Implementation of IPsec VPN


Lab Purpose

Build a working site-to-site IPsec VPN between R1 and R3 with a minimal configuration.

Lab Topology

(The topology diagram is not included in this copy. From the configuration and the R2 routing table below: R1 Serial1/1 (12.1.1.1) connects to R2, and R2 connects to R3 Serial1/0 (23.1.1.3). R1 and R3 are the IPsec peers; R2 is only a transit router between them.)

Configuration points

R1:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 23.1.1.3 255.255.255.0
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set ccie
 match address 100
interface Serial1/1
 ip address 12.1.1.1 255.255.255.0
 serial restart-delay 0
 crypto map VPN

R3:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 12.1.1.1 255.255.255.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set cisco
 match address 100
interface Serial1/0
 ip address 23.1.1.3 255.255.255.0
 serial restart-delay 0
 crypto map VPN

Access list 100, the crypto ACL referenced by match address, is not listed in the original; the proxy identities in the debug output below (local_proxy 3.3.3.0/24, remote_proxy 1.1.1.0/24 on R3) show that it selects traffic between 1.1.1.0/24 and 3.3.3.0/24, mirrored on each side. Note also that neither policy sets encryption or group, so IOS uses its defaults (DES and Diffie-Hellman group 1), which is exactly what the debug output shows being negotiated.
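As an added check that is not part of the original lab (my own script, not Cisco's or the author's), the following Python reads the R1 ISAKMP policy and transform set above, fills in the values IOS uses for commands the policy omits, and lists the weak choices; a constructed replacement using current algorithms (assumed IOS 15.x keywords: aes 256, sha256, group 14, esp-sha256-hmac) passes the same check.

```python
import re
# Constructed input: the R1 ISAKMP policy and transform set from this lab.
R1_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set ccie esp-des esp-md5-hmac
"""
# Constructed replacement with current algorithms (assumed IOS 15.x keywords); the lab's
# policy needs 'encryption' and 'group' lines, otherwise IOS defaults to DES and group 1.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set ccie esp-aes 256 esp-sha256-hmac
"""
# Values IOS applies when a policy omits the command (the lab's debug shows DES-CBC, group 1).
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_POLICY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_policies(config):
    """Return {policy number: effective settings}, filling in IOS defaults for omitted lines."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))
        elif current is not None and raw.startswith(" "):
            key, _, value = line.partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command ends the policy block
    return policies


def lint(config):
    """List weak algorithm choices in ISAKMP policies and IPsec transform sets."""
    findings = []
    for number, pol in parse_policies(config).items():
        for key, weak in WEAK_POLICY.items():
            if pol[key].split()[0] in weak:
                findings.append(f"isakmp policy {number}: {key} {pol[key]} is weak")
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        for transform in m.group(2).split():
            if transform in WEAK_TRANSFORMS:
                findings.append(f"transform-set {m.group(1)}: {transform} is weak")
    return findings
```

Running lint(R1_CONFIG) reports five findings, three of them for the policy (two of which come from defaults the configuration never spells out); lint(HARDENED_CONFIG) reports none.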

Lab Verification

Enable debug crypto isakmp and debug crypto ipsec on R3, then send interesting traffic from R1's loopback so the IKE exchange can be observed:

R1# ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/57/164 ms

The first echo is dropped while the IKE and IPsec SAs are still being negotiated; once they exist, the remaining four succeed. R3 shows the exchange:

R3#

*Jul 27 20:03:31.910: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Jul 27 20:03:31.914: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
*Jul 27 20:03:31.914: ISAKMP: New peer created peer = 0x65B5BB30 peer_handle = 0x80000005
*Jul 27 20:03:31.918: ISAKMP: Locking peer struct 0x65B5BB30, refcount 1 for crypto_isakmp_process_block
*Jul 27 20:03:31.922: ISAKMP: local port 500, remote port 500
*Jul 27 20:03:31.926: insert sa successfully sa = 65B77620
*Jul 27 20:03:31.930: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:31.930: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

IKE phase 1 begins here with the first main-mode packet exchange (the SA proposal).

*Jul 27 20:03:31.946: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 27 20:03:31.950: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.950: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.962: ISAKMP:(0): found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:31.962: ISAKMP:(0): local preshared key found
*Jul 27 20:03:31.962: ISAKMP : Scanning profiles for xauth ...
*Jul 27 20:03:31.962: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 27 20:03:31.966: ISAKMP:      encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP:      hash MD5
*Jul 27 20:03:31.966: ISAKMP:      default group 1
*Jul 27 20:03:31.966: ISAKMP:      auth pre-share
*Jul 27 20:03:31.966: ISAKMP:      life type in seconds
*Jul 27 20:03:31.966: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 27 20:03:31.966: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 27 20:03:31.970: ISAKMP:(0): processing vendor id payload
*Jul 27 20:03:31.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 27 20:03:31.970: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:31.970: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Jul 27 20:03:31.974: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP

R3 answers with the second main-mode packet (MM_SA_SETUP), accepting the proposal.

*Jul 27 20:03:31.974: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:31.978: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Jul 27 20:03:32.026: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 27 20:03:32.026: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.026: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Jul 27 20:03:32.026: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 27 20:03:32.054: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 27 20:03:32.058: ISAKMP:(0): found peer pre-shared key matching 12.1.1.1
*Jul 27 20:03:32.058: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is Unity
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): vendor ID is DPD
*Jul 27 20:03:32.062: ISAKMP:(1002): processing vendor id payload
*Jul 27 20:03:32.062: ISAKMP:(1002): speaking to another IOS box!
*Jul 27 20:03:32.062: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.062: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Jul 27 20:03:32.066: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.066: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.066: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jul 27 20:03:32.122: ISAKMP (): received packet from 12.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 27 20:03:32.122: ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Jul 27 20:03:32.122: ISAKMP:(1002): processing ID payload. message ID = 0
*Jul 27 20:03:32.122: ISAKMP (): ID payload
        next-payload : 8
        type         : 1
        address      : 12.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Jul 27 20:03:32.122: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 27 20:03:32.126: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jul 27 20:03:32.126: ISAKMP:(1002): processing policy INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 65B77620
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status:
        authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002):SA has been authenticated with 12.1.1.1
*Jul 27 20:03:32.126: ISAKMP:(1002):SA authentication status:
        authenticated
*Jul 27 20:03:32.126: ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 23.1.1.3 remote 12.1.1.1 remote port 500
*Jul 27 20:03:32.130: ISAKMP: Trying to insert a peer 23.1.1.3/12.1.1.1/500/, and inserted successfully 65B5BB30.
*Jul 27 20:03:32.130: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 27 20:03:32.130: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Jul 27 20:03:32.130: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.134: ISAKMP:(1002):SA is doing pre-shared key authentication using id type id_00004_addr
*Jul 27 20:03:32.134: ISAKMP (): ID payload
        next-payload : 8
        type         : 1
        address      : 23.1.1.3
        protocol     : 17
        port         : 500
        length       : 12
*Jul 27 20:03:32.134: ISAKMP:(1002):Total payload length: 12
*Jul 27 20:03:32.134: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 27 20:03:32.134: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 27 20:03:32.134: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Phase 1 is complete: the ISAKMP SA is authenticated and established.

*Jul 27 20:03:32.142: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 27 20:03:32.142: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.158: ISAKMP (): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.158: ISAKMP: set new node -1769201649 to QM_IDLE
*Jul 27 20:03:32.162: ISAKMP:(1002): processing HASH payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002): processing SA payload. message ID = -1769201649
*Jul 27 20:03:32.162: ISAKMP:(1002):Checking IPSec proposal 1
*Jul 27 20:03:32.162: ISAKMP: transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP:   attributes in transform:
*Jul 27 20:03:32.162: ISAKMP:      encaps is 1 (Tunnel)
*Jul 27 20:03:32.162: ISAKMP:      SA life type in seconds
*Jul 27 20:03:32.162: ISAKMP:      SA life duration (basic) of 3600
*Jul 27 20:03:32.162: ISAKMP:      SA life type in kilobytes
*Jul 27 20:03:32.162: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 27 20:03:32.162: ISAKMP:      authenticator is HMAC-MD5
*Jul 27 20:03:32.162: ISAKMP:(1002):atts are acceptable.

The IPsec proposal matches R3's transform set, so quick mode continues.

*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1
*Jul 27 20:03:32.162: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 23.1.1.3, remote= 12.1.1.1,
    local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 27 20:03:32.166: Crypto mapdb : proxy_match
        src addr     : 3.3.3.0
        dst addr     : 1.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 27 20:03:32.170: ISAKMP:(1002): processing NONCE payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): processing ID payload. message ID = -1769201649
*Jul 27 20:03:32.170: ISAKMP:(1002): QM Responder gets spi
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.170: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Jul 27 20:03:32.170: ISAKMP:(1002): Creating IPSec SAs
*Jul 27 20:03:32.170:         inbound SA from 12.1.1.1 to 23.1.1.3 (f/i) 0/0
        (proxy 1.1.1.0 to 3.3.3.0)
*Jul 27 20:03:32.170:         has spi 0x12160605 and conn_id 0
*Jul 27 20:03:32.170:         lifetime of 3600 seconds
*Jul 27 20:03:32.170:         lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170:         outbound SA from 23.1.1.3 to 12.1.1.1 (f/i) 0/0
        (proxy 3.3.3.0 to 1.1.1.0)
*Jul 27 20:03:32.170:         has spi 0xDD947DA9 and conn_id 0
*Jul 27 20:03:32.170:         lifetime of 3600 seconds
*Jul 27 20:03:32.170:         lifetime of 4608000 kilobytes
*Jul 27 20:03:32.170: ISAKMP:(1002): sending packet to 12.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 27 20:03:32.170: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 27 20:03:32.174: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Jul 27 20:03:32.178: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.178: Crypto mapdb : proxy_match
        src addr     : 3.3.3.0
        dst addr     : 1.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 27 20:03:32.182: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 12.1.1.1
*Jul 27 20:03:32.182: IPSEC(policy_db_add_ident): src 3.3.3.0, dest 1.1.1.0, dest_port 0
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
  (sa) sa_dest= 23.1.1.3, sa_proto= 50,
    sa_spi= 0x12160605(303433221),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
*Jul 27 20:03:32.182: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.1.1.1, sa_proto= 50,
    sa_spi= 0xDD947DA9(3717496233),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
*Jul 27 20:03:32.210: ISAKMP (): received packet from 12.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Jul 27 20:03:32.210: ISAKMP:(1002):deleting node -1769201649 error FALSE reason "QM done (await)"
*Jul 27 20:03:32.210: ISAKMP:(1002):Node -1769201649, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 27 20:03:32.210: ISAKMP:(1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

Phase 2 (quick mode) is complete; the inbound and outbound IPsec SAs are installed.

*Jul 27 20:03:32.214: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): rec'd enable policy from ISAKMP
*Jul 27 20:03:32.214: IPSEC(key_engine_enable_outbound): enable SA with spi 3717496233/50
*Jul 27 20:03:32.214: IPSEC(update_current_outbound_sa): updated peer 12.1.1.1 current outbound sa to SPI DD947DA9
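The debug output above is long and easy to misread. As an added example (my own code, not from the original post or from Cisco), here is a small Python parser that pulls the state transitions, the negotiated phase 1 and phase 2 attributes and the IPsec SPIs out of such output and flags the deprecated algorithms this lab negotiated; the embedded lines are a constructed excerpt of the R3 output above with the spacing normalized.

```python
import re
# Constructed excerpt of R3's "debug crypto isakmp" output from this lab (spacing normalized).
DEBUG_LINES = """\
*Jul 27 20:03:31.930: ISAKMP:(0): Old State = IKE_READY  New State = IKE_R_MM1
*Jul 27 20:03:31.966: ISAKMP:      encryption DES-CBC
*Jul 27 20:03:31.966: ISAKMP:      hash MD5
*Jul 27 20:03:31.966: ISAKMP:      default group 1
*Jul 27 20:03:32.134: ISAKMP:(1002): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Jul 27 20:03:32.162: ISAKMP:   transform 1, ESP_DES
*Jul 27 20:03:32.162: ISAKMP:      authenticator is HMAC-MD5
*Jul 27 20:03:32.170: has spi 0x12160605 and conn_id 0
*Jul 27 20:03:32.170: has spi 0xDD947DA9 and conn_id 0
*Jul 27 20:03:32.210: ISAKMP:(1002): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")
ATTR_RES = {  # (phase, attribute) -> pattern capturing the negotiated value
    ("phase1", "encryption"): re.compile(r"\bencryption (\S+)"),
    ("phase1", "hash"): re.compile(r"\bhash (\S+)"),
    ("phase1", "group"): re.compile(r"\bgroup (\d+)"),
    ("phase2", "esp"): re.compile(r"transform \d+, (\S+)"),
    ("phase2", "authenticator"): re.compile(r"authenticator is (\S+)"),
}
# Algorithm choices a current deployment should not negotiate (DES/3DES, MD5, small DH groups).
WEAK = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2", "5"},
        "esp": {"ESP_DES", "ESP_3DES"}, "authenticator": {"HMAC-MD5"}}


def parse_isakmp_debug(text):
    """Collect state transitions, negotiated attributes and IPsec SPIs from debug output."""
    out = {"transitions": [], "phase1": {}, "phase2": {}, "spis": []}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            out["transitions"].append((m.group(1), m.group(2)))
        elif m := SPI_RE.search(line):
            out["spis"].append(m.group(1).lower())
        else:
            for (phase, name), rx in ATTR_RES.items():
                if m := rx.search(line):
                    out[phase][name] = m.group(1)
    return out


def audit(summary):
    """Findings: phases that never completed, then every deprecated algorithm negotiated."""
    reached = {new for _, new in summary["transitions"]}
    findings = [f"{p} did not complete" for p, s in
                (("phase 1", "IKE_P1_COMPLETE"), ("phase 2", "IKE_QM_PHASE2_COMPLETE")) if s not in reached]
    for phase in ("phase1", "phase2"):
        for name, value in summary[phase].items():
            if value in WEAK[name]:
                findings.append(f"{phase} {name} {value} is deprecated")
    return findings
```

For this lab audit() reports no incomplete phase but five deprecated choices: DES-CBC, MD5 and group 1 in phase 1, ESP_DES and HMAC-MD5 in phase 2.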

Finally, check the routing table on R2, the transit router:

R2# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback10
     23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, Serial1/1
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial1/0

R2 has no route to 1.1.1.0/24 or 3.3.3.0/24 at all. The ping still succeeded because that traffic crossed R2 inside the ESP tunnel between 12.1.1.1 and 23.1.1.3, so R2 only ever forwarded packets between the two tunnel endpoints and never saw the inner addresses.

I have just learned IPsec VPN, and I will discuss it all; please correct me if you find any mistakes.

This article is from the "not interested" blog
