On R1, let's get the loopback and the interfaces configured. The loopback is the IKE/IPsec endpoint, and EIGRP advertises it so that R2 can reach it over either sub-interface.
R1#
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1.12
 encapsulation dot1Q 12
 ip address 12.12.12.1 255.255.255.0
 crypto map ipsec_map
!
interface GigabitEthernet1.21
 encapsulation dot1Q 21
 ip address 21.21.21.1 255.255.255.0
 delay 100000
 !!--> The inflated delay raises the EIGRP metric of this path, so Gig1.12 is preferred and Gig1.21 only carries traffic if Gig1.12 fails
 crypto map ipsec_map
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 12.12.12.0 0.0.0.255
 network 21.21.21.0 0.0.0.255
 network 65.65.65.0 0.0.0.255
 !!--> 65.65.65.0/24 is the LAN behind R1 (Gig1.65, not shown); it is the local side of the crypto ACL
end
On R1, let's get the crypto map configured.
R1#
crypto isakmp policy 10
 !!--> A lower sequence number means a higher priority. You can define several policies; the initiator offers them in ascending order and the responder picks the first one it also has.
 encr aes 192
 !!--> Encryption for the IKE (Phase 1) SA, AES with a 192-bit key here
 hash md5
 !!--> Hash/PRF for the IKE SA. MD5 is kept here so the config matches the debugs below; on current IOS prefer "hash sha256".
 authentication pre-share
 !!--> Authentication method: a pre-shared key, selected by peer address below
 group 2
 !!--> Diffie-Hellman group. Group 2 (1024-bit MODP) is considered weak today; group 14 and up, or the ECC groups 19-21, are stronger choices.
crypto isakmp key cisco1234 address 2.2.2.2
 !!--> The address is the peer's IKE identity, i.e. its crypto map local-address (2.2.2.2), not one of its physical interface addresses. "cisco1234" is a lab value; use a long random key in production.
crypto ipsec transform-set t1 esp-aes 192 esp-md5-hmac
 mode tunnel
 !!--> Phase 2 (IPsec SA) parameters. esp-md5-hmac carries the same caveat as "hash md5" above; esp-sha256-hmac is available on current IOS.
crypto map ipsec_map local-address Loopback0
 !!--> IKE and ESP are sourced from 1.1.1.1 whichever interface the map is applied to, so a single SA pair serves both Gig1.12 and Gig1.21 (the show output below reports the same SPIs under both interfaces)
crypto map ipsec_map 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set t1
 match address ipsec_vpn
 !!--> No "set pfs" is configured, so Phase 2 keys are derived from the Phase 1 DH exchange only; the show output below reports "PFS (Y/N): N"
ip access-list extended ipsec_vpn
 permit ip 65.65.65.0 0.0.0.255 55.55.55.0 0.0.0.255
 !!--> The crypto ACL is not shown in the original post; it is reconstructed here from the local/remote ident in "show crypto ipsec sa" below. R2's ACL must be the exact mirror image.
On R2, let's get the interfaces and basic Layer 3 configured.
R2#
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1.12
 encapsulation dot1Q 12
 ip address 12.12.12.2 255.255.255.0
 crypto map ipsec_map
!
interface GigabitEthernet1.21
 encapsulation dot1Q 21
 ip address 21.21.21.2 255.255.255.0
 delay 100000
 crypto map ipsec_map
!
router eigrp 1
 network 2.2.2.2 0.0.0.0
 network 12.12.12.0 0.0.0.255
 network 21.21.21.0 0.0.0.255
 network 55.55.55.0 0.0.0.255
 !!--> 55.55.55.0/24 is the LAN behind R2; it is the remote side of R1's crypto ACL
end
On R2, let's get the crypto map configured. It is the mirror image of R1: same policy and transform set, the key bound to R1's loopback, and the crypto ACL with source and destination swapped.
R2#
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 1.1.1.1
crypto ipsec transform-set t1 esp-aes 192 esp-md5-hmac
 mode tunnel
crypto map ipsec_map local-address Loopback0
crypto map ipsec_map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set t1
 match address ipsec_vpn
ip access-list extended ipsec_vpn
 permit ip 55.55.55.0 0.0.0.255 65.65.65.0 0.0.0.255
 !!--> Not shown in the original post; reconstructed as the mirror of R1's ACL from the local/remote ident in the show output below
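Before touching the debugs it is worth checking the two configurations against each other: the "set peer" address has to be the other side's crypto map local-address, the pre-shared keys and ISAKMP policy attributes have to match, the transform sets have to match, and the crypto ACLs have to be exact mirror images. The Python script below is an added example, not code from the original post; it runs that check over the R1 and R2 crypto configs above (the ipsec_vpn ACL is reconstructed from the show output, since the post does not print it) and also flags the MD5 and DH group 2 choices as weak. The parser understands only the handful of commands this post uses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the R1 crypto config from this post. The ipsec_vpn ACL is not shown
# in the post; it is reconstructed from the local/remote ident in "show crypto ipsec sa".
R1_CFG = """\
crypto isakmp policy 10
 encr aes 192
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 2.2.2.2
crypto ipsec transform-set t1 esp-aes 192 esp-md5-hmac
crypto map ipsec_map local-address Loopback0
crypto map ipsec_map 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set t1
 match address ipsec_vpn
ip access-list extended ipsec_vpn
 permit ip 65.65.65.0 0.0.0.255 55.55.55.0 0.0.0.255
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
"""
# R2 is the mirror image: loopback/peer addresses swapped, crypto ACL reversed.
R2_CFG = (R1_CFG.replace("1.1.1.1", "@").replace("2.2.2.2", "1.1.1.1").replace("@", "2.2.2.2")
          .replace("65.65.65.0 0.0.0.255 55.55.55.0", "55.55.55.0 0.0.0.255 65.65.65.0"))

@dataclass
class CryptoCfg:
    policy: dict = field(default_factory=dict)      # isakmp policy: encr/hash/authentication/group
    psk: dict = field(default_factory=dict)         # peer address -> pre-shared key
    transforms: dict = field(default_factory=dict)  # transform-set name -> transform string
    acls: dict = field(default_factory=dict)        # ACL name -> [(src, wildcard, dst, wildcard)]
    ifaces: dict = field(default_factory=dict)      # interface -> address
    local_iface: str = ""                           # crypto map ... local-address
    peer: str = ""; transform_name: str = ""; acl_name: str = ""

# Top-level commands: a handler records a value (returns None) or opens a section
# (returns (kind, name)) that the indented lines following it belong to.
GLOBAL = [
    (r"crypto isakmp policy (\d+)", lambda c, m: ("policy", m[1])),
    (r"crypto isakmp key (\S+) address (\S+)", lambda c, m: c.psk.__setitem__(m[2], m[1])),
    (r"crypto ipsec transform-set (\S+) (.+)", lambda c, m: c.transforms.__setitem__(m[1], m[2])),
    (r"crypto map \S+ local-address (\S+)", lambda c, m: setattr(c, "local_iface", m[1])),
    (r"crypto map (\S+) \d+ ipsec-isakmp", lambda c, m: ("map", m[1])),
    (r"ip access-list extended (\S+)", lambda c, m: ("acl", m[1])),
    (r"interface (\S+)", lambda c, m: ("iface", m[1])),
]
MAP_ATTRS = {"set peer": "peer", "set transform-set": "transform_name", "match address": "acl_name"}

def parse_cfg(text):
    c, section = CryptoCfg(), None
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):                 # unindented: a new top-level command
            section = None
            for pat, handler in GLOBAL:
                if m := re.match(pat, line):
                    section = handler(c, m)
                    break
        elif section is not None:                   # indented: belongs to the open section
            kind, name = section
            if kind == "policy":
                key, _, val = line.partition(" ")
                c.policy[key] = val
            elif kind == "map" and (attr := MAP_ATTRS.get(line.rpartition(" ")[0])):
                setattr(c, attr, line.split()[-1])
            elif kind == "acl" and line.startswith("permit ip "):
                c.acls.setdefault(name, []).append(tuple(line.split()[2:6]))
            elif kind == "iface" and line.startswith("ip address "):
                c.ifaces[name] = line.split()[2]
    return c

def check_pair(a, b):
    """Findings for side A's crypto map talking to peer B. No MISMATCH entry == consistent."""
    out = []
    b_local = b.ifaces.get(b.local_iface)
    if a.peer != b_local:
        out.append(f"MISMATCH: set peer {a.peer}, but the peer sources IKE from {b_local}")
    if a.psk.get(a.peer) != b.psk.get(b.peer):
        out.append("MISMATCH: pre-shared key missing or differs")
    for k in ("encr", "hash", "authentication", "group"):
        if a.policy.get(k) != b.policy.get(k):
            out.append(f"MISMATCH: isakmp policy {k}: {a.policy.get(k)!r} vs {b.policy.get(k)!r}")
    ts_a, ts_b = a.transforms.get(a.transform_name), b.transforms.get(b.transform_name)
    if ts_a != ts_b:
        out.append(f"MISMATCH: transform sets differ: {ts_a!r} vs {ts_b!r}")
    mirror = sorted((d, dw, s, sw) for s, sw, d, dw in b.acls.get(b.acl_name, []))
    if sorted(a.acls.get(a.acl_name, [])) != mirror:
        out.append("MISMATCH: crypto ACLs are not mirror images")
    weak = [("isakmp hash md5 (use sha256)", a.policy.get("hash") == "md5"),
            (f"DH group {a.policy.get('group')} (use 14 or higher, or 19-21)", a.policy.get("group") in ("1", "2", "5")),
            ("esp-md5-hmac in transform set (use esp-sha256-hmac)", bool(ts_a and "md5" in ts_a))]
    out += ["WEAK: " + msg for msg, hit in weak if hit]
    return out

if __name__ == "__main__":
    r1, r2 = parse_cfg(R1_CFG), parse_cfg(R2_CFG)
    print("\n".join(check_pair(r1, r2) + check_pair(r2, r1)))
```

Run against the configs as posted it reports no mismatches and three WEAK findings per side; change the key or one ACL entry on R2 and the corresponding MISMATCH line appears, which is cheaper than reading a Main Mode debug to find the same thing.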
Now let's generate "interesting" traffic, i.e. traffic that matches the crypto ACL (65.65.65.0/24 to 55.55.55.0/24), so that the crypto map initiates the IKE negotiation. The ping is sourced from the LAN sub-interface so the source address falls inside the ACL; a ping sourced from the loopback would not match the ACL and would be forwarded unencrypted.
R1# ping 55.55.55.1 source int gig1.65
Sending 5, 100-byte ICMP Echos to 55.55.55.1, timeout is 2 seconds:
Packet sent with a source address of 65.65.65.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 3/3/4 ms
The first packet was lost because the IKE negotiation was still in progress when it arrived; the router does not queue it. If all goes well, "show crypto isakmp sa" now shows the ISAKMP SA in QM_IDLE with status ACTIVE.
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.1 QM_IDLE 1019 ACTIVE
Let's do some 'show' commands to verify the connection.
R1#show crypto ipsec sa
interface: GigabitEthernet1.12
Crypto map tag: ipsec_map, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (65.65.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (55.55.55.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
!!--> Make sure the packets are being encapsulated and decapsulated
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.12
current outbound spi: 0x1A69F602(443151874)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF96545D6(4184163798)
transform: esp-192-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2711, flow_id: CSR:711, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607999/3303)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1A69F602(443151874)
transform: esp-192-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2712, flow_id: CSR:712, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607999/3303)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
interface: GigabitEthernet1.21
Crypto map tag: ipsec_map, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (65.65.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (55.55.55.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.12
current outbound spi: 0x1A69F602(443151874)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF96545D6(4184163798)
transform: esp-192-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2711, flow_id: CSR:711, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607999/3303)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1A69F602(443151874)
transform: esp-192-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2712, flow_id: CSR:712, sibling_flags FFFFFFFF80004048, crypto map: ipsec_map
sa timing: remaining key lifetime (k/sec): (4607999/3303)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
As the connection was being built, I had "debug crypto isakmp" and "debug crypto ipsec" enabled on R1; the output is below, with !!--> comments marking the things to look for.
IPSEC(sa_request):
!!--> Make sure the peer IPs match the 'crypto isakmp key address'
(key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
!!--> Make sure the ACL is correct and that it is a mirror image on both routers
local_proxy= 65.65.65.0/255.255.255.0/256/0, remote_proxy= 55.55.55.0/255.255.255.0/256/0,
!!--> Make sure the transform set has the correct AH and ESP parameters
protocol= ESP, transform= esp-aes 192 esp-md5-hmac (Tunnel),
!!--> Proposed IPsec SA lifetimes (the IOS defaults, 3600 s and 4608000 kB); the peers settle on the lower of the two sides' values
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
!!--> This just means the packet matched the crypto ACL and IKE is starting Phase 1 with the peer
ISAKMP: New peer created peer = 0x7F1FEB13C050 peer_handle = 0x80000009
ISAKMP: Locking peer struct 0x7F1FEB13C050, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):insert sa successfully sa = 7F1FEB13B348
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
!!--> IKE is ready for Main Mode
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
ISAKMP:(0): processing
SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 192
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
!!--> This is the line to look for: the peer's Phase 1 proposal matched our policy 10. A mismatch shows up as "atts are not acceptable" and the SA never leaves MM_NO_STATE.
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0):Input IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
ISAKMP:(1019): processing vendor id payload
ISAKMP:(1019): vendor ID is Unity
ISAKMP:(1019): processing vendor id payload
ISAKMP:(1019): vendor ID is DPD
ISAKMP:(1019): processing vendor id payload
ISAKMP:(1019): speaking to another IOS box!
ISAKMP (1019): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1019): No NAT Found for self or peer
!!--> NAT-T discovery: there is no NAT on the path, so ESP runs natively as IP protocol 50 rather than inside UDP/4500. Any firewall between the loopbacks must allow UDP/500 and protocol 50.
ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1019):Old State = IKE_I_MM4 New State = IKE_I_MM4
ISAKMP:(1019):Send initial contact
ISAKMP:(1019):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1019): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
ISAKMP:(1019):Total payload length: 12
ISAKMP:(1019): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP:(1019):Sending an IKE IPv4 Packet.
!!--> The DH exchange already happened in MM3/MM4, hence the state name MM_KEY_EXCH. MM5/MM6 is the authentication exchange: the ID and HASH payloads are encrypted under the derived keys, so a pre-shared key mismatch shows up here as retransmissions or as a failed sanity check on the peer rather than as an explicit key-mismatch error.
ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1019):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP (1019): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
ISAKMP:(1019): processing ID payload. message ID = 0
ISAKMP (1019): ID payload
next-payload : 8
type : 1
address : 2.2.2.2
protocol : 17
port : 500
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
!!--> Harmless here: no ISAKMP profile is configured, so the peer is matched by the global pre-shared key instead
ISAKMP:(1019): processing HASH payload. message ID = 0
!!--> This means we have the correct key on both sides
ISAKMP:(1019):SA authentication status: authenticated
ISAKMP:(1019):SA has been authenticated with 2.2.2.2
ISAKMP: Trying to insert a peer 1.1.1.1/2.2.2.2/500/, and inserted successfully 7F1FEB13C050.
ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1019):Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1019):Old State = IKE_I_MM6 New State = IKE_I_MM6
ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1019):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP:(1019):beginning Quick Mode exchange, M-ID of 960097831
ISAKMP:(1019):QM Initiator gets spi
ISAKMP:(1019): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1019):Sending an IKE IPv4 Packet.
ISAKMP:(1019):Node 960097831, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1019):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1019):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (1019): received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1019): processing HASH payload. message ID = 960097831
ISAKMP:(1019): processing SA payload. message ID = 960097831
ISAKMP:(1019):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 192
!!--> The Phase 2 proposal (ESP with AES-192, HMAC-MD5, tunnel mode, 3600 s / 4608000 kB) matched transform set t1. If the transform sets or the tunnel/transport mode differ, the proposal is rejected here instead.
ISAKMP:(1019):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 2.2.2.2:0,
local_proxy= 65.65.65.0/255.255.255.0/256/0,
remote_proxy= 55.55.55.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes 192 esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
Crypto mapdb : proxy_match
src addr : 65.65.65.0
dst addr : 55.55.55.0
protocol : 0
src port : 0
dst port : 0
!!--> The proxy identities matched crypto map entry 10; with the transform set already accepted above, the IPsec SAs can now be created
IPSEC(ipsec_process_proposal)Map Accepted: ipsec_map, 10
ISAKMP:(1019): processing NONCE payload. message ID = 960097831
ISAKMP:(1019): processing ID payload. message ID = 960097831
ISAKMP:(1019): processing ID payload. message ID = 960097831
ISAKMP:(1019):Node 960097831, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1019):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 65.65.65.0
dst addr : 55.55.55.0
protocol : 256
src port : 0
dst port : 0
IPSEC(crypto_ipsec_create_ipsec_sas): Map found ipsec_map, 10
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 2.2.2.2
IPSEC(create_sa): sa created,
(sa) sa_dest= 1.1.1.1, sa_proto= 50,
sa_spi= 0xF96545D6(4184163798),
sa_trans= esp-aes 192 esp-md5-hmac , sa_conn_id= 2711
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 1.1.1.1:0, remote= 2.2.2.2:0,
local_proxy= 65.65.65.0/255.255.255.0/256/0,
remote_proxy= 55.55.55.0/255.255.255.0/256/0
!!--> This means the security associations are created and SPI is assigned.
IPSEC(create_sa): sa created,
(sa) sa_dest= 2.2.2.2, sa_proto= 50,
sa_spi= 0x1A69F602(443151874),
sa_trans= esp-aes-192 esp-md5-hmac , sa_conn_id= 2712
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 1.1.1.1:0, remote= 2.2.2.2:0,
local_proxy= 65.65.65.0/255.255.255.0/256/0,
remote_proxy= 55.55.55.0/255.255.255.0/256/0
ISAKMP: Failed to find peer index node to update peer_info_list
ISAKMP:(1019):Received IPSec Install callback... proceeding with the negotiation
ISAKMP:(1019):Successfully installed IPSEC SA (SPI:0xF96545D6) on GigabitEthernet1.12
ISAKMP:(1019): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1019):Sending an IKE IPv4 Packet.
ISAKMP:(1019):deleting node 960097831 error FALSE reason "No Error"
ISAKMP:(1019):Node 960097831, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
!!--> Everything is complete: the tunnel is established and traffic can be encrypted
ISAKMP:(1019):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
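The debug output above is long, and what you actually want from it is the state sequence, the proxy identities, the SPIs, and the first line that explains a failure. The Python script below is an added example, not code from the original post: it reduces a debug capture to that summary. Both inputs are constructed: an abridged copy of the successful exchange above (with wrapped lines joined), and a hypothetical pre-shared-key mismatch in which the initiator reaches MM5 and then only retransmits. The failure strings it looks for are ones IOS prints, but exact wording varies by release, so treat the hint table as a starting point.

```python
import re

# Constructed sample: an abridged copy of the successful "debug crypto isakmp" /
# "debug crypto ipsec" output from this post, with wrapped lines joined.
DEBUG_OK = """\
IPSEC(sa_request): (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
    local_proxy= 65.65.65.0/255.255.255.0/256/0, remote_proxy= 55.55.55.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes 192 esp-md5-hmac (Tunnel),
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP:(1019):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP:(1019):SA authentication status: authenticated
ISAKMP:(1019):Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP:(1019):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP:(1019):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP:(1019):atts are acceptable.
IPSEC(create_sa): sa created, (sa) sa_dest= 1.1.1.1, sa_proto= 50, sa_spi= 0xF96545D6(4184163798),
IPSEC(create_sa): sa created, (sa) sa_dest= 2.2.2.2, sa_proto= 50, sa_spi= 0x1A69F602(443151874),
ISAKMP:(1019):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
ISAKMP:(1019):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
"""

# Constructed (hypothetical) failure: a pre-shared key mismatch. The initiator reaches
# MM5 and then only retransmits, because the peer cannot decrypt its ID/HASH payload.
DEBUG_PSK_BAD = """\
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP:(1019):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP:(1019): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP:(1019): retransmitting phase 1 MM_KEY_EXCH...
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PROXY_RE = re.compile(r"local_proxy= (\S+), remote_proxy= (\S+),")
TRANSFORM_RE = re.compile(r"transform= (.+?) \((\w+)\)")
SA_RE = re.compile(r"sa_dest= (\S+), sa_proto= 50, sa_spi= (0x[0-9A-Fa-f]+)")

# Failure strings and what they usually point to. First match wins, so the more
# specific MM_KEY_EXCH pattern precedes the generic retransmit one.
HINTS = [
    ("atts are not acceptable", "Phase 1 policy mismatch: compare 'crypto isakmp policy' (encr/hash/auth/group) on both peers"),
    ("retransmitting phase 1 MM_KEY_EXCH", "Stuck after MM5: pre-shared key mismatch (peer cannot decrypt our ID/HASH)"),
    ("retransmitting phase 1", "No answer from peer: check routing to the peer address and UDP/500 filtering"),
    ("proxy identities not supported", "Crypto ACLs are not mirror images of each other"),
    ("IPSec policy invalidated proposal", "Phase 2 mismatch: transform set or tunnel/transport mode differs"),
]

def analyze(debug_text):
    """Reduce a debug capture to the facts that decide whether the tunnel came up."""
    r = {"states": [], "authenticated": False, "sas": {}, "proxies": None,
         "transform": None, "hint": None}
    for line in debug_text.splitlines():
        if (m := STATE_RE.search(line)) and m[1] != m[2]:
            r["states"].append(m[2])
        if (m := PROXY_RE.search(line)) and r["proxies"] is None:
            r["proxies"] = m.groups()
        if (m := TRANSFORM_RE.search(line)) and r["transform"] is None:
            r["transform"] = f"{m[1]} ({m[2]})"
        if m := SA_RE.search(line):
            r["sas"][m[2]] = m[1]                 # SPI -> SA destination (ESP, protocol 50)
        if "SA authentication status: authenticated" in line:
            r["authenticated"] = True
        for needle, hint in HINTS:
            if needle in line and r["hint"] is None:
                r["hint"] = hint
    mm = [s for s in r["states"] if "_MM" in s]     # main mode (Phase 1) states
    qm = [s for s in r["states"] if "_QM" in s]     # quick mode (Phase 2) states
    r["phase1"] = ("complete" if "IKE_P1_COMPLETE" in r["states"]
                   else f"stopped at {mm[-1]}" if mm else "not started")
    r["phase2"] = ("complete" if "IKE_QM_PHASE2_COMPLETE" in r["states"]
                   else f"stopped at {qm[-1]}" if qm else "not started")
    return r

if __name__ == "__main__":
    for name, text in (("good", DEBUG_OK), ("psk-mismatch", DEBUG_PSK_BAD)):
        rep = analyze(text)
        print(f"{name}: phase1={rep['phase1']}, phase2={rep['phase2']}, "
              f"authenticated={rep['authenticated']}, sas={rep['sas']}, hint={rep['hint']}")
```

For the capture above it reports both phases complete, the authenticated flag set and the two SPIs from the show output; for the mismatch sample it reports Phase 1 stopped at IKE_I_MM5 with the pre-shared key hint, which is exactly the point in the walkthrough where the key is first used.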
Many more articles to come so ....
Please subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.