
message to a peer when IPsec traffic from the peer is not recognised. When the
peer receives the message, it deletes the SAs it has for the router or switch. This
provides a way to ensure that only valid IPsec tunnels exist between the router
or switch and its peer.

To enable the router or switch to send this type of notification message to its peer, use the new respondbadspi parameter in the command:

create ipsec policy=name interface=interface action=ipsec keymanagement=isakmp peeraddress=ipv4add respondbadspi=true [other parameters]

This feature is only valid for connections where:

- The peer IP address is a static IPv4 address.
- IPsec tunnel mode is used. This is specified by setting the mode parameter to tunnel in the create ipsec saspecification command.
- The ISAKMP policy for the peer has the mode parameter set to main, and the sendnotify parameter set to true.
- The IPsec policy for the peer has the action parameter set to ipsec, the keymanagement parameter set to isakmp, and the peeraddress parameter set to a valid IPv4 address.
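The following script puts the four requirements together in one configuration. It is an added example, not from the manual: the parameters the page names (respondbadspi, mode=tunnel, mode=main, sendnotify, action=ipsec, keymanagement=isakmp, peeraddress) are as documented above, while the surrounding commands and parameters (create enco key, bundlespecification, the permit policy for UDP port 500, set ipsec policy laddress/raddress, enable ipsec and enable isakmp) are taken from the general AlliedWare CLI and are assumptions this page does not confirm. The interface name, addresses and key value are made up.

```text
# Added example, not from the manual. Commands other than the documented
# parameters are assumed AlliedWare CLI syntax; addresses and key are made up.

# Pre-shared key referenced by the ISAKMP policy (assumed command)
create enco key=1 type=general value="replace-with-a-long-random-secret"

# ISAKMP policy for the static peer. Requirement from the page: mode=main and
# sendnotify=true, otherwise no delete notification can be sent.
create isakmp policy=hq peer=203.0.113.1 key=1 mode=main sendnotify=true

# SA specification. Requirement from the page: mode=tunnel (respondbadspi is
# not valid for transport mode). encalg/hashalg values are assumed names.
create ipsec saspecification=1 protocol=esp encalg=3desouter hashalg=sha mode=tunnel

# Bundle tying the SA specification to ISAKMP key management (assumed command)
create ipsec bundlespecification=1 keymanagement=isakmp string="1"

# Let ISAKMP itself (UDP 500) pass before the protected policy (assumed command)
create ipsec policy=isakmp interface=eth0 action=permit lport=500 transport=udp

# The protected policy. Requirements from the page: action=ipsec,
# keymanagement=isakmp, a static IPv4 peeraddress, and respondbadspi=true.
create ipsec policy=hqvpn interface=eth0 action=ipsec keymanagement=isakmp bundlespecification=1 peeraddress=203.0.113.1 respondbadspi=true

# Traffic selectors for the tunnel (assumed command)
set ipsec policy=hqvpn laddress=10.1.0.0 lmask=255.255.0.0 raddress=10.2.0.0 rmask=255.255.0.0

enable ipsec
enable isakmp
```

The point to check on an existing device is that all four conditions hold at once: if the ISAKMP policy uses mode=aggressive or sendnotify=false, or the IPsec policy has no static peeraddress, setting respondbadspi=true has no effect and the peer is never told that the SAs are gone.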

The router or switch recognises traffic for current IPsec tunnels by checking the
Security Parameter Index (SPI) value of the IPsec packets. If the router or
switch receives an IPsec packet with an unknown SPI value from a known peer,
this indicates there is a discrepancy with the IPsec tunnel between the router or
switch and its peer. When the respondbadspi parameter is configured to true,
the router or switch can then send a message to the peer, notifying it to delete
the SAs for the router or switch, which closes the tunnel.

Unknown SPI values can occur if the router or switch restarts while an IPsec tunnel is up. Because its IPsec SAs are lost on restart, the router or switch no longer recognises traffic sent through that tunnel. However, the peer keeps sending traffic via the tunnel unless it is notified that the SAs are invalid.
