Troubleshooting Cisco IOS Firewall-Based and Cisco Secure PIX Firewall-Based IPSec VPNs


© 2004 Cisco Systems, Inc. All rights reserved. Printed in USA. 9825_05_2004_c1

Session SEC-3010

TROUBLESHOOTING CISCO IOS AND PIX FIREWALL-BASED IPSEC IMPLEMENTATIONS

Agenda

Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers

What's Not Covered

PKI-based troubleshooting
Debugs from the PIX platforms
IPSec VPN Services Module
VRF-aware IPSec

Why Troubleshooting Is Important in Today's VPN Deployment

Complex security association and key management protocols, and a rich set of cryptographic algorithms from which VPN peers can choose

VPNs are often implemented on top of existing networks

Some advanced features could break IPSec implementations

VPNs could be used between different vendors

A Key Point to Remember

DEBUG AND SHOW COMMANDS ARE YOUR FRIENDS IN TROUBLESHOOTING ANY IPSEC-RELATED ISSUES.

Secure Communications Using IPSec VPN

[Figure: hosts A and B need secure communications over an insecure channel; the messages between them are carried through an IPSec VPN]

IKE (Two-Phase Protocol)

Phase I exchange: the two peers establish a secure, authenticated channel with which to communicate; main mode or aggressive mode accomplishes a phase I exchange

Phase II exchange: security associations are negotiated on behalf of IPSec services; quick mode accomplishes a phase II exchange

Each phase has its own SAs: the ISAKMP SA (phase I) and the IPSec SA (phase II)

Main Mode with Pre-Shared Key

[Figure: main mode exchange between Initiator and Responder, annotated: Phase I SA parameter negotiation complete; DH key exchange complete, shared secret SKEYID_e derived; nonce exchange defeats replay]

Phase II Quick Mode Negotiation

Protected by the Phase I SA
Optional DH exchange for Perfect Forward Secrecy (PFS)
Negotiate IPSec SA parameters, including proxy identities [IDci, IDcr]
Two unidirectional IPSec SAs established, each with a unique SPI number
Nonces exchanged for generating the session key

KEYMAT = HMAC(SKEYID_d, [KE_I KE_R |] protocol | SPI | Nonce_I | Nonce_R)
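The KEYMAT expansion above, worked through in code. This is an added example written for this page, not code from the session or from Cisco: it implements the RFC 2409 expansion with HMAC-SHA1 as the prf (the phase 1 policy negotiated in the session's debug uses "hash SHA"), treats the bracketed KE_I KE_R term as the optional PFS Diffie-Hellman secret, and uses constructed placeholder bytes for SKEYID_d and the nonces. The two SPIs are the ones that appear in the session's quick-mode debug. It shows why each direction of the tunnel ends up with its own key: the SPI is part of the prf input, so the inbound and outbound SAs derive different 3DES and HMAC-MD5 keys from the same SKEYID_d and nonces.

```python
import hashlib
import hmac

# IPsec DOI protocol identifier for ESP (RFC 2407): the 'protocol' byte in the KEYMAT input.
PROTO_ESP = 3


def derive_keymat(skeyid_d, spi, nonce_i, nonce_r, length, pfs_secret=b"", prf=hashlib.sha1):
    """Expand quick-mode KEYMAT as RFC 2409 section 5.5 specifies.

    K1     = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    Kn     = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    KEYMAT = K1 | K2 | ... truncated to `length` bytes

    prf is HMAC over the phase 1 hash, keyed with SKEYID_d (HMAC-SHA1 here, matching the
    'hash SHA' policy in the session's debug).  pfs_secret is the g(qm)^xy term and stays
    empty when PFS is not used ('PFS (Y/N): N' in the session's show crypto map output).
    """
    seed = pfs_secret + bytes([PROTO_ESP]) + spi + nonce_i + nonce_r
    keymat = b""
    block = b""
    while len(keymat) < length:
        block = hmac.new(skeyid_d, block + seed, prf).digest()
        keymat += block
    return keymat[:length]


def esp_keys(keymat, enc_key_len, auth_key_len):
    """Split KEYMAT for an ESP SA: the cipher key is taken first, then the authenticator key."""
    return keymat[:enc_key_len], keymat[enc_key_len:enc_key_len + auth_key_len]


# Constructed inputs: SKEYID_d and the nonces are placeholder bytes (real ones come out of
# the phase 1 and phase 2 exchanges).  The SPIs are the two from the session's quick-mode debug.
SKEYID_D = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
NONCE_I = bytes.fromhex("a1" * 16)
NONCE_R = bytes.fromhex("b2" * 16)
SPI_INBOUND = bytes.fromhex("4579753B")
SPI_OUTBOUND = bytes.fromhex("8E1CB77A")
# esp-3des esp-md5-hmac: 24-byte 3DES key + 16-byte HMAC-MD5 key = 40 bytes per SA,
# so two 20-byte HMAC-SHA1 blocks are needed.
KEYMAT_LEN = 24 + 16


def keys_for_both_sas():
    """Return ((enc, auth) for the inbound SA, (enc, auth) for the outbound SA)."""
    inbound = esp_keys(derive_keymat(SKEYID_D, SPI_INBOUND, NONCE_I, NONCE_R, KEYMAT_LEN), 24, 16)
    outbound = esp_keys(derive_keymat(SKEYID_D, SPI_OUTBOUND, NONCE_I, NONCE_R, KEYMAT_LEN), 24, 16)
    return inbound, outbound


if __name__ == "__main__":
    (in_enc, in_auth), (out_enc, out_auth) = keys_for_both_sas()
    print("inbound  SA 0x4579753B  3DES:", in_enc.hex(), " HMAC-MD5:", in_auth.hex())
    print("outbound SA 0x8E1CB77A  3DES:", out_enc.hex(), " HMAC-MD5:", out_auth.hex())
```

The split follows the IPsec DOI convention that the cipher key precedes the authentication key in KEYMAT. Supplying a non-empty `pfs_secret` reproduces the PFS variant of the formula: the keys then depend on the fresh quick-mode DH exchange as well as on SKEYID_d.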

Agenda

Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers

Layout

[Figure: Router1 (10.1.1.0/24 behind it, outside address 209.165.200.227) and Router2 (10.1.2.0/24 behind it, outside address 209.165.201.4) connected across an encrypted backbone]

Router Configurations

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key jw4ep9846804ijl address 209.165.201.4
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 209.165.201.4
 set transform-set myset
 match address 101

crypto isakmp policy: defines the Phase 1 SA parameters
crypto map ... commands: define the IPSec SA (Phase II SA) parameters
crypto ipsec transform-set ... command: defines the IPSec encryption and authentication algorithms

Router Configurations (cont.)

interface Ethernet0/2
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
 ip address 209.165.200.227 255.255.255.0
 crypto map vpn
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Ethernet0/2 is the interface connected to the private network
The crypto map is applied to the outbound interface (Ethernet0/3)
The access list defines the interesting (VPN) traffic

Router Configurations: show crypto map

R1# show crypto map
Crypto Map "vpn" 10 IPSec-isakmp
        Peer = 209.165.201.4
        Extended IP access list 101
            access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
        Current peer: 209.165.201.4
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ myset, }
        Interfaces using crypto map vpn:
                Ethernet0/3

Important Debug Commands

debug crypto isakmp
debug crypto ipsec
debug crypto engine
debug ip packet detail

Debugs Functionality Flow Chart

[Figure: Interesting Traffic Received -> Main Mode IKE Negotiation -> Quick Mode Negotiation -> Establishment of Tunnel]

Tunnel Establishment: Interesting Traffic Received

The ping source and destination addresses matched the match address access list for the crypto map vpn:

22:17:24.426: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4,
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x400A

local is the local tunnel endpoint and remote is the remote crypto endpoint as configured in the map; local_proxy is the source interesting traffic and remote_proxy is the destination interesting traffic, both as defined by the match address access list

The protocol and the transforms are specified by the crypto map that has been hit, as are the lifetimes

IKE Main Mode Negotiation: Phase I SA Negotiation

Begins the Main Mode exchange; the first two packets negotiate the phase I SA parameters

ISAKMP: received ke message (1/1)
ISAKMP: local port 500, remote port 500
ISAKMP (0:1): Input = IKE_MESG_FROM_IPsec, IKE_SA_REQ_MM
Old State = IKE_READY  New State = IKE_I_MM1
ISAKMP (0:1): beginning Main Mode exchange
22:17:24: ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_NO_STATE
22:17:24: ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_NO_STATE
22:17:24: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM1  New State = IKE_I_MM2

[Figure: IKE Initiator and IKE Responder exchanging the main mode packets]

IKE Main Mode Negotiation: Phase I SA Negotiation (cont.)

22:17:24: ISAKMP (0:1): processing SA payload. message ID = 0
22:17:24: ISAKMP (0:1): processing vendor id payload
22:17:24: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
22:17:24: ISAKMP:      hash SHA
22:17:24: ISAKMP:      default group 1
22:17:24: ISAKMP:      auth pre-share
22:17:24: ISAKMP:      life type in seconds
22:17:24: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
22:17:24: ISAKMP (0:1): atts are acceptable. Next payload is 0
22:17:24: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM2  New State = IKE_I_MM2

Policy 10 on this router and the attributes offered by the other side matched

IKE Main Mode Negotiation: DH Exchange

The third and fourth packets complete the Diffie-Hellman exchange

ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_SA_SETUP
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM2  New State = IKE_I_MM3
ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_SA_SETUP
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM3  New State = IKE_I_MM4

ISAKMP (0:1): processing KE payload. message ID = 0
ISAKMP (0:1): processing NONCE payload. message ID = 0
ISAKMP (0:1): found peer pre-shared key matching 209.165.201.4
ISAKMP (0:1): SKEYID state generated
ISAKMP (0:1): processing vendor id payload

IKE Main Mode Negotiation: Authentication

The fifth and sixth packets complete IKE authentication; the Phase 1 SA is established

ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_KEY_EXCH
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM4  New State = IKE_I_MM5

ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_KEY_EXCH
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM5  New State = IKE_I_MM6
ISAKMP (0:1): processing ID payload. message ID = 0
ISAKMP (0:1): processing HASH payload. message ID = 0
ISAKMP (0:1): SA has been authenticated with 209.165.201.4
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

IKE Quick Mode: IPSec SA Negotiation

Begin the Quick Mode exchange; the IPSec SA will be negotiated in QM

The IPSec SA proposal offered by the far end is checked against the local crypto map configuration

ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 843945273
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
ISAKMP (0:1): received packet from 209.165.201.4 (I) QM_IDLE

ISAKMP (0:1): processing HASH payload. message ID = 843945273
ISAKMP (0:1): processing SA payload. message ID = 843945273

IKE Quick Mode: IPSec SA Negotiation (cont.)

ISAKMP (0:1): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0:1): atts are acceptable.
IPsec(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4,
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

IKE Quick Mode: SA Creation

ISAKMP (0:1): Creating IPSec SAs
        inbound SA from 209.165.201.4 to 209.165.200.227 (proxy 10.1.2.0 to 10.1.1.0)
        has spi 0x8EAB0B22 and conn_id 2000 and flags 2
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 209.165.200.227 to 209.165.201.4 (proxy 10.1.1.0 to 10.1.2.0)
        has spi -1910720646 and conn_id 2001 and flags A
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes

Two IPSec SAs have been negotiated: an inbound SA with the SPI generated by the local machine and an outbound SA with the SPI proposed by the remote end

IKE Quick Mode: SA Initialization

The IPSec SA information negotiated by IKE is populated into the router's SADB

22:17:25: IPsec(key_engine): got a queue event...
22:17:25: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4,
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x4579753B(1165587771), conn_id= 2000, keysize= 0, flags= 0x2
22:17:25: IPsec(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4,
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x8E1CB77A(2384246650), conn_id= 2001, keysize= 0, flags= 0xA

IKE Quick Mode: Phase 2 Completion

IPSec SAs created in the SADB; the last packet is sent out with the commit bit set; the IPSec tunnel is established

IPsec(create_sa): sa created,
  (sa) sa_dest= 209.165.200.227,
    sa_prot= 50,
    sa_spi= 0x4579753B(1165587771),
    sa_trans= esp-3des esp-md5-hmac ,
    sa_conn_id= 2000
IPsec(create_sa): sa created,
  (sa) sa_dest= 209.165.201.4,
    sa_prot= 50,
    sa_spi= 0x8E1CB77A(2384246650),
    sa_trans= esp-3des esp-md5-hmac ,
    sa_conn_id= 2001
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

Show Commands

show crypto engine connection active
show crypto isakmp sa [detail]
show crypto ipsec sa [detail]

Show Commands (cont.)

Router#show cry engine connection active
  ID Interface      IP-Address       State  Algorithm           Encrypt  Decrypt
   1 Ethernet0/3    209.165.200.227  set    HMAC_SHA+3DES_56_C        0        0
2000 Ethernet0/3    209.165.200.227  set    HMAC_MD5+3DES_56_C        0       19
2001 Ethernet0/3    209.165.200.227  set    HMAC_MD5+3DES_56_C       19        0

Connection 1 is the ISAKMP SA; connections 2000 and 2001 are the two IPSec SAs

Router#sh crypto isakmp sa
dst              src              state    conn-id  slot
209.165.201.4    209.165.200.227  QM_IDLE        1     0

Router#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature, renc - RSA encryption

C-id  Local            Remote           I-VRF  Encr  Hash  Auth  DH  Lifetime  Cap.
1     209.165.200.227  209.165.201.4           3des  sha   psk   1   23:59:40
      Connection-id:Engine-id = 1:1(software)

Show Commands (cont.)

Router# show crypto ipsec sa
interface: Ethernet0/3
    Crypto map tag: vpn, local addr. 209.165.200.227

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   current_peer: 209.165.201.4
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 209.165.200.227, remote crypto endpt.: 209.165.201.4
     path mtu 1500, media mtu 1500
     current outbound spi: 8E1CB77A

Show Commands (cont.)

     inbound esp sas:
      spi: 0x4579753B(1165587771)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4456885/3531)
        IV size: 8 bytes
        replay detection support: Y

     outbound esp sas:
      spi: 0x8E1CB77A(2384246650)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4456885/3531)
        IV size: 8 bytes
        replay detection support: Y

Show Commands (cont.)

Router# show crypto ipsec sa detail
...
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 1, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
...

Hardware Crypto Engine

In the latest Cisco IOS versions, the show commands for the different types of hardware crypto cards have been unified

Verify hardware/software crypto engine:   show crypto engine configuration
Hardware info:                            show diag
Tur the hardware crypto engine on/off:    [no] crypto engine accelerator [slot_no.]
Display statistics:                       show crypto engine accelerator stat
Debug the crypto engine:                  debug crypto engine accelerator control/packet

Hardware Crypto Engine (Cont.)

show crypto engine configuration
        crypto engine name:   Virtual Private Network (VPN) Module
        crypto engine type:   hardware
        Product name:         AIM-VPN/EP

"crypto engine type: hardware" indicates that the hardware crypto engine is on; "Product name" shows the type of hardware encryption

show diag
slot : 0
        Encryption AIM 0:
                Hardware revision      : 1.0
                Top assy. part number  : 800-15369-03
                Board revision         : B0

Hardware Crypto Engine (Cont.)

show crypto engine accelerator statistic
Virtual Private Network (VPN) Module in aim slot : 0
        Statistics for Hardware VPN Module since the last clear
         of counters 31 seconds ago
                   605 packets in                   605 packets out
                     0 packet overruns                0 output packets dropped
                Last 5 minutes:
                   605 packets in                   605 packets out
                   307 packets decrypted            298 packets encrypted
                 15708 bytes decrypted            13854 bytes encrypted
                    19 paks/sec in                    19 paks/sec out
                    17 Kbits/sec decrypted            14 Kbits/sec encrypted

Hardware Crypto Engine (Cont.)

debug crypto engine accelerator

debug cry engine accelerator control
  detail   display the entire command content
  error    display errors from control commands

debug cry engine accelerator packet
  detail   display packets going through the crypto accelerator
  error    display errors from packets going through the crypto accelerator
  number   number of packets to be printed

Verify Crypto Engine

router#sh crypto engine configuration
        crypto engine name:    unknown
        crypto engine type:    ISA/ISM
        CryptIC Version:       FF41
        CGX Version:           0111
        DSP firmware version:  0061
        MIPS firmware version: 0003030F
        ISA/ISM serial number: B82CA6C09E080DF0E0A1029EF8E7112F3FF5F67B
        PCBD info: 3-DES [07F000260000]
        Compression:           No
        3 DES:                 Yes
        Privileged Mode:       0x0000
        Maximum buffer length: 4096
        Maximum DH index:      1014
        Maximum SA index:      2029
        Maximum Flow index:    4059
        Maximum RSA key size:  0000
        crypto engine in slot: 5
        platform:              predator

crypto_engine

Crypto Adjacency Counts:
        Lock Count:   0
        Unlock Count: 0

Common Issues

Incompatible ISAKMP policy or pre-shared secrets
Incompatible transform sets
Incompatible or incorrect access lists
Crypto map on the wrong interface
Overlapping ACLs
Routing and filtering issues
Caveats: switching paths

Incompatible ISAKMP Policy or Pre-Shared Secrets

If none of the configured ISAKMP policies matches the policy proposed by the remote peer, the router tries the default policy 65535; if that does not match either, ISAKMP negotiation fails

Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

A "sh crypto isakmp sa" shows the ISAKMP SA in MM_NO_STATE, meaning main mode failed

Incompatible ISAKMP Policy or Pre-Shared Secrets (cont.)

3d01h: ISAKMP (0:1): processing SA payload. message ID = 0
3d01h: ISAKMP (0:1): found peer pre-shared key matching 209.165.200.227
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0:1): Hash algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0

ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0:1): Encryption algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not acceptable!

Incompatible ISAKMP Policy or Pre-Shared Secrets (cont.)

If the pre-shared secrets are not the same on both sides, the negotiation fails again, with the router complaining that the IKE message failed its sanity check

A "sh crypto isakmp sa" shows the ISAKMP SA in MM_NO_STATE, meaning main mode failed

Incompatible ISAKMP Policy or Pre-Shared Secrets (cont.)

ISAKMP (62): processing SA payload. message ID = 0
ISAKMP (62): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (62): atts are acceptable. Next payload is 0
ISAKMP (62): SA is doing pre-shared key authentication
ISAKMP (62): processing KE payload. message ID = 0
ISAKMP (62): processing NONCE payload. message ID = 0
ISAKMP (62): SKEYID state generated
ISAKMP (62); processing vendor id payload
ISAKMP (62): speaking to another IOS box!
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 209.165.200.227 failed its sanity check or is malformed

Incompatible IPSec Transform Set

If the IPSec transform sets on the two IPSec devices are not compatible, the IPSec negotiation fails, with the router complaining that the atts are not acceptable for the IPSec proposal

ISAKMP (0:2): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported
ISAKMP (0:2): atts not acceptable. Next payload is 0
ISAKMP (0:2): SA not acceptable!

Phase II Parameters:
IPSec mode (tunnel or transport)
Encryption algorithm
Authentication algorithm
PFS group
IPSec SA lifetime
ACL (traffic definition)

Incompatible or Incorrect Access Lists

If the access lists on the two routers don't match, "proxy identities not supported" results

It is recommended that the access lists on the two routers be mirror images of each other

It is also highly recommended that the keyword "any" not be used in match address access lists

Incompatible or Incorrect Access Lists (cont.)

1w6d: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 209.165.201.4, remote= 209.165.200.227,
    local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1w6d: IPSEC(validate_transform_proposal): proxy identities not supported
1w6d: ISAKMP (0:2): IPSec policy invalidated proposal
1w6d: ISAKMP (0:2): phase 2 SA not acceptable!

Access list at 209.165.200.227: access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Access list at 209.165.201.4: access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255

Crypto Map on the Wrong Interface

The crypto map needs to be applied to the outgoing interface of the router

IPSEC(validate_proposal): invalid local address 209.165.201.4
ISAKMP (0:4): atts not acceptable. Next payload is 0
ISAKMP (0:4): phase 2 SA not acceptable!

If you don't want to use the outside interface's IP address as the local ID, use the command "crypto map local-address" to specify the correct interface

If both physical and logical interfaces are involved in carrying outgoing traffic, the crypto map needs to be applied to both; however, this restriction has been removed in the latest Cisco IOS

Overlapping ACLs

If a router has multiple peers, make sure that the match address access list for each peer is mutually exclusive of the match address access lists for the other peers

If this is not done, the router will choose the wrong crypto map entry and try to establish a tunnel with one of the other peers
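Two checks that catch the access-list problems of this slide and of the "Incompatible or Incorrect Access Lists" slide before the debug does, as an added example that is not part of the session: given IOS `access-list N permit ip SRC WILDCARD DST WILDCARD` lines, it verifies that a peer's crypto ACL is the mirror image of the local one, and that the crypto ACLs for different peers on one router are mutually exclusive. The sample ACLs are the ones from the two slides (the mismatched 10.1.3.0 entry at 209.165.201.4, and the two overlapping 10.1.1.0 -> 10.1.2.0 entries for peers 209.165.201.4 and 209.165.202.149); the corrected mirror ACL for 209.165.201.4 is constructed. The parser also understands `host` and `any`, so the `any` keyword the session warns against can be flagged; only `permit ip` entries are considered.

```python
import ipaddress


def _wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> network: invert the wildcard to get the netmask (0.0.0.0 -> /32)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _parse_addr(tokens, i):
    """Read one address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens[i].lower()
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return [(src_net, dst_net), ...] for every 'access-list N permit ip ...' line."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0].lower() != "access-list" \
                or tokens[2].lower() != "permit" or tokens[3].lower() != "ip":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((src, dst))
    return entries


def uses_any(acl):
    """True if some entry matches everything on one side (the keyword 'any')."""
    return any(net.prefixlen == 0 for pair in acl for net in pair)


def mirror_mismatches(local_acl, peer_acl):
    """Local entries the peer has no (dst, src) mirror for, and peer mirrors the local side lacks."""
    local = set(local_acl)
    peer_mirrored = {(dst, src) for (src, dst) in peer_acl}
    return sorted(local - peer_mirrored), sorted(peer_mirrored - local)


def overlapping_entries(acl_by_peer):
    """Entry pairs from different peers that both cover some src -> dst flow."""
    hits = []
    peers = sorted(acl_by_peer)
    for n, a in enumerate(peers):
        for b in peers[n + 1:]:
            for s1, d1 in acl_by_peer[a]:
                for s2, d2 in acl_by_peer[b]:
                    if s1.overlaps(s2) and d1.overlaps(d2):
                        hits.append((a, b, (s1, d1), (s2, d2)))
    return hits


# From the session's "Incompatible or Incorrect Access Lists" slide:
ACL_AT_200_227 = "access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255"
ACL_AT_201_4_WRONG = "access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255"
# Constructed: the mirror image the 209.165.201.4 side should carry
ACL_AT_201_4_FIXED = "access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255"

# From the session's "Incorrect SA Selection" slide: one router, two peers, overlapping crypto ACLs
ACLS_BY_PEER = {
    "209.165.201.4": parse_crypto_acl(
        "access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255\n"
        "access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255\n"),
    "209.165.202.149": parse_crypto_acl(
        "access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255"),
}

if __name__ == "__main__":
    local = parse_crypto_acl(ACL_AT_200_227)
    for label, peer_text in (("wrong", ACL_AT_201_4_WRONG), ("fixed", ACL_AT_201_4_FIXED)):
        missing_on_peer, extra_on_peer = mirror_mismatches(local, parse_crypto_acl(peer_text))
        print(f"peer ACL {label}: not mirrored on peer={missing_on_peer} unmatched on peer={extra_on_peer}")
    for a, b, e1, e2 in overlapping_entries(ACLS_BY_PEER):
        print(f"overlap: peer {a} {e1[0]}->{e1[1]} vs peer {b} {e2[0]}->{e2[1]}")
```

The mirror check is exact (same prefixes swapped), which is the relationship the session recommends; the overlap check is deliberately looser and fires on any shared flow, because that is enough for the router to pick the wrong crypto map entry.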

Incorrect SA Selection by the Router

IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.202.149,
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 209.165.202.149 not found
ISAKMP (0:2): IPSec policy invalidated proposal
ISAKMP (0:2): phase 2 SA not acceptable!

Access list for 209.165.201.4:
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255

Access list for 209.165.202.149:
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
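A small triage script, added here rather than taken from the session, that maps the failure strings shown on the Common Issues slides (ISAKMP policy and pre-shared-secret mismatch, transform-set mismatch, "proxy identities not supported", "invalid local address", "peer address ... not found") to the configuration to check, reports the last ISAKMP state transition so a stalled main mode is visible, and reads the state column of `show crypto isakmp sa` so an MM_NO_STATE entry stands out. The debug samples are copied from the slides; the `show crypto isakmp sa` sample is constructed. The hints restate the slides' own guidance.

```python
import re

# Failure signatures from the debug output on the Common Issues slides, each tied to the
# issue it points at and the configuration to compare first.
SIGNATURES = [
    ("isakmp-policy", r"Hash algorithm offered does not match policy",
     "phase 1 hash mismatch: compare 'crypto isakmp policy' on both peers"),
    ("isakmp-policy", r"Encryption algorithm offered does not match policy",
     "phase 1 encryption mismatch: compare 'crypto isakmp policy' on both peers"),
    ("isakmp-policy", r"phase 1 SA not acceptable",
     "no configured policy, nor the default 65535, matched the peer's offer"),
    ("pre-shared-key", r"failed its sanity check or is malformed",
     "phase 1 authentication failed: the pre-shared secrets probably differ"),
    ("transform-set", r"transform proposal \(prot \d+, trans \d+, hmac_alg \d+\) not supported",
     "phase 2 mismatch: compare 'crypto ipsec transform-set' on both peers"),
    ("access-list", r"proxy identities not supported",
     "crypto ACLs are not mirror images: compare the 'match address' access lists"),
    ("crypto-map-interface", r"invalid local address (\S+)",
     "crypto map is not on the interface owning the local address (or use 'crypto map local-address')"),
    ("overlapping-acl", r"peer address (\S+) not found",
     "proposal matched a crypto map entry for another peer: make the crypto ACLs mutually exclusive"),
]


def triage(debug_text):
    """Return (issue, hint, detail, line_no) for the first appearance of each signature."""
    findings, seen = [], set()
    for line_no, line in enumerate(debug_text.splitlines(), 1):
        for issue, pattern, hint in SIGNATURES:
            if pattern in seen:
                continue
            m = re.search(pattern, line)
            if m:
                seen.add(pattern)
                findings.append((issue, hint, m.group(1) if m.groups() else None, line_no))
    return findings


_STATE_RE = re.compile(r"New State = (\S+)")


def last_isakmp_state(debug_text):
    """Last 'New State = ...' in the ISAKMP debug: where the negotiation got to."""
    states = _STATE_RE.findall(debug_text)
    return states[-1] if states else None


def isakmp_sa_states(show_text):
    """Parse the rows of 'show crypto isakmp sa' into {(dst, src): state}."""
    rows = {}
    for line in show_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0][:1].isdigit() and parts[1][:1].isdigit():
            rows[(parts[0], parts[1])] = parts[2]
    return rows


# Debug samples copied from the session's slides; the show output is constructed.
DEBUG_POLICY_MISMATCH = """\
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP (0:1): Hash algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP (0:1): Encryption algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not acceptable!
"""
DEBUG_WRONG_PEER = """\
IPSEC(validate_transform_proposal): peer address 209.165.202.149 not found
ISAKMP (0:2): IPSec policy invalidated proposal
ISAKMP (0:2): phase 2 SA not acceptable!
"""
DEBUG_STALLED = """\
ISAKMP (0:1): Input = IKE_MESG_FROM_IPsec, IKE_SA_REQ_MM
Old State = IKE_READY  New State = IKE_I_MM1
ISAKMP (0:1): beginning Main Mode exchange
ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_NO_STATE
"""
SHOW_ISAKMP_SA_FAILED = """\
dst              src              state        conn-id  slot
209.165.201.4    209.165.200.227  MM_NO_STATE        1     0
"""

if __name__ == "__main__":
    for issue, hint, detail, n in triage(DEBUG_POLICY_MISMATCH + DEBUG_WRONG_PEER):
        print(f"line {n}: {issue}: {hint}" + (f" ({detail})" if detail else ""))
    print("stalled at", last_isakmp_state(DEBUG_STALLED))
    print(isakmp_sa_states(SHOW_ISAKMP_SA_FAILED))
```

Feeding it the policy-mismatch debug from the slides yields three isakmp-policy findings in the same order the router produced them: the hash check failed against priority 1, the encryption check failed against the default 65535, and the negotiation ended with "phase 1 SA not acceptable".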

Routing Issues

A packet needs to be routed to the interface that has the crypto map configured on it before IPSec kicks in

Routes need to be there for:
The router to reach its peer's address
The IP subnets of the destination hosts before the packets are encrypted
The IP subnets of the destination hosts once the packets are decrypted

Use "debug ip packet detail" to see whether routing is occurring correctly (be careful on busy networks!!!)

Possible Caveats in Switching Paths

Symptom: only the encryption counter or only the decryption counter increments in "show crypto eng conn active"

Caveats in the switching paths might cause IPSec encryption/decryption failures

Workaround: try a different switching path (CEF, fast switching, process switching)

Process switching can cause performance issues!!!
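The symptom rules of the routing and switching-path slides, applied to the per-SA counters of `show crypto ipsec sa [detail]`, as an added example that is not from the session. The healthy sample is the session's own counters (19 packets each way, one packet sent before the SA came up); the one-way sample is constructed. The codes it returns are chosen here; the messages restate the slides' guidance.

```python
import re

# One counter in 'show crypto ipsec sa [detail]' output, e.g. "#pkts encaps: 19",
# "#pkts digest 19", "#pkts no sa (send) 1", "#send errors 1" (colon optional).
_COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z .()]*?):?\s+(\d+)")


def parse_counters(show_text):
    """Return {counter_name: value}, with whitespace inside names normalised."""
    return {" ".join(name.split()): int(value) for name, value in _COUNTER_RE.findall(show_text)}


def diagnose(counters):
    """Apply the session's symptom rules to one SA pair's counters; returns [(code, message)]."""
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    findings = []
    if enc and not dec:
        findings.append(("one-way-tx",
                         "encrypting but nothing comes back: check the return route and the peer's crypto ACL"))
    elif dec and not enc:
        findings.append(("one-way-rx",
                         "decrypting but not encrypting: check routing to the crypto-map interface "
                         "and the switching path (CEF / fast / process)"))
    elif not enc and not dec:
        findings.append(("no-traffic", "no packets hit this SA: interesting traffic is not reaching the crypto map"))
    if counters.get("pkts no sa (send)", 0):
        findings.append(("no-sa-drops",
                         f"{counters['pkts no sa (send)']} packet(s) sent before the SA existed "
                         "(dropped while the tunnel came up)"))
    if counters.get("pkts invalid sa (rcv)", 0):
        findings.append(("unknown-spi", "inbound packets arrived for an SPI that is not in the SADB"))
    if counters.get("pkts verify failed", 0):
        findings.append(("verify-failures", "inbound packets failed the integrity check"))
    if counters.get("pkts replay failed (rcv)", 0):
        findings.append(("replay-drops", "inbound packets rejected by anti-replay"))
    return findings


# From the session's 'show crypto ipsec sa detail' output (healthy tunnel, 19 packets each way)
SHOW_HEALTHY = """\
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
    #pkts no sa (send) 1, #pkts invalid sa (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    ##pkts replay failed (rcv): 0
    #send errors 1, #recv errors 0
"""
# Constructed: the switching-path / routing symptom, only one direction moving
SHOW_ONE_WAY = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #send errors 0, #recv errors 0
"""

if __name__ == "__main__":
    for label, text in (("healthy", SHOW_HEALTHY), ("one-way", SHOW_ONE_WAY)):
        for code, msg in diagnose(parse_counters(text)):
            print(f"{label}: {code}: {msg}")
```

On the session's own output the only finding is the single "no sa (send)" packet, which also accounts for the "#send errors 1" on the same slide; the constructed one-way sample produces the switching-path symptom the slide describes.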

Quiz Time

The "PROXY IDS NOT SUPPORTED" debug message means:

1. Phase 2 hashing is mismatched
2. Access list is mismatched
3. Phase 2 encryption type is mismatched
4. DH group is mismatched

Agenda

Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers

    Layout

    Encrypted

    Internet

    PIX 1

    PrivatePublic

    Private

    209.165.200.226

    PIX 2

    209.165.202.129

    10.1.2.0/2410.1.1.0/24


    PIX-to-PIX VPN Configuration

    access-list bypassnat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    nat (inside) 0 access-list bypassnat
    access-list encrypt permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    ip address outside 209.165.202.129 255.255.255.0
    ip address inside 10.1.1.1 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 209.165.202.158 1
    sysopt connection permit-ipsec

    Access-list bypassnat defines the interesting traffic that bypasses NAT for the VPN

    The nat 0 command bypasses NAT for the packets destined over the IPSec tunnel

    Access-list encrypt defines the VPN interesting traffic

    IP addresses on the outside and inside interfaces

    The sysopt command bypasses the conduit or ACL checking that would otherwise be applied to the inbound VPN packets after decryption
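As an added check that is not part of the presentation, the following Python script parses the crypto ACL of each peer, in PIX subnet-mask form or Cisco IOS wildcard form, and reports entries whose exact mirror image is missing on the other side; an unmirrored entry is what produces the PROXY IDS NOT SUPPORTED debug message from the quiz. The ACL text is constructed sample input, and the helper names and the "pix"/"ios" style labels are assumptions of this example.

```python
"""Proxy-ID (crypto ACL) mirror check for two IPSec peers (added example, not from the presentation)."""
import ipaddress
import re

# Matches 'access-list <name> permit ip <src> <dst>'; only plain 'permit ip' entries are considered.
ACE_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")

# Constructed sample crypto ACLs. The PIX side writes subnet masks (255.255.255.0),
# the IOS side writes wildcard masks (0.0.0.255); the third IOS line has no PIX mirror.
PIX_CRYPTO_ACL = """
access-list encrypt permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list encrypt permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
"""
IOS_CRYPTO_ACL = """
access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
"""


def _parse_endpoint(tokens, style):
    """Consume one ACL endpoint ('any', 'host A.B.C.D' or 'A.B.C.D MASK') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if style == "ios":
        # IOS access lists use wildcard masks: invert the bits to get the subnet mask.
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    elif style != "pix":
        raise ValueError(f"unknown ACL style: {style}")
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(text, style):
    """Return the (source, destination) network pairs of every permit entry in the ACL text."""
    entries = []
    for line in text.splitlines():
        match = ACE_RE.match(line.strip())
        if not match:
            continue
        tokens = match.group(2).split()
        src = _parse_endpoint(tokens, style)
        dst = _parse_endpoint(tokens, style)
        entries.append((src, dst))
    return entries


def proxy_id_report(local_text, local_style, remote_text, remote_style):
    """List entries on either peer whose mirror image (src and dst swapped) is missing on the other."""
    local = set(parse_crypto_acl(local_text, local_style))
    remote = set(parse_crypto_acl(remote_text, remote_style))
    remote_mirrored = {(dst, src) for src, dst in remote}
    local_only = local - remote_mirrored
    # Flip the leftovers back into the remote peer's own orientation for reporting.
    remote_only = {(dst, src) for src, dst in remote_mirrored - local}

    def fmt(pairs):
        return sorted(f"{src} -> {dst}" for src, dst in pairs)

    return {"local_only": fmt(local_only), "remote_only": fmt(remote_only)}


if __name__ == "__main__":
    # Expected: the 10.1.4.0/24 entry exists only on the IOS peer.
    print(proxy_id_report(PIX_CRYPTO_ACL, "pix", IOS_CRYPTO_ACL, "ios"))
```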


    Standard Site-to-Site VPN Configuration Highlight

    crypto ipsec transform-set mysetdes esp-des esp-md5-hmac
    crypto map encryptmap 20 ipsec-isakmp
    crypto map encryptmap 20 match address encrypt
    crypto map encryptmap 20 set peer 209.165.200.226
    crypto map encryptmap 20 set transform-set mysetdes
    crypto map encryptmap interface outside
    isakmp enable outside
    isakmp key cisco123 address 209.165.200.226 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400

    The crypto map commands define the IPSec SA (Phase II SA) parameters

    The crypto ipsec transform-set command defines the IPSec encryption and authentication algorithms

    The isakmp key command defines the pre-shared key for the peer address

    The isakmp policy commands define the Phase 1 SA parameters


    Common Issues

    Bypassing NAT

    Enabling ISAKMP

    Missing sysopt commands

    Combining PIX-PIX and PIX-VPN client issues


    Bypassing NAT

    NAT needs to be bypassed on the PIX in order for the remote side to access the private network behind the PIX seamlessly

    Use the nat 0 command with an access list to achieve that


    Enabling ISAKMP

    Unlike the router, ISAKMP is not enabled by default on the PIX

    Use the command isakmp enable to enable it on an interface

    Pix(config)# isakmp enable outside


    Missing Sysopt Commands

    After decryption, PIX will check the access-lists or conduits against the decrypted IP packets

    Access-lists or conduits need to be configured to permit decrypted IP traffic

    Enable sysopt connection permit-ipsec to bypass the access-list/conduit checking against VPN traffic after decryption


    Combining PIX-PIX and PIX-Client Issues

    If you are doing mode config or X-Auth for the VPN clients, you need to disable them for the site-to-site VPN connections

    Use the no-config-mode and no-xauth keywords at the end of the pre-shared key definition to disable mode config and X-Auth

    Use isakmp peer fqdn <fqdn> no-xauth no-config-mode in case rsa-sig is used as the IKE authentication method


    Agenda (section: Cisco EasyVPN Clients)


    Layout (figure): EasyVPN clients connect across the Internet to a head-end router at 209.165.200.227, which fronts 10.1.1.0/24 with the WINS and DNS servers; the clients are a software VPN Client at 172.18.124.96, an IOS EasyVPN router at 209.165.201.4 with 14.38.1.0/24 behind it, and a PIX at 209.165.201.2 with 14.38.2.0/24 behind it


    Cisco VPN Clients to a Router

    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    username cisco password 0 cisco123
    username pix password 0 cisco123
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group vpnclient
     key cisco123
     dns 10.1.1.10
     wins 10.1.1.20
     domain cisco.com
     pool ippool
     acl 100

    The aaa commands enable user authentication and group authorization

    The ISAKMP policy defines the Phase 1 parameters

    The crypto isakmp client configuration commands define the mode-configuration parameters to be passed to the VPN clients

    (VPN Client 172.18.124.96 to Router 209.165.200.227)


    Cisco VPN Clients to a Router

    The crypto ipsec transform-set command defines the IPSec encryption and authentication algorithms

    The crypto map commands define the actual map that is applied to the outbound interface for the data encryption

    crypto dynamic-map defines a dynamic map that is included in the actual map

    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set myset
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap

    (VPN Client 172.18.124.96 to Router 209.165.200.227)


    Cisco VPN Clients to a Router

    The access-list defines split tunneling

    The crypto map is then applied to the outbound interface

    The ip local pool command defines a pool of addresses to be assigned to the VPN clients

    ip local pool ippool 14.1.1.1 14.1.1.254
    !
    access-list 100 permit ip 10.1.1.0 0.0.0.255 14.1.1.0 0.0.0.255
    access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.1.0 0.0.0.255
    access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.2.0 0.0.0.255
    !
    interface FastEthernet2/0
     ip address 209.165.200.227 255.255.255.0
     crypto map clientmap

    (VPN Client 172.18.124.96 to Router 209.165.200.227)


    Layout (figure): the same EasyVPN clients (software VPN Client at 172.18.124.96, IOS router at 209.165.201.4 with 14.38.1.0/24, PIX at 209.165.201.2 with 14.38.2.0/24) connect across the Internet to a head-end PIX at 209.165.200.226, which fronts 10.1.1.0/24 with the WINS and DNS servers


    Cisco VPN Client to a PIX

    Define an access-list that is used to bypass NAT for the IPSec traffic

    Define the IP addresses on the interfaces

    The ISAKMP policy defines the Phase 1 parameters

    access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.1.0 255.255.255.0
    access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.2.0 255.255.255.0
    nat (inside) 0 access-list 101
    ip address outside 209.165.200.226 255.255.255.224
    ip address inside 10.1.1.1 255.255.255.0
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    (VPN Client 172.18.124.96 to PIX 209.165.200.226)


    Cisco VPN Client to a PIX

    sysopt connection permit-ipsec
    vpngroup vpnclient address-pool ippool
    vpngroup vpnclient dns-server 10.1.1.2
    vpngroup vpnclient wins-server 10.1.1.2
    vpngroup vpnclient default-domain cisco.com
    vpngroup vpnclient split-tunnel 101
    vpngroup vpnclient idle-time 1800
    vpngroup vpnclient password ********
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    ip local pool ippool 10.1.2.1-10.1.2.254

    The sysopt command bypasses conduits or ACLs

    The vpngroup commands enable group authorization; you can pass mode-configuration parameters back to the VPN client within this section; note that access-list 101 can be used again for split tunneling

    The crypto map commands define the actual map that is applied to an interface for the data encryption

    The crypto ipsec transform-set command defines the Phase 2 negotiation parameters

    The ip local pool command defines a pool of addresses to be assigned to the VPN clients

    (VPN Client 172.18.124.96 to PIX 209.165.200.226)


    Software VPN Client Configuration

    To launch the VPN client, click: Start | Programs | Cisco Systems VPN Client | VPN Client


    Cisco IOS EasyVPN Client

    crypto ipsec client ezvpn ezvpnclient
     connect auto
     group vpnclient key cisco123
     mode network-extension
     peer 209.165.200.227
    !
    interface Ethernet0
     ip address 14.38.1.1 255.255.255.0
     crypto ipsec client ezvpn ezvpnclient inside
     hold-queue 100 out
    !
    interface Ethernet1
     ip address 209.165.201.4 255.255.255.224
     crypto ipsec client ezvpn ezvpnclient

    The crypto ipsec client commands define the connection parameters used to establish an EasyVPN tunnel

    The crypto ipsec client ... inside command defines the private subnet for the IPSec encryption

    The crypto ipsec client command is then applied to an outbound interface

    (EZVPN client router 209.165.201.4, private network 14.38.1.0/24, to head-end router 209.165.200.227)


    PIX EasyVPN

    hostname vpn-pix501b
    domain-name cisco.com
    vpnclient server 209.165.200.227
    vpnclient mode network-extension-mode
    vpnclient vpngroup vpnclient password ********
    vpnclient username cisco password ********
    vpnclient enable
    route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
    ip address outside 209.165.201.2 255.255.255.224
    ip address inside 14.38.2.1 255.255.255.0

    The vpnclient commands define the connection parameters used to establish an EasyVPN tunnel

    (EZVPN client PIX 209.165.201.2, private network 14.38.2.0/24, to head-end router 209.165.200.227)


    Cisco IOS Debugs: Phase I Negotiation

    Debugs used:
    debug crypto isakmp
    debug crypto ipsec
    debug crypto ipsec client ezvpn (on the EZVPN client)

    ISAKMP (0:0): received packet from 172.18.124.96 (N) NEW SA
    ISAKMP: local port 500, remote port 500
    ISAKMP (0:10): Checking ISAKMP transform 1 against priority 3 policy
    ISAKMP:      encryption 3DES-CBC
    ISAKMP:      hash SHA
    ISAKMP:      default group 2
    ISAKMP:      auth XAUTHInitPreShared
    ISAKMP:      life type in seconds
    ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
    ISAKMP (0:10): atts are acceptable. Next payload is 3
    Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

    The router is trying to match the received proposal #1 with the configured proposal #3

    The received proposal is acceptable

    The first message indicates that this router received an ISAKMP message from the EZVPN client on src port 500, dst port 500

    Since the VPN client uses aggressive mode, the new state is IKE_R_AM_AAA_AWAIT


    Cisco IOS Debugs: Xauth

    ISAKMP (0:10): Need XAUTH

    ISAKMP/xauth: request attribute XAUTH_TYPE_V2

    ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2

    ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

    ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

    ...

    ISAKMP: Config payload REPLY
    ISAKMP/xauth: reply attribute XAUTH_TYPE_V2 unexpected

    ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

    ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

    The router is requesting user authentication from the VPN client

    The router is receiving the X-Auth attributes from the VPN client


    Cisco IOS Debugs: Mode Configuration

    ISAKMP (0:10): checking request:
    ISAKMP: IP4_ADDRESS
    ISAKMP: IP4_NETMASK
    ISAKMP: IP4_DNS
    ISAKMP: IP4_NBNS
    ISAKMP: ADDRESS_EXPIRY
    ISAKMP: APPLICATION_VERSION
    ISAKMP: UNKNOWN Unknown Attr: 0x7000
    ISAKMP: Sending private address: 14.1.1.3
    ISAKMP: Unknown Attr: IP4_NETMASK (0x2)
    ISAKMP: Sending IP4_DNS server address: 14.36.1.10
    ISAKMP: Sending IP4_NBNS server address: 14.36.1.20
    ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86395
    ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork Operating System Software
    IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(15)T, RELEASE SOFTWARE (fc1)
    ISAKMP: Unknown Attr: UNKNOWN (0x7000)

    The router received a mode configuration request from the VPN client

    The router is sending the mode-configuration parameters back to the VPN client

    Unknown Attr is not an error; it just means that the router does not support this mode-config attribute requested by the VPN client


    Cisco IOS Debugs: Phase II Negotiation

    The router is checking and validating the IPSec proposals

    After Phase II is validated, the IPSec SAs are created: one SA for inbound traffic and the other SA for outbound traffic

    ISAKMP (0:11): Checking IPSec proposal 4
    ISAKMP: transform 1, ESP_3DES
    ISAKMP:   attributes in transform:
    ISAKMP:      authenticator is HMAC-SHA
    ISAKMP:      encaps is 1
    ISAKMP:      SA life type in seconds
    ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
    ISAKMP (0:11): atts are acceptable.
    ISAKMP (0:11): Creating IPSec SAs
            inbound SA from 172.18.124.96 to 14.36.100.101 (proxy 14.1.1.4 to 14.36.100.101)
            has spi 0x962A493B and conn_id 2000 and flags 4
            lifetime of 2147483 seconds
            outbound SA from 14.36.100.101 to 172.18.124.96 (proxy 14.36.100.101 to 14.1.1.4)
            has spi -2145675534 and conn_id 2001 and flags C
            lifetime of 2147483 seconds


    Common Issues

    VPN clients only propose DH group 2 and 5; configure DH group 2 or 5 on Cisco IOS or the PIX

    Configure isakmp identity hostname if rsa-sig is used as the IKE authentication method

    aaa authorization needs to be enabled on the router so that the router can accept/send mode-configuration attributes

    On the Cisco IOS EasyVPN client, for X-Auth, you have to manually type crypto ipsec client ezvpn xauth; however, this restriction has been lifted in the latest version of code


    Quiz Time

    The purpose of sysopt connection permit-ipsec is:

    1. To bypass conduit or ACL checking against the decrypted VPN traffic

    2. To bypass NAT for the IPSec traffic

    3. To bypass the assignment of an IP address to the VPN client

    4. To bypass X-Auth for the VPN clients

    Agenda (section: NAT with IPSec)


    Common Problems

    Bypassing NAT entries

    NAT in the middle of an IPSec tunnel


    Bypassing NAT Entries

    Bypassing dynamic NAT entries:

    ip nat inside source route-map nonat interface Ethernet1/0 overload
    access-list 150 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 150 permit ip 10.1.2.0 0.0.0.255 any
    route-map nonat permit 10
     match ip address 150

    Static NAT entries can be bypassed using a loopback interface and policy routing for Cisco IOS images prior to 12.2.4T; starting from 12.2.4T a route-map can be used with static NAT to bypass NAT

    Tools to debug this setup are: show ip nat translation, debug ip nat, debug ip policy


    Bypassing Static NAT Entries (loopback and policy routing, pre-12.2.4T)

    crypto map vpn 10 ipsec-isakmp
     set peer 209.165.201.4
     set transform-set myset
     match address 101
    !
    interface Loopback1
     ip address 10.2.2.2 255.255.255.252
    !
    interface Ethernet0/3
     ip address 209.165.200.227 255.255.255.0
     ip nat outside
     crypto map vpn
    !
    interface Ethernet0/2
     ip address 10.1.1.3 255.255.255.0
     ip nat inside
     ip policy route-map nonat
    !
    ip nat inside source list 1 interface Ethernet0/3 overload
    ip nat inside source static 10.1.1.1 209.165.200.230
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    !
    route-map nonat permit 10
     match ip address 120
     set ip next-hop 10.2.2.1

    (figure: e0/2 is the NAT inside interface, e0/3 is the NAT outside interface with the crypto map, lo1 is the loopback used as the policy-routing next hop)

    Be careful: packets get PROCESS SWITCHED


    Bypassing Static NAT Entries (route-map with static NAT, 12.2.4T and later)

    crypto map vpn 10 ipsec-isakmp
     set peer 209.165.201.4
     set transform-set myset
     match address 101
    !
    interface Ethernet0/3
     ip address 209.165.200.227 255.255.255.0
     ip nat outside
     crypto map vpn
    !
    interface Ethernet0/2
     ip address 10.1.1.3 255.255.255.0
     ip nat inside
    !
    ip nat inside source list 1 interface Ethernet0/3 overload
    ip nat inside source static 10.1.1.1 209.165.200.230 route-map nonat
    !
    access-list 1 permit 10.1.1.0 0.0.0.255
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 120 permit ip 10.1.1.0 0.0.0.255 any
    !
    route-map nonat permit 10
     match ip address 120

    (figure: e0/2 is the NAT inside interface, e0/3 is the NAT outside interface with the crypto map)


    NAT in the Middle of an IPSec Tunnel

    In many cases, VPN clients are behind NAT/PAT devices

    IPSec over NAT (NAT-T) support was first introduced in 12.2(15)T for routers and version 6.3 for the PIX

    The IPSec pass-through feature is supported on certain NAT/PAT devices; the ISAKMP cookie and the ESP SPI are used to build the translation table

    NAT-T is turned on by default on Cisco IOS

    Use isakmp nat-traversal to turn on NAT-T on the PIX

    Turn on the IPSec over UDP or IPSec over TCP feature in the case of the VPN 3000 Concentrator


    Agenda (section: Firewalling and IPSec)


    Firewall in the Middle

    A firewall between the IPSec peers must pass:

    ESP (IP protocol 50) and/or AH (IP protocol 51)

    UDP port 500 (ISAKMP), and/or UDP port 4500 (NAT-T)

    (figure: private network behind a router, encrypted traffic across the public Internet to the remote private network)


    Firewalling and IPSec (Current Behavior)

    Firewall on the IPSec endpoint router; the interface access list must permit:

    ESP and/or AH

    UDP port 500 (IKE) and 4500 (NAT-T)

    The IP addresses of the decrypted packets (the incoming access group is applied twice: once to the encrypted packet and again to the decrypted packet)

    Firewall on the IPSec endpoint PIX:

    sysopt connection permit-ipsec (no conduit or access-list is needed)

    Use of conduits or access-lists (no sysopt connection permit-ipsec is needed; this gives you more security for the decrypted packets)


    IPSec and Packet Filtering (New Behavior)

    Functionality first introduced in 12.3(8)T

    No need to permit clear-text traffic through the interface access list

    New set ip access-group command under the crypto map, if clear-text packet filtering is required

    ESP and/or AH packets have to be allowed if outbound ACLs are being used; this was not required in pre-12.3(8)T code


    IPSec and Packet Filtering (New Behavior) (Cont.)

    crypto map vpnmap 10 ipsec-isakmp
     set peer 192.168.2.1
     set transform-set trans1
     match address 101
     set ip access-group 171 in
     set ip access-group 181 out
    !
    interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0
    !
    interface Serial1/0
     ip address 192.168.1.1 255.255.255.0
     ip access-group 150 in
     ip access-group 160 out
     crypto map vpnmap
    !
    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 150 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500
    access-list 150 permit esp host 192.168.2.1 host 192.168.1.1
    access-list 160 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500
    access-list 160 permit esp host 192.168.1.1 host 192.168.2.1
    access-list 171 permit tcp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq telnet
    access-list 181 permit tcp 10.1.1.0 0.0.0.255 eq telnet 10.1.2.0 0.0.0.255

    The set ip access-group commands are optional; they are used for clear-text packet filtering

    Optional: access lists 171 and 181 permit Telnet access across the tunnel


    Agenda (section: MTU Issues)


    IPSec MTU Issues

    Overhead introduced by IPSec encapsulation (~60 bytes)

    Possible fragmentation after encryption leads to reassembly on the VPN peer router (process-switched, performance degradation)

    IPSec and Path MTU discovery (PMTU):

    IPSec copies the Don't Fragment (DF) bit from the original data packet's IP header

    IPSec dynamically updates the path MTU in the SADB if the router receives a PMTU ICMP message

    The MTU hint in the PMTU ICMP message is the physical MTU minus the ipsec_overhead (calculated based on the transform set)


    IPSec and PMTU

    (figure: host 10.1.1.2 sends 1500-byte packets with DF=1 towards 10.1.2.2 through an IPSec tunnel between 172.16.172.20/28 and 172.16.172.10/28, media and path MTU 1500 on both ends; the DF bit is copied into the IPSec header; the encrypting router first returns ICMP Type 3 Code 4 with an MTU hint of 1454, the host retransmits at 1454 bytes; a 1400-byte MTU link in the path returns ICMP (1400) to the router, which sets the path MTU of the IPSec SA to 1400 and in turn sends ICMP Type 3 Code 4 with an MTU hint of 1354 to the host)

    Debug output:

    ICMP: dst (172.16.172.20) frag. needed and DF set unreachable rcv from 172.16.172.11
    Adjust path MTU on corresponding IPSec SA
    path mtu 1400, media mtu 1500
    current outbound spi: EB84DC85
    ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to 10.1.1.2 (debug ip icmp output)


    Common Problem

    PMTU ICMP packets lost or blocked:

    Use debug ip icmp on the router to verify whether ICMP packets are sent or received

    Use a sniffer to verify whether ICMP packets are lost

    Workarounds:

    Reduce the MTU or disable PMTU on the end host

    Adjust the TCP MSS on the router to fine-tune TCP windows

    Configure the router to clear the DF bit of the data packets

    Look-ahead fragmentation


    MTU Issues Work Around: Adjusting TCP MSS

    Adjust the TCP MSS (maximum segment size) under the ingress interface:

    ip tcp adjust-mss <value>

    The router will sniff the incoming TCP SYN packets and rewrite the TCP MSS field to the configured number

    The remote host will use the adjusted MSS value correspondingly

    Choose the MSS so that the encrypted packets avoid fragmentation


    MTU Issues Work Around: Policy Routing

    crypto map vpn 10 ipsec-isakmp
     set peer 172.16.172.10
     set transform-set myset
     match address 101
    !
    interface Ethernet1/0
     ip address 172.16.172.20 255.255.255.240
     crypto map vpn
    !
    interface Ethernet1/1
     ip address 10.1.2.1 255.255.255.0
     ip policy route-map ClearDF
    !
    route-map ClearDF permit 10
     match ip address 101
     set ip df 0
    !
    access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

    Use policy routing to set the DF bit of the interesting traffic to 0


    MTU Issues Work Around: DF Bit Override Feature

    DF bit override feature with IPSec allows router to set, copy or clear the DF bit from the IPSec encapsulated header

    Router(config)#crypto ipsec df-bit clear

    First introduced in 12.2(2)T

    Only works for IPSec tunnel mode

    With df-bit clear option, large packets will be fragmented after encryption


    MTU Issues Work Around: Look ahead Fragmentation

    Fragment large packets before IPSec encryption to avoid performance issues

    Works for IPSec tunnel mode only

    Depends on the crypto ipsec df-bit configuration

    First introduced in 12.1(11)E; the feature was integrated in 12.2(13)T and 12.2(14)S

    crypto ipsec df-bit clear
    crypto ipsec fragmentation before-encryption


    Quiz Time

    The purpose of crypto ipsec df-bit clear is:

    1. To adjust the TCP MSS value in the SYN packets

    2. To help the router in doing Path MTU Discovery

    3. To drop the IPSec packets if the don't fragment bit is set

    4. To remove the don't fragment bit

    Agenda (section: GRE over IPSec)


    GRE over IPSec

    (figure: packet formats as they cross the Internet)
    a. Original packet: IP hdr 1 | TCP hdr | Data
    b. GRE encapsulation: IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data
    c. GRE over IPSec transport mode: IP hdr 2 | ESP hdr | GRE hdr | IP hdr 1 | TCP hdr | Data
    d. GRE over IPSec tunnel mode: IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data


    GRE over IPSec (Common Configuration Issues)

    Apply the crypto map on both the tunnel interface and the physical interface; however, this restriction has been removed in the latest Cisco IOS

    Specify GRE traffic as the IPSec interesting traffic:
    access-list 101 permit gre host 200.1.1.1 host 150.1.1.1

    Static or dynamic routing is needed to send the VPN traffic into the GRE tunnel before it gets encrypted


    GRE over IPSec (Avoid Recursive Routing)

    To avoid GRE tunnel interface flapping due to recursive routing, keep transport and passenger routing information separate:

    Use different routing protocols or separate routing protocol identifiers

    Keep the tunnel IP address range and the actual IP network address ranges distinct

    For the tunnel interface IP address, don't use unnumbered to a loopback interface when the loopback's IP address resides in the ISP address space


    GRE over IPSec (MTU Issues)

    Overhead calculation of GRE over IPSec (assume ESP-DES and ESP-MD5-HMAC):

    ESP overhead (with authentication): 31 to 38 bytes

    GRE header: 24 bytes

    IP header: 20 bytes

    GRE over IPSec in tunnel mode introduces ~75 bytes of overhead; GRE over IPSec in transport mode introduces ~55 bytes of overhead


    GRE over IPSec (MTU Issues)

    After GRE tunnel encapsulation, the packets will be sent to physical interface with DF bit set to 0

    The GRE packets will then be encrypted at physical interface; if IPSec overhead causes final IPSec packets to be bigger than the interface MTU, the router will fragment the packets

    The remote router will need to reassemble the fragmented IPSec packets (process switched) which causes performance degradation


    GRE over IPSec (MTU Issues)

    To avoid fragmentation and reassembly of IPSec packets:

    1. Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface

    2. Enable tunnel path-mtu-discovery (DF bit copied after GRE encapsulation) under the tunnel interface

    3. Turn on the look-ahead fragmentation feature

    Use show int switching to verify the switching path


    GRE over IPSec (MTU Issues)

    Workarounds in case PMTU ICMP packets are lost or blocked:

    Incoming large packets with DF=1 will not be dropped by the GRE tunnel because of the larger MTU setting

    The IPSec packets after GRE encapsulation (DF=0) will be fragmented before they leave the router

    Performance is affected by the reassembly of the packets

    interface Tunnel0
     ip mtu 1500


    DMVPN Configuration

    Hub Router:

    interface Tunnel0
     ip address 192.1.1.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 90
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 360
     no ip split-horizon eigrp 90
     tunnel source 192.168.1.1
     tunnel mode gre multipoint
     tunnel key 652560
     tunnel protection ipsec profile cisco

    Spoke Router:

    interface Tunnel0
     ip address 192.1.1.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 90
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp map 192.1.1.1 192.168.1.1
     ip nhrp map multicast 192.168.1.1
     ip nhrp network-id 1
     ip nhrp holdtime 360
     ip nhrp nhs 192.1.1.1
     no ip split-horizon eigrp 90
     tunnel source 192.168.1.2
     tunnel mode gre multipoint
     tunnel key 652560
     tunnel protection ipsec profile cisco

    (Slide callouts: Addresses, NHRP, mGRE Tunnel sections of each configuration)


    DMVPN Troubleshooting

    Crypto debugs:

    debug crypto isakmp
    debug crypto ipsec
    debug crypto socket
    debug tunnel protection

    NHRP debugs:

    debug nhrp
    debug nhrp packet
    debug nhrp cache

    Registration Process:

    NHRP: Encapsulation succeeded. Tunnel IP addr 192.168.1.1
    NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 84
     src: 192.1.1.2, dst: 192.1.1.1
    NHRP: 84 bytes out Tunnel0
    ...
    NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 104
    ...

    Resolution Process:

    NHRP: Sending packet to NHS 192.1.1.1 on Tunnel0
    NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 84
     src: 192.1.1.2, dst: 192.1.1.1
    NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 84
    NHRP: Send Resolution Reply via Tunnel0 vrf 0, packet size: 112


    Agenda

    Introduction
    Router IPSec VPNs
    PIX IPSec VPNs
    Cisco EasyVPN Clients
    NAT with IPSec
    Firewalling and IPSec
    MTU Issues
    GRE over IPSec
    Loss of Connectivity of IPSec Peers


    Loss of Connectivity of IPSec Peers

    Figure: two IPSec peers connected across the Internet, each holding an IPSec SA (SPI, Peer, Local_id, Remote_id, Transform) in both directions; one peer receives an ESP packet with SPI=0xB1D1EA3F for which it has no matching SA and logs:

    00:01:33: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)


    Loss of Connectivity of IPSec Peers

    Use ISAKMP keepalives to detect loss of connectivity of Cisco IOS IPSec peers

    crypto isakmp keepalive

    ISAKMP keepalives might cause performance degradation in large deployments; choose keepalive parameters carefully

    In the latest Cisco IOS and PIX versions, ISAKMP keepalives are replaced by DPD (Dead Peer Detection) for lower CPU overhead
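    The %CRYPTO-4-RECVD_PKT_INV_SPI message shown on the previous slide is logged by the receiving peer, whose SA database no longer matches the SPI the sender is still using; a run of them from one destaddr is the symptom that keepalives or DPD are meant to prevent. The following is an added example, not from the Cisco deck: a small syslog parser that groups these messages per (destaddr, SPI) and flags repeat offenders so an operator knows which peer's SAs to inspect. The log lines, the threshold, and the second peer 10.0.0.1 with SPI 0x0000ABCD are constructed for the example.

```python
# Added example, not from the Cisco deck: detect a peer repeatedly sending on a stale SPI
# from %CRYPTO-4-RECVD_PKT_INV_SPI syslog lines. All log lines below are constructed.
import re
from collections import Counter

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for "
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=(?P<spi>0x[0-9A-Fa-f]+)"
)

# Constructed sample: first line copied from the slide, the others made up to show
# an unrelated message being skipped and a second, less frequent peer.
SAMPLE_LOG = """\
00:01:33: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)
00:01:34: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)
00:01:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
00:01:36: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=172.16.172.28, prot=50, spi=0xB1D1EA3F(-1311643073)
00:02:10: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=10.0.0.1, prot=50, spi=0x0000ABCD(43981)
"""


def parse_invalid_spi(log_text: str) -> list:
    """Return one dict per invalid-SPI message: destaddr, IP protocol and SPI as int."""
    events = []
    for line in log_text.splitlines():
        m = INV_SPI_RE.search(line)
        if m:
            events.append({"dst": m["dst"], "prot": int(m["prot"]), "spi": int(m["spi"], 16)})
    return events


def stale_sa_candidates(events: list, threshold: int = 3) -> dict:
    """Map (destaddr, spi) -> count for pairs seen at least `threshold` times.

    Only ESP (protocol 50) is considered; one stray message after a rekey is normal,
    a steady stream means the remote peer still holds an SA this router has lost."""
    counts = Counter((e["dst"], e["spi"]) for e in events if e["prot"] == 50)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (dst, spi), n in stale_sa_candidates(parse_invalid_spi(SAMPLE_LOG)).items():
        print(f"{n} invalid-SPI packets for destaddr={dst} spi=0x{spi:08X}: "
              f"check 'show crypto ipsec sa' on both peers")
```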


    Complete Your Online Session Evaluation!

    WHAT: Complete an online session evaluation and your name will be entered into a daily drawing

    WHY: Win fabulous prizes! Give us your feedback!

    WHERE: Go to the Internet stations located throughout the Convention Center

    HOW: Winners will be posted on the onsite Networkers Website; four winners per day
