IPsec is a framework of open standards that provides data confidentiality, data integrity, and data authentication among participating peers. It provides these security services at the IP layer; it uses Internet Key Exchange (IKE) to negotiate protocols and algorithms based on local policy, and to generate the encryption and authentication keys used by IPsec. You can use IPsec to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
“IKE,” which stands for “Internet Key Exchange,” is a protocol that belongs to the IPsec protocol suite. It is responsible for setting up the security associations that allow two parties to exchange data securely. IKE was introduced in 1998 and was superseded by version 2 roughly 7 years later.
This post summarizes a typical Cisco IOS IPSec VPN IKEv1 setup, covering both standalone and High Availability deployments. The next post covers how to use different CAs to authenticate IKE. This post focuses on IKEv1 (Internet Key Exchange version 1); IKEv2 will be summarized later in this blog.
Typical Topology:
R1: G0/0 – 19.26.116.141 (this is the VIP in the high availability deployment)
R2: G0/0 – 19.26.116.137
R1: G0/1 – Internal Interface for network 192.168.20.x/24
R2: G0/1 – Internal Interface for network 172.21.91.x/24
1. Standalone IOS Router IPSec VPN Setup
1.1 Configuration:
R1#
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 19.26.116.141
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 19.26.116.141
 set transform-set mysec
 set pfs group14
 match address 110
 reverse-route
!
access-list 110 permit ip host 172.21.91.37 host 192.168.20.25
access-list 110 permit ip host 192.168.20.25 host 172.21.91.37
!
interface GigabitEthernet0/0
 ip address 19.26.116.137 255.255.255.192
 duplex auto
 speed auto
 crypto map vpn
====================================================================
R2#sh run
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 19.26.116.137
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 19.26.116.137
 set transform-set mysec
 set pfs group14
 match address 110
 reverse-route
!
!
interface GigabitEthernet0/0
 ip address 19.26.116.141 255.255.255.192
 duplex auto
 speed auto
 crypto map vpn
access-list 110 permit ip host 192.168.20.25 host 172.21.91.37
access-list 110 permit ip host 172.21.91.37 host 192.168.20.25
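A Phase 1 negotiation only succeeds when both routers have an ISAKMP policy with the same encryption, hash, authentication method and DH group, the pre-shared keys for each other's address match, the transform sets and PFS group agree, and the crypto ACLs are exact mirror images of each other. The check below, added here as an example and not code from the original post, parses the crypto sections of two IOS running-configs and reports every such mismatch. The two sample configs are constructed from the snippets above, reduced to the lines the check reads and with each crypto ACL describing only that router's own outbound flow; the routers are named by their outside address rather than R1/R2 to avoid the label mix-up in the listing.

```python
import re

# Constructed from the section 1.1 snippets: the 19.26.116.137 router protects
# 172.21.91.37, the 19.26.116.141 router protects 192.168.20.25.
CFG_137 = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 19.26.116.141
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 19.26.116.141
 set transform-set mysec
 set pfs group14
 match address 110
access-list 110 permit ip host 172.21.91.37 host 192.168.20.25
interface GigabitEthernet0/0
 ip address 19.26.116.137 255.255.255.192
"""

CFG_141 = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 19.26.116.137
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 19.26.116.137
 set transform-set mysec
 set pfs group14
 match address 110
access-list 110 permit ip host 192.168.20.25 host 172.21.91.37
interface GigabitEthernet0/0
 ip address 19.26.116.141 255.255.255.192
"""


def parse_crypto(config):
    """Extract the IKEv1/IPsec settings the peer-consistency check needs."""
    cfg = {"policies": [], "keys": {}, "tsets": {}, "maps": [], "acls": {},
           "local_ips": set(re.findall(r"^ ip address (\S+)", config, re.M))}
    for _, body in re.findall(r"^crypto isakmp policy (\d+)\n((?: .*\n)+)", config, re.M):
        cfg["policies"].append(dict(l.strip().split(" ", 1) for l in body.splitlines()))
    cfg["keys"] = {addr: key for key, addr in
                   re.findall(r"^crypto isakmp key (\S+) address (\S+)", config, re.M)}
    cfg["tsets"] = {name: tuple(rest.split()) for name, rest in
                    re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}
    for name, seq, body in re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n)+)",
                                      config, re.M):
        entry = {"name": name, "seq": int(seq)}
        for w in (l.split() for l in body.splitlines()):
            if w[:2] == ["set", "peer"]:
                entry["peer"] = w[2]
            elif w[:2] == ["set", "transform-set"]:
                entry["tset"] = w[2]
            elif w[:2] == ["set", "pfs"]:
                entry["pfs"] = w[2]
            elif w[:2] == ["match", "address"]:
                entry["acl"] = w[2]
        cfg["maps"].append(entry)
    for num, proto, src, dst in re.findall(
            r"^access-list (\d+) permit (\S+) host (\S+) host (\S+)", config, re.M):
        cfg["acls"].setdefault(num, set()).add((proto, src, dst))
    return cfg


def _one_way(a, b, label):
    """Check every crypto map entry of a against the entry on b that points back."""
    problems = []
    for m in a["maps"]:
        peer = m.get("peer")
        if peer not in b["local_ips"]:
            problems.append(f"{label}: map {m['name']} {m['seq']} peers with {peer}, "
                            "which is not an interface address of the other router")
            continue
        back = [n for n in b["maps"] if n.get("peer") in a["local_ips"]]
        if not back:
            problems.append(f"{label}: the other router has no crypto map entry pointing back")
            continue
        n = back[0]
        key_a, key_b = a["keys"].get(peer), b["keys"].get(n["peer"])
        if key_a is None or key_a != key_b:
            problems.append(f"{label}: pre-shared keys for {peer} and {n['peer']} do not match")
        if a["tsets"].get(m.get("tset")) != b["tsets"].get(n.get("tset")):
            problems.append(f"{label}: transform sets differ")
        if m.get("pfs") != n.get("pfs"):
            problems.append(f"{label}: PFS group differs")
        for proto, src, dst in a["acls"].get(m.get("acl"), set()):
            if (proto, dst, src) not in b["acls"].get(n.get("acl"), set()):
                problems.append(f"{label}: crypto ACL line {proto} {src} -> {dst} "
                                "has no mirror on the other router")
    return problems


def check_peer_pair(a, b, names=("A", "B")):
    """Return a list of mismatches; an empty list means the two configs mirror each other."""
    problems = []
    if not any(pa == pb for pa in a["policies"] for pb in b["policies"]):
        problems.append("no ISAKMP policy with identical encr/hash/authentication/group on both routers")
    return (problems + _one_way(a, b, f"{names[0]}->{names[1]}")
            + _one_way(b, a, f"{names[1]}->{names[0]}"))


if __name__ == "__main__":
    result = check_peer_pair(parse_crypto(CFG_137), parse_crypto(CFG_141), ("137", "141"))
    print("\n".join(result) if result else "peer configs are consistent")
```

Run it against two real `show running-config` captures before enabling `debug crypto isakmp`: a hash or group mismatch, a typo in one pre-shared key, or a crypto ACL that is not mirrored all surface here as a one-line finding instead of a Phase 1 or Phase 2 failure in the debug output.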
1.2 Logs for ISAKMP and IPSEC Packets
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
19.26.116.141   19.26.116.137   QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: vpn, local addr 19.26.116.141

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
current_peer 19.26.116.137 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 19.26.116.141, remote crypto endpt.: 19.26.116.137
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x74E1A91F(1960945951)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0x2C3EB4EE(742307054)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4512351/3283)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x74E1A91F(1960945951)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4512352/3283)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
current_peer 19.26.116.137 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 19.26.116.141, remote crypto endpt.: 19.26.116.137
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
R1#
040672: Jan 6 14:32:12.454 EST: ISAKMP (0): received packet from 19.26.116.137 dport 500 sport 500 Global (N) NEW SA
040673: Jan 6 14:32:12.454 EST: ISAKMP: Created a peer struct for 19.26.116.137, peer port 500
040674: Jan 6 14:32:12.454 EST: ISAKMP: New peer created peer = 0x28DDE524 peer_handle = 0x80000009
040675: Jan 6 14:32:12.454 EST: ISAKMP: Locking peer struct 0x28DDE524, refcount 1 for crypto_isakmp_process_block
040676: Jan 6 14:32:12.454 EST: ISAKMP: local port 500, remote port 500
040677: Jan 6 14:32:12.454 EST: ISAKMP:(0):insert sa successfully sa = 300A8474
040678: Jan 6 14:32:12.454 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
040679: Jan 6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
040680: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing SA payload. message ID = 0
040681: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040682: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
040683: Jan 6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
040684: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040685: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
040686: Jan 6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T v7
040687: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040688: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
040689: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v3
040690: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040691: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
040692: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v2
040693: Jan 6 14:32:12.454 EST: ISAKMP:(0):found peer pre-shared key matching 19.26.116.137
040694: Jan 6 14:32:12.454 EST: ISAKMP:(0): local preshared key found
040695: Jan 6 14:32:12.454 EST: ISAKMP : Scanning profiles for xauth ...
040696: Jan 6 14:32:12.454 EST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
040697: Jan 6 14:32:12.454 EST: ISAKMP: encryption AES-CBC
040698: Jan 6 14:32:12.454 EST: ISAKMP: keylength of 256
040699: Jan 6 14:32:12.454 EST: ISAKMP: hash SHA256
040700: Jan 6 14:32:12.454 EST: ISAKMP: default group 14
040701: Jan 6 14:32:12.454 EST: ISAKMP: auth pre-share
040702: Jan 6 14:32:12.454 EST: ISAKMP: life type in seconds
040703: Jan 6 14:32:12.454 EST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
040704: Jan 6 14:32:12.454 EST: ISAKMP:(0):atts are acceptable. Next payload is 0
040705: Jan 6 14:32:12.454 EST: ISAKMP:(0):Acceptable atts:actual life: 0
040706: Jan 6 14:32:12.454 EST: ISAKMP:(0):Acceptable atts:life: 0
040707: Jan 6 14:32:12.454 EST: ISAKMP:(0):Fill atts in sa vpi_length:4
040708: Jan 6 14:32:12.454 EST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
040709: Jan 6 14:32:12.454 EST: ISAKMP:(0):Returning Actual lifetime: 86400
040710: Jan 6 14:32:12.454 EST: ISAKMP:(0)::Started lifetime timer: 86400.
040711: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040712: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
040713: Jan 6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
040714: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040715: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
040716: Jan 6 14:32:12.454 EST: ISAKMP (0): vendor ID is NAT-T v7
040717: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040718: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
040719: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v3
040720: Jan 6 14:32:12.454 EST: ISAKMP:(0): processing vendor id payload
040721: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
040722: Jan 6 14:32:12.454 EST: ISAKMP:(0): vendor ID is NAT-T v2
040723: Jan 6 14:32:12.454 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
040724: Jan 6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
040725: Jan 6 14:32:12.454 EST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
040726: Jan 6 14:32:12.454 EST: ISAKMP:(0): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) MM_SA_SETUP
040727: Jan 6 14:32:12.454 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.
040728: Jan 6 14:32:12.454 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
040729: Jan 6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
040730: Jan 6 14:32:12.462 EST: ISAKMP (0): received packet from 19.26.116.137 dport 500 sport 500 Global (R) MM_SA_SETUP
040731: Jan 6 14:32:12.462 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
040732: Jan 6 14:32:12.462 EST: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
040733: Jan 6 14:32:12.462 EST: ISAKMP:(0): processing KE payload. message ID = 0
040734: Jan 6 14:32:12.646 EST: ISAKMP:(0): processing NONCE payload. message ID = 0
040735: Jan 6 14:32:12.646 EST: ISAKMP:(0):found peer pre-shared key matching 19.26.116.137
040736: Jan 6 14:32:12.646 EST: ISAKMP:(1002): processing vendor id payload
040737: Jan 6 14:32:12.646 EST: ISAKMP:(1002): vendor ID is DPD
040738: Jan 6 14:32:12.646 EST: ISAKMP:(1002): processing vendor id payload
040739: Jan 6 14:32:12.646 EST: ISAKMP:(1002): speaking to another IOS box!
040740: Jan 6 14:32:12.646 EST: ISAKMP:(1002): processing vendor id payload
040741: Jan 6 14:32:12.646 EST: ISAKMP:(1002): vendor ID seems Unity/DPD but major 31 mismatch
040742: Jan 6 14:32:12.646 EST: ISAKMP:(1002): vendor ID is XAUTH
040743: Jan 6 14:32:12.646 EST: ISAKMP:received payload type 20
040744: Jan 6 14:32:12.646 EST: ISAKMP (1002): His hash no match - this node outside NAT
040745: Jan 6 14:32:12.646 EST: ISAKMP:received payload type 20
040746: Jan 6 14:32:12.646 EST: ISAKMP (1002): No NAT Found for self or peer
040747: Jan 6 14:32:12.646 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
040748: Jan 6 14:32:12.646 EST: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
040749: Jan 6 14:32:12.646 EST: ISAKMP:(1002): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) MM_KEY_EXCH
040750: Jan 6 14:32:12.646 EST: ISAKMP:(1002):Sending an IKE IPv4 Packet.
040751: Jan 6 14:32:12.646 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
040752: Jan 6 14:32:12.646 EST: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
040753: Jan 6 14:32:12.810 EST: ISAKMP (1002): received packet from 19.26.116.137 dport 500 sport 500 Global (R) MM_KEY_EXCH
040754: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
040755: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
040756: Jan 6 14:32:12.810 EST: ISAKMP:(1002): processing ID payload. message ID = 0
040757: Jan 6 14:32:12.810 EST: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 19.26.116.137
        protocol     : 17
        port         : 500
        length       : 12
040758: Jan 6 14:32:12.810 EST: ISAKMP:(0):: peer matches *none* of the profiles
040759: Jan 6 14:32:12.810 EST: ISAKMP:(1002): processing HASH payload. message ID = 0
040760: Jan 6 14:32:12.810 EST: ISAKMP:received payload type 17
040761: Jan 6 14:32:12.810 EST: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 0x300A8474
040762: Jan 6 14:32:12.810 EST: ISAKMP:(1002):SA authentication status: authenticated
040763: Jan 6 14:32:12.810 EST: ISAKMP:(1002):SA has been authenticated with 19.26.116.137
040764: Jan 6 14:32:12.810 EST: ISAKMP:(1002):SA authentication status: authenticated
040765: Jan 6 14:32:12.810 EST: ISAKMP:(1002): Process initial contact, bring down existing phase 1 and 2 SA's with local 19.26.116.141 remote 199.246.116.137 remote port 500
040766: Jan 6 14:32:12.810 EST: ISAKMP: Trying to insert a peer 19.26.116.141/19.26.116.137/500/, and inserted successfully 28DDE524.
040767: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
040768: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
040769: Jan 6 14:32:12.810 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
040770: Jan 6 14:32:12.810 EST: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
040771: Jan 6 14:32:12.810 EST: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      : 19.26.116.141
        protocol     : 17
        port         : 500
        length       : 12
040772: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Total payload length: 12
040773: Jan 6 14:32:12.810 EST: ISAKMP:(1002): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) MM_KEY_EXCH
040774: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Sending an IKE IPv4 Packet.
040775: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
040776: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
040777: Jan 6 14:32:12.810 EST: ISAKMP:(1002):IKE_DPD is enabled, initializing timers
040778: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
040779: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
040780: Jan 6 14:32:12.942 EST: ISAKMP (1002): received packet from 19.26.116.137 dport 500 sport 500 Global (R) QM_IDLE
040781: Jan 6 14:32:12.942 EST: ISAKMP: set new node 1209818338 to QM_IDLE
040782: Jan 6 14:32:12.942 EST: ISAKMP:(1002): processing HASH payload. message ID = 1209818338
040783: Jan 6 14:32:12.942 EST: ISAKMP:(1002): processing SA payload. message ID = 1209818338
040784: Jan 6 14:32:12.942 EST: ISAKMP:(1002):Checking IPSec proposal 1
040785: Jan 6 14:32:12.942 EST: ISAKMP: transform 1, ESP_AES
040786: Jan 6 14:32:12.942 EST: ISAKMP: attributes in transform:
040787: Jan 6 14:32:12.942 EST: ISAKMP: encaps is 1 (Tunnel)
040788: Jan 6 14:32:12.942 EST: ISAKMP: SA life type in seconds
040789: Jan 6 14:32:12.942 EST: ISAKMP: SA life duration (basic) of 3600
040790: Jan 6 14:32:12.942 EST: ISAKMP: SA life type in kilobytes
040791: Jan 6 14:32:12.942 EST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
040792: Jan 6 14:32:12.942 EST: ISAKMP: authenticator is HMAC-SHA256
040793: Jan 6 14:32:12.942 EST: ISAKMP: key length is 256
040794: Jan 6 14:32:12.942 EST: ISAKMP: group is 14
040795: Jan 6 14:32:12.942 EST: ISAKMP:(1002):atts are acceptable.
040796: Jan 6 14:32:12.942 EST: IPSEC(validate_proposal_request): proposal part #1
040797: Jan 6 14:32:12.942 EST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 19.26.116.141:0, remote= 19.26.116.137:0,
    local_proxy= 192.168.20.25/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.21.91.37/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
040798: Jan 6 14:32:12.942 EST: Crypto mapdb : proxy_match
        src addr     : 192.168.20.25
        dst addr     : 172.21.91.37
        protocol     : 0
        src port     : 0
        dst port     : 0
040799: Jan 6 14:32:13.082 EST: ISAKMP:(1002): processing NONCE payload. message ID = 1209818338
040800: Jan 6 14:32:13.082 EST: ISAKMP:(1002): processing KE payload. message ID = 1209818338
040801: Jan 6 14:32:13.258 EST: ISAKMP:(1002): processing ID payload. message ID = 1209818338
040802: Jan 6 14:32:13.258 EST: ISAKMP:(1002): processing ID payload. message ID = 1209818338
040803: Jan 6 14:32:13.258 EST: ISAKMP:(1002):QM Responder gets spi
040804: Jan 6 14:32:13.258 EST: ISAKMP:(1002):Node 1209818338, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
040805: Jan 6 14:32:13.258 EST: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
040806: Jan 6 14:32:13.258 EST: ISAKMP:(1002): Creating IPSec SAs
040807: Jan 6 14:32:13.258 EST: inbound SA from 19.26.116.137 to 19.26.116.141 (f/i) 0/ 0 (proxy 172.21.91.37 to 192.168.20.25)
040808: Jan 6 14:32:13.258 EST: has spi 0x2C3EB4EE and conn_id 0
040809: Jan 6 14:32:13.258 EST: lifetime of 3600 seconds
040810: Jan 6 14:32:13.262 EST: lifetime of 4608000 kilobytes
040811: Jan 6 14:32:13.262 EST: outbound SA from 19.26.116.141 to 19.26.116.137 (f/i) 0/0 (proxy 192.168.20.25 to 172.21.91.37)
040812: Jan 6 14:32:13.262 EST: has spi 0x74E1A91F and conn_id 0
040813: Jan 6 14:32:13.262 EST: lifetime of 3600 seconds
040814: Jan 6 14:32:13.262 EST: lifetime of 4608000 kilobytes
040815: Jan 6 14:32:13.262 EST: ISAKMP:(1002): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) QM_IDLE
040816: Jan 6 14:32:13.262 EST: ISAKMP:(1002):Sending an IKE IPv4 Packet.
040817: Jan 6 14:32:13.262 EST: ISAKMP:(1002):Node 1209818338, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
040818: Jan 6 14:32:13.262 EST: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
040819: Jan 6 14:32:13.262 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
040820: Jan 6 14:32:13.262 EST: Crypto mapdb : proxy_match
        src addr     : 192.168.20.25
        dst addr     : 172.21.91.37
        protocol     : 0
        src port     : 0
        dst port     : 0
040821: Jan 6 14:32:13.262 EST: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 19.26.116.137
040822: Jan 6 14:32:13.262 EST: IPSEC(rte_mgr): VPN Route Event create SA based on crypto ACL in real time for 19.26.116.137
040823: Jan 6 14:32:13.262 EST: IPSEC(rte_mgr): Route add Peer 19.26.116.137 , Destination 172.21.91.37, Nexthop 0.0.0.0, RT type 1
040824: Jan 6 14:32:13.262 EST: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
040825: Jan 6 14:32:13.262 EST: IPSEC(rte_mgr): VPN Route Added 172.21.91.37 255.255.255.255 via 19.26.116.137 in IP DEFAULT TABLE with tag 0 distance 1
040826: Jan 6 14:32:13.262 EST: IPSEC(policy_db_add_ident): src 192.168.20.25, dest 172.21.91.37, dest_port 0
040827: Jan 6 14:32:13.262 EST: IPSEC(create_sa): sa created, (sa) sa_dest= 19.26.116.141, sa_proto= 50, sa_spi= 0x2C3EB4EE(742307054), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 5 sa_lifetime(k/sec)= (4512352/3600)
040828: Jan 6 14:32:13.262 EST: IPSEC(create_sa): sa created, (sa) sa_dest= 19.26.116.137, sa_proto= 50, sa_spi= 0x74E1A91F(1960945951), sa_trans= esp-aes 256 esp-sha256-hmac , sa_conn_id= 6 sa_lifetime(k/sec)= (4512352/3600)
040829: Jan 6 14:32:13.430 EST: ISAKMP (1002): received packet from 19.26.116.137 dport 500 sport 500 Global (R) QM_IDLE
040830: Jan 6 14:32:13.430 EST: ISAKMP:(1002):deleting node 1209818338 error FALSE reason "QM done (await)"
040831: Jan 6 14:32:13.430 EST: ISAKMP:(1002):Node 1209818338, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
040832: Jan 6 14:32:13.430 EST: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
040833: Jan 6 14:32:13.430 EST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
040834: Jan 6 14:32:13.430 EST: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
040835: Jan 6 14:32:13.430 EST: IPSEC(key_engine_enable_outbound): enable SA with spi 1960945951/50
040836: Jan 6 14:32:13.430 EST: IPSEC(update_current_outbound_sa): get enable SA peer 19.26.116.137 current outbound sa to SPI 74E1A91F
040837: Jan 6 14:32:13.430 EST: IPSEC(update_current_outbound_sa): updated peer 19.26.116.137 current outbound sa to SPI 74E1A91F
R1#
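The useful signal in a `debug crypto isakmp` capture is the sequence of `Old State ... New State` transitions: main mode walks the responder through IKE_R_MM1 to IKE_R_MM5 and ends in IKE_P1_COMPLETE, and quick mode then goes from IKE_QM_READY to IKE_QM_PHASE2_COMPLETE. The script below, added as an example and not part of the original post, reduces a debug capture to that state path, notes whether a pre-shared key was found and the SA authenticated, and reports where the exchange stopped if it did not finish. The sample lines are constructed from the capture above (a subset, with the same record numbers and timestamps); `summarize_ike` and `diagnose` are names chosen here.

```python
import re
from datetime import datetime

# Constructed subset of the responder-side debug shown above.
SAMPLE_DEBUG = """\
040678: Jan 6 14:32:12.454 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
040679: Jan 6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
040693: Jan 6 14:32:12.454 EST: ISAKMP:(0):found peer pre-shared key matching 19.26.116.137
040704: Jan 6 14:32:12.454 EST: ISAKMP:(0):atts are acceptable. Next payload is 0
040724: Jan 6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
040726: Jan 6 14:32:12.454 EST: ISAKMP:(0): sending packet to 19.26.116.137 my_port 500 peer_port 500 (R) MM_SA_SETUP
040729: Jan 6 14:32:12.454 EST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
040732: Jan 6 14:32:12.462 EST: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
040752: Jan 6 14:32:12.646 EST: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
040755: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
040763: Jan 6 14:32:12.810 EST: ISAKMP:(1002):SA has been authenticated with 19.26.116.137
040776: Jan 6 14:32:12.810 EST: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
040795: Jan 6 14:32:12.942 EST: ISAKMP:(1002):atts are acceptable.
040805: Jan 6 14:32:13.258 EST: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
040818: Jan 6 14:32:13.262 EST: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
040832: Jan 6 14:32:13.430 EST: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

# "<seq>: <Mon d HH:MM:SS.fff> <TZ>: <message>"
LINE_RE = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: (.*)$")
STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
ROLE_RE = re.compile(r"\((I|R)\) (?:MM|QM)_")   # (I)nitiator / (R)esponder tag on packets


def summarize_ike(debug_text):
    """Reduce an IKEv1 debug capture to its state path plus a few key facts."""
    summary = {"role": None, "peer": None, "psk_found": False, "authenticated": False,
               "phase1_path": [], "phase2_path": [], "elapsed_s": None}
    first = last = None
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # continuation lines, prompts, noise
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        first, last = first or ts, ts
        msg = m.group(2)
        r = ROLE_RE.search(msg)
        if r and summary["role"] is None:
            summary["role"] = "responder" if r.group(1) == "R" else "initiator"
        k = re.search(r"found peer pre-shared key matching (\S+)", msg)
        if k:
            summary["psk_found"], summary["peer"] = True, k.group(1)
        if "SA has been authenticated with" in msg:
            summary["authenticated"] = True
        s = STATE_RE.search(msg)
        if s and s.group(2) != s.group(3):          # skip MM1->MM1 style no-ops
            path = summary["phase2_path"] if s.group(3).startswith("IKE_QM") \
                else summary["phase1_path"]
            if not path:
                path.append(s.group(2))
            path.append(s.group(3))
    if first and last:
        summary["elapsed_s"] = (last - first).total_seconds()
    summary["phase1_complete"] = "IKE_P1_COMPLETE" in summary["phase1_path"]
    summary["phase2_complete"] = "IKE_QM_PHASE2_COMPLETE" in summary["phase2_path"]
    return summary


def diagnose(summary):
    """One-line verdict: did both phases finish, and if not, where did it stop?"""
    if summary["phase2_complete"]:
        return "IKEv1 Phase 1 and Phase 2 completed"
    if summary["phase1_complete"]:
        last = summary["phase2_path"][-1] if summary["phase2_path"] else "none"
        return "Phase 1 completed but Phase 2 (quick mode) did not; last QM state: " + last
    last = summary["phase1_path"][-1] if summary["phase1_path"] else "none"
    return "Phase 1 did not complete; last state: " + last


if __name__ == "__main__":
    s = summarize_ike(SAMPLE_DEBUG)
    print(s["role"], s["peer"], " -> ".join(s["phase1_path"]))
    print(" -> ".join(s["phase2_path"]), f"{s['elapsed_s']:.3f}s")
    print(diagnose(s))
```

Feeding it a capture where the tunnel failed gives the last state reached, which is usually more useful than scrolling through the vendor ID and NAT-T lines: a path that stops before IKE_P1_COMPLETE points at Phase 1 (policy or key), while one that stops in the IKE_QM states points at the proposal or crypto ACL.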
2. Cisco High Availability Environment – IKEv1 Site to Site IPSec VPN Configuration
Troubleshooting the IPSec send errors issue
It did not work when I first configured the crypto map on the HSRP interface with the “crypto map vpn” command, the way I usually do it on a standalone VPN setup. When I typed “show crypto ipsec sa”, the “send errors” counter kept increasing while I was testing the VPN tunnel. What I found is that when configuring IPSec on a High Availability (HSRP) interface, you need at least “crypto map vpn redundancy VPNHA” for stateless failover. It makes the device communicate with the peer using the HSRP virtual IP 19.26.116.141 instead of the local interface IP 19.26.116.139.
With the cause identified, there are two solutions: stateless failover or stateful failover.
2.1 Stateless Failover Configuration
R1#sh run
….[Omitted]
crypto isakmp policy 1
 encr aes 256
 hash sha256
 group 14
crypto isakmp key cisco123 address 20.15.6.6 no-xauth
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 20.15.6.6
 set transform-set mysec
 set pfs group14
 match address GandD
 reverse-route
!
!
interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 ip accounting output-packets
 standby 199 ip 19.26.116.141
 standby 199 priority 105
 standby 199 preempt
 standby 199 name VPNHA
 standby 199 track 2 decrement 10
 duplex auto
 speed auto
 crypto map vpn redundancy VPNHA
!
ip access-list extended GandD
 permit ip host 192.168.20.25 172.21.90.0 0.0.1.255
 permit icmp host 192.168.20.25 172.21.90.0 0.0.1.255
======================================================================
After I changed the crypto map configuration from “crypto map vpn” to “crypto map vpn redundancy VPNHA”, the local addr changed from 19.26.116.139 to 19.26.116.141, and the IPSec VPN tunnel is built on that IP address as expected.
R1#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: vpn, local addr 19.26.116.141
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
current_peer 19.26.116.137 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1109, #pkts encrypt: 1109, #pkts digest: 1109
#pkts decaps: 1109, #pkts decrypt: 1109, #pkts verify: 1109
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 19.26.116.141, remote crypto endpt.: 19.26.116.137
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x2811DA7F(672258687)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0x2F3884(3094660)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4588296/3485)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2811DA7F(672258687)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4588296/3485)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
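The two things to read off `show crypto ipsec sa` on an HSRP pair are the `local addr` (it must be the virtual IP, not the interface address) and the `#send errors` counter, plus whether an ACTIVE inbound/outbound ESP SA pair exists at all. The script below, added as an example and not part of the original post, parses that output into counters and SA status and returns a list of findings for a defender to act on. `HA_OK` is constructed from the working output above (trimmed to the lines the parser reads); `HA_BROKEN` is an invented illustration of the symptom described in the troubleshooting note (local addr on the interface IP, a non-zero send error count, no SAs), not a capture from the post.

```python
import re

# Constructed illustration of the failure mode described above (not a real capture).
HA_BROKEN = """\
interface: GigabitEthernet0/0
Crypto map tag: vpn, local addr 19.26.116.139
local ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
current_peer 19.26.116.137 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 42, #recv errors 0
local crypto endpt.: 19.26.116.139, remote crypto endpt.: 19.26.116.137
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
"""

# Trimmed from the working output in section 2.1.
HA_OK = """\
interface: GigabitEthernet0/0
Crypto map tag: vpn, local addr 19.26.116.141
local ident (addr/mask/prot/port): (192.168.20.25/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.91.37/255.255.255.255/0/0)
current_peer 19.26.116.137 port 500
#pkts encaps: 1109, #pkts encrypt: 1109, #pkts digest: 1109
#pkts decaps: 1109, #pkts decrypt: 1109, #pkts verify: 1109
#send errors 0, #recv errors 0
local crypto endpt.: 19.26.116.141, remote crypto endpt.: 19.26.116.137
current outbound spi: 0x2811DA7F(672258687)
inbound esp sas:
spi: 0x2F3884(3094660)
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2811DA7F(672258687)
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
"""


def parse_ipsec_sa(output):
    """Fold a 'show crypto ipsec sa' listing into counters and per-direction ESP SA status."""
    info = {"local_addr": None, "peer": None, "encaps": 0, "decaps": 0,
            "send_errors": 0, "recv_errors": 0, "inbound_esp": [], "outbound_esp": []}
    section = None                               # SA list we are currently inside
    for raw in output.splitlines():
        line = raw.strip()
        if (m := re.search(r"local addr (\S+)", line)):
            info["local_addr"] = m.group(1)
        elif (m := re.match(r"current_peer (\S+)", line)):
            info["peer"] = m.group(1)
        elif (m := re.match(r"#pkts encaps: (\d+)", line)):
            info["encaps"] += int(m.group(1))    # summed across identity blocks
        elif (m := re.match(r"#pkts decaps: (\d+)", line)):
            info["decaps"] += int(m.group(1))
        elif (m := re.match(r"#send errors (\d+), #recv errors (\d+)", line)):
            info["send_errors"] += int(m.group(1))
            info["recv_errors"] += int(m.group(2))
        elif line.endswith("sas:"):
            section = {"inbound esp sas:": "inbound_esp",
                       "outbound esp sas:": "outbound_esp"}.get(line)
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            info[section].append({"spi": m.group(1), "status": None})
        elif section and info[section] and (m := re.match(r"Status: (\S+)", line)):
            info[section][-1]["status"] = m.group(1)
    return info


def check_ha_tunnel(output, expected_vip):
    """Findings for an HSRP-fronted tunnel; an empty list means it looks healthy."""
    info = parse_ipsec_sa(output)
    findings = []
    if info["local_addr"] != expected_vip:
        findings.append(f"local addr {info['local_addr']} is not the HSRP VIP {expected_vip}: "
                        "the crypto map is likely applied without 'redundancy <group>'")
    if info["send_errors"]:
        findings.append(f"{info['send_errors']} send errors: traffic matched the crypto ACL "
                        "but could not be sent through the tunnel")
    active = lambda key: any(s["status"] == "ACTIVE" for s in info[key])
    if not (active("inbound_esp") and active("outbound_esp")):
        findings.append("no ACTIVE inbound/outbound ESP SA pair: Phase 2 has not completed")
    if info["encaps"] == 0 and info["decaps"] > 0:
        findings.append("packets are decrypted but none encrypted: check routing toward the peer")
    return findings


if __name__ == "__main__":
    for label, out in (("broken", HA_BROKEN), ("ok", HA_OK)):
        print(label, check_ha_tunnel(out, "19.26.116.141") or ["healthy"])
```

Polling this from a monitoring job after an HSRP failover is a cheap way to confirm the standby took over the VIP-bound SAs: the local addr should still equal the VIP on whichever router is active, and the send error counter should stay flat.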
2.2 Stateful Failover Configuration
Stateful Failover for IP Security (IPsec) allows a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. A backup (secondary) router automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and requires neither adjustment nor reconfiguration of any remote peer.
Stateful Failover for IPsec is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP).
- HSRP provides network redundancy for IP networks, helping ensure that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of IKE and IPsec security associations is passed to the standby router (which transitions to the HSRP active state).
- SSO allows the active and standby routers to share IKE and IPsec state information so that each router has enough information to become the active router at any time. To configure Stateful Failover for IPsec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.
Enabling Stateful Failover for IKE and IPsec
There is no specific command-line interface (CLI) command needed to enable Stateful Failover for IKE. It is enabled for a particular VIP address when a Stateful Failover crypto map is applied to an interface. Use the “crypto map map-name [redundancy standby-group-name [stateful]]” command to enable Stateful Failover for IPsec. All IPsec state information is transferred from the active router to the standby router through the SSO redundancy channel specified in the IPC part of the configuration.
R1#sh run
….[Omitted]
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 192.168.20.139
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 192.168.20.140
!
redundancy inter-device
 scheme standby VPNHA
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 group 14
crypto isakmp key cisco123 address 20.15.6.6 no-xauth
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set mysec esp-aes 256 esp-sha256-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 20.15.6.6
 set transform-set mysec
 set pfs group14
 match address GandD
 reverse-route
!
!
interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 ip accounting output-packets
 standby 199 ip 19.26.116.141
 standby 199 priority 105
 standby 199 preempt
 standby 199 name VPNHA
 standby 199 track 2 decrement 10
 duplex auto
 speed auto
 crypto map vpn redundancy VPNHA stateful
!
ip access-list extended GandD
 permit ip host 192.168.20.25 172.21.90.0 0.0.1.255
 permit icmp host 192.168.20.25 172.21.90.0 0.0.1.255
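The three configurations in this post differ only in how the crypto map is bound to the interface (`crypto map vpn`, `... redundancy VPNHA`, `... redundancy VPNHA stateful`), but the stateful form additionally depends on the `redundancy inter-device` scheme naming the same HSRP group and on an `ipc zone` SCTP association for the SSO channel. The check below, added as an example and not from the original post, classifies a config as no-redundancy, stateless or stateful and flags a stateful binding whose supporting pieces are missing or inconsistent. The sample is constructed from the listing above, trimmed to the lines the check reads; `classify_failover` is a name chosen here.

```python
import re

# Constructed from the section 2.2 listing (only the lines this check reads).
STATEFUL_CONFIG = """\
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 192.168.20.139
   remote-port 5000
    remote-ip 192.168.20.140
!
redundancy inter-device
 scheme standby VPNHA
!
interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 standby 199 ip 19.26.116.141
 standby 199 name VPNHA
 crypto map vpn redundancy VPNHA stateful
"""


def classify_failover(config):
    """Return (mode, findings); mode is 'none', 'stateless' or 'stateful'."""
    findings = []
    # The interface binding decides the mode: a bare 'crypto map' uses the
    # interface address, 'redundancy <group>' uses the HSRP VIP, 'stateful' adds SSO.
    m = re.search(r"^ crypto map (\S+)(?: redundancy (\S+)( stateful)?)?[ \t]*$", config, re.M)
    if not m:
        return "none", ["no crypto map applied to any interface"]
    mapname, group, stateful = m.group(1), m.group(2), bool(m.group(3))
    if not group:
        return "none", [f"crypto map {mapname} is applied without 'redundancy <group>': "
                        "the router will negotiate from its interface address, not the HSRP VIP"]
    standby_names = dict(re.findall(r"^ standby (\d+) name (\S+)", config, re.M))
    if group not in standby_names.values():
        findings.append(f"redundancy group {group} has no matching 'standby <n> name {group}'")
    if not stateful:
        return "stateless", findings
    scheme = re.search(r"^redundancy inter-device\n scheme standby (\S+)", config, re.M)
    if not scheme:
        findings.append("stateful requested but 'redundancy inter-device' / 'scheme standby' is missing")
    elif scheme.group(1) != group:
        findings.append(f"inter-device scheme uses group {scheme.group(1)}, crypto map uses {group}")
    if not re.search(r"^ipc zone default\n association \d+", config, re.M):
        findings.append("stateful requested but no 'ipc zone default' association (SSO channel) configured")
    elif not re.search(r"^\s+protocol sctp\s*$", config, re.M):
        findings.append("IPC association has no SCTP transport configured")
    return "stateful", findings


if __name__ == "__main__":
    mode, problems = classify_failover(STATEFUL_CONFIG)
    print(mode, problems or "complete")
```

The same function run over the section 2.1 configuration reports `stateless` with no findings, and over the section 1.1 configuration reports `none`, which on an HSRP interface is exactly the misconfiguration behind the send errors described earlier.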
Improving from Stateless Failover to Stateful Failover
This post only covers pre-shared key based IPSec VPN. If you are looking for certificate-based site-to-site IPSec VPN, there are other posts in this blog on that topic; please check them using the following list:
- Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN – HA Deployment
- Using PKI Build Route-Based IPSec VPN between Juniper SRX
- Certification based Cisco IPSec VPN Down caused by ‘signature invalid’
- Troubleshooting Symantec Verisign SSL Certificates Issue on PKI VPN Tunnel between Juniper SRX Firewalls (Cont.)
- Using Symantec Verisign SSL Certificate for Check Point SSL VPN Mobile Access Portal
- Using Symantec Verisign PKI to authenticate Checkpoint Site-to-Site IPSec VPN
- Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (2) – Using Two Different CA Certificates
Reference:
How to configure Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication
Cisco High Availability Solution: Stateful Failover for IPsec