Site 2 Site VPN

Published on February 2017

Sources:
http://forum.saigonctt.com.vn/showthread.php?157-H%E1%BB%8Fi-v%E1%BB%81-VPNtren-FTTH-d%E1%BB%B1a-tr%EAn-thi%E1%BA%BFt-b%E1%BB%8B-Cisco
http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

The following is a turnkey solution for a site-to-site IPsec VPN between a Cisco ASA 5505 running version 7.3(4) on one end (Site A) and a Cisco 2621 router running IOS version 12.3 on the other end (Site B). The scenario was tested in the lab with a router placed between the ASA and the 2621 in order to better simulate the Internet. This "middle" WAN router is optional, but it adds realism to the lab. The IP addresses used in this lab are private on the two LAN sides behind the ASA and the router, and public on the WAN (Internet) sides. Adjust the configurations below to your own IP addressing scheme as needed.

SITE A
Enc. Domain: 192.168.9.0/24
Cisco ASA 5505, Version 7.3(4)
Interface E0 IP: 172.100.99.65/29
Interface E1 IP: 192.168.9.254/24
Test PCs: 192.168.9.22, 192.168.9.50

Internet (simulated): WAN Router Cisco 2611 (in between the ASA and the end router)
E0/0: 172.100.99.70/29 (ASA's gateway)
E0/1: 172.77.200.193/28 (Router's gateway)

SITE B
Enc. Domain: 192.168.50.0/24
Cisco 2621, IOS Version 12.3
F0/1 IP: 172.77.200.206/28
F0/0 IP: 192.168.50.1/24
Test PCs: 192.168.50.23, 192.168.50.101

Network Diagram

IPSec Tunnel Parameters
    

Pre-shared key: Cisco123
Encryption: 3des
Hash: md5
Group: 2
Lifetime: 86400

Site A: Cisco ASA5505 Configuration
TechCity-ASA5505# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TechCity-ASA5505
domain-name cgngroup.com
enable password [--removed--] encrypted
passwd [--removed--] encrypted
names
!
interface Vlan1
 description Most Secure Inside LAN Connection
 nameif inside
 security-level 100
 ip address 192.168.9.254 255.255.255.0
!
interface Vlan2
 description Outside WAN Connection
 nameif outside
 security-level 0
 ip address 172.100.99.65 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethern<br>et0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name cgngroup.com
access-list ACL_INBOUND remark --- allow return traffic back for ICMP from inside ---
access-list ACL_INBOUND extended permit icmp any any unreachable
access-list ACL_INBOUND extended permit icmp any any echo-reply
access-list ACL_INBOUND extended permit icmp any any time-exceeded
access-list ACL_INBOUND extended permit icmp any any source-quench
access-list ACL_ENCRYPTION remark --- Link to Cisco 2621 TechCity_Lab_C2621 ---
access-list ACL_ENCRYPTION extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list ACL_NONAT remark --- NO NAT ACL ---
access-list ACL_NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 60
logging enable
logging timestamp
logging buffer-size 16384
logging asdm informational
logging device-id ipaddress outside
mtu inside 1500
mtu outside 1454
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ACL_NONAT
nat (inside) 1 192.168.9.0 255.255.255.0
access-group ACL_INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 172.100.99.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.9.0 255.255.255.0 inside
crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto map labmap 1 match address ACL_ENCRYPTION
crypto map labmap 1 set pfs
crypto map labmap 1 set peer 172.77.200.206
crypto map labmap 1 set transform-set labset
crypto map labmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 25
console timeout 25
management-access inside
username cris password [--removed--] encrypted privilege 15
username Admin password [--removed--] encrypted privilege 15
tunnel-group 172.77.200.206 type ipsec-l2l
tunnel-group 172.77.200.206 ipsec-attributes
 pre-shared-key Cisco123
!
prompt hostname context
Cryptochecksum:[--removed--]
: end
TechCity-ASA5505#

Site B: Cisco 2621 Router Configuration
TechCity_Lab_C2621#sh run
Building configuration...

Current configuration : 2110 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TechCity_Lab_C2621
!
boot-start-marker
boot-end-marker
!
enable secret [--removed--]
enable password [--removed--]
!
aaa new-model
aaa authentication login default local
aaa session-id common
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name cgngroup.com
ip audit po max-events 100
!
username cris privilege 15 secret [--removed--]
username Admin privilege 15 secret [--removed--]
!
ip ssh time-out 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 172.100.99.65
!
crypto ipsec transform-set labset esp-3des esp-md5-hmac
!
crypto map labmap 1 ipsec-isakmp
 description --- Link to the ASA TechCity-ASA5505 ---
 set peer 172.100.99.65
 set security-association lifetime seconds 86400
 set transform-set labset
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 description LAN Connection Interface to SITE B
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN Connection Interface
 ip address 172.77.200.206 255.255.255.240
 ip nat outside
 crypto map labmap
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.77.200.193
!
access-list 100 remark --- NO NAT ACL ---
access-list 100 deny   ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 remark --- Link to the Cisco 2621 TechCity-ASA5505 ---
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 100
!
line con 0
 session-timeout 3600
 exec-timeout 60 0
 password [--removed--]
line aux 0
line vty 0 4
 session-timeout 60
 exec-timeout 3600 0
 password [--removed--]
 transport input all
!
!
end
TechCity_Lab_C2621#
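The two configurations above only bring a tunnel up if both sides agree: the ISAKMP policy (3DES, MD5, pre-share, group 2), the transform set (esp-3des esp-md5-hmac), PFS, the pre-shared key and the peer addresses must match, and the two crypto ACLs must be mirror images of each other (192.168.9.0/24 to 192.168.50.0/24 on the ASA, the reverse on the router). The Python script below is an added example, not part of the original document and not a Cisco tool: it reads the crypto-relevant lines of the two running configs above, reports any mismatch, and lists the algorithms that current Cisco and NIST guidance treats as legacy (in this lab: 3DES, MD5 and DH group 2). It assumes the ASA's bare "set pfs" means group 2, which the "PFS Group 2" in the show crypto ipsec sa output later in the document confirms, and it handles only the command forms the lab uses (one crypto map entry, network/mask or wildcard ACL entries).

```python
"""Cross-check the IKE/IPsec settings of two site-to-site peers (added example)."""
import ipaddress
import re

# Constructed input: the crypto-relevant lines of the two running configs above.
SITE_A_ASA = """\
ip address 172.100.99.65 255.255.255.248
access-list ACL_ENCRYPTION extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto map labmap 1 match address ACL_ENCRYPTION
crypto map labmap 1 set pfs
crypto map labmap 1 set peer 172.77.200.206
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 172.77.200.206 ipsec-attributes
 pre-shared-key Cisco123
"""
SITE_B_IOS = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 172.100.99.65
crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto map labmap 1 ipsec-isakmp
 set peer 172.100.99.65
 set pfs group2
 match address 101
ip address 172.77.200.206 255.255.255.240
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
"""
POLICY_RE = {"encryption": r"(?:encr|encryption) (\S+)$", "hash": r"hash (\S+)$",
             "auth": r"authentication (\S+)$", "group": r"group (\d+)$"}
LEGACY_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_GROUPS = {"1", "2", "5"}   # DH groups below 2048 bits

def _net(ip, mask, wildcard):
    """'ip mask' (ASA) or 'ip wildcard' (IOS) -> ip_network."""
    bits = int(ipaddress.IPv4Address(mask)) ^ (0xFFFFFFFF if wildcard else 0)
    return ipaddress.ip_network(f"{ip}/{bin(bits).count('1')}", strict=False)

def parse_peer(config, dialect):
    """Extract the crypto settings from an 'asa' or 'ios' config excerpt."""
    wildcard = dialect == "ios"
    p = {"policy": {}, "transform": None, "peer": None, "pfs": None,
         "psk": None, "local_ip": None, "acl_name": None}
    acls = {}
    for line in (l.strip() for l in config.splitlines()):
        for key, pat in POLICY_RE.items():
            if m := re.match(pat, line):
                p["policy"][key] = m.group(1)
        if m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            p["transform"] = tuple(m.group(1).split())
        elif m := re.search(r"set peer (\S+)$", line):
            p["peer"] = m.group(1)
        elif m := re.search(r"set pfs(?: group(\d+))?$", line):
            p["pfs"] = m.group(1) or "2"   # bare 'set pfs' on the ASA means group 2
        elif m := re.search(r"match address (\S+)$", line):
            p["acl_name"] = m.group(1)
        elif m := re.match(r"(?:pre-shared-key|crypto isakmp key) (\S+)", line):
            p["psk"] = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            p["local_ip"] = m.group(1)
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, set()).add((_net(s, sm, wildcard), _net(d, dm, wildcard)))
    p["acl"] = acls.get(p["acl_name"], set())   # only the ACL the crypto map references
    return p

def check_pair(a, b):
    """Return the mismatches between peers a and b; an empty list means they agree."""
    findings = []
    for key in POLICY_RE:
        if a["policy"].get(key) != b["policy"].get(key):
            findings.append(f"ISAKMP {key} mismatch: {a['policy'].get(key)} vs {b['policy'].get(key)}")
    if a["transform"] != b["transform"]:
        findings.append(f"transform-set mismatch: {a['transform']} vs {b['transform']}")
    if a["pfs"] != b["pfs"]:
        findings.append(f"PFS mismatch: group {a['pfs']} vs group {b['pfs']}")
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        findings.append("peer addresses do not point at each other's crypto interface")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if {(d, s) for s, d in a["acl"]} != b["acl"]:   # each crypto ACL must mirror the other
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

def legacy_algorithms(p):
    """List the legacy algorithms and DH groups a parsed peer config still uses."""
    found = {v for v in (p["policy"].get("encryption"), p["policy"].get("hash"),
                         *(p["transform"] or ())) if v in LEGACY_TOKENS}
    for label, group in (("dh-group-", p["policy"].get("group")), ("pfs-group-", p["pfs"])):
        if group in LEGACY_GROUPS:
            found.add(label + group)
    return sorted(found)

if __name__ == "__main__":
    site_a, site_b = parse_peer(SITE_A_ASA, "asa"), parse_peer(SITE_B_IOS, "ios")
    print("mismatches:", check_pair(site_a, site_b) or "none")
    print("legacy crypto:", legacy_algorithms(site_a), legacy_algorithms(site_b))
```

Run against the lab configs the script reports no mismatches and six legacy items; change the hash, the key or one ACL network on either side and the corresponding finding appears, which is the same list a crypto debug would eventually lead you to, but before the tunnel is tried.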

The “Middle” Cisco 2611 WAN Router Configuration
TechCity_Lab_C2611WAN# sh run
Building configuration...

Current configuration : 899 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TechCity_Lab_C2611WAN
!
username cris password [--removed--]
!
ip subnet-zero
no ip finger
no ip domain-lookup
ip domain-name cgngroup.com
!
interface Ethernet0/0
 description Connected to the Cisco ASA5505 Outside Interface
 ip address 172.100.99.70 255.255.255.248
 ip accounting output-packets
!
interface Ethernet0/1
 description Connected to the Cisco 2621 F0/1 Interface
 ip address 172.77.200.193 255.255.255.240
 ip accounting output-packets
!
ip classless
no ip http server
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 password [--removed--]
 login
 transport input none
line aux 0
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 password [--removed--]
 login
!
no scheduler allocate
end
TechCity_Lab_C2611WAN#

Various investigative commands related to VPN
ASA troubleshooting commands:
sh ipsec sa peer 172.77.200.206
sh isakmp sa
sh crypto isakmp
sh crypto protocol statistics ipsec
sh access-list [acl_name]
debug crypto isakmp
debug crypto ipsec

Router troubleshooting commands:
sh crypto ipsec sa
sh crypto engine connections active
sh access-list [acl_name]
debug crypto isakmp
debug crypto ipsec
debug crypto engine

From the SITE A test PC we generate interesting traffic, that is, traffic that matches the crypto ACL. The first echo requests time out while IKE brings the tunnel up; once the SAs are established the replies come back:
C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.9.22
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.9.1

C:\>
C:\>ping 192.168.50.23

Pinging 192.168.50.23 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.50.23: bytes=32 time=6ms TTL=254

Ping statistics for 192.168.50.23:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 6ms, Average = 6ms

C:\>
C:\>ping 192.168.50.23

Pinging 192.168.50.23 with 32 bytes of data:
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254

Ping statistics for 192.168.50.23:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 5ms, Average = 5ms

C:\>

On Site B we test connectivity from the Test PC behind the 2621:
C:\>ipconfig

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.50.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.50.1

C:\>ping 192.168.9.50

Pinging 192.168.9.50 with 32 bytes of data:
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31

Ping statistics for 192.168.9.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 6ms, Average = 6ms

C:\>

Troubleshooting SITE A, Cisco ASA5505:
Capture before and immediately after issuing the ping commands:
TechCity-ASA5505# sh crypto isakmp sa

There are no isakmp sas

TechCity-ASA5505# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.77.200.206
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
TechCity-ASA5505#
TechCity-ASA5505# sh crypto ipsec sa
interface: outside
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65

      access-list ACL_ENCRYPTION permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206

      #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.100.99.65, remote crypto endpt.: 172.77.200.206

      path mtu 1454, ipsec overhead 58, media mtu 1500
      current outbound spi: 2899FC7D

    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         IV size: 8 bytes
         replay detection support: Y
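The counters in this output are the first thing to read when a tunnel is up but traffic fails. #pkts encaps and #pkts decaps both moving, as above (6 and 5), means the SA carries traffic in both directions; encaps climbing while decaps stays at zero is the classic one-way tunnel, where the far side never encrypts the return traffic (usually its crypto ACL, NAT exemption or routing). The Python script below is an added example, not from the document: it parses the ASA output format shown above (the IOS router's output later in the document uses slightly different punctuation and is not handled) and derives findings from the packet counters, the error counters, the remaining key lifetime and the anti-replay flag. The healthy sample is constructed from the values above; the one-way variant is constructed by zeroing the decaps counters.

```python
"""Read 'show crypto ipsec sa' (ASA format) and flag the usual failure signs.

Added example, not from the lab document. The sample text below is constructed
from the values shown in the document.
"""
import re

# Constructed from the ASA output shown above (fields not needed here omitted).
HEALTHY_SA = """\
interface: outside
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65

      access-list ACL_ENCRYPTION permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206

      #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         replay detection support: Y
"""
# Constructed variant: packets go out but nothing ever comes back.
ONE_WAY_SA = HEALTHY_SA.replace(
    "#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")


def parse_ipsec_sa(text):
    """Pull out the fields that matter for a first-pass diagnosis."""
    def num(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0
    lifetimes = re.findall(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", text)
    return {
        "peer": re.search(r"current_peer: (\S+)", text).group(1),
        "local_ident": re.search(r"local ident \S+: \(([^)]+)\)", text).group(1),
        "remote_ident": re.search(r"remote ident \S+: \(([^)]+)\)", text).group(1),
        "encaps": num(r"#pkts encaps: (\d+)"),
        "decaps": num(r"#pkts decaps: (\d+)"),
        "send_errors": num(r"#send errors: (\d+)"),
        "recv_errors": num(r"#recv errors: (\d+)"),
        # The ASA prints the inbound SA block before the outbound one.
        "lifetime": dict(zip(("inbound", "outbound"),
                             [(int(kb), int(sec)) for kb, sec in lifetimes])),
        "replay": [v == "Y" for v in re.findall(r"replay detection support: (\w)", text)],
    }


def diagnose(sa, rekey_warn_sec=300):
    """Return human-readable findings; an empty list means the SA looks healthy."""
    findings = []
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("no packets have used this SA: nothing matched the crypto ACL yet")
    elif sa["decaps"] == 0:
        findings.append("one-way tunnel: traffic is encrypted and sent but nothing is received; "
                        "check the peer's crypto ACL, NAT exemption and return route")
    elif sa["encaps"] == 0:
        findings.append("one-way tunnel: traffic is received but nothing is sent; "
                        "check the local crypto ACL, NAT exemption and routing")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"errors on the SA: send={sa['send_errors']} recv={sa['recv_errors']}")
    for direction, (_kb, sec) in sa["lifetime"].items():
        if sec < rekey_warn_sec:
            findings.append(f"{direction} SA rekeys in {sec}s")
    if not sa["replay"] or not all(sa["replay"]):
        findings.append("anti-replay is not enabled on every SA")
    return findings


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_SA), ("one-way", ONE_WAY_SA)):
        sa = parse_ipsec_sa(text)
        print(f"{label}: peer {sa['peer']}, {sa['local_ident']} -> {sa['remote_ident']}")
        for finding in diagnose(sa) or ["looks healthy"]:
            print("  -", finding)
```

The rekey threshold is a parameter because what counts as "about to rekey" depends on the lifetime you configured; with the lab's 28800-second IPsec lifetime the 28501 seconds remaining above is simply a freshly built SA.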

TechCity-ASA5505# sh crypto protocol statistics ipsec
[IPsec statistics]
   Encrypt packet requests: 6
   Encapsulate packet requests: 6
   Decrypt packet requests: 5
   Decapsulate packet requests: 5
   HMAC calculation requests: 11
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
TechCity-ASA5505#
TechCity-ASA5505# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL_INBOUND; 4 elements
access-list ACL_INBOUND line 1 extended permit icmp any any unreachable (hitcnt=0) 0x8a00bb1d
access-list ACL_INBOUND line 2 extended permit icmp any any echo-reply (hitcnt=2) 0xbd068d3d
access-list ACL_INBOUND line 3 extended permit icmp any any time-exceeded (hitcnt=0) 0x1487340b
access-list ACL_INBOUND line 4 extended permit icmp any any source-quench (hitcnt=0) 0xe202f87b
access-list ACL_ENCRYPTION; 1 elements
access-list ACL_ENCRYPTION line 1 remark --- Link to Cisco 2621 TechCity_Lab_C2621 ---
access-list ACL_ENCRYPTION line 2 extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=5) 0x0b6bc5e7
access-list ACL_NONAT; 1 elements
access-list ACL_NONAT line 1 remark --- NO NAT ACL ---
access-list ACL_NONAT line 2 extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=0) 0x5c3c3d90
TechCity-ASA5505#
TechCity-ASA5505# sh ipsec sa peer 172.77.200.206
peer address: 172.77.200.206
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65

      access-list ACL_ENCRYPTION permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206

      #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 51, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.100.99.65, remote crypto endpt.: 172.77.200.206

      path mtu 1454, ipsec overhead 58, media mtu 1500
      current outbound spi: 2899FC7D

    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274995/28137)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274995/28137)
         IV size: 8 bytes
         replay detection support: Y

TechCity-ASA5505# sh isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.77.200.206
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
TechCity-ASA5505#
TechCity-ASA5505# debug crypto isakmp
TechCity-ASA5505# conf t
TechCity-ASA5505(config)# logging console debug
TechCity-ASA5505(config)#
May 05 2011 13:43:36 172.100.99.65 : %ASA-5-111008: User 'enable_15' executed the 'logging console debug' command.
May 05 2011 13:43:37 172.100.99.65 : %ASA-7-710005: UDP request discarded from 192.168.9.22/59483 to inside:255.255.255.255/34447
May 05 2011 13:43:39 172.100.99.65 : %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host outside:192.168.50.23
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609002: Teardown local-host outside:192.168.50.23 duration 0:00:00
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
May 05 2011 13:43:40 172.100.99.65 : %ASA-5-713041: IP = 172.77.200.206, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.77.200.206 local Proxy Address 192.168.9.0, remote Proxy Address 192.168.50.0, Crypto map (labmap)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing ISAKMP SA payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing Fragmentation VID + extended capabilities payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host NP Identity Ifc:172.100.99.65
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host outside:172.77.200.206
May 05 2011 13:43:40 172.100.99.65 : %ASA-6-302015: Built outbound UDP connection 175 for outside:172.77.200.206/500 (172.77.200.206/500) to NP Identity Ifc:172.100.99.65/500 (172.100.99.65/500)

May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing SA payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Oakley proposal is acceptable
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing ke payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing nonce payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing Cisco Unity VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing xauth V6 VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715048: IP = 172.77.200.206, Send IOS VID
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715038: IP = 172.77.200.206, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715048: IP = 172.77.200.206, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing ke payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing ISA_KE payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing nonce payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received Cisco Unity client VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received DPD VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715038: IP = 172.77.200.206, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received xauth V6 VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Connection landed on tunnel_group 172.77.200.206

May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Generating keys for Initiator...
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing ID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing hash payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715076: Group = 172.77.200.206, IP = 172.77.200.206, Computing hash for ISAKMP
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715034: IP = 172.77.200.206, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing dpd vid payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715047: Group = 172.77.200.206, IP = 172.77.200.206, processing ID payload
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-714011: Group = 172.77.200.206, IP = 172.77.200.206, ID_IPV4_ADDR ID received 172.77.200.206
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715047: Group = 172.77.200.206, IP = 172.77.200.206, processing hash payload
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715076: Group = 172.77.200.206, IP = 172.77.200.206, Computing hash for ISAKMP
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Connection landed on tunnel_group 172.77.200.206
May 05 2011 13:43:43 172.100.99.65 : %ASA-4-713903: Group = 172.77.200.206, IP = 172.77.200.206, Freeing previously allocated memory for authorization-dn-attributes
May 05 2011 13:43:43 172.100.99.65 : %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 172.77.200.206
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Oakley begin quick mode
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-714002: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator starting QM: msg id = d2a3e6cb
May 05 2011 13:43:43 172.100.99.65 : %ASA-3-713119: Group = 172.77.200.206, IP = 172.77.200.206, PHASE 1 COMPLETED
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-713121: IP = 172.77.200.206, Keep-alive type for this connection: DPD
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-715080: Group = 172.77.200.206, IP = 172.77.200.206, Starting P1 rekey timer: 82080 seconds.
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715006: Group = 172.77.200.206, IP = 172.77.200.206, IKE got SPI from key engine: SPI = 0x4cc39f88
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, oakley constucting quick mode
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing blank hash payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing IPSec SA payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing IPSec nonce payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing pfs ke payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715001: Group = 172.77.200.206, IP = 172.77.200.206, constructing proxy ID

May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Transmitting Proxy Id: Local subnet: 192.168.9.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 192.168.50.0 Mask 255.255.255.0 Protocol 0 Port 0
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-714007: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator sending Initial Contact
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing qm hash payload
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-714004: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator sending 1st QM pkt: msg id = d2a3e6cb
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=d2a3e6cb) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328
TechCity-ASA5505(config)# no logging console debug
TechCity-ASA5505(config)# exit
TechCity-ASA5505# undebug all
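The ASA capture above can be followed without reading every line: 713041 marks the start of phase 1 for a peer, 713236 is each IKE message sent or received (msgid=0 during main mode, a non-zero msgid once quick mode starts), 713119 is PHASE 1 COMPLETED, 714002 the start of quick mode, and 713906 carries the proxy IDs that have to match the peer's crypto ACL. The Python script below is an added example, not from the document: it tracks that progression per peer from syslog lines in the format shown and is the kind of filter you would run over a collector's ASA feed rather than over the console. It also recognizes 713120 (PHASE 2 COMPLETED), a documented ASA message that does not occur in the capture above because the capture ends after the first quick-mode packet; the sample lines are a constructed subset of the capture plus one unrelated message that must be ignored.

```python
"""Follow an IKEv1 negotiation through ASA syslog messages (added example).

Not from the lab document. Keys on the message IDs seen in the capture above,
plus 713120 (PHASE 2 COMPLETED), which the ASA logs but the capture does not reach.
"""
import re

# Constructed sample: a subset of the ASA lines above plus one non-IKE message.
SAMPLE_LOG = """\
May 05 2011 13:43:37 172.100.99.65 : %ASA-7-710005: UDP request discarded from 192.168.9.22/59483 to inside:255.255.255.255/34447
May 05 2011 13:43:40 172.100.99.65 : %ASA-5-713041: IP = 172.77.200.206, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.77.200.206 local Proxy Address 192.168.9.0, remote Proxy Address 192.168.50.0, Crypto map (labmap)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
May 05 2011 13:43:43 172.100.99.65 : %ASA-3-713119: Group = 172.77.200.206, IP = 172.77.200.206, PHASE 1 COMPLETED
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-714002: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator starting QM: msg id = d2a3e6cb
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Transmitting Proxy Id: Local subnet: 192.168.9.0 mask 255.255.255.0 Protocol 0 Port 0 Remote subnet: 192.168.50.0 Mask 255.255.255.0 Protocol 0 Port 0
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=d2a3e6cb) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
PROXY_RE = re.compile(r"Local subnet: (\S+) [Mm]ask (\S+) .*Remote subnet: (\S+) [Mm]ask (\S+)")


def _new_peer():
    return {"role": None, "phase1": False, "phase2_started": False, "phase2": False,
            "sent": 0, "received": 0, "proxy_ids": None, "events": []}


def track_ike(log_text):
    """Return {peer_ip: negotiation state} built from ASA syslog lines."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer_m = PEER_RE.search(m["msg"])
        if not peer_m:
            continue            # not an IKE message about a peer
        st = peers.setdefault(peer_m.group(1), _new_peer())
        mid, msg = m["id"], m["msg"]
        if mid == "713041":     # New Phase 1
            st["role"] = "initiator" if "IKE Initiator" in msg else "responder"
            st["events"].append((m["ts"], "phase 1 started"))
        elif mid == "713236":   # IKE_DECODE SENDING / RECEIVED
            if "SENDING" in msg:
                st["sent"] += 1
            elif "RECEIVED" in msg:
                st["received"] += 1
        elif mid == "713119":   # PHASE 1 COMPLETED
            st["phase1"] = True
            st["events"].append((m["ts"], "phase 1 completed"))
        elif mid == "714002":   # IKE Initiator starting QM
            st["phase2_started"] = True
            st["events"].append((m["ts"], "quick mode started"))
        elif mid == "713906" and (pm := PROXY_RE.search(msg)):
            st["proxy_ids"] = {"local": f"{pm.group(1)}/{pm.group(2)}",
                               "remote": f"{pm.group(3)}/{pm.group(4)}"}
        elif mid == "713120":   # PHASE 2 COMPLETED (documented; not in the capture above)
            st["phase2"] = True
            st["events"].append((m["ts"], "phase 2 completed"))
    return peers


def summarize(peers):
    """One line per peer describing how far the negotiation got."""
    lines = []
    for ip, st in peers.items():
        stage = ("phase 2 complete" if st["phase2"] else
                 "quick mode in progress" if st["phase2_started"] else
                 "phase 1 complete" if st["phase1"] else "phase 1 in progress")
        lines.append(f"{ip}: {st['role'] or 'unknown role'}, {stage}, "
                     f"IKE messages sent={st['sent']} received={st['received']}")
    return lines


if __name__ == "__main__":
    for line in summarize(track_ike(SAMPLE_LOG)):
        print(line)
```

A peer that stays at "phase 1 in progress" with messages sent but none received is the signature of UDP/500 being blocked or of no IKE listener at the remote address; one that reaches "quick mode in progress" and never completes usually has proxy IDs that do not match the remote crypto ACL, which is why the script keeps the proxy IDs from 713906 alongside the state.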

Troubleshooting SITE B, Cisco 2621:
TechCity_Lab_C2621# sh crypto isakmp sa
dst             src             state          conn-id slot

TechCity_Lab_C2621# debug crypto isakmp
Crypto ISAKMP debugging is on
TechCity_Lab_C2621#
00:06:00: ISAKMP (0:0): received packet from 172.100.99.65 dport 500 sport 500 Global (N) NEW SA
00:06:00: ISAKMP: Created a peer struct for 172.100.99.65, peer port 500
00:06:00: ISAKMP: Locking peer struct 0x830314A4, IKE refcount 1 for Responding to new initiation
00:06:00: ISAKMP: local port 500, remote port 500
00:06:00: ISAKMP: insert sa successfully sa = 82FE5814
00:06:00: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:06:00: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_R_MM1
00:06:00: ISAKMP (0:1): processing SA payload. message ID = 0
00:06:00: ISAKMP (0:1): processing vendor id payload
00:06:00: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
00:06:00: ISAKMP: Looking for a matching key for 172.100.99.65 in default : success
00:06:00: ISAKMP (0:1): found peer pre-shared key matching 172.100.99.65
00:06:00: ISAKMP (0:1) local preshared key found
00:06:00: ISAKMP : Scanning profiles for xauth ...
00:06:00: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:06:00: ISAKMP:      default group 2
00:06:00: ISAKMP:      encryption 3DES-CBC
00:06:00: ISAKMP:      hash MD5
00:06:00: ISAKMP:      auth pre-share
00:06:00: ISAKMP:      life type in seconds
00:06:00: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
00:06:00: ISAKMP (0:1): atts are acceptable. Next payload is 0

00:06:01: ISAKMP (0:1): processing vendor id payload
00:06:01: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM1
00:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) MM_SA_SETUP
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM2
00:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) MM_SA_SETUP
00:06:01: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM2  New State = IKE_R_MM3
00:06:01: ISAKMP (0:1): processing KE payload. message ID = 0
00:06:01: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:06:01: ISAKMP: Looking for a matching key for 172.100.99.65 in default : success
00:06:01: ISAKMP (0:1): found peer pre-shared key matching 172.100.99.65
00:06:01: ISAKMP (0:1): SKEYID state generated
00:06:01: ISAKMP (0:1): processing vendor id payload
00:06:01: ISAKMP (0:1): vendor ID is Unity
00:06:01: ISAKMP (0:1): processing vendor id payload
00:06:01: ISAKMP (0:1): vendor ID seems Unity/DPD but major 211 mismatch
00:06:01: ISAKMP (0:1): vendor ID is XAUTH
00:06:01: ISAKMP (0:1): processing vendor id payload
00:06:01: ISAKMP (0:1): speaking to another IOS box!
00:06:01: ISAKMP (0:1): processing vendor id payload
00:06:01: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM3
00:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) MM_KEY_EXCH
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM4
00:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) MM_KEY_EXCH
00:06:01: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM4  New State = IKE_R_MM5
00:06:01: ISAKMP (0:1): processing ID payload. message ID = 0
00:06:01: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 172.100.99.65
        protocol     : 17
        port         : 500
        length       : 12
00:06:01: ISAKMP (0:1): peer matches *none* of the profiles
00:06:01: ISAKMP (0:1): processing HASH payload. message ID = 0
00:06:01: ISAKMP:received payload type 17
00:06:01: ISAKMP (0:1): processing vendor id payload
00:06:01: ISAKMP (0:1): vendor ID is DPD
00:06:01: ISAKMP (0:1): SA authentication status: authenticated
00:06:01: ISAKMP (0:1): SA has been authenticated with 172.100.99.65
00:06:01: ISAKMP (0:1): peer matches *none* of the profiles
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_R_MM5
00:06:01: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

00:06:01: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 172.77.200.206
        protocol     : 17
        port         : 500
        length       : 12
00:06:01: ISAKMP (1): Total payload length: 12
00:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) MM_KEY_EXCH
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
00:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE
00:06:01: ISAKMP: set new node -1712801892 to QM_IDLE
00:06:01: ISAKMP (0:1): processing HASH payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing SA payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): Checking IPSec proposal 1
00:06:01: ISAKMP: transform 1, ESP_3DES
00:06:01: ISAKMP:   attributes in transform:
00:06:01: ISAKMP:      SA life type in seconds
00:06:01: ISAKMP:      SA life duration (basic) of 28800
00:06:01: ISAKMP:      SA life type in kilobytes
00:06:01: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:06:01: ISAKMP:      encaps is 1 (Tunnel)
00:06:01: ISAKMP:      authenticator is HMAC-MD5
00:06:01: ISAKMP:      group is 2
00:06:01: ISAKMP (0:1): atts are acceptable.
00:06:01: ISAKMP (0:1): processing NONCE payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing KE payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing ID payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing ID payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = -1712801892, sa = 82FE5814
00:06:01: ISAKMP (0:1): SA authentication status: authenticated
00:06:01: ISAKMP (0:1): Process initial contact, bring down existing phase 1 and 2 SA's with local 172.77.200.206 remote 172.100.99.65 remote port 500
00:06:01: ISAKMP (0:1): asking for 1 spis from ipsec
00:06:01: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:06:01: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
00:06:01: ISAKMP: received ke message (2/1)
00:06:02: ISAKMP: Locking peer struct 0x830314A4, IPSEC refcount 1 for for stuff_ke
00:06:02: ISAKMP (0:1): Creating IPSec SAs
00:06:02:         inbound SA from 172.100.99.65 to 172.77.200.206 (f/i)  0/ 0
        (proxy 192.168.9.0 to 192.168.50.0)
00:06:02:         has spi 0x2899FC7D and conn_id 2000 and flags 23
00:06:02:         lifetime of 28800 seconds
00:06:02:         lifetime of 4608000 kilobytes
00:06:02:         has client flags 0x0
00:06:02:         outbound SA from 172.77.200.206 to 172.100.99.65 (f/i) 0/ 0
        (proxy 192.168.50.0 to 192.168.9.0 )

00:06:02: has spi -1758734664 and conn_id 2001 and flags 2B 00:06:02: lifetime of 28800 seconds 00:06:02: lifetime of 4608000 kilobytes 00:06:02: has client flags 0x0 00:06:02: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) QM_IDLE 00:06:02: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY 00:06:02: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 00:06:02: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE 00:06:02: ISAKMP: set new node -894521910 to QM_IDLE 00:06:02: ISAKMP (0:1): processing HASH payload. message ID = -894521910 00:06:02: ISAKMP (0:1): processing NOTIFY unknown protocol 1 spi 0, message ID = -894521910, sa = 82FE5814 00:06:02: ISAKMP (0:1): deleting node -894521910 error FALSE reason "informational (in) state 1" 00:06:02: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY 00:06:02: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE 00:06:02: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE 00:06:02: ISAKMP (0:1): deleting node -1712801892 error FALSE reason "quick mode done (await)" 00:06:02: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH 00:06:02: ISAKMP (0:1): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE TechCity_Lab_C2621# TechCity_Lab_C2621# sh crypto isakmp sa dst src state conn-id slot 172.77.200.206 172.100.99.65 QM_IDLE 1 0 TechCity_Lab_C2621# TechCity_Lab_C2621# undebug all All possible debugging has been turned off TechCity_Lab_C2621# TechCity_Lab_C2621# sh crypto ipsec sa interface: FastEthernet0/1 Crypto map tag: labmap, local addr. 
172.77.200.206 protected vrf: local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0) current_peer: 172.100.99.65:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5 #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.77.200.206, remote crypto endpt.: 172.100.99.65 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1 current outbound spi: 972BD6B8 inbound esp sas:

spi: 0x2899FC7D(681180285) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: labmap sa timing: remaining key lifetime (k/sec): (4500618/28629) IV size: 8 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x972BD6B8(2536232632) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: labmap sa timing: remaining key lifetime (k/sec): (4500618/28627) IV size: 8 bytes replay detection support: Y outbound ah sas: outbound pcp sas: TechCity_Lab_C2621# TechCity_Lab_C2621# sh crypto engine connections active ID Interface Address State 1 FastEthernet0/1 0 2000 FastEthernet0/1 6 2001 FastEthernet0/1 0 IPAlgorithm 172.77.200.206 172.77.200.206 172.77.200.206 set set set Encrypt Decrypt 0 0 5

HMAC_MD5+3DES_56_C HMAC_MD5+3DES_56_C HMAC_MD5+3DES_56_C

TechCity_Lab_C2621# sh access-lists Extended IP access list 100 10 deny ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255 (5 matches) 20 permit ip 192.168.50.0 0.0.0.255 any Extended IP access list 101 10 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255 (11 matches) TechCity_Lab_C2621#

Verify the “Middle” WAN router
Note that only the packets exchanged between the public IP addresses (the VPN peers) are "seen"; the private networks behind the tunnel never appear:

TechCity_Lab_C2611WAN# sh ip accounting
   Source           Destination              Packets               Bytes
 172.100.99.65    172.77.200.206              236                  32788
 172.77.200.206   172.100.99.65               227                  29996

Accounting data age is 01:19

Site to Site VPN between Cisco ASA and Router
Wednesday, May 25th, 2011 at 5:33 pm

In this post we will configure a Site-to-Site IPSEC VPN between a Cisco IOS Router and an ASA Firewall. The ASA configuration is not much different from Cisco IOS with regard to IPSEC VPN, since the fundamental concepts are the same. Let's start our LAB example and see how it's done. Consider the following diagram. The first site (Remote1) is equipped with a Cisco ASA firewall (any model) and the second site (Remote2) is equipped with a Cisco Router. Remember that a Cisco ASA firewall is capable of supporting IPSEC VPN by default, but a Cisco Router must have the proper IOS software type in order to support encrypted VPN tunnels.

Equipment Used in this LAB:

ASA 5510 – Cisco Adaptive Security Appliance Software Version 8.0(3)
Cisco Router 2801 – C2801-ADVIPSERVICESK9-M Version 12.4(9)T4

Scenario: The LAN of Remote1 must be connected to the LAN of Remote2 via a VPN tunnel. The most usual scenario is that the WAN cloud is the Internet, so secure connectivity shall be provided between the two LAN networks over the Internet. First of all we must make sure that the outside interfaces of the ASA and the router are reachable over the WAN. Now let's start the IPSEC VPN configuration.

Cisco ASA Configuration

First I started with the ASA configuration. I created an access list that matches the interesting traffic, that is, the traffic to be encrypted. If the source is 192.168.3.0/24 and the destination is 192.168.4.0/24, the traffic is matched by the access list as "interesting traffic", encrypted and passed through the tunnel.

ASA(config)# access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

!IKE PHASE #1
! I've created a phase1 policy. This policy provides a secured process for exchanging keys.
ASA(config)# crypto isakmp policy 1
! For authentication I used pre-shared keys. This method is the most frequently used today.
ASA(config-isakmp-policy)# authentication pre-share
! For encryption I used 3des.
ASA(config-isakmp-policy)# encryption 3des
! Hashing md5.
ASA(config-isakmp-policy)# hash md5
! I used the second Diffie-Hellman group. Group1 is used by default. The most secure is Group5.
ASA(config-isakmp-policy)# group 2
! Configure the crypto key. The keys must match between the peers, otherwise Phase1 will not complete.
ASA(config)# crypto isakmp key secretsharedkey address 192.168.2.2
NOTE: The crypto key is hidden in the ASA configuration. If we look at the configuration, it is shown in the following way:
tunnel-group 192.168.2.2 ipsec-attributes
 pre-shared-key *
! Activate ISAKMP on the outside interface.
ASA(config)# crypto isakmp enable outside

! IKE PHASE #2 - The VPN tunnel is established during this phase and the traffic between the VPN peers is encrypted according to the security parameters of this phase.
! I created a transform set, by which the traffic will be encrypted and hashed between the VPN peers.
ASA(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac
! Apply the access list created earlier for matching the interesting traffic.
ASA(config)# crypto map vpn 10 match address vpn

! I indicated the address of the Remote2 peer's public outside interface.
ASA(config)# crypto map vpn 10 set peer 192.168.2.2
! Apply also the transform set.
ASA(config)# crypto map vpn 10 set transform-set ts
! Attach the crypto map created above to the outside interface.
ASA(config)# crypto map vpn interface outside

The ASA configuration is completed here (regarding the VPN config, of course). Now let's start the router configuration below.

Cisco Router Configuration

ISAKMP Phase 1
! Enter crypto-isakmp policy configuration mode for configuring the crypto isakmp policy.
Router(config)# crypto isakmp policy 10
! Turn on 3des as the encryption type.
Router(config-isakmp)# encr 3des
! I indicated MD5 as the hashing type.
Router(config-isakmp)# hash md5
! I indicated pre-shared authentication.
Router(config-isakmp)# authentication pre-share
! I used the second Diffie-Hellman group. Group1 is used by default.
Router(config-isakmp)# group 2
! I defined the peer key, the same as on the ASA side.
Router(config)# crypto isakmp key secretsharedkey address 192.168.1.2

It's not necessary for the policy numbers to match. What matters is that the corresponding parameters of the policy match; otherwise the Phase1 negotiation will not succeed.

! Access list for matching interesting traffic.
Router(config)# ip access-list extended vpn
Router(config-ext-nacl)# permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

ISAKMP PHASE 2
! Create the IPSEC transform set, which determines the hashing and encryption mechanisms by which the traffic will be hashed/encrypted in the VPN tunnel later.
Router(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Enter crypto-map configuration mode.
Router(config)# crypto map vpn 10 ipsec-isakmp
! Indicate the IP address of the peer.
Router(config-crypto-map)# set peer 192.168.1.2
! Indicate the IPsec transform set created above.
Router(config-crypto-map)# set transform-set ts
! Apply the access list created above.
Router(config-crypto-map)# match address vpn
! Apply the crypto map to the interface.
Router(config)# interface FastEthernet0/0
Router(config-if)# crypto map vpn

With this, the VPN configuration is complete, so let's start verification.

! The output below shows that ISAKMP PHASE1 is active, which means that the PHASE1 negotiation completed successfully.
ASA# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Router# show crypto isakmp sa
dst             src             state          conn-id slot
192.168.1.2     192.168.2.2     MM_ACTIVE            1    0

! Checking ISAKMP PHASE2. Here we see that IPSec is working and the interesting traffic flows in the VPN tunnel.
ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: vpn, seq num: 10, local addr: 192.168.1.2

      access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
      current_peer: 192.168.2.2

      #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
      #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 344, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

Router# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 192.168.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
    #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The VPN tunnel is established and works.
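The verification outputs above (the router's sh crypto ipsec sa in the first lab and both peers' show crypto ipsec sa here) are normally read by eye. The Python below is an added example, not code from any of the articles: it pulls the traffic selectors, the peer and the packet counters out of one such block and classifies the SA, in particular the one-way case where packets are encrypted but nothing is ever decrypted, which is what a crypto ACL that does not mirror the far side, or NAT applied to the tunnel traffic, looks like from this output. The sample block is constructed to match the router output shown above.

```python
import re

# Constructed sample, shaped like the router's 'show crypto ipsec sa' output quoted above.
HEALTHY = """\
interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 192.168.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
    #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
    #send errors 0, #recv errors 0
"""
# Same SA after the far side stops sending anything back: we still encrypt, nothing is decrypted.
ONE_WAY = HEALTHY.replace("#pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344",
                          "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

# One regex per field. The optional colons and the [\d.]+ peer capture absorb the small
# layout differences between the IOS and ASA outputs in the articles (e.g. 'current_peer: x:500').
FIELDS = {
    "local": r"local\s+ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
    "remote": r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
    "peer": r"current_peer:? ([\d.]+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors:? (\d+)",
    "recv_errors": r"#recv errors:? (\d+)",
}
COUNTERS = ("encaps", "decaps", "send_errors", "recv_errors")

def parse_ipsec_sa(text):
    """Selectors, peer and counters of one 'show crypto ipsec sa' block, as a dict."""
    sa = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field {key!r} not found in output")
        sa[key] = int(m.group(1)) if key in COUNTERS else m.group(1)
    return sa

def assess(text, expected_local, expected_remote, expected_peer):
    """Check the SA against the intended design first, then read the counters."""
    sa = parse_ipsec_sa(text)
    if (sa["local"], sa["remote"], sa["peer"]) != (expected_local, expected_remote, expected_peer):
        return "wrong selectors or peer"  # the SA protects something other than what was designed
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no traffic"  # SA is up but nothing has matched the crypto ACL yet
    if sa["decaps"] == 0:
        return "one-way: encrypting, nothing decrypted"  # far side is not returning traffic
    if sa["encaps"] == 0:
        return "one-way: decrypting, nothing encrypted"  # our side is not sending into the tunnel
    return "healthy"
```

Feed it the block for each SA after a change and compare the expected selectors with what was designed; an SA that is "healthy" but protects the wrong prefixes is the error that counters alone never reveal.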

ASA Site-to-Site IPsec VPN

Today, I would like to write about the simplest configuration of an ASA for a Site-to-Site IPsec VPN. I'm going to post a configuration example along with comments about every particular command.

!--- Configure the outside interface.
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0

!--- Configure the inside interface.
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

!--- Output suppressed
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 100 extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0

!--- This access list (inside_nat0_outbound) is used
!--- with the nat zero command. This prevents traffic which
!--- matches the access list from undergoing network address translation (NAT).
!--- The traffic specified by this ACL is traffic that is to be encrypted and
!--- sent across the VPN tunnel. This ACL is intentionally
!--- the same as (outside_1_cryptomap).
!--- Two separate access lists should always be used in this configuration.

access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0

!--- This access list (outside_1_cryptomap) is used
!--- with the crypto map outside_map
!--- to determine which traffic should be encrypted and sent
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).
!--- Two separate access lists should always be used in this configuration.

pager lines 24

mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

!--- NAT 0 prevents NAT for networks specified in
!--- the ACL inside_nat0_outbound.

access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 dmz
no snmp-server location
no snmp-server contact

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!--- Define the transform set for Phase 2.
crypto map outside_map 1 match address outside_1_cryptomap
!--- Define which traffic should be sent to the IPsec peer.
crypto map outside_map 1 set peer 172.17.1.1
!--- Sets the IPsec peer
crypto map outside_map 1 set transform-set ESP-DES-SHA
!--- Sets the IPsec transform set "ESP-DES-SHA"
!--- to be used with the crypto map entry "outside_map".
crypto map outside_map interface outside
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
tunnel-group 172.17.1.1 type ipsec-l2l
!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.

!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key *
!--- Enter the pre-shared-key in order to configure the
!--- authentication method.

Site to site VPN tunnel between ASA and Router
May 2nd, 2010

Using the above network diagram, the scripts below can be applied to both devices to build a site to site VPN tunnel. The firewall on the left is a Cisco ASA and the device on the right is a Cisco Router. The router needs to have an IOS that supports VPNs. You can test this by typing 'crypto ?' and seeing whether it has the commands available to build the tunnel. After applying the config below, the device at 192.168.11.2 should be able to reach 172.16.22.2 and vice versa.

BLUE ASA
!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! The policy number is arbitrary. The parameters inside the policy
! must match with the other side in order for Phase 1 to complete.
! Lower policy numbers will likely be used before higher ones.
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE

! Define the pre-shared-key
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
 pre-shared-key sekretk3y

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
! ACL must be exactly the opposite of the other side's ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! Transform set must match the other side identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE

!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1
! Make sure that the VPN traffic is NOT NAT'd
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT

RED ROUTER WITH CRYPTO SUPPORT

!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! Note: The default isakmp settings on a router are Encr:DES Hash:SHA DH:Group 1
! If these settings are used, they will not show under 'show run'
crypto isakmp policy 5
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key sekretk3y address 11.11.11.11

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
ip access-list extended ACL-VPN
 permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 11.11.11.11
 set transform-set AES-SHA
 match address ACL-VPN
interface Fa0/0
 crypto map VPN-TUNNEL
 ip nat outside
interface Vlan2
 ip nat inside

!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
ip route 192.168.11.0 255.255.255.0 22.22.22.1

! Make sure that the VPN traffic is NOT NAT'd
ip access-list extended ACL-NAT
 deny ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip any any
ip nat inside source list ACL-NAT interface Fa0/0 overload
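Every configuration walk-through above makes the same demand: the phase 1 policy and the transform set must agree on both peers, and the router's interesting-traffic ACL must be the exact mirror of the ASA's. The Python below is an added example, not a script from any of the articles: it reads a stripped-down ASA and IOS configuration and reports those mismatches before anything is pushed to the devices. The two sample configs are constructed from the BLUE ASA and RED ROUTER scripts, and the table of IOS defaults is taken from that script's note about settings that never show under 'show run'.

```python
import ipaddress
import re
# Constructed sample input, modelled on the BLUE ASA / RED ROUTER scripts above.
ASA_CONF = """\
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
"""
IOS_CONF = """\
crypto isakmp policy 5
 encr aes
 hash sha
 authentication pre-share
 group 2
ip access-list extended ACL-VPN
 permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set transform-set AES-SHA
 match address ACL-VPN
"""
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}  # from the note: hidden in 'show run'

def isakmp_policy(conf, defaults=None):
    """Phase 1 parameters of the first policy; the IOS keyword 'encr' is normalised to 'encryption'."""
    pol = dict(defaults or {})
    block = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", conf, re.M).group(1)
    for line in block.splitlines():
        key, _, val = line.strip().partition(" ")
        pol["encryption" if key == "encr" else key] = val
    return pol

def transform_set(conf):
    name = re.escape(re.search(r"\bset transform-set (\S+)", conf).group(1))
    return tuple(re.search(rf"^crypto ipsec transform-set {name} (.+)$", conf, re.M).group(1).split())

def crypto_acl(conf):
    """(src, dst) network pairs of the interesting-traffic ACL, ASA netmask or IOS wildcard form."""
    name = re.escape(re.search(r"match address (\S+)", conf).group(1))
    block = re.search(rf"^ip access-list extended {name}\n((?: .*\n)+)", conf, re.M)
    lines = block.group(1).splitlines() if block else re.findall(rf"^access-list {name} .*$", conf, re.M)
    pairs = set()
    for m in filter(None, (re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", ln) for ln in lines)):
        # IOS named ACLs carry wildcard bits (0.0.0.255); invert them to the netmask form (255.255.255.0)
        masks = [m[2], m[4]] if not block else [".".join(str(255 - int(o)) for o in w.split(".")) for w in (m[2], m[4])]
        pairs.add((ipaddress.ip_network(f"{m[1]}/{masks[0]}"), ipaddress.ip_network(f"{m[3]}/{masks[1]}")))
    return pairs

def check_pair(asa_conf, ios_conf):
    """Mismatches that would break phase 1, phase 2 or traffic selection; an empty list means consistent."""
    asa_pol, ios_pol = isakmp_policy(asa_conf), isakmp_policy(ios_conf, IOS_ISAKMP_DEFAULTS)
    findings = [f"phase1 {k}: ASA={asa_pol.get(k)} router={ios_pol.get(k)}"
                for k in sorted(set(asa_pol) | set(ios_pol)) if asa_pol.get(k) != ios_pol.get(k)]
    if transform_set(asa_conf) != transform_set(ios_conf):
        findings.append("phase2 transform sets differ")
    if {(d, s) for s, d in crypto_acl(asa_conf)} != crypto_acl(ios_conf):  # router ACL must mirror the ASA's
        findings.append("crypto ACLs are not mirror images")
    return findings
```

Deleting the router's "encr aes" line is the instructive case: the checker fills in the hidden IOS default (des) and reports the phase 1 mismatch that "show run" on the router would never display.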
