
VPN - VRF-aware IPsec cheat sheet - Real World - Part 1
Hi Everybody.

I want to share my investigation of how you can configure a VPN for multiple tenants and terminate each VPN inside the VRF of your customer, for example.
If you are not familiar with the VRF-aware IPsec concept, the following topics can help you understand it.
MultiSite Redundancy
VPN IP SLA
You can follow phase two just here (Phase2)
HSRP & DHCP in VRF
You can follow phase three just here (Phase3)
Cisco
VRF-Aware Ipsec Cisco
VRF-Aware Ipsec Cisco 2
VRF-Aware Ipsec Cisco PDF
Topic
VRF-Aware Ipsec Topic
VRF-Aware Ipsec Topic 2

2016 Cisco and/or its affiliates. All Rights Reserved.


This document is Cisco Public Information.

Generated on 2016-04-23-07:00
1

First scenario: two customers are connected to DC1 through a single VPN access (Phase1)
Topology

The goal of this first phase is to simulate two VPN client connections from two different customers to a single device.
These customers use the same block of IP addresses on the local and on the remote site, and for this reason we need VRF-aware IPsec.
!! Note: the clients need to have two separate environments !!
To make this work we need to benefit from IKE profiles together with keyrings and VRFs.
1. IKE
OVERVIEW OF THE ISAKMP PROFILE
An ISAKMP profile is a repository for IKE Phase 1 and IKE Phase 1.5 configuration for a set
of peers (Figure 1). An ISAKMP profile applies parameters to an incoming IPSec connection
identified uniquely through its concept of match identity criteria. These criteria are based
on the IKE identity that is presented by incoming IKE connections and includes IP address,
fully qualified domain name (FQDN), and group (the virtual private network [VPN] remote
client grouping). The granularity of the match identity criteria will impose the granularity of
applying the specified parameters. The ISAKMP profile applies parameters specific to each
profile, such as trust points, peer identities, and XAUTH authentication, authorization, and
accounting (AAA) list, keepalive, and others listed in the following sections.

The ISAKMP profile is an enhancement to Internet Security Association and Key
Management Protocol (ISAKMP) configurations. It enables modularity of ISAKMP
configuration for phase 1 negotiations. This modularity allows mapping different ISAKMP
parameters to different IP Security (IPSec) tunnels, and mapping different IPSec tunnels
to different VPN forwarding and routing (VRF) instances. ISAKMP profile enhancement
was released as part of the VRF-aware IPSec feature in Cisco IOS Software Release
12.2(15)T. Today, many applications and enhancements use the ISAKMP profile, including
quality of service (QoS), router certificate management, and Multiprotocol Label Switching
(MPLS) VPN configurations. This document provides an overview of the ISAKMP profile,
and a description of the current applications that use the profile.

Cisco
ISAKMP Profile Overview
2. Keyring

Crypto Keyring Configuration


A crypto keyring is a repository of preshared and RSA public keys. The keyring is
configured in the router and assigned a key name. The keyring is then configured in the
ISAKMP profile. There can be zero or more keyrings in the crypto ISAKMP profile. The
following example shows the configuration of a crypto keyring:

Keyring Overview + Lab


3. VRF
Use Virtual Routing and Forwarding to create multiple routing tables on the same router

Cisco
Cisco VRF
Cisco VRF 2
Topic
VRF
VRF 2
LAB (Phase1)
In this lab we set up the two VPNs on the CX router, and I start the VPN from the CX to the customer.
The configuration files of the three routers are in the zip file.
CX-ASR Configuration
CX-ASR Basic configuration
enable
!
Conf t
!
hostn CX-ASR
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!

CX-ASR SSH configuration


crypto key gen rsa
!
1024
!
line con 0
!
loggi syn
!
exec-t 25
!
line vty 0 15
!
login local
!
tran in ssh
!

CX-ASR VRF Outside configuration (FVRF)


ip vrf outside-vrf
!
description Outside WAN
!

CX-ASR VRF configuration (IVRF)


ip vrf cust1-vrf
!
description Customer 1 Vrf
!

CX-ASR VRF configuration (IVRF)


ip vrf cust2-vrf
!
description Customer 2 Vrf
!

CX-ASR WAN Interfaces configuration


inte fa0/0
!
ip vrf forw outside-vrf
!
ip add 85.147.160.1 255.255.255.240
!
no shut
!
descr WAN interface
!

CX-ASR Global Clients Interface configuration


inte g1/0
!
no shut
!

CX-ASR Cust1 Interfaces configuration


inte g1/0.10
!
ip vrf forw cust1-vrf
!
encapsulation dot1Q 1000
!
ip add 192.168.20.1 255.255.255.0
!
no shut
!
descr Lan interface Cust-1
!

CX-ASR Cust2 Interfaces configuration


inte g1/0.20
!
ip vrf forw cust2-vrf
!
encapsulation dot1Q 2000
!
ip add 192.168.20.1 255.255.255.0
!
no shut
!
descr Lan interface Cust-2
!

CX-ASR Keyring configuration (For Cust1)


crypto keyring cust1-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.10 key cust-1
!

CX-ASR Keyring configuration (For Cust2)


crypto keyring cust2-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.11 key cust-2
!

CX-ASR ISAKMP (IKE) Phase 1 configuration


crypto isakmp policy 100
!
encr 3des
!
authentication pre-share
!
group 2
!
lifetime 86400
!

CX-ASR Profile ISAKMP (IKE) Phase 1 configuration (For Cust1)


crypto isakmp profile cust1-ike-prof
!
vrf cust1-vrf
!
keyring cust1-keyring
!
match identity address 85.147.160.10 255.255.255.240 outside-vrf
!

CX-ASR Profile ISAKMP (IKE) Phase 1 configuration (For Cust2)


crypto isakmp profile cust2-ike-prof
!
vrf cust2-vrf
!
keyring cust2-keyring
!
match identity address 85.147.160.11 255.255.255.240 outside-vrf
!

CX-ASR IPsec Phase 2 configuration


crypto ipsec transform-set strong ah-sha-hmac esp-3des
!

CX-ASR Crypto Map Phase 2 configuration (For Cust1)


crypto map ipsec-maps 10 ipsec-isakmp
!
description ** Client 1 **
!
set peer 85.147.160.10
!
set transform-set strong
!
set isakmp-profile cust1-ike-prof
!
match address cust-1
!

CX-ASR Crypto Map Phase 2 configuration (For Cust2)


crypto map ipsec-maps 20 ipsec-isakmp
!
description ** Client 2 **
!
set peer 85.147.160.11
!
set transform-set strong
!
set isakmp-profile cust2-ike-prof
!
match address cust-2
!
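As an added example that is not part of the original cheat sheet (and not Cisco code), the following Python script parses the CX-ASR keyring, ISAKMP profile and crypto map lines shown above and checks the per-tenant chain: every crypto-map peer must resolve to exactly one ISAKMP profile, the profile's keyring must be bound to the FVRF the identity is matched in, and that keyring must hold a key for the peer. Function and variable names are my own; on the lab configuration as written it reports that the 255.255.255.240 match-identity mask lets each peer match both profiles.

```python
"""Cross-check the per-tenant IKE bindings (keyring -> ISAKMP profile -> crypto map)
of a VRF-aware IPsec headend. Added example, not part of the original cheat sheet."""
import ipaddress
import re
# Constructed from the CX-ASR configuration on this page (abbreviations expanded).
CX_ASR_CONFIG = """
crypto keyring cust1-keyring vrf outside-vrf
 pre-shared-key address 85.147.160.10 key cust-1
crypto keyring cust2-keyring vrf outside-vrf
 pre-shared-key address 85.147.160.11 key cust-2
crypto isakmp profile cust1-ike-prof
 vrf cust1-vrf
 keyring cust1-keyring
 match identity address 85.147.160.10 255.255.255.240 outside-vrf
crypto isakmp profile cust2-ike-prof
 vrf cust2-vrf
 keyring cust2-keyring
 match identity address 85.147.160.11 255.255.255.240 outside-vrf
crypto map ipsec-maps 10 ipsec-isakmp
 set peer 85.147.160.10
 set isakmp-profile cust1-ike-prof
 match address cust-1
crypto map ipsec-maps 20 ipsec-isakmp
 set peer 85.147.160.11
 set isakmp-profile cust2-ike-prof
 match address cust-2
"""


def parse_crypto_config(text):
    """Return (keyrings, profiles, crypto_map_entries) parsed from IOS-style text."""
    keyrings, profiles, cmap = {}, {}, {}
    section = None  # dict currently receiving the indented sub-commands
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command opens (or ends) a section
            if m := re.match(r"crypto keyring (\S+) vrf (\S+)$", line):
                section = keyrings[m[1]] = {"fvrf": m[2], "keys": []}
            elif m := re.match(r"crypto isakmp profile (\S+)$", line):
                section = profiles[m[1]] = {"ivrf": None, "keyring": None, "match": []}
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
                section = cmap[f"{m[1]} seq {m[2]}"] = {"peer": None, "profile": None, "acl": None}
            else:
                section = None
        elif section is None:
            continue
        elif m := re.match(r"pre-shared-key address (\S+)(?: (\d+\.\d+\.\d+\.\d+))? key \S+", line):
            # No mask on the page means a host key (/32).
            section["keys"].append(ipaddress.ip_network(f"{m[1]}/{m[2] or '255.255.255.255'}", strict=False))
        elif m := re.match(r"vrf (\S+)$", line):
            section["ivrf"] = m[1]  # the inside VRF the tunnel terminates in
        elif m := re.match(r"keyring (\S+)$", line):
            section["keyring"] = m[1]
        elif m := re.match(r"match identity address (\S+) (\S+)(?: (\S+))?$", line):  # (range, FVRF)
            section["match"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3] or "global"))
        elif m := re.match(r"set peer (\S+)$", line):
            section["peer"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"set isakmp-profile (\S+)$", line):
            section["profile"] = m[1]
        elif m := re.match(r"match address (\S+)$", line):
            section["acl"] = m[1]
    return keyrings, profiles, cmap


def check_tenant_bindings(keyrings, profiles, cmap):
    """Return a list of findings; an empty list means every tenant binding is consistent."""
    findings = []
    for name, entry in cmap.items():
        prof = profiles.get(entry["profile"]) or {}
        ring = keyrings.get(prof.get("keyring"))
        if ring is None:
            findings.append(f"{name}: profile {entry['profile']} or its keyring is not defined")
            continue
        peer = entry["peer"]
        # 1. Keyring FVRF must equal the FVRF the identity is matched in, or IKE picks the profile but finds no key.
        for _, fvrf in prof["match"]:
            if fvrf != ring["fvrf"]:
                findings.append(f"{name}: identity matched in {fvrf} but keyring is in {ring['fvrf']}")
        # 2. The crypto-map peer must fall inside the profile's match identity range.
        if not any(peer in net for net, _ in prof["match"]):
            findings.append(f"{name}: peer {peer} outside match identity of {entry['profile']}")
        # 3. The keyring must hold a pre-shared key covering the peer.
        if not any(peer in net for net in ring["keys"]):
            findings.append(f"{name}: no pre-shared key for {peer} in {prof['keyring']}")
        # 4. Each peer should select exactly one profile: a mask wider than a host lets one peer match several IVRFs.
        hits = [p for p, d in profiles.items() if any(peer in n for n, _ in d["match"])]
        if len(hits) != 1:
            findings.append(f"{name}: peer {peer} matches profiles {', '.join(hits)}")
    return findings


def tenant_mapping(keyrings, profiles, cmap):
    """Map each crypto-map peer to (FVRF, IVRF, crypto ACL): where its traffic lands."""
    out = {}
    for entry in cmap.values():
        prof = profiles[entry["profile"]]
        out[str(entry["peer"])] = (keyrings[prof["keyring"]]["fvrf"], prof["ivrf"], entry["acl"])
    return out
```

Paste a `show running-config | section crypto` capture into `CX_ASR_CONFIG` (with the abbreviated commands expanded as above) to run the same checks against a real headend.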

CX-ASR Apply to interface Crypto Map Phase 2 configuration


int fa0/0
!
crypto map ipsec-maps
!

CX-ASR ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!

CX-ASR ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!

CX-ASR NAT Overload configuration (Wan Traffic)


ip nat inside source list 100 interface fastethernet0/0 overload
!

CX-ASR Exclude the VPN traffic from NAT and allow the other traffic to be NATed (For VPN Traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 100 remark

CX-ASR Route for VRF Cust1 (Default Route) !! Note: a more specific route can be set up !!
ip route vrf cust1-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!

CX-ASR Route for VRF Cust2 (Default Route) !! Note: a more specific route can be set up !!
ip route vrf cust2-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!

CX-ASR Save command (Save Configuration) !! Don't Forget !!


copy run start
!

CX-ASR Troubleshooting
CX-ASR show commands (General view)
sho ip int b
!
sho run
!

CX-ASR show commands (For VPN)

sho crypto isakmp key
!
sho crypto isakmp policy
!
sho crypto isakmp profile
!
sho crypto ipsec transform-set
!
sho crypto map
!
sho ip access-lists

CX-ASR show commands (For VRF)

sho ip vrf
!
sho ip vrf outside-vrf
!
sho ip vrf cust1-vrf
!
sho ip vrf cust2-vrf
!
sho ip route vrf outside-vrf
!
sho ip route vrf cust1-vrf
!
sho ip route vrf cust2-vrf
!

CX-ASR debug commands (For VPN)

debug cry ipsec
!
debug cry isakmp
!
debug ip icmp
!
debug ip nat
!

Cust1 Configuration
Cust1 Basic configuration
enable
!
Conf t
!
hostn Cust1
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!

Cust1 SSH configuration


crypto key gen rsa
!
1024
!
line con 0
!
loggi syn
!
exec-t 25
!

line vty 0 15
!
login local
!
tran in ssh

Cust1 WAN Interfaces configuration


inte fa0/0
!
ip add 85.147.160.10 255.255.255.240
!
no shut
!
descr WAN interface
!

Cust1 Interfaces Lan configuration


inte g1/0
!
ip add 192.168.10.1 255.255.255.0
!
no shut
!
descr Lan interface
!

Cust1 Pre-shared Key configuration


crypto isakmp key cust-1 address 85.147.160.1
!

Cust1 ISAKMP (IKE) Phase 1 configuration


crypto isakmp policy 100
!
encr 3des
!
authentication pre-share
!
group 2
!
lifetime 86400
!

Cust1 IPsec Phase 2 configuration


crypto ipsec transform-set strong ah-sha-hmac esp-3des
!

Cust1 Crypto Map Phase 2 configuration


crypto map ipsec-maps 10 ipsec-isakmp
!
description ** Client 1 **
!
set peer 85.147.160.1
!
set transform-set strong
!
match address cust-1
!

Cust1 Apply to interface Crypto Map Phase 2 configuration


int fa0/0
!
crypto map ipsec-maps
!

Cust1 ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!

Cust1 NAT Overload configuration (Wan Traffic)


ip nat inside source list 100 interface fastethernet0/0 overload
!

Cust1 Exclude the VPN traffic from NAT and allow the other traffic to be NATed (For VPN Traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 100 remark

Cust1 Route (Default Route) !! Note: a more specific route can be set up !!

ip route 192.168.20.0 255.255.255.0 85.147.160.1
!

Cust1 Save command (Save Configuration) !! Don't Forget !!

copy run start
!

Cust1 Troubleshooting
Cust1 show commands (General view)


sho ip int b
!
sho run
!

Cust1 show commands (For VPN)

sho crypto isakmp key
!
sho crypto isakmp policy
!
sho crypto ipsec transform-set
!
sho crypto map
!
sho ip access-lists
!

Cust1 show route command


sho ip route
!

Cust1 debug commands (For VPN)

debug cry ipsec
!
debug cry isakmp
!
debug ip icmp
!
debug ip nat
!

Cust2 Configuration
Cust2 Basic configuration
enable
!
Conf t
!
hostn Cust2
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!

Cust2 SSH configuration


crypto key gen rsa
!
1024
!
line con 0
!
loggi syn
!
exec-t 25
!
line vty 0 15
!
login local
!
tran in ssh

Cust2 WAN Interfaces configuration


inte fa0/0
!
ip add 85.147.160.11 255.255.255.240
!
no shut
!
descr WAN interface
!

Cust2 Interfaces Lan configuration


inte g1/0
!
ip add 192.168.10.1 255.255.255.0
!
no shut
!
descr Lan interface

Cust2 Pre-shared Key configuration


crypto isakmp key cust-2 address 85.147.160.1
!

Cust2 ISAKMP (IKE) Phase 1 configuration

crypto isakmp policy 100
!
encr 3des
!
authentication pre-share
!
group 2
!
lifetime 86400
!

Cust2 IPsec Phase 2 configuration

crypto ipsec transform-set strong ah-sha-hmac esp-3des
!

Cust2 Crypto Map Phase 2 configuration

crypto map ipsec-maps 10 ipsec-isakmp
!
description ** Client 2 **
!
set peer 85.147.160.1
!
set transform-set strong
!
match address cust-2
!

Cust2 Apply to interface Crypto Map Phase 2 configuration


int fa0/0
!
crypto map ipsec-maps
!

Cust2 ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!

Cust2 NAT Overload configuration (Wan Traffic)

ip nat inside source list 100 interface fastethernet0/0 overload
!

Cust2 Exclude the VPN traffic from NAT and allow the other traffic to be NATed (For VPN Traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 100 remark
!

Cust2 Route (Default Route) !! Note: a more specific route can be set up !!
ip route 192.168.20.0 255.255.255.0 85.147.160.1
!

Cust2 Save command (Save Configuration) !! Don't Forget !!

copy run start
!

Cust2 Troubleshooting
Cust2 show commands (General view)

sho ip int b
!
sho run
!

Cust2 show commands (For VPN)

sho crypto isakmp key
!
sho crypto isakmp policy
!
sho crypto ipsec transform-set
!
sho crypto map
!
sho ip access-lists
!

Cust2 show route command


sho ip route
!

Cust2 debug commands (For VPN)

debug cry ipsec
!
debug cry isakmp
!
debug ip icmp
!
debug ip nat
!

Test Connectivity (Initiator is CX-ASR)

I initiate the connectivity from CX-ASR to the customer routers; you can see on the screen that the two VPNs are
down in the beginning.

ping vrf cust1-vrf 192.168.10.1 source 192.168.20.1

The connectivity is good and the VPN for Cust1 is coming UP

The same test for customer 2

ping vrf cust2-vrf 192.168.10.1 source 192.168.20.1

The connectivity is good and the VPN for Cust2 is coming UP

Now the two connections are UP.

Now I try to ping from Cust1 to CX-ASR
ping 192.168.20.1 source 192.168.10.1

I have connectivity from Cust1

Now I try to ping from Cust2 to CX-ASR


ping 192.168.20.1 source 192.168.10.1

I have connectivity from Cust2

We now have full connectivity, and the traffic from the different customers is dropped into the different
VRFs.
We have the exact same subnet on both customers and we can see the capability to use it.
Test Connectivity (Initiator is Cust1 and Cust2)
(Cust2 can initiate the VPN but Cust1 doesn't)
Now I clear the sessions and bring down the VPNs on CX-ASR
clear crypto session
!
clear crypto isakmp
!
clear crypto sa
!
show crypto session
!

We can see that both VPNs are down and we can begin to initiate the VPNs from the different
customers.

We try now the ping from Cust1

ping vrf cust1-vrf 192.168.10.1 source 192.168.20.1

We don't have connectivity and the VPN for Cust1 is Down

We try now the ping from Cust2

ping vrf cust2-vrf 192.168.10.1 source 192.168.20.1

We don't have connectivity and the VPN for Cust2 is Down

We have connectivity with CX-ASR from Cust2


Troubleshooting (VPN initiation)

Initiator Cust1

*Feb 26 14:11:17.487: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 85.147.160.10, remote= 85.147.160.1,
    local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x37A39C(3646364), conn_id= 0, keysize= 0, flags= 0x400A
*Feb 26 14:11:17.491: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 85.147.160.10, remote= 85.147.160.1,
    local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x19D3BA0A(433306122), conn_id= 0, keysize= 0, flags= 0x400A
*Feb 26 14:11:17.499: ISAKMP: received ke message (1/2)
*Feb 26 14:11:17.499: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Feb 26 14:11:17.499: ISAKMP: Created a peer struct for 85.147.160.1, peer port 500
*Feb 26 14:11:17.499: ISAKMP: New peer created peer = 0x65A05774 peer_handle = 0x80000008
*Feb 26 14:11:17.503: ISAKMP: Locking peer struct 0x65A05774, IKE refcount 1 for isakmp_initiator
*Feb 26 14:11:17.503: ISAKMP: local port 500, remote port 500
*Feb 26 14:11:17.503: ISAKMP: set new node 0 to QM_IDLE
*Feb 26 14:11:17.503: insert sa successfully sa = 65915AAC
*Feb 26 14:11:17.507: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Feb 26 14:11:17.507: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 85.147.160.1
*Feb 26 14:11:17.507: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Feb 26 14:11:17.511: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Feb 26 14:11:17.511: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Feb 26 14:11:17.511: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 26 14:11:17.511: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Feb 26 14:11:17.515: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Feb 26 14:11:17.515: ISAKMP:(0:0:N/A:0): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 26 14:11:17.583: ISAKMP (0:0): received packet from 85.147.160.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb 26 14:11:17.587: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 26 14:11:17.587: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Feb 26 14:11:17.591: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Feb 26 14:11:17.591: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Feb 26 14:11:17.595: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Feb 26 14:11:17.595: ISAKMP (0:0): vendor ID is NAT-T v7
*Feb 26 14:11:17.595: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 85.147.160.1
*Feb 26 14:11:17.595: ISAKMP:(0:0:N/A:0): local preshared key found
*Feb 26 14:11:17.599: ISAKMP : Scanning profiles for xauth ...
*Feb 26 14:11:17.599: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 100 policy
*Feb 26 14:11:17.599: ISAKMP:      encryption 3DES-CBC
*Feb 26 14:11:17.599: ISAKMP:      hash SHA
*Feb 26 14:11:17.599: ISAKMP:      default group 2
*Feb 26 14:11:17.599: ISAKMP:      auth pre-share
*Feb 26 14:11:17.603: ISAKMP:      life type in seconds
*Feb 26 14:11:17.603: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Feb 26 14:11:17.603: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Feb 26 14:11:18.847: ISAKMP:(0:1:SW:1): processing vendor id payload
*Feb 26 14:11:18.847: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Feb 26 14:11:18.847: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Feb 26 14:11:18.851: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 26 14:11:18.851: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Feb 26 14:11:18.863: ISAKMP:(0:1:SW:1): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 26 14:11:18.867: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 26 14:11:18.867: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Feb 26 14:11:18.943: ISAKMP (0:134217729): received packet from 85.147.160.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb 26 14:11:18.947: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 26 14:11:18.947: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Feb 26 14:11:18.951: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Feb 26 14:11:20.423: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Feb 26 14:11:20.427: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 85.147.160.1
*Feb 26 14:11:20.431: ISAKMP:(0:1:SW:1):SKEYID state generated
*Feb 26 14:11:20.431: ISAKMP:(0:1:SW:1): processing vendor id payload
*Feb 26 14:11:20.431: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Feb 26 14:11:20.435: ISAKMP:(0:1:SW:1): processing vendor id payload
*Feb 26 14:11:20.435: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Feb 26 14:11:20.435: ISAKMP:(0:1:SW:1): processing vendor id payload
*Feb 26 14:11:20.439: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Feb 26 14:11:20.439: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 26 14:11:20.439: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Feb 26 14:11:20.451: ISAKMP:(0:1:SW:1):Send initial contact
*Feb 26 14:11:20.451: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 26 14:11:20.455: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 85.147.160.10
        protocol     : 17
        port         : 500
        length       : 12
*Feb 26 14:11:20.455: ISAKMP:(0:1:SW:1):Total payload length: 12
*Feb 26 14:11:20.459: ISAKMP:(0:1:SW:1): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Feb 26 14:11:20.463: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 26 14:11:20.463: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
..
Success rate is 0 percent (0/5)
Cust-1#
*Feb 26 14:11:30.463: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Feb 26 14:11:30.463: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 26 14:11:30.463: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Feb 26 14:11:30.467: ISAKMP:(0:1:SW:1): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Cust-1#
*Feb 26 14:11:40.467: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Feb 26 14:11:40.467: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 26 14:11:40.467: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Feb 26 14:11:40.471: ISAKMP:(0:1:SW:1): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Cust-1#
*Feb 26 14:11:47.487: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 85.147.160.10, remote= 85.147.160.1,
    local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)
*Feb 26 14:11:47.491: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 85.147.160.10, remote= 85.147.160.1,
    local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x3DA1C07F(1034010751), conn_id= 0, keysize= 0, flags= 0x400A
*Feb 26 14:11:47.491: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 85.147.160.10, remote= 85.147.160.1,
    local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xAE492F46(2924031814), conn_id= 0, keysize= 0, flags= 0x400A
*Feb 26 14:11:47.499: ISAKMP: received ke message (1/2)
*Feb 26 14:11:47.499: ISAKMP: set new node 0 to QM_IDLE
*Feb 26 14:11:47.503: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 85.147.160.10, remote 85.147.160.1)
Cust-1#
*Feb 26 14:11:50.471: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Feb 26 14:11:50.471: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 26 14:11:50.471: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Feb 26 14:11:50.475: ISAKMP:(0:1:SW:1): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Cust-1#
*Feb 26 14:12:00.475: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Feb 26 14:12:00.475: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb 26 14:12:00.475: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Feb 26 14:12:00.479: ISAKMP:(0:1:SW:1): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Cust-1#
*Feb 26 14:12:10.479: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Feb 26 14:12:10.479: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 26 14:12:10.479: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
*Feb 26 14:12:10.483: ISAKMP:(0:1:SW:1): sending packet to 85.147.160.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Cust-1#
*Feb 26 14:12:17.487: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 85.147.160.10, remote= 85.147.160.1,
    local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4)
*Feb 26 14:12:17.491: ISAKMP: received ke message (3/1)
*Feb 26 14:12:17.491: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
*Feb 26 14:12:17.491: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 85.147.160.1)
*Feb 26 14:12:17.499: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 85.147.160.1)
Cust-1#
*Feb 26 14:12:17.499: ISAKMP: Unlocking IKE struct 0x65A05774 for isadb_mark_sa_deleted(), count 0
*Feb 26 14:12:17.499: ISAKMP: Deleting peer node by peer_reap for 85.147.160.1: 65A05774
*Feb 26 14:12:17.503: ISAKMP:(0:1:SW:1):deleting node -849001735 error FALSE reason "IKE deleted"
*Feb 26 14:12:17.503: ISAKMP:(0:1:SW:1):deleting node -888693032 error FALSE reason "IKE deleted"
*Feb 26 14:12:17.503: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 26 14:12:17.507: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Feb 26 14:12:17.507: IPSEC(key_engine): got a queue event with 1 kei messages

Target CX-ASR

*Feb 26 14:11:29.763: ISAKMP (0:0): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (N) NEW SA
*Feb 26 14:11:29.767: ISAKMP: Created a peer struct for 85.147.160.10, peer port 500
*Feb 26 14:11:29.767: ISAKMP: New peer created peer = 0x64557CBC peer_handle = 0x8000000C
*Feb 26 14:11:29.767: ISAKMP: Locking peer struct 0x64557CBC, IKE refcount 1 for crypto_isakmp_process_block
*Feb 26 14:11:29.771: ISAKMP: local port 500, remote port 500
*Feb 26 14:11:29.771: insert sa successfully sa = 65915AAC
*Feb 26 14:11:29.771: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 26 14:11:29.775: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Feb 26 14:11:29.783: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Feb 26 14:11:29.787: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Feb 26 14:11:29.787: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Feb 26 14:11:29.787: ISAKMP (0:0): vendor ID is NAT-T v7
*Feb 26 14:11:29.787: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Feb 26 14:11:29.787: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Feb 26 14:11:29.791: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Feb 26 14:11:29.791: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Feb 26 14:11:29.791: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 26 14:11:29.791: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Feb 26 14:11:29.795: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 85.147.160.10
*Feb 26 14:11:29.795: ISAKMP:(0:0:N/A:0): local preshared key found
*Feb 26 14:11:29.795: ISAKMP : Scanning profiles for xauth ... cust1-ike-prof cust2-ike-prof
*Feb 26 14:11:29.799: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 100 policy
*Feb 26 14:11:29.799: ISAKMP:      encryption 3DES-CBC
*Feb 26 14:11:29.799: ISAKMP:      hash SHA
*Feb 26 14:11:29.799: ISAKMP:      default group 2
*Feb 26 14:11:29.799: ISAKMP:      auth pre-share
*Feb 26 14:11:29.799: ISAKMP:      life type in seconds
*Feb 26 14:11:29.803: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Feb 26 14:11:29.803: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Feb 26 14:11:30.955: ISAKMP:(0:2:SW:1): processing vendor id payload
*Feb 26 14:11:30.959: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Feb 26 14:11:30.959: ISAKMP (0:134217730): vendor ID is NAT-T v7
*Feb 26 14:11:30.959: ISAKMP:(0:2:SW:1): processing vendor id payload
*Feb 26 14:11:30.959: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Feb 26 14:11:30.963: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v3
*Feb 26 14:11:30.963: ISAKMP:(0:2:SW:1): processing vendor id payload
*Feb 26 14:11:30.963: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 26 14:11:30.967: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v2
*Feb 26 14:11:30.967: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 26 14:11:30.967: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Feb 26 14:11:30.983: ISAKMP:(0:2:SW:1): constructed NAT-T vendor-07 ID
*Feb 26 14:11:30.983: ISAKMP:(0:2:SW:1): sending packet to 85.147.160.10 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Feb 26 14:11:30.987: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 26 14:11:30.987: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Feb 26 14:11:31.083: ISAKMP (0:134217730): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (R) MM_SA_SETUP
*Feb 26 14:11:31.087: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 26 14:11:31.087: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Feb 26 14:11:31.091: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
*Feb 26 14:11:31.735: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
*Feb 26 14:11:31.735: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 85.147.160.10
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1):SKEYID state generated
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1): processing vendor id payload
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1): vendor ID is Unity
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1): processing vendor id payload
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1): vendor ID is DPD
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1): processing vendor id payload
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1): speaking to another IOS box!
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1): sending packet to 85.147.160.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Feb 26 14:11:31.775: ISAKMP (0:134217730): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (R) MM_KEY_EXCH
*Feb 26 14:11:31.779: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 26 14:11:31.783: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Feb 26 14:11:31.783: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
*Feb 26 14:11:31.787: ISAKMP (0:134217730): ID payload
        next-payload : 8
        type         : 1
        address      : 85.147.160.10
        protocol     : 17
        port         : 500
        length       : 12
*Feb 26 14:11:31.787: ISAKMP:(0:2:SW:1):: peer matches cust2-ike-prof profile
*Feb 26 14:11:31.791: ISAKMP:(0:2:SW:1):Key not found in keyrings of profile , aborting exchange
*Feb 26 14:11:31.791: ISAKMP (0:134217730): FSM action returned error: 2
*Feb 26 14:11:31.791: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 26 14:11:31.791: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Feb 26 14:11:31.795: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.
*Feb 26 14:11:31.795: ISAKMP:(0:2:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 85.147.160.10)
*Feb 26 14:11:31.795: ISAKMP (0:134217730): FSM action returned error: 2
*Feb 26 14:11:31.795: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Feb 26 14:11:31.795: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
*Feb 26 14:11:31.795: ISAKMP:(0:2:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 85.147.160.10)
*Feb 26 14:11:31.795: ISAKMP: Unlocking IKE struct 0x64557CBC for isadb_mark_sa_deleted(), count 0
*Feb 26 14:11:31.795: ISAKMP: Deleting peer node by peer_reap for 85.147.160.10: 64557CBC
*Feb 26 14:11:31.795: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 26 14:11:31.799: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_DEST_SA
*Feb 26 14:11:31.799: IPSEC(key_engine): got a queue event with 1 kei messages
CX-ASR#
*Feb 26 14:11:41.731: ISAKMP (0:134217730): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (R) MM_NO_STATE
CX-ASR#
*Feb 26 14:11:51.723: ISAKMP (0:134217730): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (R) MM_NO_STATE
*Feb 26 14:11:52.703: ISAKMP:(0:1:SW:1):purging SA., sa=64559FD8, delme=64559FD8
CX-ASR#
*Feb 26 14:12:01.531: ISAKMP (0:134217730): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (R) MM_NO_STATE
CX-ASR#
*Feb 26 14:12:11.459: ISAKMP (0:134217730): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (R) MM_NO_STATE
CX-ASR#
*Feb 26 14:12:21.691: ISAKMP (0:134217730): received packet from 85.147.160.10 dport 500 sport 500 outside-vrf (R) MM_NO_STATE
CX-ASR#
*Feb 26 14:12:31.795: ISAKMP:(0:2:SW:1):purging SA., sa=65915AAC, delme=65915AAC

The reason for the deletion of the SA seems to be "Key not found in keyrings of profile , aborting
exchange", because the key is not found in the cust1 profile on the CX-ASR,
and I saw that the second profile is used at the end of the debugging, but the right profile is Cust1 and not this one:
"peer matches cust2-ike-prof profile"
I read a lot of things about an issue that can occur when you use the same IP address in different keyrings; but
it looks like it is not the same case, because we don't use the same IP address in this lab, though the symptom looks
very similar.
I saw in the Cisco keyring lab that when you use keyrings the debug is different from mine, but we have the same "profile no
match", so maybe that is something I can begin with.
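Reading a `debug crypto isakmp` capture like the one above end to end is slow, so here is an added Python example (my own, not code from the original post or from Cisco) that pulls out the lines that decide the outcome: the state transitions, the peer whose pre-shared key the pre-MM5 keyring scan found, the ISAKMP profile matched once the ID payload was processed, the "Key not found in keyrings of profile" abort, the SA deletion reason, and the number of phase 1 retransmits. The two samples are lines copied from the CX-ASR and Cust-1 columns above (with a prompt echo left in to show that prompts are skipped); the function names are mine.

```python
import re

# Patterns for the IOS ISAKMP debug lines that decide a main-mode outcome.
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PSK_RE = re.compile(r"found peer pre-shared key matching (\S+)")
PROFILE_RE = re.compile(r"peer matches (\S+) profile")
ABORT_RE = re.compile(r"Key not found in keyrings of profile")
RETRANS_RE = re.compile(r"retransmitting phase 1 \S+\.\.\.$")
DELETE_RE = re.compile(
    r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+) \(peer ([^)]+)\)')

# Constructed sample: responder-side lines copied from the CX-ASR column above.
SAMPLE_RESPONDER_DEBUG = """\
*Feb 26 14:11:29.775: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
*Feb 26 14:11:29.795: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 85.147.160.10
*Feb 26 14:11:30.987: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1):SKEYID state generated
*Feb 26 14:11:31.739: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Feb 26 14:11:31.783: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
CX-ASR#
*Feb 26 14:11:31.787: ISAKMP:(0:2:SW:1):: peer matches cust2-ike-prof profile
*Feb 26 14:11:31.791: ISAKMP:(0:2:SW:1):Key not found in keyrings of profile , aborting exchange
*Feb 26 14:11:31.795: ISAKMP:(0:2:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 85.147.160.10)
"""

# Constructed sample: initiator-side lines copied from the Cust-1 column above.
SAMPLE_INITIATOR_DEBUG = """\
*Feb 26 14:11:20.463: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Cust-1#
*Feb 26 14:11:30.463: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
*Feb 26 14:12:17.491: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 85.147.160.1)
*Feb 26 14:12:17.507: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
"""


def parse_isakmp_debug(text):
    """Walk the debug output once and collect the facts that explain a phase 1 failure."""
    report = {
        "transitions": [],     # (old_state, new_state) in the order seen
        "psk_peer": None,      # peer whose PSK the global keyring scan found (before MM5)
        "profile": None,       # ISAKMP profile matched from the IKEID (after MM5)
        "keyring_abort": False,
        "retransmits": 0,
        "deletions": [],       # (reason, role, state, peer)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("*"):
            continue  # prompt echoes such as "CX-ASR#" carry no debug content
        m = STATE_RE.search(line)
        if m:
            report["transitions"].append((m.group(1), m.group(2)))
            continue
        m = PSK_RE.search(line)
        if m:
            report["psk_peer"] = m.group(1)
            continue
        m = PROFILE_RE.search(line)
        if m:
            report["profile"] = m.group(1)
            continue
        if ABORT_RE.search(line):
            report["keyring_abort"] = True
            continue
        if RETRANS_RE.search(line):
            report["retransmits"] += 1
            continue
        m = DELETE_RE.search(line)
        if m:
            report["deletions"].append(m.groups())
    return report


def last_state(report):
    return report["transitions"][-1][1] if report["transitions"] else None


def diagnose(report):
    """One-line verdict; the keyring abort is the decisive symptom when present."""
    if report["keyring_abort"]:
        return ("keyring-mismatch: pre-MM5 scan found a key for %s, but profile %s "
                "selected from the MM5 IKEID has no key for that peer (last state %s)"
                % (report["psk_peer"], report["profile"], last_state(report)))
    if report["deletions"]:
        reason, role, state, peer = report["deletions"][0]
        return "phase1-failed: SA to %s deleted in %s (%s) with reason %s" % (
            peer, state, role, reason)
    return "no phase 1 failure detected (last state %s)" % last_state(report)


if __name__ == "__main__":
    print(diagnose(parse_isakmp_debug(SAMPLE_RESPONDER_DEBUG)))
    print(diagnose(parse_isakmp_debug(SAMPLE_INITIATOR_DEBUG)))
```

Run against the responder capture the verdict names the keyring mismatch and the profile that was matched (cust2-ike-prof, not cust1-ike-prof); run against the initiator capture it only sees the retransmits and the "P1 delete notify (in)" teardown, which is why the responder's debug is the one to read first.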

Example Scenarios
In the first scenario, R1 is the ISAKMP initiator. The tunnel is negotiating correctly, and traffic is protected as
expected.
The second scenario uses the same topology, but has R2 as the ISAKMP initiator when phase1 negotiation is
failing.
Internet Key Exchange Version 1 (IKEv1) needs a pre-shared key for skey calculation, which is used in order
to decrypt/encrypt Main Mode packet 5 (MM5) and subsequent IKEv1 packets. The skey is derived from
the Diffie-Hellman (DH) computation and the pre-shared key. That pre-shared key needs to be determined
after MM3 (responder) or MM4 (initiator) is received, so that the skey, which is used in MM5/MM6, can be
computed.
For the ISAKMP responder in MM3, the specific ISAKMP profile is not yet determined because that happens
after the IKEID is received in MM5. Instead, all keyrings are searched for a pre-shared key, and the first or best
matching keyring from the global configuration is selected. That keyring is used in order to calculate the skey
that is used for decryption of MM5 and encryption of MM6. After the decryption of MM5 and after the ISAKMP
profile and associated keyring are determined, the ISAKMP responder performs verification if the same keyring
has been selected; if the same keyring is not selected, the connection is dropped.


Thus, for the ISAKMP responder, you should use a single keyring with multiple entries whenever possible.
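To make the responder-side ordering concrete, here is an added Python simulation (mine, not Cisco code; IOS exposes no API for this) of the keyring selection the paragraphs above describe: a scan of the global keyrings before MM5, an SKEYID derived from whatever key that scan found, profile selection only once the IKEID in MM5 is readable, and a final check that the profile's keyring is the one the scan used. The configuration is constructed in the shape of the Cisco example (peer 192.168.0.2 present in both keyring1 and keyring2, profile2 bound to keyring2); HMAC-SHA256 stands in for the IKEv1 PRF and the nonces are fixed bytes; names such as `responder_main_mode` and `lab_config` are mine.

```python
import hashlib
import hmac
from collections import OrderedDict


def prf(key, data):
    """Stand-in for the IKEv1 PRF (HMAC-SHA256 here; the mechanism is what matters)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def scan_global_keyrings(keyrings, peer_addr):
    """Pre-MM5 step: no profile is known yet, so the responder takes the first keyring
    in configuration order that holds a key for the peer's address."""
    for name, entries in keyrings.items():
        if peer_addr in entries:
            return name, entries[peer_addr]
    return None, None


def responder_main_mode(keyrings, profiles, peer_addr, initiator_psk, ni=b"Ni", nr=b"Nr"):
    report = {"scan_keyring": None, "profile": None, "result": None}
    scan_keyring, psk = scan_global_keyrings(keyrings, peer_addr)
    report["scan_keyring"] = scan_keyring
    if psk is None:
        report["result"] = "dropped: no pre-shared key for peer"
        return report
    # MM3/MM4: each side derives SKEYID from its own idea of the PSK plus the nonces.
    skeyid_r = prf(psk, ni + nr)
    skeyid_i = prf(initiator_psk, ni + nr)
    # MM5: the initiator's ID payload is protected under its SKEYID. The responder can
    # only verify it if it derived the same SKEYID (otherwise "His hash no match").
    ike_id = peer_addr.encode()
    mm5_hash = prf(skeyid_i, ike_id)
    if not hmac.compare_digest(prf(skeyid_r, ike_id), mm5_hash):
        report["result"] = "dropped: MM5 hash mismatch (different pre-shared key used for SKEYID)"
        return report
    # Only now is the IKEID readable, so only now can the ISAKMP profile be chosen.
    profile = next((n for n, p in profiles.items() if p["match"] == peer_addr), None)
    report["profile"] = profile
    if profile is None:
        report["result"] = "dropped: no ISAKMP profile matches the IKEID"
        return report
    profile_keyring = profiles[profile]["keyring"]
    if peer_addr not in keyrings.get(profile_keyring, {}):
        report["result"] = "dropped: key not found in keyring of profile %s" % profile
        return report
    if profile_keyring != scan_keyring:
        report["result"] = "dropped: profile %s uses %s but SKEYID was built from %s" % (
            profile, profile_keyring, scan_keyring)
        return report
    report["result"] = "established"
    return report


def lab_config(single_keyring):
    """Constructed config in the shape of the Cisco example. With two keyrings the peer
    192.168.0.2 appears in both and profile2 points at keyring2; with single_keyring=True
    the same entries live in one keyring, which is the recommended layout."""
    profiles = {
        "profile1": {"match": "10.0.0.9", "keyring": "keyring1"},
        "profile2": {"match": "192.168.0.2", "keyring": "keyring2"},
    }
    if single_keyring:
        keyrings = OrderedDict([("keyring1", {"10.0.0.9": b"other", "192.168.0.2": b"cisco"})])
        for p in profiles.values():
            p["keyring"] = "keyring1"
    else:
        keyrings = OrderedDict([
            ("keyring1", {"10.0.0.9": b"other", "192.168.0.2": b"cisco"}),
            ("keyring2", {"192.168.0.2": b"cisco"}),
        ])
    return keyrings, profiles


if __name__ == "__main__":
    for single in (False, True):
        kr, pr = lab_config(single)
        print("single keyring" if single else "two keyrings",
              responder_main_mode(kr, pr, "192.168.0.2", b"cisco"))
```

With two keyrings the scan picks keyring1, MM5 decrypts fine because both entries hold the same key, and the session is still dropped when profile2 turns out to be bound to keyring2; collapsing the entries into one keyring makes the scan result and the profile's keyring agree, which is the single-keyring recommendation above.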

Cisco Debug Lab R1 Initiate (Correct)

1. R1 initiates the tunnel, sends the MM1 packet with policy proposals, and receives MM2 in response. MM3 is then prepared:

R1#ping 192.168.200.1 source lo0 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.200.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1

*Jun 19 10:04:24.826: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.0.1:500, remote= 192.168.0.2:500,
    local_proxy= 192.168.0.1/255.255.255.255/47/0,
    remote_proxy= 192.168.0.2/255.255.255.255/47/0,
    protocol= ESP, transform= esp-aes esp-sha256-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jun 19 10:04:24.826: ISAKMP:(0): SA request profile is profile2
*Jun 19 10:04:24.826: ISAKMP: Found a peer struct for 192.168.0.2, peer port 500
*Jun 19 10:04:24.826: ISAKMP: Locking peer struct 0xF483A970, refcount 1 for isakmp_initiator
*Jun 19 10:04:24.826: ISAKMP: local port 500, remote port 500
*Jun 19 10:04:24.826: ISAKMP: set new node 0 to QM_IDLE
*Jun 19 10:04:24.826: ISAKMP:(0):insert sa successfully sa = F474C2E8
*Jun 19 10:04:24.826: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 19 10:04:24.826: ISAKMP:(0):Found ADDRESS key in keyring keyring2
*Jun 19 10:04:24.826: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 19 10:04:24.826: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 19 10:04:24.826: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 19 10:04:24.826: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 19 10:04:24.826: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 19 10:04:24.826: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 19 10:04:24.826: ISAKMP:(0): beginning Main Mode exchange
*Jun 19 10:04:24.826: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 19 10:04:24.826: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 19 10:04:24.827: ISAKMP (0): received packet from 192.168.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 19 10:04:24.827: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 19 10:04:24.827: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 19 10:04:24.827: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 19 10:04:24.827: ISAKMP:(0): processing vendor id payload
*Jun 19 10:04:24.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 19 10:04:24.827: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 19 10:04:24.827: ISAKMP:(0):Found ADDRESS key in keyring keyring2
*Jun 19 10:04:24.827: ISAKMP:(0): local preshared key found
*Jun 19 10:04:24.827: ISAKMP : Looking for xauth in profile profile2
*Jun 19 10:04:24.827: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 19 10:04:24.827: ISAKMP:      encryption 3DES-CBC
*Jun 19 10:04:24.827: ISAKMP:      hash MD5
*Jun 19 10:04:24.827: ISAKMP:      default group 2
*Jun 19 10:04:24.827: ISAKMP:      auth pre-share
*Jun 19 10:04:24.827: ISAKMP:      life type in seconds
*Jun 19 10:04:24.827: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 19 10:04:24.827: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 19 10:04:24.827: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 19 10:04:24.827: ISAKMP:(0):Acceptable atts:life: 0
*Jun 19 10:04:24.827: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 19 10:04:24.827: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 19 10:04:24.827: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 19 10:04:24.827: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 19 10:04:24.827: ISAKMP:(0): processing vendor id payload
*Jun 19 10:04:24.827: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 19 10:04:24.827: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 19 10:04:24.827: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 19 10:04:24.827: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 19 10:04:24.828: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

From the outset, R1 knows that ISAKMP profile2 should be used because it is bound under the IPSec profile used for that VTI. Thus, the correct keyring (keyring2) has been selected. The pre-shared key from keyring2 is used as the keying material for DH calculations when the MM3 packet is being prepared.

2. When R2 receives that MM3 packet, it still does not know which ISAKMP profile should be used, but it needs a pre-shared key for DH generation. That is why R2 searches all keyrings in order to find the pre-shared key for that peer:

*Jun 19 10:04:24.828: ISAKMP (0): received packet from 192.168.0.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jun 19 10:04:24.828: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 19 10:04:24.828: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jun 19 10:04:24.828: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 19 10:04:24.831: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 19 10:04:24.831: ISAKMP:(0):found peer pre-shared key matching 192.168.0.1

The key for 192.168.0.1 has been found in the first defined keyring (keyring1).

3. R2 then prepares the MM4 packet with DH calculations and with the 'cisco' key from keyring1:

*Jun 19 10:04:24.831: ISAKMP:(1011): processing vendor id payload
*Jun 19 10:04:24.831: ISAKMP:(1011): vendor ID is DPD
*Jun 19 10:04:24.831: ISAKMP:(1011): processing vendor id payload
*Jun 19 10:04:24.831: ISAKMP:(1011): speaking to another IOS box!
*Jun 19 10:04:24.831: ISAKMP:(1011): processing vendor id payload
*Jun 19 10:04:24.831: ISAKMP:(1011): vendor ID seems Unity/DPD but major 32 mismatch
*Jun 19 10:04:24.831: ISAKMP:(1011): vendor ID is XAUTH
*Jun 19 10:04:24.831: ISAKMP:received payload type 20
*Jun 19 10:04:24.831: ISAKMP (1011): His hash no match - this node outside NAT
*Jun 19 10:04:24.831: ISAKMP:received payload

Cisco Debug Lab R2 Initiate (Fail)

1. R2 initiates the tunnel:

R2#ping 192.168.100.1 source lo0 repeat 1

2. Since R2 is the initiator, the ISAKMP profile and keyring are known. The pre-shared key from keyring1 is used for DH computations and is sent in MM3. R2 is receiving MM2 and is preparing MM3 based on that key:

*Jun 19 12:28:44.256: ISAKMP (0): received packet from 192.168.0.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 19 12:28:44.256: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 19 12:28:44.256: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 19 12:28:44.256: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 19 12:28:44.256: ISAKMP:(0): processing vendor id payload
*Jun 19 12:28:44.256: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 19 12:28:44.256: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 19 12:28:44.256: ISAKMP:(0):Found ADDRESS key in keyring keyring1
*Jun 19 12:28:44.256: ISAKMP:(0): local preshared key found
*Jun 19 12:28:44.256: ISAKMP : Looking for xauth in profile profile1
*Jun 19 12:28:44.256: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 19 12:28:44.256: ISAKMP:      encryption 3DES-CBC
*Jun 19 12:28:44.256: ISAKMP:      hash MD5
*Jun 19 12:28:44.256: ISAKMP:      default group 2
*Jun 19 12:28:44.256: ISAKMP:      auth pre-share
*Jun 19 12:28:44.256: ISAKMP:      life type in seconds
*Jun 19 12:28:44.256: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 19 12:28:44.256: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 19 12:28:44.256: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 19 12:28:44.257: ISAKMP:(0):Acceptable atts:life: 0
*Jun 19 12:28:44.257: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 19 12:28:44.257: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 19 12:28:44.257: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 19 12:28:44.257: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 19 12:28:44.257: ISAKMP:(0): processing vendor id payload
*Jun 19 12:28:44.257: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 19 12:28:44.257: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 19 12:28:44.257: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 19 12:28:44.257: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 19 12:28:44.257: ISAKMP:(0): sending packet to 192.168.0.1 my_port 500 peer_port 500 (I) MM_SA_SETUP

3. R1 receives MM3 from R2. At this stage, R1 does not know which ISAKMP profile to use, so it does not know which keyring to use. R1 thus uses the first keyring from the global configuration, which is keyring1. R1 uses that pre-shared key for DH computations and sends MM4:

*Jun 19 12:28:44.263: ISAKMP:(0):found peer pre-shared key matching 192.168.0.2
*Jun 19 12:28:44.263: ISAKMP:(1012): processing vendor id payload
*Jun 19 12:28:44.263: ISAKMP:(1012): vendor ID is DPD
*Jun 19 12:28:44.263: ISAKMP:(1012): processing vendor id payload
*Jun 19 12:28:44.263: ISAKMP:(1012): speaking to another IOS box!
*Jun 19 12:28:44.263: ISAKMP:(1012): processing vendor id payload
*Jun 19 12:28:44.263: ISAKMP:(1012): vendor ID seems Unity/DPD but major 151 mismatch
*Jun 19 12:28:44.263: ISAKMP:(1012): vendor ID is XAUTH
*Jun 19 12:28:44.263: ISAKMP:received payload type 20
*Jun 19 12:28:44.263: ISAKMP (1012): His hash no match - this node outside NAT
*Jun 19 12:28:44.263: ISAKMP:received payload type 20
*Jun 19 12:28:44.263: ISAKMP (1012): No NAT Found for self or peer
*Jun 19 12:28:44.263: ISAKMP:(1012):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 19 12:28:44.263: ISAKMP:(1012):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jun 19 12:28:44.263: ISAKMP:(1012): sending packet to 192.168.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXC

4. R2 receives MM4 from R1, uses the pre-shared key from keyring1 in order to compute DH, and prepares the MM5 packet and the IKEID:

*Jun 19 12:28:44.269: ISAKMP:(0):Found ADDRESS key in keyring keyring1
*Jun 19 12:28:44.269: ISAKMP:(1012): processing vendor id payload
*Jun 19 12:28:44.269: ISAKMP:(1012): vendor ID is Unity
*Jun 19 12:28:44.269: ISAKMP:(1012): processing vendor id payload
*Jun 19 12:28:44.269: ISAKMP:(1012): vendor ID is DPD
*Jun 19 12:28:44.269: ISAKMP:(1012): speaking to another IOS box!
*Jun 19 12:28:44.269: ISAKMP:(1012): processing vendor id payload
*Jun 19 12:28:44.269: ISAKMP:received payload type 20
*Jun 19 12:28:44.269: ISAKMP (1012): His hash no match - this node outside NAT
*Jun 19 12:28:44.269: ISAKMP:received payload type 20
*Jun 19 12:28:44.269: ISAKMP (1012): No NAT Found for self or peer
*Jun 19 12:28:44.269: ISAKMP:(1012):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 19 12:28:44.269: ISAKMP:(1012):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jun 19 12:28:44.270: ISAKMP:(1012):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 19 12:28:44.270: ISAKMP (1012): ID payload
        next-payload : 8
        type         : 1
        address      : 192.168.0.2
        protocol     : 17
        port         : 500
        length       : 12
*Jun 19 12:28:44.270: ISAKMP:(1012):Total payload length: 12
*Jun 19 12:28:44.270: ISAKMP:(1012): sending packet to 192.168.0.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

5. R1 receives MM5 from R1. Because the IKEID equals 192.168.0, profile2 has been selected. Keyring2 has been configured in profile2 so keyring2 is selected. Previously, for the DH computation in MM4, R1 selected the first
type 20
*Jun 19 10:04:24.831: ISAKMP (1011): No NAT
Found for self or peer
*Jun 19 10:04:24.831: ISAKMP:(1011):Input =
IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jun 19 10:04:24.831: ISAKMP:(1011):Old State =
IKE_R_MM3 New State =
IKE_R_MM3
*Jun 19 10:04:24.831: ISAKMP:(1011): sending
packet to 192.168.0.1 my_port
500 peer_port 500 (R) MM_KEY_EXCH
*Jun 19 10:04:24.831: ISAKMP:(1011):Sending an
IKE IPv4 Packet.
4. When R1 receives MM4, it prepares the MM5
packet with IKEID and with the correct key
selected earlier (from keyring2):
*Jun 19 10:04:24.831: ISAKMP (0): received
packet from 192.168.0.2 dport
500 sport 500 Global (I) MM_SA_SETUP
*Jun 19 10:04:24.831: ISAKMP:(0):Input =
IKE_MESG_FROM_PEER, IKE_MM_EXCH

configured keyring, which was keyring1. Even


though the passwords are exactly the same, the
validation for the keyring fails because these are
different keyring objects:
*Jun 19 12:28:44.270: ISAKMP (1012): received
packet from 192.168.0.2
dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jun 19 12:28:44.270: ISAKMP:(1012):Input =
IKE_MESG_FROM_PEER,
IKE_MM_EXCH
*Jun 19 12:28:44.270: ISAKMP:(1012):Old State =
IKE_R_MM4 New State =
IKE_R_MM5
*Jun 19 12:28:44.270: ISAKMP:(1012): processing
ID payload. message ID = 0
*Jun 19 12:28:44.270: ISAKMP (1012): ID payload
next-payload : 8
type
address
protocol
port
length

:1
: 192.168.0.2
: 17
: 500
: 12

*Jun 19 12:28:44.270: ISAKMP:(0):: peer


matches profile2 profile
*Jun 19 12:28:44.270: ISAKMP:(1012):Found
ADDRESS key in keyring keyring2
*Jun 19 12:28:44.270: ISAKMP:(1012):Key not
found in keyrings of profile ,
aborting exchange
*Jun 19 12:28:44.270: ISAKMP (1012): FSM
action returned error: 2

*Jun 19 10:04:24.831: ISAKMP:(0):Old State =


IKE_I_MM3 New State =
IKE_I_MM4
*Jun 19 10:04:24.831: ISAKMP:(0): processing KE
payload. message ID = 0
*Jun 19 10:04:24.837: ISAKMP:(0): processing
NONCE payload. message ID = 0
*Jun 19 10:04:24.837: ISAKMP:(0):Found
ADDRESS key in keyring keyring2

2016 Cisco and/or its affiliates. All Rights Reserved.


This document is Cisco Public Information.

Generated on 2016-04-23-07:00
107

VPN - VRF-aware ipsec cheat sheet - Real World - Part1

*Jun 19 10:04:24.837: ISAKMP:(1011): processing


vendor id payload
*Jun 19 10:04:24.837: ISAKMP:(1011): vendor ID
is Unity
*Jun 19 10:04:24.837: ISAKMP:(1011): processing
vendor id payload
*Jun 19 10:04:24.837: ISAKMP:(1011): vendor ID
is DPD
*Jun 19 10:04:24.837: ISAKMP:(1011): processing
vendor id payload
*Jun 19 10:04:24.837: ISAKMP:(1011): speaking
to another IOS box!
*Jun 19 10:04:24.837: ISAKMP:received payload
type 20
*Jun 19 10:04:24.838: ISAKMP (1011): His hash
no match - this node
outside NAT
*Jun 19 10:04:24.838: ISAKMP:received payload
type 20
*Jun 19 10:04:24.838: ISAKMP (1011): No NAT
Found for self or peer
*Jun 19 10:04:24.838: ISAKMP:(1011):Input =
IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jun 19 10:04:24.838: ISAKMP:(1011):Old State =
IKE_I_MM4 New State =
IKE_I_MM4
*Jun 19 10:04:24.838: ISAKMP:(1011):Send initial
contact
*Jun 19 10:04:24.838: ISAKMP:(1011):SA is
doing pre-shared key
authentication using id type ID_IPV4_ADDR
*Jun 19 10:04:24.838: ISAKMP (1011): ID payload
next-payload : 8
type
address
protocol
port
length

:1
: 192.168.0.1
: 17
: 500
: 12

*Jun 19 10:04:24.838: ISAKMP:(1011):Total


payload length: 12

2016 Cisco and/or its affiliates. All Rights Reserved.


This document is Cisco Public Information.

Generated on 2016-04-23-07:00
108

VPN - VRF-aware ipsec cheat sheet - Real World - Part1

*Jun 19 10:04:24.838: ISAKMP:(1011): sending


packet to 192.168.0.2 my_port
500 peer_port 500 (I) MM_KEY_EXCH
5. The MM5 packet, which contains the IKEID of
192.168.0.1, is received by R2. At this point, R2
knows to which ISAKMP profile that traffic should
be bound (the match identity addresscommand):
*Jun 19 10:04:24.838: ISAKMP (1011): received
packet from 192.168.0.1 dport
500 sport 500 Global (R) MM_KEY_EXCH
*Jun 19 10:04:24.838: ISAKMP:(1011):Input =
IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 19 10:04:24.838: ISAKMP:(1011):Old State =
IKE_R_MM4 New State =
IKE_R_MM5
*Jun 19 10:04:24.838: ISAKMP:(1011): processing
ID payload. message ID = 0
*Jun 19 10:04:24.838: ISAKMP (1011): ID payload
next-payload : 8
type
address
protocol
port
length

:1
: 192.168.0.1
: 17
: 500
: 12

*Jun 19 10:04:24.838: ISAKMP:(0):: peer


matches profile1 profile
*Jun 19 10:04:24.838: ISAKMP:(1011):Found
ADDRESS key in keyring keyring1
*Jun 19 10:04:24.838: ISAKMP:(1011): processing
HASH payload. message ID = 0
*Jun 19 10:04:24.838: ISAKMP:(1011): processing
NOTIFY INITIAL_CONTACT
protocol 1
spi 0, message ID = 0, sa = 0xF46295E8
*Jun 19 10:04:24.838: ISAKMP:(1011):SA
authentication status:
authenticated
*Jun 19 10:04:24.838: ISAKMP:(1011):SA has
been authenticated with
192.168.0.1
*Jun 19 10:04:24.838: ISAKMP:(1011):SA
authentication status:

2016 Cisco and/or its affiliates. All Rights Reserved.


This document is Cisco Public Information.

Generated on 2016-04-23-07:00
109

VPN - VRF-aware ipsec cheat sheet - Real World - Part1

authenticated
6. R2 now performs verification if the keyring that
was been blindly selected for the MM4 packet is
the same as the keyring configured for ISAKMP
profile now chosen. Because keyring1 is the
first one in the configuration, it was selected
previously, and it is selected now. The validation is
successful, and the MM6 packet can be sent:
*Jun 19 10:04:24.838: ISAKMP:(1011):SA is
doing pre-shared key
authentication using id type ID_IPV4_ADDR
*Jun 19 10:04:24.838: ISAKMP (1011): ID payload
next-payload : 8
type
address
protocol
port
length

:1
: 192.168.0.2
: 17
: 500
: 12

*Jun 19 10:04:24.838: ISAKMP:(1011):Total


payload length: 12
*Jun 19 10:04:24.838: ISAKMP:(1011): sending
packet to 192.168.0.1
my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jun 19 10:04:24.838: ISAKMP:(1011):Sending an
IKE IPv4 Packet.
*Jun 19 10:04:24.838: ISAKMP:(1011):Input =
IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Jun 19 10:04:24.838: ISAKMP:(1011):Old State =
IKE_R_MM5 New State =
IKE_P1_COMPLETE
7. R1 receives MM6 and does not need to perform
verification of the keyring because it was known
from the first packet; the initiator always know
which ISAKMP profile to use and what keyring is
associated with that profile. The authentication is
successful, and Phase1 finishes correctly:
*Jun 19 10:04:24.838: ISAKMP (1011): received
packet from 192.168.0.2
dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 19 10:04:24.838: ISAKMP:(1011): processing
ID payload. message ID = 0
*Jun 19 10:04:24.838: ISAKMP (1011): ID payload
next-payload : 8

2016 Cisco and/or its affiliates. All Rights Reserved.


This document is Cisco Public Information.

Generated on 2016-04-23-07:00
110

VPN - VRF-aware ipsec cheat sheet - Real World - Part1

type
address
protocol
port
length

:1
: 192.168.0.2
: 17
: 500
: 12

*Jun 19 10:04:24.838: ISAKMP:(1011): processing


HASH payload. message ID = 0
*Jun 19 10:04:24.838: ISAKMP:(1011):SA
authentication status:
authenticated
*Jun 19 10:04:24.838: ISAKMP:(1011):SA has
been authenticated with
192.168.0.2
*Jun 19 10:04:24.838: ISAKMP AAA: Accounting
is not enabled
*Jun 19 10:04:24.838: ISAKMP:(1011):Input =
IKE_MESG_FROM_PEER,
IKE_MM_EXCH
*Jun 19 10:04:24.839: ISAKMP:(1011):Old State =
IKE_I_MM5 New State =
IKE_I_MM6
*Jun 19 10:04:24.839: ISAKMP:(1011):Input =
IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jun 19 10:04:24.839: ISAKMP:(1011):Old State =
IKE_I_MM6 New State =
IKE_I_MM6
*Jun 19 10:04:24.843: ISAKMP:(1011):Input =
IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Jun 19 10:04:24.843: ISAKMP:(1011):Old State =
IKE_I_MM6 New State =
IKE_P1_COMPLETE
*Jun 19 10:04:24.843: ISAKMP:(1011):beginning
Quick Mode exchange, M-ID
of 2816227709
8. Phase2 starts normally and is successfully
completed.
I'm going to try one keyring with multiple matches and come back.
Change One (Cust2 can initiate the VPN but Cust1 still can't)

I tried different things, like using the same keyring on different profiles. Now the second customer, with the second profile, can initiate the VPN, but Customer 1 can't do the same: the Cust2 profile is always applied.
Overview of the change I made:

! Conf Keyring
!
crypto keyring client-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.10 key client
!
pre-shared-key address 85.147.160.11 key client
!

! ISAKMP (IKE) Phase 1 profile conf
!
crypto isakmp profile cust1-ike-prof
!
vrf cust1-vrf
!
keyring client-keyring
!
match identity address 85.147.160.10 255.255.255.240 outside-vrf
!
crypto isakmp profile cust2-ike-prof
!
vrf cust2-vrf
!
keyring client-keyring
!
match identity address 85.147.160.11 255.255.255.240 outside-vrf
!

I'm going to try making a fake match and pre-shared key, followed by the real profile of Cust1, to see whether the right profile is applied after the fake one.
I'm starting this troubleshooting and I don't see the problem yet, but if you already know it, leave me a comment.
Resolution (it's always something dumb once you find the cause)
I was debugging and saw that one profile always matched, the first one, depending on which device began the VPN.
I always cleared the session on both sides and changed the node Cust1, Cust2, Cust3:
clear crypto session
!
clear crypto sa
!
clear crypto isakmp
!

Sample of the mismatch for Cust1, for example:
*Jun 19 12:28:44.270: ISAKMP:(0):: peer matches profile2 profile
*Jun 19 12:28:44.270: ISAKMP:(1012):Found ADDRESS key in keyring keyring2
*Jun 19 12:28:44.270: ISAKMP:(1012):Key not found in keyrings of profile ,
aborting exchange
After that I decided to focus on the configuration of the profiles and see why the first, mismatched profile was applied, and I found three things that were bothering me:

1) In this lab I used three WAN IPs from one block on the same network, 85.147.160.0 255.255.255.240, and the first configuration change I made was to enable ip classless:
CX-ASR IP classless
ip classless

2) I changed the keyring definition, because I had made a single keyring with different matches in my Change One topic:
CX-ASR keyring configuration (for Cust1)
crypto keyring cust1-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.10 key cust-1
!

CX-ASR keyring configuration (for Cust2)
crypto keyring cust2-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.11 key cust-2
!

3) I also changed the different profiles to match with the full mask 255.255.255.255:
CX-ASR ISAKMP (IKE) Phase 1 profile configuration (for Cust1)
crypto isakmp profile cust1-ike-prof
!
vrf cust1-vrf
!
keyring cust1-keyring
!
match identity address 85.147.160.10 255.255.255.255 outside-vrf
!

The same for Cust2:
CX-ASR ISAKMP (IKE) Phase 1 profile configuration (for Cust2)
crypto isakmp profile cust2-ike-prof
!
vrf cust2-vrf
!
keyring cust2-keyring
!
match identity address 85.147.160.11 255.255.255.255 outside-vrf
!
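As an added example (not from the original post, and not Cisco's code), here is a small Python model of the responder-side selection logic the debugs above walk through, applied to the "Change One" and the resolved configurations. It assumes that keyrings and profiles are evaluated in configuration order with the first hit winning, and it models the keyring check that logs "Key not found in keyrings of profile , aborting exchange".

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed from the "Change One" configuration: one shared keyring, /28 matches.
CHANGE_ONE_KEYRINGS = {"client-keyring": {"85.147.160.10": "client",
                                          "85.147.160.11": "client"}}
CHANGE_ONE_PROFILES = [
    {"name": "cust1-ike-prof", "vrf": "cust1-vrf", "keyring": "client-keyring",
     "match": "85.147.160.10/255.255.255.240"},
    {"name": "cust2-ike-prof", "vrf": "cust2-vrf", "keyring": "client-keyring",
     "match": "85.147.160.11/255.255.255.240"},
]
# Constructed from the resolution: one keyring per customer, /32 matches.
FIXED_KEYRINGS = {"cust1-keyring": {"85.147.160.10": "cust-1"},
                  "cust2-keyring": {"85.147.160.11": "cust-2"}}
FIXED_PROFILES = [
    {"name": "cust1-ike-prof", "vrf": "cust1-vrf", "keyring": "cust1-keyring",
     "match": "85.147.160.10/255.255.255.255"},
    {"name": "cust2-ike-prof", "vrf": "cust2-vrf", "keyring": "cust2-keyring",
     "match": "85.147.160.11/255.255.255.255"},
]

def first_keyring_for(keyrings, peer):
    """MM3/MM4: the responder does not know the profile yet, so it blindly takes
    the first keyring (dict order = configuration order) with a key for the peer."""
    for name, keys in keyrings.items():
        if peer in keys:
            return name
    return None

def match_profile(profiles, peer):
    """MM5: the IKEID is known; the first profile whose 'match identity address'
    covers it is selected (assumption: configuration order, first hit wins)."""
    for prof in profiles:
        if IPv4Address(peer) in IPv4Network(prof["match"], strict=False):
            return prof
    return None

def responder_phase1(keyrings, profiles, peer):
    """Outcome of IKEv1 main mode on the responder for one peer address."""
    kr_mm4 = first_keyring_for(keyrings, peer)
    prof = match_profile(profiles, peer)
    if kr_mm4 is None or prof is None:
        return {"result": "no key or no profile for peer"}
    if prof["keyring"] != kr_mm4:
        # Different keyring objects, even with identical passwords: this is the
        # "Key not found in keyrings of profile , aborting exchange" case.
        return {"result": "aborting exchange", "profile": prof["name"],
                "mm4_keyring": kr_mm4}
    return {"result": "authenticated", "profile": prof["name"], "vrf": prof["vrf"]}
```

With the /28 matches, peer 85.147.160.11 lands in whichever profile is evaluated first (here cust1-ike-prof, i.e. the wrong VRF); with per-customer keyrings and /32 matches each peer lands in its own profile, and the model also reproduces the abort from the Cisco debug when two keyrings hold the same key.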

Now we have full connectivity, and I give you the final configuration of this lab in the attached file.
In my second step I'm going to use IP SLA for multi-site redundancy.
Phase 2 Multi Site Redundancy

@ By Djebbouri Faial

This document was generated from the following discussion: LAB VPN - VRF-aware ipsec cheat sheet (In GNS3)
