Iipsec

Uploaded by

mohamed adel

Configuring IPSec

This chapter provides information about IPSec configuration on the Cisco LoRaWAN Gateway.
• Understanding IPSec, on page 1
• Configuring IPsec, on page 1
• Configuring Crypto IPSec Profile Common, on page 3
• Configuring Crypto IPSec Profile Individual, on page 5
• Basic Configuration for RSA to Connect to Primary and Secondary, on page 6
• Locking Traffic to IPSec Tunnels, on page 7
• Erasing IPSec Certificates and Key, on page 7
• Uploading Certificates from USB or Local Flash, on page 7
• Disabling LXC Restart During IPSec Reauthentication, on page 7
• Resetting Secure-Storage for Certificate Download, on page 7

Understanding IPSec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for
establishing mutual authentication between agents at the beginning of the session and for negotiating the
cryptographic keys to be used during the session. IPsec can protect data flows between a pair of hosts
(host-to-host), between a pair of security gateways (site-to-site), or between a security gateway and a host
(remote-access).
IPsec uses cryptographic security services to protect communications over IP networks. It supports
network-level peer authentication, data origin authentication, data integrity, data confidentiality
(encryption), and replay protection.
IPsec is an end-to-end security scheme operating in the Internet layer of the Internet Protocol Suite, whereas
other widely used Internet security systems, such as Transport Layer Security (TLS) and Secure Shell (SSH),
operate in the upper layers, at the application layer. Hence only IPsec protects all application traffic over an
IP network: applications are secured automatically at the IP layer. Without IPsec, TLS/SSL must be inserted
beneath each application individually for protection.

Configuring IPsec
Beginning in privileged EXEC mode, follow these steps to configure IPsec on the Cisco LoRaWAN Gateway:


Procedure

Step 1: configure terminal
    Enter global configuration mode.

Step 2: crypto ipsec profile {common|primary|secondary}
    Configure the parameters used by the tunnel.
    Note The primary profile MUST be configured. Common and secondary are optional. For more
    information, see Configuring Crypto IPSec Profile Common, on page 3, and Configuring Crypto IPSec
    Profile Individual, on page 5.

Step 3: Do one of the following (these commands are exclusive):
    • ipsec isakmp username password group group_id psk
      Configure PSK.
    • ipsec cert install {usb|local} enable
      Enable downloading certificates from USB or local flash.
      Note If SCEP is enabled, the ipsec cert install local enable command will fail. Disable SCEP
      and then execute this command.
    • ipsec cert scep <url> <country_code> <state> <locality> <organization> <unit> <name> <device-id> {ndes|xpki} <persistency> <key-length>
      Configure SCEP. From Release 2.0.20, xpki is supported as well as ndes.
      • xpki - Use a Cisco router as the CA server.
      • ndes - Use a Windows server as the CA server.

    Example

    Gateway(config)#ipsec cert scep http://172.27.163.69/cgi-bin/pkiclient.exe US CA Milpitas Cisco iot CSR1K true

Step 4: ipsec retry retry-count delay delay-time
    Configure the number of IPsec retries and the delay time (in minutes) before IPsec restarts when IPsec
    is down:
    • retry-count - Number of IPsec retries when IPsec is down.
    • delay-time - Minutes of delay before restarting IPsec.

Step 5: ipsec enable
    Enable IPSec.

Step 6: ipsec subnet lock
    Lock the device traffic to the IPsec subnet. Traffic outside of the subnet will not be accepted.

Step 7: exit
    Return to global configuration mode.

Step 8: show ipsec certs
    (Optional) Display details about certificates (RSA only).

Step 9: show ipsec status {info|detail}
    (Optional) Display details about IPsec status.

Step 10: debug ipsec
    (Optional) Enable logging for IPsec. This command should be executed after the ipsec enable command
    is configured. To disable the logging for IPsec, use the no debug ipsec command.
    Note This command should be used ONLY for debugging purposes as it can impact performance.

Step 11: show ipsec log
    (Optional) Display the IPsec logs on the screen.

Step 12: clear ipsec log
    (Optional) Clear the existing IPsec logs.

Step 13: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

What to do next
Before PSK or PKI can be configured, you must configure at least the primary crypto ipsec profile.
For more information, see Configuring Crypto IPSec Profile Common, on page 3, and Configuring Crypto
IPSec Profile Individual, on page 5.

Note No spaces are allowed in any DNs (or IDs) or CA parameters.

Note Only PSK (IKEv1) and RSA (IKEv2) are supported.

Configuring Crypto IPSec Profile Common


This section contains configurations of attributes shared by all the tunnels.


Note The crypto ipsec profile common command configures only attributes shared by RSA tunnels; it does
not apply to PSK.

Beginning in privileged EXEC mode, follow these steps to configure crypto IPSec profile common on the
Cisco LoRaWAN Gateway:

Procedure

Step 1: configure terminal
    Enter global configuration mode.

Step 2: crypto ipsec profile common
    Configure parameters used by all tunnels.

Step 3: leftid <left_id>
    (Optional) Configures the ID of the LoRaWAN module.
    • left_id - Full subject distinguished name (DN) of the certificate, including IP address, domain
      name, or e-mail address.

Step 4: leftca <left_ca_issuer>
    (Optional) Configures the DN of the CA that issued the LoRaWAN module's certificates.
    • left_ca_issuer - CA DN of the Cisco LoRaWAN Gateway.

Step 5: rightca <right-ca-issuer>
    (Optional) Configures the DN of the CA that issued the corresponding IPSec server's certificates.
    • right-ca-issuer - CA DN of the IPSec server.

Step 6: exit
    Exit the crypto ipsec profile common block and update the IPSec configuration.

Step 7: exit
    Return to global configuration mode.

Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

Example
Example of Common Profile Block

crypto ipsec profile common
 leftid C=CN,ST=Nanning,L=Nanning,O=Cisco,OU=iot,CN=cisco-iot
 leftca cn=LASSI-ROOT-CA,dc=LASSI,dc=example,dc=com
 exit

Configuring Crypto IPSec Profile Individual


This section contains configuration of the parameters of the individual tunnels between the IPSec server and
the Cisco LoRaWAN Gateway. The primary block MUST be configured before any other IPSec configurations
are implemented.

Note Adding the subnet parameter enforces a subnet-only tunnel. Any packets within that subnet will travel through
the tunnel and any packets outside of that subnet will not travel within the tunnel. If all packets need to go
through the tunnel, do not configure any subnet. This will establish a host-only tunnel.

Note Primary configurations will override secondary configurations, so if no subnet is configured in primary (default,
host-only tunnel) and subnet is configured in the secondary tunnel, then packets will not be able to go through
the secondary tunnel.

Beginning in privileged EXEC mode, follow these steps to configure crypto IPSec profile individual on the
Cisco LoRaWAN Gateway:

Procedure

Step 1: configure terminal
    Enter global configuration mode.

Step 2: crypto ipsec profile {primary|secondary}
    Configure parameters used by the individual tunnel.

Step 3: ipaddr <ip-address> iketime <ike-lifetime> keytime <key-life> aes <ike-encryption>
    Configures the required parameters of the tunnel.
    • ip-address - IP address or hostname of the IPSec server.
    • ike-lifetime - Lifetime of the ISAKMP or IKE SA, in seconds.
    • key-life - Lifetime of one tunnel connection instance, in seconds.
    • ike-encryption - Encryption method of the ike directive in strongSwan: 128 or 256, selecting
      aes128-sha256-ecp256 or aes256-sha256-ecp256 respectively by default.

Step 4: rightid <right_id>
    (Optional) Configure the ID of the IPSec server.
    • right-id - The IPSec server's certificate's full subject DN, IP address, domain name, or e-mail
      address.

Step 5: subnet <subnet/mask>
    (Optional) Configures the subnet and mask of IP addresses the IPSec server will accept in the
    tunnel.
    • subnet/mask - Subnet and mask, for example, 10.0.0.0/8.

Step 6: exit
    Exit the crypto ipsec profile individual block and update the IPSec configuration.

Step 7: exit
    Return to global configuration mode.

Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

Example
Examples of Primary and Secondary Profile blocks:

crypto ipsec profile primary
 ipaddr 192.168.3.4 iketime 86400 keytime 86400 aes 128
 subnet 10.10.0.0/8
 rightid SN=FTX2103Z05B,unstructuredName=CRS829.cisco.com
 exit
!
crypto ipsec profile secondary
 ipaddr 192.168.3.1 iketime 86400 keytime 86400 aes 128
 subnet 10.10.0.0/8
 rightid unstructuredName=IR829_CH.cisco.com,C=CN,ST=Nanning,L=Nanning,O=Cisco,OU=IR829,CN=ndes.com
 exit
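The constraints this chapter states in prose (the primary profile is mandatory, no spaces in DNs or CA parameters, a host-only primary overrides a subnet-only secondary so the secondary carries no packets, and ipsec cert install local enable fails while SCEP is enabled), together with the host-only versus subnet-only tunnel behaviour and what ipsec subnet lock does to traffic outside the subnet, can be checked offline against a saved configuration. The following is an added Python example written for this page; it is not Cisco code and does not run on the gateway. It assumes the running configuration has been saved as text in the CLI syntax shown above; the sample configuration, the CA URL ca.example.invalid and all function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample configuration in the gateway's CLI syntax (not taken from a
# real device). The profile blocks mirror the examples in this chapter; the
# primary rightid deliberately contains a space, and SCEP is enabled together
# with local certificate install, so that the checks below have something to report.
SAMPLE_CONFIG = """\
crypto ipsec profile common
 leftid C=CN,ST=Nanning,L=Nanning,O=Cisco,OU=iot,CN=cisco-iot
 leftca cn=LASSI-ROOT-CA,dc=LASSI,dc=example,dc=com
 exit
crypto ipsec profile primary
 ipaddr 192.168.3.4 iketime 86400 keytime 86400 aes 128
 subnet 10.10.0.0/8
 rightid SN=FTX2103Z05B, unstructuredName=CRS829.cisco.com
 exit
crypto ipsec profile secondary
 ipaddr 192.168.3.1 iketime 86400 keytime 86400 aes 128
 subnet 10.10.0.0/8
 rightid unstructuredName=IR829_CH.cisco.com,C=CN,ST=Nanning,L=Nanning,O=Cisco,OU=IR829,CN=ndes.com
 exit
ipsec cert scep http://ca.example.invalid/certsrv/mscep/mscep.dll US CA Milpitas Cisco iot LORA ndes true 2048
ipsec cert install local enable
ipsec enable
"""

PROFILE_RE = re.compile(r"crypto ipsec profile (common|primary|secondary)$")
DN_KEYS = ("leftid", "leftca", "rightca", "rightid")


def parse_config(text):
    """Split the config into profile blocks (one dict per profile) and top-level commands."""
    profiles, top_level, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        match = PROFILE_RE.match(line)
        if match:
            current = profiles.setdefault(match.group(1), {})
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            top_level.append(line)
            continue
        tokens = line.split()
        if tokens[0] == "ipaddr":
            # ipaddr <ip> iketime <n> keytime <n> aes <128|256>: alternating keyword/value pairs
            current.update(zip(tokens[0::2], tokens[1::2]))
        else:
            # leftid/leftca/rightca/rightid/subnet take one value; keep the raw
            # remainder so a forbidden space inside a DN stays visible to lint()
            current[tokens[0]] = line[len(tokens[0]):].strip()
    return profiles, top_level


def lint(profiles, top_level):
    """Apply the constraints this chapter states; returns a list of findings (empty means clean)."""
    findings = []
    if "primary" not in profiles:
        findings.append("primary profile missing: it MUST be configured")
    for name, prof in profiles.items():
        for key in DN_KEYS:
            if key in prof and " " in prof[key]:
                findings.append(f"{name}: {key} contains a space (not allowed in DNs, IDs or CA parameters)")
        if name == "common":
            continue
        for required in ("ipaddr", "iketime", "keytime", "aes"):
            if required not in prof:
                findings.append(f"{name}: required parameter {required} missing")
        if prof.get("aes", "128") not in ("128", "256"):
            findings.append(f"{name}: aes must be 128 or 256")
        if "subnet" in prof:
            try:
                ipaddress.ip_network(prof["subnet"], strict=False)
            except ValueError:
                findings.append(f"{name}: subnet {prof['subnet']} is not a valid subnet/mask")
    if "subnet" in profiles.get("secondary", {}) and "subnet" not in profiles.get("primary", {}):
        findings.append("primary is host-only but secondary has a subnet: primary overrides, "
                        "so no packets will be able to use the secondary tunnel")
    scep = any(cmd.startswith("ipsec cert scep ") for cmd in top_level)
    local_install = any(cmd.startswith("ipsec cert install local") for cmd in top_level)
    if scep and local_install:
        findings.append("ipsec cert scep and ipsec cert install local enable are exclusive: "
                        "the install command fails while SCEP is enabled")
    return findings


def disposition(profiles, destination, subnet_lock=False):
    """Where a packet to `destination` goes: 'tunnel', 'cleartext', or 'dropped' (ipsec subnet lock)."""
    primary = profiles.get("primary", {})
    if "subnet" not in primary:
        return "tunnel"  # host-only tunnel: every packet travels through it
    if ipaddress.ip_address(destination) in ipaddress.ip_network(primary["subnet"], strict=False):
        return "tunnel"
    return "dropped" if subnet_lock else "cleartext"


if __name__ == "__main__":
    profiles, top_level = parse_config(SAMPLE_CONFIG)
    for finding in lint(profiles, top_level):
        print("FINDING:", finding)
    for dst in ("10.20.1.5", "192.0.2.9"):
        print(dst, "->", disposition(profiles, dst, subnet_lock=True))
```

Run it against the constructed sample and it reports the space in the primary rightid and the SCEP/local-install conflict; a destination inside 10.10.0.0/8 is carried by the tunnel, while one outside is dropped when subnet lock is on and sent in cleartext otherwise. Feeding it an exported running-config from a gateway before committing changes is the intended use.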

Basic Configuration for RSA to Connect to Primary and Secondary

172.27.170.71 LoRaWAN Module <—————————> Primary 172.27.170.77
                             <—————————> Secondary 172.27.170.72

crypto ipsec profile primary
 ipaddr 172.27.170.77 iketime 86400 keytime 86400 aes 256
 exit
crypto ipsec profile secondary
 ipaddr 172.27.170.72 iketime 86400 keytime 86400 aes 256
 exit
ipsec cert scep http://172.27.126.60/CertSrv/mscep/mscep.dll US CA Milpitas Cisco iot LORA ndes true 2048
ipsec enable

Locking Traffic to IPSec Tunnels


When subnets are configured, only the packets destined for that subnet pass through the IPsec tunnel. To make
sure that all traffic passes through IPsec tunnels when subnets are configured, use the ipsec subnet lock
command to allow only the traffic between the IXM and its designated subnets.

Erasing IPSec Certificates and Key


To erase IPSec certificates and key, use the ipsec cert erase EXEC command.

Uploading Certificates from USB or Local Flash


To upload certificates from USB, use the following EXEC command:
ipsec install usb <pfx-file> {<cr> | <password>}
To upload certificates from local flash, use the following EXEC command:
ipsec install local <path>:<file> <password>
Example

ipsec install local flash:ndes2.pfx cisco

Disabling LXC Restart During IPSec Reauthentication


To prevent the LXC container from restarting during IPSec reauthentication, use the ipsec lxc-restart-disable command.

Resetting Secure-Storage for Certificate Download


On gateways running Release 2.1.0.1 or later, if the box is downgraded to an older image, the installed
certificates are inaccessible while the older image is loaded. If you want to download new certificates in
the older image, run the pki secure-storage reset EXEC command before downgrading. This command deletes
all currently installed certificates and restructures secure storage. If you do not want to install new
certificates in the older image, it is recommended that you do not run this command.
