<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GlobalConfig.net &#187; Studies In VPN</title>
	<atom:link href="http://www.globalconfig.net/category/studies-in-vpn/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.globalconfig.net</link>
	<description>Studying for Cisco Certifications</description>
	<lastBuildDate>Mon, 26 Jul 2010 15:00:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>VPN3k CLI only</title>
		<link>http://www.globalconfig.net/2008/12/18/vpn3k-cli-only/</link>
		<comments>http://www.globalconfig.net/2008/12/18/vpn3k-cli-only/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 07:54:59 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[Studies In VPN]]></category>
		<category><![CDATA[VPN3k]]></category>

		<guid isPermaLink="false">http://www.globalconfig.net/?p=611</guid>
		<description><![CDATA[It is possible to configure an L2L session on a VPN3k using CLI only.  It is a completely different configuration.  Here is a summary of it: Create an SA. Create inbound and outbound rules for the hosts to be encrypted. Apply the rules to the public filter with the action of &#8220;Apply IPSec&#8221; and attach [...]
]]></description>
			<content:encoded><![CDATA[<p>It is possible to configure an L2L session on a VPN3k using CLI only.  It is a completely different configuration.  Here is a summary of it:</p>
<ol>
<li>Create an SA</li>
<li>Create inbound and outbound rules for the hosts to be encrypted.</li>
<li>Apply the rules to the public filter with the action of &#8220;Apply IPSec&#8221; and attach the Security Association.</li>
<li>Create a group with the preshared key.</li>
<li>Set it to type L2L.</li>
</ol>
<p>Now it seems like a short list, but jumping around in the CLI menus makes it tough.</p>
<pre>TIP:

When you are looking at the public filter you want to see the
IPSec Rules applied with the Security Association Attached.</pre>
<div class="thumbnail"><a href="http://skitch.com/brandoncarroll/69pp/picture-1"><img src="http://img.skitch.com/20081219-1fkr4rdukt6jd7gxqkgp7g1sjg.preview.jpg" alt="Picture 1" width="471" height="109" /></a></div>]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/12/18/vpn3k-cli-only/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Studies in VPN: Part 3</title>
		<link>http://www.globalconfig.net/2008/10/24/studies-in-vpn-part-3/</link>
		<comments>http://www.globalconfig.net/2008/10/24/studies-in-vpn-part-3/#comments</comments>
		<pubDate>Fri, 24 Oct 2008 16:00:07 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[Studies In VPN]]></category>
		<category><![CDATA[Dynamic crypto map]]></category>
		<category><![CDATA[Pre-shared-keys]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://globalconfig.net/?p=462</guid>
		<description><![CDATA[IOS Lan-to-Lan with PSK through an ASA. ***The Catch: NAT configured and Dynamic Crypto Maps configured. I ran into an interesting situation: r1#sh cry map Crypto Map "vpn" 10 ipsec-isakmp Peer = 136.5.122.2 Extended IP access list r1tor2 access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255 Current peer: 136.5.122.2 Security association [...]
]]></description>
			<content:encoded><![CDATA[<p>IOS Lan-to-Lan with PSK through an ASA.<br />
***The Catch: NAT configured and Dynamic Crypto Maps configured.</p>
<div class="thumbnail"><a href="http://skitch.com/brandoncarroll/3q8j/picture-8"><img src="http://img.skitch.com/20081024-eehxcyhs76wtnbs7fwxk214tim.preview.jpg" alt="Picture 8" /></a></div>
<p><strong>I ran into an interesting situation:</strong></p>
<pre><code>r1#sh cry map
Crypto Map "vpn" 10 ipsec-isakmp
	Peer = 136.5.122.2
	Extended IP access list r1tor2
	    access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255
	Current peer: 136.5.122.2
	Security association lifetime: 4608000 kilobytes/3600 seconds
	PFS (Y/N): N
	Transform sets={
		3des-esp,
	}
	Interfaces using crypto map vpn:
		FastEthernet0/0</code></pre>
<p><strong>Pings fail:</strong></p>
<pre><code>r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.....
Success rate is 0 percent (0/5)</code></pre>
<p><strong>But it looks like its working based on the stats:</strong></p>
<pre><code>local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0)
   current_peer: 136.5.122.2:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 136.5.121.1, remote crypto endpt.: 136.5.122.2
     path mtu 1500, media mtu 1500
     current outbound spi: 674293ED

     inbound esp sas:
      spi: 0xBD012AAD(3170970285)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590553/3219)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x674293ED(1732416493)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590551/3219)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r1#</code></pre>
<p><strong>A little tweaking on the ASA, clear the ASA and try again:</strong></p>
<pre><code>r1#clear cry sa
r1#
r1#
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     QM_IDLE              2    0
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#</code></pre>
<p>So what was the problem?  The access-list on the ASA didn&#8217;t allow NAT-T.  The hint was already in the IPsec SA output above: <code>current_peer: 136.5.122.2:4500</code> and <code>in use settings ={Tunnel UDP-Encaps, }</code>.  With NAT in the path, IKE switches to NAT-T and ESP is carried inside UDP/4500 instead of as plain ESP, so a firewall between the peers has to permit that port as well as UDP/500.</p>
<p>On another note, the interesting thing about this configuration is that you have to initiate the connection from the inside, since R2 is using a dynamic crypto map.</p>
<p><a href="http://globalconfig.net/wp-content/uploads/2008/10/studies-vpn-3.zip">Final Configs</a> (zipped)</p>
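<p>As an added check written for this note (example code, not part of the original post or any Cisco tool), the following Python compares what the ASA&#8217;s outside ACL permits with what the IPsec SA is actually doing.  It assumes the <code>any any</code> form of access-list shown in Part 2 and the <code>current_peer</code> / <code>in use settings</code> / <code>#pkts</code> fields shown above; the ACL and SA excerpts inside it are constructed samples in that shape.  When the SA reports UDP-Encaps or a peer port of 4500, the ACL needs UDP/4500 too, which is exactly what was missing here.</p>

```python
import re

# Constructed sample: the ASA access-list from the "without NAT" lab (Part 2).
# It permits ESP and ISAKMP (UDP/500) but nothing for NAT-T (UDP/4500).
ASA_ACL_PART2 = """
access-l outside_in permit esp any any
access-l outside_in permit udp any any eq isakmp
"""

# Constructed excerpt of "show crypto ipsec sa" in the shape this post shows:
# the peer is reached on port 4500 and both SAs are in UDP-Encaps mode.
IPSEC_SA_NATT = """
   current_peer: 136.5.122.2:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
     inbound esp sas:
      spi: 0xBD012AAD(3170970285)
        in use settings ={Tunnel UDP-Encaps, }
     outbound esp sas:
      spi: 0x674293ED(1732416493)
        in use settings ={Tunnel UDP-Encaps, }
"""

# Constructed excerpt for the no-NAT case (Part 2): plain ESP, peer on port 500.
IPSEC_SA_PLAIN = """
   current_peer: 136.7.122.2:500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
        in use settings ={Tunnel, }
"""

# Port keywords the ASA accepts in place of numbers.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

ACL_RE = re.compile(
    r"\s*access-l\S*\s+\S+\s+permit\s+(\S+)\s+any\s+any(?:\s+eq\s+(\S+))?\s*$"
)


def parse_asa_acl(text):
    """Return the set of (protocol, port) pairs the ACL permits.

    Only the 'any any' form used in the lab is handled (an assumption of this
    example); port is None for protocols without ports, such as esp.
    """
    allowed = set()
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        proto, port = m.group(1).lower(), m.group(2)
        if port is not None:
            port = int(PORT_NAMES.get(port.lower(), port))
        allowed.add((proto, port))
    return allowed


def parse_ipsec_sa(text):
    """Pull the peer port, encapsulation mode and counters from the SA output."""
    peer = re.search(r"current_peer:\s*([\d.]+):(\d+)", text)
    encaps = re.search(r"#pkts encaps:\s*(\d+)", text)
    decaps = re.search(r"#pkts decaps:\s*(\d+)", text)
    return {
        "peer": peer.group(1),
        "peer_port": int(peer.group(2)),
        "udp_encaps": "UDP-Encaps" in text,
        "encaps": int(encaps.group(1)),
        "decaps": int(decaps.group(1)),
    }


def required_flows(sa):
    """Flows a firewall between the peers must permit, given the SA's mode."""
    needed = {("udp", 500)}  # IKE main mode always starts on UDP/500
    if sa["udp_encaps"] or sa["peer_port"] == 4500:
        needed.add(("udp", 4500))  # NAT-T: ESP is carried inside UDP/4500
    else:
        needed.add(("esp", None))  # no NAT detected: plain ESP (IP proto 50)
    return needed


def audit(acl_text, sa_text):
    """Return the flows the tunnel needs that the ACL does not permit."""
    allowed = parse_asa_acl(acl_text)
    sa = parse_ipsec_sa(sa_text)
    return sorted((f for f in required_flows(sa) if f not in allowed), key=str)


if __name__ == "__main__":
    print("NAT-T tunnel, Part 2 ACL ->", audit(ASA_ACL_PART2, IPSEC_SA_NATT))
    print("plain ESP tunnel, Part 2 ACL ->", audit(ASA_ACL_PART2, IPSEC_SA_PLAIN))
```

<p>Run against the Part 3 state it reports <code>[('udp', 4500)]</code> as missing, and an empty list for the Part 2 (no NAT) state, matching the fix the post describes.</p>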


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/10/24/studies-in-vpn-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Studies in VPN: Part 2</title>
		<link>http://www.globalconfig.net/2008/10/22/studies-in-vpn-part-2/</link>
		<comments>http://www.globalconfig.net/2008/10/22/studies-in-vpn-part-2/#comments</comments>
		<pubDate>Thu, 23 Oct 2008 05:44:22 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[Studies In VPN]]></category>

		<guid isPermaLink="false">http://globalconfig.net/?p=445</guid>
		<description><![CDATA[IOS to IOS with PSK thru an ASA without NAT The topology: Allow ESP and ISAKMP thru the ASA: ciscoasa(config-router)# conf t ciscoasa(config)# access-l outside_in permit esp any any ciscoasa(config)# access-l outside_in permit udp any any eq isakmp ciscoasa(config)# access-g outside_in in int outside ciscoasa(config)# Over on R2 I create a [...]
]]></description>
			<content:encoded><![CDATA[<h1>IOS to IOS with PSK thru an ASA without NAT</h1>
<p>The topology:</p>
<div class="thumbnail"><a href="http://skitch.com/brandoncarroll/3q8j/picture-8"><img src="http://img.skitch.com/20081023-eehxcyhs76wtnbs7fwxk214tim.preview.jpg" alt="Picture 8" /></a></div>
<p>Allow ESP and ISAKMP thru the ASA:</p>
<pre><code>ciscoasa(config-router)# conf t
ciscoasa(config)# access-l outside_in permit esp any any
ciscoasa(config)# access-l outside_in permit udp any any eq isakmp
ciscoasa(config)# access-g outside_in in int outside
ciscoasa(config)#</code></pre>
<p>Over on R2 I create a loopback to encrypt traffic to R1:</p>
<pre><code>r2(config)#int lo0
r2(config-if)#ip add 150.1.2.2 255.255.255.0
r2(config-if)#</code></pre>
<p>Next create an ISAKMP policy:</p>
<pre><code>r2(config-if)#cry isa pol 10
r2(config-isakmp)#enc 3
r2(config-isakmp)#has md
r2(config-isakmp)#authen pre
r2(config-isakmp)#exit</code></pre>
<p>Next define the pre-shared key:</p>
<pre><code>r2(config)#cry isa key CISCO address 136.7.121.1</code></pre>
<p>Next create a transform set:</p>
<pre><code>r2(config)#cry ipsec transform-set 3des-md5 esp-3des esp-md5-hmac</code></pre>
<p>Now create an access-list to define interesting traffic:</p>
<pre><code>r2(config)#ip access-l ext vpn-to-r1
r2(config-ext-nacl)#permit ip 150.1.2.0 0.0.0.255 150.1.1.0 0.0.0.255
r2(config-ext-nacl)#exit</code></pre>
<p>Now tie it together with a crypto map and apply it to the interface:</p>
<pre><code>r2(config)#cry map vpn 10 ipsec-isa
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r2(config-crypto-map)#match add vpn-to-r1
r2(config-crypto-map)# set peer 136.7.121.1
r2(config-crypto-map)#set trans 3des-md5
r2(config-crypto-map)#int f0/0
r2(config-if)#cry map vpn
r2(config-if)#end
r2#
</code></pre>
<p>Now I just need to duplicate the same config on R1:</p>
<pre><code>r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#int lo0
r1(config-if)#ip add 150.1.1.1 255.255.255.0
r1(config-if)#exit
r1(config)#cry isa pol 10
r1(config-isakmp)#enc 3
r1(config-isakmp)#has md
r1(config-isakmp)#authen pre
r1(config-isakmp)#exit
r1(config)#cry isa key CISCO add 136.7.122.2
r1(config)#cry ipsec trans 3des-md5 esp-3 esp-m
r1(cfg-crypto-trans)#exit
r1(config)#cry map vpn 10 ipsec-isa
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r1(config-crypto-map)#match add vpn-to-r2
r1(config-crypto-map)#set peer 136.7.122.2
r1(config-crypto-map)#set trans 3des-md5
r1(config-crypto-map)#exit
r1(config)#ip access-l ext vpn-to-r2
r1(config-ext-nacl)#permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
r1(config-ext-nacl)#int f0/0
r1(config-if)#cry map vpn
r1(config-if)#end
r1#
Oct 22 22</code></pre>
<p>Now I&#8217;ll turn on ISAKMP debugs while I test:</p>
<pre><code>r1#
r1#debug cry isa
Crypto ISAKMP debugging is on
r1#
</code></pre>
<p>Before testing, make sure that each router has a route to the other&#8217;s loopback.  The lab probably won&#8217;t allow static routes, so I&#8217;m going to advertise them into RIP:</p>
<pre><code>r1(config)#router rip
r1(config-router)#net 150.1.0.0
r1(config-router)#
</code>
<code>r2(config)#router rip
r2(config-router)#net 150.1.0.0
r2(config-router)#end
</code></pre>
<p>And to test, source a packet from the loopback interface of R1 to the loopback interface of R2:</p>
<pre><code>r1#ping 150.1.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1

Oct 22 22:09:53.890: ISAKMP: received ke message (1/1)
Oct 22 22:09:53.890: ISAKMP (0:0): SA request profile is (NULL)
Oct 22 22:09:53.890: ISAKMP: local port 500, remote port 500
Oct 22 22:09:53.890: ISAKMP: set new node 0 to QM_IDLE
Oct 22 22:09:53.890: ISAKMP: insert sa successfully sa = 82E92840
Oct 22 22:09:53.890: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Oct 22 22:09:53.894: ISAKMP: Looking for a matching key for 136.7.122.2 in default : success
Oct 22 22:09:53.894: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:53.894: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Oct 22 22:09:53.894: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Oct 22 22:09:53.894: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 22:09:53.894: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

Oct 22 22:09:53.894: ISAKMP (0:1): beginning Main Mode exchange
Oct 22 22:09:53.894: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 22:09:54.074: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 22:09:54.074: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.074: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

Oct 22 22:09:54.078: ISAKMP (0:1): processing SA payload. message ID = 0
Oct 22 22:09:54.078: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.078: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:09:54.078: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:09:54.078: ISAKMP: Looking for a matching key .!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/8/8 ms
r1#for 136.7.122.2 in default : success
Oct 22 22:09:54.078: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:54.078: ISAKMP (0:1) local preshared key found
Oct 22 22:09:54.082: ISAKMP : Scanning profiles for xauth ...
Oct 22 22:09:54.082: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Oct 22 22:09:54.082: ISAKMP:      encryption 3DES-CBC
Oct 22 22:09:54.082: ISAKMP:      hash MD5
Oct 22 22:09:54.082: ISAKMP:      default group 1
Oct 22 22:09:54.082: ISAKMP:      auth pre-share
Oct 22 22:09:54.082: ISAKMP:      life type in seconds
Oct 22 22:09:54.082: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 22 22:09:54.082: ISAKMP (0:1): atts are acceptable. Next payload is 0
Oct 22 22:09:54.243: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.243: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:09:54.243: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:09:54.243: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.243: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

Oct 22 22:09:54.255: ISAKMP (0:1): constructed HIS NAT-D
Oct 22 22:09:54.255: ISAKMP (0:1): constructed MINE NAT-D
Oct 22 22:09:54.255: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 22:09:54.259: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.259: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

Oct 22 22:09:54.467: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 22:09:54.471: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.471: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

Oct 22 22:09:54.471: ISAKMP (0:1): processing KE payload. message ID = 0
Oct 22 22:09:54.671: ISAKMP (0:1): processing NONCE payload. message ID = 0
Oct 22 22:09:54.671: ISAKMP: Looking for a matching key for 136.7.122.2 in default : success
Oct 22 22:09:54.671: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:54.675: ISAKMP (0:1): SKEYID state generated
Oct 22 22:09:54.675: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.675: ISAKMP (0:1): vendor ID is Unity
Oct 22 22:09:54.675: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.675: ISAKMP (0:1): vendor ID is DPD
Oct 22 22:09:54.679: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.679: ISAKMP (0:1): speaking to another IOS box!
Oct 22 22:09:54.679: ISAKMP:received payload type 17
Oct 22 22:09:54.679: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:09:54.679: ISAKMP (0:1): NAT match MINE hash
Oct 22 22:09:54.679: ISAKMP:received payload type 17
Oct 22 22:09:54.679: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:09:54.679: ISAKMP (0:1): NAT match HIS hash
Oct 22 22:09:54.679: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.679: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

Oct 22 22:09:54.683: ISAKMP (0:1): Send initial contact
Oct 22 22:09:54.683: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 22:09:54.683: ISAKMP (1): ID payload
next-payload : 8
type         : 1
addr         : 136.7.121.1
protocol     : 17
port         : 500
length       : 8
Oct 22 22:09:54.683: ISAKMP (1): Total payload length: 12
Oct 22 22:09:54.687: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 22:09:54.687: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.687: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

Oct 22 22:09:54.699: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 22:09:54.699: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.699: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6

Oct 22 22:09:54.703: ISAKMP (0:1): processing ID payload. message ID = 0
Oct 22 22:09:54.703: ISAKMP (0:1): processing HASH payload. message ID = 0
Oct 22 22:09:54.703: ISAKMP (0:1): SA has been authenticated with 136.7.122.2
Oct 22 22:09:54.703: ISAKMP (0:1): peer matches *none* of the profiles
Oct 22 22:09:54.703: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.703: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6

Oct 22 22:09:54.707: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.707: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Oct 22 22:09:54.707: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1599248551
Oct 22 22:09:54.711: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:09:54.715: ISAKMP (0:1): Node -1599248551, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 22 22:09:54.715: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Oct 22 22:09:54.715: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 22 22:09:54.715: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Oct 22 22:09:54.976: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) QM_IDLE
Oct 22 22:09:54.980: ISAKMP (0:1): processing HASH payload. message ID = -1599248551
Oct 22 22:09:54.980: ISAKMP (0:1): processing SA payload. message ID = -1599248551
Oct 22 22:09:54.980: ISAKMP (0:1): Checking IPSec proposal 1
Oct 22 22:09:54.980: ISAKMP: transform 1, ESP_3DES
Oct 22 22:09:54.980: ISAKMP:   attributes in transform:
Oct 22 22:09:54.980: ISAKMP:      encaps is 1
Oct 22 22:09:54.980: ISAKMP:      SA life type in seconds
Oct 22 22:09:54.980: ISAKMP:      SA life duration (basic) of 3600
Oct 22 22:09:54.980: ISAKMP:      SA life type in kilobytes
Oct 22 22:09:54.980: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Oct 22 22:09:54.980: ISAKMP:      authenticator is HMAC-MD5
Oct 22 22:09:54.984: ISAKMP (0:1): atts are acceptable.
Oct 22 22:09:54.984: ISAKMP (0:1): processing NONCE payload. message ID = -1599248551
Oct 22 22:09:54.984: ISAKMP (0:1): processing ID payload. message ID = -1599248551
Oct 22 22:09:54.984: ISAKMP (0:1): processing ID payload. message ID = -1599248551
Oct 22 22:09:54.992: ISAKMP (0:1): Creating IPSec SAs
Oct 22 22:09:54.992:         inbound SA from 136.7.122.2 to 136.7.121.1 (f/i)  0/ 0
(proxy 150.1.2.0 to 150.1.1.0)
Oct 22 22:09:54.992:         has spi 0xE2D71338 and conn_id 2000 and flags 2
Oct 22 22:09:54.992:         lifetime of 3600 seconds
Oct 22 22:09:54.992:         lifetime of 4608000 kilobytes
Oct 22 22:09:54.992:         has client flags 0x0
Oct 22 22:09:54.992:         outbound SA from 136.7.121.1     to 136.7.122.2     (f/i)  0/ 0 (proxy 150.1.1.0       to 150.1.2.0      )
Oct 22 22:09:54.992:         has spi 771123710 and conn_id 2001 and flags A
Oct 22 22:09:54.992:         lifetime of 3600 seconds
Oct 22 22:09:54.992:         lifetime of 4608000 kilobytes
Oct 22 22:09:54.992:         has client flags 0x0
Oct 22 22:09:54.996: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:09:54.996: ISAKMP (0:1): deleting node -1599248551 error FALSE reason ""
Oct 22 22:09:54.996: ISAKMP (0:1): Node -1599248551, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 22 22:09:54.996: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETEping 150.1.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
r1#</code></pre>
<p>So after a really long debug output we can see that the pings worked.  Let&#8217;s make sure they are actually being encrypted:</p>
<pre><code>r1#sh cry isa sa
dst             src             state          conn-id slot
136.7.122.2     136.7.121.1     QM_IDLE              1    0

r1#sh cry ipsec sa

interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 136.7.121.1

protected vrf:
local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0)
current_peer: 136.7.122.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 136.7.121.1, remote crypto endpt.: 136.7.122.2
path mtu 1500, media mtu 1500
current outbound spi: 2DF669FE

inbound esp sas:
spi: 0xE2D71338(3805745976)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4586184/3510)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x2DF669FE(771123710)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4586184/3510)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

r1#</code></pre>
<p>We have both an ISAKMP SA and an IPsec SA.  The IPsec SA shows that we have packets flowing.  Let&#8217;s filter the output a bit and ping again:</p>
<pre><code>r1#sh cry ipsec sa | in pkts encaps
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
r1#ping 150.1.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r1#sh cry ipsec sa | in pkts encaps
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
r1#
</code></pre>
<p>Perfect!  Before we had 9 packets; after the ping we have 14.  The numbers add up.  Now for good measure I want to establish the tunnel from the outside interface of the ASA by pinging from R2:</p>
<p>First I&#8217;ll kill the SA:</p>
<pre><code>r2#sh cry isa sa
dst             src             state          conn-id slot
136.7.122.2     136.7.121.1     QM_IDLE              1    0

r2#clear cry isakmp 1
r2#sh cry isa sa
dst             src             state          conn-id slot
136.7.122.2     136.7.121.1     MM_NO_STATE          1    0 (deleted)</code></pre>
<p>Then I&#8217;ll turn debug on for R2:</p>
<pre><code>r2#debug cry isa sa</code></pre>
<p>Then I generate the ping:</p>
<pre><code>r2#ping 150.1.1.1 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2

Oct 22 22:17:30.687: ISAKMP: received ke message (1/1)
Oct 22 22:17:30.687: ISAKMP (0:0): SA request profile is (NULL)
Oct 22 22:17:30.687: ISAKMP: local port 500, remote port 500
Oct 22 22:17:30.691: ISAKMP: set new node 0 to QM_IDLE
Oct 22 22:17:30.691: ISAKMP: insert sa successfully sa = 835EF214
Oct 22 22:17:30.691: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Oct 22 22:17:30.691: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:30.691: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:30.691: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Oct 22 22:17:30.691: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Oct 22 22:17:30.695: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 22:17:30.695: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

Oct 22 22:17:30.695: ISAKMP (0:1): beginning Main Mode exchange
Oct 22 22:17:30.695: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 22:17:30.868: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 22:17:30.872: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:30.872: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

Oct 22 22:17:30.872: ISAKMP (0:1): processing SA payload. message ID = 0
Oct 22 22:17:30.872: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:30.872: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:17:30.876: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:17:30.876: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:30.876: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:30.876: ISAKMP (0:1) local preshared key found
Oct 22 22:17:30.876: ISAKMP : Scanning profiles for xauth.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/8/8 ms
r2# ...
Oct 22 22:17:30.876: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Oct 22 22:17:30.876: ISAKMP:      encryption 3DES-CBC
Oct 22 22:17:30.876: ISAKMP:      hash MD5
Oct 22 22:17:30.876: ISAKMP:      default group 1
Oct 22 22:17:30.876: ISAKMP:      auth pre-share
Oct 22 22:17:30.876: ISAKMP:      life type in seconds
Oct 22 22:17:30.876: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 22 22:17:30.880: ISAKMP (0:1): atts are acceptable. Next payload is 0
Oct 22 22:17:31.040: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.040: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:17:31.040: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:17:31.040: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.040: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

Oct 22 22:17:31.044: ISAKMP (0:1): constructed HIS NAT-D
Oct 22 22:17:31.044: ISAKMP (0:1): constructed MINE NAT-D
Oct 22 22:17:31.044: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 22:17:31.048: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.048: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

Oct 22 22:17:31.264: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 22:17:31.264: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:31.264: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

Oct 22 22:17:31.268: ISAKMP (0:1): processing KE payload. message ID = 0
Oct 22 22:17:31.469: ISAKMP (0:1): processing NONCE payload. message ID = 0
Oct 22 22:17:31.469: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:31.469: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:31.469: ISAKMP (0:1): SKEYID state generated
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): vendor ID is Unity
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): vendor ID is DPD
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): speaking to another IOS box!
Oct 22 22:17:31.473: ISAKMP:received payload type 17
Oct 22 22:17:31.473: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:17:31.473: ISAKMP (0:1): NAT match MINE hash
Oct 22 22:17:31.477: ISAKMP:received payload type 17
Oct 22 22:17:31.477: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:17:31.477: ISAKMP (0:1): NAT match HIS hash
Oct 22 22:17:31.477: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.477: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

Oct 22 22:17:31.493: ISAKMP (0:1): Send initial contact
Oct 22 22:17:31.493: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 22:17:31.493: ISAKMP (1): ID payload
next-payload : 8
type         : 1
addr         : 136.7.122.2
protocol     : 17
port         : 500
length       : 8
Oct 22 22:17:31.493: ISAKMP (1): Total payload length: 12
Oct 22 22:17:31.497: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 22:17:31.497: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.497: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

Oct 22 22:17:31.509: ISAKMP (0:0): received packet from 136.7.121.1 dport 500 sport 500 Global (N) NEW SA
Oct 22 22:17:31.509: %CRYPTO-4-IKMP_NO_SA: IKE message from 136.7.121.1     has no SA and is not an initialization offer
Oct 22 22:17:31.509: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 22:17:31.513: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:31.513: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6

Oct 22 22:17:31.513: ISAKMP (0:1): processing ID payload. message ID = 0
Oct 22 22:17:31.513: ISAKMP (0:1): processing HASH payload. message ID = 0
Oct 22 22:17:31.517: ISAKMP (0:1): SA has been authenticated with 136.7.121.1
Oct 22 22:17:31.517: ISAKMP (0:1): peer matches *none* of the profiles
Oct 22 22:17:31.517: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.517: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6

Oct 22 22:17:31.517: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.521: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Oct 22 22:17:31.521: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -308265645
Oct 22 22:17:31.525: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:17:31.525: ISAKMP (0:1): Node -308265645, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 22 22:17:31.525: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Oct 22 22:17:31.529: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 22 22:17:31.529: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Oct 22 22:17:31.789: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) QM_IDLE
Oct 22 22:17:31.793: ISAKMP (0:1): processing HASH payload. message ID = -308265645
Oct 22 22:17:31.793: ISAKMP (0:1): processing SA payload. message ID = -308265645
Oct 22 22:17:31.793: ISAKMP (0:1): Checking IPSec proposal 1
Oct 22 22:17:31.793: ISAKMP: transform 1, ESP_3DES
Oct 22 22:17:31.793: ISAKMP:   attributes in transform:
Oct 22 22:17:31.793: ISAKMP:      encaps is 1
Oct 22 22:17:31.793: ISAKMP:      SA life type in seconds
Oct 22 22:17:31.797: ISAKMP:      SA life duration (basic) of 3600
Oct 22 22:17:31.797: ISAKMP:      SA life type in kilobytes
Oct 22 22:17:31.797: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Oct 22 22:17:31.797: ISAKMP:      authenticator is HMAC-MD5
Oct 22 22:17:31.797: ISAKMP (0:1): atts are acceptable.
Oct 22 22:17:31.797: ISAKMP (0:1): processing NONCE payload. message ID = -308265645
Oct 22 22:17:31.797: ISAKMP (0:1): processing ID payload. message ID = -308265645
Oct 22 22:17:31.801: ISAKMP (0:1): processing ID payload. message ID = -308265645
Oct 22 22:17:31.805: ISAKMP (0:1): Creating IPSec SAs
Oct 22 22:17:31.805:         inbound SA from 136.7.121.1 to 136.7.122.2 (f/i)  0/ 0
(proxy 150.1.1.0 to 150.1.2.0)
Oct 22 22:17:31.805:         has spi 0xF684B57D and conn_id 2000 and flags 2
Oct 22 22:17:31.805:         lifetime of 3600 seconds
Oct 22 22:17:31.805:         lifetime of 4608000 kilobytes
Oct 22 22:17:31.805:         has client flags 0x0
Oct 22 22:17:31.805:         outbound SA from 136.7.122.2     to 136.7.121.1     (f/i)  0/ 0 (proxy 150.1.2.0       to 150.1.1.0      )
Oct 22 22:17:31.809:         has spi -1711058480 and conn_id 2001 and flags A
Oct 22 22:17:31.809:         lifetime of 3600 seconds
Oct 22 22:17:31.809:         lifetime of 4608000 kilobytes
Oct 22 22:17:31.809:         has client flags 0x0
Oct 22 22:17:31.809: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:17:31.809: ISAKMP (0:1): deleting node -308265645 error FALSE reason ""
Oct 22 22:17:31.809: ISAKMP (0:1): Node -308265645, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 22 22:17:31.813: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
r2#ping 150.1.1.1 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r2#</code></pre>
<p>And again after a very long output we see a success.</p>
<p>Here are my ending configs:</p>
<p><a href="http://globalconfig.net/wp-content/uploads/2008/10/final-configs.zip">final-configs</a></p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/10/22/studies-in-vpn-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Studies in VPN: Part 1</title>
		<link>http://www.globalconfig.net/2008/10/22/studies-in-vpn-notes-for-my-ccie-study/</link>
		<comments>http://www.globalconfig.net/2008/10/22/studies-in-vpn-notes-for-my-ccie-study/#comments</comments>
		<pubDate>Wed, 22 Oct 2008 17:31:58 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IPExpert Labs]]></category>
		<category><![CDATA[Studies In VPN]]></category>

		<guid isPermaLink="false">http://globalconfig.net/?p=437</guid>
		<description><![CDATA[DISCLAIMER*** The first note I want to make regarding the VPN topics that I will be blogging is that these are actually my personal notes from Internetwork Experts Volume 1 and 2 Lab Guide and the IPexpert Security Lab Workbook. There are a few topologies that I will be exploring, and I don't [...]]]></description>
			<content:encoded><![CDATA[<p>DISCLAIMER***</p>
<p>The first note I want to make regarding the VPN topics that I will be blogging is that these are actually my personal notes from Internetwork Experts Volume 1 and 2 Lab Guide and the IPexpert Security Lab Workbook.  There are a few topologies that I will be exploring, and I don't plan on taking you through each step of the Lab guide; rather, I will be making notes on the tangents I take.  If you want to do their labs, don't rely on these posts; go buy their workbooks.  It's worth every penny.</p>
<p><strong>Site-to-Site between routers with a PIX in the middle</strong></p>
<p><em>The First VPN configuration is based on one of the IPexpert Security Workbook Labs.  It requires that I configure a VPN between two routers, with the VPN traffic passing through a PIX.</em></p>
<p><em>The first step was to load the default configs.  There were no default configs for the switches, so I had to create them on the fly.  You can find the initial configurations here:</em></p>
<p>Switch1<br />
Switch2<br />
R1<br />
R2<br />
R4<br />
R5<br />
PIX</p>
<p>The next step was to statically map R5 and make sure that IPSec traffic could pass through the PIX:</p>
<span id="more-437"></span>
<p><code>pixfirewall(config)# sh run static</code></p>
<p>static (inside,outside) 192.1.24.5 10.5.5.5 netmask 255.255.255.255</p>
<p>pixfirewall(config)# sh access-l</p>
<p>access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)</p>
<p>alert-interval 300</p>
<p>access-list OUTSIDE_IN; 3 elements</p>
<p>access-list OUTSIDE_IN line 1 extended permit esp host 192.1.24.2 host 192.1.24.5 (hitcnt=0) 0xcadcd23c</p>
<p>access-list OUTSIDE_IN line 2 extended permit udp host 192.1.24.2 host 192.1.24.5 eq isakmp (hitcnt=0) 0xcaafeac6</p>
<p>access-list OUTSIDE_IN line 3 extended permit udp host 192.1.24.2 host 192.1.24.5 eq 4500 (hitcnt=0) 0xd5b0a424</p>
<p>Next I configured r5 policies:</p>
<p><code>R5#conf t<br />
Enter configuration commands, one per line.  End with CNTL/Z.<br />
R5(config)#cry isa pol 10<br />
R5(config-isakmp)#authen pre<br />
R5(config-isakmp)#do sh cry isa pol</code></p>
<p>Global IKE policy<br />
Protection suite of priority 10<br />
encryption algorithm:    DES &#8211; Data Encryption Standard (56 bit keys).<br />
hash algorithm:        Secure Hash Standard<br />
authentication method:    Pre-Shared Key<br />
Diffie-Hellman group:    #1 (768 bit)<br />
lifetime:        86400 seconds, no volume limit<br />
Default protection suite<br />
encryption algorithm:    DES &#8211; Data Encryption Standard (56 bit keys).<br />
hash algorithm:        Secure Hash Standard<br />
authentication method:    Rivest-Shamir-Adleman Signature<br />
Diffie-Hellman group:    #1 (768 bit)<br />
lifetime:        86400 seconds, no volume limit<br />
R5(config-isakmp)#g 2<br />
R5(config-isakmp)#cry isa key 0 ccie address 192.1.24.2<br />
R5(config)#cry ipsec trans ESP_DES_MD5 esp<br />
R5(config)#cry ipsec trans ESP_DES_MD5 esp-d<br />
R5(config)#cry ipsec trans ESP_DES_MD5 esp-des es<br />
R5(config)#cry ipsec trans ESP_DES_MD5 esp-des esp-m<br />
R5(config)#cry ipsec trans ESP_DES_MD5 esp-des esp-md5-hmac<br />
R5(cfg-crypto-trans)#exit<br />
R5(config)#ip access-l ext r5-to-r2<br />
R5(config-ext-nacl)#permit ip 5.0.0.0 0.255.255.255 2.0.0.0 0.255.255.255<br />
R5(config-ext-nacl)#exit<br />
R5(config)#cry map VPN 10 ip<br />
R5(config)#cry map VPN 10 ipsec-i<br />
R5(config)#cry map VPN 10 ipsec-isakmp</p>
<p>% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.<br />
R5(config-crypto-map)#match add r5-to-r2<br />
R5(config-crypto-map)#set peer 192.1.24.2<br />
R5(config-crypto-map)#set trans ESP_DES_MD5<br />
R5(config-crypto-map)#exit<br />
R5(config-if)#cry map VPN<br />
R5(config-if)#<br />
*Oct 22 06:58:27.679: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON<br />
R5(config-if)#</p>
<p>and then r2 policies:</p>
<p>R2#conf t<br />
Enter configuration commands, one per line.  End with CNTL/Z.<br />
R2(config)#cry isa pol 10<br />
R2(config-isakmp)#authen pre<br />
R2(config-isakmp)#do sh cry isa pol</p>
<p>Global IKE policy<br />
Protection suite of priority 10<br />
encryption algorithm:    DES &#8211; Data Encryption Standard (56 bit keys).<br />
hash algorithm:        Secure Hash Standard<br />
authentication method:    Pre-Shared Key<br />
Diffie-Hellman group:    #1 (768 bit)<br />
lifetime:        86400 seconds, no volume limit<br />
Default protection suite<br />
encryption algorithm:    DES &#8211; Data Encryption Standard (56 bit keys).<br />
hash algorithm:        Secure Hash Standard<br />
authentication method:    Rivest-Shamir-Adleman Signature<br />
Diffie-Hellman group:    #1 (768 bit)<br />
lifetime:        86400 seconds, no volume limit<br />
R2(config-isakmp)#g 2<br />
R2(config-isakmp)#cry isa key<br />
R2(config-isakmp)#cry isa key ?<br />
% Unrecognized command<br />
R2(config-isakmp)#exit<br />
R2(config)#cry isa key ?<br />
0  Specifies an UNENCRYPTED password will follow<br />
6  Specifies an ENCRYPTED password will follow</p>
<p>R2(config)#cry isa key 0 ?<br />
WORD  The UNENCRYPTED (cleartext) user password</p>
<p>R2(config)#cry isa key 0 ccie ?<br />
address   define shared key with IP address<br />
hostname  define shared key with hostname</p>
<p>R2(config)#cry isa key 0 ccie add<br />
R2(config)#cry isa key 0 ccie address 192.1.24.5 ?<br />
A.B.C.D   Peer IP subnet mask<br />
no-xauth  Bypasses XAuth for this peer</p>
<p>R2(config)#cry isa key 0 ccie address 192.1.24.5<br />
R2(config)#cry ipsec trans ESP_DES_MD5 esp<br />
R2(config)#cry ipsec trans ESP_DES_MD5 esp-d<br />
R2(config)#cry ipsec trans ESP_DES_MD5 esp-des es<br />
R2(config)#cry ipsec trans ESP_DES_MD5 esp-des esp-m<br />
R2(config)#cry ipsec trans ESP_DES_MD5 esp-des esp-md5-hmac<br />
R2(cfg-crypto-trans)#exit<br />
R2(config)#ip access-l ext r2-to-r5<br />
R2(config-ext-nacl)#permit ip 2.0.0.0 0.255.255.255 5.0.0.0 0.255.255.255<br />
R2(config-ext-nacl)#exit<br />
R2(config)#cry map VPN 10 ipsec-isa<br />
% NOTE: This new crypto map will remain disabled until a peer<br />
and a valid access list have been configured.<br />
R2(config-crypto-map)#match add r2-to-r5<br />
R2(config-crypto-map)#set trans ESP_DES_MD5<br />
R2(config-crypto-map)#set peer 192.1.24.5<br />
R2(config-crypto-map)#exit<br />
R2(config)#int f1/0<br />
R2(config-if)#cry map VPN<br />
R2(config-if)#<br />
*Oct 22 06:32:46.903: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON<br />
R2(config-if)#<br />
R2(config-if)#end<br />
R2#<br />
*Oct 22 06:32:55.251: %SYS-5-CONFIG_I: Configured from console by console<br />
R2#</p>
<p>A show crypto map on either side to verify:</p>
<p>R5(config-if)#do sh cry map<br />
Crypto Map &#8220;VPN&#8221; 10 ipsec-isakmp<br />
Peer = 192.1.24.2<br />
Extended IP access list r5-to-r2<br />
access-list r5-to-r2 permit ip 5.0.0.0 0.255.255.255 2.0.0.0 0.255.255.255<br />
Current peer: 192.1.24.2<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
PFS (Y/N): N<br />
Transform sets={<br />
ESP_DES_MD5,<br />
}<br />
Interfaces using crypto map VPN:<br />
FastEthernet0/0</p>
<p>R5(config-if)#</p>
<p>R2#sh cry map<br />
Crypto Map &#8220;VPN&#8221; 10 ipsec-isakmp<br />
Peer = 192.1.24.5<br />
Extended IP access list r2-to-r5<br />
access-list r2-to-r5 permit ip 2.0.0.0 0.255.255.255 5.0.0.0 0.255.255.255<br />
Current peer: 192.1.24.5<br />
Security association lifetime: 4608000 kilobytes/3600 seconds<br />
PFS (Y/N): N<br />
Transform sets={<br />
ESP_DES_MD5,<br />
}<br />
Interfaces using crypto map VPN:<br />
FastEthernet1/0</p>
<p>R2#</p>
<p>So far so good. Next step is to generate traffic from one side and see if the tunnel establishes.  To test this I will enable debugs on r5, then ping from r2:</p>
<p>R5#debug cry isakmp<br />
Crypto ISAKMP debugging is on<br />
R5#</p>
<p>R2#ping 5.5.5.5 source l0</p>
<p>The first few attempts didn't work and didn't generate any debugs on r5.  I decided to try in the opposite direction.  That caused some debugs, and I noticed that R5 was not being translated.  After looking at the PIX I realized it had a bad static.  R5 is actually on the DMZ5, not the inside.  I corrected that:</p>
<p>static (DMZ5,outside) 192.1.24.5 10.5.5.5 netmask 255.255.255.255</p>
<p>Still the connection didn't work.  I came across a document on CCO that talked about using the no-xauth option on the end of the pre-shared key.  The document said that you needed no-xauth if you had both L2L and Remote-Access on the same interface.  In this case I don't, and at this point I don't really know how to differentiate like you do on the ASA with the tunnel-group type ipsec-l2l command.  After adding the no-xauth, the tunnel does in fact establish:</p>
<p>R2#ping 5.5.5.5 source l0</p>
<p>Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:<br />
Packet sent with a source address of 2.2.2.2<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms<br />
R2#sh cry isa sa<br />
dst             src             state          conn-id slot status<br />
192.1.24.5      192.1.24.2      QM_IDLE              2    0 ACTIVE</p>
<p>R2#sh cry ipsec sa</p>
<p>interface: FastEthernet1/0<br />
Crypto map tag: VPN, local addr 192.1.24.2</p>
<p>protected vrf: (none)<br />
local  ident (addr/mask/prot/port): (2.0.0.0/255.0.0.0/0/0)<br />
remote ident (addr/mask/prot/port): (5.0.0.0/255.0.0.0/0/0)<br />
current_peer 192.1.24.5 port 4500<br />
PERMIT, flags={origin_is_acl,}<br />
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14<br />
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14<br />
#pkts compressed: 0, #pkts decompressed: 0<br />
#pkts not compressed: 0, #pkts compr. failed: 0<br />
#pkts not decompressed: 0, #pkts decompress failed: 0<br />
#send errors 1, #recv errors 0</p>
<p>local crypto endpt.: 192.1.24.2, remote crypto endpt.: 192.1.24.5<br />
path mtu 1500, ip mtu 1500<br />
current outbound spi: 0x2C03C7BB(738445243)</p>
<p>inbound esp sas:<br />
spi: 0x3E761120(1047925024)<br />
transform: esp-des esp-md5-hmac ,<br />
in use settings ={Tunnel UDP-Encaps, }<br />
conn id: 3002, flow_id: Onboard VPN:2, crypto map: VPN<br />
sa timing: remaining key lifetime (k/sec): (4580398/3209)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE</p>
<p>inbound ah sas:</p>
<p>inbound pcp sas:</p>
<p>outbound esp sas:<br />
spi: 0x2C03C7BB(738445243)<br />
transform: esp-des esp-md5-hmac ,<br />
in use settings ={Tunnel UDP-Encaps, }<br />
conn id: 3001, flow_id: Onboard VPN:1, crypto map: VPN<br />
sa timing: remaining key lifetime (k/sec): (4580398/3207)<br />
IV size: 8 bytes<br />
replay detection support: Y<br />
Status: ACTIVE</p>
<p>outbound ah sas:</p>
<p>outbound pcp sas:<br />
R2#</p>
<p><strong>Same topology, same config, with the exception of using ISAKMP profiles</strong></p>
<p>I decided to spice things up a bit.  I removed the crypto map from the interfaces and decided to try isakmp profiles.  I know I am not strong at these.  The plan is that rather</p>
<p>So the next set of VPN &#8220;stuff&#8221; will be VPN between a Cisco Router and an ASA.  This should be interesting.  Let's start with Pre-shared keys.</p>
<p>First things first, I used this document as a guide for configuring the profiles.  There are probably some better ones out there, but I just wanted a reference.</p>
<p>In creating the profile you are presented with a message telling you that the profile is not valid until you have &#8220;match identity&#8221; statements.  I figured this meant that I had to determine how to match a peer's identity in order to find a key for them.</p>
<p>I created the following profiles on r2 as well as keyrings.  Notice how the profile points to the keyring:</p>
<p>crypto keyring vpnkeys<br />
pre-shared-key address 0.0.0.0 0.0.0.0 key ccie</p>
<p>crypto isakmp profile vpn<br />
keyring vpnkeys<br />
self-identity address<br />
match identity address 192.1.24.5 255.255.255.255</p>
<p>and on r5:</p>
<p>crypto keyring vpnkeys<br />
pre-shared-key address 0.0.0.0 0.0.0.0 key ccie<br />
!<br />
crypto isakmp policy 10<br />
authentication pre-share<br />
group 2<br />
crypto isakmp profile vpn<br />
keyring vpnkeys<br />
self-identity address<br />
match identity address 192.1.24.2 255.255.255.255</p>
<p>The reason I used a 0.0.0.0 0.0.0.0 value in the keyring is because I defined it in the profile.  In other words, I am saying that you can use this profile if you are 192.1.x.x, and if you are, you can go ahead and use this keyring, which doesn't care what your IP address is.  To verify that this is how it should be done I will change the pre-shared-key address and test again.</p>
<p>In the meantime here is the debug that shows the pre-shared-key matching:</p>
<p>R2#ping 5.5.5.5 source l0</p>
<p>Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:<br />
Packet sent with a source address of 2.2.2.2</p>
<p>*Oct 22 07:20:00.831: ISAKMP: received ke message (1/1)<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)<br />
*Oct 22 07:20:00.831: ISAKMP: Created a peer struct for 192.1.24.5, peer port 500<br />
*Oct 22 07:20:00.831: ISAKMP: New peer created peer = 0x67805288 peer_handle = 0x8000000F<br />
*Oct 22 07:20:00.831: ISAKMP: Locking peer struct 0x67805288, IKE refcount 1 for isakmp_initiator<br />
*Oct 22 07:20:00.831: ISAKMP: local port 500, remote port 500<br />
*Oct 22 07:20:00.831: ISAKMP: set new node 0 to QM_IDLE<br />
*Oct 22 07:20:00.831: insert sa successfully sa = 660AA5DC<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in default<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in vpnkeys<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0): : success<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.1.24.5<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM<br />
*Oct 22 07:20:00.831: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1</p>
<p>&lt;&lt;&lt; I'll spare you the output on the rest of the debug for now. &gt;&gt;&gt;</p>
<p>R2#<br />
R2#ping 5.5.5.5 source l0</p>
<p>Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:<br />
Packet sent with a source address of 2.2.2.2<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms</p>
<p>Alas it works.  Now to change the pre-shared-key to an ip address instead of all zeros.  Here is the before:</p>
<p>crypto keyring vpnkeys<br />
pre-shared-key address 0.0.0.0 0.0.0.0 key ccie</p>
<p>and here is the after on r2:</p>
<p>crypto keyring vpnkeys<br />
pre-shared-key address 192.1.24.2 key ccie</p>
<p>and r5:</p>
<p>crypto keyring vpnkeys<br />
pre-shared-key address 192.1.24.5 key ccie</p>
<p>and survey says&#8230; Success!</p>
<p>In looking at the debugs we can see</p>
<p>R2#ping 5.5.5.5 source l0</p>
<p>Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:<br />
Packet sent with a source address of 2.2.2.2</p>
<p>*Oct 22 07:36:06.211: ISAKMP: received ke message (1/1)<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)<br />
*Oct 22 07:36:06.211: ISAKMP: Created a peer struct for 192.1.24.5, peer port 500<br />
*Oct 22 07:36:06.211: ISAKMP: New peer created peer = 0x67805288 peer_handle = 0x80000010<br />
*Oct 22 07:36:06.211: ISAKMP: Locking peer struct 0x67805288, IKE refcount 1 for isakmp_initiator<br />
*Oct 22 07:36:06.211: ISAKMP: local port 500, remote port 500<br />
*Oct 22 07:36:06.211: ISAKMP: set new node 0 to QM_IDLE<br />
*Oct 22 07:36:06.211: insert sa successfully sa = 660AA5DC<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in default<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in vpnkeys<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0): : success<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.1.24.5<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM<br />
*Oct 22 07:36:06.211: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1</p>
<p>&lt;&lt;&lt;&lt; Again, I'll spare you the rest of the output. &gt;&gt;&gt;&gt;<br />
R2#<br />
R2#ping 5.5.5.5 source l0</p>
<p>Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:<br />
Packet sent with a source address of 2.2.2.2<br />
!!!!!<br />
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms<br />
R2#<br />
*Oct 22 07:36:56.379: ISAKMP:(0:1:SW:1):purging node 570215642<br />
R2#</p>
<p>So I suppose I would assume that at this point you can use a pre-shared-key of all zeros if you are going to have multiple peers using the same key, or you can specify the address that the key ties to.  If I am wrong on this please let me know.</p>
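<p>To make the keyring behaviour described above concrete, here is an added example (not from the post and not Cisco code) that models the address lookup the debug lines show: the keyrings are searched in order, and the first <code>pre-shared-key address</code> entry whose address/mask covers the peer wins. A <code>0.0.0.0 0.0.0.0</code> entry masks every bit away and so matches any peer, which is why it only makes sense together with the profile's <code>match identity address</code> restriction; an entry typed without a mask gets IOS's default host mask and matches one peer only. Entries of the <code>pre-shared-key hostname</code> form carry no address and are skipped by an address lookup, which reproduces the <code>No pre-shared key with 192.1.24.5!</code> line seen later in the post. The class and function names (<code>PskEntry</code>, <code>Keyring</code>, <code>lookup_psk_by_address</code>) and the empty <code>default</code> keyring are assumptions of this example.</p>

```python
"""Model of the per-address pre-shared-key lookup an IOS IKEv1 initiator
performs before main mode starts.  Added illustration for this post; it is
not Cisco's implementation, only the selection rule the debug output shows.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PskEntry:
    """One pre-shared-key line of a crypto keyring.

    address form:  pre-shared-key address A.B.C.D [MASK] key KEY
    hostname form: pre-shared-key hostname FQDN key KEY
    """
    key: str
    address: Optional[str] = None
    mask: str = "255.255.255.255"   # IOS default when no mask is typed
    hostname: Optional[str] = None

    def matches_address(self, peer: str) -> bool:
        # A hostname entry has no address to compare, so an address lookup
        # (what the initiator does before the peer's ID is known) skips it.
        if self.address is None:
            return False
        peer_i = int(ipaddress.IPv4Address(peer))
        addr_i = int(ipaddress.IPv4Address(self.address))
        mask_i = int(ipaddress.IPv4Address(self.mask))
        # With mask 0.0.0.0 both sides reduce to 0, so any peer matches.
        return (peer_i & mask_i) == (addr_i & mask_i)


@dataclass
class Keyring:
    name: str
    entries: List[PskEntry]


def lookup_psk_by_address(keyrings: List[Keyring], peer: str) -> Optional[str]:
    """Search the keyrings in the given order (the debug shows 'default'
    first, then 'vpnkeys') and return the first matching key, else None."""
    for ring in keyrings:
        for entry in ring.entries:
            if entry.matches_address(peer):
                return entry.key
    return None


# Constructed keyrings mirroring the three variants tried in the post.
DEFAULT = Keyring("default", [])   # assumed empty: no global isakmp keys left
WILDCARD = Keyring("vpnkeys", [PskEntry(key="ccie", address="0.0.0.0", mask="0.0.0.0")])
SPECIFIC = Keyring("vpnkeys", [PskEntry(key="ccie", address="192.1.24.5")])
HOSTNAME_ONLY = Keyring("vpnkeys", [PskEntry(key="ccie", hostname="r5.cisco.com")])

if __name__ == "__main__":
    for label, ring in (("wildcard", WILDCARD), ("specific", SPECIFIC),
                        ("hostname only", HOSTNAME_ONLY)):
        print(f"{label:14s} peer 192.1.24.5 ->", lookup_psk_by_address([DEFAULT, ring], "192.1.24.5"))
        print(f"{label:14s} peer 192.1.24.9 ->", lookup_psk_by_address([DEFAULT, ring], "192.1.24.9"))
```

<p>Run it as a script to see that the wildcard ring hands the same key to every peer, the specific ring only to 192.1.24.5, and the hostname-only ring to nobody when the lookup is by address.</p>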
<p>Next I thought I would try to get rid of IP addresses altogether and use the hostname as the identity.  Here is what I did:</p>
<p>First I modified the isakmp profile to use the hostname for self-identity.  This should cause the router to send its hostname instead of its IP address.</p>
<p>Then I changed the match-identity command to refer to hostnames.</p>
<p>Finally I changed the pre-shared-key to reflect the hostname rather than the address.</p>
<p>Here is what it looked like on r2:</p>
<p>crypto keyring vpnkeys<br />
pre-shared-key hostname r5.cisco.com key ccie<br />
!<br />
crypto isakmp policy 10<br />
authentication pre-share<br />
group 2<br />
crypto isakmp profile vpn<br />
keyring vpnkeys<br />
self-identity fqdn<br />
match identity host r5.cisco.com</p>
<p>and r5:</p>
<p>crypto keyring vpnkeys<br />
pre-shared-key hostname r2.cisco.com key ccie<br />
!<br />
crypto isakmp policy 10<br />
authentication pre-share<br />
group 2<br />
crypto isakmp profile vpn<br />
keyring vpnkeys<br />
self-identity fqdn<br />
match identity host r2.cisco.com</p>
<p>I also set the domain-name to cisco.com:</p>
<p>R2(config)#ip domain-name cisco.com<br />
R5(config)#ip domain-name cisco.com</p>
<p>Finally, I changed the hostname to lowercase since I screwed up when I created the match command.</p>
<p>R2(config)#host r2<br />
r2(config)#</p>
<p>R5(config)#host r5<br />
r5(config)#</p>
<p>I also created host entries so that r2 was resolved to 192.1.24.2 and r5 was resolved to 192.1.24.5.</p>
<p>After initiating the connection from r2 it fails.  I see the following debug output on r2 and nothing at all on r5:</p>
<p>r2#ping 5.5.5.5 source l0</p>
<p>Type escape sequence to abort.<br />
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:<br />
Packet sent with a source address of 2.2.2.2</p>
<p>*Oct 22 07:57:24.187: ISAKMP: received ke message (1/1)<br />
*Oct 22 07:57:24.187: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)<br />
*Oct 22 07:57:24.187: ISAKMP: Created a peer struct for 192.1.24.5, peer port 500<br />
*Oct 22 07:57:24.187: ISAKMP: New peer created peer = 0x6609FD58 peer_handle = 0x80000013<br />
*Oct 22 07:57:24.187: ISAKMP: Locking peer struct 0x6609FD58, IKE refcount 1 for isakmp_initiator<br />
*Oct 22 07:57:24.191: ISAKMP: local port 500, remote port 500<br />
*Oct 22 07:57:24.191: ISAKMP: set new node 0 to QM_IDLE<br />
*Oct 22 07:57:24.191: insert sa successfully sa = 660AA5DC<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in default<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in vpnkeys<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0):No pre-shared key with 192.1.24.5!<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0): No Cert or pre-shared address key.<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0): construct_initial_message: Can not start Main mode<br />
*Oct 22 07:57:24.191: ISAKMP: Unlocking IKE struct 0x6609FD58 for isadb_unlock_peer_delete_sa(), count 0<br />
*Oct 22 07:57:24.191: ISAKMP: Deleting peer node by peer_reap for 192.1.24.5: 6609FD58<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0):purging SA., sa=660AA5DC, delme=660AA5DC<br />
*Oct 22 07:57:24.191: ISAKMP:(0:0:N/A:0):purging node 544759869.....<br />
Success rate is 0 percent (0/5)<br />
r2#<br />
*Oct 22 07:57:54.187: ISAKMP: received ke message (1/1)<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)<br />
*Oct 22 07:57:54.187: ISAKMP: Created a peer struct for 192.1.24.5, peer port 500<br />
*Oct 22 07:57:54.187: ISAKMP: New peer created peer = 0x6609FD58 peer_handle = 0x80000014<br />
*Oct 22 07:57:54.187: ISAKMP: Locking peer struct 0x6609FD58, IKE refcount 1 for isakmp_initiator<br />
*Oct 22 07:57:54.187: ISAKMP: local port 500, remote port 500<br />
*Oct 22 07:57:54.187: ISAKMP: set new node 0 to QM_IDLE<br />
*Oct 22 07:57:54.187: insert sa successfully sa = 660AA5DC<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in default<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in vpnkeys<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0):No pre-shared key with 192.1.24.5!<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0): No Cert o<br />
r2#r pre-shared address key.<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0): construct_initial_message: Can not start Main mode<br />
*Oct 22 07:57:54.187: ISAKMP: Unlocking IKE struct 0x6609FD58 for isadb_unlock_peer_delete_sa(), count 0<br />
*Oct 22 07:57:54.187: ISAKMP: Deleting peer node by peer_reap for 192.1.24.5: 6609FD58<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0):purging SA., sa=660AA5DC, delme=660AA5DC<br />
*Oct 22 07:57:54.187: ISAKMP:(0:0:N/A:0):purging node -1887375418<br />
r2#<br />
*Oct 22 07:58:24.187: ISAKMP: received ke message (3/1)<br />
*Oct 22 07:58:24.187: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.1.24.2 dst 192.1.24.5 for SPI 0x0<br />
r2#</p>
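<p>All three debug traces in this post, the two successful ones and the failing one, look the key up by the peer's address (<code>Looking for a matching key for 192.1.24.5 in vpnkeys</code>) whatever form the keyring entry takes. That is inherent to IKEv1 main mode with pre-shared keys: the ID payloads are only sent, encrypted, in the fifth and sixth messages, and the keys protecting them are derived from the pre-shared key, so both sides have to pick the key from the peer's IP address before any hostname is seen. A keyring holding only a <code>pre-shared-key hostname</code> entry therefore yields nothing by address, which is the <code>No pre-shared key with 192.1.24.5!</code> line followed by <code>Can not start Main mode</code>. The parser below is an added example, not from the post and not Cisco code: it pulls the keyring search, the key result, the state transitions and any initiator abort out of <code>debug crypto isakmp</code> lines, so the same check can be run over a captured log instead of reading it by eye. The two traces are constructed from the post's own output with timestamps removed; the function names <code>parse_isakmp_debug</code> and <code>diagnose</code> are assumptions of this example.</p>

```python
"""Extract the pre-shared-key lookup and IKE state transitions from IOS
'debug crypto isakmp' output.  Added example for this post, not Cisco code.
The regexes anchor on the message text shown on the page; the process tag
'(0:0:N/A:0)' and timestamps vary between releases and are ignored."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

LOOKUP_RE = re.compile(r"Looking for a matching key for (\S+) in (\S+)")
FOUND_RE = re.compile(r"found peer pre-shared key matching (\S+)")
NOKEY_RE = re.compile(r"No pre-shared key with (\S+)!")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ABORT_RE = re.compile(r"construct_initial_message: (Can not start \w+ mode)")


def parse_isakmp_debug(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise one initiator attempt: which peer address was looked up,
    which keyrings were searched (in order), whether a key was found, the
    (old, new) state pairs seen, and the abort message if main mode never
    started."""
    peer: Optional[str] = None
    keyrings: List[str] = []
    psk_found = False
    states: List[Tuple[str, str]] = []
    abort: Optional[str] = None
    for line in lines:
        m = LOOKUP_RE.search(line)
        if m:
            peer, ring = m.group(1), m.group(2)
            keyrings.append(ring)
            continue
        if FOUND_RE.search(line):
            psk_found = True
            continue
        if NOKEY_RE.search(line):
            psk_found = False
            continue
        m = STATE_RE.search(line)
        if m:
            states.append((m.group(1), m.group(2)))
            continue
        m = ABORT_RE.search(line)
        if m:
            abort = m.group(1)
    return {"peer": peer, "keyrings_searched": keyrings,
            "psk_found": psk_found, "states": states, "abort": abort}


def diagnose(summary: Dict[str, object]) -> str:
    """One-line verdict for an operator reading the trace."""
    if summary["abort"]:
        return (f"initiator aborted ({summary['abort']}): no address-keyed PSK "
                f"for {summary['peer']} after searching {summary['keyrings_searched']}")
    if summary["psk_found"] and summary["states"]:
        return f"PSK for {summary['peer']} found; reached {summary['states'][-1][1]}"
    return "incomplete trace"


# Constructed from the post's successful attempt (address-keyed keyring).
SUCCESS_TRACE = [
    "ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.",
    "ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in default",
    "ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in vpnkeys",
    "ISAKMP:(0:0:N/A:0): : success",
    "ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.1.24.5",
    "ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM",
    "ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1",
]

# Constructed from the post's failing attempt (hostname-keyed keyring).
FAILURE_TRACE = [
    "ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.",
    "ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in default",
    "ISAKMP:(0:0:N/A:0):Looking for a matching key for 192.1.24.5 in vpnkeys",
    "ISAKMP:(0:0:N/A:0):No pre-shared key with 192.1.24.5!",
    "ISAKMP:(0:0:N/A:0): No Cert or pre-shared address key.",
    "ISAKMP:(0:0:N/A:0): construct_initial_message: Can not start Main mode",
]

if __name__ == "__main__":
    for name, trace in (("success", SUCCESS_TRACE), ("failure", FAILURE_TRACE)):
        print(name, "->", diagnose(parse_isakmp_debug(trace)))
```

<p>Feed it the raw lines of a <code>debug crypto isakmp</code> capture (timestamps do not matter) and the verdict tells you at once whether the attempt died before the first main-mode message for want of an address-keyed pre-shared key, or got as far as an IKE state.</p>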
<p>While this has been a lot of fun, I still have to work in the morning and it's really late here. Anyone know what I did wrong on the last example?</p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/10/22/studies-in-vpn-notes-for-my-ccie-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
