labbers_delight_rev3_vpn

Working from Sw1, I want 172.12.23.0 /24 traffic to initialize and be encrypted to the 5.5.5.5 /32 network when traffic hits R2, and vice versa from 5.5.5.5 /32 configured on R1.

I want my traffic from this switch specifically destined to network 5.5.5.5 /32 to take the path of R2 – R1 – R5 and build the tunnel there, and I’m not going to waste a lot of time messing with protocols, so I put a quick static route on SW1 to change flow of traffic and confirmed:
SW1(config)#ip route 5.5.5.5 255.255.255.255 172.12.23.2
SW1#traceroute 5.5.5.5

Type escape sequence to abort.
Tracing the route to 5.5.5.5

  1  *
    172.12.23.2 0 msec 0 msec
  2 172.12.123.1 34 msec 33 msec 26 msec
  3 172.12.15.5 34 msec *  25 msec
SW1#

Righy-Oh then.

A Crypto ACL is exactly like your normal ACL, however when used for VPN configurations, it is read by the router in both ways depending on the flow of traffic. The router simply reads it forwards and backwards depending on which way traffic is flowing, so it will need a mirrored Crypto ACL on it’s Remote Peer router.

(Do a “sh access-list” before configuring, to ensure you aren’t overwriting another ACL)

So for example on R2 I will configure the following Crypto ACL:

R2(config)#do sh access-list
Standard IP access list 11
    10 permit 4.4.4.4 (1 match)
    20 permit 172.12.34.0, wildcard bits 0.0.0.255 (1 match)
R2(config)#access-list 101 permit ip 172.12.23.0 0.0.0.255 host 5.5.5.5
R2(config)#

One important note on inbound traffic, if it arrives not encrypted by IPSec, it will be dropped, otherwise for outbound if traffic doesn’t match the source IP network / host defined it will be routed as usual.

As far as source and destination, you will want to put the source address on the router local to that network, so naturally my source in R2 is traffic entering that router to be encypted. The destination is the address(es) that are expected to be encrypted or will be dropped.

*** THE CRYPTO ACL WILL BE READ FORWARDS FOR OUTBOUND TRAFFIC, AND BACKWARDS FOR INBOUND TRAFFIC ***

There must be a mirror Crypto Map on both peers so R1 will have 5.5.5.5 src 172.12.23.0/24 dst in its Crypto ACL. Lots of bold points there, back to business.

Now I will stop with the chatter, and start off with a couple commands / notes:

R2(config)#crypto isakmp enable

The crypto isakmp service should be running be default, but if not this is the command to enable it – NOTE THAT IT IS PUT IN AT GLOBAL CONFIGURATION LEVEL.

R2(config)#do sh crypto isakmp policy

Global IKE policy
Default protection suite
        encryption algorithm:   DES – Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R2(config)#

The command to view your crypto policy (also can be reviewed in “sh run”), this is the Default crypto isakmp policy for a router, called “Default protection suite”.

 

Now this will be the entire policy configuration, with ? output to show options, and color code the output so not only can required options be seen, but also their output:

 

R2(config)#crypto isa policy 10   <— Puts into config mode of new crypto policy
R2(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

R2(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

R2(config-isakmp)#authentication pre-share ?
  <cr>

R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES – Advanced Encryption Standard.
  des   DES – Data Encryption Standard (56 bit keys).

R2(config-isakmp)#encryption 3des ?
  <cr>

R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard

R2(config-isakmp)#hash md5 ?
  <cr>

R2(config-isakmp)#hash md5
R2(config-isakmp)#lifetime ?
  <60-86400>  lifetime in seconds

R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#

  • Authentication – I enabled Pre-Share to use a Pre-Shared Key (PSK) to authenticate to the remote peer
  • Encryption – Of the 3 options, it goes AES>3DES>DES, I used 3DES for no real reason
  • Hash – I used MD5 encryption because I use it for all other protocols so why not
  • Lifetime in Seconds – How long the tunnel will stay Active while idle, this is the ONLY field that doesn’t need to match between VPN Peers policies! The receiver will adjust its lifetime to the initiators if the same or lower than the receivers

This is a good time to point out, VPN’s designate the router that kicks off Phase 1 of building the tunnel the “Initiator” and the remote peer then becomes the “Receiver” so that you are familiar (yes you Dave who does this every day at work) with those terms.

With policies each Router will attempt to match policies with each other until a match is found, and it starts with the lowest # policy and goes up so the policy # is not exactly arbitrary. As mentioned the Lifetime is the only field that does not have to match, and this policy is considered part of Phase 1, just need a PSK for authentication.

So first to verify the new policy:

R2(config)#do sh crypto isa policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES – Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R2(config)#

There it is, and while in global configuration mode we can configure a PSK as that is where it is entered on router VPN’s:

R2(config)#crypto isakmp key ?
  0  Specifies an UNENCRYPTED password will follow
  6  Specifies an ENCRYPTED password will follow

R2(config)#crypto isakmp key 6 ?
% Unrecognized command
R2(config)#crypto isakmp key 6

W, T, F??? This has got to be a glitch, I go to R1 to check as well and get this:

R1(config)#crypto isakmp key 6 ?
% Unrecognized command
R1(config)#crypto isakmp key 6

I knew this was a bug, and upon a little google fu and logging into Cisco’s website I found this brilliant explanation / workaround for my IOS that is effected:

bug_found

What??? So the work around is to configure the command that is bugged, brilliant, ok well option unencrypted isn’t bugged on my IOS’s on my 2611’s so I guess we will work with that. I just wanted to share what a worthless workaround was posted to Cisco *facepalm*

R2(config)#crypto isakmp key 0 CCNP address 172.12.123.1

That article still kind of ticks me off, it’s that kind of crap documentation that makes Cisco engineers look incompetent, why would you not put a patched IOS image description in the work around rather than how the command is supposed to work. How stupid.

Now comes a pretty important to configuration, as this determines whether you are using AH or ESP for your VPN, as can be seen here in my configuration:

R2(config)#crypto ipsec transform-set TRANS-SET ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

I used the ? to show all the output, for this I am going to stick with just good old AH for my encryption along with md5 and whatever hmac is which will:

R2(config)#crypto ipsec transform-set TRANS-SET ah-md5-hmac
R2(cfg-crypto-trans)#mode ?
  transport  transport (payload encapsulation) mode
  tunnel     tunnel (datagram encapsulation) mode

R2(cfg-crypto-trans)#mode tunnel
R2(cfg-crypto-trans)#exit
R2(config)#

That dropped me into crypto trans set mode, which I selected my tunnel type, and wanted to demonstrate that is where you’d choose whether to define Tunnel or Transport.

You can also set the “Lifetime” for the IPSec SA too, which defaults to 86400 as well, but for the sake of showing the command:

R2(config)#crypto ipsec security-association life
R2(config)#crypto ipsec security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

R2(config)#crypto ipsec security-association lifetime seconds ?
  <120-86400>  Security association duration in seconds

R2(config)#crypto ipsec security-association lifetime seconds 86400
R2(config)#

This shows that you can choose the lifetime in seconds or by KB of data transmission, I just chose the default 86400.

NOW ON TO THE FINAL PART OF THIS SEEMINGLY NEVER ENDING CONFIG!

And now to build a crypto-map, apply it to the interface pointing toward your peer, and off to the races we should go:

R2(config)#crypto map CCNPLAB 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)# set peer 172.12.123.1
R2(config-crypto-map)# set transform-set TRANS-SET
R2(config-crypto-map)# match address 101
R2(config-crypto-map)#exit
R2(config)#int s0/0
R2(config-if)#crypto map CCNPLAB
R2(config-if)#
*Mar  1 20:15:31.612: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#

That little error when dropping into crypto map configuration is normal, just telling you the map won’t work until a peer and Crypto ACL are defined.

Now as can be seen we have set this thing up for success, ISAKMP is ON, we are ready to rock. Now I will remove the interface level crypto map CCNPLAB, and start a continuous ping on SW1 to 5.5.5.5, so we can watching the debug of the formation of the tunnel (hopefully) AND THIS WILL BE A LOT OF OUTPUT SO BRACE YOURSELF:

R2(config-if)#no crypto map CCNPLAB
R2(config-if)#
*Mar  1 20:16:30.148: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R2(config-if)#
ASR#6
[Resuming connection 6 to sw1 … ]

SW1#ping 5.5.5.5 repeat 100000

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
..
ASR#2
[Resuming connection 2 to r2 … ]

R2(config-if)#crypto map CCNPLAB
R2(config-if)#
*Mar  1 20:20:20.574: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#
*Mar  1 20:20:20.927: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.12.123.2, remote= 172.12.123.1,
    local_proxy= 172.12.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 5.5.5.5/255.255.255.255/0/0 (type=1),
    protocol= AH, transform= NONE  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 20:20:21.572: IPSEC(validate_proposal_request): proposal part #1
*Mar  1 20:20:21.572: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.12.123.2, remote= 172.12.123.1,
    local_proxy= 172.12.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 5.5.5.5/255.255.255.255/0/0 (type=1),
    protocol= AH, transform= ah-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  1 20:20:21.572: Crypto mapdb : proxy_match
        src addr     : 172.12.23.0
        dst addr     : 5.5.5.5
        protocol     : 0
        src port     : 0
        dst port     :
R2(config-if)#0
*Mar  1 20:20:21.588: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  1 20:20:21.588: Crypto mapdb : proxy_match
        src addr     : 172.12.23.0
        dst addr     : 5.5.5.5
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  1 20:20:21.588: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.12.123.1
*Mar  1 20:20:21.592: IPSEC(policy_db_add_ident): src 172.12.23.0, dest 5.5.5.5, dest_port 0

*Mar  1 20:20:21.592: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.12.123.2, sa_proto= 51,
    sa_spi= 0xD8B415B9(3635680697),
    sa_trans= ah-md5-hmac , sa_conn_id= 1
*Mar  1 20:20:21.592: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.12.123.1, sa_proto= 51,
    sa_spi= 0x69407184(1765831044),
    sa_trans= ah-md5-hmac , sa_conn_id= 2
*Mar  1 20:20:21.596: IPSEC(update_current_outbound_sa): updated peer 172.12.123.1 current outbound sa to SPI 69407184
R2(config-if)#
R2(config-if)#
ASR#6
[Resuming connection 6 to sw1 … ]
..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 93 percent (172/184), round-trip min/avg/max = 92/92/109 ms
SW1#

I am way too tired to go through what all of the debug output means, but I wanted to post the output to view what the tunnel formation looks like from a debug perspective, and I highlighted in red where I removed the command / started the ping / applied the command / ended the ping with ctrl + 6 twice and the tunnel debug output in blue.

One thing I wanted to point out, it began with a failed ping from SW1 because the interface on R1 had the crypto map CCNPLAB enabled on it’s S0/0 interface, so if that were not on there it would have been processed like normal traffic.

BONUS MATERIAL BEFORE I FALL OVER BRAIN DEAD ON THE KEYBOARD:

“sh crypto isakmp sa” to see if you have phase 1 connectivity to your peer:

R2#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.12.123.1    172.12.123.2    QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#

QM_IDLE is good, ACTIVE is what we want to see to the far right, got source and destination IP’s of your peers – Lots of great info. But I know you must be asking, there HAS to be better info, and there is! :

R2#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: CCNPLAB, local addr 172.12.123.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.12.23.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   current_peer 172.12.123.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 173, #pkts encrypt: 173, #pkts digest: 173
    #pkts decaps: 173, #pkts decrypt: 173, #pkts verify: 173
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.12.123.2, remote crypto endpt.: 172.12.123.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x69407184(1765831044)

     inbound esp sas:

     inbound ah sas:
      spi: 0xD8B415B9(3635680697)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: AIM-VPN/BPII:1, crypto map: CCNPLAB
        sa timing: remaining key lifetime (k/sec): (4426638/85730)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:
      spi: 0x69407184(1765831044)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: AIM-VPN/BPII:2, crypto map: CCNPLAB
        sa timing: remaining key lifetime (k/sec): (4426638/85726)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:
R2#

A lot of good information there, I’ve highlighted again some of the important parts, it looks like 173 packets encap’d and decap’d, with 1 send error which was likely the first ping that initialized the tunnel setup to network 5.5.5.5 /32 – All other traffic destined for R5 will not be encrypted unless defined by the Crypto ACL being used.

And just for good measure, a ping to 5.5.5.5 from R3 just to show the interface doesn’t just block traffic to 5.5.5.5 if there aren’t VPN settings present:

R3#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/69 ms
R3#

I am now way too fried to go any further with this, but that is the complete basic configuration of a VPN tunnel, debug / show commands to troubleshoot it, and more information than one person could ever want for a single night.

Next up, DMVPN Theory and explanation (unfortunately no configuration in that post)