Enabling the debug commands

20 Mar

Listing 6.3: Enabling the debug commands and the Ping request.

#debug crypto ipsec
Crypto IPSEC debugging is on
#debug crypto isakmp
Crypto ISAKMP debugging is on
#debug crypto engine
Crypto Engine debugging is on
#ping ip
Target IP address: 192.168.10.1
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.11.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:

After the Ping request sends the first packet, Router B determines that the packet matches the access list—in this case, access list 120, configured under the IPSec crypto map—and begins the security association setup by offering to Router A all of its configured transform sets. This can be verified by displaying the output of the debug crypto ipsec command. Listing 6.4 shows the security association request.

Listing 6.4: Security association request.

: IPSEC(sa_request): ,
(key eng. msg.) src= 10.0.30.201, dest= 10.0.30.200,
src_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 120s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

The debug output in Listing 6.4 shows that, upon security association setup, Router B offers to Router A all of its configured transform sets. It is at this point that the final verification of the IKE security association takes place. The IKE security association verification messages can be seen by displaying the output of the debug crypto isakmp command. Listing 6.5 shows the IKE verification process.

Listing 6.5: IKE verification process.

!
: ISAKMP (6): beginning Main Mode exchange
: ISAKMP (6): sending packet to 10.0.30.200 (I) MM_NO_STATE
: ISAKMP (6): received packet from 10.0.30.200 (I) MM_NO_STATE
: ISAKMP (6): processing SA payload. message ID = 0
: ISAKMP (6): Checking ISAKMP transform 1 against priority 10 policy
: ISAKMP: encryption DES-CBC
: ISAKMP: hash MD5
: ISAKMP: default group 2
: ISAKMP: auth pre-share
: ISAKMP: Open
: ISAKMP: life duration (basic) of 120
: ISAKMP (6): atts are acceptable. Next payload is 0
: ISAKMP (6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
: ISAKMP (6): sending packet to 10.0.30.200 (I) MM_SA_SETUP
: ISAKMP (6): received packet from 10.0.30.200 (I) MM_SA_SETUP
: ISAKMP (6): processing KE payload. message ID = 0
: ISAKMP (6): processing NONCE payload. message ID = 0
: ISAKMP (6): SKEYID state generated
: ISAKMP (6): processing vendor id payload
: ISAKMP (6): speaking to another IOS box!
: ISAKMP (6): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
: ISAKMP (6): Total payload length: 12
: ISAKMP (6): sending packet to 10.0.30.200 (I) MM_KEY_EXCH
: ISAKMP (6): received packet from 10.0.30.200 (I) MM_KEY_EXCH
: ISAKMP (6): processing ID payload. message ID = 0
: ISAKMP (6): processing HASH payload. message ID = 0
: ISAKMP (6): SA has been authenticated with 10.0.30.200
!

After the security associations are set up, IKE begins IPSec negotiation. You can see the process of IKE negotiation of IPSec by again viewing the output of the debug crypto ipsec and debug crypto isakmp commands. Listing 6.6 displays the IKE negotiation.

Listing 6.6: IKE negotiation.

!
: IPSEC(key_engine): got a queue event...
: IPSEC(spi_response): getting spi 559422693 for SA
from 10.0.30.200 to 10.0.30.201 for prot 3
!
: ISAKMP (6): beginning Quick Mode exchange, M-ID of 121737022
: ISAKMP (6): sending packet to 10.0.30.200 (I) QM_IDLE
: ISAKMP (6): received packet from 10.0.30.200 (I) QM_IDLE
: ISAKMP (6): processing SA payload. message ID = 121737022
: ISAKMP (6): Checking IPSec proposal 1
: ISAKMP: transform 1, ESP_DES
: ISAKMP: attributes in transform:
: ISAKMP: encaps is 1
: ISAKMP: SA life type in seconds
: ISAKMP: SA life duration (basic) of 120
: ISAKMP: SA life type in kilobytes
: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
: ISAKMP: authenticator is HMAC-MD5
: ISAKMP (6): atts are acceptable.
!

The final display shows the security association completing the setup process. When the security association setup process is complete, traffic can begin to flow from source to destination using the security services of IPSec. Listing 6.7 displays the completion of the security association setup process.

Listing 6.7: Completion of security association setup process.

(key eng. msg.) dest= 10.0.30.200, src= 10.0.30.201,
dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
: IPSEC(key_engine): got a queue event...
: IPSEC(initialize_sas): ,
(key eng. msg.) dest= 10.0.30.201, src= 10.0.30.200,
dest_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 120s and 4608000kb,
spi= 0x21581CE5(559422693), conn_id= 2, keysize= 0, flags= 0x4
: IPSEC(initialize_sas): ,
(key eng. msg.) src= 10.0.30.201, dest= 10.0.30.200,
: ISAKMP (6): processing NONCE payload. message ID = 121737022
: ISAKMP (6): processing ID payload. message ID = 121737022
: ISAKMP (6): unknown error extracting ID
: ISAKMP (6): processing ID payload. message ID = 121737022
: ISAKMP (6): unknown error extracting ID
: ISAKMP (6): Creating IPSec SAs
: inbound SA from 10.0.30.200 to 10.0.30.201 (proxy 192.168.10.0 to 192.168.11.0)
: has spi 331813658 and conn_id 7 and flags 4
: lifetime of 120 seconds
: lifetime of 4608000 kilobytes
: outbound SA from 10.0.30.201 to 10.0.30.200 (proxy 192.168.11.0 to 192.168.10.0)
: has spi 306250407 and conn_id 8 and flags 4
: lifetime of 120 seconds
: lifetime of 4608000 kilobytes
: ISAKMP (6): sending packet to 10.0.30.200 (I) QM_IDLE
: src_proxy= 192.168.11.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 120s and 4608000kb,
spi= 0x1472092E(343017774), conn_id= 3, keysize= 0, flags= 0x4
: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.0.30.201, sa_prot= 50,
sa_spi= 0x21581CE5(559422693),
sa_trans= esp-des esp-md5-hmac, sa_conn_id= 2
: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.0.30.200, sa_prot= 50,
sa_spi= 0x1472092E(343017774),
sa_trans= esp-des esp-md5-hmac, sa_conn_id= 3

After the security association is set up and complete, you can view the settings of each security association in the security association database (SAD) by issuing the show crypto ipsec sa command. Listing 6.8 displays the security association database of Router B.

Listing 6.8: Security association database on Router B.

Router-B#sh crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: encrypt, local addr. 10.0.30.201
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 10.0.30.200
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 5, #recv errors 0
local crypto endpt.: 10.0.30.201, remote crypto endpt.: 10.0.30.200
path mtu 1500, media mtu 1500
current outbound spi: 20DB2311
!
inbound esp sas:
spi: 0x22900598(579863960)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: encrypt
sa timing: remaining key lifetime (k/sec): (4607999/71)
IV size: 8 bytes
replay detection support: Y
!
inbound ah sas:
!
outbound esp sas:
spi: 0x20DB2311(551232273)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: encrypt
sa timing: remaining key lifetime (k/sec): (4607999/71)
IV size: 8 bytes
replay detection support: Y
!
outbound ah sas:
Router-B#

Router B appears to have two security associations. As mentioned in “In Brief” earlier in this chapter, security associations are unidirectional, so Router B sets up two of them: one for inbound ESP packets and one for outbound ESP packets. The security association database for IKE can be viewed as well by issuing the show crypto isakmp sa command. Issuing the command on Router B displays the output seen in Listing 6.9.

Listing 6.9: IKE security association database.

#show crypto isakmp sa
dst src state conn-id slot
10.0.30.200 10.0.30.201 QM_IDLE 16 0
!
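The two listings above are what an operator actually has to read after a tunnel comes up, so the following Python script, added here as an example and not part of the book, parses the show crypto ipsec sa output of Listing 6.8 and applies the checks that matter: exactly one inbound and one outbound ESP SA exist (the two unidirectional SAs just discussed), the current outbound SPI matches the outbound SA, replay detection is on, the SA is not about to rekey, and the transform set does not still rest on DES/MD5. The SAMPLE text is transcribed from Listing 6.8 with IOS-style indentation restored; the parser, the LEGACY set and the finding messages are this example's own assumptions, not IOS output.

```python
import re

# Constructed sample: the "show crypto ipsec sa" output of Listing 6.8 on
# Router B, re-indented the way IOS prints it. The values are the listing's own.
SAMPLE = """\
interface: Ethernet0/0
   Crypto map tag: encrypt, local addr. 10.0.30.201
   local  ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer: 10.0.30.200
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #send errors 5, #recv errors 0
     local crypto endpt.: 10.0.30.201, remote crypto endpt.: 10.0.30.200
     path mtu 1500, media mtu 1500
     current outbound spi: 20DB2311
     inbound esp sas:
      spi: 0x22900598(579863960)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: encrypt
        sa timing: remaining key lifetime (k/sec): (4607999/71)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20DB2311(551232273)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: encrypt
        sa timing: remaining key lifetime (k/sec): (4607999/71)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
"""

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # assumption: what a current baseline rejects


def parse_ipsec_sa(text):
    """Parse the CLI output into peer, counters, outbound_spi and per-section SA lists."""
    db = {"peer": None, "counters": {}, "outbound_spi": None, "sas": {}}
    section, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"(inbound|outbound) (esp|ah) sas:", line)):
            section = f"{m.group(1)} {m.group(2)}"   # e.g. "inbound esp"
            db["sas"][section] = []
            sa = None
        elif line.startswith("#"):                   # packet / error counters
            for key, val in re.findall(r"#(pkts \w+|send errors|recv errors):? (\d+)", line):
                db["counters"][key] = int(val)
        elif (m := re.match(r"current_peer: (\S+)", line)):
            db["peer"] = m.group(1)
        elif (m := re.match(r"current outbound spi: ([0-9A-Fa-f]+)", line)):
            db["outbound_spi"] = m.group(1).upper()
        elif section and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)\((\d+)\)", line)):
            sa = {"spi_hex": m.group(1).upper(), "spi": int(m.group(2))}
            db["sas"][section].append(sa)
        elif sa is not None:                         # attributes of the current SA
            if (m := re.match(r"transform: (.+)", line)):
                sa["transform"] = m.group(1).rstrip(" ,").split()
            elif (m := re.match(r"in use settings =\{(\w+)", line)):
                sa["mode"] = m.group(1)
            elif (m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", line)):
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif (m := re.match(r"replay detection support: (\w)", line)):
                sa["replay"] = m.group(1) == "Y"
    return db


def assess(db, rekey_warn_sec=90):
    """Return operator-facing findings; an empty list means nothing to act on."""
    findings = []
    errs = db["counters"].get("send errors", 0)
    if errs:
        findings.append(f"{errs} send errors: packets dropped while the SA was still being set up")
    inb, outb = db["sas"].get("inbound esp", []), db["sas"].get("outbound esp", [])
    if len(inb) != 1 or len(outb) != 1:   # one unidirectional SA per direction
        findings.append(f"expected one SA per direction, found {len(inb)} inbound / {len(outb)} outbound")
    if outb and db["outbound_spi"] != outb[0]["spi_hex"]:
        findings.append("current outbound spi does not match the outbound ESP SA")
    for direction, sas in (("inbound", inb), ("outbound", outb)):
        for sa in sas:
            tag = f"{direction} spi {sa['spi_hex']}"
            weak = sorted(set(sa.get("transform", [])) & LEGACY)
            if weak:
                findings.append(f"{tag}: legacy transforms {' '.join(weak)}")
            if not sa.get("replay"):
                findings.append(f"{tag}: replay detection off")
            if sa.get("remaining_sec", rekey_warn_sec) < rekey_warn_sec:
                findings.append(f"{tag}: rekey in {sa['remaining_sec']}s")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ipsec_sa(SAMPLE)):
        print(finding)
```

On the Listing 6.8 data the script reports the five send errors (the pings dropped while IKE was still negotiating), the DES/MD5 transform set on both SAs, and that both SAs rekey in 71 seconds because of the 120-second lifetime in the configuration; the SA pairing and the outbound SPI check pass.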

The connection state of an IKE security association, displayed in the state field, varies depending on which phase and mode the security association was negotiated in. All security association states for each entry contained within the database are listed in Table 6.2.

The entire security association setup can take up to a minute or longer to complete, which caused the Ping request in Listing 6.3 to fail. After the security associations are complete, the Ping, or any other traffic that matches an entry in the access list, flows as normal.

The network in Figure 6.7 displays three routers connected to each other using a WAN connection. The layer 2 media of exchange is configured as a full mesh, allowing full communication between each host within each network. Hosts in the 192.168.10.0 network behind Router A are configured to communicate with the hosts in both the 192.168.11.0 network behind Router B and the 192.168.12.0 network behind Router C. Hosts within the 192.168.11.0 and 192.168.12.0 networks are configured in the same manner. The company that owns these routers has determined that all traffic between hosts that is exchanged via the WAN is to be protected by the services of IKE and IPSec. To meet the requirements of the company, a creative configuration of IPSec must be used.

Figure 6.7: Full mesh IPSec network

Both IPSec and IKE permit the configuration of multiple crypto policies and maps. This is accomplished through the effective use of the sequence-number parameter. Listing 6.10 through Listing 6.12 display the configuration of each router to the requirements outlined earlier.

Listing 6.10: IPSec configuration of Router A.

hostname Router-A
!
username ipsec privilege 15 password 0 ipsec
memory-size iomem 10
ip subnet-zero
ip tcp synwait-time 10
no ip domain-lookup
!
crypto isakmp policy 10
 hash md5
 encryption des
 group 2
 authentication pre-share
!
crypto isakmp key AandBkey address 10.0.30.201
crypto isakmp key AandCkey address 10.0.30.202
!
crypto ipsec transform-set routerb esp-des esp-md5-hmac
crypto ipsec transform-set routerc esp-des esp-md5-hmac
!
crypto map mesh 10 ipsec-isakmp
 set peer 10.0.30.201
 set transform-set routerb
 match address 100
!
crypto map mesh 11 ipsec-isakmp
 set peer 10.0.30.202
 set transform-set routerc
 match address 101
!
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0
 ip address 10.0.30.200 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no fair-queue
 crypto map mesh
!
ip nat inside source route-map donotnat interface Serial0 overload
ip classless
ip route 192.168.11.0 255.255.255.0 10.0.30.201
ip route 192.168.12.0 255.255.255.0 10.0.30.202
no ip http server
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
!
route-map donotnat permit 10
 match ip address 102

Listing 6.11: IPSec configuration of Router B.

hostname Router-B
!
username ipsec privilege 15 password 0 ipsec
ip subnet-zero
ip tcp synwait-time 10
no ip domain-lookup
!
crypto isakmp policy 11
 hash md5
 encryption des
 group 2
 authentication pre-share
!
crypto isakmp key AandBkey address 10.0.30.200
crypto isakmp key BandCkey address 10.0.30.202
!
crypto ipsec transform-set routera esp-des esp-md5-hmac
crypto ipsec transform-set routerc esp-des esp-md5-hmac
!
crypto map mesh 11 ipsec-isakmp
 set peer 10.0.30.200
 set transform-set routera
 match address 100
!
crypto map mesh 12 ipsec-isakmp
 set peer 10.0.30.202
 set transform-set routerc
 match address 101
!
interface Ethernet0/1
 ip address 192.168.11.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 ip address 10.0.30.201 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no fair-queue
 crypto map mesh
!
ip nat inside source route-map donotnat interface Serial0/0 overload
ip classless
ip route 192.168.10.0 255.255.255.0 10.0.30.200
ip route 192.168.12.0 255.255.255.0 10.0.30.202
no ip http server
!
access-list 100 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
!
route-map donotnat permit 11
 match ip address 102

Listing 6.12: IPSec configuration of Router C.

hostname Router-C
!
username ipsec privilege 15 password 0 ipsec
memory-size iomem 10
ip subnet-zero
ip tcp synwait-time 10
no ip domain-lookup
!
crypto isakmp policy 12
 hash md5
 encryption des
 group 2
 authentication pre-share
!
crypto isakmp key BandCkey address 10.0.30.201
crypto isakmp key AandCkey address 10.0.30.200
!
crypto ipsec transform-set routera esp-des esp-md5-hmac
crypto ipsec transform-set routerb esp-des esp-md5-hmac
!
crypto map mesh 12 ipsec-isakmp
 set peer 10.0.30.200
 set transform-set routera
 match address 110
!
crypto map mesh 13 ipsec-isakmp
 set peer 10.0.30.201
 set transform-set routerb
 match address 111
!
interface Ethernet1
 ip address 192.168.12.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial1/0
 ip address 10.0.30.202 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no fair-queue
 crypto map mesh
!
ip nat inside source route-map donotnat interface Serial1/0 overload
ip classless
ip route 192.168.10.0 255.255.255.0 10.0.30.200
ip route 192.168.11.0 255.255.255.0 10.0.30.201
no ip http server
!
access-list 110 permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 112 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 112 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 112 permit ip 192.168.12.0 0.0.0.255 any
!
route-map donotnat permit 12
 match ip address 112

These configurations define multiple crypto maps with different sequence numbers defined for each crypto map. This allows each router to configure IPSec parameters accordingly on a per-host basis. To view the security associations that IKE has set up for each router, issue the show crypto isakmp sa command on each router. Issuing the command on Router B displays the following output.

#show crypto isakmp sa
dst src state conn-id slot
10.0.30.200 10.0.30.201 QM_IDLE 16 0
10.0.30.202 10.0.30.201 QM_IDLE 17 0
!
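A full mesh like this only negotiates cleanly when every pair of peers agrees on three things: the pre-shared key bound to the peer's address, the transform set, and a crypto ACL that is the mirror image of the peer's. The following Python script, added here as an example and not part of the book, encodes the crypto-relevant parts of Listings 6.10 through 6.12 as data and checks each crypto map entry against the reciprocal entry on its peer, which is the kind of review worth running before a change is pushed rather than after a tunnel fails to come up. It also lists transform sets that still rest on DES/MD5. The Router dataclass, the prefix-form networks, the LEGACY set and the finding messages are this example's own assumptions; the addresses, keys, ACL numbers and sequence numbers are transcribed from the listings.

```python
from dataclasses import dataclass


@dataclass
class Router:
    """The crypto-relevant parts of one router's configuration."""
    name: str
    wan: str              # address the other routers use in "set peer"
    psk: dict             # "crypto isakmp key <key> address <peer>": peer -> key
    transform_sets: dict  # "crypto ipsec transform-set <name> ...": name -> transforms
    acls: dict            # crypto ACLs: number -> list of (src_net, dst_net) permits
    crypto_map: dict      # "crypto map mesh <seq>": seq -> (peer, transform-set, acl)


DES_MD5 = ("esp-des", "esp-md5-hmac")

# Transcribed from Listings 6.10-6.12; wildcard masks written as /24 prefixes.
ROUTERS = [
    Router("Router-A", "10.0.30.200",
           {"10.0.30.201": "AandBkey", "10.0.30.202": "AandCkey"},
           {"routerb": DES_MD5, "routerc": DES_MD5},
           {100: [("192.168.10.0/24", "192.168.11.0/24")],
            101: [("192.168.10.0/24", "192.168.12.0/24")]},
           {10: ("10.0.30.201", "routerb", 100), 11: ("10.0.30.202", "routerc", 101)}),
    Router("Router-B", "10.0.30.201",
           {"10.0.30.200": "AandBkey", "10.0.30.202": "BandCkey"},
           {"routera": DES_MD5, "routerc": DES_MD5},
           {100: [("192.168.11.0/24", "192.168.10.0/24")],
            101: [("192.168.11.0/24", "192.168.12.0/24")]},
           {11: ("10.0.30.200", "routera", 100), 12: ("10.0.30.202", "routerc", 101)}),
    Router("Router-C", "10.0.30.202",
           {"10.0.30.201": "BandCkey", "10.0.30.200": "AandCkey"},
           {"routera": DES_MD5, "routerb": DES_MD5},
           {110: [("192.168.12.0/24", "192.168.10.0/24")],
            111: [("192.168.12.0/24", "192.168.11.0/24")]},
           {12: ("10.0.30.200", "routera", 110), 13: ("10.0.30.201", "routerb", 111)}),
]

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # assumption: what a current baseline rejects


def mirrored(a, b):
    """True when ACL a's (src, dst) permits are exactly ACL b's (dst, src) permits."""
    return sorted(a) == sorted((dst, src) for src, dst in b)


def check_mesh(routers):
    """Check every crypto map entry against the reciprocal entry on its peer."""
    findings = []
    by_wan = {r.wan: r for r in routers}
    for r in routers:
        for seq, (peer_addr, ts, acl) in r.crypto_map.items():
            peer = by_wan.get(peer_addr)
            if peer is None:
                findings.append(f"{r.name} seq {seq}: peer {peer_addr} is not in the mesh")
                continue
            back = [(s, e) for s, e in peer.crypto_map.items() if e[0] == r.wan]
            if not back:
                findings.append(f"{peer.name}: no crypto map entry back to {r.name}")
                continue
            if r.name > peer.name:
                continue  # each pair is compared once, from the lower-named router
            pseq, (_, pts, pacl) = back[0]
            key = r.psk.get(peer_addr)
            if key is None or key != peer.psk.get(r.wan):
                findings.append(f"{r.name}<->{peer.name}: pre-shared keys differ")
            if r.transform_sets[ts] != peer.transform_sets[pts]:
                findings.append(f"{r.name} seq {seq} / {peer.name} seq {pseq}: transform sets differ")
            if not mirrored(r.acls[acl], peer.acls[pacl]):
                findings.append(f"{r.name} acl {acl} / {peer.name} acl {pacl}: not mirror images")
    return findings


def legacy_transforms(routers):
    """Transform sets still built on DES/MD5, as 'router:set' strings."""
    return sorted(f"{r.name}:{n}" for r in routers
                  for n, ts in r.transform_sets.items() if set(ts) & LEGACY)


if __name__ == "__main__":
    print(check_mesh(ROUTERS) or "mesh is consistent")
    print(legacy_transforms(ROUTERS))
```

Run against the listings as written, check_mesh returns no findings, while legacy_transforms names all six transform sets; a mistyped key on one side or an ACL that no longer mirrors its partner shows up as a finding for that pair rather than as a Main Mode or Quick Mode failure in debug output later.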


