The Internet Key Exchange port (IKE)

Revised for CPX 4.8.0.
Introduction
Terminology
Configuration of the IKE port
Diagnostics of the IKE port
Statistics of the IKE port



Introduction

Terminology

DH. Diffie-Hellman (DH) key exchange protocol. A protocol that allows two parties without any initial shared secret to create one in a manner immune to eavesdropping. Once they have done this, they can communicate privately by using that shared secret as a key for a block cipher or as the basis for key exchange.

PSK. Pre-shared Keys. When two parties have arranged a trusted method of distributing secret keys, those keys can be used for their mutual authentication.

Configuration of the IKE port

The IKE port is referred to by the abbreviation "IKE", and all of its parameters are described in this chapter.

Here is an example of the IKE port parameters:


[01:14:19] ABILIS_CPX:d p po:ike

PO:921 - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------
IKE    ------------------------------------------------------------------------
       LOG:DS       lowpo:902       ACT:YES      mxps:2048   NRTY:3    TB:10
       WDIR:C:\APP\IKE\
       NATT:AUTO    NATT-N-IKE:YES  NATT-PF:YES  NATT-KA:20

To activate changes made to the parameters displayed in lower-case characters, the system must be restarted; changes made to the upper-case parameters are activated by executing the initialization command INIT PO:.
Changes made to the LOG: parameter are immediately active.

The "Not Saved (SAVE CONF)" message is displayed every time the port configuration is modified but not saved with the SAVE CONF command.

The "Not Refreshed (INIT)" message is displayed every time the port configuration is modified but not refreshed with the INIT PO: command.

Details of the IKE port parameters


LOG: Events logging activation and generation of alarm signals
Default: DS. Values: NO, D, S, A, L, T, ALL, +E

This parameter activates or deactivates the logging of the port's meaningful events, as well as the detection and signalling of alarms on critical events.

The following table shows the available options and their functions:

D: Recording of the driver state changes and/or the meaningful events in the Debug Log
S: Recording of the driver state changes and/or the meaningful events in the System Log
A: Periodic detection of possible alarms. The detected alarms can be displayed with the command ALARM VIEW or with the analogous command available in the UTILITY menu of the LCD display on the front panel
L: On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on the activation of alarm detection by the "A" option
T: Generation by the SNMP Agent of Abilis CPX of SNMP traps corresponding to any change of the driver state and/or the occurrence of meaningful events

Besides the options already described, the following values are also allowed:

NO: All the logging functionalities and the alarm detection and generation mentioned above are disabled.
ALL: All the logging functionalities and the alarm detection and generation mentioned above are enabled.
+E: Added to one or more of the previous options, this extends their set of meaningful events. The value "ALL+E" activates all the options and extends the set of meaningful events; the value "NO+E" is meaningless and is ignored.

Options can be combined together.

Some examples:

By using the characters "+" and "-" as a prefix to one or more options, it is possible to add or remove functionalities without setting the parameter value from scratch.

Some examples:

Warning! The changes made to this parameter are immediately activated, without the need for initialization commands.
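As an added example (not part of the Abilis CPX documentation or firmware), the following Python parser applies the LOG: value syntax described above: absolute values such as NO, ALL, DS or DSA+E, and relative values prefixed with "+" or "-" that modify the current setting. It also renders an option set back into the display form (LOG:DS) and flags an L option set without A, which the option table says is required. The parser assumes that "NO+E" is treated as plain "NO"; the function names are this example's own.

```python
# Added example (not Abilis CPX code): parser/renderer for the LOG: parameter
# value syntax. Assumption: "NO+E" is treated as plain "NO".

# The single-letter options in display order; "E" is the "+E" extension flag.
BASE_OPTIONS = "DSALT"


def parse_log_value(value, current=frozenset()):
    """Return the option set resulting from applying `value` to `current`.

    Absolute forms: NO, ALL, ALL+E, DS, DSA+E ...  (replace the whole set)
    Relative forms: +A, -S, +AL-T+E ...            (modify `current`)
    """
    v = value.strip().upper()
    if not v:
        raise ValueError("empty LOG: value")
    if v in ("NO", "NO+E"):            # NO+E is meaningless, treated as NO
        return frozenset()
    if v == "ALL":
        return frozenset(BASE_OPTIONS)
    if v == "ALL+E":
        return frozenset(BASE_OPTIONS) | {"E"}
    if v[0] in "+-":
        # Relative form: each '+' or '-' applies to the letters that follow it.
        result = set(current)
        sign = None
        for ch in v:
            if ch in "+-":
                sign = ch
                continue
            if ch not in BASE_OPTIONS + "E":
                raise ValueError(f"unknown LOG: option {ch!r}")
            if sign == "+":
                result.add(ch)
            else:
                result.discard(ch)
        return frozenset(result)
    # Absolute form: a run of option letters, optionally followed by "+E".
    base, _, ext = v.partition("+")
    if ext not in ("", "E") or any(ch not in BASE_OPTIONS for ch in base):
        raise ValueError(f"invalid LOG: value {value!r}")
    return frozenset(base) | ({"E"} if ext else frozenset())


def render_log_value(options):
    """Render an option set the way the port display shows it (e.g. LOG:DS)."""
    letters = "".join(ch for ch in BASE_OPTIONS if ch in options)
    if not letters:
        return "NO"                    # E on its own is meaningless, so NO
    text = "ALL" if letters == BASE_OPTIONS else letters
    return text + ("+E" if "E" in options else "")


def check_log_value(options):
    """Return configuration warnings: L (acoustic/LCD alarm signal) only works
    when A (periodic alarm detection) is enabled as well."""
    warnings = []
    if "L" in options and "A" not in options:
        warnings.append("L is set without A: no alarm is ever detected, "
                        "so no signal can be raised")
    return warnings


if __name__ == "__main__":
    opts = parse_log_value("DS")       # the default shown in the port display
    for step in ("+A", "+L", "-A", "+E"):
        opts = parse_log_value(step, opts)
        print(f"{step:>4} -> LOG:{render_log_value(opts)} {check_log_value(opts)}")
```

Running the block walks a DS setting through "+A", "+L", "-A" and "+E", and the warning appears at the "-A" step, where the acoustic signal has been left enabled with nothing to trigger it.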


lowpo: Identifier of the Abilis CPX lower level port
Default: NONE. Values: 1 - 999, NONE

It sets the Abilis CPX lower level port. It can only be a UDP port.

Value "NONE" isolates the IKE port.


ACT: Runtime activation/deactivation of IKE
Default: NO. Values: NO, YES

This parameter allows the IKE functionalities to be activated or deactivated at run time.

When it is set to "YES", the port is configured and active, and the IKE driver performs its activities.

When it is set to "NO", the port is configured and active, but the IKE driver does not execute any action.


mxps: Maximum length of UDP datagram which can be processed by IKE driver
Default: 2048. Values: 2048-4096

It specifies the maximum length of a UDP datagram that can be processed by the IKE driver port.

This value cannot be changed without CPX restart.


NRTY: Maximum number of IKE packet retransmissions
Default: 3. Values: 1-5

It specifies the maximum number of IKE packet retransmissions.


TB: Retransmission IKE packet delay
Default: 10. Values: 5-30

It specifies the delay between IKE packet retransmissions.


WDIR: Directory where IKE.CNS file is located
Default: C:\APP\IKE\. Values: from 1 up to 128 ASCII extended characters [32..255]

This parameter selects the directory where IKE.CNS file is saved. It cannot be empty. It must be a physical full path in DOS notation, i.e. starting with a drive letter in the range ['A'..'Z'] and ending with the '\' character. The maximum accepted working directory string length is 128 characters. Case is preserved and spaces are allowed, but strings holding spaces must be written between quotation marks (E.g.: "C:\My dir\").


NATT: NAT traversal working mode
Default: NO. Values: NO, YES, AUTO

Specifies the NAT traversal working mode for the IKE port.

NO: NAT traversal is disabled
YES: Forced NAT traversal mode
AUTO: NAT traversal is automatically detected


NATT-N-IKE: NAT traversal port floating flag
Default: NO. Values: NO, YES

Specifies whether the NAT traversal port floating is enabled or disabled.

NO: Port floating is disabled
YES: Port floating is enabled


NATT-PF: NAT traversal NON-IKE marker flag
Default: NO. Values: NO, YES

Specifies whether the NAT traversal NON-IKE marker is enabled or disabled.

NO: NON-IKE marker is disabled
YES: NON-IKE marker is enabled


NATT-KA: NAT traversal keep-alive timer
Default: 20. Values: 10-240

Specifies the NAT traversal keep-alive timer.
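The three NAT traversal parameters above (port floating, the NON-IKE marker and the keep-alive timer) all show up on the wire on UDP port 4500, where IKE and ESP share one port after floating. As an added example (not Abilis CPX code and not taken from this page), the following Python classifier tells the three kinds of datagram apart on that port. It assumes the RFC 3948 framing: a keep-alive is a single 0xFF octet, an IKE datagram is preceded by a 4-byte zero marker (the "non-ESP marker" in the RFC's terms), and ESP otherwise starts with its non-zero SPI; it additionally accepts the earlier draft form of the same idea, an 8-byte zero marker placed in front of ESP, which is assumed here to be what the page calls the NON-IKE marker. The ISAKMP exchange-type numbers (2 for Main mode, 32 for Quick mode) are the IKEv1 values; the sample datagrams are constructed.

```python
# Added example (not Abilis CPX code): classify datagrams on the NAT-T UDP port
# 4500 according to RFC 3948 framing. Assumptions: keep-alive = one 0xFF octet;
# IKE carries a 4-byte zero marker; the page's "NON-IKE marker" is taken to be the
# earlier-draft 8-byte zero marker in front of ESP.
import struct

ISAKMP_HEADER_LEN = 28
# IKEv1 exchange types relevant to the Main/Quick mode states of this port.
EXCHANGE_TYPES = {2: "MAIN (identity protection)", 4: "AGGRESSIVE",
                  5: "INFORMATIONAL", 32: "QUICK"}


def classify_natt_payload(payload):
    """Return a dict describing a UDP/4500 payload: keepalive, ike, esp or malformed."""
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if len(payload) >= 8 and payload[:8] == b"\x00" * 8:
        # Draft-style NON-IKE marker: 8 zero bytes, then the ESP header. This
        # cannot be RFC-style IKE, since an initiator SPI is random and non-zero.
        return {"kind": "esp", "marker": "non-ike(8)",
                "spi": struct.unpack(">I", payload[8:12])[0]}
    if len(payload) >= 4 and payload[:4] == b"\x00" * 4:
        # RFC 3948 non-ESP marker: 4 zero bytes, then the ISAKMP header.
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "malformed", "reason": "ISAKMP header truncated"}
        (_i_spi, _r_spi, _next, version, xchg, flags,
         msg_id, length) = struct.unpack(">QQBBBBII", ike[:ISAKMP_HEADER_LEN])
        if length != len(ike):
            return {"kind": "malformed", "reason": "ISAKMP length field mismatch"}
        return {"kind": "ike", "marker": "non-esp(4)",
                "version": f"{version >> 4}.{version & 0xF}",
                "exchange": EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
                "encrypted": bool(flags & 0x01),      # ISAKMP E flag
                "message_id": msg_id,
                "phase": 1 if msg_id == 0 else 2}     # phase 1 uses message ID 0
    if len(payload) >= 8:
        # Plain UDP-encapsulated ESP: SPI first, then the sequence number.
        spi, seq = struct.unpack(">II", payload[:8])
        if spi == 0:
            return {"kind": "malformed", "reason": "ESP SPI zero"}
        return {"kind": "esp", "marker": None, "spi": spi, "seq": seq}
    return {"kind": "malformed", "reason": "too short"}


def build_ike_header(i_spi, r_spi, exchange, flags=0, msg_id=0):
    """Constructed ISAKMP header with no payloads, preceded by the 4-byte marker."""
    return b"\x00" * 4 + struct.pack(">QQBBBBII", i_spi, r_spi, 0, 0x10,
                                     exchange, flags, msg_id, ISAKMP_HEADER_LEN)


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "keepalive": b"\xff",
    "main_mode_msg1": build_ike_header(0x1122334455667788, 0, 2),
    "quick_mode": build_ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, 32,
                                   flags=1, msg_id=0x42),
    "esp": struct.pack(">II", 0x0000ABCD, 7) + b"\x00" * 16,
    "draft_esp": b"\x00" * 8 + struct.pack(">II", 0x0000ABCD, 7) + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:>15}: {classify_natt_payload(data)}")
```

The 8-zero-byte test runs before the 4-zero-byte test on purpose: a valid IKE datagram never starts with eight zero bytes, so anything that does must be draft-marked ESP. A datagram failing every rule is reported as malformed rather than guessed at, which is the behaviour a dissector feeding the BAD-FMT style counters should have.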

Diagnostics of the IKE port

Example of how to show the state and diagnostics of the IKE port through the command D S:

[15:00:45] ABILIS_CPX:D S PO:IKE

PO:921 ------------------------------------------------------------------------
IKE    IKE-STATE:ACTIVE       IPSEC-STATE:ACTIVE
       ISAKMP-SA:1    ISAKMP-SA-EST:1    IPSEC-SA:1    IPSEC-SA-EST:1
       - Security Associations diagnostics: -----------------------------------
       SerialNo   Name                                     Type     Side
                  LocIp-LocPort         LocNet/LocMask     State    ReplaceTime
                  RemIp-RemPort         RemNet/RemMask     Pending  ExpiryTime
       ------------------------------------------------------------------------
       13                                                  IPsec    RESPONDER
                  192.168.006.001/500   192.168.006.001/32 QUICK-R2 3422
                  192.168.006.002/500    192.168.006.002/32 0        3542
       ------------------------------------------------------------------------
       12                                                  ISAKMP   RESPONDER
                  192.168.006.001/500   000.000.000.000/00 MAIN-R3  3420
                  192.168.006.002/500    000.000.000.000/00 0        3540
       ------------------------------------------------------------------------

Details of the IKE port diagnostics


IKE-STATE: Current state of the IKE port
DOWN, INACTIVE, ACTIVE, INIT

It shows the current state of the IKE port driver.

IKE driver states (the value shown on the LCD display is given in brackets):

DOWN: State set when registration to the lower UDP port fails (UDP service is not possible). [LCD: dn]
INACTIVE: IKE port is running, but the ACT: parameter is set to "NO". [LCD: na]
ACTIVE: IKE port is fully ready to work. [LCD: RD]
INIT: IKE port is in init state. [LCD: in]


IPSEC-STATE: Current state of the IPsec port
INACTIVE, ACTIVE

It shows the current state of the IPsec port driver.

INACTIVE: IPsec port is not "ready" to work with IKE driver.
ACTIVE: IPsec port is fully ready to work.


ISAKMP-SA: Current number of the ISAKMP Security Associations
0-128

It shows the current number of ISAKMP Security Associations (Main mode of IKE).


ISAKMP-SA-EST: Current number of the established ISAKMP Security Associations
0-128

It shows the current number of established ISAKMP Security Associations (Main mode of IKE).


IPSEC-SA: Current number of the IPsec Security Associations
0-128

It shows the current number of IPsec Security Associations (Quick mode of IKE).


IPSEC-SA-EST: Current number of the established IPsec Security Associations
0-128

It shows the current number of established IPsec Security Associations (Quick mode of IKE).


Details of the IKE Security Associations diagnostics


SerialNo: Serial number of the ISAKMP/IPsec Security Associations
1-4.294.967.295

It shows the serial number of the ISAKMP/IPsec Security Association.


Name: Name of the ISAKMP/IPsec Security Association
from 0 up to 32 ASCII printable characters. Spaces are not allowed. Case is preserved.

Specifies the name of the ISAKMP/IPsec Security Association.


Type: Type of the Security Association
ISAKMP, IPsec

Specifies the type of the Security Association.


Side: Side of the Security Association
INITIATOR, RESPONDER

Specifies the side of the Security Association.


LocIp-LocPort: Local IP address/local IKE UDP port
0.0.0.0, 1-126.x.x.x, 128-223.x.x.x/500, 4500

Local IP address/local IKE UDP port.


RemIp-RemPort: Remote IP address/remote IKE UDP port
0.0.0.0, 1-126.x.x.x, 128-223.x.x.x/0-65535

Remote IP address/remote IKE UDP port.


LocNet/LocMask: Local client network number/mask
0.0.0.0, 1-126.x.x.x, 128-223.x.x.x/0-32

Local client network number/mask. For IPsec SA only.


RemNet/RemMask: Remote client network number/mask
0.0.0.0, 1-126.x.x.x, 128-223.x.x.x/0-32

Remote client network number/mask. For IPsec SA only.


State: Current state (phase) of IKE negotiation for the Security Association
MAIN-R0, MAIN-R1, MAIN-R2, MAIN-R3
MAIN-I1, MAIN-I2, MAIN-I3, MAIN-I4
QUICK-R0, QUICK-R1, QUICK-R2
QUICK-I1, QUICK-I2

It shows the current state (phase) of IKE negotiation for the Security Association.

ISAKMP SA. Main mode of IKE negotiation:

MAIN-R0, MAIN-R1: 1st IKE message received from the peer (responder side).
MAIN-R2: 2nd IKE message received from the peer (responder side).
MAIN-R3: 3rd IKE message received from the peer (responder side). ISAKMP SA is established.
MAIN-I1: 1st IKE message sent to the peer (initiator side).
MAIN-I2: 2nd IKE message sent to the peer (initiator side).
MAIN-I3: 3rd IKE message sent to the peer (initiator side).
MAIN-I4: 3rd IKE message received from the peer (initiator side). ISAKMP SA is established.

IPsec SA. Quick mode of IKE negotiation:

QUICK-R0, QUICK-R1: 1st IKE message received from the peer (responder side).
QUICK-R2: 2nd IKE message received from the peer (responder side). IPsec SA is established.
QUICK-I1: 1st IKE message sent to the peer (initiator side).
QUICK-I2: 2nd IKE message sent to the peer (initiator side). IPsec SA is established.

Pending: Number of the pending IPsec SA connections for the current ISAKMP SA
0-128

Specifies the number of pending IPsec SA connections for the currently negotiating ISAKMP SA.


ReplaceTime: Remaining time to begin replace current ISAKMP/IPsec SA
0-4.294.967.295

Specifies the remaining time (in seconds) before replacement of the current ISAKMP/IPsec SA begins.


ExpiryTime: Remaining time to expiry current ISAKMP/IPsec SA
0-4.294.967.295

Specifies the remaining time (in seconds) before the current ISAKMP/IPsec SA expires.
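The D S output above packs each Security Association into three lines, and the State column is the only place that says whether an SA is actually established. As an added example (not Abilis CPX code), the following Python parser turns that display into records, applies the established-state rule from the state tables above (MAIN-R3/MAIN-I4 for ISAKMP, QUICK-R2/QUICK-I2 for IPsec), cross-checks the ISAKMP-SA/IPSEC-SA counters against the listed SAs, and reports SAs that are still negotiating, close to expiry, or holding pending IPsec SAs. The embedded sample is the D S display shown earlier on this page; the 600-second expiry threshold and the function names are this example's own.

```python
# Added example (not Abilis CPX code): parse a "D S PO:IKE" display into SA
# records and review them. Established-state rule taken from the state tables
# on this page; the expiry threshold is an arbitrary choice for the example.
import re

# Sample copied from the D S PO:IKE output shown earlier on this page.
SAMPLE = """\
PO:921 ------------------------------------------------------------------------
IKE    IKE-STATE:ACTIVE       IPSEC-STATE:ACTIVE
       ISAKMP-SA:1    ISAKMP-SA-EST:1    IPSEC-SA:1    IPSEC-SA-EST:1
       - Security Associations diagnostics: -----------------------------------
       SerialNo   Name                                     Type     Side
                  LocIp-LocPort         LocNet/LocMask     State    ReplaceTime
                  RemIp-RemPort         RemNet/RemMask     Pending  ExpiryTime
       ------------------------------------------------------------------------
       13                                                  IPsec    RESPONDER
                  192.168.006.001/500   192.168.006.001/32 QUICK-R2 3422
                  192.168.006.002/500    192.168.006.002/32 0        3542
       ------------------------------------------------------------------------
       12                                                  ISAKMP   RESPONDER
                  192.168.006.001/500   000.000.000.000/00 MAIN-R3  3420
                  192.168.006.002/500    000.000.000.000/00 0        3540
       ------------------------------------------------------------------------
"""

# States in which an SA counts as established, per the state tables above.
ESTABLISHED = {"ISAKMP": {"MAIN-R3", "MAIN-I4"}, "IPsec": {"QUICK-R2", "QUICK-I2"}}


def _addr(text):
    """'192.168.006.001/500' -> ('192.168.6.1', 500): drop the octet zero-padding."""
    ip, _, num = text.partition("/")
    return ".".join(str(int(octet)) for octet in ip.split(".")), int(num)


def parse_ike_diagnostics(text):
    """Return (counters, sa_records) from a D S PO:IKE display."""
    # NAME:number pairs on the header lines (ISAKMP-SA:1, IPSEC-SA-EST:1, ...).
    counters = {k: int(v) for k, v in re.findall(r"\b([A-Z-]+):(\d+)\b", text)}
    lines = [ln.strip() for ln in text.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("SerialNo"))
    # Skip the three column-title lines; drop separators; each SA is 3 lines.
    body = [ln for ln in lines[start + 3:] if ln and not ln.startswith("-")]
    records = []
    for i in range(0, len(body) - 2, 3):
        head, loc, rem = body[i].split(), body[i + 1].split(), body[i + 2].split()
        loc_ip, loc_port = _addr(loc[0])
        loc_net, loc_mask = _addr(loc[1])
        rem_ip, rem_port = _addr(rem[0])
        rem_net, rem_mask = _addr(rem[1])
        rec = {"serial": int(head[0]),
               "name": head[1] if len(head) == 4 else "",   # Name column is optional
               "type": head[-2], "side": head[-1],
               "local": (loc_ip, loc_port), "remote": (rem_ip, rem_port),
               "local_net": f"{loc_net}/{loc_mask}", "remote_net": f"{rem_net}/{rem_mask}",
               "state": loc[2], "replace_time": int(loc[3]),
               "pending": int(rem[2]), "expiry_time": int(rem[3])}
        rec["established"] = rec["state"] in ESTABLISHED.get(rec["type"], set())
        records.append(rec)
    return counters, records


def review_ike_diagnostics(counters, records, expiry_warn=600):
    """Cross-check counters against the SA list and return findings (empty = healthy)."""
    findings = []
    for typ, key in (("ISAKMP", "ISAKMP-SA"), ("IPsec", "IPSEC-SA")):
        seen = [r for r in records if r["type"] == typ]
        est = sum(r["established"] for r in seen)
        if counters.get(key) != len(seen) or counters.get(key + "-EST") != est:
            findings.append(f"{key} counters {counters.get(key)}/{counters.get(key + '-EST')} "
                            f"do not match the listed SAs {len(seen)}/{est}")
    for r in records:
        peer = r["remote"][0]
        if not r["established"]:
            findings.append(f"SA {r['serial']} ({r['type']}, {r['side']}) still in "
                            f"{r['state']} with peer {peer}")
        elif r["expiry_time"] < expiry_warn:
            findings.append(f"SA {r['serial']} with peer {peer} expires in {r['expiry_time']}s")
        if r["type"] == "ISAKMP" and r["pending"]:
            findings.append(f"SA {r['serial']} has {r['pending']} pending IPsec SA(s)")
    return findings


if __name__ == "__main__":
    ctr, sas = parse_ike_diagnostics(SAMPLE)
    for sa in sas:
        print(sa["serial"], sa["type"], sa["state"], "established" if sa["established"] else "negotiating")
    print(review_ike_diagnostics(ctr, sas) or "no findings")
```

Polling this display and keeping the findings list empty is a cheap liveness check for a site-to-site tunnel: an SA that stays in MAIN-R1 or QUICK-R1 across several polls means the peer started a negotiation that is not completing, which is worth correlating with the AUTH-FAIL and NO-PROP statistics of the next section.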

Statistics of the IKE port

Example of how to show the statistics of the IKE port through the command D SE:

[15:00:45] ABILIS_CPX:D SE PO:IKE

PO:921 ------------------------------------------------------------------------
IKE    --- Cleared 000:00:10:02 ago, on 22/03/2005 at 22:53:43 ----------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CHR        |      15220|       1756|LONG       |          0|          0|
       FRM        |         31|         23|BAD-FMT    |          0|           |
       FRM-LOST   |          0|           |DUPLICATED |          6|           |
       ------------------------------------------------------------------------
       -----------|--ISAKMP---|---IPSEC---|
       SA-R       |          4|          9|
       SA-I       |          0|          0|
       SA-EST-R   |          3|          1|
       SA-EST-I   |          0|          0|
       AUTH-FAIL  |          0|          0|
       NO-PROP    |          0|          0|
       ------------------------------------------------------------------------

The information "Cleared DDD:HH:MM:SS ago, at DD/MM/YYYY HH:MM:SS", shown by the extended statistics, gives the elapsed time since the last reset of the statistics (in the format "days:hours:minutes:seconds") and the date/time of that reset (in the formats "day/month/year" and "hours:minutes:seconds").

Details of the IKE port statistics


CHR: Total number of characters received/sent by IKE port from/to UDP
0-4.294.967.295

The INPUT counter is incremented by the number of characters received every time the IKE port receives a UDP datagram from UDP.

The OUTPUT counter is incremented by the number of characters sent every time the IKE port sends a UDP datagram to UDP.


FRM: Total number of UDP datagrams received/sent by IKE port from/to UDP
0-4.294.967.295

The INPUT counter is incremented every time IKE port receives a UDP datagram from UDP.

The OUTPUT counter is incremented every time the IKE port sends a UDP datagram to UDP.


FRM-LOST: Total number of lost incoming UDP datagrams: buffer is full
0-4.294.967.295

The counter is incremented every time a UDP datagram is discarded because there are no available receiving buffers.


LONG: Total number of discarded too long incoming/outgoing UDP datagrams
0-4.294.967.295

The INPUT counter is incremented every time the IKE port discards a too long incoming UDP datagram.

The OUTPUT counter is incremented every time the IKE port discards a too long outgoing UDP datagram.


BAD-FMT: Total number of discarded incoming UDP datagrams with bad format
0-4.294.967.295

The counter is incremented every time the IKE port discards an incoming UDP datagram with bad format.


DUPLICATED: Total number of duplicated incoming UDP datagrams
0-4.294.967.295

The counter is incremented every time the IKE port discards a duplicated incoming UDP datagram.


SA-R: Total number of ISAKMP/IPsec negotiation attempts (responder side).
0-4.294.967.295

ISAKMP: The counter is incremented every time the remote IKE peer begins ISAKMP SA negotiation (Main mode).

IPSEC: The counter is incremented every time the remote IKE peer begins IPsec SA negotiation (Quick mode).


SA-I: Total number of ISAKMP/IPsec negotiation attempts (initiator side).
0-4.294.967.295

ISAKMP: The counter is incremented every time the local IKE port begins ISAKMP SA negotiation (Main mode).

IPSEC: The counter is incremented every time the local IKE port begins IPsec SA negotiation (Quick mode).


SA-EST-R: Total number of ISAKMP/IPsec successfully established negotiations (responder side).
0-4.294.967.295

ISAKMP: The counter is incremented every time the ISAKMP SA is successfully established (Main mode).

IPSEC: The counter is incremented every time the IPsec SA is successfully established (Quick mode).


SA-EST-I: Total number of ISAKMP/IPsec successfully established negotiations (initiator side).
0-4.294.967.295

ISAKMP: The counter is incremented every time the ISAKMP SA is successfully established (Main mode).

IPSEC: The counter is incremented every time the IPsec SA is successfully established (Quick mode).


AUTH-FAIL: Total number of ISAKMP/IPsec failed authentications.
0-4.294.967.295

ISAKMP: The counter is incremented every time the ISAKMP SA negotiation is dropped because authentication fails (Main mode).

IPSEC: The counter is incremented every time the IPsec SA negotiation is dropped because authentication fails (Quick mode).


NO-PROP: Total number of dropped ISAKMP/IPsec negotiations, because no proposal was chosen
0-4.294.967.295

ISAKMP: The counter is incremented every time the ISAKMP SA negotiation is dropped because no ISAKMP proposal was chosen (Main mode).

IPSEC: The counter is incremented every time the IPsec SA negotiation is dropped because no IPsec proposal was chosen (Quick mode).
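The counters in this section are cumulative since the last clear, so what matters operationally is how they move between two readings. As an added example (not Abilis CPX code), the following Python block parses the D SE display into a counter table, computes the deltas between two snapshots, and turns them into findings: AUTH-FAIL increments (pre-shared key mismatch, or a peer that is not who it should be), NO-PROP increments (transform set mismatch), negotiations started but not established (SA-R/SA-I against SA-EST-R/SA-EST-I), FRM-LOST (receive buffers exhausted) and DUPLICATED (peer retransmitting because our replies are not reaching it). The first snapshot is the D SE output shown above; the second snapshot and the 50% incomplete-negotiation threshold are constructed for the example, as are the function names.

```python
# Added example (not Abilis CPX code): parse two "D SE PO:IKE" counter snapshots
# and turn the deltas into findings. SNAPSHOT_T0 is the display shown on this
# page; SNAPSHOT_T1 and the thresholds are constructed for the example.
import copy

SNAPSHOT_T0 = """\
PO:921 ------------------------------------------------------------------------
IKE    --- Cleared 000:00:10:02 ago, on 22/03/2005 at 22:53:43 ----------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CHR        |      15220|       1756|LONG       |          0|          0|
       FRM        |         31|         23|BAD-FMT    |          0|           |
       FRM-LOST   |          0|           |DUPLICATED |          6|           |
       ------------------------------------------------------------------------
       -----------|--ISAKMP---|---IPSEC---|
       SA-R       |          4|          9|
       SA-I       |          0|          0|
       SA-EST-R   |          3|          1|
       SA-EST-I   |          0|          0|
       AUTH-FAIL  |          0|          0|
       NO-PROP    |          0|          0|
       ------------------------------------------------------------------------
"""


def parse_ike_statistics(text):
    """Return {counter: {column: value or None}} from a D SE PO:IKE display."""
    stats, columns = {}, []
    for line in text.splitlines():
        if "|" not in line:
            continue                                   # title and separator lines
        cells = [c.strip() for c in line.split("|")][:-1]   # every row ends with '|'
        if cells[0].startswith("-"):
            # Header row such as "-----------|---INPUT---|--OUTPUT---|...":
            # the dash-framed names give the columns, de-duplicated in order.
            columns = list(dict.fromkeys(c.strip("-") for c in cells[1:] if c.strip("-")))
            continue
        width = len(columns) + 1                       # name cell + one cell per column
        for i in range(0, len(cells), width):
            name, *values = cells[i:i + width]
            # A blank cell (e.g. BAD-FMT OUTPUT) means the counter does not exist.
            stats[name] = {col: (int(v) if v.isdigit() else None)
                           for col, v in zip(columns, values)}
    return stats


def counter_delta(t0, t1):
    """Per-counter differences t1 - t0; missing or non-existent cells count as 0."""
    return {name: {col: (t1[name].get(col) or 0) - (t0.get(name, {}).get(col) or 0)
                   for col in t1[name]} for name in t1}


def statistics_findings(d, incomplete_ratio=0.5):
    """Translate counter deltas into findings a defender would act on."""
    out = []
    for mode in ("ISAKMP", "IPSEC"):
        if d["AUTH-FAIL"][mode]:
            out.append(f"{mode}: {d['AUTH-FAIL'][mode]} authentication failure(s): "
                       "check the pre-shared key on both peers and which peers are knocking")
        if d["NO-PROP"][mode]:
            out.append(f"{mode}: {d['NO-PROP'][mode]} negotiation(s) dropped with no proposal "
                       "chosen: the transform sets differ from the peer's")
        started = d["SA-R"][mode] + d["SA-I"][mode]
        done = d["SA-EST-R"][mode] + d["SA-EST-I"][mode]
        if started and (started - done) / started > incomplete_ratio:
            out.append(f"{mode}: {started - done} of {started} negotiations did not complete")
    if d["FRM-LOST"]["INPUT"]:
        out.append(f"{d['FRM-LOST']['INPUT']} datagram(s) lost: receive buffers exhausted")
    if d["DUPLICATED"]["INPUT"]:
        out.append(f"{d['DUPLICATED']['INPUT']} duplicated datagram(s): the peer is "
                   "retransmitting, so our replies may not be reaching it")
    return out


# Constructed second snapshot: the same port a little later, with ISAKMP
# negotiation attempts and authentication failures piling up.
SNAPSHOT_T1 = copy.deepcopy(parse_ike_statistics(SNAPSHOT_T0))
SNAPSHOT_T1["SA-R"]["ISAKMP"] = 20
SNAPSHOT_T1["SA-EST-R"]["ISAKMP"] = 4
SNAPSHOT_T1["AUTH-FAIL"]["ISAKMP"] = 5

if __name__ == "__main__":
    t0 = parse_ike_statistics(SNAPSHOT_T0)
    for finding in statistics_findings(counter_delta(t0, SNAPSHOT_T1)):
        print("-", finding)
```

Between the two snapshots the ISAKMP side shows 16 new Main mode attempts of which only one completed, and five authentication failures; both findings point at the same thing, a peer (or several) whose pre-shared key does not match, which is what to check before touching the proposal sets.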
