Sunday, October 25, 2015

Configuring IPSEC VPN w/ Crypto Maps

In this blogtorial, we will set up a simple preshared key IPSEC VPN tunnel between two routers. We will also use the same topology for my next blogtorial 'Troubleshooting IPSEC VPN'. Lot's of debug and output posted with comments, see below. "Complexity is the enemy of security" therefore we will keep this a simple topology and get started.



On R1 let's get the loopback and the interfaces configured.

R1#  
 interface Loopback0  
  ip address 1.1.1.1 255.255.255.255  

 interface GigabitEthernet1.12  
  encapsulation dot1Q 12  
  ip address 12.12.12.1 255.255.255.0  
  crypto map ipsec_map  
 end  

 interface GigabitEthernet1.21  
  encapsulation dot1Q 21  
  ip address 21.21.21.1 255.255.255.0  
  delay 100000  
  crypto map ipsec_map  
 end  

 router eigrp 1  
  network 1.1.1.1 0.0.0.0  
  network 12.12.12.0 0.0.0.255  
  network 21.21.21.0 0.0.0.255  
  network 65.65.65.0 0.0.0.255  

On R1, let's get the crypto maps configured.

R1#  
 crypto isakmp policy 10  
!!--> Lower priority is higher priority. You could have more than one policy. 
  encr aes 192  
!!--> Type of encryption to use and in this case I am using aes 192 bits
  hash md5  
!!--> Type of hash 
  authentication pre-share  
!!--> Configure the authentication method
  group 2  
!!--> Pick the diffie-hellman group. Higher group number is better. 
 crypto isakmp key cisco1234 address 2.2.2.2  
 crypto ipsec transform-set t1 esp-aes 192 esp-md5-hmac   
  mode tunnel  
 crypto map ipsec_map local-address Loopback0  
 crypto map ipsec_map 10 ipsec-isakmp   
  set peer 2.2.2.2  
  set transform-set t1   
  match address ipsec_vpn  

On R2 let's get the interfaces and basic Layer 3 configured.

R2#  
 interface loopback0 
  ip address 2.2.2.2 255.255.255.255

 interface GigabitEthernet1.12  
  encapsulation dot1Q 12  
  ip address 12.12.12.2 255.255.255.0  
  crypto map ipsec_map  
 end  

 interface GigabitEthernet1.21  
  encapsulation dot1Q 21  
  ip address 21.21.21.2 255.255.255.0  
  delay 100000  
  crypto map ipsec_map  
 end  

 router eigrp 1  
  network 2.2.2.2 0.0.0.0  
  network 12.12.12.0 0.0.0.255  
  network 21.21.21.0 0.0.0.255  
  network 55.55.55.0 0.0.0.255  

On R2, let's get the crypto maps configured.

R2#  
 crypto isakmp policy 10  
  encr aes 192  
  hash md5  
  authentication pre-share  
  group 2  
 crypto isakmp key cisco1234 address 1.1.1.1  
 crypto ipsec transform-set t1 esp-aes 192 esp-md5-hmac   
  mode tunnel  
 crypto map ipsec_map local-address Loopback0  
 crypto map ipsec_map 10 ipsec-isakmp   
  set peer 1.1.1.1  
  set transform-set t1   
  match address ipsec_vpn  

Now let's create "interesting" traffic to trigger the IPSEC ACL to match so it can initiate the IPSEC negotiations. 

 R1# ping 55.55.55.1 source int gig1.65   
 Sending 5, 100-byte ICMP Echos to 55.55.55.1, timeout is 2 seconds:  
 Packet sent with a source address of 65.65.65.1   
 .!!!!  
 Success rate is 80 percent (4/5), round-trip min/avg/max = 3/3/4 ms  

The 1st packet missed because the IPSEC negotiation is in progress. If all goes well you should be able to do "show crypto isakmp sa" and see QM_IDLE.

 R1#show crypto isakmp sa  
 IPv4 Crypto ISAKMP SA  
   dst        src         state       conn-id    status  
 2.2.2.2     1.1.1.1     QM_IDLE       1019      ACTIVE  

Let's do some 'show' commands to verify the connection.
 R1#show crypto ipsec sa   
 interface: GigabitEthernet1.12  
   Crypto map tag: ipsec_map, local addr 1.1.1.1  
   protected vrf: (none)  
   local ident (addr/mask/prot/port): (65.65.65.0/255.255.255.0/0/0)  
   remote ident (addr/mask/prot/port): (55.55.55.0/255.255.255.0/0/0)  
   current_peer 2.2.2.2 port 500  
    PERMIT, flags={origin_is_acl,}  

!!--> Make sure the packets are being encapsulated and decapsulated

   #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4  
   #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4  

   #pkts compressed: 0, #pkts decompressed: 0  
   #pkts not compressed: 0, #pkts compr. failed: 0  
   #pkts not decompressed: 0, #pkts decompress failed: 0  
   #send errors 0, #recv errors 0  
    local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2  
    plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.12  
    current outbound spi: 0x1A69F602(443151874)  
    PFS (Y/N): N, DH group: none  
    inbound esp sas:  
    spi: 0xF96545D6(4184163798)  
     transform: esp-192-aes esp-md5-hmac ,  
     in use settings ={Tunnel, }  
     conn id: 2711, flow_id: CSR:711, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map  
     sa timing: remaining key lifetime (k/sec): (4607999/3303)  
     IV size: 16 bytes  
     replay detection support: Y  
     Status: ACTIVE(ACTIVE)  
    inbound ah sas:  
    inbound pcp sas:  
    outbound esp sas:  
    spi: 0x1A69F602(443151874)  
     transform: esp-192-aes esp-md5-hmac ,  
     in use settings ={Tunnel, }  
     conn id: 2712, flow_id: CSR:712, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map  
     sa timing: remaining key lifetime (k/sec): (4607999/3303)  
     IV size: 16 bytes  
     replay detection support: Y  
     Status: ACTIVE(ACTIVE)  
    outbound ah sas:  
    outbound pcp sas:  
 interface: GigabitEthernet1.21  
   Crypto map tag: ipsec_map, local addr 1.1.1.1  
   protected vrf: (none)  
   local ident (addr/mask/prot/port): (65.65.65.0/255.255.255.0/0/0)  
   remote ident (addr/mask/prot/port): (55.55.55.0/255.255.255.0/0/0)  
   current_peer 2.2.2.2 port 500  
    PERMIT, flags={origin_is_acl,}  
   #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4  
   #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4  
   #pkts compressed: 0, #pkts decompressed: 0  
   #pkts not compressed: 0, #pkts compr. failed: 0  
   #pkts not decompressed: 0, #pkts decompress failed: 0  
   #send errors 0, #recv errors 0  
    local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2  
    plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.12  
    current outbound spi: 0x1A69F602(443151874)  
    PFS (Y/N): N, DH group: none  
    inbound esp sas:  
    spi: 0xF96545D6(4184163798)  
     transform: esp-192-aes esp-md5-hmac ,  
     in use settings ={Tunnel, }  
     conn id: 2711, flow_id: CSR:711, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map  
     sa timing: remaining key lifetime (k/sec): (4607999/3303)  
     IV size: 16 bytes  
     replay detection support: Y  
     Status: ACTIVE(ACTIVE)  
    inbound ah sas:  
    inbound pcp sas:  
    outbound esp sas:  
    spi: 0x1A69F602(443151874)  
     transform: esp-192-aes esp-md5-hmac ,  
     in use settings ={Tunnel, }  
     conn id: 2712, flow_id: CSR:712, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map  
     sa timing: remaining key lifetime (k/sec): (4607999/3303)  
     IV size: 16 bytes  
     replay detection support: Y  
     Status: ACTIVE(ACTIVE)  
    outbound ah sas:  
    outbound pcp sas:  

As the connection was being built, I enabled debugs on R1 using "debug crypto isakmp" and "debug crypto ipsec" and the output is below. I've highlighted the things you should be looking for. 

 IPSEC(sa_request):   

 !!--> Make sure the peer IPs match the 'crypto isakmp key address'   
  (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,    

 !!--> Make sure the ACL is correct and that it is a mirror image on both routers   
 local_proxy= 65.65.65.0/255.255.255.0/256/0, remote_proxy= 55.55.55.0/255.255.255.0/256/0,   

 !!--> Make sure the transform set has the correct AH and ESP parameters   
   protocol= ESP, transform= esp-aes 192 esp-md5-hmac (Tunnel),   

 !!--> life is negotiated   
   lifedur= 3600s and 4608000kb,   
   spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0  
 ISAKMP:(0): SA request profile is (NULL)  
 ISAKMP: Created a peer struct for 2.2.2.2, peer port 500   

 !!--> This just means that we hit the right ACL and are now starting the IPSEC negotiations   
 ISAKMP: New peer created peer = 0x7F1FEB13C050 peer_handle = 0x80000009   
 ISAKMP: Locking peer struct 0x7F1FEB13C050, refcount 1 for isakmp_initiator  
 ISAKMP: local port 500, remote port 500  
 ISAKMP: set new node 0 to QM_IDLE     
 ISAKMP:(0):insert sa successfully sa = 7F1FEB13B348  
 ISAKMP:(0):Can not start Aggressive mode, trying Main mode.  
 ISAKMP:(0):found peer pre-shared key matching 2.2.2.2  
 ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID  
 ISAKMP:(0): constructed NAT-T vendor-07 ID  
 ISAKMP:(0): constructed NAT-T vendor-03 ID  
 ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM  

 !!-->IKE is ready for Main Mode   
 ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1   
 ISAKMP:(0): beginning Main Mode exchange  
 ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE  
 ISAKMP:(0):Sending an IKE IPv4 Packet.  
 ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE  
 ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH  
 ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2   
 ISAKMP:(0): processing   
 SA payload. message ID = 0  
 ISAKMP:(0): processing vendor id payload  
 ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch  
 ISAKMP (0): vendor ID is NAT-T RFC 3947  
 ISAKMP:(0):found peer pre-shared key matching 2.2.2.2  
 ISAKMP:(0): local preshared key found  
 ISAKMP : Scanning profiles for xauth ...  
 ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy  
 ISAKMP:   encryption AES-CBC  
 ISAKMP:   keylength of 192  
 ISAKMP:   hash MD5  
 ISAKMP:   default group 2  
 ISAKMP:   auth pre-share  
 ISAKMP:   life type in seconds  
 ISAKMP:   life duration (VPI) of 0x0 0x1 0x51 0x80   

 !!--> This is what you need to look for for Phase 1 to be successful  
 ISAKMP:(0):atts are acceptable. Next payload is 0   
 ISAKMP:(0):Acceptable atts:actual life: 0   
 ISAKMP:(0):Acceptable atts:life: 0  

 ISAKMP:(0):Fill atts in sa vpi_length:4  
 ISAKMP:(0):Fill atts in sa life_in_seconds:86400  
 ISAKMP:(0):Returning Actual lifetime: 86400  
 ISAKMP:(0)::Started lifetime timer: 86400.  
 ISAKMP:(0): processing vendor id payload  
 ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch  
 ISAKMP (0): vendor ID is NAT-T RFC 3947  
 ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE  
 ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2   
 ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_SA_SETUP  
 ISAKMP:(0):Sending an IKE IPv4 Packet.  
 ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE  
 ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3   
 ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_SA_SETUP  
 ISAKMP:(0):Input IKE_MESG_FROM_PEER, IKE_MM_EXCH  
 ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4   
 ISAKMP:(0): processing KE payload. message ID = 0  
 ISAKMP:(0): processing NONCE payload. message ID = 0  
 ISAKMP:(0):found peer pre-shared key matching 2.2.2.2  
 ISAKMP:(1019): processing vendor id payload  
 ISAKMP:(1019): vendor ID is Unity  
 ISAKMP:(1019): processing vendor id payload  
 ISAKMP:(1019): vendor ID is DPD  
 ISAKMP:(1019): processing vendor id payload  
 ISAKMP:(1019): speaking to another IOS box!  
 ISAKMP (1019): His hash no match - this node outside NAT  
 ISAKMP:received payload type 20  
 ISAKMP (1019): No NAT Found for self or peer  
 ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE  
 ISAKMP:(1019):Old State = IKE_I_MM4 New State = IKE_I_MM4   
 ISAKMP:(1019):Send initial contact  
 ISAKMP:(1019):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR  
 ISAKMP (1019): ID payload   
     next-payload : 8  
     type     : 1   
     address  : 1.1.1.1   
     protocol : 17   
     port     : 500   
     length    : 12  
 ISAKMP:(1019):Total payload length: 12  
 ISAKMP:(1019): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH  
 ISAKMP:(1019):Sending an IKE IPv4 Packet.  

 !!-->This is also good because now it can move to actual Key Exchange  
 ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE ISAKMP:(1019):Old State = IKE_I_MM4 New State = IKE_I_MM5   
 ISAKMP (1019): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH  
 ISAKMP:(1019): processing ID payload. message ID = 0  
 ISAKMP (1019): ID payload   
     next-payload : 8  
     type     : 1   
     address   : 2.2.2.2   
     protocol   : 17   
     port     : 500   
     length    : 12  
 ISAKMP:(0):: peer matches *none* of the profiles  
 ISAKMP:(1019): processing HASH payload. message ID = 0  

 !!--> This means we have the correct key on both sides  
 ISAKMP:(1019):SA authentication status: authenticated   
 ISAKMP:(1019):SA has been authenticated with 2.2.2.2  
 ISAKMP: Trying to insert a peer 1.1.1.1/2.2.2.2/500/, and inserted successfully 7F1FEB13C050.  
 ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH  
 ISAKMP:(1019):Old State = IKE_I_MM5 New State = IKE_I_MM6   
 ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE  
 ISAKMP:(1019):Old State = IKE_I_MM6 New State = IKE_I_MM6   
 ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE  
 ISAKMP:(1019):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE   
 ISAKMP:(1019):beginning Quick Mode exchange, M-ID of 960097831  
 ISAKMP:(1019):QM Initiator gets spi  
 ISAKMP:(1019): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE     
 ISAKMP:(1019):Sending an IKE IPv4 Packet.  
 ISAKMP:(1019):Node 960097831, Input = IKE_MESG_INTERNAL, IKE_INIT_QM  
 ISAKMP:(1019):Old State = IKE_QM_READY New State = IKE_QM_I_QM1  
 ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE  
 ISAKMP:(1019):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE   
 ISAKMP (1019): received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE     
 ISAKMP:(1019): processing HASH payload. message ID = 960097831  
 ISAKMP:(1019): processing SA payload. message ID = 9  
 VDSL daemon error condition debugging is off  
 VDSL daemon state machine debugging is off  
 VDSL daemon information debugging is off  
 VDSL ipc error condition debugging is off  
 VDSL ipc tx debugging is off  
 VDSL ipc rx debugging is off  
 VDSL MIB error debugging is off  
 VDSL MIB information debugging is off60097831  
 ISAKMP:(1019):Checking IPSec proposal 1  
 ISAKMP: transform 1, ESP_AES   
 ISAKMP:  attributes in transform:  
 ISAKMP:   encaps is 1 (Tunnel)  
 ISAKMP:   SA life type in seconds  
 ISAKMP:   SA life duration (basic) of 3600  
 ISAKMP:   SA life type in kilobytes  
 ISAKMP:   SA life duration (VPI) of 0x0 0x46 0x50 0x0   
 ISAKMP:   authenticator is HMAC-MD5  
 ISAKMP:   key length is 192  

 !!--> This is good this means everything worked out and now ready to move to IPSEC  
 ISAKMP:(1019):atts are acceptable.   
 IPSEC(validate_proposal_request): proposal part #1  
 IPSEC(validate_proposal_request): proposal part #1,  
  (key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 2.2.2.2:0,  
   local_proxy= 65.65.65.0/255.255.255.0/256/0,  
   remote_proxy= 55.55.55.0/255.255.255.0/256/0,  
   protocol= ESP, transform= esp-aes 192 esp-md5-hmac (Tunnel),   
   lifedur= 0s and 0kb,   
   spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0  
 Crypto mapdb : proxy_match  
     src addr   : 65.65.65.0  
     dst addr   : 55.55.55.0  
     protocol   : 0  
     src port   : 0  
     dst port   : 0  

 !!--> This means the transform set and everything matches   
 ipsec_process_proposal)Map Accepted: ipsec_map, 10   
 ISAKMP:(1019): processing NONCE payload. message ID = 960097831  
 ISAKMP:(1019): processing ID payload. message ID = 960097831  
 ISAKMP:(1019): processing ID payload. message ID = 960097831  
 ISAKMP:(1019):Node 960097831, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH  
 ISAKMP:(1019):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT  
 IPSEC(key_engine): got a queue event with 1 KMI message(s)  
 Crypto mapdb : proxy_match  
     src addr   : 65.65.65.0  
     dst addr   : 55.55.55.0  
     protocol   : 256  
     src port   : 0  
     dst port   : 0  
 IPSEC(crypto_ipsec_create_ipsec_sas): Map found ipsec_map, 10  
 IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2.2.2.2  
 IPSEC(create_sa): sa created,  
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,   
   sa_spi= 0xF96545D6(4184163798),   
   sa_trans= esp-aes 192 esp-md5-hmac , sa_conn_id= 2711  
   sa_lifetime(k/sec)= (4608000/3600),  
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2:0,  
   local_proxy= 65.65.65.0/255.255.255.0/256/0,  
   remote_proxy= 55.55.55.0/255.255.255.0/256/0  

 !!--> This means the security associations are created and SPI is assigned.   
 IPSEC(create_sa): sa created,   
  (sa) sa_dest= 2.2.2.2, sa_proto= 50,   
   sa_spi= 0x1A69F602(443151874),   
   sa_trans= esp-aes-192 esp-md5-hmac , sa_conn_id= 2712  
   sa_lifetime(k/sec)= (4608000/3600),  
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2:0,  
   local_proxy= 65.65.65.0/255.255.255.0/256/0,  
   remote_proxy= 55.55.55.0/255.255.255.0/256/0  
 ISAKMP: Failed to find peer index node to update peer_info_list  
 ISAKMP:(1019):Received IPSec Install callback... proceeding with the negotiation  
 ISAKMP:(1019):Successfully installed IPSEC SA (SPI:0xF96545D6) on GigabitEthernet1.12  
 ISAKMP:(1019): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE     
 ISAKMP:(1019):Sending an IKE IPv4 Packet.  
 ISAKMP:(1019):deleting node 960097831 error FALSE reason "No Error"  
 ISAKMP:(1019):Node 960097831, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE  
 ISAKMP:(1019):Old State = IKE_QM_IPSEC_INSTALL_AWAIT   

 !!--> Everything complete and tunnel is established and traffic can be encrypted.   
 New State = IKE_QM_PHASE2_COMPLETE   

Many more articles to come so ....

Please subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.