Lab Purpose
Set up a working IPsec VPN between two routers with a minimal configuration.
Lab Topology
Configuration points
R1:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3 255.255.255.0
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set ccie
 match address 100
interface Serial1/1
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map VPN
R3:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 12.1.1.1 255.255.255.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set cisco
 match address 100
interface Serial1/0
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
 crypto map VPN
Access list 100 on each router (the crypto ACL that selects the traffic to protect), the loopbacks and the routing are not shown here; the debug output below shows that R3 protects 3.3.3.0/24 to 1.1.1.0/24 and R1 the mirror image, 1.1.1.0/24 to 3.3.3.0/24. Because the ISAKMP policy sets no encryption or group, the IOS defaults (DES and Diffie-Hellman group 1) are negotiated, as the debug confirms.
Lab Verification
Enable crypto debugging on R3 to watch the negotiation, then ping across the tunnel from R1 (the first echo is lost while the SAs are still being negotiated):
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/57/164 ms
R3#
*Jul 27 20:03:31.910: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Jul 27 20:03:31.914: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
*Jul 27 20:03:31.914: ISAKMP: New peer created peer = 0x65B5BB30 peer_handle = 0x80000005
*Jul 27 20:03:31.918: ISAKMP: Locking peer struct 0x65B5BB30, refcount 1 for crypto_isakmp_process_block
*Jul 27 20:03:31.922: ISAKMP: local port 500, remote port 500
*Jul 27 20:03:31.926: insert sa successfully sa = 65B77620
*Jul 27 20:03:31.930: ISAKMP:(0): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:31.930: ISAKMP:(0): Old State = IKE_READY  New State = IKE_R_MM1
IKE phase 1 (main mode) begins with the first packet exchange.
*Jul 27 20:03:31.946: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 27 20:03:31.950: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.950: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.962: ISAKMP:(0): found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:31.962: ISAKMP:(0): local preshared key found
*Jul 27 20:03:31.962: ISAKMP: Scanning profiles for xauth ...
*Jul 27 20:03:31.962: ISAKMP:(0): Checking ISAKMP transform 1 against priority 10 policy
*Jul 27 20:03:31.966: ISAKMP:      encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP:      hash MD5
*Jul 27 20:03:31.966: ISAKMP:      default group 1
*Jul 27 20:03:31.966: ISAKMP:      auth pre-share
*Jul 27 20:03:31.966: ISAKMP:      life type in seconds
*Jul 27 20:03:31.966: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 27 20:03:31.966: ISAKMP:(0): atts are acceptable. Next payload is 0
*Jul 27 20:03:31.970: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.970: ISAKMP:(0): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:31.970: ISAKMP:(0): Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jul 27 20:03:31.974: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
R3 answers the peer from source port 500 to destination port 500.
*Jul 27 20:03:31.974: ISAKMP:(0): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:31.978: ISAKMP:(0): Old State = IKE_R_MM1  New State = IKE_R_MM2
*Jul 27 20:03:32.026: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 27 20:03:32.026: ISAKMP:(0): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.026: ISAKMP:(0): Old State = IKE_R_MM2  New State = IKE_R_MM3
*Jul 27 20:03:32.026: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 27 20:03:32.054: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 27 20:03:32.058: ISAKMP:(0): found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:32.058: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is Unity
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is DPD
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): speaking to another IOS box!
*Jul 27 20:03:32.062: ISAKMP:(1002): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.062: ISAKMP:(1002): Old State = IKE_R_MM3  New State = IKE_R_MM3
*Jul 27 20:03:32.066: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.066: ISAKMP:(1002): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.066: ISAKMP:(1002): Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jul 27 20:03:32.122: ISAKMP (): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002): Old State = IKE_R_MM4  New State = IKE_R_MM5
*Jul 27 20:03:32.122: ISAKMP:(1002): processing ID payload. message ID = 0
*Jul 27 20:03:32.122: ISAKMP (): ID payload
        next-payload : 8
        type         : 1
        address      : 12.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Jul 27 20:03:32.122: ISAKMP:(0): peer matches *none* of the profiles
*Jul 27 20:03:32.126: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jul 27 20:03:32.126: ISAKMP:(1002): processing policy INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 65B77620
*Jul 27 20:03:32.126: ISAKMP:(1002): SA authentication status:
        authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002): SA has been authenticated with 12.1.1.1
*Jul 27 20:03:32.126: ISAKMP:(1002): SA authentication status:
        authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 23.1.1.3 remote 12.1.1.1 remote port 500
*Jul 27 20:03:32.130: ISAKMP: Trying to insert a peer 23.1.1.3/12.1.1.1/500/, and inserted successfully 65B5BB30.
*Jul 27 20:03:32.130: ISAKMP:(1002): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.130: ISAKMP:(1002): Old State = IKE_R_MM5  New State = IKE_R_MM5
*Jul 27 20:03:32.130: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.134: ISAKMP:(1002): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 27 20:03:32.134: ISAKMP (): ID payload
        next-payload : 8
        type         : 1
        address      : 23.1.1.3
        protocol     : 17
        port         : 500
        length       : 12
*Jul 27 20:03:32.134: ISAKMP:(1002): Total payload length: 12
*Jul 27 20:03:32.134: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.134: ISAKMP:(1002): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.134: ISAKMP:(1002): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Phase 1 is complete: the ISAKMP SA is authenticated with the pre-shared key.
*Jul 27 20:03:32.142: ISAKMP:(1002): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 27 20:03:32.142: ISAKMP:(1002): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.158: ISAKMP (): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.158: ISAKMP: set new node -1769201649 to QM_IDLE
*Jul 27 20:03:32.162: ISAKMP:(1002): processing HASH payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002): processing SA payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002): Checking IPSec proposal 1
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP:   attributes in transform:
*Jul 27 20:03:32.162: ISAKMP:      encaps is 1 (Tunnel)
*Jul 27 20:03:32.162: ISAKMP:      SA life type in seconds
*Jul 27 20:03:32.162: ISAKMP:      SA life duration (basic) of 3600
*Jul 27 20:03:32.162: ISAKMP:      SA life type in kilobytes
*Jul 27 20:03:32.162: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 27 20:03:32.162: ISAKMP:      authenticator is HMAC-MD5
*Jul 27 20:03:32.162: ISAKMP:(1002): atts are acceptable.
The IPsec proposal matches the transform set, so the phase 2 policy negotiation is complete.
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 23.1.1.3, remote= 12.1.1.1,
    local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 27 20:03:32.166: Crypto mapdb : proxy_match
        src addr     : 3.3.3.0
        dst addr     : 1.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 27 20:03:32.170: ISAKMP:(1002): processing NONCE payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): QM Responder gets spi
*Jul 27 20:03:32.170: ISAKMP:(1002): Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.170: ISAKMP:(1002): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Jul 27 20:03:32.170: ISAKMP:(1002): Creating IPSec SAs
The IPsec SAs (one inbound, one outbound) are created here.
*Jul 27 20:03:32.170:         inbound SA from 12.1.1.1 to 23.1.1.3 (f/i) 0/0
        (proxy 1.1.1.0 to 3.3.3.0)
*Jul 27 20:03:32.170:         has spi 0x12160605 and conn_id 0
*Jul 27 20:03:32.170:         lifetime of 3600 seconds
*Jul 27 20:03:32.170:         lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170:         outbound SA from 23.1.1.3 to 12.1.1.1 (f/i) 0/0
        (proxy 3.3.3.0 to 1.1.1.0)
*Jul 27 20:03:32.170:         has spi 0xDD947DA9 and conn_id 0
*Jul 27 20:03:32.170:         lifetime of 3600 seconds
*Jul 27 20:03:32.170:         lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 27 20:03:32.170: ISAKMP:(1002): Node -1769201649, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 27 20:03:32.174: ISAKMP:(1002): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Jul 27 20:03:32.178: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.178: Crypto mapdb : proxy_match
        src addr     : 3.3.3.0
        dst addr     : 1.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 27 20:03:32.182: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 12.1.1.1
*Jul 27 20:03:32.182: IPSEC(policy_db_add_ident): src 3.3.3.0, dest 1.1.1.0, dest_port 0
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
  (sa) sa_dest= 23.1.1.3, sa_proto= 50,
    sa_spi= 0x12160605(303433221),
    sa_trans= esp-des esp-md5-hmac, sa_conn_id= 3
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.1.1.1, sa_proto= 50,
    sa_spi= 0xDD947DA9(3717496233),
    sa_trans= esp-des esp-md5-hmac, sa_conn_id= 4
*Jul 27 20:03:32.210: ISAKMP (): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.210: ISAKMP:(1002): deleting node -1769201649 error FALSE reason "QM done (await)"
*Jul 27 20:03:32.210: ISAKMP:(1002): Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.210: ISAKMP:(1002): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Phase 2 is complete.
*Jul 27 20:03:32.214: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): enable SA with spi 3717496233/50
*Jul 27 20:03:32.214: IPSEC(update_current_outbound_sa): updated peer 12.1.1.1 current outbound sa to SPI DD947DA9
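As an added example (not part of the lab), this Python script pulls the negotiated phase 1 and phase 2 parameters out of a debug capture like the one above, decodes the VPI lifetime attributes (0x0 0x1 0x51 0x80 is 86400 seconds, 0x0 0x46 0x50 0x0 is 4608000 kilobytes), checks that both IKE phases reached their completed state, and flags the algorithms chosen in the configuration section (DES, MD5, Diffie-Hellman group 1) that a current policy should refuse. The sample lines are a constructed excerpt of the R3 output and the weak-algorithm table is my own, not anything from IOS.

```python
import re
# Constructed excerpt of the R3 debug shown in the lab (same field layout, fewer lines).
SAMPLE_DEBUG = """\
*Jul 27 20:03:31.966: ISAKMP:      encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP:      hash MD5
*Jul 27 20:03:31.966: ISAKMP:      default group 1
*Jul 27 20:03:31.966: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 27 20:03:32.134: ISAKMP:(1002): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 27 20:03:32.162: ISAKMP:      authenticator is HMAC-MD5
*Jul 27 20:03:32.210: ISAKMP:(1002): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""
# (section, key, regex); values from "(VPI)" lines are raw bytes decoded by vpi_to_int.
FIELDS = [
    ("phase1", "encryption", r"ISAKMP:\s+encryption (\S+)"),
    ("phase1", "hash", r"ISAKMP:\s+hash (\S+)"),
    ("phase1", "group", r"ISAKMP:\s+default group (\d+)"),
    ("phase1", "lifetime_s", r"ISAKMP:\s+life duration \(VPI\) of (.+)"),
    ("phase2", "esp", r"ISAKMP: transform \d+, (\S+)"),
    ("phase2", "lifetime_kb", r"SA life duration \(VPI\) of (.+)"),
    ("phase2", "integrity", r"authenticator is (\S+)"),
]
# My own table of values a current policy should refuse; this lab negotiates every one.
WEAK = {"encryption": {"DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2"},
        "esp": {"ESP_DES"}, "integrity": {"HMAC-MD5"}}

def vpi_to_int(text):
    # IKE variable-length attribute, big-endian bytes: '0x0 0x1 0x51 0x80' -> 86400
    return int.from_bytes(bytes(int(b, 16) for b in text.split()), "big")

def parse_debug(text):
    # Collect negotiated phase 1/2 parameters and the trail of IKE state transitions.
    out = {"phase1": {}, "phase2": {}, "states": []}
    for line in text.splitlines():
        for section, key, pattern in FIELDS:
            if m := re.search(pattern, line):
                out[section][key] = vpi_to_int(m[1]) if "VPI" in pattern else m[1]
        if m := re.search(r"New State = (\S+)", line):
            out["states"].append(m[1])
    return out

def audit(summary):
    # Flag weak negotiated algorithms and confirm that both IKE phases actually completed.
    findings = [f"{sec}: {key} {val} is weak" for sec in ("phase1", "phase2")
                for key, val in summary[sec].items() if str(val) in WEAK.get(key, ())]
    for state, phase in (("IKE_P1_COMPLETE", 1), ("IKE_QM_PHASE2_COMPLETE", 2)):
        if state not in summary["states"]:
            findings.append(f"phase {phase} did not complete")
    return findings
```

Running `audit(parse_debug(SAMPLE_DEBUG))` on the lab's negotiation returns five weak-algorithm findings and no incomplete phase; the same logic applied to a full `debug crypto isakmp` capture is a quick way to confirm what a tunnel actually agreed on rather than what the configuration intended.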
Finally, check the R2 route table:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback10
     23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, Serial1/1
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial1/0
R2 has no route to 1.1.1.0/24 or 3.3.3.0/24 at all, yet the ping succeeds: in tunnel mode the original packets travel inside ESP packets addressed from 12.1.1.1 to 23.1.1.3, and R2 only needs routes for those two directly connected networks.
I have only just learned IPsec VPN and will cover it all here; please correct me if there are any mistakes.
This article is from the "not interested" blog