Multicast traffic
Multicast traffic can be protected by IPSec, but only manual tunnels are supported, because the IKE daemon (IKED) can negotiate dynamic tunnels with only a single peer, not with a group of peers.
Multicast traffic is one-to-many (sent by an individual node but received by multiple nodes), and a node normally both sends and receives it; therefore, to use manual tunnels for multicast, you must use the same Security Parameter Index (SPI) and keys for inbound and outbound traffic. You must coordinate the SPI values and keys with all multicast peers on the LAN segment. Also, because this one manual tunnel protects traffic with various source and destination addresses, you must specify any (IPv4) or any6 (IPv6) for the local and remote security endpoint addresses. The following example shows AH authentication using the SHA algorithm (HMAC_SHA1) and ESP encryption using the DES algorithm.
IpManVpnAction tunnel-multicast
{
  LocalSecurityEndpointAddr any
  RemoteSecurityEndpointAddr any
  HowToAuth AH HMAC_SHA1
  AuthOutboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  AuthInboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt DES
  EncryptOutboundSa 2701 0x3e6dcf72459ef551
  EncryptInboundSa 2701 0x3e6dcf72459ef551
  HowToEncap transport
}
IpFilterRule outbound-multicast
{
  IpSourceAddrSetRef lan-home-address
  IpDestAddr 224.0.0.1
  IpServiceRef service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-multicast
}
IpFilterRule inbound-multicast
{
  IpSourceAddr 224.0.0.1
  IpDestAddr lan-subnet
  IpServiceRef service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-multicast
}
It is also possible to restrict a tunnel to the multicast address that is being used. Define a separate tunnel for each multicast address; the tunnels can all use the same SPI value, because the combination of address and SPI is what makes each tunnel unique. Because the local system is expected to both send and receive multicast messages, you must create two manual tunnels, one for each direction. The following example shows this approach. In this example, one endpoint address is known for each tunnel (the multicast group address), so you specify that address for the corresponding security endpoint address and any for the other.
IpManVpnAction tunnel-multicast-outbound
{
  LocalSecurityEndpointAddr any
  RemoteSecurityEndpointAddr 224.0.0.1
  HowToAuth AH HMAC_SHA1
  AuthOutboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  AuthInboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt DES
  EncryptOutboundSa 2701 0x3e6dcf72459ef551
  EncryptInboundSa 2701 0x3e6dcf72459ef551
  HowToEncap transport
}
IpManVpnAction tunnel-multicast-inbound
{
  LocalSecurityEndpointAddr 224.0.0.1
  RemoteSecurityEndpointAddr any
  HowToAuth AH HMAC_SHA1
  AuthOutboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  AuthInboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt DES
  EncryptOutboundSa 2701 0x3e6dcf72459ef551
  EncryptInboundSa 2701 0x3e6dcf72459ef551
  HowToEncap transport
}
IpFilterRule outbound-multicast
{
  IpSourceAddrSetRef lan-home-address
  IpDestAddr 224.0.0.1
  IpServiceRef service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-multicast-outbound
}
IpFilterRule inbound-multicast
{
  IpSourceAddr 224.0.0.1
  IpDestAddr lan-subnet
  IpServiceRef service-udp
  IpGenericFilterActionRef ipsec-nolog
  IpManVpnActionRef tunnel-multicast-inbound
}
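The constraints stated above for both forms of multicast manual tunnel (inbound and outbound SA must share SPI and key, endpoints must be any/any6 or the multicast group address, and keys must be the right size for HMAC_SHA1 and DES) are easy to get wrong when several peers hand-coordinate them. The following added example, which is not part of the IBM documentation or of any IBM tool, is a small lint pass over IpManVpnAction blocks in the policy text format shown on this page; the tunnel-bad block and its addresses are constructed input that violates each rule, while the page's own tunnel-multicast blocks pass clean.

```python
import re

KEY_BYTES = {"HMAC_SHA1": 20, "DES": 8}   # key sizes for the algorithms on this page

# Constructed policy text: a deliberately broken manual tunnel with a unicast
# remote endpoint, an inbound AH SPI that differs from outbound, and a short DES key.
POLICY = """
IpManVpnAction tunnel-bad
{
  LocalSecurityEndpointAddr any
  RemoteSecurityEndpointAddr 10.1.1.1
  HowToAuth AH HMAC_SHA1
  AuthOutboundSa 2700 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  AuthInboundSa 2702 0xa66e1b72e58a367ebd39d62daef84d5d9222cfe1
  HowToEncrypt DES
  EncryptOutboundSa 2701 0x3e6dcf72
  EncryptInboundSa 2701 0x3e6dcf72
}
"""

def parse_actions(text):
    """Parse IpManVpnAction blocks into {name: {keyword: [values]}}."""
    actions, cur = {}, None
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()      # '#' starts a comment
        if not toks or toks[0] in ("{", "}"):
            continue
        if toks[0] == "IpManVpnAction":
            cur = actions[toks[1]] = {}
        elif cur is not None:
            cur[toks[0]] = toks[1:]
    return actions

def check_multicast_action(name, a):
    """Return the problems that break the multicast manual-tunnel rules."""
    problems = []
    for kw in ("LocalSecurityEndpointAddr", "RemoteSecurityEndpointAddr"):
        v = a.get(kw, ["?"])[0]                   # any/any6 or a 224.0.0.0/4 group
        if v not in ("any", "any6") and not re.match(r"2(2[4-9]|3\d)\.", v):
            problems.append(f"{name}: {kw} {v} is neither any/any6 nor multicast")
    for kind, alg in (("Auth", a.get("HowToAuth", [""])[-1]),
                      ("Encrypt", a.get("HowToEncrypt", [""])[0])):
        out, inb = a.get(kind + "OutboundSa"), a.get(kind + "InboundSa")
        if out and inb and out != inb:            # all peers share one SPI/key pair
            problems.append(f"{name}: {kind} inbound/outbound SPI or key differ")
        if out and KEY_BYTES.get(alg) and len(out[1]) - 2 != 2 * KEY_BYTES[alg]:
            problems.append(f"{name}: {alg} key is {(len(out[1]) - 2) // 2} bytes, expected {KEY_BYTES[alg]}")
    return problems

def lint(text):
    return {n: check_multicast_action(n, a) for n, a in parse_actions(text).items()}
```

Run lint() over the IpManVpnAction blocks of a policy file before distributing the SPI and key values to the other peers on the LAN segment.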