Professional Documents
Culture Documents
SEC-3010
9825_05_2004_c1
Agenda
Introduction
Router IPSec VPNS
PIX IPSec VPNS
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
SEC-3010
9825_05_2004_c1
SEC-3010
9825_05_2004_c1
SEC-3010
9825_05_2004_c1
Secure Communications
Using IPSec VPN
Message
Message
Me
ss
ag
SEC-3010
9825_05_2004_c1
es
sa
ge
Two-phase protocol:
Phase I exchange: two peers establish a secure, authenticated channel
with which to communicate; main mode or aggressive mode
accomplishes a phase I exchange
Phase II exchange: security associations are negotiated on behalf
of IPSec services; quick mode accomplishes a phase II exchange
Responder
SEC-3010
9825_05_2004_c1
Protected by Phase I SA
Optional DH exchange for Perfect Forward Secrecy (PFS)
Negotiate IPSec SA parameters, including proxy identities [IDCI, IDCR]
Two unidirectional IPSec SA established with unique SPI number
Nonce exchanged for generating session key
KEYMAT = HMAC (SKEYIDd,[KEIKER|]protocol|SPI|NonceI|NonceR)
SEC-3010
9825_05_2004_c1
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
10
Layout
209.165.200.227
209.165.201.4
Backbone
Router1
Router2
10.1.1.0/24
10.1.2.0/24
Encrypted
SEC-3010
9825_05_2004_c1
11
Router Configurations
crypto isakmp policy 10
crypto isakmp policy Defines the
Phase 1 SA Parameters
encr 3des
authentication pre-share
!
crypto map vpn 10 ipsec-isakmp
set peer 209.165.201.4
set transform-set myset
SEC-3010
9825_05_2004_c1
12
Router Configurations
interface Ethernet0/2
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
ip address 209.165.200.227 255.255.255.0
SEC-3010
9825_05_2004_c1
13
Router Configurations
R1# show crypto map
Crypto Map "vpn" 10 IPSec-isakmp
Peer = 209.165.201.4
Extended IP access list 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Current peer: 209.165.201.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn:
Ethernet0/3
SEC-3010
9825_05_2004_c1
14
SEC-3010
9825_05_2004_c1
15
SEC-3010
9825_05_2004_c1
16
Tunnel Establishment
Interesting Traffic Received
The ping source and destination addresses matched the match address access
list for the crypto map VPN
22:17:24.426: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
The local is the local tunnel end-point, the remote is the remote crypto end
point as configured in the map; The src proxy is the src interesting traffic as
defined by the match address access list; The dst proxy is the destination
interesting traffic as defined by the match address access list
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x400A
The protocol and the transforms are specified by the crypto map which has been
hit, as are the lifetimes
SEC-3010
9825_05_2004_c1
17
Responder
IKE
Begins Main Mode exchange; the first two packets negotiate phase I SA
parameters
ISAKMP: received ke message (1/1)
ISAKMP: local port 500, remote port 500
ISAKMP (0:1): Input = IKE_MESG_FROM_IPsec, IKE_SA_REQ_MM Old State =
IKE_READY
(I) MM_NO_STATE
18
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
ISAKMP (0:1):
ISAKMP (0:1):
ISAKMP (0:1):
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP (0:1):
SEC-3010
9825_05_2004_c1
19
20
21
The IPSec SA proposal offered by far end will be checked against local crypto
map configuration
22
attributes in transform:
ISAKMP:
encaps is 1
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
authenticator is HMAC-MD5
23
SEC-3010
9825_05_2004_c1
24
25
26
Show Commands
Show crypto engine connection active
Show crypto isakmp sa [detail]
Show crypto ipsec sa [detail]
SEC-3010
9825_05_2004_c1
27
Show Commands
Router#show cry engine connection active
ID
Interface
IP-Address
State
1
Ethernet0/3
209.165.200.227 set
This is ISAKMP SA
2000 Ethernet0/3
209.165.200.227 set
2001 Ethernet0/3
209.165.200.227 set
These two are IPSec SAs
Router#sh crypto isakmp sa
dst
src
state
209.165.201.4
209.165.200.227
QM_IDLE
Algorithm
HMAC_SHA+3DES_56_C
Encrypt
0
HMAC_MD5+3DES_56_C
HMAC_MD5+3DES_56_C
conn-id
1
Decrypt
0
0
19
19
0
slot
0
Local
Remote
I-VRF
209.165.200.227
209.165.201.4
Connection-id:Engine-id = 1:1(software)
SEC-3010
9825_05_2004_c1
28
Show Commands
Router# show crypto ipsec sa
interface: Ethernet0/3
Crypto map tag: vpn, local addr. 209.165.200.227
local
29
Show Commands
inbound esp sas:
spi: 0x4579753B(1165587771)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8E1CB77A(2384246650)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
SEC-3010
9825_05_2004_c1
30
Show Commands
Router# show crypto ipsec sa detail
...
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 1, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
...
SEC-3010
9825_05_2004_c1
31
Hardware info
Show diag
Display statistics
SEC-3010
9825_05_2004_c1
32
Indicates Hardware
Crypto Engine On
show diag
slot : 0
Encryption AIM 0:
SEC-3010
9825_05_2004_c1
Hardware revision
: 1.0
: 800-15369-03
Board revision
: B0
33
34
35
Privileged Mode:
0x0000
unknown
Maximum DH index:
1014
ISA/ISM
Maximum SA index:
2029
CryptIC Version:
CGX Version:
FF41
0111
0003030F
3-DES [07F000260000]
Compression:
3 DES:
SEC-3010
9825_05_2004_c1
4059
No
4096
0000
platform: predator
crypto_engine
Unlock Count:
Yes
2004 Cisco Systems, Inc. All rights reserved.
36
Common Issues
Incompatible ISAKMP policy or
pre-shared secrets
Incompatible transform sets
Incompatible or incorrect access lists
Crypto map on the wrong interface
Overlapping ACLs
Routing and filtering issues
Caveats: switching paths
SEC-3010
9825_05_2004_c1
37
hash algorithm:
authentication method:
Rivest-Shamir-Adleman Signature
Diffie-Hellman group:
#1 (768 bit)
lifetime:
38
encryption 3DES-CBC
ISAKMP:
hash MD5
ISAKMP:
default group 1
ISAKMP:
auth pre-share
ISAKMP:
ISAKMP:
life duration (VPI) of
0x0 0x1 0x51 0x80
ISAKMP (0:1): Hash algorithm offered
does not match policy!
ISAKMP (0:1): atts are not acceptable.
Next payload is 0
SEC-3010
9825_05_2004_c1
encryption 3DES-CBC
ISAKMP:
hash MD5
ISAKMP:
default group 1
ISAKMP:
auth pre-share
ISAKMP:
ISAKMP:
life duration (VPI) of
0x0 0x1 0x51 0x80
ISAKMP (0:1): Encryption algorithm
offered does not match policy!
ISAKMP (0:1): atts are not acceptable.
Next payload is 0
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not
acceptable!
39
SEC-3010
9825_05_2004_c1
40
41
Phase II Parameters
IPSec mode (tunnel or transport)
SEC-3010
9825_05_2004_c1
42
SEC-3010
9825_05_2004_c1
43
44
45
Overlapping ACLs
If there are multiple peers to a router, make sure
that the match address access-lists for each of the
peers are mutually exclusive from the match
address access-list for the other peers
If this is not done, the router will choose the wrong
crypto map to try and establish a tunnel with one of
the other peers
SEC-3010
9825_05_2004_c1
46
47
Routing Issues
A packet needs to be routed to the interface which
has the crypto map configured on it before IPSec
kicks in
Routes need to be there for:
The router to reach its peers address
The IP subnets of the destination host before the packets
are encrypted
The IP subnets of the destination host once the packets
are decrypted
48
SEC-3010
9825_05_2004_c1
49
Quiz Time
Agenda
PROXY
IDS NOT SUPPORTED..
Introduction
Debug Message Means:
Router IPSec VPNs
PIX
IPSec
VPNs is mismatched
1.
Phase
2 Hashing
Cisco
EasyVPN
2.
Access-List
is Clients
mismatched
NAT
with2 IPSec
3.
Phase
Encryption type is mismatched
Firewalling and IPSec
4. DH group is mismatched
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
50
Layout
10.1.2.0/24
10.1.1.0/24
209.165.200.226
209.165.202.129
Internet
PIX 1
PIX 2
Private
Encrypted
Private
Public
SEC-3010
9825_05_2004_c1
51
Access-List bypassnat
Defines Interesting Traffic
to bypass NAT for VPN
Access-list encrypt
Defines VPN Interesting
Traffic
SEC-3010
9825_05_2004_c1
Standard Site-to-Site
VPN Configuration Highlight
crypto ipsec transform-set mysetdes esp-des
esp-md5-hmac
crypto
crypto
crypto
crypto
crypto
map
map
map
map
map
encryptmap
encryptmap
encryptmap
encryptmap
encryptmap
20 ipsec-isakmp
20 match address encrypt
20 set peer 209.165.200.226
20 set transform-set mysetdes
interface outside
crypto map..
Commands Define the
IPSec SA (Phase II
SA) Parameters
policy
policy
policy
policy
policy
SEC-3010
9825_05_2004_c1
10
10
10
10
10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
53
Common Issues
Bypassing NAT
Enabling ISAKMP
Missing sysopt commands
Combining PIX-PIX and PIX-VPN client issues
SEC-3010
9825_05_2004_c1
54
Bypassing NAT
Nat needs to be bypassed on the PIX in order for
the remote side to access the private network
behind the PIX seamlessly
Use the NAT 0 command with an access list to
achieve that
SEC-3010
9825_05_2004_c1
55
Enabling ISAKMP
Unlike the router, ISAKMP is not enabled by default
on the PIX
Use the command isakmp enable <interface> to
enable it on an interface
SEC-3010
9825_05_2004_c1
56
SEC-3010
9825_05_2004_c1
57
Combining PIX-PIX
and PIX-Client Issues
If you are doing mode config or x-auth for the VPN
clients you would need to disable them for the siteto-site VPN connections
Use the no-config-mode and no x-auth tags at the
end of the pre-shared
key definitions to disable mode config
and x-auth
isakmp peer fqdn fqdn no-xauth no-config-mode in
case rsa-sig is used as IKE authentication method
SEC-3010
9825_05_2004_c1
58
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling And IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
59
Layout
172.18.124.96
WINS
VPN Client
10.1.1.0/24
Internet
14.38.1.0/24
Router
209.165.200.227
209.165.201.4
Router
14.38.2.0/24
DNS
PIX
209.165.201.2
SEC-3010
9825_05_2004_c1
EasyVPN Clients
60
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password 0 cisco123
username pix password 0 cisco123
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.1.1.10
wins 10.1.1.20
domain cisco.com
pool ippool
acl 100
SEC-3010
9825_05_2004_c1
172.18.124.96
VPN
Client
Router
61
Router
172.18.124.96
VPN
Client
SEC-3010
9825_05_2004_c1
62
172.18.124.96
VPN
Client
Router
interface FastEthernet2/0
ip address 209.165.200.227 255.255.255.0
crypto map clientmap
SEC-3010
9825_05_2004_c1
63
Layout
172.18.124.96
WINS
VPN Client
10.1.1.0/24
Internet
14.38.1.0/24
PIX
209.165.200.226
209.165.201.4
Router
14.38.2.0/24
DNS
PIX
209.165.201.2
SEC-3010
9825_05_2004_c1
EasyVPN Clients
64
172.18.124.96
VPN
Client
PIX
65
172.18.124.96
PIX
VPN
Client
SEC-3010
9825_05_2004_c1
67
Router
209.165.201.4
EZVPN Client
interface Ethernet0
ip address 14.38.1.1 255.255.255.0
crypto ipsec client ezvpn ezvpnclient inside
hold-queue 100 out
interface Ethernet1
ip address 209.165.201.4 255.255.255.224
crypto ipsec client ezvpn ezvpnclient
SEC-3010
9825_05_2004_c1
14.38.1.0/24
68
PIX EasyVPN
209.165.200.227
Router
209.165.201.2
14.38.2.0/24
EZVPN Client
hostname vpn-pix501b
domain-name cisco.com
SEC-3010
9825_05_2004_c1
69
SEC-3010
9825_05_2004_c1
71
72
SEC-3010
9825_05_2004_c1
73
Common Issues
VPN clients only propose DH group 2 and 5
Configure DH group 2 or 5 on Cisco IOS or PIX
Configure isakmp identity hostname if rsa-sig is
used as an IKE authentication method
aaa authorization needs to be enabled on the
router, so that router can accept/send modeconfiguration attributes
On, Cisco IOS EasyVPN client, for X-Auth, you have
to manually type crypto ipsec client ezvpn xauth;
However, this restriction has been lifted in the
latest version of code
SEC-3010
9825_05_2004_c1
74
Quiz Time
Agenda
The
Purpose of
Introduction
sysopt connection permit-IPsec Is:
75
Common Problems
Bypassing NAT entries
NAT in the middle of an IPSec tunnel
SEC-3010
9825_05_2004_c1
76
77
lo1
interface Loopback1
ip address 10.2.2.2 255.255.255.252
e0/2
nat in
interface Ethernet0/3
ip address 209.165.200.227 255.255.255.0
ip nat outside
crypto map vpn
interface Ethernet0/2
ip address 10.1.1.3 255.255.255.0
ip nat inside
ip policy route-map nonat
e0/3
nat out
crypto map
Be Careful:
Packets Get PROCESS SWITCHED
78
e0/2
nat in
e0/3
nat out
crypto map
interface Ethernet0/2
ip address 10.1.1.3 255.255.255.0
ip nat inside
ip nat inside source list 1 interface Ethernet0/3 overload
ip nat inside source static 10.1.1.1 209.165.200.230 route-map nonat
access-list 1 permit 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
SEC-3010
9825_05_2004_c1
79
80
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
81
Internet
Router
Private
Encrypted
Private
Public
SEC-3010
9825_05_2004_c1
82
83
SEC-3010
9825_05_2004_c1
84
set ip access-group
Commands Are Optional;
They Are Used for ClearText Packet Filtering
access-list 150 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500
access-list 150 permit esp host 192.168.2.1 host 192.168.1.1
access-list 160 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500
access-list 160 permit esp host 192.168.1.1 host 192.168.2.1
access-list 171 permit tcp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq telnet
access-list 181 permit tcp 10.1.1.0 0.0.0.255 eq telnet 10.1.2.0 0.0.0.255
SEC-3010
9825_05_2004_c1
85
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling And IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
86
87
10.1.1.2
172.16.172.10/28
e1/0 MTU
1500
e1/1
172.16.172.20/28
MTU
1400
IPSec Tunnel
Path 1500
Media 1500
MTU 1500
10.1.2.2
MTU
1500
Path 1500
Media 1500
1500 DF=1
ICMP Type3 Code 4
(1454)
1454 DF=1
1500 DF copied
ICMP (1400)
1454 DF=1
1400
1400
1354
88
Common Problem
PMTU ICMP packets lost or blocked
Debug ip icmp on router to verify if ICMP packets
are sent or received
Use sniffer to verify if ICMP packets are lost
Work arounds
Reduce MTU or disable PMTU on end host
Adjust TCP MSS on router to fine tune TCP windows
Configure router to clear DF bit of data packets
Look-ahead fragmentation
SEC-3010
9825_05_2004_c1
89
SEC-3010
9825_05_2004_c1
90
91
SEC-3010
9825_05_2004_c1
92
SEC-3010
9825_05_2004_c1
93
Agenda
Quiz Time
The
Introduction
Purpose of
ipsecVPNs
df-bit clear Is:
crypto
Router IPSec
PIX IPSec VPNs
1. To adjust the TCP-MSS value in the syn packets
Cisco EasyVPN Clients
2. To help the router in doing Path MTU Discovery
NAT with IPSec
3. To drop the IPSec packets if dont fragment bit is
set
Firewalling
And IPSec
ToIssues
remove the dont fragment bit
4.
MTU
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
94
c
IPSe
GRE
Internet
Internet
a. Original Packet
b. GRE Encapsulation
c. GRE over IPSec Transport Mode
d. GRE over IPSec Tunnel Mode
a
b
c
d
IP hdr 3
SEC-3010
9825_05_2004_c1
IP Hdr 1
TCP hdr
Data
IP hdr 2
GRE hdr
IP Hdr 1
TCP hdr
Data
IP hdr 2
ESP hdr
GRE hdr
IP Hdr 1
TCP hdr
Data
ESP hdr
IP hdr 2
GRE hdr
IP Hdr 1
TCP hdr
Data
95
SEC-3010
9825_05_2004_c1
96
97
SEC-3010
9825_05_2004_c1
98
SEC-3010
9825_05_2004_c1
99
SEC-3010
9825_05_2004_c1
100
101
DMVPN Configuration
Hub Router
Spoke Router
interface Tunnel0
ip address 192.1.1.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 90
Addresses
no ip split-horizon eigrp 90
tunnel source 192.168.1.1
tunnel mode gre multipoint
tunnel key 652560
tunnel protection ipsec profile cisco
SEC-3010
9825_05_2004_c1
NHRP
MGRE Tunnel
interface Tunnel0
ip address 192.1.1.2 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 90
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.1.1.1 192.168.1.1
ip nhrp map multicast 192.168.1.1
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp nhs 192.1.1.1
no ip split-horizon eigrp 90
tunnel source 192.168.1.2
tunnel mode gre multipoint
tunnel key 652560
tunnel protection ipsec profile cisco
102
DMVPN Troubleshooting
Crypto debugs
NHRP debugs
Debug nhrp
Debug nhrp cache
Registration Process
NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 112
Resolution Process
SEC-3010
9825_05_2004_c1
103
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling And IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
SEC-3010
9825_05_2004_c1
104
Internet
IPSec SA
IPSec SA
SPI
Peer
Local_id
Remote_id
Transform
ESP SPI=0xB1D1EA3F
SPI
Peer
Local_id
Remote_id
Transform
105
SEC-3010
9825_05_2004_c1
106
WHY:
SEC-3010
9825_05_2004_c1
107
SEC-3010
9825_05_2004_c1
108