The following example describes a configuration of an SBC 5200 that enables IPsec encryption of SIP traffic between LABNBS1 and SBC9000.
SBC 5200-SBC 9000 Configuration Example
IPsec encryption works for non-media traffic only on SBC Core and SBC 9000. Only non-media traffic (signaling, ICMP) traverses through the IPsec tunnel. To encrypt media as well, use SRTP. If the media endpoint IP address is behind a NAPT, enable NaptMedia flag on the sipTrunkGroup.
IPsec using overlapped IP addressing is not supported in SBC Core releases earlier than 4.2.x; only the default addressContext is used for IPsec. In 4.2.x and later releases, the SBC supports IPsec in default and custom addressContexts.
Set all parameters identically on both sides (including timers, ciphers, SPD IP addresses, prefixes/masks, PFS, and so on).
Best Practice for IKE Peer Configuration
Set local identity to local SIP signaling port IP address and set remote identity to remote SIP signaling port IP address. The other end has to be set other way, that is, "remote identity" parameter has to match the local identity and vice versa.
Set IKE peer IP address to network interface IP address, that is, IP address of LIF or NIF/SIF.
The SBC supports a setup where the IPsec peer termination IP address (FW/IPsec GW IP address) is a public IP address and there is a SIP server or PBX with a private IP address behind this FW/GW. The SBC needs static IP routes to both termination and SIP signaling IP addresses. The static IP route to the private IP address is redundant. That means, nexthop is same as the nexthop for a public IP address. The un-encrypted traffic to the private IP address cannot be sent because the private IP address is not reachable directly from the SBC.
IP addresses of the SPDs have to be populated with SIP signaling port IP addresses. Protocol enumerations: 17 UDP, 6 TCP and so on (IANA Protocol enumerations apply).
IP addresses and prefixes (masks) in traffic selectors have to be set identically on both ends.
Ensure that the entered IP address entered for SPD entries is the subnet ID IP address and not a host IP address. For example, 192.168.1.0/29 is correct and 192.168.1.5/29 is incorrect.
To send both encrypted and unencrypted traffic through the same IP Interface Group/IP Interface, configure separate SPDs. The action type for unencrypted traffic has to be set to
bypass and to encrypt set it to
Enabling IPsec on an interface group that has 2 or more interfaces is not supported.
Useful CLI Commands
To retrieve the statistics and status of SA of IKE and IPsec.