DMVPN – Configuring and applying an IPSec Profile to DMVPN Tunnel interfaces, NHRP Auth config, and troubleshooting commands for IPSec!

[Image: ipsec_profile – screenshot of the IPSec Profile configuration]

Drawing up IPSec Profiles to secure the DMVPN Network is honestly as easy as pictured above, though in modern networks there would be much stronger keys, and most likely multiple profiles deployed at different branches, so that one IPSec Profile becoming compromised does not expose them all.

While troubleshooting my branch office deployment I also came across NHRP Authentication configured on a Tunnel interface in a forum post, so I wanted to explore that as well as a way to further secure the DMVPN Network.

Without further ado, we can dissect the IPSec Profile into Phase 1 and Phase 2.

This is the same as with ASA Firewall Site-to-Site IPSec VPN Tunnel configurations: Phase 1 of the IPSec Tunnel is the Authentication portion, and Phase 2 determines the ciphers that will be used for Encryption and Decryption of traffic.

Phase 1 consists of these two components:

crypto isakmp policy 1
encr aes
auth pre-share
group 12

This chunk of Phase 1 can be a bit confusing at first, as dozens of isakmp policy #’s can be configured on a device, and the two VPN Peers have to find one common policy between them before moving on to the pre-shared key / authentication portion of Phase 1.

crypto isakmp key LoopedBack!!! address 0.0.0.0

This is the pre-shared key that each router will match against, with a wildcard address of 0.0.0.0 since the neighbors are dynamic in DMVPN. Once the two neighbors authenticate, they move on to Phase 2, which decides how to encrypt / decrypt the DMVPN traffic between their endpoints.

If Authentication fails, the VPN Tunnel will break (or never come up in the first place), and the peers will not even attempt to negotiate Phase 2 (encryption) to send traffic.

Phase 2 consists of these two components:

crypto ipsec transform-set CCIE esp-aes esp-sha-hmac
mode transport

I’ve made a single transform-set named CCIE here; generally, however, Routers / Firewalls will have every transform-set combination configured and available, with a naming convention that looks exactly like the actual encryption ciphers.

Transport mode is used instead of “mode tunnel” with DMVPN because GRE already does the Tunnel Encapsulation of traffic, and the IPSec Profile provides the encryption.

crypto ipsec profile ProtectTheTunnel
set transform-set CCIE

This is where you create the IPSec Profile that is applied to the Tunnel Interface itself. The exact ciphers used must match on both sides of the VPN; if they do not match, the routers will show the Tunnel as up but traffic encryption / decryption will fail.

Then apply the IPSec Profile to the Tunnel Interface:

int tu0
tunnel protection ipsec profile ProtectTheTunnel

Once Phase 1 and Phase 2 are configured, you apply it to your Tunnel Interface, and you now have IPSec encryption running on your DMVPN Tunnel!

I will walk through a sample IPSec Profile config step by step on the NHS (PHX1).

Step by step on the NHS to begin with:

PHX1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PHX1(config)#cry isa pol 1
PHX1(config-isakmp)#encr aes
PHX1(config-isakmp)#auth pre-share
PHX1(config-isakmp)#group 12
^
% Invalid input detected at ‘^’ marker.

PHX1(config-isakmp)#group ?
1 Diffie-Hellman group 1 (768 bit)
14 Diffie-Hellman group 14 (2048 bit)
15 Diffie-Hellman group 15 (3072 bit)
16 Diffie-Hellman group 16 (4096 bit)
19 Diffie-Hellman group 19 (256 bit ecp)
2 Diffie-Hellman group 2 (1024 bit)
20 Diffie-Hellman group 20 (384 bit ecp)
21 Diffie-Hellman group 21 (521 bit ecp)
24 Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)
5 Diffie-Hellman group 5 (1536 bit)

PHX1(config-isakmp)#group 14
PHX1(config-isakmp)#exit
PHX1(config)#crypto isa key LoopedBack!!! address 0.0.0.0
PHX1(config)#cry ipsec transform-set CCIE esp-aes esp-sha-hmac
PHX1(cfg-crypto-trans)#mode transport
PHX1(cfg-crypto-trans)#exit
PHX1(config)#cry ipsec profile ProtectTheTunnel
PHX1(ipsec-profile)#set transform-set CCIE
PHX1(ipsec-profile)#exit
PHX1(config)#int tu0
PHX1(config-if)#tunnel protection ipsec profile ProtectTheTunnel
PHX1(config-if)#
*Dec 5 19:59:26.130: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
PHX1(config-if)#
*Dec 5 19:59:26.210: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec’d packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.123.1, src_addr= 172.16.123.9, prot= 47
PHX1(config-if)#

I stumbled on the Group # in my Phase 1 policy and decided to leave it in to show off all the different group #’s and what they represent. 2048 bit seemed like a pretty solid # so I went with Group 14 for this IPSec template.

Also note that once the profile is applied to the Tunnel Interface, ISAKMP TURNS ON and DOWN goes the Tunnel Interface almost instantly, followed by the rest of the tunnels dropping:

PHX1(config-if)#
*Dec 5 19:59:36.270: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.2 (Tunnel0) is down: holding time expired
PHX1(config-if)#
*Dec 5 19:59:37.746: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.3 (Tunnel0) is down: holding time expired
PHX1(config-if)#
*Dec 5 19:59:39.314: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.1 (Tunnel0) is down: holding time expired
PHX1(config-if)#
*Dec 5 20:00:26.214: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec’d packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.123.1, src_addr= 172.16.123.13, prot= 47
PHX1(config-if)#
*Dec 5 20:01:26.582: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec’d packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.123.1, src_addr= 172.16.123.13, prot= 47
PHX1(config-if)#
*Dec 5 20:02:26.598: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec’d packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.123.1, src_addr= 172.16.123.9, prot= 47
PHX1(config-if)#
*Dec 5 20:03:26.946: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec’d packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.123.1, src_addr= 172.16.123.13, prot= 47
PHX1(config-if)#

So one bad actor will not drop the NHS for every other DMVPN Peer; it will only lock out VPN Peers that cannot Authenticate. This has nothing to do with Encryption of traffic / Phase 2 of the IPSec Profile, as that specifically relates to traffic encryption.

I will slap this template on all the other Branches now and spare you the CLI of it all, but will watch how the console messages come back up on PHX1 as the profiles are applied!

PHX1 as the IPSec Profiles are pasted into the Branch WAN Routers:

*Dec 5 20:07:33.334: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec’d packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.123.1, src_addr= 172.16.123.9, prot= 47
PHX1(config-if)#
*Dec 5 20:07:47.294: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.1 (Tunnel0) is up: new adjacency
PHX1(config-if)#
*Dec 5 20:07:54.022: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.2 (Tunnel0) is up: new adjacency
PHX1(config-if)#
*Dec 5 20:08:00.398: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.3 (Tunnel0) is up: new adjacency
PHX1(config-if)#

All the tunnels come right back up as the same IPSec profile is copy / pasted into all of their configurations, the exact template being:


conf t
crypto isakmp policy 1
encr aes
auth pre-share
group 14
exit

crypto isakmp key LoopedBack!!! address 0.0.0.0

crypto ipsec transform-set CCIE esp-aes esp-sha-hmac
mode transport
exit

crypto ipsec profile ProtectTheTunnel
set transform-set CCIE
exit

int tu0
tunnel protection ipsec profile ProtectTheTunnel
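As an added example (not from the post), a small Python checker for the rule that Phase 1 and Phase 2 settings must match on both peers: it pulls the ISAKMP policies, pre-shared key, and the transform-set behind each profile out of two IOS config snippets and reports which phase a mismatch would break. The hub and spoke configs below are constructed sample text; the spoke deliberately uses a different ESP hash so the Phase 2 check has something to report.

```python
import re

# Constructed hub/spoke crypto configs for this example (not the post's devices); the
# spoke deliberately uses a different ESP hash so the Phase 2 check has a finding.
HUB_CFG = """crypto isakmp policy 1
 encr aes
 auth pre-share
 group 14
crypto isakmp key LoopedBack!!! address 0.0.0.0
crypto ipsec transform-set CCIE esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile ProtectTheTunnel
 set transform-set CCIE
"""
SPOKE_CFG = HUB_CFG.replace("esp-sha-hmac", "esp-sha256-hmac")

def parse_crypto(cfg):
    """Return (ISAKMP policies, PSK, transform-sets referenced by profiles) from IOS config."""
    policies, psk, tsets, used, ctx = {}, None, {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx, policies[m[1]] = ("pol", m[1]), {}
        elif m := re.match(r"crypto isakmp key (\S+) address \S+", line):
            psk = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            ctx, tsets[m[1]] = ("ts", m[1]), [m[2], "tunnel"]  # IOS default mode is tunnel
        elif re.match(r"crypto ipsec profile \S+", line):
            ctx = ("prof", None)
        elif ctx and ctx[0] == "pol" and (m := re.match(r"(encr|hash|auth|group)\w* (\S+)", line)):
            policies[ctx[1]][m[1]] = m[2]  # full or abbreviated keyword lands on the same key
        elif ctx and ctx[0] == "ts" and (m := re.match(r"mode (\S+)", line)):
            tsets[ctx[1]][1] = m[1]
        elif ctx and ctx[0] == "prof" and (m := re.match(r"set transform-set (\S+)", line)):
            used.append(m[1])
    phase2 = {tuple(tsets[n]) for n in used if n in tsets}
    return {frozenset(p.items()) for p in policies.values()}, psk, phase2

def compare_peers(hub_cfg, spoke_cfg):
    """List findings tagged with the phase that would fail; an empty list means a clean match."""
    h_pol, h_psk, h_p2 = parse_crypto(hub_cfg)
    s_pol, s_psk, s_p2 = parse_crypto(spoke_cfg)
    findings = []
    if not h_pol & s_pol:
        findings.append("PHASE1: no ISAKMP policy with identical encr/auth/group on both peers")
    if h_psk != s_psk:  # compared, never printed: it is a shared secret
        findings.append("PHASE1: pre-shared keys differ, peer will fail authentication")
    if not h_p2 & s_p2:
        findings.append("PHASE2: no common transform-set (ciphers + mode) behind the profiles")
    return findings
```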


Now that I have beaten that topic over the head as much as is necessary for this DMVPN discussion, I’d like to check out the NHRP Authentication option I’ve seen on Tunnel Interface outputs in forum discussions.

NHRP Authentication (separate from IPSec Profile) to further secure the DMVPN

Let’s take a look at the CLI here and see if I can figure this out freestyle:

PHX1(config-if)#ip nhrp auth ?
WORD authentication string

PHX1(config-if)#ip nhrp auth TotallySecure!!! ?
<cr>

PHX1(config-if)#ip nhrp auth TotallySecure!!!
% Authentication string exceeds 8 character maximum
PHX1(config-if)#

Ironically the word “Authentication” itself has more characters than this absolutely abysmal limit allows in this IOS release. I am leaving it in here on the off chance this has improved in later versions than the 15.2 IOS for 7200 series routers, but that is so terrible I wanted to actually demonstrate how worthless this is.

I suppose it does impose some kind of extra security on the configuration, but given the IPSec Authentication piece, I won’t even waste my time configuring this in the lab.

I guess it may be worthwhile on a production network because, hey, more security, but for my lab purposes I won’t bother with it. I don’t know what I expected, but that is pretty awful for NHRP Authentication on a Tunnel Interface!

Tunnel verification commands for both Phase 1 and Phase 2

Other than how to configure it, worth mentioning are the two commands I use to verify that the different phases of the IPSec Tunnel are functioning properly:

MPLS1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.16.123.1 172.16.123.5 QM_IDLE 1001 ACTIVE
172.16.123.5 172.16.123.1 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

MPLS1#

This shows the Underlay or Public IP Addressing of the local and remote peer; a state of QM_IDLE is good to go, and a status of “ACTIVE” is also what you want to see here.

This confirms Phase 1 to these two VPN Peers has Authenticated, and it’s on to Phase 2:

“sh cry ipsec sa”

[Image: phase2 – screenshot of “sh cry ipsec sa” output]

Due to formatting I just grabbed a screen snip. What I focus on here: if a Tunnel shows as up in Phase 1 but a site is not receiving traffic on the VPN, this usually indicates that Phase 2 is mismatched, or sometimes it just becomes hosed and stops talking on one side.

This will be seen in the “pkts encaps: #” and “pkts decaps: #” fields; if you see one side incrementing but not the other, there is one-way communication, which might as well be the Tunnel being completely down.

I will generally clear this with “clear cry ipsec sa (ip address)”, or “clear cry isa sa” to clear all Tunnels entirely if it’s really jammed up and make them all re-authenticate. It sounds drastic but it’s barely a blip in traffic – though not advised without customer permission!
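As an added example (not from the post), a Python checker that applies the two checks just described to constructed, abbreviated “sh cry isa sa” and “sh cry ipsec sa” outputs: Phase 1 peers that are not QM_IDLE / ACTIVE, and Phase 2 peers whose “pkts encaps” counter rises between two samples while “pkts decaps” stays frozen. The peer addresses, states and counters are constructed sample values, and the local underlay address is passed in so the dst/src columns can be read from either side.

```python
import re
# Constructed, abbreviated IOS outputs for this example (not captured from the post's lab).
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.123.1    172.16.123.5    QM_IDLE           1001 ACTIVE
172.16.123.1    172.16.123.9    MM_NO_STATE       1003 ACTIVE (deleted)
"""
IPSEC_T0 = """interface: Tunnel0
   current_peer 172.16.123.5 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
   current_peer 172.16.123.13 port 500
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Same command a minute later: both peers keep encapsulating, only .5 keeps decapsulating.
IPSEC_T1 = (IPSEC_T0.replace("encaps: 120", "encaps: 150").replace("decaps: 118", "decaps: 147")
            .replace("encaps: 40", "encaps: 70"))

def parse_isakmp(text, local):
    """Phase 1: map each remote peer to (state, status) from 'show crypto isakmp sa'."""
    peers = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+(.+?)\s*$", line)
        if m:
            remote = m[2] if m[1] == local else m[1]  # dst/src flip with initiator vs responder
            peers[remote] = (m[3], m[4])
    return peers

def parse_ipsec(text):
    """Phase 2: map each peer to [encaps, decaps] counters from 'show crypto ipsec sa'."""
    counters, peer = {}, None
    for line in text.splitlines():
        if m := re.search(r"current_peer (\d+\.\d+\.\d+\.\d+)", line):
            peer, counters[m[1]] = m[1], [0, 0]
        elif peer and (m := re.search(r"#pkts (encaps|decaps): (\d+)", line)):
            counters[peer][0 if m[1] == "encaps" else 1] = int(m[2])
    return counters

def diagnose(isakmp_text, ipsec_before, ipsec_after, local):
    """Per-peer findings: Phase 1 not up, or Phase 2 one-way (encaps rising, decaps frozen)."""
    findings = {}
    for peer, (state, status) in parse_isakmp(isakmp_text, local).items():
        if state != "QM_IDLE" or status != "ACTIVE":
            findings[peer] = f"PHASE1: {state} / {status}, peer has not authenticated"
    before, after = parse_ipsec(ipsec_before), parse_ipsec(ipsec_after)
    for peer, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(peer, (0, 0))
        if enc1 > enc0 and dec1 == dec0:
            findings.setdefault(peer, f"PHASE2: encaps {enc0}->{enc1} but decaps stuck at {dec1}, one-way")
    return findings
```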

One command I had barely remembered existed, specifically for DMVPN, can also provide some general or GREAT detail about a router’s DMVPN Peers:

“sh dmvpn”

[Image: sh_dmvpn – screenshot of “sh dmvpn” output]

A moderate amount of detail (again a screen snip due to formatting); then there is the very verbose “sh dmvpn detail” command that shows you EVERYTHING about your peer:

“sh dmvpn det”

[Image: sh_dmvpn_det – screenshot of “sh dmvpn det” output]

Basically the same information as the first two general VPN troubleshooting commands, except this is specifically for DMVPN, whereas “sh cry isa sa” and “sh cry ipsec sa x.x.x.x” work on both Routers and ASA Firewalls as edge devices / VPN Endpoints.

That wraps up securing DMVPN with IPSec Profiles

Not much to it; troubleshooting VPN Tunnels can sometimes be more of an art than a straightforward process, especially if the VPN Peer is different vendor equipment or IOS flavor, as some firewalls or edge devices have more bells and whistles than others.

That all being said, until next time!
