Hi Everybody.
I want to share my investigation of how to configure a VPN for multiple tenants and terminate each VPN into
the VRF of the corresponding customer.
If you are not familiar with the VRF-Aware IPsec concept, the links below can help you understand it.
MultiSite Redundancy
VPN IP SLA
You can follow phase two here (Phase2)
HSRP & DHCP in VRF
You can follow phase three here (Phase3)
Cisco
VRF-Aware IPsec Cisco
VRF-Aware IPsec Cisco 2
VRF-Aware IPsec Cisco PDF
Topic
VRF-Aware IPsec Topic
VRF-Aware IPsec Topic 2
Generated on 2016-04-23-07:00
1
First Scenario: Two customers are connected to DC1 through a single VPN access (Phase1)
Topology
The goal of this first phase is to simulate two VPN client connections from two different customers to a single device.
These customers have the same IP block on the local and on the remote site, and for this reason we need
VRF-Aware IPsec.
!! Note: the clients need to have two separate environments !!
To make this work we need to take advantage of ISAKMP (IKE) profiles together with keyrings and VRFs.
1. IKE
OVERVIEW OF THE ISAKMP PROFILE
An ISAKMP profile is a repository for IKE Phase 1 and IKE Phase 1.5 configuration for a set
of peers (Figure 1). An ISAKMP profile applies parameters to an incoming IPSec connection
identified uniquely through its concept of match identity criteria. These criteria are based
on the IKE identity that is presented by incoming IKE connections and includes IP address,
fully qualified domain name (FQDN), and group (the virtual private network [VPN] remote
client grouping). The granularity of the match identity criteria will impose the granularity of
applying the specified parameters. The ISAKMP profile applies parameters specific to each
profile, such as trust points, peer identities, and XAUTH authentication, authorization, and
accounting (AAA) list, keepalive, and others listed in the following sections.
Cisco
ISAKMP Profile Overview
2. Keyring
Cisco
Cisco VRF
Cisco VRF 2
Topic
VRF
VRF 2
LAB (Phase1)
In this lab we set up the two VPNs on the CX router, and I start the VPN from the CX to the customer.
The configuration files of the three routers are in the Zip file.
CX-ASR Configuration
CX-ASR Basic configuration
enable
!
Conf t
!
hostn CX-ASR
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!
CX-ASR ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
CX-ASR ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
CX-ASR NAT ACL: exclude the VPN traffic from NAT and allow the other traffic to be NATed (For VPN
Traffic)
access-list 100 remark -=[Define NAT Service]=
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark
CX-ASR Route for VRF Cust1 (Default Route) !! Note: more specific routes can be set up !!
ip route vrf cust1-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!
CX-ASR Route for VRF Cust2 (Default Route) !! Note: more specific routes can be set up !!
ip route vrf cust2-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!
CX-ASR Troubleshooting
CX-ASR Show Commands (General view)
sho ip int b
!
sho run
!
ip vrf
ip vrf outside-vrf
ip vrf cust1-vrf
ip vrf cust2-vrf
ip route vrf outside-vrf
ip route vrf cust1-vrf
ip route vrf cust2-vrf
cry ipsec
cry isakmp
ip icmp
ip nat
Cust1 Configuration
Cust1 Basic configuration
enable
!
Conf t
!
hostn Cust1
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!
line vty 0 15
!
login local
!
tran in ssh
Cust1 ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
Cust1 NAT ACL: exclude the VPN traffic from NAT and allow the other traffic to be NATed (For VPN Traffic)
access-list 100 remark -=[Define NAT Service]=
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 remark
Cust1 Route (Default Route) !! Note: more specific routes can be set up !!
Cust1 Troubleshooting
cry ipsec
cry isakmp
ip icmp
ip nat
Cust2 Configuration
Cust2 Basic configuration
enable
!
Conf t
!
hostn Cust2
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!
!
group 2
!
lifetime 86400
!
!
description ** Client 2 **
!
set peer 85.147.160.1
!
set transform-set strong
!
match address cust-2
!
Cust2 ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
Cust2 NAT ACL: exclude the VPN traffic from NAT and allow the other traffic to be NATed (For VPN Traffic)
access-list 100 remark -=[Define NAT Service]=
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 remark
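The three NAT ACLs on this page (CX-ASR, Cust1 and Cust2) all rely on the same ordering rule: the deny for the interesting traffic must come before the permit that sends everything else to NAT, otherwise the VPN traffic is translated before it reaches the crypto map and never matches the crypto ACL. The following is an added example in Python, written for this page and not part of the original lab files: it parses IOS-style ACL entries and reports every crypto-ACL source/destination pair that the NAT ACL would translate. The "good" NAT ACL and the crypto ACL are the CX-ASR ones from this page; the "bad" NAT ACL, with the permit ahead of the deny, is constructed to show the failure. It assumes contiguous wildcard masks and compares whole prefixes (an entry counts as matching when it covers the full pair), which is enough for the /24 pairs used here.

```python
from ipaddress import ip_address, ip_network


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network: 192.168.20.0 0.0.0.255 -> 192.168.20.0/24.
    Assumes a contiguous wildcard mask (the only kind used on this page)."""
    mask = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    return ip_network("%s/%d" % (addr, prefix_len), strict=False)


def parse_ace(line):
    """Parse one 'permit|deny ip <src> <dst>' entry in numbered or named ACL syntax.
    Returns (action, src_net, dst_net), or None for remarks, '!' separators and blank lines."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:      # numbered form: access-list 100 permit ip ...
        tokens = tokens[2:]
    if not tokens or tokens[0] in ("remark", "!"):
        return None
    action, rest = tokens[0], tokens[2:]   # tokens[1] is the protocol keyword ('ip' here)
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    return action, nets[0], nets[1]


def nat_exemption_problems(crypto_acl, nat_acl):
    """For each permit entry of the crypto (interesting-traffic) ACL, find the first NAT ACL entry
    that covers the same source/destination pair. It must be a deny; a permit means the VPN
    traffic is translated before encryption. Returns a list of findings (empty when all is well)."""
    findings = []
    interesting = [a for a in map(parse_ace, crypto_acl) if a and a[0] == "permit"]
    nat_entries = [a for a in map(parse_ace, nat_acl) if a]
    for _, src, dst in interesting:
        for action, nsrc, ndst in nat_entries:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    findings.append("%s -> %s is NATed by 'permit %s %s'" % (src, dst, nsrc, ndst))
                break  # the first matching entry decides, as on the router
        # no matching entry: the implicit deny keeps the pair out of NAT, which is what we want
    return findings


# CX-ASR interesting traffic for Cust-1 (from this page).
CRYPTO_ACL_CUST1 = ["permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255"]

# CX-ASR NAT ACL as configured on this page: deny the VPN pair first, then NAT the rest.
NAT_ACL_OK = [
    "access-list 100 remark -=[Define NAT Service]=",
    "access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 100 permit ip 192.168.20.0 0.0.0.255 any",
]

# Constructed misordering: the permit comes first, so the VPN traffic gets translated.
NAT_ACL_BAD = [
    "access-list 100 permit ip 192.168.20.0 0.0.0.255 any",
    "access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255",
]

if __name__ == "__main__":
    print("ok  :", nat_exemption_problems(CRYPTO_ACL_CUST1, NAT_ACL_OK))
    print("bad :", nat_exemption_problems(CRYPTO_ACL_CUST1, NAT_ACL_BAD))
```

Run it against a router's own crypto and NAT ACLs (for example pasted from `show run`) to confirm the exemption before bringing a tunnel up; an empty list means no interesting-traffic pair is caught by a NAT permit.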
Cust2 Route (Default Route) !! Note: more specific routes can be set up !!
ip route 192.168.20.0 255.255.255.0 85.147.160.1
!
Cust2 Troubleshooting
Cust2 Show Commands (General view)
sho ip int b
!
sho run
!
sho
!
sho
!
sho
!
sho
!
sho
!
cry ipsec
cry isakmp
ip icmp
ip nat
We now have full connectivity, and the traffic from the different customers is dropped into the different
VRFs.
We have the exact same subnet on both customers and we can see the capability to use it.
Test Connectivity (Initiator is Cust1 and Cust2)
(Cust2 can initiate the VPN but Cust1 cannot)
Now I clear the sessions and bring the VPNs down on CX-ASR
clear crypto session
!
clear crypto isakmp
!
clear crypto sa
!
show crypto session
!
We can see that both VPNs are down, and we can begin to initiate the VPNs from the different
customers.
CX-ASR
local_proxy= 192.168.10.0/255.255.255.0/0/0
(type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0
(type=4),
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x37A39C(3646364), conn_id= 0, keysize= 0,
flags= 0x400A
*Feb 26 14:11:17.491: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 85.147.160.10,
remote= 85.147.160.1,
local_proxy= 192.168.10.0/255.255.255.0/0/0
(type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0
(type=4),
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 3600s and 4608000kb,
(0:1:SW:1):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Feb 26 14:11:20.439: ISAKMP:(0:1:SW:1):Old State
= IKE_I_MM4 New State = IKE_I_MM4
remote_proxy= 192.168.20.0/255.255.255.0/0/0
(type=4),
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x3DA1C07F(1034010751), conn_id= 0,
keysize= 0, flags= 0x400A
*Feb 26 14:11:47.491: IPSEC(sa_request):
Cust-1#,
(key eng. msg.) OUTBOUND local= 85.147.160.10,
remote= 85.147.160.1,
local_proxy= 192.168.10.0/255.255.255.0/0/0
(type=4),
remote_proxy= 192.168.20.0/255.255.255.0/0/0
(type=4),
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xAE492F46(2924031814), conn_id= 0,
Target CX-ASR
The reason for the deletion of the SA seems to be "Key not found in keyrings of profile, aborting
exchange", because the key is not found in the cust1 profile on the CX-ASR,
and I saw that the second profile is used at the end of the debugging, but the right profile is Cust1 and not this one:
"not peer matches cust2-ike-prof profile"
I read a lot of things about an issue that can occur when you use the same IP address in different keyrings; but
it looks like it is not the same case, because we don't use the same IP address in this lab, though the symptom looks
very similar.
I saw in the Cisco lab on keyrings that when you use a keyring the debug is different from mine, but we have the same "profile no
match", so maybe that is something I can begin with.
Example Scenarios
In the first scenario, R1 is the ISAKMP initiator. The tunnel is negotiating correctly, and traffic is protected as
expected.
The second scenario uses the same topology, but has R2 as the ISAKMP initiator when phase1 negotiation is
failing.
Internet Key Exchange Version 1 (IKEv1) needs a pre-shared key for skey calculation, which is used in order
to decrypt/encrypt Main Mode packet 5 (MM5) and subsequent IKEv1 packets. The skey is derived from
the Diffie-Hellman (DH) computation and the pre-shared key. That pre-shared key needs to be determined
after MM3 (responder) or MM4 (initiator) is received, so that the skey, which is used in MM5/MM6, can be
computed.
For the ISAKMP responder in MM3, the specific ISAKMP profile is not yet determined because that happens
after the IKEID is received in MM5. Instead, all keyrings are searched for a pre-shared key, and the first or best
matching keyring from the global configuration is selected. That keyring is used in order to calculate the skey
that is used for decryption of MM5 and encryption of MM6. After the decryption of MM5 and after the ISAKMP
profile and associated keyring are determined, the ISAKMP responder performs verification if the same keyring
has been selected; if the same keyring is not selected, the connection is dropped.
Thus, for the ISAKMP responder, you should use a single keyring with multiple entries whenever possible.
Scenario 1 (R1 is the initiator):
1. R1 initiates the tunnel, sends the MM1 packet with policy proposals, and receives MM2 in response.
MM3 is then prepared:
R1#ping 192.168.200.1 source lo0 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.200.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
Scenario 2 (R2 is the initiator):
1. R2 initiates the tunnel:
R2#ping 192.168.100.1 source lo0 repeat 1
2. Since R2 is the initiator, the ISAKMP profile and keyring are known. The pre-shared key from
keyring1 is used for DH computations and is sent in MM3. R2 is receiving MM2 and is preparing
MM3 based on that key:
local_proxy=
192.168.0.1/255.255.255.255/47/0,
remote_proxy=
192.168.0.2/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes espsha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags=
0x0
*Jun 19 10:04:24.826: ISAKMP:(0): SA request
profile is profile2
*Jun 19 10:04:24.826: ISAKMP: Found a peer
struct for 192.168.0.2, peer
port 500
*Jun 19 10:04:24.826: ISAKMP: Locking peer
struct 0xF483A970, refcount 1
for isakmp_initiator
*Jun 19 10:04:24.826: ISAKMP: local port 500,
remote port 500
*Jun 19 10:04:24.826: ISAKMP: set new node 0 to
QM_IDLE
IKE_I_MM2
*Jun 19 12:28:44.256: ISAKMP:(0): processing SA
payload. message ID = 0
*Jun 19 12:28:44.256: ISAKMP:(0): processing
vendor id payload
*Jun 19 12:28:44.256: ISAKMP:(0): vendor ID
seems Unity/DPD but major
69 mismatch
*Jun 19 12:28:44.256: ISAKMP (0): vendor ID is
NAT-T RFC 3947
*Jun 19 12:28:44.256: ISAKMP:(0):Found
ADDRESS key in keyring keyring1
*Jun 19 12:28:44.256: ISAKMP:(0): local
preshared key found
*Jun 19 12:28:44.256: ISAKMP : Looking for xauth
in profile profile1
*Jun 19 12:28:44.256: ISAKMP:(0):Checking
ISAKMP transform 1 against
priority 10 policy
encryption
hash MD5
default group 2
auth pre-share
Main mode.
life type in
life duration
0x51 0x80
*Jun 19 12:28:44.256: ISAKMP:(0):atts are
acceptable. Next payload is 0
*Jun 19 12:28:44.256: ISAKMP:(0):Acceptable
atts:actual life: 0
*Jun 19 12:28:44.257: ISAKMP:(0):Acceptable
atts:life: 0
*Jun 19 12:28:44.257: ISAKMP:(0):Fill atts in sa
vpi_length:4
*Jun 19 12:28:44.257: ISAKMP:(0):Fill atts in sa
life_in_seconds:86400
*Jun 19 12:28:44.257: ISAKMP:(0):Returning
Actual lifetime: 86400
*Jun 19 12:28:44.257: ISAKMP:(0)::Started
lifetime timer: 86400.
*Jun 19 12:28:44.257: ISAKMP:(0): processing
vendor id payload
*Jun 19 12:28:44.257: ISAKMP:(0): vendor ID
seems Unity/DPD but major
69 mismatch
*Jun 19 12:28:44.257: ISAKMP (0): vendor ID is
NAT-T RFC 3947
*Jun 19 12:28:44.257: ISAKMP:(0):Input =
IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jun 19 12:28:44.257: ISAKMP:(0):Old State =
IKE_I_MM2 New State =
IKE_I_MM2
192.168.0.2
*Jun 19 12:28:44.263: ISAKMP:(1012): processing
vendor id payload
*Jun 19 12:28:44.263: ISAKMP:(1012): vendor ID
is DPD
*Jun 19 12:28:44.263: ISAKMP:(1012): processing
vendor id payload
encryption
hash MD5
default group 2
auth pre-share
life type in
life duration
outside NAT
*Jun 19 12:28:44.263: ISAKMP:received payload
type 20
*Jun 19 12:28:44.263: ISAKMP (1012): No NAT
Found for self or peer
*Jun 19 12:28:44.263: ISAKMP:(1012):Input =
IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jun 19 12:28:44.263: ISAKMP:(1012):Old State =
IKE_R_MM3 New State =
IKE_R_MM3
*Jun 19 12:28:44.263: ISAKMP:(1012): sending
packet to 192.168.0.2 my_port
500 peer_port 500 (R) MM_KEY_EXC
4. R2 receives MM4 from R1, uses the pre-shared
key from keyring1 in order to compute DH, and
prepares the MM5 packet and the IKEID:
*Jun 19 12:28:44.269: ISAKMP:(0):Found
ADDRESS key in keyring keyring1
*Jun 19 12:28:44.269: ISAKMP:(1012): processing
vendor id payload
*Jun 19 12:28:44.269: ISAKMP:(1012): vendor ID
is Unity
IKE_I_MM2
outside NAT
*Jun 19 12:28:44.269: ISAKMP:received payload
type 20
type     : 1
address  : 192.168.0.2
protocol : 17
port     : 500
length   : 12
type     : 1
address  : 192.168.0.2
protocol : 17
port     : 500
length   : 12
type     : 1
address  : 192.168.0.1
protocol : 17
port     : 500
length   : 12
type     : 1
address  : 192.168.0.1
protocol : 17
port     : 500
length   : 12
authenticated
6. R2 now performs verification if the keyring that
was blindly selected for the MM4 packet is
the same as the keyring configured for the ISAKMP
profile now chosen. Because keyring1 is the
first one in the configuration, it was selected
previously, and it is selected now. The validation is
successful, and the MM6 packet can be sent:
*Jun 19 10:04:24.838: ISAKMP:(1011):SA is
doing pre-shared key
authentication using id type ID_IPV4_ADDR
*Jun 19 10:04:24.838: ISAKMP (1011): ID payload
next-payload : 8
type     : 1
address  : 192.168.0.2
protocol : 17
port     : 500
length   : 12
type     : 1
address  : 192.168.0.2
protocol : 17
port     : 500
length   : 12
I tried different things, like using the same keyring on different profiles, and now the second customer with the
second profile can initiate the VPN, but Customer 1 can't do the same thing: the profile Cust2 is always
applied.
Overview of the change I made
! Conf Keyring
!
crypto keyring client-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.10 key client
!
pre-shared-key address 85.147.160.11 key client
!
I am going to try to make a fake match and pre-shared key, and after that the real profile of cust1, to see if the profile is
applied after the fake entry.
I am beginning with this troubleshooting and I don't see the problem yet, but if you already know it, leave me a comment.
Resolution (it is always dumb where you find the cause)
I was debugging and always saw one profile match, the first one, depending on which device started the VPN.
I always clear the sessions on both sides, and I change the node: Cust1, Cust2, Cust3
clear crypto session
!
clear crypto sa
!
clear crypto isakmp
!
1) In this lab I used three WAN IPs from a block on the same network, 85.147.160.0 255.255.255.240, and the first
change I made is to enable ip classless
CX-ASR IP Classless
ip classless
2) I changed the keyring definition, because I had made a single keyring with different matches in my "change one"
above
CX-ASR Keyring configuration (For Cust1)
crypto keyring cust1-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.10 key cust-1
!
3) I also changed the different profiles to match with the full mask 255.255.255.255
CX-ASR ISAKMP (IKE) Profile Phase 1 configuration (For Cust1)
crypto isakmp profile cust1-ike-prof
!
vrf cust1-vrf
!
keyring cust1-keyring
!
match identity address 85.147.160.10 255.255.255.255 outside-vrf
!
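The keyring-selection behaviour described in the Cisco text above (keyring chosen at MM3 before the profile is known, ISAKMP profile chosen after the IKE ID arrives in MM5, then a consistency check between the two) is what the resolution's per-customer keyrings with /32 entries and /32 match identities satisfy. The following is an added example in Python, written for this page and not code from the original post or from Cisco IOS: a deliberately simplified model of that responder logic, run against a constructed "broken" keyring set (a /28 entry in the first keyring that also covers the second customer's WAN address) and against the final lab configuration. It assumes 85.147.160.11 is Cust2's WAN address, as the client-keyring shown earlier suggests, and it models the "first or best matching keyring" rule as first match in configuration order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Keyring:
    name: str
    entries: list  # [(network, psk)] in configuration order; "a.b.c.d/32" for a host entry

    def lookup(self, peer):
        """Return the pre-shared key for peer, or None if this keyring has no matching address entry."""
        for net, psk in self.entries:
            if ip_address(peer) in ip_network(net):
                return psk
        return None


@dataclass
class IsakmpProfile:
    name: str
    keyring: str          # keyring name referenced by the profile
    match_identity: str   # 'match identity address' expressed as a network
    vrf: str              # inside VRF the tunnel terminates in

    def matches(self, peer_id):
        return ip_address(peer_id) in ip_network(self.match_identity)


def select_keyring_mm3(keyrings, peer):
    """At MM3 the responder has no IKE ID yet, so the first keyring (in configuration order)
    holding a key for the peer address is used to derive the skey. Simplified model."""
    for kr in keyrings:
        if kr.lookup(peer) is not None:
            return kr
    return None


def select_profile_mm5(profiles, peer_id):
    """After MM5 the IKE ID is known and the first profile whose match identity covers it wins."""
    for prof in profiles:
        if prof.matches(peer_id):
            return prof
    return None


def responder_main_mode(keyrings, profiles, peer):
    """Return ('ok', profile_name, vrf) or ('fail', reason) for an incoming main-mode exchange."""
    kr = select_keyring_mm3(keyrings, peer)
    if kr is None:
        return ("fail", "no pre-shared key for %s in any keyring" % peer)
    prof = select_profile_mm5(profiles, peer)
    if prof is None:
        return ("fail", "no ISAKMP profile matches identity %s" % peer)
    # The consistency check the Cisco text describes: the keyring used blindly at MM3/MM4
    # must be the one bound to the profile chosen after MM5, otherwise the connection is dropped.
    if prof.keyring != kr.name:
        return ("fail", "MM3 used keyring %s but profile %s is bound to %s"
                % (kr.name, prof.name, prof.keyring))
    return ("ok", prof.name, prof.vrf)


# Constructed failing configuration: the first keyring's /28 entry also covers the second
# customer's address, so Cust2's exchange derives its keys from cust1-keyring.
BROKEN_KEYRINGS = [
    Keyring("cust1-keyring", [("85.147.160.0/28", "cust-1")]),
    Keyring("cust2-keyring", [("85.147.160.11/32", "cust-2")]),
]

# Final lab configuration: one /32 entry per customer keyring.
FIXED_KEYRINGS = [
    Keyring("cust1-keyring", [("85.147.160.10/32", "cust-1")]),
    Keyring("cust2-keyring", [("85.147.160.11/32", "cust-2")]),
]

# Profiles with the full 255.255.255.255 match identities from the resolution
# (85.147.160.11 for Cust2 is an assumption taken from the client-keyring shown earlier).
PROFILES = [
    IsakmpProfile("cust1-ike-prof", "cust1-keyring", "85.147.160.10/32", "cust1-vrf"),
    IsakmpProfile("cust2-ike-prof", "cust2-keyring", "85.147.160.11/32", "cust2-vrf"),
]

if __name__ == "__main__":
    for peer in ("85.147.160.10", "85.147.160.11"):
        print("broken:", peer, responder_main_mode(BROKEN_KEYRINGS, PROFILES, peer))
        print("fixed :", peer, responder_main_mode(FIXED_KEYRINGS, PROFILES, peer))
```

With the broken keyrings only the customer whose profile happens to own the first-matching keyring comes up, which is the one-profile-always-wins symptom seen in the debugging above; the fixed keyrings give each peer its own key and its own VRF. The Cisco text's alternative, one keyring with several entries shared by all profiles, passes the same check because every profile then references the same keyring name.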
Now we have full connectivity, and I give you the final configuration of this lab in the attached file.
In my second step I'm going to use IP SLA for multi-site redundancy.
Phase 2 Multi Site Redundancy
@ By Djebbouri Faial
This document was generated from the following discussion: LAB VPN - VRF-aware ipsec cheat sheet (In
GNS3)