PG1X WIKI


Cisco: IPsec-VPN

Topology

wnoguchi/network-config-generator: Network Configuration Generator

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\wnogu\Documents\github\network-config-generator> python ip-skel.py | clip

IP

Project name: ccna-vpn-ipsec-0001-ipsec

  • R1
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.100.0.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
ip address 100.0.0.1 255.255.0.0
no shutdown
exit
!
end
write
  • R2
enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.200.0.2 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
ip address 200.0.0.2 255.255.0.0
no shutdown
exit
!
end
write
  • R3
enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.3 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
ip address 100.0.0.3 255.255.0.0
no shutdown
exit
!
end
write
  • R4
enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.4 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
ip address 200.0.0.4 255.255.0.0
no shutdown
exit
!
end
write
  • PC-1
ip 10.100.0.100 255.255.255.0 10.100.0.1
save
  • PC-2
ip 10.200.0.200 255.255.255.0 10.200.0.2
save

Configure Basic Routing Protocol (BGP, Static routing)

  • R1
configure terminal
!
ip route 0.0.0.0 0.0.0.0 100.0.0.3
!
end
  • R2
configure terminal
!
ip route 0.0.0.0 0.0.0.0 200.0.0.4
!
end
  • R3
configure terminal
!
router bgp 3
neighbor 34.0.0.4 remote-as 4
network 100.0.0.0 mask 255.255.0.0
exit
!
end
  • R4
configure terminal
!
! R4 is AS 4 (R3 peers with it as remote-as 4); AS 3 here would leave the eBGP session down
router bgp 4
neighbor 34.0.0.3 remote-as 3
network 200.0.0.0 mask 255.255.0.0
exit
!
end
R1#ping 200.0.0.2 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms

Configure IKE Phase 1 ISAKMP SA

Note: the 3DES / SHA-1 / MD5 / DH group 2 (1024-bit) suite and the short pre-shared key used below are lab settings for a CCNA-style exercise. For anything reachable from the Internet use AES (AES-GCM where the platform supports it), SHA-256 and DH group 14 or higher, prefer IKEv2 where both peers support it, and use a long random pre-shared key (or certificates) instead of a word like pg1xpsk.

  • R1
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime
 lifetime 43200
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
end
  • R2
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime
 lifetime 43200
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
end

Configure IKE Phase 2 IPsec SA

HMAC (Keyed-Hashing Message Authentication Code): the esp-md5-hmac / esp-sha-hmac transforms below provide ESP integrity with a 96-bit truncated HMAC.

  • R1
configure terminal
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
exit
!
! Configure IPsec SA lifetime
crypto ipsec security-association lifetime seconds 3600
!
! Define IPsec encryption target traffic
access-list 101 permit ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
!
access-list 102 permit esp host 200.0.0.2 host 100.0.0.1
access-list 102 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 match address 101
 set transform-set IPSEC
 set peer 200.0.0.2
exit
!
interface GigabitEthernet 0/1
 crypto map M-ipsec
 ip access-group 102 in
exit
!
end
  • R2
configure terminal
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
exit
!
! Configure IPsec SA lifetime
crypto ipsec security-association lifetime seconds 3600
!
! Define IPsec encryption target traffic
access-list 101 permit ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
!
access-list 102 permit esp host 100.0.0.1 host 200.0.0.2
access-list 102 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 match address 101
 set transform-set IPSEC
 set peer 100.0.0.1
exit
!
interface GigabitEthernet 0/1
 crypto map M-ipsec
 ip access-group 102 in
exit
!
end
PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
10.200.0.200 icmp_seq=3 timeout
10.200.0.200 icmp_seq=4 timeout
10.200.0.200 icmp_seq=5 timeout

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

R1#
*Mar 28 06:10:49.740: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.0.0.2
PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
10.200.0.200 icmp_seq=3 timeout
10.200.0.200 icmp_seq=4 timeout
10.200.0.200 icmp_seq=5 timeout

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.2       100.0.0.1       MM_NO_STATE          0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#
*Mar 28 06:07:07.415: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.0.0.2
R1#sh run | s crypto
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 200.0.0.2      
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac 
 mode tunnel
crypto map M-ipsec 1 ipsec-isakmp 
 set peer 200.0.0.2
 set transform-set IPSEC 
 match address 101
 crypto map M-ipsec
R2#sh run | s crypto
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 100.0.0.1      
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac 
 mode tunnel
crypto map M-ipsec 1 ipsec-isakmp 
 set peer 100.0.0.1
 set transform-set IPSEC 
 match address 101
 crypto map M-ipsec

The R2 output is missing `authentication pre-share` under `crypto isakmp policy 1`, so R2 falls back to the IOS default (`authentication rsa-sig`) and the Phase 1 policies of the two routers never match: the ISAKMP SA stays in MM_NO_STATE and R1 logs %CRYPTO-6-IKMP_MODE_FAILURE. (`hash sha` is absent from both outputs only because it is the default and `show run` omits default values.)
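A small checker for this failure mode, added here as an example (it is not code from this wiki or from Cisco): it parses the `sh run | s crypto` output of both routers, fills in the IOS defaults that `show run` omits, and reports which Phase 1 attributes differ. The R1/R2 text it uses is copied from the output above; the lifetime-matching rule is simplified, as noted in the comments.

```python
"""IKEv1 (ISAKMP) policy-match checker for the R1/R2 troubleshooting above.

Added example; not code from the wiki or from Cisco. It parses the
`show running-config | section crypto` text of two peers, fills in the IOS
defaults for attributes that `show run` omits because they are at their default
value, and applies the IOS matching rule: encryption, hash, authentication and
DH group must be identical; lifetimes may differ and the shorter one is used.
Lifetime handling is simplified: IOS additionally requires the remote peer's
lifetime to be no longer than the local one for that policy to be selected.
"""
import re

# IOS defaults for an ISAKMP policy; `show run` omits attributes at their default.
IOS_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}
# `show run` prints some keywords abbreviated; map them back to the config keyword.
ALIASES = {"encr": "encryption"}
MATCH_ATTRS = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} for every `crypto isakmp policy` block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(IOS_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if current is None or not raw.startswith(" "):
            current = None          # an unindented line ends the policy block
            continue
        key, _, value = line.partition(" ")
        key = ALIASES.get(key, key)
        if key in IOS_DEFAULTS:
            current[key] = value.strip()
    return policies


def find_matching_policy(initiator, responder):
    """First (initiator_prio, responder_prio, negotiated_lifetime) that matches,
    in priority order, or None when no pair agrees (the SA then sits in
    MM_NO_STATE and IOS logs %CRYPTO-6-IKMP_MODE_FAILURE, as seen on R1)."""
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            if all(ipol[a] == rpol[a] for a in MATCH_ATTRS):
                return ip, rp, min(int(ipol["lifetime"]), int(rpol["lifetime"]))
    return None


def explain_mismatch(initiator, responder):
    """Attributes that differ between the two peers' highest-priority policies."""
    ipol, rpol = initiator[min(initiator)], responder[min(responder)]
    return {a: (ipol[a], rpol[a]) for a in MATCH_ATTRS if ipol[a] != rpol[a]}


# Sample input copied from the `sh run | s crypto` output above (R2 before the fix).
R1_RUN = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 200.0.0.2
"""
R2_RUN_BROKEN = """\
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 100.0.0.1
"""
R2_RUN_FIXED = R2_RUN_BROKEN.replace(" group 2\n", " authentication pre-share\n group 2\n")

if __name__ == "__main__":
    r1 = parse_isakmp_policies(R1_RUN)
    for label, text in (("before fix", R2_RUN_BROKEN), ("after fix", R2_RUN_FIXED)):
        r2 = parse_isakmp_policies(text)
        print(label, find_matching_policy(r1, r2) or explain_mismatch(r1, r2))
```

Run against the two outputs above it reports `{'authentication': ('pre-share', 'rsa-sig')}` for the broken R2 config and a match on policy 1 with lifetime 43200 once `authentication pre-share` is added, which is exactly the change made on R2 below.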

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#^Z
R2#
*Mar 28 06:14:39.112: %SYS-5-CONFIG_I: Configured from console by console
PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
10.200.0.200 icmp_seq=3 timeout
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=12.124 ms
84 bytes from 10.200.0.200 icmp_seq=5 ttl=62 time=10.759 ms

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.2       100.0.0.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

PC-1> ping 10.200.0.200
84 bytes from 10.200.0.200 icmp_seq=1 ttl=62 time=11.085 ms
84 bytes from 10.200.0.200 icmp_seq=2 ttl=62 time=10.075 ms
84 bytes from 10.200.0.200 icmp_seq=3 ttl=62 time=13.185 ms
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=11.984 ms
84 bytes from 10.200.0.200 icmp_seq=5 ttl=62 time=10.882 ms

R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 100.0.0.3 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 100.0.0.3
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.100.0.0/24 is directly connected, GigabitEthernet0/0
L        10.100.0.1/32 is directly connected, GigabitEthernet0/0
      100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.0.0.0/16 is directly connected, GigabitEthernet0/1
L        100.0.0.1/32 is directly connected, GigabitEthernet0/1

IPsec-VPN on PPPoE

PPPoE

  • MTU 1454
  • MSS 1414 (= 1454 - IP 20 - TCP 20)

PPPoE + IPsec (ESP, Tunnel mode)

  • MSS 1356
  • ESP tunnel-mode overhead with 3DES and HMAC-MD5-96 / HMAC-SHA1-96:
    • outer IP header 20 + ESP header (SPI 4 + Sequence 4) + IV 8 (3DES; carried at the start of the Payload Data) + Padding 0 ~ 7 + Pad Length 1 + Next Header 1 + Authentication Data (ICV) 12
    • = 50 bytes with no padding, up to 57 bytes with 7 bytes of padding
  • Padding rule: ESP pads so that (inner packet + Padding + Pad Length + Next Header) is a multiple of the cipher block size, 8 bytes for 3DES (16 bytes for AES)
  • The largest inner packet that fits in 1454 bytes is therefore 1398 (1398 + 2 is a multiple of 8, and 1398 + 50 = 1448 <= 1454). This is the "plaintext mtu 1398" that show crypto ipsec sa reports below, i.e. 1454 - 56
  • TCP MSS = 1398 - IP 20 - TCP 20 = 1358; the 1356 used on G0/0 here is 2 bytes more conservative (1414 - 1356 = 58 = 56 + 2)
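The arithmetic above worked through in code, as an added example that is not part of the original page: it applies the ESP padding rule for a given cipher block size, IV length and ICV length, and searches for the largest inner packet that fits the PPPoE MTU. The transform names mirror the IOS keywords used on this page; the AES entries are included to show how the same rule generalises to a 16-byte block.

```python
"""ESP tunnel-mode overhead and TCP MSS calculator for the PPPoE + IPsec case.

Added example; not code from the wiki or from Cisco. ESP pads the inner packet so
that (inner packet + padding + 2-byte trailer) is a multiple of the cipher block
size, then prepends SPI/sequence/IV and appends the ICV; tunnel mode adds a new
20-byte IPv4 header in front of all of it.
"""

# (cipher block size, IV length) in bytes per IOS ESP transform keyword.
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}
# Truncated ICV length per integrity transform (HMAC-MD5-96 and HMAC-SHA1-96 are 96 bits).
INTEGRITY = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)


def esp_padding(inner_len, block):
    """Bytes of padding ESP adds so that (inner + padding + trailer) is block-aligned."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_size(inner_len, cipher="esp-3des", integrity="esp-md5-hmac"):
    """On-the-wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation."""
    block, iv = CIPHERS[cipher]
    return (IPV4_HDR + ESP_HDR + iv + inner_len + esp_padding(inner_len, block)
            + ESP_TRAILER + INTEGRITY[integrity])


def max_inner_len(link_mtu, cipher="esp-3des", integrity="esp-md5-hmac"):
    """Largest inner packet that still fits in link_mtu without fragmentation.
    IOS shows this value as 'plaintext mtu' in show crypto ipsec sa."""
    n = link_mtu
    while esp_tunnel_size(n, cipher, integrity) > link_mtu:
        n -= 1
    return n


def max_tcp_mss(link_mtu, cipher="esp-3des", integrity="esp-md5-hmac"):
    """Largest TCP MSS for which a full-size segment survives encapsulation."""
    return max_inner_len(link_mtu, cipher, integrity) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for cipher, integrity in (("esp-3des", "esp-md5-hmac"), ("esp-aes", "esp-sha-hmac")):
        print(cipher, integrity,
              "plaintext mtu", max_inner_len(1454, cipher, integrity),
              "max mss", max_tcp_mss(1454, cipher, integrity))
    # The MSS chosen on this page, 1356, gives a 1396-byte inner packet:
    print("1356 + 40 ->", esp_tunnel_size(1356 + IPV4_HDR + TCP_HDR), "bytes on the wire")
```

For 3DES with a 96-bit ICV at MTU 1454 the search returns 1398, the value IOS prints as "plaintext mtu 1398" in the show crypto ipsec sa output further down, and an MSS of 1358; a 1356-byte MSS produces 1448-byte ESP packets, 2 bytes of padding and 6 bytes of headroom.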

IP

Project name: ccna-vpn-ipsec-0002-ipsec-pppoe

  • R1
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.100.0.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
ip address 100.0.0.1 255.255.0.0
no shutdown
exit
!
end
write
  • R2
enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.200.0.2 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
ip address 200.0.0.2 255.255.0.0
no shutdown
exit
!
end
write
  • R3
enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.3 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R4
enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.4 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • PC-1
ip 10.100.0.100 255.255.255.0 10.100.0.1
save
  • PC-2
ip 10.200.0.200 255.255.255.0 10.200.0.2
save

Configure Basic Routing Protocol (BGP, Static routing)

  • R3
configure terminal
!
router bgp 3
neighbor 34.0.0.4 remote-as 4
network 100.0.0.1 mask 255.255.255.255
exit
!
end
  • R4
configure terminal
!
! R4 is AS 4 (R3 peers with it as remote-as 4); AS 3 here would leave the eBGP session down
router bgp 4
neighbor 34.0.0.3 remote-as 3
network 200.0.0.2 mask 255.255.255.255
exit
!
end

Configure PPPoE Server, Client

  • R1
configure terminal
!
interface GigabitEthernet 0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 10
exit
!
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
interface Loopback 1
ip address 100.0.0.1 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
interface GigabitEthernet 0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 10
exit
!
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
interface Loopback 1
ip address 200.0.0.2 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
  • R3
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 100.0.0.1
!
interface Loopback1
ip address 100.1.3.3 255.255.255.0
exit
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
  • R4
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 200.0.0.2
!
interface Loopback1
ip address 200.2.4.4 255.255.255.0
exit
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
R1#ping 200.0.0.2 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms

Configure IPsec-VPN over PPPoE

  • R1
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 !permit icmp any any
exit
!
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 !permit icmp any any
exit
!
dialer-list 20 protocol ip permit
!
end

Verify IPsec-VPN over PPPoE

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.2       100.0.0.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Remove DPD on both routers and clear the IKE SA. Both routers then initiate a new Phase 1 at the same time, so two IKE SAs (one in each direction, conn-id 1002 and 1003) appear next to the deleted one:

R1(config)#no crypto isakmp keepalive 30 periodic
R2(config)#no crypto isakmp keepalive 30 periodic
R1#clear crypto isakmp
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       QM_IDLE           1002 ACTIVE
200.0.0.2       100.0.0.1       QM_IDLE           1003 ACTIVE
200.0.0.2       100.0.0.1       MM_NO_STATE       1001 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

PC-1> ping 10.200.0.200 -c 100
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
84 bytes from 10.200.0.200 icmp_seq=3 ttl=62 time=12.339 ms
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=11.275 ms
^C
PC-1> 
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       QM_IDLE           1002 ACTIVE
200.0.0.2       100.0.0.1       QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       MM_NO_STATE       1002 ACTIVE (deleted)
200.0.0.2       100.0.0.1       MM_NO_STATE       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

After a while only a single IKE SA remains:

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: M-ipsec, local addr 100.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
   current_peer 200.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
    #pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
     plaintext mtu 1398, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0x45A01B3D(1168120637)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBC213362(3156292450)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4261867/1574)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x45A01B3D(1168120637)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4261867/1574)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
          
     outbound pcp sas:
R1#show crypto engine connections active 
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+MD5                  0       72       72 100.0.0.1
    2  IPsec   3DES+MD5                 72        0        0 100.0.0.1
 1004  IKE     MD5+3DES                  0        0        0 100.0.0.1

R2#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: M-ipsec, local addr 200.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.0.0/255.255.255.0/0/0)
   current_peer 100.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
    #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.0.0.2, remote crypto endpt.: 100.0.0.1
     plaintext mtu 1398, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0xBC213362(3156292450)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x45A01B3D(1168120637)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4147942/1303)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBC213362(3156292450)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4147942/1303)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
          
     outbound pcp sas:
R2#sh crypto engine connections active 
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+MD5                  0      145      145 200.0.0.2
    2  IPsec   3DES+MD5                146        0        0 200.0.0.2
 1004  IKE     MD5+3DES                  0        0        0 200.0.0.2

R1#show crypto isakmp policy 

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
R1#show crypto ipsec transform-set 
Transform set default: { esp-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
   
Transform set IPSEC: { esp-3des esp-md5-hmac  } 
   will negotiate = { Tunnel,  }, 
   
R1#show crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Dialer1
Uptime: 00:44:59
Session status: UP-ACTIVE     
Peer: 200.0.0.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 200.0.0.2
      Desc: (none)
  Session ID: 0  
  IKEv1 SA: local 100.0.0.1/500 remote 200.0.0.2/500 Active 
          Capabilities:(none) connid:1004 lifetime:23:45:06
  IPSEC FLOW: permit ip 10.100.0.0/255.255.255.0 10.200.0.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 156 drop 0 life (KB/Sec) 4261856/900
        Outbound: #pkts enc'ed 156 drop 0 life (KB/Sec) 4261856/900

IPsec-VPN on PPPoE, Internet connection, Firewall by CBAC

Keywords

  • CBAC(Context-Based Access Control)
  • Stateful Inspection

Reference

Configuration

  • R1
configure terminal
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC icmp
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 ip nat inside
 ip inspect CBAC in
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 ip nat outside
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
ip nat inside source list A-nat interface Loopback 1 overload
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit icmp any any
exit
!
ip access-list extended A-nat
 deny ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 any
exit
!
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC icmp
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 ip nat inside
 ip inspect CBAC in
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 ip nat outside
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
ip nat inside source list A-nat interface Loopback 1 overload
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 permit icmp any any
exit
!
ip access-list extended A-nat
 deny ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 permit ip 10.200.0.0 0.0.0.255 any
exit
!
dialer-list 20 protocol ip permit
!
end
  • R4
configure terminal
!
username admin1 password cisco1
!
line vty 0 15
 exec-timeout 0 0
 password ciscotel
 login local
 logging synchronous
 ! required on IOSv, which does not accept remote vty logins by default
 transport input telnet ssh
exit
!
ip domain-name pg1x.net
!
end
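A simulation of what the R1 configuration above does on the forwarding path, added here as an example (it is not code from this wiki or from IOS): the `ip inspect CBAC in` rule on G0/0 records every LAN-initiated tcp/udp/icmp flow, and the inbound ACL on Dialer1 is consulted only for packets that are not the return half of such a flow. NAT and the inspection idle timers are left out, so flows are tracked by their LAN addresses, the way `show ip inspect sessions` prints them below; the packets are constructed for the demonstration.

```python
"""Simulation of CBAC stateful inspection combined with a static inbound ACL,
mirroring `ip inspect CBAC in` on GigabitEthernet0/0 and `ip access-group
A-security in` on Dialer1 on R1 above. Added example, not code from the wiki or
from IOS; NAT and the inspection idle timers are omitted, so flows are tracked
by their LAN addresses as `show ip inspect sessions` prints them.
"""
from collections import namedtuple

# proto is "tcp", "udp", "icmp" or "esp"; ports are 0 where the protocol has none.
Packet = namedtuple("Packet", "proto src sport dst dport")

# R1's static A-security ACL as (proto, src, dst, dport); None matches anything.
A_SECURITY = [
    ("esp", "200.0.0.2", "100.0.0.1", None),
    ("udp", "200.0.0.2", "100.0.0.1", 500),   # eq isakmp
    ("icmp", None, None, None),               # permit icmp any any
]
INSPECTED = {"tcp", "udp", "icmp"}            # ip inspect name CBAC tcp / udp / icmp


def _reverse(pkt):
    return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class CbacRouter:
    def __init__(self, static_inbound_acl):
        self.acl = static_inbound_acl
        self.sessions = set()   # LAN-initiated flows, like the SIS_OPEN entries

    def lan_inbound(self, pkt):
        """Packet entering G0/0 from the LAN: inspection records the session so
        that its return traffic is allowed back in on Dialer1."""
        if pkt.proto in INSPECTED:
            self.sessions.add(pkt)
        return "forward"

    def close_session(self, pkt):
        """Session teardown (TCP FIN/RST seen, or the idle timer expired)."""
        self.sessions.discard(pkt)

    def _static_permit(self, pkt):
        return any(pkt.proto == proto and src in (None, pkt.src)
                   and dst in (None, pkt.dst) and dport in (None, pkt.dport)
                   for proto, src, dst, dport in self.acl)

    def wan_inbound(self, pkt):
        """Packet entering Dialer1: the dynamic entry CBAC created for a
        LAN-initiated session is checked first, then the static ACL, then the
        implicit deny at the end of the ACL."""
        if _reverse(pkt) in self.sessions:
            return "permit-dynamic"
        if self._static_permit(pkt):
            return "permit-static"
        return "deny"


if __name__ == "__main__":
    fw = CbacRouter(A_SECURITY)
    telnet = Packet("tcp", "10.100.0.103", 48140, "34.0.0.4", 23)   # PC-3 -> R4
    fw.lan_inbound(telnet)
    for pkt in (
        Packet("tcp", "34.0.0.4", 23, "10.100.0.103", 48140),        # telnet reply
        Packet("tcp", "34.0.0.4", 40000, "10.100.0.103", 22),        # unsolicited SYN
        Packet("esp", "200.0.0.2", 0, "100.0.0.1", 0),               # IPsec from peer
        Packet("udp", "9.9.9.9", 500, "100.0.0.1", 500),             # IKE from a stranger
    ):
        print(pkt, "->", fw.wan_inbound(pkt))
```

With `permit icmp any any` removed from the static ACL the echo reply to PC-1's ping still comes back, because ICMP is inspected and the reply matches the dynamic entry; only ICMP that no inside host solicited is dropped. The static ESP and isakmp lines remain necessary, since IKE and ESP from the peer are not return traffic of any inspected session.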

Cisco: IPv6 ACL

Verification

Ping to the Internet (R2's global address, through NAT)

PC-1> ping 200.0.0.2
84 bytes from 200.0.0.2 icmp_seq=1 ttl=252 time=12.863 ms
84 bytes from 200.0.0.2 icmp_seq=2 ttl=252 time=12.085 ms
^C

Ping over the VPN

PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
84 bytes from 10.200.0.200 icmp_seq=2 ttl=62 time=30.486 ms
84 bytes from 10.200.0.200 icmp_seq=3 ttl=62 time=19.197 ms
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=20.302 ms
84 bytes from 10.200.0.200 icmp_seq=5 ttl=62 time=20.438 ms

PC-3 (a Linux host on the R1 LAN, address 10.100.0.103):
ifconfig eth0 10.100.0.103 netmask 255.255.255.0 broadcast 10.100.0.255
route add default gw 10.100.0.1 eth0

Telnet from PC-3 to R4 through CBAC

root@PC-3:~# ping 34.0.0.4  
PING 34.0.0.4 (34.0.0.4) 56(84) bytes of data.
64 bytes from 34.0.0.4: icmp_seq=1 ttl=253 time=9.55 ms
64 bytes from 34.0.0.4: icmp_seq=2 ttl=253 time=5.95 ms
64 bytes from 34.0.0.4: icmp_seq=3 ttl=253 time=5.65 ms
64 bytes from 34.0.0.4: icmp_seq=4 ttl=253 time=5.40 ms
64 bytes from 34.0.0.4: icmp_seq=5 ttl=253 time=6.47 ms
64 bytes from 34.0.0.4: icmp_seq=6 ttl=253 time=6.35 ms
64 bytes from 34.0.0.4: icmp_seq=7 ttl=253 time=5.58 ms
64 bytes from 34.0.0.4: icmp_seq=8 ttl=253 time=4.80 ms
64 bytes from 34.0.0.4: icmp_seq=9 ttl=253 time=5.75 ms
64 bytes from 34.0.0.4: icmp_seq=10 ttl=253 time=5.30 ms
64 bytes from 34.0.0.4: icmp_seq=11 ttl=253 time=5.97 ms
64 bytes from 34.0.0.4: icmp_seq=12 ttl=253 time=4.80 ms
64 bytes from 34.0.0.4: icmp_seq=13 ttl=253 time=5.46 ms
64 bytes from 34.0.0.4: icmp_seq=14 ttl=253 time=4.98 ms
64 bytes from 34.0.0.4: icmp_seq=15 ttl=253 time=4.74 ms
64 bytes from 34.0.0.4: icmp_seq=16 ttl=253 time=6.07 ms
64 bytes from 34.0.0.4: icmp_seq=17 ttl=253 time=4.44 ms
64 bytes from 34.0.0.4: icmp_seq=18 ttl=253 time=4.66 ms
^C
--- 34.0.0.4 ping statistics ---
18 packets transmitted, 18 received, 0% packet loss, time 17021ms
rtt min/avg/max/mdev = 4.446/5.666/9.555/1.112 ms
root@PC-3:~# ping 34.0.0.4
PING 34.0.0.4 (34.0.0.4) 56(84) bytes of data.
64 bytes from 34.0.0.4: icmp_seq=1 ttl=253 time=12.7 ms
64 bytes from 34.0.0.4: icmp_seq=2 ttl=253 time=4.56 ms
^C
--- 34.0.0.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.563/8.656/12.750/4.094 ms
root@PC-3:~# telnet 34.0.0.4
Trying 34.0.0.4...
Connected to 34.0.0.4.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: admin1
Password: 
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/11 ms
R1#show ip inspect sessions 
Established Sessions
 Session FD64AA8 (10.100.0.103:48140)=>(34.0.0.4:23) tcp SIS_OPEN
R1#show ip inspect al       
R1#show ip inspect all 
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

Established Sessions
 Session FD64AA8 (10.100.0.103:48140)=>(34.0.0.4:23) tcp SIS_OPEN
R1#show ip inspect all 
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

R1#show ip inspect all 
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

Established Sessions
 Session FD64AA8 (10.100.0.103:8)=>(34.0.0.4:0) icmp SIS_OPEN
R1#show ip inspect all 
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

Established Sessions
 Session FD64AA8 (10.100.0.103:8)=>(34.0.0.4:0) icmp SIS_OPEN
R1#telnet 34.0.0.4
Trying 34.0.0.4 ... 
% Connection timed out; remote host not responding

R1#telnet 34.0.0.4
Trying 34.0.0.4 ... 
% Connection timed out; remote host not responding

R1#telnet 34.0.0.4
Trying 34.0.0.4 ... 
% Connection timed out; remote host not responding

R1#show ip inspect all 
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

Established Sessions
 Session FD64888 (10.100.0.103:48142)=>(34.0.0.4:23) tcp SIS_OPEN
R1#conf t                   
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip tel
R1(config)#ip telnet sour
R1(config)#ip telnet source-interface Gig
R1(config)#ip telnet source-interface GigabitEthernet 0/0
R1(config)#^Z
R1#show ip inspect all 
*Apr  3 23:11:27.820: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 34.0.0.4     
Trying 34.0.0.4 ... 
% Connection timed out; remote host not responding

R1#telnet 34.0.0.4
Trying 34.0.0.4 ... 
% Connection timed out; remote host not responding

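The session table in the transcript above is the thing worth checking after a CBAC change: the client 10.100.0.103 gets a `tcp SIS_OPEN` entry to 34.0.0.4:23 and later an `icmp` entry, while R1's own `telnet 34.0.0.4` attempts time out and leave no entry at all, because the inbound inspect rule on GigabitEthernet0/0 only sees traffic entering that interface and router-originated traffic never does. The following Python script is an added example for this page, not part of the original wiki or any Cisco tooling: it parses `show ip inspect all` output into structured session and timeout records and audits them, flagging cleartext management sessions and reporting whether any session was sourced from the router's own addresses. The sample text and the router addresses (10.100.0.1 and 100.0.0.1, taken as R1's interface addresses) are constructed for the example.

```python
"""Parse and audit Cisco IOS CBAC 'show ip inspect all' output.

Added example (not the wiki page's own code, not Cisco tooling).
SAMPLE_OUTPUT is constructed from the session lines shown in the transcript.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One CBAC session line, e.g.
#  Session FD64AA8 (10.100.0.103:48140)=>(34.0.0.4:23) tcp SIS_OPEN
SESSION_RE = re.compile(
    r"^\s*Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)\s*$"
)

# One inspection rule line, e.g. "    tcp alert is on audit-trail is off timeout 3600"
RULE_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+alert is (?P<alert>on|off)\s+"
    r"audit-trail is (?P<audit>on|off)\s+timeout (?P<timeout>\d+)\s*$"
)

# Destination ports whose sessions carry credentials in the clear (constructed list)
CLEARTEXT_MGMT_PORTS = {23: "telnet", 21: "ftp", 80: "http"}


@dataclass(frozen=True)
class Session:
    id: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


def parse_sessions(text: str) -> list[Session]:
    """Return every session line found in the output, in display order."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(m["id"], m["src"], int(m["sport"]),
                                    m["dst"], int(m["dport"]),
                                    m["proto"].lower(), m["state"]))
    return sessions


def parse_rule_timeouts(text: str) -> dict[str, int]:
    """Return protocol -> idle timeout (seconds) from the
    'Inspection Rule Configuration' block only; the per-interface block
    repeats the same rule and is skipped."""
    timeouts: dict[str, int] = {}
    in_rule_block = False
    for line in text.splitlines():
        if line.startswith("Inspection Rule Configuration"):
            in_rule_block = True
            continue
        if in_rule_block and line.startswith("Interface Configuration"):
            break
        if in_rule_block:
            m = RULE_RE.match(line)
            if m:
                timeouts[m["proto"].lower()] = int(m["timeout"])
    return timeouts


def audit(sessions: list[Session], router_addrs: set[str]) -> tuple[list[str], list[Session]]:
    """Flag cleartext management sessions and list sessions sourced by the
    router itself.  With an inbound-only inspect rule the second list is
    expected to be empty, which is exactly what the transcript shows."""
    findings = []
    for s in sessions:
        if s.proto == "tcp" and s.dport in CLEARTEXT_MGMT_PORTS:
            findings.append(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} "
                            f"cleartext {CLEARTEXT_MGMT_PORTS[s.dport]} "
                            f"session {s.id} ({s.state})")
    router_originated = [s for s in sessions if s.src in router_addrs]
    return findings, router_originated


# Constructed sample, trimmed from the transcript's 'show ip inspect all' output
SAMPLE_OUTPUT = """\
Session audit trail is disabled
Session alert is enabled
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

Established Sessions
 Session FD64AA8 (10.100.0.103:48140)=>(34.0.0.4:23) tcp SIS_OPEN
 Session FD64888 (10.100.0.103:8)=>(34.0.0.4:0) icmp SIS_OPEN
"""

# Assumed R1 interface addresses (GigabitEthernet0/0 and 0/1 in this lab)
R1_ADDRS = {"10.100.0.1", "100.0.0.1"}

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_OUTPUT)
    print("timeouts:", parse_rule_timeouts(SAMPLE_OUTPUT))
    flagged, from_router = audit(sess, R1_ADDRS)
    for f in flagged:
        print("FINDING:", f)
    print("router-originated sessions:", len(from_router))
```

Feed it the text of `show ip inspect all` captured from the router; the `audit` result pairs each cleartext finding with the session id so it can be matched against the router's own table, and a non-empty router-originated list would indicate the inspect rule is covering router traffic, which the transcript's rule on GigabitEthernet0/0 does not.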
References

tech/network/cisco/vpn/encryption/ipsec/ipsec.txt · Last modified: 2019/04/04 08:17 by wnoguchi