Maipu - IPSec Template

Hi All friends, Many time we came across requirement of IPSec configurations. Maipu every Router support IPSec. In this section, I will share IPSec Configuration template. It will help you to understand Maipu IPSec configuration steps.

Maipu IPSec configuration is having different command line than other vendors.

Before looking in details of IPSec template, let’s take a overview of IPSec working process -

IPSec working process –

IPSec works using IKE protocol (Internet Key Exchange).

IKE - When two devices communicate across the network to form secure tunnel. Both Routers/devices will negotiate on set of protocols, they are going to use for security, Encryption, Authentication and protection.

If both devices are using same set of protocols then only secure tunnel will form and data communication will start from secure tunnel or otherwise the secure tunnel will not be established.

In above discussion I used secure tunnel term, The secure tunnel is IPSec tunnel.

IPSec stands for IP packets security.

IPSec is having two modes of communications in Network – Transport and Tunnel Mode…

Some are well known types of VPN – Site to Site VPN, Easy VPN, Point to Multipoint VPN.

VPN -stands for Virtual Private Network, VPN tunnel means creating a private tunnel in public network. IPSec protocols are used to secure VPN tunnel. Data transfer will happen  securely from IPSec VPN.  

IPSec VPN Establishment process –

• The Routers receives traffic considered "Intresting traffic" from LAN Network towards WAN for establishing a VPN connection.
• IKE Phase 1 Negotiated and Security Association (SA) established.
• IKE Phase 2 Negotiated and Security ASsociation (SA) established.
• Data Transmitted thru IPSec Tunnel
• Once Transmission is complete , Then IPSec tunnel torn down.

Configuration Steps for Maipu Router IPSec Configurations –

• Set up Ike Proposal [ For IKE Phase I ]
• Set up IPSec proposal[ For IKE Phase II ]
• Define interesting traffic - flow
• Set up crypto tunnel –include local wan interface
• Map flow to crypto tunnel

Maipu IPSec Configuration Template –

crypto ike key pplhkhqtodel address x.x.x.x

### Define Crypto key ####

### Define Crypto IKE Phase 1 proposal ###

crypto ike proposal 1

 encryption 3des

 group group2

integrity sha1

 lifetime 28800

 exit

### Define Crypto IKE Phase 2 proposal ###

crypto ipsec proposal 1

 esp 3des

 ah sha1

 lifetime 28800

 exit

### Create IPSec Tunnel Interface ###

crypto tunnel t1

 local interface f0

 peer any

 set authentication preshared

 set ike proposal 1

 set ipsec proposal 1

set auto-up

 exit

### Create Interesting traffic rule, like ACL. Match source and destination traffic ####

crypto policy p1

 flow x.x.x.x x.x.x.x (local lan ip) x.x.x.x x.x.x.x (remote lan) ip tunnel t1

crypto policy p2

 flow x.x.x.x x.x.x.x (local lan ip) x.x.x.x x.x.x.x (remote lan) ip tunnel t1

exit

ex:

crypto policy p1

 flow 10.1.1.0 255.255.255.0 (local lan ip) 172.16.1.0 255.255.255.0 (remote lan) ip tunnel t1

crypto policy p2

 flow 10.1.1.0 255.255.255.0 (local lan ip) 192.168.1.0 255.255.255.0 (remote lan) ip tunnel t1

exit

crypto policy p3

flow 10.1.1.0 255.255.255.0 (local lan ip) 10.1.1.0 255.255.255.0 (local lan ip ) ip permit

Hope this template will help you in IPSec configuration in Maipu Routers.

Thanks for reading…

For feedback. Plz comment with Name and Mail ID..

Maipu Support - DDMI

Hi Friends, Many times I came across requirement about DDMI feature from many engineers. Maipu support DDMI (Digital Diagnostics Monitoring Interface) features in many aggregation switches on Fiber interfaces like SM3900, SM 4200, 6800, etc. 


Below commands are used for DDMI -


show optical all
show optical all detail


Show Output - 

6800-2#show optical all  detail 

port 2/0 optical information
        Device Name          : XFP
        Connector Name       : LC
        Vendor OUI           : 00-17-6a
        Vendor Name          : OEM             
        Part Number          : XFP-10G-SR      
        Revision Number      : A Bh
        Serial Number        : GM1201104103    
        Production Date      : 12/04/23(y/m/d)
        Laser WaveLength     : 850(nm)
        Vendor Specific      : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
        Monitor Parameters   : 
                                                                         T - ThresHold, S - Status
  Type                                          Value           Alarm-High(T/S)     Alarm-Low(T/S)         Warning-High(T/S)           Warning-Low(T/S)
  ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  Temperature(C)              19.273438       85.000000(N)           -10.000000(N)            80.000000(N)                        -5.000000(N)
  Voltage(V)                           0.000000         1.536000(N)                1.408000(N)               0.000000(N)                         0.128000(N)
  Tx Bias(mA)                        5.562000         12.000000(N)              1.000000(N)            10.000000(N)                         2.000000(N)
  Rx Power(dBm)                -14.100504         0.000000(N)             -13.001623(Y)              -1.000154(N)                      -11.999706(Y)
  Tx Power(dBm)                   -2.503410          2.000019(N)           -10.000000(N)               0.999912(N)                       -8.999743(N)


port 2/1 optical information
        Device Name          : XFP
        Connector Name       : LC
        Vendor OUI           : 00-00-00
        Vendor Name          : OEM             
        Part Number          : 10GB-XFP-LR-F   
        Revision Number      : 1 fX
        Serial Number        : FXF96L042       
        Production Date      : 12/04/24(y/m/d)
        Laser WaveLength     : 1310(nm)
        Vendor Specific      : 000000000000000000000000000000000000000000000000000000000000000
        Monitor Parameters   : 
                                                                         T - ThresHold, S - Status
          Type                          Value                  Alarm-High(T/S)     Alarm-Low(T/S)     Warning-High(T/S)   Warning-Low(T/S)
          ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
          Temperature(C)       34.824219        80.000000(N)         -10.000000(N)       75.000000(N)                -5.000000(N)
          Voltage(V)                 3.254800           3.500000(N)               3.080000(N)          3.480000(N)                  3.100000(N)
          Tx Bias(mA)             37.240002         90.000000(N)            2.000000(N)          80.000000(N)               4.000000(N)
          Rx Power(dBm)       -1.408016           0.000000(N)           -20.000000(N)          -1.000154(N)               -18.996294(N)
          Tx Power(dBm)       -2.301060           0.000000(N)             -7.999707(N)          -1.000154(N)                 5.999804(N)


6800-2#  




Hope this commands will help you for fiber port monitoring and troubleshooting...


Thanks for reading...


For feedback. Plz comment with Name and Mail ID..