Multicast traffic

Multicast traffic can be protected by IPSec, but only manual tunnels are supported because the IKED supports negotiating dynamic tunnels with only a single peer rather than with a group of peers.

Multicast traffic is one-to-many (sent by an individual node but received by many nodes), and a node normally both sends and receives it. To use manual tunnels for multicast, you must therefore use the same Security Parameter Index (SPI) and keys for inbound and outbound traffic, and you must coordinate those SPI values and keys with every multicast peer on the LAN segment. Also, because this manual tunnel protects traffic with various source and destination addresses, you must specify any or any6 for the local and remote security endpoint addresses. The following example shows AH authentication using the SHA algorithm and ESP encryption using the DES algorithm.

IpManVpnAction tunnel-multicast
{
  LocalSecurityEndpointAddr  any
  RemoteSecurityEndpointAddr any
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
    AuthInboundSa       2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt               DES
    EncryptOutboundSa   2701 0x3e6dcf72459ef551
    EncryptInboundSa    2701 0x3e6dcf72459ef551
  HowToEncap                 transport
}
Requirement: You must define two filter rules for the multicast traffic. The first rule matches outbound multicast traffic, which has a unicast source address and a multicast destination address. The second rule matches inbound multicast traffic, which has a remote (destination) address that is unicast, and a local (source) address that is multicast. The addresses of the inbound rule are reversed from those that you might expect, because bidirectional rules are written from an outbound perspective. These rules are as follows:
IpFilterRule outbound-multicast
{
  IpSourceAddrSetRef       lan-home-address
  IpDestAddr               224.0.0.1
  IpServiceRef             service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef        tunnel-multicast
}
IpFilterRule inbound-multicast
{
  IpSourceAddr             224.0.0.1
  IpDestAddr               lan-subnet
  IpServiceRef             service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef        tunnel-multicast
}

It is also possible to restrict a tunnel to the particular multicast address that is being used. Define a separate tunnel for each multicast address; the tunnels can reuse the same SPI value, because the combination of address and SPI is what makes a tunnel unique. Because the local system is expected to both send and receive multicast messages, you must create two manual tunnels. The following example shows this approach. In this example, one endpoint address is known for each tunnel, so you specify that address for that security endpoint and any for the other.

IpManVpnAction tunnel-multicast-outbound
{
  LocalSecurityEndpointAddr  any
  RemoteSecurityEndpointAddr 224.0.0.1
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
    AuthInboundSa       2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt               DES
    EncryptOutboundSa   2701 0x3e6dcf72459ef551
    EncryptInboundSa    2701 0x3e6dcf72459ef551
  HowToEncap                 transport
}
IpManVpnAction tunnel-multicast-inbound
{
  LocalSecurityEndpointAddr  224.0.0.1
  RemoteSecurityEndpointAddr any
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
    AuthInboundSa       2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt               DES
    EncryptOutboundSa   2701 0x3e6dcf72459ef551
    EncryptInboundSa    2701 0x3e6dcf72459ef551
  HowToEncap                 transport
}
IpFilterRule outbound-multicast
{
  IpSourceAddrSetRef       lan-home-address
  IpDestAddr               224.0.0.1
  IpServiceRef             service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef        tunnel-multicast-outbound
}
IpFilterRule inbound-multicast
{
  IpSourceAddr             224.0.0.1
  IpDestAddr               lan-subnet
  IpServiceRef             service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef        tunnel-multicast-inbound
}
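The checker below is an added example; it is not part of this documentation and not an IBM-supplied tool. It parses statements in the style shown above into dictionaries and verifies the three constraints the text imposes on multicast manual tunnels: each tunnel carries the same SPI and key inbound and outbound; each filter rule is written from the outbound perspective (group address as IpDestAddr in the outbound rule, as IpSourceAddr in the inbound rule) and references a tunnel whose security endpoint is either any/any6 or that group; and a security association is identified by group address plus SPI (and protocol), so tunnels for different groups can reuse SPI 2700 without clashing. The sample policy, tunnel and rule names, key values and the IpDestAddrSetRef set name are constructed for the example, keywords the checks do not inspect (IpServiceRef, IpGenericFilterActionRef, HowToEncap) are omitted, and the third tunnel is deliberately misconfigured so the check has something to report.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (placeholder names and keys; keywords the checks ignore are
# omitted). tunnel-mc-out-bad deliberately uses different SPIs per direction.
SAMPLE_POLICY = """
IpManVpnAction tunnel-mc-out
{
  LocalSecurityEndpointAddr  any
  RemoteSecurityEndpointAddr 224.0.0.1
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
    AuthInboundSa       2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
}
IpManVpnAction tunnel-mc-in
{
  LocalSecurityEndpointAddr  224.0.0.1
  RemoteSecurityEndpointAddr any
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
    AuthInboundSa       2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
}
IpManVpnAction tunnel-mc-out-bad
{
  LocalSecurityEndpointAddr  any
  RemoteSecurityEndpointAddr 224.0.0.2
  HowToAuth                  AH HMAC_SHA1
    AuthOutboundSa      2700 0x0101010101010101010101010101010101010101
    AuthInboundSa       2702 0x0101010101010101010101010101010101010101
}
IpFilterRule out-1
{
  IpSourceAddrSetRef       lan-home-address
  IpDestAddr               224.0.0.1
  IpManVpnActionRef        tunnel-mc-out
}
IpFilterRule in-1
{
  IpSourceAddr             224.0.0.1
  IpDestAddrSetRef         lan-subnet
  IpManVpnActionRef        tunnel-mc-in
}
IpFilterRule out-2
{
  IpSourceAddrSetRef       lan-home-address
  IpDestAddr               224.0.0.2
  IpManVpnActionRef        tunnel-mc-out-bad
}
"""
BLOCK_RE = re.compile(r"(\w+)\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_policy(text):
    """Return {(statement type, name): {keyword: [values]}} for each block."""
    blocks = {}
    for stmt, name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            tokens = line.split()
            if tokens:
                attrs[tokens[0]] = tokens[1:]
        blocks[(stmt, name)] = attrs
    return blocks

def is_multicast(addr):
    """True for an IPv4 or IPv6 group address; False for any/any6, set names."""
    try:
        return ipaddress.ip_address(addr).is_multicast
    except ValueError:
        return False

def check_policy(blocks):
    """Return (findings, sa_table); sa_table keys are (group, proto, SPI, dir)."""
    findings, sa_table = [], defaultdict(set)
    for (stmt, rule_name), rule in blocks.items():
        if stmt != "IpFilterRule":
            continue
        tunnel_name = rule["IpManVpnActionRef"][0]
        tunnel = blocks[("IpManVpnAction", tunnel_name)]
        # Rules are written from the outbound perspective: the group is the
        # destination of the outbound rule and the source of the inbound rule.
        dst, src = rule.get("IpDestAddr", [""])[0], rule.get("IpSourceAddr", [""])[0]
        if is_multicast(dst):
            group, direction, endpoint = dst, "out", "RemoteSecurityEndpointAddr"
        elif is_multicast(src):
            group, direction, endpoint = src, "in", "LocalSecurityEndpointAddr"
        else:
            findings.append(f"{rule_name}: no multicast group in source or destination")
            continue
        ep = tunnel.get(endpoint, [""])[0]
        if ep not in ("any", "any6", group):
            findings.append(f"{rule_name}: {tunnel_name} {endpoint} {ep} does not cover {group}")
        for out_k, in_k, proto in (("AuthOutboundSa", "AuthInboundSa", "AH"),
                                   ("EncryptOutboundSa", "EncryptInboundSa", "ESP")):
            if out_k not in tunnel:
                continue
            # Multicast manual tunnels need the same SPI and key in both directions.
            if tunnel[out_k] != tunnel.get(in_k):
                findings.append(f"{tunnel_name}: {out_k} and {in_k} differ in SPI or key")
            # An SA is identified by group address plus SPI (and protocol), so
            # reusing SPI 2700 on a different group is not a clash.
            sa_table[(group, proto, tunnel[out_k][0], direction)].add(tunnel_name)
    return findings, dict(sa_table)
```

Running check_policy(parse_policy(SAMPLE_POLICY)) reports only the mismatched SPIs in tunnel-mc-out-bad; the SA table shows (224.0.0.1, AH, 2700) used outbound by tunnel-mc-out and inbound by tunnel-mc-in, and (224.0.0.2, AH, 2700) as a separate association, which is the address-plus-SPI uniqueness the text relies on. Direction is part of the table key because an outbound tunnel and an inbound tunnel for the same group legitimately share the group's SPI.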
Tip: Configuration of manual tunnels for IPv6 multicast is similar. For specific examples of configuring this for OSPFv3 security, see Considerations for IPv6 OSPF security.