Vyatta Network OS Documentation

Suite B configuration

NSA Suite B is a set of cryptographic algorithms that the National Security Agency published as part of an effort to modernize its cryptography. Suite B supports interoperability for unclassified information and most classified information. The NSA has since superseded Suite B with the Commercial National Security Algorithm (CNSA) Suite, but the algorithm combinations below remain defined by RFC 6379 and are still widely used for interoperable IPsec.

RFC 6379 defines four suites (two AES-GCM and two AES-GMAC). The vRouter supports the two GCM suites:

  • Suite-B-GCM-128: ESP with AES-GCM-128 (16-octet ICV); IKEv2 with AES-CBC-128, HMAC-SHA-256 and Diffie-Hellman group 19 (256-bit ECP)
  • Suite-B-GCM-256: ESP with AES-GCM-256 (16-octet ICV); IKEv2 with AES-CBC-256, HMAC-SHA-384 and Diffie-Hellman group 20 (384-bit ECP)

RFC 6379 also specifies ECDSA authentication for both suites (P-256 with SHA-256, P-384 with SHA-384). The configurations below set only the algorithms; the interoperability example that follows authenticates with a pre-shared key, which is convenient for a lab but is not what the RFC profiles require.

This section shows how to configure Suite B cryptography for IPsec and includes an interoperability example with Cisco IOS.

Table 1. Configuring Suite-B-GCM-128
Step Command

Create the configuration node for proposal 1 of ESP group ESP-1W.

vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1

Set the ESP encryption cipher to AES-GCM with a 128-bit key and a 128-bit ICV.

vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 encryption aes128gcm128

Set the ESP hash algorithm to null. AES-GCM is an AEAD cipher that authenticates the packet itself, so no separate integrity algorithm is configured.

vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 hash null

Create IKE group IKE-1W and set the IKE version to 2 (the RFC 6379 suites are defined for IKEv2).

vyatta@WEST# set security vpn ipsec ike-group IKE-1W ike-version 2

Set the IKE encryption cipher to AES-CBC-128.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 encryption aes128

Set the IKE hash algorithm to SHA-256. Unlike ESP, the IKE_SA uses a non-AEAD cipher here and needs an integrity algorithm.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 hash sha2_256

Set the Diffie-Hellman group to 19 (256-bit ECP, NIST P-256).

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 dh-group 19

View the configuration.

vyatta@WEST# show security vpn ipsec
esp-group ESP-1W {
    proposal 1 {
        encryption aes128gcm128
        hash null
    }
}
ike-group IKE-1W {
    ike-version 2
    proposal 1 {
        encryption aes128
        hash sha2_256
        dh-group 19
    }
}

Table 2. Configuring Suite-B-GCM-256
Step Command

Create the configuration node for proposal 1 of ESP group ESP-1W.

vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1

Set the ESP encryption cipher to AES-GCM with a 256-bit key and a 128-bit ICV.

vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 encryption aes256gcm128

Set the ESP hash algorithm to null. AES-GCM is an AEAD cipher that authenticates the packet itself, so no separate integrity algorithm is configured.

vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 hash null

Create IKE group IKE-1W and set the IKE version to 2 (the RFC 6379 suites are defined for IKEv2).

vyatta@WEST# set security vpn ipsec ike-group IKE-1W ike-version 2

Set the IKE encryption cipher to AES-CBC-256.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 encryption aes256

Set the IKE hash algorithm to SHA-384, which Suite-B-GCM-256 uses for the IKE_SA. A null hash is valid only for the AEAD ESP proposal above; AES-CBC in IKE always needs an integrity algorithm.

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 hash sha2_384

Set the Diffie-Hellman group to 20 (384-bit ECP, NIST P-384).

vyatta@WEST# set security vpn ipsec ike-group IKE-1W proposal 1 dh-group 20

View the configuration.

vyatta@WEST# show security vpn ipsec
esp-group ESP-1W {
    proposal 1 {
        encryption aes256gcm128
        hash null
    }
}
ike-group IKE-1W {
    ike-version 2
    proposal 1 {
        encryption aes256
        hash sha2_384
        dh-group 20
    }
}
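
The view step is where you confirm that what the vRouter actually holds is one of the RFC 6379 profiles rather than something close to it. The script below is an added example, not part of the vRouter or of this documentation: it parses the brace-structured `show security vpn ipsec` output, compares proposal 1 of a named ESP group and IKE group with the Suite-B-GCM-128 and Suite-B-GCM-256 definitions expressed in vRouter keywords, and lists the leaves that differ. The two embedded configurations are constructed samples; the second deliberately sets the IKE hash to null to show the kind of mistake the check catches. The SUITE_B table and the function names are the example's own.

```python
"""Check vRouter 'show security vpn ipsec' output against the RFC 6379 Suite-B-GCM profiles."""

# RFC 6379 Suite-B-GCM profiles in vRouter keywords (this table is the example's own).
# ESP: AES-GCM with a 16-octet ICV and no separate integrity algorithm.
# IKEv2: AES-CBC with HMAC-SHA-256 / DH 19 (128) or HMAC-SHA-384 / DH 20 (256).
SUITE_B = {
    "Suite-B-GCM-128": {"esp": {"encryption": "aes128gcm128", "hash": "null"},
                        "ike": {"ike-version": "2", "encryption": "aes128",
                                "hash": "sha2_256", "dh-group": "19"}},
    "Suite-B-GCM-256": {"esp": {"encryption": "aes256gcm128", "hash": "null"},
                        "ike": {"ike-version": "2", "encryption": "aes256",
                                "hash": "sha2_384", "dh-group": "20"}},
}

# Constructed sample: a correct Suite-B-GCM-128 configuration as 'show' prints it.
SHOW_GCM_128 = """
esp-group ESP-1W {
    proposal 1 {
        encryption aes128gcm128
        hash null
    }
}
ike-group IKE-1W {
    ike-version 2
    proposal 1 {
        encryption aes128
        hash sha2_256
        dh-group 19
    }
}
"""

# Constructed sample: a Suite-B-GCM-256 attempt with the IKE hash wrongly set to null.
SHOW_GCM_256_BAD = (SHOW_GCM_128.replace("aes128gcm128", "aes256gcm128")
                    .replace("aes128", "aes256").replace("sha2_256", "null")
                    .replace("dh-group 19", "dh-group 20"))


def parse_show(text):
    """Parse brace-structured vRouter show output into nested dicts."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):            # 'esp-group ESP-1W {' opens a child node
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":                 # back to the parent node
            node = stack.pop()
        else:                             # 'hash null' is a leaf
            key, _, value = line.partition(" ")
            node[key] = value
    return root


def leaves(group, proposal="proposal 1"):
    """Group-level leaves (e.g. ike-version) merged with the leaves of one proposal."""
    return {**{k: v for k, v in group.items() if isinstance(v, str)}, **group.get(proposal, {})}


def classify(cfg, esp_name, ike_name):
    """Return (matching suite or None, {suite: {leaf: (actual, required)}} for non-matches)."""
    esp = leaves(cfg.get(f"esp-group {esp_name}", {}))
    ike = leaves(cfg.get(f"ike-group {ike_name}", {}))
    report = {}
    for suite, want in SUITE_B.items():
        mism = {f"esp {k}": (esp.get(k), v) for k, v in want["esp"].items() if esp.get(k) != v}
        mism.update({f"ike {k}": (ike.get(k), v) for k, v in want["ike"].items() if ike.get(k) != v})
        if not mism:
            return suite, {}
        report[suite] = mism
    return None, report


def basic_findings(cfg, esp_name, ike_name):
    """Checks that hold whichever suite is intended."""
    esp = leaves(cfg.get(f"esp-group {esp_name}", {}))
    ike = leaves(cfg.get(f"ike-group {ike_name}", {}))
    out = []
    if "gcm" in esp.get("encryption", "") and esp.get("hash") != "null":
        out.append("ESP: AES-GCM is an AEAD cipher; the Suite B profiles use hash null")
    if "gcm" not in esp.get("encryption", "") and esp.get("hash") in (None, "null"):
        out.append("ESP: a non-AEAD cipher needs an integrity algorithm")
    if "gcm" not in ike.get("encryption", "") and ike.get("hash") in (None, "null"):
        out.append("IKE: a CBC cipher with hash null leaves the IKE_SA without integrity protection")
    if ike.get("ike-version") != "2":
        out.append("IKE: the RFC 6379 suites are defined for IKEv2")
    return out


if __name__ == "__main__":
    for name, text in (("good", SHOW_GCM_128), ("bad", SHOW_GCM_256_BAD)):
        cfg = parse_show(text)
        print(name, classify(cfg, "ESP-1W", "IKE-1W"), basic_findings(cfg, "ESP-1W", "IKE-1W"))
```

Paste the output of `show security vpn ipsec` into SHOW_GCM_128's place and run the script; an empty report from classify together with an empty list from basic_findings means the groups are exactly one of the two profiles.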

Interoperability with Cisco IOS

The following sample configurations can be adapted as needed for interoperability with Cisco IOS. They pair the vRouter Suite-B-GCM-128 groups with an IOS IKEv2 proposal that offers the same algorithms (aes-cbc-128, integrity sha256, DH group 19) and an esp-gcm transform set, which on IOS defaults to a 128-bit key. Note that the example values might not be suitable for all security policies: both sides authenticate with a pre-shared key rather than the ECDSA certificates RFC 6379 requires, the key 'password' is a placeholder to be replaced with a long random secret, and `match identity remote any` accepts any peer identity that knows that key (matching on the vRouter's address is tighter). On IOS the policy takes effect only once the crypto map is applied to the interface that carries the peer address; the crypto ipsec profile shown is used only if you terminate the tunnel on a virtual tunnel interface instead. The access list named by the crypto map must be the mirror image of the vRouter tunnel prefixes (IOS source = vRouter remote prefix, IOS destination = vRouter local prefix), and the PFS group on both sides must agree or the CHILD_SA will not rekey.

vRouter

set security vpn ipsec esp-group ESP-G1 lifetime '3600'
set security vpn ipsec esp-group ESP-G1 proposal 1 encryption 'aes128gcm128'
set security vpn ipsec esp-group ESP-G1 proposal 1 hash 'null'
set security vpn ipsec ike-group IKE-G1 ike-version '2'
set security vpn ipsec ike-group IKE-G1 lifetime '3600'
set security vpn ipsec ike-group IKE-G1 proposal 1 dh-group '19'
set security vpn ipsec ike-group IKE-G1 proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE-G1 proposal 1 hash 'sha2_256'
set security vpn ipsec site-to-site peer 192.168.3.3 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 192.168.3.3 authentication pre-shared-secret 'password'
set security vpn ipsec site-to-site peer 192.168.3.3 default-esp-group 'ESP-G1'
set security vpn ipsec site-to-site peer 192.168.3.3 ike-group 'IKE-G1'
set security vpn ipsec site-to-site peer 192.168.3.3 local-address '192.168.2.1'
set security vpn ipsec site-to-site peer 192.168.3.3 tunnel 1 local prefix '192.168.1.0/24'
set security vpn ipsec site-to-site peer 192.168.3.3 tunnel 1 remote prefix '192.168.4.0/24'

Cisco IOS

crypto ikev2 proposal 1 
 encryption aes-cbc-128
 integrity sha256
 group 19
!
crypto ikev2 policy IKE-G1 
 match fvrf any
 proposal 1
!         
crypto ikev2 profile IKE-G1
 match identity remote any
 authentication remote pre-share key password
 authentication local pre-share key password
 lifetime 3600
!         
crypto ipsec transform-set ESP-G1 esp-gcm 
 mode tunnel
!         
crypto ipsec profile 192.168.2.1
 set transform-set ESP-G1 
 set pfs group19
 set ikev2-profile IKE-G1
!         
crypto map vyatta 101 ipsec-isakmp 
 set peer 192.168.2.1
 set transform-set ESP-G1 
 set pfs group19
 set ikev2-profile IKE-G1
 match address 101
!
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface GigabitEthernet2
 ip address 192.168.3.3 255.255.255.0
 crypto map vyatta
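
Because the two CLIs name the same algorithms differently, a mismatch is easy to miss until IKE fails with NO_PROPOSAL_CHOSEN or the CHILD_SA refuses to rekey. The script below is an added example, not part of the vRouter or of any IOS tooling: it flattens the vRouter `set` lines and groups the IOS fragment into sections, then checks that the IKEv2 proposal, the transform set, the PFS group and the traffic selectors agree, translating vRouter keywords to IOS ones (aes128 to aes-cbc-128, sha2_256 to integrity sha256, aes128gcm128 to esp-gcm) and converting ACL wildcard masks to prefixes so the access list is verified to be the mirror image of the tunnel. The keyword tables, the assumption that a vRouter ESP group without an explicit pfs leaf reuses the IKE DH group for PFS, and the trimmed sample configurations are the example's own.

```python
"""Cross-check a vRouter site-to-site IPsec peer against its Cisco IOS IKEv2 configuration."""
import ipaddress

# vRouter keyword -> IOS keyword for the parameters that must agree end to end.
IKE_ENC = {"aes128": "aes-cbc-128", "aes256": "aes-cbc-256"}
IKE_HASH = {"sha2_256": "sha256", "sha2_384": "sha384", "sha2_512": "sha512"}
ESP_ENC = {"aes128gcm128": {"esp-gcm", "esp-gcm 128"}, "aes256gcm128": {"esp-gcm 256"}}

# Constructed sample: the vRouter side of the interoperability example.
VROUTER = """
set security vpn ipsec esp-group ESP-G1 proposal 1 encryption 'aes128gcm128'
set security vpn ipsec esp-group ESP-G1 proposal 1 hash 'null'
set security vpn ipsec ike-group IKE-G1 proposal 1 dh-group '19'
set security vpn ipsec ike-group IKE-G1 proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE-G1 proposal 1 hash 'sha2_256'
set security vpn ipsec site-to-site peer 192.168.3.3 default-esp-group 'ESP-G1'
set security vpn ipsec site-to-site peer 192.168.3.3 ike-group 'IKE-G1'
set security vpn ipsec site-to-site peer 192.168.3.3 local-address '192.168.2.1'
set security vpn ipsec site-to-site peer 192.168.3.3 tunnel 1 local prefix '192.168.1.0/24'
set security vpn ipsec site-to-site peer 192.168.3.3 tunnel 1 remote prefix '192.168.4.0/24'
"""
# Constructed sample: the IOS sections the check reads (the full peer config has more).
IOS = """
crypto ikev2 proposal 1
 encryption aes-cbc-128
 integrity sha256
 group 19
!
crypto ipsec transform-set ESP-G1 esp-gcm
crypto map vyatta 101 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set ESP-G1
 set pfs group19
 match address 101
!
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def vyatta_leaves(text):
    """Flatten 'set security vpn ipsec ...' lines into {path: value}."""
    out = {}
    for line in text.splitlines():
        tok = line.replace("'", "").split()
        if tok[:4] == ["set", "security", "vpn", "ipsec"] and len(tok) > 5:
            out[" ".join(tok[4:-1])] = tok[-1]
    return out

def ios_sections(text):
    """Group an IOS config fragment into {header line: [indented sub-commands]}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and cur is not None:
            sections[cur].append(raw.strip())
        else:
            cur = raw.strip()
            sections[cur] = []
    return sections

def acl_network(addr, wildcard):
    """IOS address + wildcard mask -> ip_network; rejects non-contiguous masks."""
    bits = "".join(f"{int(o):08b}" for o in wildcard.split("."))
    if "0" in bits.lstrip("0"):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - bits.count('1')}", strict=False)

def crosscheck(vy, ios, peer, cmap_name):
    """Return the parameters on which the vRouter peer and the IOS crypto map disagree."""
    issues, p = [], f"site-to-site peer {peer}"
    ike = f"ike-group {vy[p + ' ike-group']} proposal 1"
    esp = f"esp-group {vy[p + ' default-esp-group']}"
    cmap = next(sub for h, sub in ios.items() if h.startswith(f"crypto map {cmap_name} "))
    setting = lambda sub, kw: [l[len(kw) + 1:] for l in sub if l.startswith(kw + " ")]
    # IKE_SA: the vRouter proposal must be a subset of some IOS ikev2 proposal.
    want = {f"encryption {IKE_ENC[vy[ike + ' encryption']]}",
            f"integrity {IKE_HASH[vy[ike + ' hash']]}", f"group {vy[ike + ' dh-group']}"}
    offered = [{f"{l.split()[0]} {v}" for l in sub for v in l.split()[1:]}
               for h, sub in ios.items() if h.startswith("crypto ikev2 proposal ")]
    if not any(want <= o for o in offered):
        issues.append(f"IKEv2 proposal: no IOS proposal offers {sorted(want)}")
    # CHILD_SA: transform set, then PFS (assumption: without a 'pfs' leaf the vRouter
    # reuses the IKE DH group, which is what the IOS 'set pfs' must then name).
    ts = setting(cmap, "set transform-set")[0]
    transform = " ".join(next(h for h in ios if h.startswith(f"crypto ipsec transform-set {ts} ")).split()[4:])
    if transform not in ESP_ENC[vy[esp + " proposal 1 encryption"]]:
        issues.append(f"ESP: vRouter {vy[esp + ' proposal 1 encryption']} vs IOS {transform}")
    pfs = vy.get(esp + " pfs", "enable")
    expect = [] if pfs == "disable" else [vy[ike + " dh-group"] if pfs == "enable" else pfs.replace("dh-group", "")]
    if [g.replace("group", "") for g in setting(cmap, "set pfs")] != expect:
        issues.append(f"PFS: IOS 'set pfs' should be {expect or 'absent'}")
    # Traffic selectors: the IOS ACL must be the mirror image of the vRouter tunnel.
    acl = setting(cmap, "match address")[0]
    local = ipaddress.ip_network(vy[p + " tunnel 1 local prefix"], strict=False)
    remote = ipaddress.ip_network(vy[p + " tunnel 1 remote prefix"], strict=False)
    for h in ios:
        if h.startswith(f"access-list {acl} permit ip "):
            src, swc, dst, dwc = h.split()[4:8]
            if (acl_network(src, swc), acl_network(dst, dwc)) != (remote, local):
                issues.append(f"traffic selector: ACL {acl} does not mirror tunnel 1")
    return issues
```

Run `crosscheck(vyatta_leaves(VROUTER), ios_sections(IOS), "192.168.3.3", "vyatta")`; an empty list means the two sides agree. The check reads only proposal 1 and the crypto map named, which is all the interoperability example uses.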