
PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example
Document ID: 63882

Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Configurations
Configure the PIX/ASA Security Appliance Version 7.x
Use ASDM
Enable Reverse Route Injection (RRI)
Verify
View the Logs
Troubleshoot
Related Information
Introduction
This document provides a sample configuration for VPN/IPsec with Open Shortest Path First (OSPF) on
Cisco PIX Security Appliance Software Version 7.x or Cisco Adaptive Security Appliance (ASA). PIX/ASA
7.x allows OSPF to run as unicast over an existing IPsec LAN-to-LAN connection: the outside interface is set
to the point-to-point non-broadcast network type, the peer is defined as a static OSPF neighbor, and OSPF
(IP protocol 89) between the two outside interfaces is added to the crypto ACL. You no longer need to
configure a Generic Routing Encapsulation (GRE) tunnel to carry the OSPF multicast hellos.

Prerequisites
Requirements
Ensure that you can establish the VPN connection before you attempt this configuration.

Components Used
The information in this document is based on these software and hardware versions:

• Cisco 2500 that runs Cisco IOS® Software Release 12.1 and later
• Cisco 2500 that runs Cisco IOS Software Release 12.0 and later
• ASA 5500 Security Appliance running Software Version 7.x and later

Note: The PIX 500 Series Version 7.x/8.x runs the same software seen in ASA 5500 Version 7.x/8.x.
The configurations in this document are applicable to both product lines.

The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure
In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands
used in this section.

Network Diagram
This document uses this network setup (the addressing is taken from the configurations that follow):

• Router Left: Ethernet0 10.10.10.2/24, Loopback11 11.11.11.11/24, OSPF process 11 in area 0
• ASA Local: inside 10.10.10.1/24, outside 30.30.30.1/24, default gateway 30.30.30.2
• ASA Remote: outside 40.40.40.2/24, inside 20.20.20.1/24, default gateway 40.40.40.1
• Router House (hostname Right): Ethernet0 20.20.20.2/24, Loopback22 22.22.22.22/24, OSPF process 22 in area 0

The IPsec LAN-to-LAN tunnel is built between the two outside addresses, 30.30.30.1 and 40.40.40.2, and the
ASA-to-ASA OSPF adjacency (process 100, area 0) runs across it as unicast.

Configurations
This document uses these configurations:

• Router Left
• Router House
• ASA Local
• ASA Remote

Router Left
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Left
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
interface Loopback11
 ip address 11.11.11.11 255.255.255.0
!
interface Ethernet0
 ip address 10.10.10.2 255.255.255.0
 no keepalive
!
interface Serial0
 no ip address
 no keepalive
 no fair-queue
 ignore-dcd
!
interface Serial1
 no ip address
 shutdown
 ignore-dcd
!
interface BRI0
 no ip address
 shutdown
!
router ospf 11
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 11.11.11.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip http server
!
logging trap debugging
logging 20.20.20.2
access-list 100 permit ip any any
access-list 101 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 ! Lab only: privilege-15 access with no login prompt. Do not use in production.
 privilege level 15
 no login
!
end

Router House (hostname Right)
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Right
!
aaa new-model
! Lab only: no TACACS+ server is defined, so the "none" fallback means
! logins are not authenticated at all. Do not use in production.
aaa authentication login default group tacacs+ none
aaa authorization exec default group tacacs+ none
!
ip subnet-zero
no ip domain-lookup
!
cns event-service server
!
interface Loopback22
 ip address 22.22.22.22 255.255.255.0
 no ip directed-broadcast
!
interface Tunnel0
 no ip address
 no ip directed-broadcast
!
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Async1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
!
router ospf 22
 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip http server
!
line con 0
 transport input none
line 1 8
line aux 0
line vty 0 4
!
end

Configure the PIX/ASA Security Appliance Version 7.x

You can configure the PIX/ASA Security Appliance either from the command-line interface (CLI) or through
the Adaptive Security Device Manager (ASDM) GUI. The configuration in this section is for the ASA "Local".
You configure the ASA "Remote" in the same way and only adjust for the differences in IP addressing.
Console into the PIX/ASA in order to configure the PIX/ASA Security Appliance version 7.x. From a cleared
configuration, use the interactive prompts in order to enable the ASDM GUI for the management of the
PIX/ASA from workstation 10.10.10.3.

Note: If the OSPF neighbor does not come up (for example, it stays in EXSTART or EXCHANGE), consider
reducing the maximum transmission unit (MTU) of the outside interface on both appliances so that the values
match. IPsec encapsulation adds overhead to every packet (60 bytes with the transform set used here, as
reported by show crypto ipsec sa), and OSPF neighbors compare their interface MTU values during database
exchange.

PIX/ASA-ASDM Bootstrap
Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
Enable password [<use current password>]: cisco
Allow password recovery [yes]?
Clock (UTC):
  Year [2006]:
  Month [May]:
  Day [25]:
  Time [06:00:44]:
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

The following configuration will be used:
Enable password: cisco
Allow password recovery: yes
Clock (UTC): 06:00:44 May 25 2006
Firewall Mode: Routed
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

Use this configuration and write to flash? yes
INFO: Security level for "inside" set to 100 by default.
Cryptochecksum: 34f55366 a32e232d ebc32ac1 3bfa201a

969 bytes copied in 0.880 secs

Use ASDM
Complete these steps in order to configure via the ASDM GUI:

1. From workstation 10.10.10.3, open a browser and use ASDM.

In this example, you use https://10.10.10.1.


2. Click Yes on the certificate prompts.
3. Log in with the enable password.

This login appears in the PIX/ASA−ASDM Bootstrap configuration.


4. Make a selection at the prompt to use ASDM Launcher or ASDM as a Java App.

This prompt appears only if this is the first time that you have run ASDM on the PC. This example
has selected and installed the ASDM Launcher.
5. Go to the ASDM Home window and click the Configuration tab.
6. Choose Interface > Edit in order to configure the outside interface.

7. Click OK.
8. Enter the interface details and click OK when complete.

9. Click OK in the Security Level Change dialog box.

10. Click Apply in order to accept the interface configuration.


The configuration also gets pushed onto the PIX.

Note: This example uses static routes.


11. Choose Features > Routing > Static Route and click Add.
12. Configure the default gateway and click OK.

13. Configure a host based static route (a /32) for the remote peer's outside address that points at the
physical next hop, in order to avoid recursive routing when OSPF comes up: the peer's outside subnet is
also advertised through the tunnel, and without the /32 the encrypted packets to the peer could be routed
into the tunnel itself. Then click OK.
14. Click Apply in order to accept the routing configuration.

The configuration also gets pushed onto the PIX.


15. Choose Wizards > VPN Wizard in order to use the VPN Wizard and create the LAN−to−LAN
connection.

16. In the VPN Wizard window, click Next where Site−to−Site is the default selection.
17. Add the Peer IP Address, Tunnel Group Name (which is the IP address), and Pre−Shared Key
information, and click Next.

18. Add the Encryption type, Authentication type, DH Group information, and click Next.
19. Add the IPsec parameters, Encryption type, Authentication type information, and click Next.

20. Configure the inside host network. Click Add in order to move the address to the Selected
Host/Networks field within this window. Click Next when complete.
21. Configure the outside host network. Click Add in order to move the address to the Selected
Host/Networks field within this window. Click Next when complete.

22. Review the Summary for accuracy, then click Next.


23. Choose Configuration > VPN in order to verify the LAN−to−LAN tunnel configurations that the
VPN Wizard created.

24. Create an access list entry in order to allow OSPF traffic to go across the VPN. This entry is added to
the crypto ACL so that OSPF (IP protocol 89) between the two outside interface addresses is treated as
interesting traffic and encrypted; it is what carries the OSPF adjacency and the routes learned over it.
Choose Configuration > VPN.

25. Choose IPSec > IPSec Rules and click Add.


26. Add a rule in this window with the local outside interface as the source, the OSPF neighbor (the remote
peer's outside IP address) as the destination, and OSPF as the protocol, then click OK.

Note: Be sure that you work on the outside interface.

27. Verify that the information is correct and click Apply.


28. Choose Configuration > NAT and click Translation Exemption Rules in order to verify the
Network Address Translation (NAT) configurations that the VPN Wizard created.
29. Because this example uses NAT, uncheck the check box for Enable traffic through the firewall
without address translation, then click Add. This step configures the NAT Rule.

30. Configure the Source Network. Click Browse in order to define the NAT pool addresses for the
inside. Then select outside for Translate Address on Interface and click Manage Pools.
31. Select the outside interface and click Add.

32. Because Port Address Translation (PAT) uses the IP address of the interface in this example, click
Port Address Translation (PAT) using the IP address of the interface.

33. Click OK after you configure the PAT pools.

34. In the Add Address Translation Rule window, select the Address Pool that the configured Source
Network is to use.
35. Click OK. This window shows the output from the NAT configuration.
36. Click Apply in order to save the configuration.
37. Choose Configuration > Routing > OSPF > Setup, go to the Process Instances tab and check
Enable this OSPF Process in order to set up OSPF on the PIX.

38. Choose Area/Networks and click Add.


39. Enter the IP Address and Netmask of one network in the OSPF process field and click OK (MD5 was
chosen to show it as an optional element, but is not required).
40. Verify that the information is correct and click Edit.
41. Enter the IP Address and Netmask of the second network and outside remote peer in the OSPF
process field and click OK.
42. Verify that the information is correct and click Apply.
43. Choose OSPF > Interface > Properties > Outside and click Edit.

44. Uncheck Broadcast on the outside interface.


Note: This must be unicast.

45. Check the Broadcast column for the outside interface in order to verify that the selection is no and
click Apply.

46. Choose OSPF > Static Neighbor and click Add.


47. Enter the IP address in the Neighbor field and select outside for the Interface. Click OK.

48. Verify that the information is correct and click Apply. This action completes the configuration.
Choose File > Show Running Configuration in New Window in order to view the CLI configuration.

ASA Local
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
 !--- This line allows OSPF to run as unicast over the IPsec tunnel.
 ospf network point-to-point non-broadcast
 !--- This line is optional and not required for OSPF to work.
 !--- Enable this option only if you want MD5 authentication for OSPF.
 !--- Note: the key alone does not enable authentication. It is only used once
 !--- "ospf authentication message-digest" is also configured on this interface
 !--- (this example does not do that), and the same key ID and key must be
 !--- configured on the peer.
 ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Local
ftp mode passive

!--- These access control list (ACL) entries define interesting traffic for IPsec
!--- encryption and allow the LAN-to-LAN traffic to bypass NAT. Note that OSPF
!--- (IP protocol 89) between the two outside interfaces appears only in the
!--- crypto ACL: it is sourced from the outside interface itself, so it is never
!--- subject to inside NAT and needs no nonat entry.

same-security-traffic permit intra-interface

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface

!--- Do not translate traffic that matches the nonat ACL; PAT everything else
!--- from the inside to the outside interface address.

nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0
!

!--- This is OSPF.
!--- Note: You must define the outside network of the remote peer.

router ospf 100
 network 10.10.10.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0

 !--- This is where OSPF is told where the PEER is located.

 neighbor 40.40.40.2 interface outside
 log-adj-changes
!

!--- This is a host based static. It is not always necessary, but it is
!--- recommended to prevent recursive routing when OSPF comes up over the
!--- IPsec tunnel: the remote peer's outside subnet (40.40.40.0/24) is also
!--- learned through OSPF across the tunnel, and the /32 makes sure the peer
!--- itself is always reached through the physical next hop 30.30.30.2.

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable

!--- The bootstrap dialog earlier in this document allowed ASDM access from
!--- 10.10.10.3; adjust this line to the management host you actually use.

http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

!--- This is the IPsec and IKE/ISAKMP configuration.
!--- Make sure basic IPsec connectivity is present before you add in OSPF.
!--- 3DES, MD5/SHA-1 and DH group 2 are shown as used in this lab; on software
!--- that supports them, prefer AES, SHA-2 and a larger DH group.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
 !--- "cisco" is a lab value; use a long, random pre-shared key in production.
 pre-shared-key cisco

class-map inspection_default
 match default-inspection-traffic

policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end

ASA Remote
ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 40.40.40.2 255.255.255.0
 !--- This line allows OSPF to run as unicast over the IPsec tunnel.
 ospf network point-to-point non-broadcast
 !--- This line is optional and not required for OSPF to work.
 !--- Enable this option only if you want MD5 authentication for OSPF.
 !--- Note: the key alone does not enable authentication. It is only used once
 !--- "ospf authentication message-digest" is also configured on this interface
 !--- (this example does not do that), and the same key ID and key must be
 !--- configured on the peer.
 ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Remote
ftp mode passive

!--- These ACL entries define interesting traffic for IPsec encryption and allow
!--- the LAN-to-LAN traffic to bypass NAT. Note that OSPF (IP protocol 89)
!--- between the two outside interfaces appears only in the crypto ACL: it is
!--- sourced from the outside interface itself, so it is never subject to
!--- inside NAT and needs no nonat entry.

same-security-traffic permit intra-interface

access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 20 interface

!--- Do not translate traffic that matches the nonat ACL; PAT everything else
!--- from the inside to the outside interface address.

nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0
!

!--- This is OSPF.
!--- Note: You must define the outside network of the remote peer.

router ospf 100
 network 20.20.20.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0

 !--- This is where OSPF is told where the PEER is located.

 neighbor 30.30.30.1 interface outside
 log-adj-changes
!

!--- This is a host based static. It is not always necessary, but it is
!--- recommended to prevent recursive routing when OSPF comes up over the
!--- IPsec tunnel: the remote peer's outside subnet (30.30.30.0/24) is also
!--- learned through OSPF across the tunnel, and the /32 makes sure the peer
!--- itself is always reached through the physical next hop 40.40.40.1.

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable

!--- Adjust this line to the management host you actually use.

http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

!--- This is the IPsec and IKE/ISAKMP configuration. Make sure basic IPsec
!--- connectivity is present before you add in OSPF.
!--- 3DES, MD5/SHA-1 and DH group 2 are shown as used in this lab; on software
!--- that supports them, prefer AES, SHA-2 and a larger DH group.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
 !--- "cisco" is a lab value; use a long, random pre-shared key in production.
 pre-shared-key cisco

class-map inspection_default
 match default-inspection-traffic

policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
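The ospf message-digest-key lines in the ASA Local and ASA Remote configurations above configure a key
but do not turn authentication on. As an added example that is not part of the original Cisco document,
this is what both outside interfaces look like with MD5 authentication actually enforced on the ASA-to-ASA
adjacency. Everything is taken from the two configurations above except the key string, which is a
placeholder. Authentication is applied per interface rather than with area 0 authentication message-digest
under router ospf, because the inside adjacencies to Router Left and Router House are not authenticated
and an area-wide setting would break them.

```cisco
!--- Added example, not from the original document. Only the lines that differ
!--- from the ASA Local / ASA Remote configurations above are annotated.
!--- "S3cr3t-0spf-k3y" is a placeholder; use your own key on both appliances.

!--- ASA Local
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
 ospf network point-to-point non-broadcast
 !--- Turns MD5 authentication on for OSPF packets sent and received on this
 !--- interface. Without this line the key below is never used.
 ospf authentication message-digest
 ospf message-digest-key 10 md5 S3cr3t-0spf-k3y
!
router ospf 100
 network 10.10.10.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0
 neighbor 40.40.40.2 interface outside
 log-adj-changes

!--- ASA Remote
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 40.40.40.2 255.255.255.0
 ospf network point-to-point non-broadcast
 ospf authentication message-digest
 !--- Key ID (10) and key string must match the peer exactly; otherwise the
 !--- adjacency does not form.
 ospf message-digest-key 10 md5 S3cr3t-0spf-k3y
!
router ospf 100
 network 20.20.20.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0
 neighbor 30.30.30.1 interface outside
 log-adj-changes
```

After the change, show ospf neighbor should again report the peer as FULL/ - on the outside interface.
Because the OSPF packets already travel inside ESP with SHA-1 integrity protection between the two
appliances, OSPF MD5 here is defense in depth on the outside interface rather than the primary protection
of the adjacency.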

Enable Reverse Route Injection (RRI)


In order to inject the remote LAN-to-LAN VPN networks into the OSPF network, refer to Verify that Routing
is Correct for the CLI configuration and to LAN-to-LAN Network RRI for the ASDM configuration.
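As an added example (not part of the original Cisco document), this is the CLI form of RRI on ASA Local,
using the crypto map, ACL and OSPF process names from the ASA Local configuration above. The access-list
and route-map name RRI_TO_OSPF is an assumption chosen for this example. The route-map limits the
redistribution to the remote LAN-to-LAN prefix so that the default route and the /32 host route to the peer
are not leaked into OSPF.

```cisco
!--- Added example, not from the original document. Assumes the ASA Local
!--- configuration above (crypto map outside_map, sequence 10, OSPF process 100).

!--- RRI: the ASA installs a static route for the remote networks of crypto map
!--- entry 10 (here 20.20.20.0/24 from the crypto ACL) pointing at the outside
!--- next hop. Check what was installed with "show route".
crypto map outside_map 10 set reverse-route

!--- Redistribute only the RRI-learned LAN prefix. Without the route-map every
!--- static route, including the 0.0.0.0/0 default and the /32 to the peer,
!--- is a candidate for redistribution. (RRI_TO_OSPF is an example name.)
access-list RRI_TO_OSPF standard permit 20.20.20.0 255.255.255.0
route-map RRI_TO_OSPF permit 10
 match ip address RRI_TO_OSPF

router ospf 100
 redistribute static subnets route-map RRI_TO_OSPF
```

Mirror this on ASA Remote with crypto map vpn 10 set reverse-route and 10.10.10.0/24 in the route-map.
RRI is mainly useful when the far side does not run OSPF across the tunnel; in this lab the prefix is already
learned from ASA Remote, and the RRI static (administrative distance 1) simply takes precedence locally
over the OSPF route (distance 110) to the same next hop.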

Verify
Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to
view an analysis of show command output.

• logging buffered debugging: Shows the establishment of connections and denial of connections to
hosts that go through the PIX. The PIX log buffer stores the information. You can see the output if
you use the show logging command.

You can also use ASDM in order to enable logging and to view the logs.

• show crypto isakmp sa: Shows the Internet Security Association and Key Management Protocol
(ISAKMP) security association (SA) that is built between peers. A healthy LAN-to-LAN tunnel reports one
Active SA per peer in state MM_ACTIVE; in this capture Local is the initiator and Remote the responder.

Local#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 40.40.40.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Remote#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 30.30.30.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
• show crypto ipsec sa: Shows each Phase 2 SA that is built and the amount of traffic that is sent. In the
output below the proxy identities (local ident and remote ident) are the two outside interface addresses
with protocol 89: this is the SA that carries the OSPF adjacency. The SA for the 10.10.10.0/24 to
20.20.20.0/24 entry of the crypto ACL is negotiated separately as soon as traffic matches it, so it does not
appear until such traffic flows. The crypto map name shown (vpn) is the one on the device at capture time;
with the ASA Local configuration above it would read outside_map.

Local#show crypto ipsec sa

interface: outside
    Crypto map tag: vpn, local addr: 30.30.30.1

      local ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
      current_peer: 40.40.40.2

      #pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
      #pkts decaps: 355, #pkts decrypt: 355, #pkts verify: 355
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 355, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 30.30.30.1, remote crypto endpt.: 40.40.40.2

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 83444440

    inbound esp sas:
      spi: 0xAE9AB30C (2929373964)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (3824976/25399)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x83444440 (2202289216)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (3824975/25396)
         IV size: 8 bytes
         replay detection support: Y

Remote#show crypto ipsec sa

interface: outside
    Crypto map tag: vpn, local addr: 40.40.40.2

      local ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
      current_peer: 30.30.30.1

      #pkts encaps: 364, #pkts encrypt: 364, #pkts digest: 364
      #pkts decaps: 364, #pkts decrypt: 364, #pkts verify: 364
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 364, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 40.40.40.2, remote crypto endpt.: 30.30.30.1

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: AE9AB30C

    inbound esp sas:
      spi: 0x83444440 (2202289216)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (4274975/25301)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xAE9AB30C (2929373964)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (4274975/25300)
         IV size: 8 bytes
         replay detection support: Y
• show ospf neighbor: Shows that the OSPF neighbor relationships have formed. The state FULL/ - on the
outside interface is expected: a point-to-point non-broadcast network has no DR/BDR election. Toward the
inside routers the state is FULL/DR.

Local#show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
40.40.40.2        1   FULL/  -        0:00:38     40.40.40.2      outside
11.11.11.11       1   FULL/DR         0:00:33     10.10.10.2      inside

Remote#show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
30.30.30.1        1   FULL/  -        0:00:38     30.30.30.1      outside
22.22.22.22       1   FULL/DR         0:00:38     20.20.20.2      inside
• show debug: Displays which debugs are enabled. The output that follows comes from debug crypto isakmp
and shows the existing IKE SA to 40.40.40.2 being deleted and then rebuilt: Phase 1 completes (PHASE 1
COMPLETED), and Quick Mode negotiates the Phase 2 SA for the proxy identities 40.40.40.2 and 30.30.30.1
with protocol 89 (OSPF), which matches crypto map vpn sequence 10.

Local(config)#show debug
debug crypto ipsec enabled at level 1
debug crypto engine enabled at level 1
debug crypto isakmp enabled at level 1

May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,


IKE SA MM:ec9c234a rcv'd Terminate: state MM_ACTIVE flags 0x0021c042,
ref2cnt 1, tuncnt 1
May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing blank hash
May 25 12:49:21 [IKEv1 DEBUG]: constructing IPSec delete payload
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing qm hash
May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=df6487d8) with payloads : HDR + HASH (8) + DELETE (12) + NONE
(0) total length : 64
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Active unit receives a delete event for remote peer 40.40.40.2.

May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,


IKE Deleting SA: Remote Proxy 40.40.40.2, Local Proxy 30.30.30.1
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE SA MM:ec9c234a terminating: flags 0x0121c002, refcnt 0, tuncnt 0
May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing blank hash
May 25 12:49:21 [IKEv1 DEBUG]: constructing IKE delete payload
May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing qm hash
May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=ec167928) with payloads : HDR + HASH (8) + DELETE (12) + NONE
(0) total length : 76
May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x504ea964
May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x79fbcb2d
28−05−05−ASA5520−2(config)# May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2,
processing SA payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Oakley proposal is acceptable
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Fragmentation VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE Peer included IKE
fragmentation capability flags: Main Mode: True Aggressive Mode: True
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing IKE SA
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE SA Proposal # 1,
Transform # 1 acceptable Matches global IKE entry # 3
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ISA_SA for isakmp
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Fragmentation
VID + extended capabilities payload
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total
length : 108
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR
(13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ke payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ISA_KE
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing nonce payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Cisco Unity client VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received xauth V6 VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing VPN3000/ASA
spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Altiga/Cisco
VPN3000/Cisco ASA GW VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ke payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing nonce payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Cisco Unity
VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing xauth V6 VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send IOS VID
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing ASA spoofing IOS
Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on tunnel_group
40.40.40.2
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Generating keys for Responder...
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14)
+ VENDOR (13) + NONE (0) total length : 92
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
40.40.40.2
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing hash
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
computing hash
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing IOS keep
alive payload: proposal=32767/32767 sec.
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing VID payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Received DPD VID
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on
tunnel_group 40.40.40.2
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing ID
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
construct hash payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
computing hash
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing IOS
keep alive payload: proposal=32767/32767 sec.
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing dpd vid payload
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING
Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) +
IOS KEEPALIVE (14) + VENDOR (13) + NONE (0) total length : 92
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 1 COMPLETED
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Keep−alive type for
this connection: DPD
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Starting phase 1 rekey timer: 73440000 (ms)
May 25 12:49:39 [IKEv1 DECODE]: IP = 40.40.40.2, IKE Responder starting
QM: msg id = 0529ac6b
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing hash
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing SA payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing nonce payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
40.40.40.2
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Received remote Proxy Host data in ID Payload: Address 40.40.40.2,
Protocol 89, Port 0
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received
30.30.30.1
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Received local Proxy Host data in ID Payload: Address 30.30.30.1,
Protocol 89, Port 0
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Processing Notify payload
May 25 12:49:39 [IKEv1]: QM IsRekeyed old sa not found by addr
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Static Crypto Map check, checking map = vpn, seq = 10...
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Static Crypto Map check, map vpn, seq = 10 is a successful match
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE Remote Peer configured for SA: vpn
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
processing IPSEC SA
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
IPSec SA Proposal # 1, Transform # 1 acceptable Matches global
IPSec SA entry # 10
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
IKE: requesting SPI!
May 25 12:49:39 [IKEv1]: Received unexpected event
EV_ACTIVATE_NEW_SA in state MM_ACTIVE
May 25 12:49:40 [IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xf629186e
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
oakley constucting quick mode
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing blank hash
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing ISA_SA for ipsec
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing ipsec nonce payload
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing proxy ID
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Transmitting Proxy Id:
Remote host: 40.40.40.2 Protocol 89 Port 0
Local host: 30.30.30.1 Protocol 89 Port 0
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
constructing qm hash
May 25 12:49:40 [IKEv1 DECODE]: IKE Responder sending 2nd QM pkt:
msg id = 0529ac6b
May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message
(msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NONE (0) total length : 156
May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message
(msgid=529ac6b) with payloads : HDR + HASH (8) + NONE (0) total length : 48
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
processing hash
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
loading all IPSEC SAs
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Generating Quick Mode Key!
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,
Generating Quick Mode Key!
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Security negotiation complete for LAN−to−LAN Group (40.40.40.2)
Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
Starting P2 Rekey timer to expire in 24480 seconds
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2,
PHASE 2 COMPLETED (msgid=0529ac6b)

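The Phase 2 lines above are the ones worth checking against the intended crypto ACL: the proxy identities must be the two tunnel endpoints with IP protocol 89 (OSPF) and port 0, a static crypto map entry must match, and SPIs must be assigned before PHASE 2 COMPLETED. The following added parser (not part of the Cisco document) runs that check over a constructed, re-joined excerpt of the debug output shown on this page; the function and variable names are assumptions.

```python
import re

# Constructed excerpt of the ASA IKEv1 debug output from this page, with the
# wrapped lines re-joined so each event sits on one line.
DEBUG_LINES = """\
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Received remote Proxy Host data in ID Payload: Address 40.40.40.2, Protocol 89, Port 0
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Received local Proxy Host data in ID Payload: Address 30.30.30.1, Protocol 89, Port 0
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Static Crypto Map check, map vpn, seq = 10 is a successful match
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Security negotiation complete for LAN-to-LAN Group (40.40.40.2) Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, PHASE 2 COMPLETED (msgid=0529ac6b)
"""

PROXY_RE = re.compile(r"Received (remote|local) Proxy Host data in ID Payload: "
                      r"Address ([\d.]+), Protocol (\d+), Port (\d+)")
MAP_RE = re.compile(r"Static Crypto Map check, map (\w+), seq = (\d+) is a successful match")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)")
OSPF_PROTO = 89  # IP protocol number carried in the OSPF proxy IDs


def parse_phase2(text):
    """Collect the Phase 2 facts from the debug output: proxy IDs, crypto map hit,
    SPIs and whether the exchange completed."""
    result = {"proxy": {}, "map": None, "spi": None, "completed": False}
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            side, addr, proto, port = m.groups()
            result["proxy"][side] = (addr, int(proto), int(port))
            continue
        m = MAP_RE.search(line)
        if m:
            result["map"] = (m.group(1), int(m.group(2)))
            continue
        m = SPI_RE.search(line)
        if m:
            result["spi"] = (m.group(1), m.group(2))
            continue
        if "PHASE 2 COMPLETED" in line:
            result["completed"] = True
    return result


def check_ospf_sa(parsed, local_peer, remote_peer):
    """True only when a completed Phase 2 SA carries OSPF host-to-host between
    the two expected tunnel endpoints, i.e. it matched the intended crypto ACL."""
    local = parsed["proxy"].get("local")
    remote = parsed["proxy"].get("remote")
    if not (local and remote and parsed["completed"] and parsed["spi"]):
        return False
    return (local == (local_peer, OSPF_PROTO, 0)
            and remote == (remote_peer, OSPF_PROTO, 0))
```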
Verify that the LAN−to−LAN connection passes routing traffic by checking the routers:

• show ip route − Displays IP routing table entries.

Left#show ip route
Codes: C − connected, S − static, I − IGRP, R − RIP, M − mobile, B − BGP
D − EIGRP, EX − EIGRP external, O − OSPF, IA − OSPF inter area
N1 − OSPF NSSA external type 1, N2 − OSPF NSSA external type 2
E1 − OSPF external type 1, E2 − OSPF external type 2, E − EGP
i − IS−IS, L1 − IS−IS level−1, L2 − IS−IS level−2, ia − IS−IS inter area
* − candidate default, U − per−user static route, o − ODR
P − periodic downloaded static route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

20.0.0.0/24 is subnetted, 1 subnets
O 20.20.20.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
22.0.0.0/32 is subnetted, 1 subnets
O 22.22.22.22 [110/31] via 10.10.10.1, 00:59:37, Ethernet0
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Ethernet0
11.0.0.0/24 is subnetted, 1 subnets
C 11.11.11.0 is directly connected, Loopback11
30.0.0.0/24 is subnetted, 1 subnets
O 30.30.30.0 [110/20] via 10.10.10.1, 00:59:38, Ethernet0
S* 0.0.0.0/0 [1/0] via 10.10.10.1
Left#ping 20.20.20.2
Type escape sequence to abort.
Sending 5, 100−byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!

Right#show ip route
Codes: C − connected, S − static, I − IGRP, R − RIP, M − mobile, B − BGP
D − EIGRP, EX − EIGRP external, O − OSPF, IA − OSPF inter area
N1 − OSPF NSSA external type 1, N2 − OSPF NSSA external type 2
E1 − OSPF external type 1, E2 − OSPF external type 2, E − EGP
i − IS−IS, L1 − IS−IS level−1, L2 − IS−IS level−2, ia − IS−IS inter area
* − candidate default, U − per−user static route, o − ODR
P − periodic downloaded static route

Gateway of last resort is 20.20.20.1 to network 0.0.0.0

20.0.0.0/24 is subnetted, 1 subnets
C 20.20.20.0 is directly connected, Ethernet0
22.0.0.0/24 is subnetted, 1 subnets
C 22.22.22.0 is directly connected, Loopback22
40.0.0.0/24 is subnetted, 1 subnets
O 40.40.40.0 [110/20] via 20.20.20.1, 01:01:45, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
O 10.10.10.0 [110/30] via 20.20.20.1, 01:01:45, Ethernet0
11.0.0.0/32 is subnetted, 1 subnets
O 11.11.11.11 [110/31] via 20.20.20.1, 01:01:45, Ethernet0
30.0.0.0/24 is subnetted, 1 subnets
O 30.30.30.0 [110/30] via 20.20.20.1, 01:01:46, Ethernet0
S* 0.0.0.0/0 [1/0] via 20.20.20.1

Right#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100−byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round−trip min/avg/max = 12/12/12 ms

View the Logs

Complete these steps in order to view the logs:

1. Choose Configuration > Properties > Logging > Logging Setup, check Enable logging, and click
Apply.
2. Choose Monitoring > Logging > Log Buffer > Logging Level, select Logging Buffer from the
drop−down menu, and click View.
Here is an example of the Log Buffer:

In order to view related graphs, choose Monitoring > VPN > IPSEC Tunnels. Then, move IPsec
Active Tunnels and IKE Active Tunnels to Selected Graphs, and choose Show Graphs.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.

Related Information
• Cisco ASA 5500 Series Adaptive Security Appliances
• Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
• Cisco PIX Firewall Software
• Cisco Secure PIX Firewall Command References
• Product Field Notice Summary page (including PIX)
• Requests for Comments (RFCs)
• Technical Support & Documentation − Cisco Systems

Updated: Oct 14, 2008 Document ID: 63882