Troubleshooting Cisco IOS Firewall-based and Cisco Secure PIX Firewall-based IPSec Implementations
2004 Cisco Systems, Inc. All rights reserved. Printed in USA. 9825_05_2004_c1
Session SEC-3010
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
What's Not Covered
PKI-based troubleshooting
Debugs from the PIX platforms
IPSec VPN Services Module
VRF aware IPSec
Why Troubleshooting Is Important in Today's VPN Deployments
Complex security association and key management protocols, and a rich set of cryptographic algorithms from which VPN peers can choose
VPNs are often implemented on top of existing networks
Some advanced features can break IPSec implementations
VPNs are often built between devices from different vendors
A Key Point to Remember
DEBUG AND SHOW COMMANDS ARE YOUR FRIENDS IN TROUBLESHOOTING ANY IPSEC RELATED ISSUES.
Figure: hosts A and B need secure communications over an insecure channel; the messages between them are carried over an IPSec VPN (secure communications using IPSec VPN).
IKE (Two-Phase Protocol)
Phase I exchange: the two peers establish a secure, authenticated channel over which to communicate; main mode or aggressive mode accomplishes the phase I exchange
Phase II exchange: security associations are negotiated on behalf of IPSec services; quick mode accomplishes the phase II exchange
Each phase has its own SAs: the ISAKMP SA (phase I) and the IPSec SAs (phase II)
Main Mode with Pre-Shared Key (Initiator and Responder)
Figure: the six main-mode messages; after messages 1 and 2 the phase I SA parameter negotiation is complete, after messages 3 and 4 the DH key exchange is complete and the shared secret SKEYID_e is derived, and the nonce exchange defeats replay.
Phase II Quick Mode Negotiation
Protected by the Phase I SA
Optional DH exchange for Perfect Forward Secrecy (PFS)
Negotiates the IPSec SA parameters, including the proxy identities [IDci, IDcr]
Two unidirectional IPSec SAs are established, each with its own SPI
Nonces are exchanged for generating the session keys:
KEYMAT = HMAC(SKEYID_d, [g(qm)^xy from KE_I/KE_R |] protocol | SPI | Nonce_I | Nonce_R)
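The quick-mode derivation above, worked in Python as an added example (not code from the Cisco session): prf is HMAC with the phase-1 hash, SHA-1 here to match "hash SHA" in the debugs; SKEYID_d and the nonces are constructed values, the SPIs are the two negotiated in the debugs later in the deck, and the optional PFS secret g(qm)^xy is passed in as bytes rather than computed. It also shows the RFC 2409 expansion of KEYMAT when one prf output is shorter than the key material the transform needs, which is the case for esp-3des esp-md5-hmac (24 + 16 bytes), and why the two unidirectional SAs end up with different keys even though SKEYID_d and the nonces are shared.

```python
import hmac

# Added example, not from the Cisco deck: the quick-mode key derivation on
# the slide, KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni | Nr),
# as specified in RFC 2409 section 5.5. prf is HMAC keyed with SKEYID_d
# using the phase-1 hash (SHA-1 here, matching "hash SHA" in the debugs).
# When more key material is needed than one prf output, it is expanded:
#   K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni | Nr)
#   Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni | Nr)
#   KEYMAT = K1 | K2 | ...
# SKEYID_d and the nonces below are constructed test values; the SPIs are
# the two quoted in the debugs. No real DH is run: g(qm)^xy, when PFS is
# on, is simply passed in as bytes.

PROTO_ESP = b"\x03"  # IPSec DOI protocol identifier PROTO_IPSEC_ESP


def prf(skeyid_d, data, hash_name="sha1"):
    """The IKEv1 prf: HMAC keyed with SKEYID_d, using the phase-1 hash."""
    return hmac.new(skeyid_d, data, hash_name).digest()


def quick_mode_keymat(skeyid_d, spi, ni, nr, length, g_xy=b"",
                      protocol=PROTO_ESP, hash_name="sha1"):
    """`length` bytes of KEYMAT for the SA identified by `spi` (4 bytes, network order)."""
    seed = g_xy + protocol + spi + ni + nr
    out, k = b"", b""
    while len(out) < length:
        k = prf(skeyid_d, k + seed, hash_name)  # K1 has no K(n-1) prefix
        out += k
    return out[:length]


def esp_3des_md5_keys(skeyid_d, spi, ni, nr, g_xy=b""):
    """Split KEYMAT for esp-3des esp-md5-hmac: the encryption key comes first
    (24 bytes for 3DES; parity bits are not adjusted here), the HMAC-MD5 key
    (16 bytes) follows, as RFC 2409 orders them."""
    km = quick_mode_keymat(skeyid_d, spi, ni, nr, 24 + 16, g_xy)
    return km[:24], km[24:]


# Constructed inputs; the SPIs are the ones negotiated in the slides.
SKEYID_D = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")
NI = bytes(range(16))
NR = bytes(range(16, 32))
SPI_IN = (0x4579753B).to_bytes(4, "big")   # inbound SA, SPI chosen locally
SPI_OUT = (0x8E1CB77A).to_bytes(4, "big")  # outbound SA, SPI chosen by the peer

if __name__ == "__main__":
    for label, spi in (("inbound", SPI_IN), ("outbound", SPI_OUT)):
        enc, auth = esp_3des_md5_keys(SKEYID_D, spi, NI, NR)
        print(label, "3DES key", enc.hex(), "HMAC-MD5 key", auth.hex())
```

Because the SPI is part of the prf input, the inbound and outbound SAs get distinct keys from the same SKEYID_d; with PFS the extra g(qm)^xy means a compromise of the phase-1 secret alone no longer yields the phase-2 keys.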
Agenda: Router IPSec VPNs (next section)
Layout
Router1 (10.1.1.0/24 behind it, outside address 209.165.200.227) and Router2 (outside address 209.165.201.4, 10.1.2.0/24 behind it), connected over an encrypted backbone.
Router Configurations
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key jw4ep9846804ijl address 209.165.201.4
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 209.165.201.4
set transform-set myset
match address 101
crypto isakmp policy defines the Phase 1 SA parameters
crypto map commands define the IPSec SA (Phase II SA) parameters
crypto ipsec transform-set defines the IPSec encryption and authentication algorithms
Router Configurations
interface Ethernet0/2
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
ip address 209.165.200.227 255.255.255.0
crypto map vpn
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
The crypto map is applied to the outbound interface (Ethernet0/3)
Ethernet0/2 is the interface connected to the private network
The access list defines the interesting (to-be-encrypted) VPN traffic
Router Configurations
R1# show crypto map
Crypto Map "vpn" 10 IPSec-isakmp
Peer = 209.165.201.4
Extended IP access list 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Current peer: 209.165.201.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn:
Ethernet0/3
Important Debug Commands
debug crypto isakmp
debug crypto ipsec
debug crypto engine
debug ip packet detail
Debugs Functionality Flow Chart
Interesting traffic received -> Main Mode IKE negotiation -> Quick Mode negotiation -> establishment of tunnel
Tunnel Establishment: Interesting Traffic Received
22:17:24.426: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x400A
The ping's source and destination addresses matched the match address access list of crypto map vpn. local is the local tunnel endpoint and remote is the remote crypto endpoint as configured in the map; local_proxy is the source of the interesting traffic and remote_proxy its destination, both as defined by the match address access list. The protocol, the transforms and the lifetimes come from the crypto map entry that was hit.
IKE Main Mode Negotiation: Phase I SA Negotiation
Main Mode exchange begins; the first two packets negotiate the phase I SA parameters
ISAKMP: received ke message (1/1)
ISAKMP: local port 500, remote port 500
ISAKMP (0:1): Input = IKE_MESG_FROM_IPsec, IKE_SA_REQ_MM
Old State = IKE_READY New State = IKE_I_MM1
ISAKMP (0:1): beginning Main Mode exchange
22:17:24: ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_NO_STATE
22:17:24: ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_NO_STATE
22:17:24: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM1 New State = IKE_I_MM2
IKE Main Mode Negotiation: Phase I SA Negotiation
22:17:24: ISAKMP (0:1): processing SA payload. message ID = 0
22:17:24: ISAKMP (0:1): processing vendor id payload
22:17:24: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
22:17:24: ISAKMP: hash SHA
22:17:24: ISAKMP: default group 1
22:17:24: ISAKMP: auth pre-share
22:17:24: ISAKMP: life type in seconds
22:17:24: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
22:17:24: ISAKMP (0:1): atts are acceptable. Next payload is 0
22:17:24: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM2 New State = IKE_I_MM2
Policy 10 on this router matched the attributes offered by the other side (the life duration 0x0 0x1 0x51 0x80 is 0x15180 = 86400 seconds)
IKE Main Mode Negotiation: DH Exchange
The third and fourth packets complete the Diffie-Hellman exchange
ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_SA_SETUP
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_SA_SETUP
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP (0:1): processing KE payload. message ID = 0
ISAKMP (0:1): processing NONCE payload. message ID = 0
ISAKMP (0:1): found peer pre-shared key matching 209.165.201.4
ISAKMP (0:1): SKEYID state generated
ISAKMP (0:1): processing vendor id payload
IKE Main Mode Negotiation: Authentication
The fifth and sixth packets complete IKE authentication; the Phase 1 SA is established
ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_KEY_EXCH
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_KEY_EXCH
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP (0:1): processing ID payload. message ID = 0
ISAKMP (0:1): processing HASH payload. message ID = 0
ISAKMP (0:1): SA has been authenticated with 209.165.201.4
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
IKE Quick Mode: IPSec SA Negotiation
Quick Mode exchange begins; the IPSec SA is negotiated in QM
The IPSec SA proposal offered by the far end is checked against the local crypto map configuration
ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 843945273
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP (0:1): received packet from 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): processing HASH payload. message ID = 843945273
ISAKMP (0:1): processing SA payload. message ID = 843945273
IKE Quick Mode: IPSec SA Negotiation
ISAKMP (0:1): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0:1): atts are acceptable.
IPsec(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
IKE Quick Mode: SA Creation
ISAKMP (0:1): Creating IPSec SAs
inbound SA from 209.165.201.4 to 209.165.200.227 (proxy 10.1.2.0 to 10.1.1.0)
has spi 0x8EAB0B22 and conn_id 2000 and flags 2
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 209.165.200.227 to 209.165.201.4 (proxy 10.1.1.0 to 10.1.2.0)
has spi -1910720646 and conn_id 2001 and flags A
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
Two IPSec SAs have been negotiated: an inbound SA with the SPI generated by the local router and an outbound SA with the SPI proposed by the remote end (-1910720646 is 0x8E1CB77A printed as a signed 32-bit value)
IKE Quick Mode: SA Initialization
The IPSec SA information negotiated by IKE is populated into the router's SADB
22:17:25: IPsec(key_engine): got a queue event...
22:17:25: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x4579753B(1165587771), conn_id= 2000, keysize= 0, flags= 0x2
22:17:25: IPsec(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x8E1CB77A(2384246650), conn_id= 2001, keysize= 0, flags= 0xA
IKE Quick Mode: Phase 2 Completion
IPSec SAs created in the SADB; the last packet is sent with the commit bit set; the IPSec tunnel is established
IPsec(create_sa): sa created,
(sa) sa_dest= 209.165.200.227, sa_prot= 50,
sa_spi= 0x4579753B(1165587771),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000
IPsec(create_sa): sa created,
(sa) sa_dest= 209.165.201.4, sa_prot= 50,
sa_spi= 0x8E1CB77A(2384246650),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Show Commands
show crypto engine connection active
show crypto isakmp sa [detail]
show crypto ipsec sa [detail]
Show Commands
Router# show crypto engine connection active
ID   Interface    IP-Address       State  Algorithm           Encrypt  Decrypt
1    Ethernet0/3  209.165.200.227  set    HMAC_SHA+3DES_56_C  0        0
2000 Ethernet0/3  209.165.200.227  set    HMAC_MD5+3DES_56_C  0        19
2001 Ethernet0/3  209.165.200.227  set    HMAC_MD5+3DES_56_C  19       0
ID 1 is the ISAKMP SA; 2000 and 2001 are the two IPSec SAs
Router# show crypto isakmp sa
dst              src              state    conn-id  slot
209.165.201.4    209.165.200.227  QM_IDLE  1        0
Router# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature, renc - RSA encryption
C-id  Local            Remote         I-VRF  Encr  Hash  Auth  DH  Lifetime  Cap.
1     209.165.200.227  209.165.201.4         3des  sha   psk   1   23:59:40
      Connection-id:Engine-id = 1:1(software)
Show Commands
Router# show crypto ipsec sa
interface: Ethernet0/3
Crypto map tag: vpn, local addr. 209.165.200.227
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 209.165.201.4
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 209.165.200.227, remote crypto endpt.: 209.165.201.4
path mtu 1500, media mtu 1500
current outbound spi: 8E1CB77A
Show Commands
inbound esp sas:
spi: 0x4579753B(1165587771)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8E1CB77A(2384246650)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
Show Commands
Router# show crypto ipsec sa detail
...
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 1, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
...
Hardware Crypto Engine
In the latest Cisco IOS versions, the show commands for the different types of hardware crypto cards have been unified
Verify the hardware/software crypto engine: show crypto engine configuration
Hardware info: show diag
Turn the hardware crypto engine on/off: [no] crypto engine accelerator [slot_no.]
Display statistics: show crypto engine accelerator statistic
Debug: debug crypto engine, debug crypto engine accelerator control/packet
Hardware Crypto Engine (Cont.)
show crypto engine configuration
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
Product name: AIM-VPN/EP
show diag
slot : 0
Encryption AIM 0:
Hardware revision : 1.0
Top assy. part number : 800-15369-03
Board revision : B0
crypto engine type: hardware indicates that the hardware crypto engine is on; Product name shows the type of hardware encryption
Hardware Crypto Engine (Cont.)
show crypto engine accelerator statistic
Virtual Private Network (VPN) Module in aim slot : 0
Statistics for Hardware VPN Module since the last clear of counters 31 seconds ago
605 packets in 605 packets out
0 packet overruns 0 output packets dropped
Last 5 minutes:
605 packets in 605 packets out
307 packets decrypted 298 packets encrypted
15708 bytes decrypted 13854 bytes encrypted
19 paks/sec in 19 paks/sec out
17 Kbits/sec decrypted 14 Kbits/sec encrypted
Hardware Crypto Engine (Cont.)
debug crypto engine accelerator
debug crypto engine accelerator control
detail: display the entire command content
error: display errors from control commands
debug crypto engine accelerator packet
detail: display packets going through the crypto accelerator
error: display errors from packets going through the crypto accelerator
number: number of packets to be printed
Verify Crypto Engine
router# show crypto engine configuration
crypto engine name: unknown
crypto engine type: ISA/ISM
CryptIC Version: FF41
CGX Version: 0111
DSP firmware version: 0061
MIPS firmware version: 0003030F
ISA/ISM serial number: B82CA6C09E080DF0E0A1029EF8E7112F3FF5F67B
PCBD info: 3-DES [07F000260000]
Compression: No
3 DES: Yes
Privileged Mode: 0x0000
Maximum buffer length: 4096
Maximum DH index: 1014
Maximum SA index: 2029
Maximum Flow index: 4059
Maximum RSA key size: 0000
crypto engine in slot: 5
platform: predator
crypto_engine
Crypto Adjacency Counts:
Lock Count: 0
Unlock Count: 0
Common Issues
Incompatible ISAKMP policy or pre-shared secrets
Incompatible transform sets
Incompatible or incorrect access lists
Crypto map on the wrong interface
Overlapping ACLs
Routing and filtering issues
Caveats: switching paths
Incompatible ISAKMP Policy or Pre-Shared Secrets
If the configured ISAKMP policies don't match the policy proposed by the remote peer, the router tries the default policy (priority 65535); if that does not match either, ISAKMP negotiation fails
Default protection suite:
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
show crypto isakmp sa then shows the ISAKMP SA in MM_NO_STATE, meaning main mode failed
Incompatible ISAKMP Policy or Pre-Shared Secrets
3d01h: ISAKMP (0:1): processing SA payload. message ID = 0
3d01h: ISAKMP (0:1): found peer pre-shared key matching 209.165.200.227
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0:1): Hash algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0:1): Encryption algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not acceptable!
Incompatible ISAKMP Policy or Pre-Shared Secrets
If the pre-shared secrets are not the same on both sides, the negotiation also fails, with the router complaining that the IKE message failed its sanity check
show crypto isakmp sa shows the ISAKMP SA in MM_NO_STATE, meaning main mode failed
Incompatible ISAKMP Policy or Pre-Shared Secrets
ISAKMP (62): processing SA payload. message ID = 0
ISAKMP (62): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (62): atts are acceptable. Next payload is 0
ISAKMP (62): SA is doing pre-shared key authentication
ISAKMP (62): processing KE payload. message ID = 0
ISAKMP (62): processing NONCE payload. message ID = 0
ISAKMP (62): SKEYID state generated
ISAKMP (62): processing vendor id payload
ISAKMP (62): speaking to another IOS box!
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 209.165.200.227 failed its sanity check or is malformed
With a wrong pre-shared key the phase 1 proposal still matches and SKEYID is still generated; the failure only appears when the peer's encrypted fifth/sixth message is decrypted with the wrong key and the ID payload does not parse
Incompatible IPSec Transform Set
If the ipsec transform-set is incompatible or mismatched on the two IPSec devices, the IPSec negotiation fails, with the router complaining that the attributes of the IPSec proposal are not acceptable
ISAKMP (0:2): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported
ISAKMP (0:2): atts not acceptable. Next payload is 0
ISAKMP (0:2): SA not acceptable!
Here the peer offered ESP 3DES with no authenticator (hmac_alg 0), which no local transform set allows
Phase II parameters that must agree: IPSec mode (tunnel or transport), encryption algorithm, authentication algorithm, PFS group, IPSec SA lifetime, ACL (traffic definition)
Incompatible or Incorrect Access Lists
If the access lists on the two routers don't match, the debug shows proxy identities not supported
It is recommended that the access lists on the two routers be mirror images of each other
It is also highly recommended that the keyword any not be used in match address access lists
Incompatible or Incorrect Access Lists
1w6d: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.201.4, remote= 209.165.200.227,
local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1w6d: IPSEC(validate_transform_proposal): proxy identities not supported
1w6d: ISAKMP (0:2): IPSec policy invalidated proposal
1w6d: ISAKMP (0:2): phase 2 SA not acceptable!
Access list at 209.165.200.227: access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Access list at 209.165.201.4: access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255 (to mirror the first it would have to be 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255)
Crypto Map on the Wrong Interface
The crypto map needs to be applied to the outgoing interface of the router
IPSEC(validate_proposal): invalid local address 209.165.201.4
ISAKMP (0:4): atts not acceptable. Next payload is 0
ISAKMP (0:4): phase 2 SA not acceptable!
If you don't want to use the outside interface's IP as the local ID, use the crypto map local-address command to specify the correct interface
If both physical and logical interfaces carry the outgoing traffic, the crypto map needs to be applied to both; this restriction has been removed in the latest Cisco IOS
Overlapping ACLs
If a router has multiple peers, make sure that the match address access list for each peer is mutually exclusive of the match address access lists for the other peers
If this is not done, the router will choose the wrong crypto map entry and try to establish a tunnel with one of the other peers
Incorrect SA Selection by the Router
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.202.149,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 209.165.202.149 not found
ISAKMP (0:2): IPSec policy invalidated proposal
ISAKMP (0:2): phase 2 SA not acceptable!
Access list for peer 209.165.201.4:
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255
Access list for peer 209.165.202.149:
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Both access lists match 10.1.1.0/24 to 10.1.2.0/24, so the proposal from 209.165.202.149 is matched against the crypto map entry whose peer is 209.165.201.4
Routing Issues
A packet needs to be routed to the interface that has the crypto map configured on it before IPSec kicks in
Routes need to exist for:
the router to reach its peer's address
the IP subnets of the destination hosts, before the packets are encrypted
the IP subnets of the destination hosts, once the packets are decrypted
Use debug ip packet detail to see whether routing is occurring correctly (be careful on busy networks!)
Possible Caveats in Switching Paths
Symptom: only the encryption or only the decryption counter increments in show crypto engine connection active
Caveats in the switching paths might cause IPSec encryption/decryption failures
Workaround: try a different switching path (CEF, fast switching, process switching)
Process switching can cause performance issues!
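An added example, not part of the Cisco session: a small Python triage script that maps the debug signatures from the Common Issues slides above (policy mismatch, sanity-check failure, transform-set mismatch, proxy identities not supported, invalid local address, peer address not found) to the likely cause, extracts the attributes the peer offered in phase 1 so a matching ISAKMP policy can be written, and reads show crypto engine connection active for the one-way symptom of the switching-path slide. The regular expressions, the diagnosis wording and the sample texts are ours, assembled from the messages quoted on the slides.

```python
import re

# Added example, not Cisco's code: classify "debug crypto isakmp" /
# "debug crypto ipsec" output by the failure signatures shown in this
# session, pull out what the peer offered in phase 1, and read
# "show crypto engine connection active" for the one-way-traffic symptom.
# Regexes, diagnosis wording and sample texts are ours (assembled from the
# messages on the slides), not Cisco documentation.

SIGNATURES = [
    # (regex, phase, what it means in practice)
    (r"Hash algorithm offered does not match policy", "phase1",
     "ISAKMP policy hash mismatch"),
    (r"Encryption algorithm offered does not match policy", "phase1",
     "ISAKMP policy encryption mismatch"),
    (r"phase 1 SA not acceptable", "phase1",
     "no ISAKMP policy matched, not even the default priority 65535 policy"),
    (r"failed its sanity check or is malformed", "phase1",
     "pre-shared key mismatch (or a malformed IKE packet)"),
    (r"transform proposal .* not supported", "phase2",
     "IPSec transform-set mismatch"),
    (r"proxy identities not supported", "phase2",
     "crypto ACLs on the two peers are not mirror images"),
    (r"invalid local address", "phase2",
     "crypto map is not on the interface the peer addresses (or set crypto map local-address)"),
    (r"peer address \S+ not found", "phase2",
     "overlapping crypto ACLs: another peer's crypto map entry matched this traffic"),
]

OFFER_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
STATE_RE = re.compile(r"New State = (\S+)")
ENGINE_ROW_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+set\s+\S+\s+(\d+)\s+(\d+)\s*$")


def diagnose(debug_text):
    """Return [(line_number, phase, meaning)] for every known failure line."""
    findings = []
    for n, line in enumerate(debug_text.splitlines(), 1):
        for pattern, phase, meaning in SIGNATURES:
            if re.search(pattern, line):
                findings.append((n, phase, meaning))
    return findings


def offered_phase1_attrs(debug_text):
    """Attributes the peer proposed, as printed while the router walks its
    ISAKMP policies; the first occurrence wins. Use it to write a matching policy."""
    attrs = {}
    for key, value in OFFER_RE.findall(debug_text):
        attrs.setdefault(key.replace("default ", ""), value)
    return attrs


def last_ike_state(debug_text):
    """Last 'New State = ...' seen; MM_NO_STATE after a failure means main mode never completed."""
    states = STATE_RE.findall(debug_text)
    return states[-1] if states else None


def traffic_direction(show_engine_text):
    """Sum Encrypt/Decrypt over all rows of 'show crypto engine connection active'.
    Each IPSec SA is one-way, so a zero in one column of a single row is normal;
    zero in one direction across all rows while the other grows is the
    switching-path symptom (or a routing/filtering problem on the return path)."""
    enc = dec = 0
    for line in show_engine_text.splitlines():
        m = ENGINE_ROW_RE.match(line)
        if m:
            enc += int(m.group(2))
            dec += int(m.group(3))
    if enc and dec:
        return "two-way"
    if enc or dec:
        return "one-way"
    return "idle"


# Constructed samples, assembled from the debug lines shown in this session.
POLICY_MISMATCH = """\
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (0:1): Hash algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP (0:1): Encryption algorithm offered does not match policy!
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not acceptable!
"""
PSK_MISMATCH = """\
ISAKMP (62): SKEYID state generated
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 209.165.200.227 failed its sanity check or is malformed
"""
ACL_MISMATCH = """\
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP (0:2): IPSec policy invalidated proposal
ISAKMP (0:2): phase 2 SA not acceptable!
"""
ONE_WAY = """\
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Ethernet0/3 209.165.200.227 set HMAC_SHA+3DES_56_C 0 0
2000 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 0 19
2001 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 0 0
"""

if __name__ == "__main__":
    for name, text in (("policy", POLICY_MISMATCH), ("psk", PSK_MISMATCH), ("acl", ACL_MISMATCH)):
        print(name, diagnose(text))
    print("peer offered:", offered_phase1_attrs(POLICY_MISMATCH))
    print("engine counters:", traffic_direction(ONE_WAY))
```

The order of findings matters when reading a real capture: the first phase-1 finding explains everything after it, and a phase-2 finding with a clean phase 1 narrows the search to the crypto map, transform set and ACLs.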
Quiz Time
The debug message PROXY IDS NOT SUPPORTED means:
1. Phase 2 hashing is mismatched
2. Access list is mismatched
3. Phase 2 encryption type is mismatched
4. DH group is mismatched
Agenda: PIX IPSec VPNs (next section)
Layout
PIX 1 and PIX 2, each with a private (inside) and a public (outside) interface, build an encrypted tunnel across the Internet between the 10.1.1.0/24 and 10.1.2.0/24 private networks; the outside addresses are 209.165.200.226 and 209.165.202.129. The configuration that follows is taken from the PIX whose outside address is 209.165.202.129 (inside 10.1.1.1/24), peering with 209.165.200.226.
PIX-to-PIX VPN Configuration
access-list bypassnat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list bypassnat
access-list encrypt permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
ip address outside 209.165.202.129 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 209.165.202.158 1
sysopt connection permit-ipsec
Access-list bypassnat defines the interesting traffic that bypasses NAT for the VPN
nat 0 bypasses NAT for the packets destined over the IPSec tunnel
Access-list encrypt defines the VPN interesting traffic
IP addresses on the outside and inside interfaces
sysopt connection permit-ipsec bypasses the conduit or ACL check on the inbound VPN packets after decryption
Standard Site-to-Site VPN Configuration Highlight
crypto ipsec transform-set mysetdes esp-des esp-md5-hmac crypto map encryptmap 20 ipsec-isakmpcrypto map encryptmap 20 match address encryptcrypto map encryptmap 20 set peer 209.165.200.226crypto map encryptmap 20 set transform-set mysetdescrypto map encryptmap interface outsideisakmp enable outsideisakmp key cisco123 address 209.165.200.226netmask 255.255.255.255 no-xauth no-config-mode isakmp policy 10 authentication pre-shareisakmp policy 10 encryption desisakmp policy 10 hash md5isakmp policy 10 group 1isakmp policy 10 lifetime 86400
crypto map.. Commands Define the IPSec SA (Phase II SA) Parameters
crypto IPSec.. Command Defines IPSec Encryption and authen algo
isakmp key.. Command Defines the Pre-Shared Key for the Peer Address
isakmp policy.. Defines the Phase 1 SA Parameters
Common Issues
Bypassing NAT
Enabling ISAKMP
Missing sysopt commands
Combining PIX-PIX and PIX-VPN client issues
Bypassing NAT
NAT needs to be bypassed on the PIX so that the remote side can reach the private network behind the PIX seamlessly
Use the nat 0 command with an access list to achieve that
Enabling ISAKMP
Unlike the router, ISAKMP is not enabled by default on the PIX
Use the command isakmp enable to enable it on an interface
Pix(config)# isakmp enable outside
Missing Sysopt Commands
After decryption, PIX will check the access-lists or conduits against the decrypted IP packets
Access-lists or conduits need to be configured to permit decrypted IP traffic
Enable sysopt connection permit-ipsec to bypass the access-list/conduit checking against VPN traffic after decryption
Combining PIX-PIX and PIX-Client Issues
If you are doing mode config or X-Auth for the VPN clients, you need to disable them for the site-to-site VPN connections
Use the no-config-mode and no-xauth keywords at the end of the pre-shared key definition to disable mode config and X-Auth
Use isakmp peer fqdn fqdn no-xauth no-config-mode (the second fqdn being the peer's name) when rsa-sig is used as the IKE authentication method
Layout (diagram): EasyVPN clients connect across the Internet to a head-end Router (209.165.200.227) with 10.1.1.0/24 (DNS and WINS servers) behind it: a software VPN Client at 172.18.124.96, a Cisco IOS Router at 209.165.201.4 with 14.38.1.0/24 behind it, and a PIX at 209.165.201.2 with 14.38.2.0/24 behind it.
Cisco VPN Clients to a Router
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password 0 cisco123
username pix password 0 cisco123
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.1.1.10
 wins 10.1.1.20
 domain cisco.com
 pool ippool
 acl 100
aaa Commands Enable User Authentication and Group Authorization
ISAKMP Policy Defines Phase 1 Parameters
crypto isakmp client configuration Commands Define the Mode-Configuration Parameters To Be Passed to the VPN Clients
Diagram: VPN Client (172.18.124.96) to Router (209.165.200.227)
Cisco VPN Clients to a Router
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto ipsec Command Defines the IPSec Encryption and Authentication Algorithm
crypto dynamic-map Defines a Dynamic Map, Which Is Included in the Actual Map
crypto map Commands Define the Actual Map, Which Is Applied to the Outbound Interface for the Data Encryption
Diagram: VPN Client (172.18.124.96) to Router (209.165.200.227)
Cisco VPN Clients to a Router
ip local pool ippool 14.1.1.1 14.1.1.254
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.2.0 0.0.0.255
!
interface FastEthernet2/0
 ip address 209.165.200.227 255.255.255.0
 crypto map clientmap
ip local pool Command Defines a Pool of Addresses To Be Assigned to the VPN Client
access-list 100 Defines Split-Tunneling
crypto map Is Then Applied to the Outbound Interface
Diagram: VPN Client (172.18.124.96) to Router (209.165.200.227)
Layout (diagram): EasyVPN clients connect across the Internet to a head-end PIX (209.165.200.226) with 10.1.1.0/24 (DNS and WINS servers) behind it: a software VPN Client at 172.18.124.96, a Cisco IOS Router at 209.165.201.4 with 14.38.1.0/24 behind it, and a PIX at 209.165.201.2 with 14.38.2.0/24 behind it.
Cisco VPN Client to a PIX
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.2.0 255.255.255.0
nat (inside) 0 access-list 101
ip address outside 209.165.200.226 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Define an Access-List That Is Used to Bypass NAT for the IPSec Traffic
Define the IP Addresses on the Interfaces
ISAKMP Policy Defines Phase 1 Parameters
Diagram: VPN Client (172.18.124.96) to PIX (209.165.200.226)
Cisco VPN Client to a PIX
sysopt connection permit-ipsec
ip local pool ippool 10.1.2.1-10.1.2.254
vpngroup vpnclient address-pool ippool
vpngroup vpnclient dns-server 10.1.1.2
vpngroup vpnclient wins-server 10.1.1.2
vpngroup vpnclient default-domain cisco.com
vpngroup vpnclient split-tunnel 101
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
sysopt Command Bypasses Conduits or ACLs
ip local pool Defines a Pool of Addresses To Be Assigned to the VPN Client
vpngroup Commands Enable Group Authorization; You Can Pass Mode-Configuration Parameters Back to the VPN Client Within This Section; Note That Access-List 101 Can Be Used Again for Split-Tunneling
crypto ipsec transform-set Command Defines the Phase 2 Negotiation Parameters
crypto map Commands Define the Actual Map, Which Is Applied to an Interface for the Data Encryption
Diagram: VPN Client (172.18.124.96) to PIX (209.165.200.226)
Software VPN Client Configuration
To launch the VPN client, click: Start | Programs | Cisco Systems VPN Client | VPN Client
Cisco IOS EasyVPN Client
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group vpnclient key cisco123
 mode network-extension
 peer 209.165.200.227
interface Ethernet0
 ip address 14.38.1.1 255.255.255.0
 crypto ipsec client ezvpn ezvpnclient inside
 hold-queue 100 out
interface Ethernet1
 ip address 209.165.201.4 255.255.255.224
 crypto ipsec client ezvpn ezvpnclient
crypto ipsec client Commands Define the Connection Parameters to Establish an EasyVPN Tunnel
crypto ipsec client ... inside Command Defines the Private Subnet for the IPSec Encryption
crypto ipsec client Command Is Then Applied to an Outbound Interface
Diagram: Cisco IOS EZVPN Client (209.165.201.4, 14.38.1.0/24 behind it) to Router (209.165.200.227)
PIX EasyVPN
hostname vpn-pix501b
domain-name cisco.com
vpnclient server 209.165.200.227
vpnclient mode network-extension-mode
vpnclient vpngroup vpnclient password ********
vpnclient username cisco password ********
vpnclient enable
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
ip address outside 209.165.201.2 255.255.255.224
ip address inside 14.38.2.1 255.255.255.0
vpnclient Commands Define the Connection Parameters to Establish an EasyVPN Tunnel
Diagram: PIX EZVPN Client (209.165.201.2, 14.38.2.0/24 behind it) to Router (209.165.200.227)
Cisco IOS Debugs: Phase I Negotiation
debug crypto isakmp
debug crypto ipsec
debug crypto ipsec client ezvpn (on the EZVPN client)
ISAKMP (0:0): received packet from 172.18.124.96 (N) NEW SA
ISAKMP: local port 500, remote port 500
ISAKMP (0:10): Checking ISAKMP transform 1 against priority 3 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:10): atts are acceptable. Next payload is 3
Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
This Message Indicates That This Router Received an ISAKMP Message from the EZVPN Client on src port 500, dst port 500
Router Is Trying to Match the Received Proposal #1 with the Configured Proposal #3
Received Proposal Is Acceptable
Since the VPN Client Uses Aggressive Mode, the New State Is IKE_R_AM_AAA_AWAIT
Cisco IOS Debugs: Xauth
ISAKMP (0:10): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE_V2
ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
...
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_TYPE_V2 unexpected
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Router Is Requesting the VPN Client for User Authentication
Router Is Receiving the x-auth Attributes from the VPN Client
Cisco IOS Debugs: Mode Configuration
ISAKMP (0:10): checking request:
ISAKMP: IP4_ADDRESS
ISAKMP: IP4_NETMASK
ISAKMP: IP4_DNS
ISAKMP: IP4_NBNS
ISAKMP: ADDRESS_EXPIRY
ISAKMP: APPLICATION_VERSION
ISAKMP: UNKNOWN Unknown Attr: 0x7000
ISAKMP: Sending private address: 14.1.1.3
ISAKMP: Unknown Attr: IP4_NETMASK (0x2)
ISAKMP: Sending IP4_DNS server address: 14.36.1.10
ISAKMP: Sending IP4_NBNS server address: 14.36.1.20
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86395
ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork Operating System Software IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(15)T, RELEASE SOFTWARE (fc1)
ISAKMP: Unknown Attr: UNKNOWN (0x7000)
Received Mode-Configuration Request from the VPN Client
Router Is Sending the Mode-Configuration Parameters Back to the VPN Client
Unknown Attr Is Not an Error; It Just Means That the Router Does Not Support This Mode-Config Attribute Requested by the VPN Client
Cisco IOS Debugs: Phase II Negotiation
ISAKMP (0:11): Checking IPSec proposal 4
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:11): atts are acceptable.
ISAKMP (0:11): Creating IPSec SAs
 inbound SA from 172.18.124.96 to 14.36.100.101 (proxy 14.1.1.4 to 14.36.100.101)
 has spi 0x962A493B and conn_id 2000 and flags 4
 lifetime of 2147483 seconds
 outbound SA from 14.36.100.101 to 172.18.124.96 (proxy 14.36.100.101 to 14.1.1.4)
 has spi -2145675534 and conn_id 2001 and flags C
 lifetime of 2147483 seconds
Router Is Checking and Validating the IPSec Proposals
After Validating Phase II, the IPSec SAs Are Created: One SA for Inbound Traffic and the Other for Outbound Traffic
Common Issues
VPN clients only propose DH group 2 and 5; configure DH group 2 or 5 on Cisco IOS or PIX
Configure isakmp identity hostname if rsa-sig is used as the IKE authentication method
aaa authorization needs to be enabled on the router so that the router can accept/send mode-configuration attributes
On the Cisco IOS EasyVPN client, for X-Auth you have to manually type crypto ipsec client ezvpn xauth; however, this restriction has been lifted in the latest version of code
Quiz Time
The Purpose of sysopt connection permit-ipsec Is:
1. To bypass conduit or ACL checking against the decrypted VPN traffic
2. To bypass NAT for the IPSec traffic
3. To bypass the assignment of an IP address to the VPN client
4. To bypass X-Auth for the VPN clients
Common Problems
Bypassing NAT entries
NAT in the middle of an IPSec tunnel
Bypassing NAT Entries
Bypassing dynamic NAT entries:
ip nat inside source route-map nonat interface Ethernet1/0 overload
access-list 150 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 150 permit ip 10.1.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
Static NAT entries can be bypassed using a loopback interface and policy routing for Cisco IOS images prior to 12.2.4T; starting from 12.2.4T a route-map can be used with static NAT to bypass NAT
Tools to debug this setup are: show ip nat translation, debug ip nat, debug ip policy
Bypassing Static NAT Entries (loopback and policy routing)
crypto map vpn 10 ipsec-isakmp
 set peer 209.165.201.4
 set transform-set myset
 match address 101
interface Loopback1
 ip address 10.2.2.2 255.255.255.252
interface Ethernet0/3
 ip address 209.165.200.227 255.255.255.0
 ip nat outside
 crypto map vpn
interface Ethernet0/2
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
 ip policy route-map nonat
ip nat inside source list 1 interface Ethernet0/3 overload
ip nat inside source static 10.1.1.1 209.165.200.230
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
route-map nonat permit 10
 match ip address 120
 set ip next-hop 10.2.2.1
Diagram: e0/2 is nat inside, e0/3 is nat outside with the crypto map applied, lo1 is the loopback used as the policy-routing next hop
Be careful: packets get PROCESS SWITCHED
Bypassing Static NAT Entries (route-map with static NAT, 12.2.4T and later)
crypto map vpn 10 ipsec-isakmp
 set peer 209.165.201.4
 set transform-set myset
 match address 101
interface Ethernet0/3
 ip address 209.165.200.227 255.255.255.0
 ip nat outside
 crypto map vpn
interface Ethernet0/2
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Ethernet0/3 overload
ip nat inside source static 10.1.1.1 209.165.200.230 route-map nonat
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
Diagram: e0/2 is nat inside, e0/3 is nat outside with the crypto map applied
NAT in the Middle of an IPSec Tunnel
In many cases, VPN clients are behind NAT/PAT devices
IPSec over NAT (NAT-T) support was first introduced in 12.2.15T for routers and version 6.3 for PIX
The IPSec pass-thru feature is supported on certain NAT/PAT devices; the ISAKMP cookie and ESP SPI are used to build the translation table
NAT-T is turned on by default on Cisco IOS
Use isakmp nat-traversal to turn on NAT-T on the PIX
Turn on the IPSec over UDP or IPSec over TCP feature in the case of the VPN 3000 Concentrator
Firewall in the Middle
A firewall between the IPSec peers must permit:
ESP (IP protocol 50) and/or AH (IP protocol 51)
UDP port 500 (ISAKMP), and/or UDP port 4500 (NAT-T)
Diagram: private networks on either side, routers as the IPSec endpoints, encrypted traffic across the public Internet with a firewall in the path
Firewalling and IPSec (Current Behavior)
Firewall on the IPSec endpoint router must permit:
ESP and/or AH
UDP port 500 (IKE) and 4500 (NAT-T)
Decrypted packet IP addresses (the incoming access group is applied twice)
Firewall on the IPSec endpoint PIX:
sysopt connection permit-ipsec (no conduit or access-list is needed)
Use of conduits or access-lists (no sysopt connection permit-ipsec is needed; gives you more security for the decrypted packets)
IPSec and Packet Filtering (New Behavior)
Functionality first introduced in 12.3(8)T
No need to permit clear-text traffic through the interface access-list
New set ip access-group command under the crypto map, if clear-text packet filtering is required
ESP and/or AH packets have to be allowed if outbound ACLs are being used; this was not required in the pre-12.3(8)T code
IPSec and Packet Filtering (New Behavior) (Cont.)
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set trans1
 match address 101
 set ip access-group 171 in
 set ip access-group 181 out
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 150 in
 ip access-group 160 out
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 150 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500
access-list 150 permit esp host 192.168.2.1 host 192.168.1.1
access-list 160 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500
access-list 160 permit esp host 192.168.1.1 host 192.168.2.1
access-list 171 permit tcp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq telnet
access-list 181 permit tcp 10.1.1.0 0.0.0.255 eq telnet 10.1.2.0 0.0.0.255
set ip access-group Commands Are Optional; They Are Used for Clear-Text Packet Filtering
Optional: Access Lists 171 and 181 Permit Telnet Access
IPSec MTU Issues
Overhead introduced by IPSec encapsulation (~60 bytes)
Possible fragmentation after encryption leads to reassembly on the VPN peer router (process-switched, performance degradation)
IPSec and Path MTU Discovery (PMTU):
IPSec copies the Don't Fragment (DF) bit from the original data packet's IP header
IPSec dynamically updates the path MTU in the SADB if the router receives a PMTU ICMP message
The MTU hint in the PMTU ICMP message is physical MTU - ipsec_overhead (calculated based on the transform-set)
IPSec and PMTU
Diagram: host 10.1.1.2 behind a router (e1/1 inside, e1/0 outside at 172.16.172.20/28), an IPSec tunnel across the Internet to the peer router (172.16.172.10/28), and host 10.1.2.2 behind it; media MTU 1500 everywhere except one 1400-byte hop in the path.
Host sends 1500 bytes with DF=1; the router replies with ICMP Type 3 Code 4 and an MTU hint of 1454 (1500 minus the IPSec overhead)
Host sends 1454 bytes with DF=1; encrypted to 1500 bytes, DF bit copied
The 1400-byte hop returns ICMP (1400) for the IPSec packet (the ICMP message quotes the IPSec header, including the SPI); the router adjusts the path MTU on the corresponding IPSec SA and sends the host ICMP Type 3 Code 4 with an MTU hint of 1354
Host sends 1354 bytes with DF=1; encrypted to 1400 bytes
ICMP: dst (172.16.172.20) frag. needed and DF set unreachable rcv from 172.16.172.11
path mtu 1400, media mtu 1500
current outbound spi: EB84DC85
ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to 10.1.1.2 (debug ip icmp output)
Common Problem
PMTU ICMP packets lost or blocked:
debug ip icmp on the router to verify whether ICMP packets are sent or received
Use a sniffer to verify whether ICMP packets are lost
Workarounds:
Reduce the MTU or disable PMTU on the end host
Adjust the TCP MSS on the router to fine-tune TCP windows
Configure the router to clear the DF bit of data packets
Look-ahead fragmentation
MTU Issues Work Around: Adjusting TCP MSS
Adjust the TCP MSS (maximum segment size) under the ingress interface:
ip tcp adjust-mss
The router inspects incoming TCP SYN packets and rewrites the TCP MSS option to the configured value
The remote host will use the adjusted MSS value correspondingly
Choose the MSS to avoid fragmentation
MTU Issues Work Around: Policy Routing
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.172.10
 set transform-set myset
 match address 101
interface Ethernet1/0
 ip address 172.16.172.20 255.255.255.240
 crypto map vpn
interface Ethernet1/1
 ip address 10.1.2.1 255.255.255.0
 ip policy route-map ClearDF
route-map ClearDF permit 10
 match ip address 101
 set ip df 0
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Use policy routing to set the DF bit of the interesting traffic to 0
MTU Issues Work Around: DF Bit Override Feature
The DF bit override feature with IPSec allows the router to set, copy, or clear the DF bit in the IPSec encapsulating header
Router(config)# crypto ipsec df-bit clear
First introduced in 12.2(2)T
Only works for IPSec tunnel mode
With the df-bit clear option, large packets will be fragmented after encryption
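The PMTU exchange on the slides above (1500 to 1454, then 1400 to 1354) and the copy/clear choice of the DF bit override feature, as an added example that is not Cisco's or the slides' code: a small Python model of the per-SA path MTU. The 46-byte ipsec_overhead is assumed from the slide's ICMP hints (1500 - 1454), and the fragment count for the DF=0 case uses the path MTU as the fragment size (also an assumption).

```python
"""Model of the IPsec path-MTU handling the slides describe.

Added example, not Cisco code.  Assumptions: media MTU 1500, one 1400-byte
hop in the path, and an ipsec_overhead of 46 bytes, which is the figure the
slide's ICMP hints imply (1500 -> 1454, 1400 -> 1354).  The df_policy values
mirror the copy/clear/set choices of 'crypto ipsec df-bit'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR_LEN = 20
TCP_HDR_LEN = 20


@dataclass
class IPsecSA:
    """The per-SA state the slides call the SADB entry: media and path MTU."""
    peer: str
    media_mtu: int
    ipsec_overhead: int             # depends on the transform set; 46 is assumed
    path_mtu: Optional[int] = None  # learned from PMTU ICMP; starts at media MTU

    def __post_init__(self) -> None:
        if self.path_mtu is None:
            self.path_mtu = self.media_mtu

    def max_cleartext(self) -> int:
        """Largest cleartext packet whose ESP packet still fits the path MTU.
        This is the MTU hint the router puts in ICMP type 3 code 4."""
        return self.path_mtu - self.ipsec_overhead

    def recommended_tcp_mss(self) -> int:
        """Value for 'ip tcp adjust-mss' that keeps TCP segments inside max_cleartext()."""
        return self.max_cleartext() - IP_HDR_LEN - TCP_HDR_LEN

    def on_icmp_frag_needed(self, next_hop_mtu: int) -> bool:
        """ICMP type 3 code 4 arrives from a hop in the path for one of our ESP
        packets: lower the path MTU stored on the SA ('Adjust path MTU')."""
        if next_hop_mtu < self.path_mtu:
            self.path_mtu = next_hop_mtu
            return True
        return False

    def encapsulate(self, cleartext_len: int, df: int,
                    df_policy: str = "copy") -> Tuple[str, int]:
        """Decide the fate of one cleartext packet.

        Returns ("forward", esp_len), ("icmp", mtu_hint) when the source host
        must shrink its packet, or ("fragment", n) when the ESP packet is cut
        into n fragments after encryption.
        """
        # DF bit written into the ESP packet's outer IP header.  With "set" the
        # packet is treated as unfragmentable whatever the host sent (assumption).
        outer_df = {"copy": df, "clear": 0, "set": 1}[df_policy]
        esp_len = cleartext_len + self.ipsec_overhead
        if esp_len <= self.path_mtu:
            return ("forward", esp_len)
        if outer_df == 1:
            # Cannot fragment: tell the source the largest cleartext size that fits.
            return ("icmp", self.max_cleartext())
        # DF cleared (df-bit clear): fragment after encryption against the path
        # MTU (assumption); the peer must reassemble, which is process switched.
        per_fragment = (self.path_mtu - IP_HDR_LEN) // 8 * 8
        payload = esp_len - IP_HDR_LEN
        return ("fragment", -(-payload // per_fragment))


def slide_walkthrough() -> List[Tuple[str, int]]:
    """Replay the slide: host sends 1500 bytes DF=1, a hop in the path has MTU 1400."""
    sa = IPsecSA(peer="172.16.172.10", media_mtu=1500, ipsec_overhead=46)
    events = [
        sa.encapsulate(1500, df=1),   # ("icmp", 1454): 1500 - 46
        sa.encapsulate(1454, df=1),   # ("forward", 1500): fits the media MTU
    ]
    sa.on_icmp_frag_needed(1400)      # ICMP (1400) received from the path
    events += [
        sa.encapsulate(1454, df=1),   # ("icmp", 1354): 1400 - 46
        sa.encapsulate(1354, df=1),   # ("forward", 1400)
        ("path_mtu", sa.path_mtu),    # show crypto ipsec sa: path mtu 1400
    ]
    return events


if __name__ == "__main__":
    for event in slide_walkthrough():
        print(event)
```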
MTU Issues Work Around: Look-Ahead Fragmentation
Fragment large packets before IPSec encryption to avoid performance issues
Works for IPSec tunnel mode only
Depends on the crypto ipsec df-bit configuration
First introduced in 12.1(11)E; the feature was integrated in 12.2(13)T and 12.2(14)S
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encryption
Quiz Time
The Purpose of crypto ipsec df-bit clear Is:
1. To adjust the TCP MSS value in the SYN packets
2. To help the router in doing Path MTU Discovery
3. To drop the IPSec packets if the don't fragment bit is set
4. To remove the don't fragment bit
GRE over IPSec
Diagram: packet layouts across the Internet:
a. Original Packet: IP Hdr 1 | TCP hdr | Data
b. GRE Encapsulation: IP Hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
c. GRE over IPSec Transport Mode: IP Hdr 2 | ESP hdr | GRE hdr | IP Hdr 1 | TCP hdr | Data
d. GRE over IPSec Tunnel Mode: IP Hdr 3 | ESP hdr | IP Hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
GRE over IPSec (Common Configuration Issues)
Apply the crypto map on both the tunnel interface and the physical interface; however, this restriction has been taken off in the latest Cisco IOS
Specify GRE traffic as the IPSec interesting traffic:
access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted
GRE over IPSec (Avoid Recursive Routing)
To Avoid GRE Tunnel Interface Flapping Due to Recursive Routing, Keep Transport and Passenger Routing Information Separate:
Use different routing protocols or separate routing protocol identifiers
Keep the tunnel IP address and the actual IP network address ranges distinct
For the tunnel interface IP address, don't use unnumbered to a loopback interface when the loopback's IP address resides in the ISP address space
GRE over IPSec (MTU Issues)
Overhead calculation of GRE over IPSec (assume ESP-DES and ESP-MD5-HMAC):
ESP overhead (with authentication): 31-38 bytes
GRE header: 24 bytes
IP header: 20 bytes
GRE over IPSec with tunnel mode introduces ~75 bytes overhead; GRE over IPSec with transport mode introduces ~55 bytes overhead
GRE over IPSec (MTU Issues)
After GRE tunnel encapsulation, the packets are sent to the physical interface with the DF bit set to 0
The GRE packets are then encrypted at the physical interface; if the IPSec overhead makes the final IPSec packets bigger than the interface MTU, the router fragments them
The remote router has to reassemble the fragmented IPSec packets (process switched), which causes performance degradation
GRE over IPSec (MTU Issues)
To avoid fragmentation and reassembly of IPSec packets:
1. Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface
2. Enable tunnel path-mtu-discovery (DF bit copied after GRE encapsulation) under the tunnel interface
3. Turn on the Look-Ahead Fragmentation feature
Use show int switching to verify the switching path
GRE over IPSec (MTU Issues)
Workaround in case PMTU ICMP packets are lost or blocked:
int tunnel 0
 ip mtu 1500
Incoming large packets with DF=1 are not dropped by the GRE tunnel because of the larger MTU setting
The IPSec packets after GRE encapsulation (DF=0) are fragmented before they leave the router
Performance is affected by the reassembly of the packets
DMVPN Configuration
Hub Router:
interface Tunnel0
 ip address 192.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 90
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 360
 no ip split-horizon eigrp 90
 tunnel source 192.168.1.1
 tunnel mode gre multipoint
 tunnel key 652560
 tunnel protection ipsec profile cisco
Spoke Router:
interface Tunnel0
 ip address 192.1.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 90
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map 192.1.1.1 192.168.1.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 360
 ip nhrp nhs 192.1.1.1
 no ip split-horizon eigrp 90
 tunnel source 192.168.1.2
 tunnel mode gre multipoint
 tunnel key 652560
 tunnel protection ipsec profile cisco
Callouts: Addresses (ip address lines), NHRP (ip nhrp lines), mGRE Tunnel (tunnel lines)
DMVPN Troubleshooting
Crypto debugs:
debug crypto isakmp
debug crypto ipsec
debug crypto socket
debug tunnel protection
NHRP debugs:
debug nhrp
debug nhrp packet
debug nhrp cache
Registration Process:
NHRP: Encapsulation succeeded. Tunnel IP addr 192.168.1.1
NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 84
 src: 192.1.1.2, dst: 192.1.1.1
NHRP: 84 bytes out Tunnel0
...
NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 104
...
Resolution Process:
NHRP: Sending packet to NHS 192.1.1.1 on Tunnel0
NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
 src: 192.1.1.2, dst: 192.1.1.1
NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 84
NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 112
Loss of Connectivity of IPSec Peers
Diagram: each peer holds an IPSec SA (SPI, Peer, Local_id, Remote_id, Transform) for the other across the Internet; one peer keeps sending ESP with SPI=0xB1D1EA3F, the receiving peer has no SA for that SPI and logs:
00:01:33: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)
Loss of Connectivity of IPSec Peers
Use ISAKMP keepalives to detect loss of connectivity of Cisco IOS IPSec peers:
crypto isakmp keepalive
ISAKMP keepalives might cause performance degradation for large deployments; choose the keepalive parameters carefully
In the latest Cisco IOS and PIX versions, ISAKMP keepalives are replaced by DPD (Dead Peer Detection) for lower CPU overhead
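The %CRYPTO-4-RECVD_PKT_INV_SPI message on the previous slide is what the surviving peer logs while the stale SA is still in use; as an added example (not Cisco's or the slides' code), a Python parser that groups such messages per destination, protocol and SPI and flags a repeating triple, the condition keepalives or DPD are meant to detect. The log lines in SAMPLE_LOG are constructed, the first of them being the slide's own message.

```python
"""Parser for the %CRYPTO-4-RECVD_PKT_INV_SPI messages shown on the slide.

Added example, not Cisco code.  SAMPLE_LOG is constructed: its first line is
the slide's own message, the rest were made up to exercise the grouping.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

INV_SPI_RE = re.compile(
    r"(?P<ts>\S+): %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has "
    r"invalid spi for destaddr=(?P<dst>\d+\.\d+\.\d+\.\d+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>-?\d+)\)"
)

SAMPLE_LOG: List[str] = [  # constructed sample; line 1 is the slide's message
    "00:01:33: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)",
    "00:01:34: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)",
    "00:01:35: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)",
    "00:01:36: %SYS-5-CONFIG_I: Configured from console by console",
    "00:02:10: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0x12345678(305419896)",
]


def to_unsigned32(value: int) -> int:
    """IOS prints an SPI as hex and as a signed 32-bit decimal (the Phase II
    debug on an earlier slide shows 'has spi -2145675534'); recover the
    unsigned SPI from the signed rendering."""
    return value & 0xFFFFFFFF


def parse_inv_spi(line: str) -> Optional[Dict[str, object]]:
    """Extract timestamp, destination, IP protocol and SPI; None for other lines."""
    m = INV_SPI_RE.search(line)
    if m is None:
        return None
    spi = int(m.group("spi_hex"), 16)
    return {
        "ts": m.group("ts"),
        "dst": m.group("dst"),
        "prot": int(m.group("prot")),          # 50 = ESP, 51 = AH
        "spi": spi,
        # both renderings of the SPI in the message must agree
        "consistent": spi == to_unsigned32(int(m.group("spi_dec"))),
    }


def stale_sa_report(lines: List[str],
                    threshold: int = 3) -> Dict[Tuple[str, int, int], int]:
    """Count invalid-SPI messages per (destaddr, protocol, SPI) and keep the
    combinations seen at least `threshold` times.  A repeating triple means a
    peer keeps sending on an SA this router no longer holds: the condition
    ISAKMP keepalives or DPD are meant to detect and clear."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_inv_spi(line)
        if rec is not None:
            counts[(rec["dst"], rec["prot"], rec["spi"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (dst, prot, spi), n in stale_sa_report(SAMPLE_LOG).items():
        print(f"{n} invalid-SPI packets for {dst} proto {prot} spi 0x{spi:08X}")
```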
Complete Your Online Session Evaluation!
WHAT: Complete an online session evaluation and your name will be entered into a daily drawing
WHY: Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located throughout the Convention Center
HOW: Winners will be posted on the onsite Networkers Website; four winners per day