Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (1) - High Availability IPSec - NETSEC

Monday, January 11, 2016

Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (1) - High Availability IPSec

IPsec is a framework of open standards that provides data confidentiality, data integrity, and data authentication among participating peers. It provides these security services at the IP layer; it uses Internet Key Exchange (IKE) to negotiate protocols and algorithms based on local policy, and to generate the encryption and authentication keys used by IPsec. You can use IPsec to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IKE, which stands for Internet Key Exchange, is a protocol that belongs to the IPsec protocol suite. It is responsible for setting up the security associations that allow two parties to exchange data securely. IKE was introduced in 1998 and was superseded by version 2 roughly 7 years later.

This post summarizes a typical Cisco IOS IPSec VPN IKEv1 setup, covering both standalone and High Availability implementations. It focuses on IKEv1 (Internet Key Exchange version 1); the next post will cover how to use different CAs to authenticate IKE, and IKEv2 will be summarized later in this blog.

Typical topology:
R1: G0/0 - 19.26.116.141 (this is the HSRP virtual IP in the high availability deployment)
R2: G0/0 - 19.26.116.137

R1: G0/1 - internal interface for network 192.168.20.x/24
R2: G0/1 - internal interface for network 172.21.91.x/24


1. Standalone IOS Router IPSec VPN Setup

1.1 Configuration:



R2#sh run

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 19.26.116.141
crypto isakmp keepalive 10
!       
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 19.26.116.141
 set transform-set mysec
 set pfs group14
 match address 110
 reverse-route
!
access-list 110 permit ip host 172.21.91.37 host 192.168.20.25
access-list 110 permit ip host 192.168.20.25 host 172.21.91.37
!
interface GigabitEthernet0/0
 ip address 19.26.116.137 255.255.255.192
 duplex auto
 speed auto
 crypto map vpn

====================================================================

R1#sh run

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 19.26.116.137
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 19.26.116.137
 set transform-set mysec
 set pfs group14
 match address 110
 reverse-route
!
!
interface GigabitEthernet0/0
 ip address 19.26.116.141 255.255.255.192
 duplex auto
 speed auto
 crypto map vpn

access-list 110 permit ip host 192.168.20.25 host 172.21.91.37
access-list 110 permit ip host 172.21.91.37 host 192.168.20.25



1.2 Logs for ISAKMP and IPSEC Packets


R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
19.26.116.141  19.26.116.137 QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: vpn, local addr 19.26.116.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
   current_peer 19.26.116.137 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 19.26.116.141, remote crypto endpt.: 19.26.116.137
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x74E1A91F(1960945951)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x2C3EB4EE(742307054)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000046, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4512351/3283)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x74E1A91F(1960945951)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000046, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4512352/3283)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
         
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
   current_peer 19.26.116.137 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 19.26.116.141, remote crypto endpt.: 19.26.116.137
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


R1#
040672: Jan  6 14:32:12.454 EST: ISAKMP (0): received packet from 19.26.116.137 dport 500 sport 500 Global (N) NEW SA
040673: Jan  6 14:32:12.454 EST: ISAKMP: Created a peer struct for 19.26.116.137, peer port 500
040674: Jan  6 14:32:12.454 EST: ISAKMP: New peer created peer = 0x28DDE524 peer_handle = 0x80000009
040675: Jan  6 14:32:12.454 EST: ISAKMP: Locking peer struct 0x28DDE524, refcount 1 for crypto_isakmp_process_block
040676: Jan  6 14:32:12.454 EST: ISAKMP: local port 500, remote port 500
040677: Jan  6 14:32:12.454 EST: ISAKMP:(0):insert sa successfully sa = 300A8474
040678: Jan  6 14:32:12.454 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
040679: Jan  6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

040680: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing SA payload. message ID = 0
040681: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040682: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
040683: Jan  6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
040684: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040685: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
040686: Jan  6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T v7
040687: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040688: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
040689: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v3
040690: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040691: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
040692: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v2
040693: Jan  6 14:32:12.454 EST: ISAKMP:(0):found peer pre-shared key matching 19.26.116.137
040694: Jan  6 14:32:12.454 EST: ISAKMP:(0): local preshared key found
040695: Jan  6 14:32:12.454 EST: ISAKMP : Scanning profiles for xauth ...
040696: Jan  6 14:32:12.454 EST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
040697: Jan  6 14:32:12.454 EST: ISAKMP:      encryption AES-CBC
040698: Jan  6 14:32:12.454 EST: ISAKMP:      keylength of 256
040699: Jan  6 14:32:12.454 EST: ISAKMP:      hash SHA256
040700: Jan  6 14:32:12.454 EST: ISAKMP:      default group 14
040701: Jan  6 14:32:12.454 EST: ISAKMP:      auth pre-share
040702: Jan  6 14:32:12.454 EST: ISAKMP:      life type in seconds
040703: Jan  6 14:32:12.454 EST: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
040704: Jan  6 14:32:12.454 EST: ISAKMP:(0):atts are acceptable. Next payload is 0
040705: Jan  6 14:32:12.454 EST: ISAKMP:(0):Acceptable atts:actual life: 0
040706: Jan  6 14:32:12.454 EST: ISAKMP:(0):Acceptable atts:life: 0
040707: Jan  6 14:32:12.454 EST: ISAKMP:(0):Fill atts in sa vpi_length:4
040708: Jan  6 14:32:12.454 EST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
040709: Jan  6 14:32:12.454 EST: ISAKMP:(0):Returning Actual lifetime: 86400
040710: Jan  6 14:32:12.454 EST: ISAKMP:(0)::Started lifetime timer: 86400.

040711: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040712: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
040713: Jan  6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
040714: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040715: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
040716: Jan  6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T v7
040717: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040718: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
040719: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v3
040720: Jan  6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040721: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
040722: Jan  6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v2
040723: Jan  6 14:32:12.454 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
040724: Jan  6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

040725: Jan  6 14:32:12.454 EST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
040726: Jan  6 14:32:12.454 EST: ISAKMP:(0): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) MM_SA_SETUP
040727: Jan  6 14:32:12.454 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.
040728: Jan  6 14:32:12.454 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
040729: Jan  6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

040730: Jan  6 14:32:12.462 EST: ISAKMP (0): received packet from 19.26.116.137 dport 500 sport 500 Global (R) MM_SA_SETUP
040731: Jan  6 14:32:12.462 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
040732: Jan  6 14:32:12.462 EST: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

040733: Jan  6 14:32:12.462 EST: ISAKMP:(0): processing KE payload. message ID = 0
040734: Jan  6 14:32:12.646 EST: ISAKMP:(0): processing NONCE payload. message ID = 0
040735: Jan  6 14:32:12.646 EST: ISAKMP:(0):found peer pre-shared key matching 19.26.116.137
040736: Jan  6 14:32:12.646 EST: ISAKMP:(1002): processing vendor id payload
040737: Jan  6 14:32:12.646 EST: ISAKMP:(1002): vendor ID is DPD
040738: Jan  6 14:32:12.646 EST: ISAKMP:(1002): processing vendor id payload
040739: Jan  6 14:32:12.646 EST: ISAKMP:(1002): speaking to another IOS box!
040740: Jan  6 14:32:12.646 EST: ISAKMP:(1002): processing vendor id payload
040741: Jan  6 14:32:12.646 EST: ISAKMP:(1002): vendor ID seems Unity/DPD but major 31 mismatch
040742: Jan  6 14:32:12.646 EST: ISAKMP:(1002): vendor ID is XAUTH
040743: Jan  6 14:32:12.646 EST: ISAKMP:received payload type 20
040744: Jan  6 14:32:12.646 EST: ISAKMP (1002): His hash no match - this node outside NAT
040745: Jan  6 14:32:12.646 EST: ISAKMP:received payload type 20
040746: Jan  6 14:32:12.646 EST: ISAKMP (1002): No NAT Found for self or peer
040747: Jan  6 14:32:12.646 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
040748: Jan  6 14:32:12.646 EST: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM3

040749: Jan  6 14:32:12.646 EST: ISAKMP:(1002): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) MM_KEY_EXCH
040750: Jan  6 14:32:12.646 EST: ISAKMP:(1002):Sending an IKE IPv4 Packet.
040751: Jan  6 14:32:12.646 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
040752: Jan  6 14:32:12.646 EST: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4

040753: Jan  6 14:32:12.810 EST: ISAKMP (1002): received packet from 19.26.116.137 dport 500 sport 500 Global (R) MM_KEY_EXCH
040754: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
040755: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5

040756: Jan  6 14:32:12.810 EST: ISAKMP:(1002): processing ID payload. message ID = 0
040757: Jan  6 14:32:12.810 EST: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 19.26.116.137
        protocol     : 17
        port         : 500
        length       : 12
040758: Jan  6 14:32:12.810 EST: ISAKMP:(0):: peer matches *none* of the profiles
040759: Jan  6 14:32:12.810 EST: ISAKMP:(1002): processing HASH payload. message ID = 0
040760: Jan  6 14:32:12.810 EST: ISAKMP:received payload type 17
040761: Jan  6 14:32:12.810 EST: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 0x300A8474
040762: Jan  6 14:32:12.810 EST: ISAKMP:(1002):SA authentication status:
        authenticated
040763: Jan  6 14:32:12.810 EST: ISAKMP:(1002):SA has been authenticated with 19.26.116.137
040764: Jan  6 14:32:12.810 EST: ISAKMP:(1002):SA authentication status:
        authenticated
040765: Jan  6 14:32:12.810 EST: ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 19.26.116.141 remote 19.26.116.137 remote port 500
040766: Jan  6 14:32:12.810 EST: ISAKMP: Trying to insert a peer 19.26.116.141/19.26.116.137/500/,  and inserted successfully 28DDE524.
040767: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
040768: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_R_MM5

040769: Jan  6 14:32:12.810 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
040770: Jan  6 14:32:12.810 EST: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
040771: Jan  6 14:32:12.810 EST: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 19.26.116.141
        protocol     : 17
        port         : 500
        length       : 12
040772: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Total payload length: 12
040773: Jan  6 14:32:12.810 EST: ISAKMP:(1002): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) MM_KEY_EXCH
040774: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Sending an IKE IPv4 Packet.
040775: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
040776: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

040777: Jan  6 14:32:12.810 EST: ISAKMP:(1002):IKE_DPD is enabled, initializing timers
040778: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
040779: Jan  6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

040780: Jan  6 14:32:12.942 EST: ISAKMP (1002): received packet from 19.26.116.137 dport 500 sport 500 Global (R) QM_IDLE     
040781: Jan  6 14:32:12.942 EST: ISAKMP: set new node 1209818338 to QM_IDLE     
040782: Jan  6 14:32:12.942 EST: ISAKMP:(1002): processing HASH payload. message ID = 1209818338
040783: Jan  6 14:32:12.942 EST: ISAKMP:(1002): processing SA payload. message ID = 1209818338
040784: Jan  6 14:32:12.942 EST: ISAKMP:(1002):Checking IPSec proposal 1
040785: Jan  6 14:32:12.942 EST: ISAKMP: transform 1, ESP_AES
040786: Jan  6 14:32:12.942 EST: ISAKMP:   attributes in transform:
040787: Jan  6 14:32:12.942 EST: ISAKMP:      encaps is 1 (Tunnel)
040788: Jan  6 14:32:12.942 EST: ISAKMP:      SA life type in seconds
040789: Jan  6 14:32:12.942 EST: ISAKMP:      SA life duration (basic) of 3600
040790: Jan  6 14:32:12.942 EST: ISAKMP:      SA life type in kilobytes
040791: Jan  6 14:32:12.942 EST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
040792: Jan  6 14:32:12.942 EST: ISAKMP:      authenticator is HMAC-SHA256
040793: Jan  6 14:32:12.942 EST: ISAKMP:      key length is 256
040794: Jan  6 14:32:12.942 EST: ISAKMP:      group is 14
040795: Jan  6 14:32:12.942 EST: ISAKMP:(1002):atts are acceptable.
040796: Jan  6 14:32:12.942 EST: IPSEC(validate_proposal_request): proposal part #1
040797: Jan  6 14:32:12.942 EST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 19.26.116.141:0, remote= 19.26.116.137:0,
    local_proxy= 192.168.20.25/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.21.91.37/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
040798: Jan  6 14:32:12.942 EST: Crypto mapdb : proxy_match
        src addr     : 192.168.20.25
        dst addr     : 172.21.91.37
        protocol     : 0
        src port     : 0
        dst port     : 0
040799: Jan  6 14:32:13.082 EST: ISAKMP:(1002): processing NONCE payload. message ID = 1209818338
040800: Jan  6 14:32:13.082 EST: ISAKMP:(1002): processing KE payload. message ID = 1209818338
040801: Jan  6 14:32:13.258 EST: ISAKMP:(1002): processing ID payload. message ID = 1209818338
040802: Jan  6 14:32:13.258 EST: ISAKMP:(1002): processing ID payload. message ID = 1209818338
040803: Jan  6 14:32:13.258 EST: ISAKMP:(1002):QM Responder gets spi
040804: Jan  6 14:32:13.258 EST: ISAKMP:(1002):Node 1209818338, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
040805: Jan  6 14:32:13.258 EST: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
040806: Jan  6 14:32:13.258 EST: ISAKMP:(1002): Creating IPSec SAs
040807: Jan  6 14:32:13.258 EST:         inbound SA from 19.26.116.137 to 19.26.116.141 (f/i)  0/ 0
        (proxy 172.21.91.37 to 192.168.20.25)
040808: Jan  6 14:32:13.258 EST:         has spi 0x2C3EB4EE and conn_id 0
040809: Jan  6 14:32:13.258 EST:         lifetime of 3600 seconds
040810: Jan  6 14:32:13.262 EST:         lifetime of 4608000 kilobytes
040811: Jan  6 14:32:13.262 EST:         outbound SA from 19.26.116.141 to 19.26.116.137 (f/i) 0/0
        (proxy 192.168.20.25 to 172.21.91.37)
040812: Jan  6 14:32:13.262 EST:         has spi  0x74E1A91F and conn_id 0
040813: Jan  6 14:32:13.262 EST:         lifetime of 3600 seconds
040814: Jan  6 14:32:13.262 EST:         lifetime of 4608000 kilobytes
040815: Jan  6 14:32:13.262 EST: ISAKMP:(1002): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) QM_IDLE     
040816: Jan  6 14:32:13.262 EST: ISAKMP:(1002):Sending an IKE IPv4 Packet.
040817: Jan  6 14:32:13.262 EST: ISAKMP:(1002):Node 1209818338, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
040818: Jan  6 14:32:13.262 EST: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
040819: Jan  6 14:32:13.262 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
040820: Jan  6 14:32:13.262 EST: Crypto mapdb : proxy_match
        src addr     : 192.168.20.25
        dst addr     : 172.21.91.37
        protocol     : 0
        src port     : 0
        dst port     : 0
040821: Jan  6 14:32:13.262 EST: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 19.26.116.137
040822: Jan  6 14:32:13.262 EST: IPSEC(rte_mgr): VPN Route Event create SA based on crypto ACL in real time for 19.26.116.137
040823: Jan  6 14:32:13.262 EST:  IPSEC(rte_mgr): Route add Peer 19.26.116.137 , Destination 172.21.91.37, Nexthop 0.0.0.0, RT type 1
040824: Jan  6 14:32:13.262 EST: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0

040825: Jan  6 14:32:13.262 EST: IPSEC(rte_mgr): VPN Route Added 172.21.91.37 255.255.255.255 via 19.26.116.137 in IP DEFAULT TABLE with tag 0 distance 1
040826: Jan  6 14:32:13.262 EST: IPSEC(policy_db_add_ident): src 192.168.20.25, dest 172.21.91.37, dest_port 0

040827: Jan  6 14:32:13.262 EST: IPSEC(create_sa): sa created,
  (sa) sa_dest= 19.26.116.141, sa_proto= 50,
    sa_spi= 0x2C3EB4EE(742307054),
    sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 5
    sa_lifetime(k/sec)= (4512352/3600)
040828: Jan  6 14:32:13.262 EST: IPSEC(create_sa): sa created,
  (sa) sa_dest= 19.26.116.137, sa_proto= 50,
    sa_spi= 0x74E1A91F(1960945951),
    sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 6
    sa_lifetime(k/sec)= (4512352/3600)
040829: Jan  6 14:32:13.430 EST: ISAKMP (1002): received packet from 19.26.116.137 dport 500 sport 500 Global (R) QM_IDLE     
040830: Jan  6 14:32:13.430 EST: ISAKMP:(1002):deleting node 1209818338 error FALSE reason "QM done (await)"
040831: Jan  6 14:32:13.430 EST: ISAKMP:(1002):Node 1209818338, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
040832: Jan  6 14:32:13.430 EST: ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
040833: Jan  6 14:32:13.430 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
040834: Jan  6 14:32:13.430 EST: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
040835: Jan  6 14:32:13.430 EST: IPSEC(key_engine_enable_outbound): enable SA with spi 1960945951/50
040836: Jan  6 14:32:13.430 EST: IPSEC(update_current_outbound_sa): get enable SA peer 19.26.116.137 current outbound sa to SPI 74E1A91F
040837: Jan  6 14:32:13.430 EST: IPSEC(update_current_outbound_sa): updated peer 19.26.116.137 current outbound sa to SPI 74E1A91F
R1#

2. Cisco High Availability Environment - IKEv1 Site to Site IPSec VPN Configuration

Troubleshooting an IPSec "send errors" issue

When I first configured the crypto map on the HSRP interface with a plain "crypto map vpn" command, just as I usually do on a standalone VPN setup, the tunnel did not work. In "show crypto ipsec sa" the "send errors" counter kept increasing while I tested the VPN tunnel. What I found is that when IPSec is configured on a High Availability (HSRP) interface, you need at least "crypto map vpn redundancy VPNHA" for stateless failover. This makes the router communicate with the peer using the HSRP virtual IP 19.26.116.141 instead of its local interface IP 19.26.116.139.


R2#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: vpn, local addr 19.26.116.137

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
   current_peer 19.26.116.141 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 19.26.116.137, remote crypto endpt.: 19.26.116.141
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:
         
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
   current_peer 19.26.116.141 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 82, #recv errors 0

     local crypto endpt.: 19.26.116.137, remote crypto endpt.: 19.26.116.141
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

================================================================

 R1#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: vpn, local addr 19.26.116.139  // This is wrong: it should be the HSRP virtual IP 19.26.116.141.

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
   current_peer 19.26.116.137 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 19.26.116.139, remote crypto endpt.: 19.26.116.137
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:
        
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

R1(config-if)#do sh run int g0/0
Building configuration...

Current configuration : 306 bytes
!
!
interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 ip accounting output-packets
 standby 199 ip 19.26.116.141
 standby 199 priority 105
 standby 199 preempt
 standby 199 name VPNHA
 standby 199 track 2 decrement 10
 duplex auto
 speed auto
 crypto map vpn // This is wrong on an HSRP interface: it makes the VPN gateway use the local IP 19.26.116.139 to communicate with the peer.
end
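To catch this symptom without reading the output by eye, here is an added example (my own code, not from the post): it parses "show crypto ipsec sa" output and reports a crypto map whose local addr is not the expected HSRP VIP, plus any protected flow with send errors or no active ESP SA. The sample output is constructed after the R1 output above, and the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the R1 output above (not copied from the post): the
# crypto map is bound to the physical address 19.26.116.139 instead of the HSRP VIP
# 19.26.116.141, no ESP SA exists and the send-error counter is climbing.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: vpn, local addr 19.26.116.139

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
   current_peer 19.26.116.137 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 82, #recv errors 0

     local crypto endpt.: 19.26.116.139, remote crypto endpt.: 19.26.116.137
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     outbound esp sas:
"""


@dataclass
class IpsecFlow:
    local_ident: str
    remote_ident: str
    peer: str
    pkts_encaps: int
    pkts_decaps: int
    send_errors: int
    outbound_spi: int
    active_esp_sas: int


@dataclass
class CryptoMapState:
    interface: str
    map_tag: str
    local_addr: str
    flows: list = field(default_factory=list)


def parse_show_crypto_ipsec_sa(text):
    """Parse one interface section of 'show crypto ipsec sa' into a CryptoMapState."""
    header = re.search(r"interface: (\S+)\s+Crypto map tag: (\S+), local addr (\S+)", text)
    if not header:
        raise ValueError("not a 'show crypto ipsec sa' output")
    state = CryptoMapState(*header.groups())
    # Every protected flow starts with 'protected vrf:'; chunk 0 is only the header.
    for chunk in re.split(r"\n\s*protected vrf:", text)[1:]:
        def grab(pattern, default="0"):
            m = re.search(pattern, chunk)
            return m.group(1) if m else default
        state.flows.append(IpsecFlow(
            local_ident=grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", "?"),
            remote_ident=grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", "?"),
            peer=grab(r"current_peer (\S+)", "?"),
            pkts_encaps=int(grab(r"#pkts encaps: (\d+)")),
            pkts_decaps=int(grab(r"#pkts decaps: (\d+)")),
            send_errors=int(grab(r"#send errors (\d+)")),
            outbound_spi=int(grab(r"current outbound spi: 0x([0-9A-Fa-f]+)"), 16),
            # A non-empty ESP SA list is followed directly by an 'spi:' line.
            active_esp_sas=len(re.findall(r"esp sas:\n\s*spi: 0x", chunk)),
        ))
    return state


def audit_crypto_map(text, expected_local_addr):
    """Return findings for the HSRP/crypto-map symptom; [] means the tunnel looks healthy."""
    state = parse_show_crypto_ipsec_sa(text)
    findings = []
    if state.local_addr != expected_local_addr:
        findings.append(
            f"{state.interface}: crypto map '{state.map_tag}' is bound to {state.local_addr}, "
            f"expected HSRP VIP {expected_local_addr}; apply 'crypto map {state.map_tag} "
            f"redundancy <standby-group-name>' on the interface")
    for flow in state.flows:
        if flow.send_errors:
            findings.append(
                f"{flow.local_ident} -> {flow.remote_ident} (peer {flow.peer}): "
                f"{flow.send_errors} send errors, {flow.active_esp_sas} active ESP SAs")
        elif flow.active_esp_sas == 0 and flow.pkts_encaps == 0:
            findings.append(
                f"{flow.local_ident} -> {flow.remote_ident}: no ESP SA negotiated yet")
    return findings
```

Calling audit_crypto_map(SAMPLE_OUTPUT, "19.26.116.141") returns two findings, the wrong local address and the flow with 82 send errors, while the output captured after the fix in section 2.1 returns none.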




Now that the cause has been found, there are two ways to fix it: stateless failover or stateful failover.

2.1 Stateless Failover Configuration


R1#sh run
....[Omitted]

crypto isakmp policy 1
 encr aes 256
 hash sha256
 group 14
crypto isakmp key cisco123 address 20.15.6.6 no-xauth
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 20.15.6.6
 set transform-set mysec
 set pfs group14
 match address GandD
 reverse-route
!
!
interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 ip accounting output-packets
 standby 199 ip 19.26.116.141
 standby 199 priority 105
 standby 199 preempt
 standby 199 name VPNHA
 standby 199 track 2 decrement 10
 duplex auto
 speed auto
 crypto map vpn redundancy VPNHA
!

ip access-list extended GandD
 permit ip host 192.168.20.25 172.21.90.0 0.0.1.255
 permit icmp host 192.168.20.25 172.21.90.0 0.0.1.255




======================================================================


// After I changed the crypto map configuration from "crypto map vpn" to "crypto map vpn redundancy VPNHA", the local addr changed from 19.26.116.139 to 19.26.116.141, and the IPSec VPN tunnel was built on this IP address as expected.

R1#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: vpn, local addr 19.26.116.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
   current_peer 19.26.116.137 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1109, #pkts encrypt: 1109, #pkts digest: 1109
    #pkts decaps: 1109, #pkts decrypt: 1109, #pkts verify: 1109
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 19.26.116.141, remote crypto endpt.: 19.26.116.137
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x2811DA7F(672258687)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x2F3884(3094660)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, sibling_flags 80000046, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4588296/3485)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2811DA7F(672258687)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, sibling_flags 80000046, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4588296/3485)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#



2.2 Stateful Failover Configuration
Stateful Failover for IP Security (IPsec) allows a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. A backup (secondary) router automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and requires neither adjustment nor reconfiguration of any remote peer.

Stateful Failover for IPsec is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP).

  • HSRP provides network redundancy for IP networks, helping ensure that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of IKE and IPsec security associations is passed to the standby router (which transitions to the HSRP active state).
  • SSO allows the active and standby routers to share IKE and IPsec state information so that each router has enough information to become the active router at any time. To configure Stateful Failover for IPsec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.
Enabling Stateful Failover for IKE and IPsec
There is no specific command-line interface (CLI) command needed to enable Stateful Failover for IKE. It is enabled for a particular VIP address when a Stateful Failover crypto map is applied to an interface. Use the "crypto map map-name [redundancy standby-group-name [stateful]]" command to enable Stateful Failover for IPsec. All IPsec state information is transferred from the active router to the standby router through the SSO redundancy channel specified in the IPC configuration.


R1#sh run
....[Omitted]

ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 192.168.20.139
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 192.168.20.140
!

redundancy inter-device
 scheme standby VPNHA

!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 group 14
crypto isakmp key cisco123 address 20.15.6.6 no-xauth
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 20.15.6.6
 set transform-set mysec
 set pfs group14
 match address GandD
 reverse-route
!
!
interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 ip accounting output-packets
 standby 199 ip 19.26.116.141
 standby 199 priority 105
 standby 199 preempt
 standby 199 name VPNHA
 standby 199 track 2 decrement 10
 duplex auto
 speed auto
 crypto map vpn redundancy VPNHA stateful
!

ip access-list extended GandD
 permit ip host 192.168.20.25 172.21.90.0 0.0.1.255
 permit icmp host 192.168.20.25 172.21.90.0 0.0.1.255
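As an added example (my own code, not from the post or from Cisco), the following Python script audits a running-config for the mistake from section 2 and for the stateful prerequisite from section 2.2: a crypto map on an HSRP interface without "redundancy <standby-group-name>", a redundancy name that matches no "standby <group> name" on that interface, and a "stateful" crypto map whose group is not listed under "redundancy inter-device / scheme standby". The config fragment and the interface GigabitEthernet0/2 in it are constructed for the demonstration.

```python
import re

# Constructed running-config fragment (added example, not the post's own configuration).
# G0/0 repeats the mistake from section 2: a plain 'crypto map vpn' on an HSRP interface.
# G0/2 is a hypothetical second HSRP interface that asks for stateful failover although
# the global 'redundancy inter-device' block only names the VPNHA group.
SAMPLE_CONFIG = """\
redundancy inter-device
 scheme standby VPNHA
!
interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 standby 199 ip 19.26.116.141
 standby 199 priority 105
 standby 199 preempt
 standby 199 name VPNHA
 crypto map vpn
!
interface GigabitEthernet0/2
 ip address 10.0.0.2 255.255.255.0
 standby 200 ip 10.0.0.1
 standby 200 name VPNHA2
 crypto map vpn2 redundancy VPNHA2 stateful
!
interface GigabitEthernet0/1
 ip address 192.168.20.139 255.255.255.0
!
"""


def parse_interfaces(config):
    """Map each interface name to its indented sub-commands (stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or another global command ends the stanza
    return interfaces


def sso_schemes(config):
    """Standby group names listed under 'redundancy inter-device / scheme standby'."""
    block = re.search(r"^redundancy inter-device\n((?: .*(?:\n|$))*)", config, re.M)
    return set(re.findall(r"scheme standby (\S+)", block.group(1))) if block else set()


def audit_ha_crypto_maps(config):
    """Flag crypto maps on HSRP interfaces that will not follow the virtual IP."""
    findings = []
    schemes = sso_schemes(config)
    for ifname, lines in parse_interfaces(config).items():
        body = "\n".join(lines)
        vips = dict(re.findall(r"standby (\d+) ip (\S+)", body))       # group -> VIP
        group_names = set(re.findall(r"standby \d+ name (\S+)", body))  # HSRP group names
        for line in lines:
            m = re.match(r"crypto map (\S+)(?: redundancy (\S+)( stateful)?)?$", line)
            if not m or not vips:
                continue  # no crypto map here, or no HSRP: the standalone case is fine
            cmap, standby_name, stateful = m.groups()
            if standby_name is None:
                findings.append(
                    f"{ifname}: 'crypto map {cmap}' on an HSRP interface binds IKE/IPsec to "
                    f"the physical address, not VIP {', '.join(vips.values())}; use "
                    f"'crypto map {cmap} redundancy <standby-group-name>'")
            elif standby_name not in group_names:
                findings.append(
                    f"{ifname}: redundancy group '{standby_name}' has no matching "
                    f"'standby <group> name {standby_name}' on this interface")
            elif stateful and standby_name not in schemes:
                findings.append(
                    f"{ifname}: stateful failover for '{standby_name}' needs "
                    f"'redundancy inter-device' with 'scheme standby {standby_name}'")
    return findings


if __name__ == "__main__":
    for finding in audit_ha_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```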


Improvement from Stateless Failover to Stateful Failover
Before enabling Stateful Failover, ping timed out 39 times:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!.....................................!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


After enabling stateful failover, ping timed out only 13 times.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



This post only covers pre-shared-key based IPSec VPN. If you are looking for certificate-based site-to-site IPSec VPN, there are other posts in this blog on that topic; see the following list:


Reference:
How to configure Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication
Cisco High Availability Solution: Stateful Failover for IPsec
