Studies in VPN: Part 2
Welcome back!
IOS to IOS with PSK thru an ASA without NAT
The topology:
Allow ESP and ISAKMP thru the ASA:
ciscoasa(config-router)# conf t
ciscoasa(config)# access-l outside_in permit esp any any
ciscoasa(config)# access-l outside_in permit udp any any eq isakmp
ciscoasa(config)# access-g outside_in in int outside
ciscoasa(config)#
Over on R2 I create a loopback to encrypt traffic to R1:
r2(config)#int lo0
r2(config-if)#ip add 150.1.2.2 255.255.255.0
r2(config-if)#
Next create an ISAKMP policy:
r2(config-if)#cry isa pol 10
r2(config-isakmp)#enc 3
r2(config-isakmp)#has md
r2(config-isakmp)#authen pre
r2(config-isakmp)#exit
Next define the pre-shared key:
r2(config)#cry isa key CISCO address 136.7.121.1
Next create a transform set:
r2(config)#cry ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
Now create an access-list to define interesting traffic:
r2(config)#ip access-l ext vpn-to-r1
r2(config-ext-nacl)#permit ip 150.1.2.0 0.0.0.255 150.1.1.0 0.0.0.255
r2(config-ext-nacl)#exit
Now tie it together with a crypto map and apply it to the interface:
r2(config)#cry map vpn 10 ipsec-isa
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r2(config-crypto-map)#match add vpn-to-r1
r2(config-crypto-map)# set peer 136.7.121.1
r2(config-crypto-map)#set trans 3des-md5
r2(config-crypto-map)#int f0/0
r2(config-if)#cry map vpn
r2(config-if)#end
r2#
Now I just need to duplicate the same config on R1:
r1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#int lo0
r1(config-if)#ip add 150.1.1.1 255.255.255.0
r1(config-if)#exit
r1(config)#cry isa pol 10
r1(config-isakmp)#enc 3
r1(config-isakmp)#has md
r1(config-isakmp)#authen pre
r1(config-isakmp)#exit
r1(config)#cry isa key CISCO add 136.7.122.2
r1(config)#cry ipsec trans 3des-md5 esp-3 esp-m
r1(cfg-crypto-trans)#exit
r1(config)#cry map vpn 10 ipsec-isa
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r1(config-crypto-map)#match add vpn-to-r2
r1(config-crypto-map)#set peer 136.7.122.2
r1(config-crypto-map)#set trans 3des-md5
r1(config-crypto-map)#exit
r1(config)#ip access-l ext vpn-to-r2
r1(config-ext-nacl)#permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
r1(config-ext-nacl)#int f0/0
r1(config-if)#cry map vpn
r1(config-if)#end
r1#
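Most PSK tunnels that refuse to come up fail on one of a handful of config mismatches between the two sides. As an added example that is not part of the original post, here is a Python checker that takes running-config renditions of the R1 and R2 crypto commands above (constructed here as strings; the /24 mask on f0/0 is an assumption, the page only shows the two addresses) and verifies that each side's set peer is the other side's crypto-map interface, that the pre-shared keys match for those addresses, that the transform sets and ISAKMP policy agree, and that the crypto ACLs are exact mirror images. A deliberately broken copy of R2's ACL shows the kind of finding it reports.

```python
import ipaddress

# Constructed running-config rendition of the R1 crypto commands on the page.
# The /24 mask on f0/0 is an assumption; the page only shows the address.
R1_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 136.7.122.2
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 136.7.122.2
 set transform-set 3des-md5
 match address vpn-to-r2
ip access-list extended vpn-to-r2
 permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
interface FastEthernet0/0
 ip address 136.7.121.1 255.255.255.0
 crypto map vpn
"""
# R2 is the mirror image: peer/key address, interface address, ACL name and direction swap.
R2_CONFIG = (R1_CONFIG.replace("136.7.122.2", "136.7.121.1")
             .replace("ip address 136.7.121.1", "ip address 136.7.122.2")
             .replace("vpn-to-r2", "vpn-to-r1")
             .replace("150.1.1.0 0.0.0.255 150.1.2.0", "150.1.2.0 0.0.0.255 150.1.1.0"))
# Constructed negative case: R2's crypto ACL no longer mirrors R1's.
R2_BAD_ACL = R2_CONFIG.replace("150.1.1.0 0.0.0.255", "150.1.3.0 0.0.0.255")


def parse_crypto(config):
    """Pull the tunnel-relevant pieces out of an IOS running-config string."""
    cfg = {"policy": {}, "psk": {}, "transform": {}, "map": {}, "acl": {}, "intf": {}}
    section = name = None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):                      # top-level command
            section = name = None
            if w[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key K address A
                cfg["psk"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform"][w[3]] = frozenset(w[4:])
            elif w[:3] == ["crypto", "isakmp", "policy"]:
                section, name = "policy", w[3]
            elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
                section, name = "map", w[2]
            elif w[:3] == ["ip", "access-list", "extended"]:
                section, name = "acl", w[3]
            elif w[0] == "interface":
                section, name = "intf", w[1]
            if section:
                cfg[section].setdefault(name, [] if section == "acl" else {})
        elif section == "policy":
            cfg["policy"][name][w[0]] = " ".join(w[1:])
        elif section == "map" and w[0] == "set":
            cfg["map"][name][w[1]] = w[2]
        elif section == "map" and w[:2] == ["match", "address"]:
            cfg["map"][name]["acl"] = w[2]
        elif section == "acl" and w[:2] == ["permit", "ip"]:
            # permit ip SRC WILDCARD DST WILDCARD; ipaddress accepts wildcard (host) masks
            cfg["acl"][name].append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False),
                                     ipaddress.ip_network(f"{w[4]}/{w[5]}", strict=False)))
        elif section == "intf" and w[:2] == ["ip", "address"]:
            cfg["intf"][name]["ip"] = w[2]
        elif section == "intf" and w[:2] == ["crypto", "map"]:
            cfg["intf"][name]["map"] = w[2]
    return cfg


def crypto_endpoint(cfg):
    """(crypto map entry, local address) of the interface the map is applied to."""
    intf = next(i for i in cfg["intf"].values() if "map" in i)
    return cfg["map"][intf["map"]], intf["ip"]


def check_pair(a, b):
    """List the mismatches between two peers' tunnel configs; an empty list means consistent."""
    problems = []
    a_map, a_ip = crypto_endpoint(a)
    b_map, b_ip = crypto_endpoint(b)
    if a_map.get("peer") != b_ip or b_map.get("peer") != a_ip:
        problems.append("set peer does not point at the other side's crypto-map interface")
    if a["psk"].get(b_ip) is None or a["psk"].get(b_ip) != b["psk"].get(a_ip):
        problems.append("pre-shared key missing or different for the peer address")
    a_ts = a["transform"].get(a_map.get("transform-set"))
    if a_ts is None or a_ts != b["transform"].get(b_map.get("transform-set")):
        problems.append("transform sets differ")
    a_pol = {frozenset(p.items()) for p in a["policy"].values()}
    b_pol = {frozenset(p.items()) for p in b["policy"].values()}
    if not a_pol & b_pol:
        problems.append("no ISAKMP policy in common")
    mirrored = {(dst, src) for src, dst in b["acl"].get(b_map.get("acl"), [])}
    if set(a["acl"].get(a_map.get("acl"), [])) != mirrored:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running check_pair on the R1 and R2 strings returns an empty list; running it against R2_BAD_ACL returns the mirror-ACL finding. Each string in the result is a tunnel-killer on its own, and the mirror-ACL check is the one most often missed when both sides are typed in by hand.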
Now I'll turn on ISAKMP debugs while I test:
r1#
r1#debug cry isa
Crypto ISAKMP debugging is on
r1#
Before testing, make sure that each router has a route to the other's loopback. The lab probably won't allow static routes, so I'm going to advertise them into RIP:
r1(config)#router rip
r1(config-router)#net 150.1.0.0
r1(config-router)#
r2(config)#router rip
r2(config-router)#net 150.1.0.0
r2(config-router)#end
To test, I source a ping from the loopback interface of R1 to the loopback interface of R2:
r1#ping 150.1.2.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
Oct 22 22:09:53.890: ISAKMP: received ke message (1/1)
Oct 22 22:09:53.890: ISAKMP (0:0): SA request profile is (NULL)
Oct 22 22:09:53.890: ISAKMP: local port 500, remote port 500
Oct 22 22:09:53.890: ISAKMP: set new node 0 to QM_IDLE
Oct 22 22:09:53.890: ISAKMP: insert sa successfully sa = 82E92840
Oct 22 22:09:53.890: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Oct 22 22:09:53.894: ISAKMP: Looking for a matching key for 136.7.122.2 in default : success
Oct 22 22:09:53.894: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:53.894: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Oct 22 22:09:53.894: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Oct 22 22:09:53.894: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 22:09:53.894: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Oct 22 22:09:53.894: ISAKMP (0:1): beginning Main Mode exchange
Oct 22 22:09:53.894: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 22:09:54.074: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 22:09:54.074: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.074: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 22 22:09:54.078: ISAKMP (0:1): processing SA payload. message ID = 0
Oct 22 22:09:54.078: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.078: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:09:54.078: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:09:54.078: ISAKMP: Looking for a matching key .!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/8/8 ms
r1#for 136.7.122.2 in default : success
Oct 22 22:09:54.078: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:54.078: ISAKMP (0:1) local preshared key found
Oct 22 22:09:54.082: ISAKMP : Scanning profiles for xauth ...
Oct 22 22:09:54.082: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Oct 22 22:09:54.082: ISAKMP: encryption 3DES-CBC
Oct 22 22:09:54.082: ISAKMP: hash MD5
Oct 22 22:09:54.082: ISAKMP: default group 1
Oct 22 22:09:54.082: ISAKMP: auth pre-share
Oct 22 22:09:54.082: ISAKMP: life type in seconds
Oct 22 22:09:54.082: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 22 22:09:54.082: ISAKMP (0:1): atts are acceptable. Next payload is 0
Oct 22 22:09:54.243: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.243: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:09:54.243: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:09:54.243: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.243: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 22 22:09:54.255: ISAKMP (0:1): constructed HIS NAT-D
Oct 22 22:09:54.255: ISAKMP (0:1): constructed MINE NAT-D
Oct 22 22:09:54.255: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 22:09:54.259: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.259: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 22 22:09:54.467: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 22:09:54.471: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.471: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 22 22:09:54.471: ISAKMP (0:1): processing KE payload. message ID = 0
Oct 22 22:09:54.671: ISAKMP (0:1): processing NONCE payload. message ID = 0
Oct 22 22:09:54.671: ISAKMP: Looking for a matching key for 136.7.122.2 in default : success
Oct 22 22:09:54.671: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:54.675: ISAKMP (0:1): SKEYID state generated
Oct 22 22:09:54.675: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.675: ISAKMP (0:1): vendor ID is Unity
Oct 22 22:09:54.675: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.675: ISAKMP (0:1): vendor ID is DPD
Oct 22 22:09:54.679: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.679: ISAKMP (0:1): speaking to another IOS box!
Oct 22 22:09:54.679: ISAKMP:received payload type 17
Oct 22 22:09:54.679: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:09:54.679: ISAKMP (0:1): NAT match MINE hash
Oct 22 22:09:54.679: ISAKMP:received payload type 17
Oct 22 22:09:54.679: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:09:54.679: ISAKMP (0:1): NAT match HIS hash
Oct 22 22:09:54.679: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.679: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 22 22:09:54.683: ISAKMP (0:1): Send initial contact
Oct 22 22:09:54.683: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 22:09:54.683: ISAKMP (1): ID payload
next-payload : 8
type : 1
addr : 136.7.121.1
protocol : 17
port : 500
length : 8
Oct 22 22:09:54.683: ISAKMP (1): Total payload length: 12
Oct 22 22:09:54.687: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 22:09:54.687: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.687: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 22 22:09:54.699: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 22:09:54.699: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.699: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
Oct 22 22:09:54.703: ISAKMP (0:1): processing ID payload. message ID = 0
Oct 22 22:09:54.703: ISAKMP (0:1): processing HASH payload. message ID = 0
Oct 22 22:09:54.703: ISAKMP (0:1): SA has been authenticated with 136.7.122.2
Oct 22 22:09:54.703: ISAKMP (0:1): peer matches *none* of the profiles
Oct 22 22:09:54.703: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.703: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
Oct 22 22:09:54.707: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.707: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 22 22:09:54.707: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1599248551
Oct 22 22:09:54.711: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:09:54.715: ISAKMP (0:1): Node -1599248551, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 22 22:09:54.715: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Oct 22 22:09:54.715: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 22 22:09:54.715: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 22 22:09:54.976: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) QM_IDLE
Oct 22 22:09:54.980: ISAKMP (0:1): processing HASH payload. message ID = -1599248551
Oct 22 22:09:54.980: ISAKMP (0:1): processing SA payload. message ID = -1599248551
Oct 22 22:09:54.980: ISAKMP (0:1): Checking IPSec proposal 1
Oct 22 22:09:54.980: ISAKMP: transform 1, ESP_3DES
Oct 22 22:09:54.980: ISAKMP: attributes in transform:
Oct 22 22:09:54.980: ISAKMP: encaps is 1
Oct 22 22:09:54.980: ISAKMP: SA life type in seconds
Oct 22 22:09:54.980: ISAKMP: SA life duration (basic) of 3600
Oct 22 22:09:54.980: ISAKMP: SA life type in kilobytes
Oct 22 22:09:54.980: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Oct 22 22:09:54.980: ISAKMP: authenticator is HMAC-MD5
Oct 22 22:09:54.984: ISAKMP (0:1): atts are acceptable.
Oct 22 22:09:54.984: ISAKMP (0:1): processing NONCE payload. message ID = -1599248551
Oct 22 22:09:54.984: ISAKMP (0:1): processing ID payload. message ID = -1599248551
Oct 22 22:09:54.984: ISAKMP (0:1): processing ID payload. message ID = -1599248551
Oct 22 22:09:54.992: ISAKMP (0:1): Creating IPSec SAs
Oct 22 22:09:54.992: inbound SA from 136.7.122.2 to 136.7.121.1 (f/i) 0/ 0
(proxy 150.1.2.0 to 150.1.1.0)
Oct 22 22:09:54.992: has spi 0xE2D71338 and conn_id 2000 and flags 2
Oct 22 22:09:54.992: lifetime of 3600 seconds
Oct 22 22:09:54.992: lifetime of 4608000 kilobytes
Oct 22 22:09:54.992: has client flags 0x0
Oct 22 22:09:54.992: outbound SA from 136.7.121.1 to 136.7.122.2 (f/i) 0/ 0 (proxy 150.1.1.0 to 150.1.2.0 )
Oct 22 22:09:54.992: has spi 771123710 and conn_id 2001 and flags A
Oct 22 22:09:54.992: lifetime of 3600 seconds
Oct 22 22:09:54.992: lifetime of 4608000 kilobytes
Oct 22 22:09:54.992: has client flags 0x0
Oct 22 22:09:54.996: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:09:54.996: ISAKMP (0:1): deleting node -1599248551 error FALSE reason ""
Oct 22 22:09:54.996: ISAKMP (0:1): Node -1599248551, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 22 22:09:54.996: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETEping 150.1.2.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
r1#
So after a really long debug output we can see that the pings worked. Let's make sure they are actually being encrypted:
r1#sh cry isa sa
dst src state conn-id slot
136.7.122.2 136.7.121.1 QM_IDLE 1 0
r1#sh cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 136.7.121.1
protected vrf:
local ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0)
current_peer: 136.7.122.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 136.7.121.1, remote crypto endpt.: 136.7.122.2
path mtu 1500, media mtu 1500
current outbound spi: 2DF669FE
inbound esp sas:
spi: 0xE2D71338(3805745976)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4586184/3510)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2DF669FE(771123710)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4586184/3510)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
r1#
We have both an ISAKMP SA and an IPsec SA. The IPsec SA shows that we have packets flowing. Let's filter the output a bit and ping again:
r1#sh cry ipsec sa | in pkts encaps
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
r1#ping 150.1.2.2 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r1#sh cry ipsec sa | in pkts encaps
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
r1#
Perfect! Before we had 9 packets; after the ping we have 14. The numbers add up. Now, for good measure, I want to establish the tunnel from the outside interface of the ASA by pinging from R2.
First I'll kill the SA:
r2#sh cry isa sa
dst src state conn-id slot
136.7.122.2 136.7.121.1 QM_IDLE 1 0
r2#clear cry isakmp 1
r2#sh cry isa sa
dst src state conn-id slot
136.7.122.2 136.7.121.1 MM_NO_STATE 1 0 (deleted)
Then I'll turn debug on for R2:
r2#debug cry isa sa
Then I generate the ping:
r2#ping 150.1.1.1 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
Oct 22 22:17:30.687: ISAKMP: received ke message (1/1)
Oct 22 22:17:30.687: ISAKMP (0:0): SA request profile is (NULL)
Oct 22 22:17:30.687: ISAKMP: local port 500, remote port 500
Oct 22 22:17:30.691: ISAKMP: set new node 0 to QM_IDLE
Oct 22 22:17:30.691: ISAKMP: insert sa successfully sa = 835EF214
Oct 22 22:17:30.691: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Oct 22 22:17:30.691: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:30.691: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:30.691: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Oct 22 22:17:30.691: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Oct 22 22:17:30.695: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 22:17:30.695: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Oct 22 22:17:30.695: ISAKMP (0:1): beginning Main Mode exchange
Oct 22 22:17:30.695: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 22:17:30.868: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 22:17:30.872: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:30.872: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 22 22:17:30.872: ISAKMP (0:1): processing SA payload. message ID = 0
Oct 22 22:17:30.872: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:30.872: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:17:30.876: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:17:30.876: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:30.876: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:30.876: ISAKMP (0:1) local preshared key found
Oct 22 22:17:30.876: ISAKMP : Scanning profiles for xauth.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/8/8 ms
r2# ...
Oct 22 22:17:30.876: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Oct 22 22:17:30.876: ISAKMP: encryption 3DES-CBC
Oct 22 22:17:30.876: ISAKMP: hash MD5
Oct 22 22:17:30.876: ISAKMP: default group 1
Oct 22 22:17:30.876: ISAKMP: auth pre-share
Oct 22 22:17:30.876: ISAKMP: life type in seconds
Oct 22 22:17:30.876: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 22 22:17:30.880: ISAKMP (0:1): atts are acceptable. Next payload is 0
Oct 22 22:17:31.040: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.040: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:17:31.040: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:17:31.040: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.040: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 22 22:17:31.044: ISAKMP (0:1): constructed HIS NAT-D
Oct 22 22:17:31.044: ISAKMP (0:1): constructed MINE NAT-D
Oct 22 22:17:31.044: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 22:17:31.048: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.048: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 22 22:17:31.264: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 22:17:31.264: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:31.264: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 22 22:17:31.268: ISAKMP (0:1): processing KE payload. message ID = 0
Oct 22 22:17:31.469: ISAKMP (0:1): processing NONCE payload. message ID = 0
Oct 22 22:17:31.469: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:31.469: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:31.469: ISAKMP (0:1): SKEYID state generated
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): vendor ID is Unity
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): vendor ID is DPD
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): speaking to another IOS box!
Oct 22 22:17:31.473: ISAKMP:received payload type 17
Oct 22 22:17:31.473: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:17:31.473: ISAKMP (0:1): NAT match MINE hash
Oct 22 22:17:31.477: ISAKMP:received payload type 17
Oct 22 22:17:31.477: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:17:31.477: ISAKMP (0:1): NAT match HIS hash
Oct 22 22:17:31.477: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.477: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 22 22:17:31.493: ISAKMP (0:1): Send initial contact
Oct 22 22:17:31.493: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 22:17:31.493: ISAKMP (1): ID payload
next-payload : 8
type : 1
addr : 136.7.122.2
protocol : 17
port : 500
length : 8
Oct 22 22:17:31.493: ISAKMP (1): Total payload length: 12
Oct 22 22:17:31.497: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 22:17:31.497: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.497: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 22 22:17:31.509: ISAKMP (0:0): received packet from 136.7.121.1 dport 500 sport 500 Global (N) NEW SA
Oct 22 22:17:31.509: %CRYPTO-4-IKMP_NO_SA: IKE message from 136.7.121.1 has no SA and is not an initialization offer
Oct 22 22:17:31.509: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 22:17:31.513: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:31.513: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_I_MM6
Oct 22 22:17:31.513: ISAKMP (0:1): processing ID payload. message ID = 0
Oct 22 22:17:31.513: ISAKMP (0:1): processing HASH payload. message ID = 0
Oct 22 22:17:31.517: ISAKMP (0:1): SA has been authenticated with 136.7.121.1
Oct 22 22:17:31.517: ISAKMP (0:1): peer matches *none* of the profiles
Oct 22 22:17:31.517: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.517: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM6
Oct 22 22:17:31.517: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.521: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 22 22:17:31.521: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -308265645
Oct 22 22:17:31.525: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:17:31.525: ISAKMP (0:1): Node -308265645, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 22 22:17:31.525: ISAKMP (0:1): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Oct 22 22:17:31.529: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 22 22:17:31.529: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 22 22:17:31.789: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) QM_IDLE
Oct 22 22:17:31.793: ISAKMP (0:1): processing HASH payload. message ID = -308265645
Oct 22 22:17:31.793: ISAKMP (0:1): processing SA payload. message ID = -308265645
Oct 22 22:17:31.793: ISAKMP (0:1): Checking IPSec proposal 1
Oct 22 22:17:31.793: ISAKMP: transform 1, ESP_3DES
Oct 22 22:17:31.793: ISAKMP: attributes in transform:
Oct 22 22:17:31.793: ISAKMP: encaps is 1
Oct 22 22:17:31.793: ISAKMP: SA life type in seconds
Oct 22 22:17:31.797: ISAKMP: SA life duration (basic) of 3600
Oct 22 22:17:31.797: ISAKMP: SA life type in kilobytes
Oct 22 22:17:31.797: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Oct 22 22:17:31.797: ISAKMP: authenticator is HMAC-MD5
Oct 22 22:17:31.797: ISAKMP (0:1): atts are acceptable.
Oct 22 22:17:31.797: ISAKMP (0:1): processing NONCE payload. message ID = -308265645
Oct 22 22:17:31.797: ISAKMP (0:1): processing ID payload. message ID = -308265645
Oct 22 22:17:31.801: ISAKMP (0:1): processing ID payload. message ID = -308265645
Oct 22 22:17:31.805: ISAKMP (0:1): Creating IPSec SAs
Oct 22 22:17:31.805: inbound SA from 136.7.121.1 to 136.7.122.2 (f/i) 0/ 0
(proxy 150.1.1.0 to 150.1.2.0)
Oct 22 22:17:31.805: has spi 0xF684B57D and conn_id 2000 and flags 2
Oct 22 22:17:31.805: lifetime of 3600 seconds
Oct 22 22:17:31.805: lifetime of 4608000 kilobytes
Oct 22 22:17:31.805: has client flags 0x0
Oct 22 22:17:31.805: outbound SA from 136.7.122.2 to 136.7.121.1 (f/i) 0/ 0 (proxy 150.1.2.0 to 150.1.1.0 )
Oct 22 22:17:31.809: has spi -1711058480 and conn_id 2001 and flags A
Oct 22 22:17:31.809: lifetime of 3600 seconds
Oct 22 22:17:31.809: lifetime of 4608000 kilobytes
Oct 22 22:17:31.809: has client flags 0x0
Oct 22 22:17:31.809: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:17:31.809: ISAKMP (0:1): deleting node -308265645 error FALSE reason ""
Oct 22 22:17:31.809: ISAKMP (0:1): Node -308265645, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 22 22:17:31.813: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
r2#ping 150.1.1.1 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r2#
And again, after a very long output, we see success.
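Both debug captures above (R1's at 22:09 and R2's at 22:17) are long, and the facts that matter are scattered through them. As an added example, not from the original post, the Python below reduces a debug crypto isakmp capture to those facts: the state transitions and whether Phase 1 and Phase 2 completed, the authenticated peer, whether the pre-shared key was found, what the NAT-D hashes said, the Phase 1 proposal that was accepted, the IPsec SPIs normalised to hex (the debug prints the outbound one as a signed decimal), any %CRYPTO- syslog lines such as the IKMP_NO_SA message in R2's output, and which negotiated algorithms are legacy choices. The sample input is a constructed excerpt of R2's output above.

```python
import re

# Constructed excerpt of the R2-side "debug crypto isakmp" output shown on this page,
# trimmed to the lines the summariser keys on (timestamps kept as printed).
SAMPLE_DEBUG = """\
Oct 22 22:17:30.691: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Oct 22 22:17:30.691: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:30.695: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Oct 22 22:17:30.876: ISAKMP: encryption 3DES-CBC
Oct 22 22:17:30.876: ISAKMP: hash MD5
Oct 22 22:17:30.876: ISAKMP: default group 1
Oct 22 22:17:30.876: ISAKMP: auth pre-share
Oct 22 22:17:30.880: ISAKMP (0:1): atts are acceptable. Next payload is 0
Oct 22 22:17:31.473: ISAKMP (0:1): NAT match MINE hash
Oct 22 22:17:31.477: ISAKMP (0:1): NAT match HIS hash
Oct 22 22:17:31.509: %CRYPTO-4-IKMP_NO_SA: IKE message from 136.7.121.1 has no SA and is not an initialization offer
Oct 22 22:17:31.517: ISAKMP (0:1): SA has been authenticated with 136.7.121.1
Oct 22 22:17:31.521: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 22 22:17:31.797: ISAKMP: authenticator is HMAC-MD5
Oct 22 22:17:31.805: has spi 0xF684B57D and conn_id 2000 and flags 2
Oct 22 22:17:31.809: has spi -1711058480 and conn_id 2001 and flags A
Oct 22 22:17:31.813: ISAKMP (0:1): Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

TRANSITION = re.compile(r"Old State = (\S+) New State = (\S+)")
PROPOSAL = re.compile(r"ISAKMP: (encryption|hash|auth|default group) (\S+)$")
SPI = re.compile(r"has spi (\S+) and conn_id (\d+)")
# Phase 1 choices that still negotiate fine but are legacy on a modern network
# (this lab uses all three of the last ones).
LEGACY = {"encryption DES-CBC", "encryption 3DES-CBC", "hash MD5", "default group 1"}


def spi_hex(token):
    """Normalise an SPI printed as hex, unsigned or signed decimal to a fixed 0x........ form."""
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    return f"0x{value & 0xFFFFFFFF:08X}"


def summarize_isakmp(debug_text):
    """Reduce a debug crypto isakmp capture to the facts checked first when a tunnel misbehaves."""
    s = {"transitions": [], "phase1_complete": False, "phase2_complete": False,
         "peer": None, "psk_found": False, "nat_detected": None,
         "phase1_proposal": {}, "spis": {}, "warnings": [], "legacy_algorithms": []}
    nat_seen = nat_mismatch = False
    for line in debug_text.splitlines():
        if m := TRANSITION.search(line):
            s["transitions"].append(m.groups())
            s["phase1_complete"] |= m.group(2) == "IKE_P1_COMPLETE"
            s["phase2_complete"] |= m.group(2) == "IKE_QM_PHASE2_COMPLETE"
        elif m := re.search(r"SA has been authenticated with (\S+)", line):
            s["peer"] = m.group(1)
        elif "found peer pre-shared key" in line:
            s["psk_found"] = True
        elif "NAT match" in line or "NAT does not match" in line:
            # Both NAT-D hashes matching means no NAT sits between the peers.
            nat_seen = True
            nat_mismatch |= "does not match" in line
        elif "%CRYPTO-" in line:
            s["warnings"].append(line.split(": ", 1)[1])   # drop the timestamp
        elif m := PROPOSAL.search(line):
            s["phase1_proposal"][m.group(1)] = m.group(2)
        elif m := SPI.search(line):
            s["spis"][m.group(2)] = spi_hex(m.group(1))    # keyed by conn_id
    if nat_seen:
        s["nat_detected"] = nat_mismatch
    s["legacy_algorithms"] = [f"{k} {v}" for k, v in s["phase1_proposal"].items()
                              if f"{k} {v}" in LEGACY]
    return s


def tunnel_up(summary):
    """True when both IKE phases completed; warnings are reported separately on purpose."""
    return summary["phase1_complete"] and summary["phase2_complete"]


if __name__ == "__main__":
    result = summarize_isakmp(SAMPLE_DEBUG)
    print("tunnel up:", tunnel_up(result))
    for key in ("peer", "nat_detected", "spis", "warnings", "legacy_algorithms"):
        print(f"{key}: {result[key]}")
```

On the sample it reports the tunnel up with peer 136.7.121.1, no NAT detected, the two SPIs as 0xF684B57D and 0x9A0351D0, the single IKMP_NO_SA warning, and 3DES, MD5 and DH group 1 flagged as legacy. Keeping warnings separate from the up/down verdict matters: on this page the tunnel came up despite the IKMP_NO_SA message, so a tool that treated every syslog warning as a failure would have reported a false negative.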
Here are my ending configs: