Site 2 Site VPNs

Advanced
CCIESECURITYv3
LABWORKBOOK
SitetoSiteVPN
NarbikKocharians
CCIE#12410
R&S,Security,SP
PiotrMatusiak
CCIE#19860
R&S,Security
www.MicronicsTraining.com
CCIESecurityLabWorkbook
TableofContents
LAB2.1.
BASICSITETOSITEIPSECVPNMAINMODE(IOSIOS) ................................................ 3
LAB2.2.
BASICSITETOSITEIPSECVPNAGGRESSIVEMODE(IOSIOS)................................ 21
LAB2.3.
BASICSITETOSITEVPNWITHNAT(IOSIOS).............................................................. 32
LAB2.4.
IOSCERTIFICATEAUTHORITY........................................................................................ 43
LAB2.5.
SITETOSITEIPSECVPNUSINGPKI(ASAASA) ........................................................... 50
LAB2.6.
SITETOSITEIPSECVPNUSINGPKI(IOSIOS) ............................................................. 59
LAB2.7.
SITETOSITEIPSECVPNUSINGPKI(STATICIPIOSASA)......................................... 66
LAB2.8.
SITETOSITEIPSECVPNUSINGPKI(DYNAMICIPIOSASA) .................................... 79
LAB2.9.
SITETOSITEIPSECVPNUSINGPSK(IOSASAHAIRPINNING)................................. 93
LAB2.10. SITETOSITEIPSECVPNUSINGEASYVPNNEM(IOSIOS)...................................... 103

LAB2.11. SITETOSITEIPSECVPNUSINGEASYVPNNEM (IOSASA).................................... 109
LAB2.12. SITETOSITEIPSECVPNUSINGEASYVPNWITHISAKMPPROFILES(IOSIOS)141
LAB2.13. GREOVERIPSEC................................................................................................................ 153
LAB2.14. DMVPNPHASE1 ................................................................................................................. 165
LAB2.15. DMVPNPHASE2(WITHEIGRP) ...................................................................................... 176
LAB2.16. DMVPNPHASE2(WITHOSPF)......................................................................................... 189
LAB2.17. DMVPNPHASE3(WITHEIGRP) ...................................................................................... 202
LAB2.18. DMVPNPHASE3(WITHOSPF)......................................................................................... 215
LAB2.19. DMVPNPHASE2DUALHUB(SINGLECLOUD) ........................................................... 231
LAB2.20. DMVPNPHASE2DUALHUB(DUALCLOUD)............................................................... 251
LAB2.21. GETVPN(PSK) .................................................................................................................... 278
LAB2.22. GETVPN(PKI)..................................................................................................................... 292
LAB2.23. GETVPNCOOP(PKI) ......................................................................................................... 304
CCIESecurity
AdvancedCCIESecurityv3.0
2010 MicronicsNetworking&TrainingInc.Allrightsreserved
Page2 of322
Lab2.1.
BasicSitetoSiteIPSecVPN
MainMode(IOSIOS)
LabSetup:
R1sF0/0andR2sG0/0interfaceshouldbeconfiguredinVLAN120
ConfigureTelnetonallroutersusingpasswordcisco
ConfigurestaticroutingonR1andR2tobeabletoreachLoopbackIP
addresses
IPAddressing:
Device
R1
Interface
Lo0
F0/0
F0/0
Lo0
R2
IPaddress
1.1.1.1/32
10.1.12.1/24
10.1.12.2/24
2.2.2.2/32
Task1
Configure basic Site to Site IPSec VPN to protect traffic between IP addresses
1.1.1.1and2.2.2.2usingthefollowingpolicy:
ISAKMPPolicy
Authentication:Preshared
Encryption:3DES
Hash:MD5
DHGroup:2
PSK:cisco123
IPSecPolicy
Encrytpion:ESP3DES
Hash:MD5
ProxyID:1.1.1.12.2.2.2
ISAKMP(InternetSecurity Associationand Key ManagementProtocol) isdefinedinRFC2408 and

itsaframeworkwhichdefinesthefollowing:
procedurestoauthenticateacommunicatingpeer
howtocreateandmanageSAs(SecurityAssociations)
keygenerationtechniques
threatmitigation(likeDoSandreplayattacks)
ISAKMPdoesnotspecify anydetailsofkeymanagementorkeyexchangeandisnotboundtoany
key generation technique. Inside of ISAKMP, Cisco uses Oakley for the key exchange protocol.
OakleyenablesyoutochoosebetweendifferentwellknownDH(DiffieHellman)groups.
CCIESecurity
Page3 of322
ISAKMPandOakleycreateanauthenticated,securetunnelbetweentwoentities,andthennegotiate
the SA for IPSec. Both peers must authenticate each other and establish shared key. There are
three authentication methods available: (1) RSA signatures (PKI), (2) RSA encrypted pseudo
random numbers (NONCES), and preshared keys (PSK). The DH protocol is used to agree on a
commonsessionkey.
IPSec usesadifferent shared keyfromISAKMP and Oakley.TheIPSecshared key can be derived
by using DH again to ensure PFS (Perfect Forward Secrecy) or by refreshing the shared secret
derivedfromtheoriginalDHexchange.
IKE is a hybrid protocol which establishes a shared security policy and authenticated keys for
servicesthatrequirekeys,suchasIPSec.BeforeIPSectunnelisestablished,eachdevicemust be
abletoidentify its peer.ISAKMP andIKE are both usedinterchangeably,however these two items
aresomewhatdifferent.
IKEPhase1 twoISAKMPpeersestablishasecure,authenticatedchannel.Thischannelis known
astehISAKMPSA.TherearetwomodesdefinedbyISAKMP:MainModeandAggressiveMode.
IKE Phase2 SAsare negotiated on behalf ofservicessuch asIPSec thatneeds keying material.
ThisphaseiscalledQuickMode.
To configure IKE Phase 1 you needto createISAKMP policies.Itispossible to configure multiple
policy statements with different configuration statements, and then let the two hosts come to an
agreement.
YoucanusetwomethodstoconfigureISAKMP(IKEPhase1):
I.UsingPSK:
1.
ConfigureISAKMPprotectionsuite(policy)
Specify what size modulus to use for DH calculation (group1: 768bits group2:
1024bitsgroup5:1536bits)
2.
Specifyahashingalgorithm(MD5orSHA)
SpecifythelifetimeoftheSA(inseconds)
Specifytheauthenticationmethod(PSK)
Specifyencryptionalgorithm(DES,3DES,AES)
ConfiguretheISAKMPpresharedkey(oneperpeer)
II.UsingPKI
1.
CreateanRSAkeyfortherouter
2.
RequestcertificateoftheCA
3.
Enrollcertificatesfortheclienrouter(certifyyourkeys)
4.
Configure ISKMP protection suite (policy) lak it is for PSK but specify rsasig as the
authenticationmethod
ToconfigureIPSec(IKEPhase2)dothefollowing:
1.
Create an extended ACL (determines interesting traffic the traffic that should be
2.
CreateIPSectransformsetlikeISAKMP policies,transformsetsarethesettingsuitesto
3.
Createcryptomaptobindallcomponentstogether:
protectedbyIPSec)
choosefrom
4.
CCIESecurity
SpecifypeerIPaddress
SpecifySAlifetime(forIPSecSAs)
Specifytransformsets
SpecifytheACLtomatchinterestingtraffic
Applythecryptomaptoanegressinterface
Page4 of322
OnR1
R1(config)#cryptoisakmppolicy10
R1(configisakmp)#encr3des
R1(configisakmp)#hashmd5
R1(configisakmp)#authenticationpreshare
R1(configisakmp)#group2
R1(configisakmp)#cryptoisakmpkeycisco123address10.1.12.2
Becarefulofusingleadingspacesinpresharedkeyvalue.
Itmaycomplicateseriouslyyourlabexam.Rememberthatthepresharedkeyvaluemust
bethesameatthebothsideofaIPSECtunnel.
R1(config)#cryptoipsectransformsetTSETesp3desespmd5hmac
R1(cfgcryptotrans)#cryptomapCMAP10ipsecisakmp
%NOTE:Thisnewcryptomapwillremaindisableduntilapeer
andavalidaccesslisthavebeenconfigured.
R1(configcryptomap)#setpeer10.1.12.2
R1(configcryptomap)#settransformsetTSET
R1(configcryptomap)#matchaddress120
R1(configcryptomap)#accesslist120permitiphost1.1.1.1host2.2.2.2
R1(config)#intf0/0
R1(configif)#cryptomapCMAP
R1(configif)#exi
R1(config)#
%CRYPTO6ISAKMP_ON_OFF:ISAKMPisON
ISAKMPisenabledandworking.TherouterwillbeprocessingIKEpackets
(UDPprotocol,port500)forestablishingISAKMPauxiliarytunnelwhichwillbeused
tonegotiatesecurelyparametersofanIPSectunnel.
R1(config)#
OnR2
R2(config)#intg0/0
R2(configif)#exi
R2(config)#
DetailedverificationonR1
LetsperformsomedebugingtoseewhatsexactlygoingonduringIPSectunnel
establishment.Thebesttwodebugsare:debugcryptoisakmpanddebugcryptoipsec.
Toactuallyseesomethingweneedtopassinterestingtraffic(definedbycryptoACL)
whichwilltriggerISAKMPprocess.
R1#debcryptoisakmp
CryptoISAKMPdebuggingison
R1#debcryptoipsec
CryptoIPSECdebuggingison
CCIESecurity
Page5 of322
R1#ping2.2.2.2solo0
Typeescapesequencetoabort.
Sending5,100byteICMPEchosto2.2.2.2,timeoutis2seconds:
Packetsentwithasourceaddressof1.1.1.1
.!!!!
Successrateis80percent(4/5),roundtripmin/avg/max=1/3/4ms
R1#
ThefirstICMPpackettriggersISAKMPprocessasthisisourinterestingtraffic
matchingourACL.BeforeactuallystartsendingIKEpacketstothepeertherouter
firstchecksifthereisanylocalSA(SecurityAssociation)matchingthattraffic.
NotethatthischeckisagainstIPSecSAnotIKESA.
OK,noSAmeanstheremustbeIKEpacketsendout.
IPSEC(sa_request):,
(keyeng.msg.)OUTBOUNDlocal=10.1.12.1,remote=10.1.12.2,
local_proxy=1.1.1.1/255.255.255.255/0/0(type=1),
remote_proxy=2.2.2.2/255.255.255.255/0/0(type=1),
protocol=ESP,transform=esp3desespmd5hmac(Tunnel),
lifedur=3600sand4608000kb,
spi=0x0(0),conn_id=0,keysize=0,flags=0x0
ISAKMP:(0):SArequestprofileis(NULL)
TherouterhastriedtofindanyIPSecSA
matchingoutgoingconnectionbutnovalid
SAhasbeenfoundinSecurityAssociation
Database(SADB)ontherouter.
ISAKMP:Createdapeerstructfor10.1.12.2,peerport500
ISAKMP:Newpeercreatedpeer=0x49E25A08peer_handle=0x80000003
ISAKMP:Lockingpeerstruct0x49E25A08,refcount1forisakmp_initiator
ISAKMP:localport500,remoteport500
ISAKMP:setnewnode0toQM_IDLE
IKEPhase1(MainMode)message1
Bydefault, IKE MainModeisused so weshouldexpect6packetsfor PhaseI.Thereis amessage
sayingthatAggressiveModecannotstart,howeveritdoesnotmeanthatthereissomeerror,itjust
meansthatAggressiveMOdeisnotconfiguredonthelocalrouter.
Then, the router checks ISAKMP policy configured and sees that there is PSK (PreShared Key)
authenticationconfigured.Itmustcheckifthereisakeyforthepeerconfiguredaswell.
Afterthatthe1stIKEpacketissendouttothepeer'sIPaddressonportUDP500whichisdefault.
The packet contains locally configured ISAKMP policy (or policies if many) to be chosen by the
peer.
ISAKMP:(0):insertsasuccessfullysa=48C5EC5C
ISAKMP:(0):CannotstartAggressivemode,tryingMainmode.
ISAKMP:(0):foundpeerpresharedkeymatching10.1.12.2
TherouterhasstartedIKE
MainMode(itisa
default)
Presharedkeyforremote
peerhasbeenfound.ISKMP
willuseitto
authenticatethepeer
duringoneofthelast
stagesofIKEPhase1.
ISAKMP:(0):constructedNATTvendorrfc3947ID
ISAKMP:(0):constructedNATTvendor07ID
ISAKMP:(0):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_MM
ISAKMP:(0):OldState=IKE_READYNewState=IKE_I_MM1
ISAKMP:(0):beginningMainModeexchange
ISAKMP:(0):sendingpacketto10.1.12.2my_port500peer_port500(I)MM_NO_STATE
TherouterinitiatingIKEexchangeiscalledtheinitiator.
TherouterrespondingtoIKErequestiscalledtheresponder.
Theinitiator(R1)hassentISAKMPpolicyalongwithvendorspecific
IDswhichareapartofIKEpacketpayload.MM_NO_STATEindicates
thatISAKMPSAhasbeencreated,butnothingelsehashappenedyet.
CCIESecurity
Page6 of322
ISAKMP:(0):SendinganIKEIPv4Packet.
OK,seemseverytingisgoingsmooth,wehavegotaresponsepacketfromthepeer.Thisisthefirst
place where something could go wrong and this is most common issue when configuring VPNs.
ThereceivedpacketcontainsSAchosenbythepeerandsomeotheusefulinformationlikeVendor
IDs. Those vendor specific payloads are used to discover NAT along the path and maintain
keepalives (DPD). The routermatches ISAKMP policy from the packet to one locally configured. If
there is a match, the tunnel establishment process continues. If the policy configured on both
routersisnotthesame,thecrosscheckprocessfailsandthetunnelisdown.
ISAKMP(0):receivedpacketfrom10.1.12.2dport500sport500Global(I)MM_NO_STATE
Theresponder(R2)hasrespondedwithIKEpacketthatcontainsnegotiated
ISAKMPpolicyalongwithitsvendorspecificIDs.NotethattheIKEMainMode
stateisstillMM_NO_STATE.
ISAKMP:(0):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCH
ISAKMP:(0):OldState=IKE_I_MM1NewState=IKE_I_MM2
ISAKMP:(0):processingSApayload.messageID=0
ISAKMP:(0):processingvendoridpayload
ISAKMP:(0):vendorIDseemsUnity/DPDbutmajor69mismatch
ISAKMP(0):vendorIDisNATTRFC3947
ISAKMP:(0):localpresharedkeyfound
ISAKMP:Scanningprofilesforxauth...
ISAKMP:(0):CheckingISAKMPtransform1againstpriority10policy
ISAKMP:encryption3DESCBC
ISAKMP:hashMD5
ISAKMP:defaultgroup2
ISAKMP:authpreshare
ISAKMP:lifetypeinseconds
ISAKMP:lifeduration(VPI)of0x00x10x510x80
ISAKMP:(0):attsareacceptable.Nextpayloadis0
TherouterisprocessingISAKMPparametersthathavebeensentasthereply.
VendorIDsareprocessedtodetermineifpeersupportse.g.NATTraversal,Dead
PeerDetectionfeature.ISAKMPpolicyischeckedagainstpoliciesdefined
locally.
attsareacceptableindicatesthatISAKMPpolicymatcheswithremotepeer.
Rememberthatcomparingthepolicythathasbeenobtainedfromremotepeerwith
locallydefinedpolicesstartingfromthelowestindex(number)ofpolicy
definedintherunningconfig.
ISAKMP:(0):Acceptableatts:actuallife:0
ISAKMP:(0):Acceptableatts:life:0
ISAKMP:(0):Fillattsinsavpi_length:4
ISAKMP:(0):Fillattsinsalife_in_seconds:86400
ISAKMP:(0):ReturningActuallifetime:86400
ISAKMP:(0)::Startedlifetimetimer:86400.
Thelifetimetimerhasbeenstarted.Notethatdefaultvalueoflifetimeis
used(86400seconds).ThisislifetimeforISKMPSA.NotethatIPSECSAshave
theirownlifetimeparameterswhichmaybedefinedasnumberofsecondsor
kilobytesoftrasmittedtraffic.
ISAKMP:(0):Input=IKE_MESG_INTERNAL,IKE_PROCESS_MAIN_MODE
CCIESecurity
Page7 of322
The third message is sent out containing KE (Key Exchange) information for DH (DiffieHellman)
securekeyexchangeprocess.
ISAKMP:(0):sendingpacketto10.1.12.2my_port500peer_port500(I)MM_SA_SETUP
ISAKMP:(0):Input=IKE_MESG_INTERNAL,IKE_PROCESS_COMPLETE
4thmessagehasbeenreceivedfromthepeer.ThismessagecontainsKEpayloadandbaseonthat
information both peers can generate a common session key to be used in securing further
communication.Thepresharedkeyconfiguredlocallyforthepeerisusedinthiscalculation.
AfterreceivingthismessagepeerscanalsobeabletodetermineifthereisaNATalongthepath.
ISAKMP(0):receivedpacketfrom10.1.12.2dport500sport500Global(I)MM_SA_SETUP
MM_SA_SETUPidicatesthatthepeershaveagreedonparametersfortheISAKMPSA.
ISAKMP:(0):processingKEpayload.messageID=0
ISAKMP:(0):processingNONCEpayload.messageID=0
ISAKMP:(1002):vendorIDisUnity
ISAKMP:(1002):vendorIDisDPD
ISAKMP:(1002):speakingtoanotherIOSbox!
ISAKMP:receivedpayloadtype20
ISAKMP(1002):HishashnomatchthisnodeoutsideNAT
ISAKMP(1002):NoNATFoundforselforpeer
Fifth message is used for sending out authentication information the peer. This information is
transmittedundertheprotectionofthecommonsharedsecret.
ISAKMP:(1002):Sendinitialcontact
ISAKMP:(1002):SAisdoingpresharedkeyauthenticationusingidtypeID_IPV4_ADDR
ISAKMP(1002):IDpayload
nextpayload:8
type:1
address:10.1.12.1
protocol:17
port:500
length:12
ISAKMP:(1002):Totalpayloadlength:12
ISAKMP:(1002):sendingpacketto10.1.12.2my_port500peer_port500(I)MM_KEY_EXCH
MM_KEY_EXCHindicatesthatthepeershaveexchangedDiffieHellmanpublickeys
andhavegeneratedasharedsecret.TheISAKMPSAremainsunauthenticated.Note
thattheprocessofauthenticationhasbeenjuststarted.
CCIESecurity
Page8 of322
ThepeeridentityisverifiedbythelocalrouterandSAisestablished.
This message finishes ISAKMP Main Mode (Phase I) and the status is changed to
IKE_P1_COMPLETE.
ISAKMP(1002):receivedpacketfrom10.1.12.2dport500sport500Global(I)MM_KEY_EXCH
Notethattheprocessofpeerauthenticatonisstillinprogress(MM_KEY_EXCH).
RememberthatthereisalsooneIKEMainModestatewhichisnotvisibleinthe
debugoutput.ItisMM_KEY_AUTHwhichindicatesthattheISAKMPSAhasbeen
authenticated.Iftherouterinitiatedthisexchange,thisstatetransitions
immediatelytoQM_IDLEandaQuickmodeexchangebegins.
ISAKMP:(1002):processingIDpayload.messageID=0
nextpayload:8
type:1
address:10.1.12.2
protocol:17
port:500
length:12
ISAKMP:(0)::peermatches*none*oftheprofiles
ISAKMP:(1002):processingHASHpayload.messageID=0
ISAKMP:(1002):SAauthenticationstatus:
authenticated
ISAKMP:(1002):SAhasbeenauthenticatedwith10.1.12.2
ISAKMP:Tryingtoinsertapeer10.1.12.1/10.1.12.2/500/,andinsertedsuccessfully49E25A08.
Thepeerhasbeenauthenticatednow.NotethatSAnumberhasbeengeneratedand
insertedintoSADBalongwiththeinformationrelevanttothepeerwhichhasbeen
agreedduringIKEMainMode.
ISAKMP:(1002):OldState=IKE_I_MM6 NewState=IKE_P1_COMPLETE
IKEPhase2(QuickMode)message1
Now its time for Phase II which is Quick Mode (QM). The router sends out the packet containing
localProxyIDs(network/hosts addresses tobeprotectedbytheIPSectunnel) andsecurity policy
defindebytheTransformSet.
ISAKMP:(1002):beginningQuickModeexchange,MIDof680665262
ISAKMP:(1002):QMInitiatorgetsspi
ISAKMP:(1002):sendingpacketto10.1.12.2my_port500peer_port500(I)QM_IDLE
ISAKMP:(1002):Node680665262,Input=IKE_MESG_INTERNAL,IKE_INIT_QM
ISAKMP:(1002):OldState=IKE_QM_READYNewState=IKE_QM_I_QM1
ISAKMP:(1002):Input=IKE_MESG_INTERNAL,IKE_PHASE1_COMPLETE
ISAKMP:(1002):OldState=IKE_P1_COMPLETENewState=IKE_P1_COMPLETE
Second QMmessageisaresponsefromthepeer.ItcontainsIPSecpolicychosenbythepeerand
peersproxyID.ThisisanextplacewheresomethingcangowrongiftheProxyIDsaredifferenton
bothsidesofthetunnel.TheroutercrosschecksifitsProxyIDisamirroredpeersProxyID.
ISAKMP(1002):receivedpacketfrom10.1.12.2dport500sport500Global(I)QM_IDLE
CCIESecurity
Page9 of322
ThestateofIKEisQM_IDLE.ThisindicatesthattheISAKMPSAisidle.It
remainsauthenticatedwithitspeerandmaybeusedforsubsequentquickmode
exchanges.Itisinaquiescentstate.
ISAKMP:(1002):CheckingIPSecproposal1
ISAKMP:transform1,ESP_3DES
ISAKMP:attributesintransform:
ISAKMP:encapsis1(Tunnel)
ISAKMP:SAlifetypeinseconds
ISAKMP:SAlifeduration(basic)of3600
ISAKMP:SAlifetypeinkilobytes
ISAKMP:SAlifeduration(VPI)of0x00x460x500x0
ISAKMP:authenticatorisHMACMD5
ISAKMP:(1002):attsareacceptable.
TheroutersarenegotiatingparametersforIPSectunnelwhichwillbeusedfor
traffictransmission.Theseparametersaredefinedbycryptoipsectransformset
command.NotethatlifetimevaluesofIPSecSAarevisibleatthismoment.Youare
abletosetitboth:globallyorinthecryptomapentry.
AttrareacceptableindicatesthatIPSecparametersdefinedasIPSectransform
setmatchatthebothsides.
IPSEC(validate_proposal_request):proposalpart#1
IPSEC(validate_proposal_request):proposalpart#1,
(keyeng.msg.)INBOUNDlocal=10.1.12.1,remote=10.1.12.2,
local_proxy=1.1.1.1/255.255.255.255/0/0(type=1),
protocol=ESP,transform=NONE(Tunnel),
lifedur=0sand0kb,
Cryptomapdb:proxy_match
srcaddr:1.1.1.1
dstaddr:2.2.2.2
protocol:0
srcport:0
dstport:0
Thelocalandremoteproxyaredefined.Thisindicatessourcesanddestinationsset
incryptoACLwhichdefinestheinterestingtrafficfortheIPSectunnel.Remember
thatthecryptoACLatthebothsidesofthetunnelmustbemirrored.Ifnot,you
maygetthefollowingentryinthedebugoutput:IPSEC(initialize_sas):invalid
proxyIDs.
ISAKMP:(1002):CreatingIPSecSAs
inboundSAfrom10.1.12.2to10.1.12.1(f/i)0/0
(proxy2.2.2.2to1.1.1.1)
hasspi0xB7629AFDandconn_id0
lifetimeof3600seconds
lifetimeof4608000kilobytes
outboundSAfrom10.1.12.1to10.1.12.2(f/i)0/0
(proxy1.1.1.1to2.2.2.2)
hasspi0xC486083Candconn_id0
TheIPSecSAhavebeencreatedandinsertedintherouterssecurityassociations
database(SADB).SAsaredistingusthedbySPIvalueswhicharealsousedto
differentiatemanytunnelsterminatedonthesamerouter.NotethattwoSPIvaluesare
generatedforonetunnel:oneSPIforinboundSAandoneSPIforoutboundSA.SPI
valueisinsertedintheESPheaderofthepacketleavingtherouter.Atthesecond
sideofthetunnel,SPIvalueinsertedintotheESPheaderenablestheroutertoreach
parametersandkeyswhichhavebeendynamicalyagreedduringIKEnegotiationsor
sessionkeyrefreshmentincaseoflifetimetimeout.TheSPIvalueisanindexof
entitiesintheroutersSADB.
CCIESecurity
Page10of322
ThelastmessagefinishesQM.UponcompletionofPhaseIIIPsec sessionkeyisderivedfromnew
DHsharedsecret.ThissessionkeywillbeusedforencryptionuntilIPSectimerexpires.
ISAKMP:(1002):deletingnode680665262errorFALSEreason"NoError"
ISAKMP:(1002):Node680665262,Input=IKE_MESG_FROM_PEER,IKE_QM_EXCH
ISAKMP:(1002):OldState=IKE_QM_I_QM1NewState=IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine):gotaqueueeventwith1KMImessage(s)
srcaddr:1.1.1.1
dstaddr:2.2.2.2
protocol:0
srcport:0
dstport:0
IPSEC(crypto_ipsec_sa_find_ident_head):reconnectingwiththesameproxiesandpeer10.1.12.2
IPSEC(policy_db_add_ident):src1.1.1.1,dest2.2.2.2,dest_port0
IPSEC(create_sa):sacreated,
(sa)sa_dest=10.1.12.1,sa_proto=50,
sa_spi=0xB7629AFD(3076692733),
sa_trans=esp3desespmd5hmac,sa_conn_id=2003
sa_lifetime(k/sec)=(4449173/3600)
sa_spi=0xC486083C(3297118268),
IPSEC(update_current_outbound_sa):updatedpeer10.1.12.2currentoutboundsatoSPIC486083C
R1#
Allthenegotiationshavebeencompleted.Thetunnelisupandreadytopassthe
traffic.
FirstISAKMPpackethitstherouter.Itcomesfromport500totheport500.ThetransportisUDP.
This packet contains ISAKMP policy (or policies) which are configured on remote peer. The local
router needs to choose one which matches locally configured policy. This process is going until
first match, so from a security perspective it is important to put more secure policy suites at the
beginning(thecryptoisakmppolicy<ID>determinestheorder).
ThisdebugoutputpresentstheIKEnegotiationfromtheresponderpointofview.Only
themostinterestingentiresornonpresentindebugoftheinitiatorareremarkedand
commented.
ISAKMP(0):receivedpacketfrom10.1.12.1dport500sport500Global(N)NEWSA
ISAKMP:Newpeercreatedpeer=0x48AE852Cpeer_handle=0x80000002
ISAKMP:Lockingpeerstruct0x48AE852C,refcount1forcrypto_isakmp_process_block
ISAKMP:(0):insertsasuccessfullysa=487BE048
ISAKMP:(0):OldState=IKE_READYNewState=IKE_R_MM1
ISAKMP(0):vendorIDisNATTv7
CCIESecurity
Page11of322
ISAKMP:(0):vendorIDisNATTv3
ISAKMP:hashMD5
ISAKMP:authpreshare
ISAKMP:(0):OldState=IKE_R_MM1NewState=IKE_R_MM1
The router sends back ISAKMP packet containing chosen ISAKMP policy. There are also other
payloadsattachedtothatmessagelikeVendorID(DPD,NATT).
ISAKMP:(0):sendingpacketto10.1.12.1my_port500peer_port500(R)MM_SA_SETUP
Nowrouterreceives packetcontainingKEpayload.Thisis DiffieHellmanexchangetakingplaceto
generate session key in secure manner. After receviing this packet the routers knows if there is
NATTraversalawaredeviceontheotherendandifNAThasbeendiscoveredalongthepath.
ISAKMP(0):receivedpacketfrom10.1.12.1dport500sport500Global(R)MM_SA_SETUP
CCIESecurity
Page12of322
VendorspecificIDsintheIKEpacketpayloadtelltherouterthatitisnegotiating
theISAKMPSAwithIOSrouter.
ISAKMP:(1001):vendorIDisXAUTH
NATDpayloadsexchangedduringNATDiscoveryprocesstelltheroutersattheboth
endsthatnoNATdevicehasbeenfoundbetweenthepeers.
LocalroutersendsoutmessagewithitsKEpayloadtofinishDHexchange.
ISAKMP:(1001):sendingpacketto10.1.12.1my_port500peer_port500(R)MM_KEY_EXCH
th
Peerauthenticationtakingplaceuponreceiving5 message.
ISAKMP(1001):receivedpacketfrom10.1.12.1dport500sport500Global(R)MM_KEY_EXCH
nextpayload:8
type:1
address:10.1.12.1
protocol:17
port:500
length:12
ISAKMP:(1001):processingNOTIFYINITIAL_CONTACTprotocol1
spi0,messageID=0,sa=487BE048
authenticated
authenticated
ISAKMP:(1001):Processinitialcontact,
bringdownexistingphase1and2SA'swithlocal10.1.12.2remote10.1.12.1remoteport500
ISAKMP:Tryingtoinsertapeer10.1.12.2/10.1.12.1/500/,andinsertedsuccessfully48AE852C.
CCIESecurity
Page13of322
ThepeeridentityisverifiedbythelocalrouterandSAisestablished.
This message finishes ISAKMP Main Mode (Phase I) and the status is changed to
IKE_P1_COMPLETE.
nextpayload:8
type:1
address:10.1.12.2
protocol:17
port:500
length:12
ISAKMP:(1001):OldState=IKE_R_MM5NewState=IKE_P1_COMPLETE
AftercompletingPhase1therouterreceivesfirstpacketforQuickMode(Phase2).
The packet contains peers Proxy IDs (network/hosts addresses to be protected by the IPSec
tunnel) and security policy defined by the Transform Set. This must be checked agains local
configuration. If there is a match (crypto ACLs are mirrored and the IPSec encryption and
authenticationalgorithmsareagreed)theroutercontinuesPhase2.
ISAKMP(1001):receivedpacketfrom10.1.12.1dport500sport500Global(R)QM_IDLE
local_proxy=2.2.2.2/255.255.255.255/0/0(type=1),
lifedur=0sand0kb,
srcaddr:2.2.2.2
dstaddr:1.1.1.1
protocol:0
srcport:0
dstport
:0
ISAKMP:(1001):QMRespondergetsspi
ISAKMP:(1001):OldState=IKE_QM_READYNewState=IKE_QM_SPI_STARVE
(proxy1.1.1.1to2.2.2.2)
CCIESecurity
Page14of322
hasspi0xE272C715andconn_id0
(proxy2.2.2.2to1.1.1.1)
hasspi0x3E8C462andconn_id0
ThelocalroutersendsoutitsProxyIDsandIPSecpolicytotheremotepeer.
ISAKMP:(1001):sendingpacketto10.1.12.1my_port500peer_port500(R)QM_IDLE
ISAKMP:(1001):Node584676094,Input=IKE_MESG_INTERNAL,IKE_GOT_SPI
ISAKMP:(1001):OldState=IKE_QM_SPI_STARVENewState=IKE_QM_R_QM2
srcaddr:2.2.2.2
dstaddr:1.1.1.1
protocol:0
srcport:0
dstport:0
sa_spi=0xE272C715(3799172885),
sa_spi=0x3E8C462(65586274),
ThelastmessagefinishesQM.UponcompletionofPhaseIIIPsec sessionkeyisderivedfromnew
DHsharedsecret.ThissessionkeywillbeusedforencryptionuntilIPSectimerexpires.
ISAKMP:(1001):deletingnode584676094errorFALSEreason"QMdone(await)"
ISAKMP:(1001):OldState=IKE_QM_R_QM2NewState=IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine_enable_outbound):rec'denablenotifyfromISAKMP
IPSEC(key_engine_enable_outbound):enableSAwithspi65586274/50
IPSEC(update_current_outbound_sa):updatedpeer10.1.12.1currentoutboundsatoSPI3E8C462
R2#
Verification
After establishing IPSec tunnel, we should see one ISAKMP SA and two IPSec SAs. This can be
easily seen when entering the command show crypto engine connections active. There
aretwousefulcommandstoverifyIPSecVPNs:
showcryptoisakmpsa displaysISAKMMP SA andgivesusinformationaboutstateofthe
tunnelestablishment.QM_IDLEstatemeansQuickMode(Phase2)hasbeenfininshed.Ifsomething
CCIESecurity
Page15of322
goeswrong,thestateshouldgiveusinformationwhatphaseormessagehasgeneratedanerror.
show crypto ipsec sa displays IPSec SAs (inbound and outbound) and gives us
information about Proxy IDs and number of packets being encrypted/decrypted. Inboud and
outbound SA are describedbySPI(SecurityParametersIndex)whichiscarried inESP/AHheader
and allows router to differentiate between IPSec tunnels. Inbound SPI must be the same as
OutboundSPIonthepeerrouter.
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
dstsrcstateconnidstatus
10.1.12.2
10.1.12.1QM_IDLE1002ACTIVE
ThisisthenormalstateofestablishedIKEtunnel.
IPv6CryptoISAKMPSA
R1#shcryptoisakmpsadetail
Codes:CIKEconfigurationmode,DDeadPeerDetection
KKeepalives,NNATtraversal
TcTCPencapsulation,XIKEExtendedAuthentication
pskPresharedkey,rsigRSAsignature
rencRSAencryption
IPv4CryptoISAKMPSA
CidLocalRemoteIVRFStatusEncrHashAuthDHLifetimeCap.
100210.1.12.110.1.12.2ACTIVE3desmd5psk2 23:57:08
Engineid:Connid=SW:2
NegotiatedISAKMPpolicyisvisible.Thiscommandisusefultofigureoutwhichpolicy
hasbeenusedforestablishingtheIKEtunnelwhenthereareseveralpolicesmatching
atthebothsides.
IPv6CryptoISAKMPSA
R1#shcryptoipsecsa
interface:FastEthernet0/0
Cryptomaptag:CMAP,localaddr10.1.12.1
Thiscommandshowsinformationregardingtheinterfacesanddefinedcrypto.
protectedvrf:(none)
localident(addr/mask/prot/port):(1.1.1.1/255.255.255.255/0/0)
remoteident(addr/mask/prot/port):(2.2.2.2/255.255.255.255/0/0)
current_peer10.1.12.2port500
Theproxies(sourceanddestinationofinteresitngtraffic)aredisplayed.0/0after
IPaddressandnetmaskindicatesthatIPprotocolistransportedinthetunnel.
PERMIT,flags={origin_is_acl,}
#pktsencaps:4,#pktsencrypt:4,#pktsdigest:4
#pktsdecaps:4,#pktsdecrypt:4,#pktsverify:4
VeryimportantoutputusefullfortheIPSecdebuggingandtroubleshooting.
Thisindicatesthatoutgoingpacketsare:encapsulatedbyESP,encryptedanddigested
(thehashhasbeenmadetodiscoveranyalterations).Thesecondmarkedlineindicates
thatincommingpacketsare:decapsulated(theIPSecheaderhavebeenextracted),
decryptedandhash/digesthasbeenverified.
#pktscompressed:0,#pktsdecompressed:0
#pktsnotcompressed:0,#pktscompr.failed:0
#pktsnotdecompressed:0,#pktsdecompressfailed:0
#senderrors1,#recverrors0
ThisoutputisrelevantonlywhencompressionofIPSecpacketsisenabledinthe
transformset.
localcryptoendpt.:10.1.12.1,remotecryptoendpt.:10.1.12.2
pathmtu1500,ipmtu1500,ipmtuidbFastEthernet0/0
currentoutboundspi:0xC486083C(3297118268)
PFS(Y/N):N,DHgroup:none
CCIESecurity
Page16of322
IfPFS(PerfectForwardSecrecy)hasbeenenabledthenthelineaboveindicatesthat
alongwithconfiguredDiffieHellmangroup.
inboundespsas:
spi:0xB7629AFD(3076692733)
transform:esp3desespmd5hmac,
inusesettings={Tunnel,}
connid:2003,flow_id:NETGX:3,sibling_flags80000046,cryptomap:CMAP
satiming:remainingkeylifetime(k/sec):(4449172/3420)
IVsize:8bytes
replaydetectionsupport:Y
Status:ACTIVE
ThisoutputcontainsusefulinformationrelevanttounidirectionalSA.Thisshowsthe
following:usedIPSecprotocol(ESP),SPIvalue,usedtransformset(encryption
algorithmalongwithhashfunction),ESPmode(tunnelortransport),connectionID,
cryptomapandlifetimevaluesinsecondandkilobyteswhichremainstosessionkey
refreshment(tunnelwillbeterminatedinsteadofkeyrefreshmentifnopacketsneed
tobetransportedviatunnelwhenSAexpired).
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xC486083C(3297118268)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R1#shcryptoipsecsaidentity
protectedvrf:(none)
current_peer(none)port500
DENY,flags={ident_is_root,}
protectedvrf:(none)
R1#shcryptoipsecsaaddress
fvrf/address:(none)/10.1.12.1
protocol:ESP
spi:0xB7629AFD(3076692733)
CCIESecurity
Page17of322
IVsize:8bytes
Status:ACTIVE
protocol:ESP
spi:0xC486083C(3297118268)
IVsize:8bytes
Status:ACTIVE
R1#shcryptoengineconnectionsactive
CryptoEngineConnections
IDType
AlgorithmEncryptDecryptIPAddress
1002IKEMD5+3DES0010.1.12.1
2003 IPsec3DES+MD50410.1.12.1
2004 IPsec3DES+MD54010.1.12.1
OneIPSectunnelhasthreeSAoneofIKEtunnelandtwoofIPSectunnelusedfor
trafficencryption.
R1#shcryptoengineconnectionsdh
NumberofDH'spregenerated=2
DHlifetime=86400seconds
SoftwareCryptoEngine:
ConnStatusGroupTimeleft
1Used
Group2
85948
TheDiffieHellmangroupandthetimethatremainstonextDHkeygeneration.
VerificationperformedonR2(Theresponder).
R2#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.210.1.12.1QM_IDLE1002ACTIVE
IPv6CryptoISAKMPSA
rencRSAencryption
IPv4CryptoISAKMPSA
100210.1.12.2
10.1.12.1ACTIVE3desmd5psk2 23:55:03
IPv6CryptoISAKMPSA
R2#shcryptoipsecsa
protectedvrf:(none)
CCIESecurity
Page18of322
currentoutboundspi:0xB7629AFD(3076692733)
inboundespsas:
spi:0xC486083C(3297118268)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB7629AFD(3076692733)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protocol:ESP
spi:0xC486083C(3297118268)
IVsize:8bytes
Status:ACTIVE
protocol:ESP
spi:0xB7629AFD(3076692733)
IVsize:8bytes
Status:ACTIVE
protectedvrf:(none)
CCIESecurity
Page19of322
protectedvrf:(none)
IDTypeAlgorithmEncryptDecryptIPAddress
1002IKEMD5+3DES0010.1.12.2
2003 IPsec3DES+MD50410.1.12.2
2004 IPsec3DES+MD54010.1.12.2
CCIESecurity
Page20of322
Lab2.2.
BasicSitetoSiteIPSecVPN
AggressiveMode(IOSIOS)
LabSetup:
ConfigurestaticroutingonR1andR2tobeabletoreachLoopbackIP
addresses
IPAddressing:
Device
R1
Interface
Lo0
F0/0
F0/0
Lo0
R2
IPaddress
1.1.1.1/32
10.1.12.1/24
10.1.12.2/24
2.2.2.2/32
Task1
Configure basic Site to Site IPSec VPN to protect traffic between IP addresses
ISAKMPPolicy
Encryption:3DES
Hash:MD5
DHGroup:2
IPSecPolicy
Encrytpion:ESP3DES
Hash:MD5
ProxyID:1.1.1.12.2.2.2
Your solution must use only three messages during IKE Phase 1 SA establisment.
PeerauthenticationshouldusepasswordofAggressive123.
AggressiveModesqueezestheIKESA negotiationintothreepackets,withalldatarequiredforthe
SA passed by the initiator. The responder sends the proposal, key material and ID, and
authenticates the session in the next packet. The initiator replies by authenticating the session.
Negotiationisquicker,andtheinitiatorandresponderIDpassintheclear.
OnR1
CCIESecurity
Page21of322
R1(config)#cryptoisakmppeeraddress10.1.12.2
R1(configisakmppeer)#setaggressivemodeclientendpointipv4address10.1.12.2
R1(configisakmppeer)#setaggressivemodepasswordAggressive123
ThetunnelpasswordandtheclientendpointtypeIDforIKEAggressiveMode.
Theclientendpointparametermaybethefollowing:ipv4address(theipaddress,
ID:ID_IPV4),fqdn(thefullyqualifieddomainname,ID:ID_FQDN),userfqdn(email
address,ID:ID_USER_FQDN).ThesetypesofclientendpointIDsaretranslatedtothe
correspondingIDtypeintheInternetKeyExchange(IKE).
R1(configisakmppeer)#cryptoipsectransformsetTSETesp3desespmd5hmac
R1(config)#intf0/0
R1(configif)#exi
OnR2
R2(config)#cryptoisakmppeeraddress10.1.12.1
R2(configisakmppeer)#setaggressivemodeclientendpointipv4address10.1.12.1
R2(configisakmppeer)#setaggressivemodepasswordAggressive123
R2(configisakmppeer)#cryptoipsectransformsetTSETesp3desespmd5hmac
R2(config)#intg0/0
R2(configif)#exi
Verification
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.2
IPv6CryptoISAKMPSA
ISAKMPSAhasbeennegotiatedandIKEtunnelissetupandactive.
R1#shcryptoipsecsa
protectedvrf:(none)
CCIESecurity
Page22of322
currentoutboundspi:0xD18E8F5F(3515780959)
inboundespsas:
spi:0xE40153C8(3825292232)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD18E8F5F(3515780959)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
IPSecSAshavebeennegotiated.Thetunnelisup.
protectedvrf:(none)
protectedvrf:(none)
CCIESecurity
Page23of322
protocol:ESP
spi:0xE40153C8(3825292232)
IVsize:8bytes
Status:ACTIVE
protocol:ESP
spi:0xD18E8F5F(3515780959)
IVsize:8bytes
Status:ACTIVE
1001IKEMD5+3DES0010.1.12.1
2001 IPsec3DES+MD50410.1.12.1
2002 IPsec3DES+MD54010.1.12.1
R2#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.210.1.12.1QM_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
rencRSAencryption
IPv4CryptoISAKMPSA
100110.1.12.210.1.12.1ACTIVE3desmd5psk2 23:52:03
IPv6CryptoISAKMPSA
R2#shcryptoipsecsa
protectedvrf:(none)
currentoutboundspi:0xE40153C8(3825292232)
inboundespsas:
spi:0xD18E8F5F(3515780959)
CCIESecurity
Page24of322
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xE40153C8(3825292232)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
protectedvrf:(none)
protocol:ESP
spi:0xD18E8F5F(3515780959)
IVsize:8bytes
Status:ACTIVE
protocol:ESP
spi:0xE40153C8(3825292232)
IVsize:8bytes
CCIESecurity
Page25of322
Status:ACTIVE
1001IKEMD5+3DES
0010.1.12.2
2001 IPsec3DES+MD50410.1.12.2
2002 IPsec3DES+MD54010.1.12.2
R1#debcryisak
R1#debcryips
CryptoIPSECdebuggingison
R1#
R1#ping2.2.2.2solo0
.!!!!
R1#
IPSEC(sa_request):,
(keyeng.msg.)OUTBOUNDlocal=10.1.12.1,remote=10.1.12.2,
local_proxy=1.1.1.1/255.255.255.255/0/0(type=1),
protocol=ESP,transform=esp3desespmd5hmac(Tunnel),
lifedur=3600sand4608000kb,
ISAKMP:Newpeercreatedpeer=0x48AAB8D0peer_handle=0x80000004
ISAKMP:Lockingpeerstruct0x48AAB8D0,refcount1forisakmp_initiator
ISAKMP:(0):insertsasuccessfullysa=49F4F45C
ISAKMP:(0):SAhastunnelattributesset.
ISAKMP(0):IDpayload
nextpayload:13
type:1
address:10.1.12.2
protocol:17
port:0
length:12
ISAKMP:(0):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_AM
ISAKMP:(0):OldState=IKE_READYNewState=IKE_I_AM1
ISAKMP:(0):beginningAggressiveModeexchange
ISAKMP:(0):sendingpacketto10.1.12.2my_port500peer_port500(I)AG_INIT_EXCH
IKEAggressiveModehasbeenstarted.ThestateofISAKMPSAisAG_INIT_EXCHwhich
indicatesthatthepeershavedonethefirstexchangeinaggressivemode,butthe
SAisnotyetauthenticated.
ISAKMP(0):receivedpacketfrom10.1.12.2dport500sport500Global(I)AG_INIT_EXCH
Theremotepeer(R2)respondswithIKEpacketthatcontainsthefollowing:itsISAKMP
policy(proposal),keymaterialanditsID.ThestateofISAKMPSAisstill
AG_INIT_EXCH.
CCIESecurity
Page26of322
ISAKMP(0):IDpayload
nextpayload:10
type:1
address:10.1.12.2
protocol:0
port:0
length:12
ISAKMP:(0):SAusingtunnelpasswordaspresharedkey.
ISAKMP:hashMD5
ISAKMP:authpreshare
Thepasswordconfiguredforthepeerasaggressivemodepasswordhasbeenusedfor
thepeerauthentication.ISAKMPproposalhasbeencheckedagainstlocallydefined
ISAKMPpolicies.
authenticated
ISAKMP:Tryingtoinsertapeer10.1.12.1/10.1.12.2/500/,andinsertedsuccessfully48AAB8D0.
ISAKMP:(1001):sendingpacketto10.1.12.2my_port500peer_port500(I)AG_INIT_EXCH
TheISAKMPSAhasbeennegotiated,authenticatedandinstertedintoSADB.Thepeerhas
beeninformedthattheconnectionhasbeenauthenticated.Phase1iscompleted.The
ISAKMPSAstatewillbetransitedtoQM_IDLE.TheIKEtunnelisestablishedandready
forIPSecparametersandSAsnegotiations.
ISAKMP:(1001):Input=IKE_MESG_FROM_PEER,IKE_AM_EXCH
ISAKMP:(1001):OldState=IKE_I_AM1NewState=IKE_P1_COMPLETE
ISAKMP:(1001):OldState=IKE_QM_READYNewState=IKE_QM_I_QM1
ISAKMP:(1001):OldState=IKE_P1_COMPLETE NewState=IKE_P1_COMPLETE
CCIESecurity
Page27of322
IPSecparametershavebeenagreedupon.
local_proxy=1.1.1.1/255.255.255.255/0/0(type=1),
lifedur=0sand0kb,
srcaddr:1.1.1.1
dstaddr:2.2.2.2
protocol:0
srcport:0
dstport:0
(proxy2.2.2.2to1.1.1.1)
(proxy1.1.1.1to2.2.2.2)
hasspi0xD18E8F5Fandconn_id0
ISAKMP:(1001):OldState=IKE_QM_I_QM1 NewState=IKE_QM_PHASE2_COMPLETE
srcaddr
:1.1.1.1
dstaddr:2.2.2.2
protocol:0
srcport:0
dstport:0
sa_spi=0xE40153C8(3825292232),
sa_spi=0xD18E8F5F(3515780959),
IPSEC(update_current_outbound_sa):updatedpeer10.1.12.2currentoutboundsatoSPID18E8F5F
ISAKMP:(1001):nooutgoingphase1packettoretransmit.QM_IDLE
IKEPhase2(QuickMode)hasbeencompleted.ESPtunnelhasbeenestablished.
DetailedverificatinonR2
TheresponderhasreceivedtheinitialIKEpacketfromtheinitiator(R1).Thepayload
containsISAKMPproposal,keymaterialandID.
ISAKMP:Newpeercreatedpeer=0x49BD96B8peer_handle=0x80000003
CCIESecurity
Page28of322
ISAKMP:Lockingpeerstruct0x49BD96B8,refcount1forcrypto_isakmp_process_block
ISAKMP:(0):insertsasuccessfullysa=48B8E45C
ISAKMP(0):IDpayload
nextpayload:13
type:1
address:10.1.12.2
protocol:17
port:0
length:12
ISAKMP:hashMD5
ISAKMP:authpreshare
TheproposalhasbeenprocessedbytheresponderandISAKMPpolicyhasbeenaccepted.
ISAKMP:(1001):claimedIOSbutfailedauthentication
nextpayload:10
type:1
address:10.1.12.2
protocol:0
port:0
length:12
CCIESecurity
Page29of322
ISAKMP:(1001):sendingpacketto10.1.12.1my_port500peer_port500(R)AG_INIT_EXCH
Thereplyhasbeensenttotheinitiator.ISAKMPSAstateisstillAG_INIT_EXCH.
ISAKMP:(1001):OldState=IKE_READYNewState=IKE_R_AM2
ISAKMP(1001):receivedpacketfrom10.1.12.1dport500sport500Global(R)AG_INIT_EXCH
TheresponderhasgottheinformationthatSAhasbeenauthenticated
IthasbeendeterminedbyNATdiscoveryprocessthatthereisnoNATbetweenthe
peers.
spi0,messageID=0,sa=48B8E45C
authenticated
authenticated
ISAKMP:Tryingtoinsertapeer10.1.12.2/10.1.12.1/500/,andinsertedsuccessfully49BD96B8.
ISAKMP:(1001):OldState=IKE_R_AM2 NewState=IKE_P1_COMPLETE
IKEPhase1completed,SAisnegotiated.TheISAKMPSAstatehasbeenchangedto
QM_IDLE.
local_proxy=2.2.2.2/255.255.255.255/0/0(type=1),
lifedur=0sand0kb,
srcaddr:2.2.2.2
dstaddr:1.1.1.1
protocol:0
srcport:0
dstport:0
(proxy1.1.1.1to2.2.2.2)
hasspi0xD18E8F5Fandconn_id0
CCIESecurity
Page30of322
(proxy2.2.2.2to1.1.1.1)
srcaddr:2.2.2.2
dstaddr:1.1.1.1
protocol:0
srcport:0
dstport:0
sa_spi=0xD18E8F5F(3515780959),
sa_spi=0xE40153C8(3825292232),
ISAKMP:(1001):OldState=IKE_QM_R_QM2 NewState=IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine_enable_outbound):rec'denablenotifyfromISAKMP
IPSEC(key_engine_enable_outbound):enableSAwithspi3825292232/50
IPSEC(update_current_outbound_sa):updatedpeer10.1.12.1currentoutboundsatoSPIE40153C8
ISAKMP:(1001):purgingnode1329820426
TheIPSectunnelhasbeenestablished.
CCIESecurity
Page31of322
Lab2.3. BasicSitetoSiteVPNwithNAT
(IOSIOS)
LabSetup:
R2sG0/1andR4sF0/0interfaceshouldbeconfiguredinVLAN240
ConfigureRIPv2onallrouterstoestablishfullconnectivity
IPAddressing:
Device
R1
R2
R4
Interface
Lo0
F0/0
G0/0
G0/1
F0/0
Lo0
IPaddress
1.1.1.1/32
10.1.12.1/24
10.1.12.2/24
10.1.24.2/24
10.1.24.4/24
4.4.4.4/32
Task1
Configurestatic NAT translationonR2so that IP addressof 10.1.12.1 will beseen
onR4as10.1.24.1.
Configure basic Site to Site IPSec VPN to protect IP traffic between IP addresses
ISAKMPPolicy
Encryption:3DES
Hash:MD5
DHGroup:2
PSK:cisco123
IPSecPolicy
Encryption:ESP3DES
Hash:MD5
ProxyID:1.1.1.14.4.4.4
OnR2
R2(config)#ipnatinsidesourcestatic10.1.12.110.1.24.1
%LINEPROTO5UPDOWN:LineprotocolonInterfaceNVI0,changedstatetoup
Staticnetworkaddresstranslation(R1sFa0/0:10.1.12.1>10.1.24.1)
R2(config)#intg0/0
R2(configif)#ipnatinside
CCIESecurity
Page32of322
R2(configif)#intg0/1
R2(configif)#ipnatoutside
OnR1
FromR1sperspectivethepeer(R4)isseenas10.1.24.4.
R1(configcryptomap)#accesslist140permitiphost1.1.1.1ho4.4.4.4
R1(config)#intf0/0
R1(configif)#exi
R1(config)#
OnR4
FromR4sperspectivethepeer(R1)isseenas10.1.24.1(thisaddressR1sFa0/0is
translatedtobyR2)
R4(configcryptomap)#accesslist140permitipho4.4.4.4host1.1.1.1
R4(config)#intf0/0
R4(configif)#exi
R4(config)#
Verification
R1#tel10.1.24.4
Trying10.1.24.4...Open
UserAccessVerification
Password:
R4>shusers
LineUserHost(s)IdleLocation
CCIESecurity
Page33of322
0con0idle00:01:03
*514vty0idle00:00:0010.1.24.1
Translationisworking.
InterfaceUserMode
IdlePeerAddress
R4>exit
[Connectionto10.1.24.4closedbyforeignhost]
R2#shipnattranslations
ProInsideglobalInsidelocalOutsidelocalOutsideglobal
tcp10.1.24.1:1308310.1.12.1:1308310.1.24.4:2310.1.24.4:23
10.1.24.110.1.12.1
Translationisworking.
R1#ping4.4.4.4solo0rep4
.!!!
Interestingtraffichasstartedthetunnelnegotiation.
R2#shipnattranslations
ProInsideglobalInsidelocalOutsidelocalOutsideglobal
udp10.1.24.1:50010.1.12.1:50010.1.24.4:50010.1.24.4:500
udp10.1.24.1:450010.1.12.1:450010.1.24.4:450010.1.24.4:4500
10.1.24.110.1.12.1
NotethatIKEtraffic(UDPport500)hasbeentranslated.DuringIKEPhase1NAT
discoveryhasdeterminedthattraficbetweenthepeeristranslated,sothatit
enforcesNATTraversal.FromthismomentthepeerstransmitESPpacketsencapsulated
intoUDPpackets.TheNATTtrafficusesUDPport4500.
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.24.410.1.12.1QM_IDLE1003ACTIVE
IPv6CryptoISAKMPSA
rencRSAencryption
IPv4CryptoISAKMPSA
100310.1.12.110.1.24.4ACTIVE3desmd5psk2 23:57:11N
IPv6CryptoISAKMPSA
R1#shcryptoipsecsa
protectedvrf:(none)
CCIESecurity
Page34of322
currentoutboundspi:0xE1815114(3783348500)
inboundespsas:
spi:0x65D0096B(1708132715)
inusesettings={TunnelUDPEncaps,}
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xE1815114(3783348500)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
protectedvrf:(none)
protocol:ESP
spi:0x65D0096B(1708132715)
IVsize:8bytes
Status:ACTIVE
CCIESecurity
Page35of322
protocol:ESP
spi:0xE1815114(3783348500)
IVsize:8bytes
Status:ACTIVE
1003IKEMD5+3DES0010.1.12.1
2005IPsec3DES+MD50310.1.12.1
2006IPsec3DES+MD53010.1.12.1
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.24.410.1.24.1QM_IDLE1001ACTIVE
NotethatR4sISAKMPSAisnegotiatedwithtranslatedR1sIPaddress.
IPv6CryptoISAKMPSA
rencRSAencryption
IPv4CryptoISAKMPSA
100110.1.24.410.1.24.1ACTIVE3desmd5psk2 23:49:57N
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
protectedvrf:(none)
currentoutboundspi:0x65D0096B(1708132715)
inboundespsas:
spi:0xE1815114(3783348500)
IVsize:8bytes
CCIESecurity
Page36of322
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x65D0096B(1708132715)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
1001IKEMD5+3DES0010.1.24.4
2001 IPsec3DES+MD50310.1.24.4
2002IPsec3DES+MD53010.1.24.4
R1#debcryisak
R1#pi4.4.4.4solo0
ISAKMP:Newpeercreatedpeer=0x489472CCpeer_handle=0x8000000A
ISAKMP:Lockingpeerstruct0x489472CC,refcount1forisakmp_initiator
ISAKMP:(0):insertsasuccessfullysa=483BFC34
ISAKMP:(0):CannotstartAggressivemode,tryingMainmode.
ISAKMP:(0):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_MM
ISAKMP:(0):OldState=IKE_READYNewState=IKE_I_MM1
ISAKMP:(0):beginningMainModeexchange
ISAKMP:(0):sendingpacketto10.1.24.4my_port500peer_port500(I)MM_NO_STATE
ISAKMP(0):receivedpacketfrom10.1.24.4dport500sport500Global(I)MM_NO_STATE
ISAKMP:hashMD5
ISAKMP:authpreshare
CCIESecurity
Page37of322
ISAKMP:(0):Acceptable.!!!!
R1#atts:life:0
ISAKMP:(0):sendingpacketto10.1.24.4my_port500peer_port500(I)MM_SA_SETUP
ISAKMP(0):receivedpacketfrom10.1.24.4dport500sport500Global(I)MM_SA_SETUP
ISAKMP(1005):NATfound,bothnodesinsideNAT
ISAKMP(1005):Myhashnomatch thisnodeinsideNAT
R1hasanalyzedtheresultsofNATdiscovery.IthasdeterminedthatitsIPaddressis
NATedinthepathbecausereceivedhash(NATDpayload)doesnotmatchthelocaly
calculatedhash.
nextpayload:8
type:1
address:10.1.12.1
protocol:17
port:0
length:12
ISAKMP:(1005):sendingpacketto10.1.24.4my_port4500peer_port4500(I)MM_KEY_EXCH
NotethatfromthismomentthepeersareexchangingthepacketsusingUDPprotocoland
port4500(NATT).
ISAKMP(1005):receivedpacketfrom10.1.24.4dport4500sport4500Global(I)MM_KEY_EXCH
nextpayload:8
type:1
address:10.1.24.4
protocol:17
port:0
length:12
CCIESecurity
Page38of322
authenticated
ISAKMP:(1005):SettingUDPENCpeerstruct0x49383A9Csa=0x483BFC34
ISAKMP:Tryingtoinsertapeer10.1.12.1/10.1.24.4/4500/,andinsertedsuccessfully
489472CC.
ISAKMP:(1005):OldState=IKE_I_MM6NewState=IKE_P1_COMPLETE
ISAKMP:(1005):OldState=IKE_QM_READY NewState=IKE_QM_I_QM1
ISAKMP:encapsis3(TunnelUDP)
NotethatthisinidactesthattunnelisencaplustatedintoUDP
ISAKMP:
authenticatorisHMACMD5
(proxy4.4.4.4to1.1.1.1)
hasspi0xE219E9BBandconn_id0
(proxy1.1.1.1to4.4.4.4)
hasspi0xE481597andconn_id0
ISAKMP:(1005):OldState=IKE_QM_I_QM1NewState=IKE_QM_PHASE2_COMPLETE
R1#
R1#unall
Allpossibledebugginghasbeenturnedoff
R4#debcryisak
ISAKMP:Newpeercreatedpeer=0x49CEE97Cpeer_handle=0x80000004
ISAKMP:Lockingpeerstruct0x49CEE97C,refcount1forcrypto_isakmp_process_block
ISAKMP:(0):insertsasuccessfullysa=489FDD70
ISAKMP:(0):OldState=IKE_READYNewState=IKE_R_MM1
CCIESecurity
Page39of322
ISAKMP:(0):processingvend
R4#oridpayload
ISAKMP:hashMD5
ISAKMP:authpreshare
ISAKMP:(0):sendingpacketto10.1.24.1my_port500peer_port500(R)MM_SA_SETUP
ISAKMP(0):receivedpacketfrom10.1.24.1dport500sport500Global(R)MM_SA_SETUP
ISAKMP:(0):OldState=IKE_R_MM2 NewState=IKE_R_MM3
CCIESecurity
Page40of322
R4hasanalyzedtheresultsofNATdiscovery.IthasdeterminedthatR1sIPaddress
isNATedinthepathbecausereceivedhash(NATDpayload)doesnotmatchthelocaly
calculatedhash.
ISAKMP(1003):receivedpacketfrom10.1.24.1dport4500sport4500Global(R)MM_KEY_EXCH
nextpayload:8
type:1
address:10.1.12.1
protocol:17
port:0
length:12
spi0,messageID=0,sa=489FDD70
authenticated
ISAKMP:(1003):Detectedportfloatingtoport=4500
ISAKMP:Tryingtofindexistingpeer10.1.24.4/10.1.24.1/4500/
authenticated
49CEE97C.
nextpayload:8
type:1
address:10.1.24.4
protocol:17
port:0
length:12
ISAKMP:(1003):OldState=IKE_R_MM5NewState=IKE_P1_COMPLETE
ISAKMP:encapsis3(TunnelUDP)
CCIESecurity
Page41of322
(proxy1.1.1.1to4.4.4.4)
hasspi0xE481597andconn_id0
(proxy4.4.4.4to1.1.1.1)
hasspi0xE219E9BBandconn_id0
R4#
R4#unall
Allpossibledebugginghasbeenturnedoff
CCIESecurity
Page42of322
Lab2.4.
IOSCertificateAuthority
LabSetup:
R1sF0/0andASA1sE0/1interfaceshouldbeconfiguredinVLAN101
R2sG0/0andASA1sE0/0interfaceshouldbeconfiguredinVLAN102
ConfiguredefaultroutingonR1,R4andR5pointingtotherespectiveASAs
interface
ConfiguredefaultroutingonbothASAspointingtotherespectiveR2interface
IPAddressing:
Device
R1
R2
R4
CCIESecurity
Interface/ifname/seclevel
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
Page43of322
R5
Lo0
F0/0
E0/0,Outside,Security0
E0/1,Inside,Security100
E0/1,Inside_US,Security100
E0/2,Inside_CA,Security100
ASA1
ASA2
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
ConfigureIOSCertificateAuthorityserveronR1.Theservershouldhaveselfsigned
certificatewithalifetimeof5yearsandgrantcertificatestotheclientswithalifetime
of 3 years. Store all certificates on the flash using PEM 64base excryption with
password of Cisco_CA. The server should service all certificate requests
automatically.
OnR1
R1(config)#iphttpserver
HTTPservermustbeenabled.Itwillbeusedfortheautomaticcertificateenrollment.
ThisfeatureusesSCEP(SimpleCertificateEnrollmentProtocol).
R1(config)#cryptopkiserverIOS_CA
R1(csserver)#lifetimecertificate1095
Thelifetimeofclientcertificates(3years).
R1(csserver)#lifetimecacertificate1825
R1(csserver)#databasearchivepempasswordCisco_CA
R1(csserver)#databaseurlpemflash:/IOS_CA
R1(csserver)#grantauto
%PKI6CS_GRANT_AUTO:Allenrollmentrequestswillbeautomaticallygranted.
R1(csserver)#noshutdown
Certificateserver'noshut'eventhasbeenqueuedforprocessing.
R1(csserver)#
%SomeserversettingscannotbechangedafterCAcertificategeneration.
%Generating1024bitRSAkeys,keyswillbenonexportable...[OK]
%SSH5ENABLED:SSH1.99hasbeenenabled
%ExportingCertificateServersigningcertificateandkeys...
%PKI6CS_ENABLED:Certificateservernowenabled.
R1(csserver)#exit
CAisupafterissuingnoshutdowncommand.Rememberthatatthelabexam.
Verification
R1#shcryptopkiserver
CertificateServerIOS_CA:
Status:enabled
State:enabled
Server'sconfigurationislocked(enter"shut"tounlockit)
Issuername:CN=IOS_CA
CAcertfingerprint:2CCFEC448B1FA2164B9CA190024184A0
Grantingmodeis:auto
Lastcertificateissuedserialnumber:0x1
CAcertificateexpirationtimer:21:37:39UTCOct192014
CRLNextUpdatetimer:03:37:40UTCOct212009
Currentprimarystoragedir:nvram:
Currentstoragedirfor.pemfiles:flash:/IOS_CA
DatabaseLevel:Minimumnocertdatawrittentostorage
CCIESecurity
Page44of322
R1#shflash|inIOS_CA
221714Oct20200921:37:42+00:00IOS_CA_00001.pem
Thepasswordprotectedcertificatestorehasbeencreatedontherouterflash.
Task2
ToensurealldevicesinthenetworkhavethesametimeconfigureNTPserveronR1
with a stratum of 4. The server should authenticate the clients with a password of
Cisco_NTP.ConfigurerestofdevicesasNTPclientstotheR1sNTPsource.
OnR1
R1(config)#ntpauthenticationkey1md5Cisco_NTP
R1(config)#ntptrustedkey1
R1(config)#ntpauthenticate
R1(config)#ntpmaster4
OnASA1
ASA1(config)#ntpauthenticationkey1md5Cisco_NTP
ASA1(config)#ntpauthenticate
ASA1(config)#ntptrustedkey1
ASA1(config)#ntpserver10.1.101.1key1
ASA1(config)#accesslistOUTSIDE_INpermitudpanyhost10.1.101.1eq123
ASA1(config)#accessgroupOUTSIDE_INininterfaceOutside
TheaccessfromtheNTPpeerstoNTPmaster(R1).
OnASA2
ASA2(config)#ntpauthenticationkey1md5Cisco_NTP
ASA2(config)#ntpauthenticate
ASA2(config)#ntptrustedkey1
ASA2(config)#ntpserver10.1.101.1key1
OnR2
R2(config)#ntpserver10.1.101.1key1
R2(config)#iproute10.1.101.0255.255.255.0192.168.1.10
R2(config)#iproute10.1.105.0255.255.255.0192.168.2.10
R2(config)#iproute10.1.104.0255.255.255.0192.168.2.10
OnR4
OnR5
Verification
R1#shntpstatus
Clockissynchronized,stratum4,referenceis127.127.7.1
CCIESecurity
Page45of322
nominalfreqis250.0000Hz,actualfreqis250.0000Hz,precisionis2**18
referencetimeisCE88ADA8.1FB35E7B(21:44:08.123UTCTueOct202009)
clockoffsetis0.0000msec,rootdelayis0.00msec
rootdispersionis0.02msec,peerdispersionis0.02msec
NotethatR1(themaster)issynchronizedwith127.127.7.1.Thisisainternaly
createdIPaddressofinternalNTPserverwhichinstancehasbeencreatedafter
issuingntpmastercommand.WiththisinternaladdresstheR1sclockis
synchronized.Remember,ifyouwouldbeaskedtoenableapeerauthenticationonNTP
masterthanyouhavetoconfigureanpeerACLsandpermit127.127.7.1.Withoutdoing
thattheNTPserverwillbealwaysoutofsync.
R1#shntpassociations
addressrefclockstwhenpollreachdelayoffsetdisp
*~127.127.7.1
127.127.7.132643770.00.000.0
*master(synced),#master(unsynced),+selected,candidate,~configured
ASA1(config)#shntpstatus
referencetimeisce88af37.bc6be95a(21:50:47.736UTCTueOct202009)
NotethatASAisassiociatedwithR1.
ASA1(config)#shntpassociations
*~10.1.101.1
127.127.7.1
4506471.0 0.603890.7
R1istheNTPmasterandASAissyncedwithit.Theasteriskindicatesthat.
AddressfieldcontainsanIPaddressoftheNTPpeer.Refclockfield(reference
clock)containsanIPaddressofreferenceclockofpeer.Notethatstratumforthis
peeris5(everynextNTPpeerintheNTPpathwillresultsofincreasedstratum
value).
ASA2(config)#shntpstatus
referencetimeisce88b2ee.eb59aae0(22:06:38.919UTCTueOct202009)
ASA2(config)#shntpassociations
*~10.1.101.1
127.127.7.14116431.30.607890.7
R2#shntpstatus
referencetimeisCE88B210.397BFBDE(22:02:56.224UTCTueOct202009)
*~10.1.101.1
127.127.7.14286411.81.3115875.
R4#shntpstatus
referencetimeisCE8B342F.39971B35(19:42:39.224UTCThuOct222009)
*~10.1.101.1
127.127.7.14266412.21.5915875.
CCIESecurity
Page46of322
*master(synced),#master(unsynced),+selected,candidate,~configure
R5#shntpstatus
referencetimeisCE88B28F.63FAD3D2(22:05:03.390UTCTueOct202009)
*~10.1.101.1
127.127.7.14246472.12.523875.4
Task3
On both ASAs enroll a certificate for IPSec peer authentication. Ensure thatFQDN
andcertificateattributeslikeCommonNameandCountryareused.Certificateuses
for IPSec authentication should have at least 1024 bytes keys. Configure domain
nameofMicronicsTraining.com
OnASA1
ASA1(config)#domainnameMicronicsTraining.com
ASA1(config)#cryptokeygeneratersamodulus1024
WARNING:YouhaveaRSAkeypairalreadydefinednamed<DefaultRSAKey>.
Doyoureallywanttoreplacethem?[yes/no]:yes
Keypairgenerationprocessbegin.Pleasewait...
ASA1(config)#cryptocatrustpointIOS_CA
ASA1(configcatrustpoint)#idusagesslipsec
ThecertificatewillbeusedforSSLorIPSecauthentication.
ASA1(configcatrustpoint)#subjectnameCN=ASA1,C=US
ASA1(configcatrustpoint)#fqdnASA1.MicronicsTraining.com
ASA1(configcatrustpoint)#enrollmenturlhttp://10.1.101.1
ASA1(configcatrustpoint)#exit
ASA1(config)#cryptocaauthenticateIOS_CA
INFO:Certificatehasthefollowingattributes:
Fingerprint:2ccfec448b1fa2164b9ca190024184a0
Doyouacceptthiscertificate?[yes/no]:yes
TrustpointCAcertificateaccepted.
TheCAconfiguredat10.1.101.1hasbeenauthenticated.AuthenticationoftheCA
resultsoftherootCAcertificateretrievalandwritingitintherouters
configurationaftertheacceptance.
ASA1(config)#cryptocaenrollIOS_CA
%
%Startcertificateenrollment..
%Createachallengepassword.Youwillneedtoverballyprovidethis
passwordtotheCAAdministratorinordertorevokeyourcertificate.
Forsecurityreasonsyourpasswordwillnotbesavedintheconfiguration.
Pleasemakeanoteofit.
Password:********
Reenterpassword:********
%Thesubjectnameinthecertificatewillbe:CN=ASA1,C=US
%Thefullyqualifieddomainnameinthecertificatewillbe:ASA1.MicronicsTraining.com
%Includethedeviceserialnumberinthesubjectname?[yes/no]:no
RequestcertificatefromCA?[yes/no]:yes
%CertificaterequestsenttoCertificateAuthority
ASA1(config)#ThecertificatehasbeengrantedbyCA!
Thecertificatehasbeenissuedautomaticaly.Autoenrollmentisworking
CCIESecurity
Page47of322
ASA1(config)#accesslistOUTSIDE_INpermittcphost192.168.2.10host10.1.101.1eq80
SCEP(itusesHTTPprotocol)forASA2shouldbeallowed.
OnASA2
Fingerprint:2ccfec448b1fa2164b9ca190024184a0
%
Password:********
Verification
ASA1(config)#shcryptocatrustpoints
TrustpointIOS_CA:
SubjectName:
cn=IOS_CA
SerialNumber:01
Certificateconfigured.
CEPURL:http://10.1.101.1
ASA1(config)#shcryptocacertificates
Certificate
Status:Available
CertificateSerialNumber:02
CertificateUsage:GeneralPurpose
PublicKeyType:RSA(1024bits)
IssuerName:
cn=IOS_CA
SubjectName:
hostname=ASA1.MicronicsTraining.com
cn=ASA1
c=US
ValidityDate:
startdate:22:14:31UTCOct202009
enddate:22:14:31UTCOct192012
AssociatedTrustpoints:IOS_CA
CCIESecurity
Page48of322
CACertificate
Status:Available
CertificateUsage:Signature
IssuerName:
cn=IOS_CA
SubjectName:
cn=IOS_CA
ValidityDate:
ThisistheCArootcertificateacceptedduringthetrustpointauthentication.
ASA2(config)#shcryptocatrustpoints
TrustpointIOS_CA:
SubjectName:
cn=IOS_CA
SerialNumber:01
Certificateconfigured.
CEPURL:http://10.1.101.1
ASA2(config)#shcryptocacertificates
Certificate
Status:Available
IssuerName:
cn=IOS_CA
SubjectName:
hostname=ASA2.MicronicsTraining.com
cn=ASA2
c=US
ValidityDate:
CACertificate
Status:Available
IssuerName:
cn=IOS_CA
SubjectName:
cn=IOS_CA
ValidityDate:
CCIESecurity
Page49of322
Lab2.5.
SitetoSiteIPSecVPNusingPKI
(ASAASA)
Thislabisbasedonthepreviouslabconfiguration.
Task1
ConfigureSitetoSiteIPSecVPNbetweenASA1andASA2.Ensurethatonlytraffic
betweenhosts1.1.1.1and5.5.5.5 getsencrypted.UseCertificateAuthorityand
keys/certificatesenrolledinthepreviouslab.
UsethefollowingsettingforbuildingtheVPN:
ISAKMPPolicy:
Authentincation:RSAsignatures
Encryption3DES
HashMD5
DHGroup2
IPSecPolicy:
Encryption3DES
HashMD5
EnablePFS.
CCIESecurity
Page50of322
OnASA1
ASA1(config)#cryptoisakmpenableoutside
ASA1(config)#accesslistCRYPTO_ACLpermitiphost1.1.1.1host5.5.5.5
ASA1(config)#tunnelgroup192.168.2.10typeipsecl2l
ASA1(config)#tunnelgroup192.168.2.10ipsecattributes
ASA1(configtunnelipsec)#trustpointIOS_CA
ThespecialarrangementsforIPSeconASAareconfiguredinthetunnelgroup
configuration.ThetunnelgrouphasbeenpointedtovalidCA.ThisCAwillbeusedfor
peerauthentication.
ASA1(configtunnelipsec)#cryptoisakmppolicy10
ASA1(configisakmppolicy)#authrsasig
ForpeerauthenticationbasedonX509v3certificatestheauthenticationwithRSA
signatureshastobeenabledintheISAKMPpolicy.
ASA1(configisakmppolicy)#encry3des
ASA1(configisakmppolicy)#hashmd5
ASA1(configisakmppolicy)#group2
ASA1(configisakmppolicy)#cryptoipsectransformsetTSETesp3desespmd5hmac
ASA1(config)#cryptomapENCRYPT_OUT1matchaddressCRYPTO_ACL
ASA1(config)#cryptomapENCRYPT_OUT1setpeer192.168.2.10
ASA1(config)#cryptomapENCRYPT_OUT1setpfsgroup2
ThePerfectForwardSecrecywillbeusedalongwith1024bitsRSAkeys(DHGroup2).
ASA1(config)#cryptomapENCRYPT_OUT1settransformsetTSET
ASA1(config)#cryptomapENCRYPT_OUT1settrustpointIOS_CA
ASA1(config)#cryptomapENCRYPT_OUTinterfaceOutside
ASA1(config)#routeinside1.1.1.1255.255.255.25510.1.101.1
OnASA2
ASA2(config)#accesslistCRYPTO_ACLpermitiphost5.5.5.5host1.1.1.1
ASA2(configtunnelipsec)#cryptoisakmppolicy10
ASA2(configisakmppolicy)#encry3des
ASA2(configisakmppolicy)#cryptoipsectransformsetTSETesp3desespmd5hmac
ASA2(config)#cryptomapENCRYPT_OUT1matchaddressCRYPTO_ACL
ASA2(config)#cryptomapENCRYPT_OUT1settransformsetTSET
ASA2(config)#routeInside_US5.5.5.5255.255.255.25510.1.105.5
Verification
R1#ping5.5.5.5solo0
CCIESecurity
Page51of322
.!!!!
ASA1(config)#shcryptoisakmp
ActiveSA:1
RekeySA:0(Atunnelwillreport1Activeand1RekeySAduringrekey)
TotalIKESA:1
1IKEPeer:192.168.2.10
Type:L2LRole:initiator
Rekey:noState:MM_ACTIVE
IKEtunnelhasbeenestablished.NotethatcommandoutputsonASAdifferfromcommand
outputfromIOSrouter.TheASAdistinguishestheroleofthedeviceinISAKMPSA
negotiation.AlsoMainModestateisnameddifferently.InthiscaseMM_ACTIVEhasthe
samemeaningasQM_IDLEontherouter.
GlobalIKEStatistics
ActiveTunnels:1
PreviousTunnels:4
InOctets:9216
InPackets:50
InDropPackets:3
InNotifys:27
InP2Exchanges:0
InP2ExchangeInvalids:0
InP2ExchangeRejects:0
InP2SaDeleteRequests:0
OutOctets:9724
OutPackets:53
OutDropPackets:0
OutNotifys:54
OutP2Exchanges:4
OutP2ExchangeInvalids:0
OutP2ExchangeRejects:0
OutP2SaDeleteRequests:3
InitiatorTunnels:4
InitiatorFails:0
ResponderFails:0
SystemCapacityFails:0
AuthFails:0
DecryptFails:0
HashValidFails:0
NoSaFails:0
GlobalIPSecoverTCPStatistics
Embryonicconnections:0
Activeconnections:0
Previousconnections:0
Inboundpackets:0
Inbounddroppedpackets:0
Outboundpackets:0
Outbounddroppedpackets:0
RSTpackets:0
ReceviedACKheartbeatpackets:0
Badheaders:0
Badtrailers:0
Timerfailures:0
Checksumerrors:0
Internalerrors:0
ASA1(config)#shcryptoisakmpsa
ActiveSA:1
TotalIKESA:1
1IKEPeer:192.168.2.10
Type
:L2LRole:initiator
ASA1(config)#shcryptoipsecsa
interface:Outside
Cryptomaptag:ENCRYPT_OUT,seqnum:1,localaddr:192.168.1.10
CCIESecurity
Page52of322
accesslistCRYPTO_ACLpermitiphost1.1.1.1host5.5.5.5
current_peer:192.168.2.10
#pktsnotcompressed:4,#pktscompfailed:0,#pktsdecompfailed:0
#prefragsuccesses:0,#prefragfailures:0,#fragmentscreated:0
#PMTUssent:0,#PMTUsrcvd:0,#decapsulatedfrgsneedingreassembly:0
#senderrors:0,#recverrors:0
pathmtu1500,ipsecoverhead58,mediamtu1500
currentoutboundspi:5C4F95C0
inboundespsas:
spi:0x1AC28131(448954673)
transform:esp3desespmd5hmacnocompression
inusesettings={L2L,Tunnel,PFSGroup2,}
slot:0,conn_id:16384,cryptomap:ENCRYPT_OUT
satiming:remainingkeylifetime(kB/sec):(3914999/28641)
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000001F
outboundespsas:
spi:0x5C4F95C0(1548719552)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
ASA1(config)#shvpnsessiondb
ActiveSessionSummary
Sessions:
Active:Cumulative:PeakConcurrent:Inactive
SSLVPN
:0:0:0
Clientlessonly:0:0:0
Withclient:0:0:0:0
EmailProxy:0:0:
0
IPsecLANtoLAN:1:4:1
IPsecRemoteAccess:0:0:0
VPNLoadBalancing:0:0:0
Totals:1:4
LicenseInformation:
IPsec:250Configured:250Active:1Load:0%
SSLVPN:2Configured:2Active:0Load:0%
Active:Cumulative:PeakConcurrent
IPsec:
1:4:1
SSLVPN:0:0:0
AnyConnectMobile:0:0:0
LinksysPhone:0:0:0
Totals
:1:4
Tunnels:
IKE:1:4:1
IPsec:1:4:1
Totals:2:8
ActiveNACSessions:
NoNACsessionstodisplay
ActiveVLANMappingSessions:
NoVLANMappingsessionstodisplay
CCIESecurity
Page53of322
ASA1(config)#shvpnsessiondbl2l
SessionType:LANtoLAN
Connection:192.168.2.10
Index:4IPAddr:5.5.5.5
Protocol:IKEIPsec
Encryption:3DESHashing:MD5
BytesTx:400BytesRx:400
LoginTime:10:03:25UTCSunJul182010
Duration:0h:06m:18s
ASA2(config)#shcryptoisakmp
ActiveSA:1
TotalIKESA:1
1IKEPeer:192.168.1.10
Type:L2LRole:responder
GlobalIKEStatistics
ActiveTunnels:1
PreviousTunnels:4
InOctets:12112
InPackets:82
InDropPackets:3
InNotifys:55
InP2Exchanges:4
OutOctets:11028
OutPackets:71
OutDropPackets:0
OutNotifys:104
OutP2Exchanges:0
InitiatorTunnels:0
InitiatorFails:0
ResponderFails:0
AuthFails:0
DecryptFails:0
HashValidFails:0
NoSaFails:0
Activeconnections:0
Inboundpackets:0
Outboundpackets:0
RSTpackets:0
Badheaders:0
Badtrailers:0
Timerfailures:0
Checksumerrors:0
Internalerrors:0
ActiveSA:1
TotalIKESA:1
1IKEPeer:192.168.1.10
CCIESecurity
Page54of322
interface:Outside
accesslistCRYPTO_ACLpermitiphost5.5.5.5host1.1.1.1
currentoutboundspi:1AC28131
inboundespsas:
spi:0x5C4F95C0(1548719552)
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000001F
outboundespsas:
spi:0x1AC28131(448954673)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
ASA2(config)#shvpnsessiondbdetail
Sessions:
SSLVPN:0:0:0
Withclient:0:0:0:0
EmailProxy:0:0:0
IPsecLANtoLAN:1:4:1
Totals:1:4
LicenseInformation:
IPsec:1:4:1
SSLVPN:0:0:0
LinksysPhone:
0:0:0
Totals:1:4
Tunnels:
IKE:1:4:1
IPsec:1:4:1
Totals:2:8
ActiveNACSessions:
CCIESecurity
Page55of322
Protocol:IKEIPsec
Duration:0h:06m:34s
Verification(detailed)
ASA1(config)#debcryisakmp9
ASA1(config)#
ASA1(config)#Jul1810:03:25[IKEv1DEBUG]:Pitcher:receivedakeyacquiremessage,spi0x0
Jul1810:03:25[IKEv1]:IP=192.168.2.10,IKEInitiator:NewPhase1,IntfInside,IKEPeer
192.168.2.10localProxyAddress1.1.1.1,remoteProxyAddress5.5.5.5,Cryptomap
(ENCRYPT_OUT)
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingISAKMPSApayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingNATTraversalVIDver02
payload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingNATTraversalVIDver03
payload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingNATTraversalVIDverRFC
payload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingFragmentationVID+extended
capabilitiespayload
Jul1810:03:25[IKEv1]:IP=192.168.2.10,IKE_DECODESENDINGMessage(msgid=0)withpayloads
:HDR+SA(1)+VENDOR(13)+VENDOR(13)+VENDOR(13)+VENDOR(13)+NONE(0)totallength
:168
Jul1810:03:25[IKEv1]:IP=192.168.2.10,IKE_DECODERECEIVEDMessage(msgid=0)with
payloads:HDR+SA(1)+VENDOR(13)+VENDOR(13)+NONE(0)totallength:128
LayoutofIKEpacketpayloadspresented(theboth:sentandreceived)
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingSApayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,Oakleyproposalisacceptable
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingVIDpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ReceivedNATTraversalver02VID
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ReceivedFragmentationVID
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,IKEPeerincludedIKEfragmentation
capabilityflags:MainMode:TrueAggressiveMode:True
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingkepayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingnoncepayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingcertreqpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingCiscoUnityVIDpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingxauthV6VIDpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,SendIOSVID
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ConstructingASAspoofingIOSVendorID
payload(version:1.0.0,capabilities:20000001)
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingVIDpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,SendAltiga/CiscoVPN3000/CiscoASAGWVID
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingNATDiscoverypayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,computingNATDiscoveryhash
NATDpayloadhasbeenprepared.
:HDR+KE(4)+NONCE(10)+CERT_REQ(7)+VENDOR(13)+VENDOR(13)+VENDOR(13)+VENDOR
(13)+NATD(130)+NATD(130)+NONE(0)totallength:320
payloads:HDR+KE(4)+NONCE(10)+CERT_REQ(7)+VENDOR(13)+VENDOR(13)+VENDOR(13)
+VENDOR(13)+NATD(130)+NATD(130)+NONE(0)totallength:320
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingkepayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingISA_KEpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingnoncepayload
CCIESecurity
Page56of322
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingcertrequestpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ReceivedCiscoUnityclientVID
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ReceivedxauthV6VID
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ProcessingVPN3000/ASAspoofingIOSVendor
IDpayload(version:1.0.0,capabilities:20000001)
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ReceivedAltiga/CiscoVPN3000/CiscoASAGW
VID
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingNATDiscoverypayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,GeneratingkeysforInitiator...
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingIDpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingcertpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingRSAsignature
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ComputinghashforISAKMP
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ConstructingIOSkeepalivepayload:
proposal=32767/32767sec.
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,constructingdpdvidpayload
:HDR+ID(5)+CERT(6)+SIG(9)+IOSKEEPALIVE(128)+VENDOR(13)+NONE(0)total
length:865
Jul1810:03:25[IKEv1]:IP=192.168.2.10,AutomaticNATDetectionStatus:Remoteendis
NOTbehindaNATdeviceThisendisNOTbehindaNATdevice
NATDiscoveryprocesshasbeenperformed.ThedevicesarenotbehindtheNAT.
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,Rcv'dfragmentfromanewfragmentationset.
Deletinganyoldfragments.
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,Successfullyassembledanencryptedpktfrom
rcv'dfragments!
payloads:HDR+ID(5)+CERT(6)+SIG(9)+IOSKEEPALIVE(128)+VENDOR(13)+NONE(0)
totallength:865
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingIDpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingcertpayload
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,processingRSAsignature
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ProcessingIOSkeepalivepayload:
Jul1810:03:25[IKEv1DEBUG]:IP=192.168.2.10,ReceivedDPDVID
Jul1810:03:25[IKEv1]:IP=192.168.2.10,TryingtofindgroupviaOU...
Jul1810:03:25[IKEv1]:IP=192.168.2.10,NoGroupfoundbymatchingOU(s)fromIDpayload:
Unknown
Jul1810:03:25[IKEv1]:IP=192.168.2.10,TryingtofindgroupviaIKEID...
Jul1810:03:25[IKEv1]:IP=192.168.2.10,NoGroupfoundbymatchingOU(s)fromIDpayload:
Unknown
Jul1810:03:25[IKEv1]:IP=192.168.2.10,TryingtofindgroupviaIPADDR...
TheASAhassearchedtheIDforidentifylocalyconfiguredtunnelgroup.TheIP
addresshasbeenchosen.
Jul1810:03:25[IKEv1]:IP=192.168.2.10,Connectionlandedontunnel_group192.168.2.10
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,peerIDtype9
received(DER_ASN1_DN)
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,Oakleybeginquick
mode
Jul1810:03:25[IKEv1]:Group=192.168.2.10,IP=192.168.2.10,PHASE1COMPLETED
Jul1810:03:25[IKEv1]:IP=192.168.2.10,Keepalivetypeforthisconnection:DPD
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,StartingP1rekey
timer:73440seconds.
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,IKEgotSPIfromkey
engine:SPI=0x1ac28131
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,oakleyconstucting
quickmode
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingblank
hashpayload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingIPSecSA
payload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingIPSec
noncepayload
CCIESecurity
Page57of322
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingpfske
payload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingproxyID
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,TransmittingProxyId:
Localhost:1.1.1.1Protocol0Port0
Remotehost:5.5.5.5Protocol0Port0
Localandremoteproxies.Theipprotocolbetween1.1.1.1and5.5.5.5willbe
encrypted.
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingqmhash
payload
Jul1810:03:25[IKEv1]:IP=192.168.2.10,IKE_DECODESENDINGMessage(msgid=a0018003)with
payloads:HDR+HASH(8)+SA(1)+NONCE(10)+KE(4)+ID(5)+ID(5)+NOTIFY(11)+
NONE(0)totallength:320
Jul1810:03:25[IKEv1]:IP=192.168.2.10,IKE_DECODERECEIVEDMessage(msgid=a0018003)with
payloads:HDR+HASH(8)+SA(1)+NONCE(10)+KE(4)+ID(5)+ID(5)+NONE(0)total
length:292
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processinghash
payload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processingSApayload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processingnonce
payload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processingkepayload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processingISA_KEfor
PFSinphase2
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processingIDpayload
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,loadingallIPSECSAs
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,GeneratingQuickMode
Key!
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,NPencryptrulelook
upforcryptomapENCRYPT_OUT1matchingACLCRYPTO_ACL:returnedcs_id=d7cf5238
rule=d79baf10
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,GeneratingQuickMode
Key!
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,NPencryptrulelook
upforcryptomapENCRYPT_OUT1matchingACLCRYPTO_ACL:returnedcs_id=d7cf5238
rule=d79baf10
Jul1810:03:25[IKEv1]:Group=192.168.2.10,IP=192.168.2.10,Securitynegotiation
completeforLANtoLANGroup(192.168.2.10)Initiator,InboundSPI=0x1ac28131,Outbound
SPI=0x5c4f95c0
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,oakleyconstructing
finalquickmode
Jul1810:03:25[IKEv1]:IP=192.168.2.10,IKE_DECODESENDINGMessage(msgid=a0018003)with
payloads:HDR+HASH(8)+NONE(0)totallength:72
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,IKEgotaKEY_ADDmsg
forSA:SPI=0x5c4f95c0
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,Pitcher:received
KEY_UPDATE,spi0x1ac28131
Jul1810:03:25[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,StartingP2rekey
timer:24480seconds.
(msgid=a0018003)
Jul1810:03:40[IKEv1]:IP=192.168.2.10,IKE_DECODERECEIVEDMessage(msgid=30705dbc)with
payloads:HDR+HASH(8)+NOTIFY(11)+NONE(0)totallength:80
Jul1810:03:40[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processinghash
payload
Jul1810:03:40[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,processingnotify
payload
Jul1810:03:40[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,Receivedkeepaliveof
typeDPDRUTHERE(seqnumber0x3990fdb6)
Jul1810:03:40[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,Sendingkeepaliveof
typeDPDRUTHEREACK(seqnumber0x3990fdb6)
Jul1810:03:40[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingblank
hashpayload
Jul1810:03:40[IKEv1DEBUG]:Group=192.168.2.10,IP=192.168.2.10,constructingqmhash
payload
Jul1810:03:40[IKEv1]:IP=192.168.2.10,IKE_DECODESENDINGMessage(msgid=f34536d8)with
ASA1(config)#unall
ASA1(config)#
CCIESecurity
Page58of322
Lab2.6.
(IOSIOS)
ThislabisbasedontheLAB2.4configuration.Youneedtoperformactions
fromTask1(IOSCAconfiguration)andTask2(NTPconfiguration)before
goingthroughthislab.
LabSetup:
interface
CCIESecurity
Page59of322
IPAddressing:
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
ConfigureSitetoSiteIPSecTunnelbetweenR4andR5toencrypttrafficflowsgoing
betweenIPaddressof4.4.4.4andIPaddressof5.5.5.5.
Usethefollowingparametersforthetunnel:
ISAKMPParameters
o Authentication:RSACertificate
o Encryption:3DES
o Group:2
o Hash:MD5
IPSecParameters
o Encryption:ESP/3DES
o Authentication:ESP/MD5
UseIOSCAserverconfiguredonR1forcertificateenrollment.Configuredomain
nameofMicronicsTraining.comandensurethatFQDNandCountry(US)are
includedinthecertificaterequest.
OnR5
R5(config)#ipdomainnameMicronicsTraining.com
R5(config)#cryptokeygeneratersamodulus1024
Thenameforthekeyswillbe:R5.MicronicsTraining.com
%Thekeymodulussizeis1024bits
R5(config)#
R5(config)#cryptocatrustpointIOS_CA
R5(catrustpoint)#usageike
Theusageofthecertificatehasbeendefined.Thecertificateisintendedtousefor
IKEpeerauthentication.
R5(catrustpoint)#subjectnameCN=R5,C=US
R3(catrustpoint)#enrollmenturlhttp://10.1.101.1
R5(catrustpoint)#exit
R5(config)#cryptocaauthenticateIOS_CA
%ErrorinreceivingCertificateAuthoritycertificate:status=FAIL,certlength=0
%PKI3SOCKETSEND:FailedtosendoutmessagetoCAserver.
CCIESecurity
Page60of322
TheaboveerrorindicatesthatthereisaproblemwithconnectiontotheCA.Itseems
likeASAisblockingthatconnection.LetsconfigureappropriateACEinaccesslist
ofOUTSIDE_IN(forR4andR5)
OnASA1
TheSCEPhasbeenallowedthroughASA1.
OnR5
Certificatehasthefollowingattributes:
FingerprintMD5:01973E0CA51F6B10CB074127C07C60BC
FingerprintSHA1:24A0175051D02F6B9BB419DEB6F40C72B9E43EDD
%Doyouacceptthiscertificate?[yes/no]:yes
R5(config)#cryptocaenrollIOS_CA
%
Password:
Reenterpassword:
%Thesubjectnameinthecertificatewillinclude:CN=R5,C=US
%Thesubjectnameinthecertificatewillinclude:R5.MicronicsTraining.com
%Includetherouterserialnumberinthesubjectname?[yes/no]:no
%IncludeanIPaddressinthesubjectname?[no]:no
%The'showcryptocacertificateIOS_CAverbose'commandwillshowthefingerprint.
R5(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:05D7E98FE04055D7AA68622DB48D6C92
CRYPTO_PKI:CertificateRequestFingerprintSHA1:302D643E69C6FECF71984DF1D29DB5ED
C110B64F
R5(config)#
%PKI6CERTRET:CertificatereceivedfromCertificateAuthority
R5(configisakmp)#authenticationrsasig
R5(configisakmp)#cryptoipsectransformsetTSETesp3desespmd5hmac
R5(cfgcryptotrans)#exit
R5(config)#accesslist120permitiphost5.5.5.5host4.4.4.4
R5(config)#cryptomapENCRYPT10ipsecisakmp
R5(configcryptomap)#exit
R5(config)#intf0/0
R5(configif)#cryptomapENCRYPT
OnR4
CCIESecurity
Page61of322
R4(config)#
Oct2219:45:14.441:%SSH5ENABLED:SSH1.99hasbeenenabled
R4(catrustpoint)#subjectnameCN=R4,C=CA
%
Password:
Reenterpassword:
%Thesubjectnameinthecertificatewillinclude:CN=R4,C=CA
R4(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:D709C725A0D9081AD8FA55B4EAF866C6
CRYPTO_PKI:CertificateRequestFingerprintSHA1:A82A637370FEA31EAE3B19334965B8C0
41695706
R4(config)#
R4(cfgcryptotrans)#accesslist120permitiphost4.4.4.4host5.5.5.5
R4(configcryptomap)#intf0/0
OnASA2
SinceIPSectunnelneedstobeestablishedbetweentwopeerswhichareondifferent
interfacesofASAbutwiththesamesecuritylevelof100,thismustbeexplicitly
allowed.
CCIESecurity
Page62of322
ASA2(config)#samesecuritytrafficpermitinterinterface
Verification
RunpingfromR5sloopback0towardsR4sloopback0.
R5#pi4.4.4.4solo0
.!!!!
R5#shcryengineconnact
1001IKEMD5+3DES0010.1.105.5
2001IPsec3DES+MD5
0410.1.105.5
2002IPsec3DES+MD54010.1.105.5
Thetunnelshavebeenestablished.
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.104.410.1.105.5QM_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
Cryptomaptag:ENCRYPT,localaddr10.1.105.5
protectedvrf:(none)
PERMIT,flags={origin_is_acl,ipsec_sa_request_sent}
currentoutboundspi:0xF1BDE182(4055753090)
inboundespsas:
spi:0xF37CEB79(4085050233)
connid:2001,flow_id:NETGX:1,sibling_flags80000046,cryptomap:ENCRYPT
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xF1BDE182(4055753090)
IVsize:8bytes
CCIESecurity
Page63of322
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#shcryptosession
Cryptosessioncurrentstatus
Interface:FastEthernet0/0
Sessionstatus:UPACTIVE
Peer:10.1.104.4port500
IKESA:local10.1.105.5/500remote10.1.104.4/500Active
IPSECFLOW:permitiphost5.5.5.5host4.4.4.4
ActiveSAs:2,origin:cryptomap
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.104.410.1.105.5QM_IDLE1004ACTIVE
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
protectedvrf:(none)
currentoutboundspi:0xF37CEB79(4085050233)
inboundespsas:
spi:0xF1BDE182(4055753090)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xF37CEB79(4085050233)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#shcryptosession
CCIESecurity
Page64of322
Peer:10.1.105.5port500
CCIESecurity
Page65of322
Lab2.7.
(StaticIPIOSASA)
LabSetup:
interface
CCIESecurity
Page66of322
IPAddressing:
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
There is Companys Headquarters in US consists of ASA1 and R1. The Company
has two branch offices: one in US (R5) and other in Canada (R4). All routers use
staticIPwhileconnectingtotheInternet.
ConfigurethefollowingSitetoSiteIPSecTunnels:
Tunnel
Endpoint
SRC
DST
ISAKMPPolicy
Network Network
R5ASA1 5.5.5.5
1.1.1.1
Authentication:RSA
Encryption:3DES
Group:2
Hash:MD5
R4ASA1 4.4.4.4
1.1.1.1
Authentication:RSA
Encryption:DES
Group:2
Hash:SHA
IPSecPolicy
Encryption:
ESP/3DES
Authentication:
ESP/MD5
Encryption:ESP/DES
Authentication:
ESP/SHA
Use IOS CA server configured on R1 for certificate enrollment. Configure domain

name of MicronicsTraining.com and ensure thatFQDN and Countryare included in
thecertificaterequest.EnablePerfectForwardSecrecyfeature.
OnASA1
CCIESecurity
Page67of322
Fingerprint:01973e0ca51f6b10cb074127c07c60bc
%
Password:********
ASA1(config)#cryptoisakmppolicy10
ASA1(configisakmppolicy)#enc3des
ASA1(configisakmppolicy)#hasmd5
ASA1(configisakmppolicy)#gr2
ASA1(configisakmppolicy)#cryptoisakmppolicy20
ASA1(configisakmppolicy)#encdes
ASA1(configisakmppolicy)#hasha
ASA1(configisakmppolicy)#exit
ASA1(config)#tunnelgroup10.1.105.5ipsecattr
ASA1(configtunnelipsec)#peeridvalidatenocheck
Thepeeridvalidatecommandhasthreeoptions:
*Required=Enable theIKEpeeridentity validationfeature.Ifapeer's certificate doesnot provide
sufficientinformationtoperformanidentitycheck,dropthetunnel.
* If supported by certificate = Enable the IKE peeridentity validation feature. If a peer's certificate
doesnotprovidesufficientinformationtoperformanidentitycheck,allowthetunnel.
*Donotcheck=Donotcheckthepeer'sidentityatall.Selectingthisoptiondisablesthefeature.
The defaultoptionisrequired, meaning thatifthe remotepeerdoesnotprovide correct identity

information during IKE Phase 1, the tunnel will fail. What does the ASA do? It checks if peers
identity(defaultisanIPaddress)isincludedincertificatesSubjectAltName.
Hence,wehavetwooptionshere:
(1) Disable this feature on the ASA by issuing peeridvalidate
nocheckcommand
(2) Sendcorrectidentityinfofrompeers,byissuingcryptoisakmp
identitydncommandonR4andR5
CCIESecurity
Page68of322
ASA1(configtunnelipsec)#tunnelgroup10.1.104.4typeipsecl2l
ASA1(config)#tunnelgroup10.1.104.4ipsecattr
ASA1(configtunnelipsec)#exit
ASA1(config)#cryptoipsectransformsetTSET_USesp3desespmd5hmac
ASA1(config)#cryptoipsectransformsetTSET_CAespdesespshahmac
ASA1(config)#accesslistACL_USpermitipho1.1.1.1ho5.5.5.5
ASA1(config)#accesslistACL_CApermitipho1.1.1.1ho4.4.4.4
The crypto ACLs that enable the ASA and its peers to traffic encryption thoughout
tunnelsterminatedonASAsoutsideinterface.
ASA1(config)#cryptomapENCRYPT_OUT1matchaddressACL_US
ASA1(config)#cryptomapENCRYPT_OUT1settransformTSET_US
ASA1(config)#cryptomapENCRYPT_OUT2matchaddressACL_CA
ASA1(config)#cryptomapENCRYPT_OUT2settransformTSET_CA
ASA1(config)#routeInside1.1.1.1255.255.255.25510.1.101.1
TheSCEPfromR5andR4hasbeenallowedtoinside(R1).
OnASA2
We need to take care of ESP traffic going through ASA2 from both branches. As ESP is
notStatefulweeitherneedtoallowitintheoutsideACLorjustenableinspection.
ASA2(config)#policymapglobal_policy
ASA2(configpmap)#classinspection_default
ASA2(configpmapc)#inspectipsecpassthru
ASA2(configpmapc)#exit
ASA2(configpmap)#exit
OnR5
R5(catrustpoint)#fqdnR5.MicronicsTraining.com
%
CCIESecurity
Page69of322
Password:
Reenterpassword:
%IncludeanIPaddressinthesubjectname?[no]:
R5(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:CB51F487829E24AB160BA244F0256E9B
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 362D19EC 4865EC2E 06915FC0 A45A9551
3B7F4A58
R5(config)#
R5(configcryptomap)#setpfsgroup2
R5(configif)#
OnR4
R4(config)#
CCIESecurity
Page70of322
%
Password:
Reenterpassword:
R4(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:C37B49A539B606473928452DCB501CFF
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 7E096059 984DF493 DC68F185 4325FDDF
5C9D9F7C
R4(config)#
R4(configisakmp)#encrdes
R4(configisakmp)#hasha
R4(configisakmp)#cryptoipsectransformsetTSETespdesespshahmac
R4(configif)#
Verification
R4#ping1.1.1.1solo0
.!!!!
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
dstsrcstate
connidstatus
192.168.1.1010.1.104.4QM_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
CCIESecurity
Page71of322
protectedvrf:(none)
currentoutboundspi:0xF2B4FC1B(4071947291)
PFS(Y/N):Y,DHgroup:group2
inboundespsas:
spi:0xE63FC84A(3862939722)
transform:espdesespshahmac,
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xF2B4FC1B(4071947291)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#shcryptosession
Peer:192.168.1.10port500
R5#ping1.1.1.1solo0
.!!!!
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
192.168.1.1010.1.105.5QM_IDLE1002ACTIVE
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
protectedvrf:(none)
CCIESecurity
Page72of322
currentoutboundspi:0x89B0F77C(2310076284)
inboundespsas:
spi:0xB4192B2C(3021548332)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x89B0F77C(2310076284)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#shcryptosession
Peer:192.168.1.10port500
ASA1(config)#unall
ActiveSA:2
TotalIKESA:2
1IKEPeer:10.1.105.5
2IKEPeer:10.1.104.4
interface:Outside
accesslistACL_CApermitiphost1.1.1.1host4.4.4.4
CCIESecurity
Page73of322
currentoutboundspi:E63FC84A
inboundespsas:
spi:0xF2B4FC1B(4071947291)
transform:espdesespshahmacnocompression
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000001F
outboundespsas:
spi:0xE63FC84A(3862939722)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
accesslistACL_USpermitiphost1.1.1.1host5.5.5.5
currentoutboundspi:B4192B2C
inboundespsas:
spi:0x89B0F77C(2310076284)
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000001F
outboundespsas:
spi:0xB4192B2C(3021548332)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
ASA1(config)#shvpnsessiondb
CCIESecurity
Page74of322
Sessions:
SSLVPN:0:0:0
Withclient:0:0:0:0
EmailProxy:0:0:0
IPsecLANtoLAN:2:6:2
Totals:2:6
LicenseInformation:
IPsec:2:6:2
SSLVPN:0:0:0
LinksysPhone:0:0:0
Totals:2:6
Tunnels:
IKE:2:6:2
IPsec:2:6:2
Totals:4:12
ActiveNACSessions:
Protocol:IKEIPsec
Duration:0h:02m:27s
Protocol:IKEIPsec
Encryption:DES
Hashing:SHA1
Duration:0h:01m:03s
ASA1(config)#
ASA1(config)#debcryisak9
ASA1(config)#Jul18 11:18:19 [IKEv1]: IP =10.1.105.5, IKE_DECODERECEIVEDMessage (msgid=0)
withpayloads: HDR + SA(1)+ VENDOR (13) +VENDOR(13)+ VENDOR (13) +VENDOR (13)+ NONE
(0)totallength:164
Jul1811:18:19[IKEv1DEBUG]:IP=10.1.105.5,ReceivedNATTraversalRFCVID
Jul1811:18:19[IKEv1DEBUG]:IP=10.1.105.5,processingIKESApayload
Jul1811:18:19[IKEv1DEBUG]:IP=10.1.105.5,IKESAProposal#1,Transform#1acceptable
MatchesglobalIKEentry#3
Jul1811:18:19[IKEv1DEBUG]:IP=10.1.105.5,constructingNATTraversalVIDver02payload
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, constructing Fragmentation VID + extended
capabilitiespayload
CCIESecurity
Page75of322
Jul1811:18:19[IKEv1]:IP=10.1.105.5,IKE_DECODESENDINGMessage(msgid=0)withpayloads:
HDR+SA(1)+VENDOR(13)+VENDOR(13)+NONE(0)totallength:128
Jul1811:18:19[IKEv1]:IP=10.1.105.5,IKE_DECODERECEIVEDMessage(msgid=0)withpayloads
:HDR+KE(4)+NONCE(10)+CERT_REQ(7)+VENDOR(13)+VENDOR(13)+VENDOR(13)+NATD
(130)+NATD(130)+NONE(0)totallength:300
Jul1811:18:19[IKEv1DEBUG]:IP=10.1.105.5,ProcessingIOS/PIXVendorIDpayload(version:
1.0.0,capabilities:00000f6f)
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Constructing ASA spoofing IOS Vendor ID
Jul1811:18:19[IKEv1DEBUG]:IP=10.1.105.5,GeneratingkeysforResponder...
HDR+ KE (4) +NONCE (10) +CERT_REQ(7) + VENDOR (13) +VENDOR(13)+ VENDOR (13) +VENDOR
:HDR+ID(5)+CERT(6)+SIG(9)+NOTIFY(11)+NONE(0)totallength:766
Jul1811:18:19[IKEv1DEBUG]:IP=10.1.105.5,processingnotifypayload
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, Automatic NAT Detection Status: Remote end is
Jul1811:18:19[IKEv1]:IP=10.1.105.5,TryingtofindgroupviaOU...
Jul 18 11:18:19 [IKEv1]: IP = 10.1.105.5, No Group found by matching OU(s) from ID payload:
Unknown
Jul1811:18:19[IKEv1]:IP=10.1.105.5,TryingtofindgroupviaIKEID...
Jul1811:18:19[IKEv1]:IP=10.1.105.5,TryingtofindgroupviaIPADDR...
Jul1811:18:19[IKEv1]:IP=10.1.105.5,Connectionlandedontunnel_group10.1.105.5
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, peer ID type 2 received
(FQDN)
Jul1811:18:19[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,PeerIDcheckbypassed
Jul1811:18:19[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,constructingIDpayload
Jul1811:18:19[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,constructingcertpayload
Jul1811:18:19[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,constructingRSAsignature
Jul1811:18:19[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,ComputinghashforISAKMP
Jul 18 11:18:19 [IKEv1 DEBUG]: IP = 10.1.105.5, Constructing IOS keep alive payload:
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing dpd vid
payload
HDR+ID(5)+CERT(6)+SIG(9)+IOSKEEPALIVE(128)+VENDOR(13)+NONE(0)totallength
:818
Jul 18 11:18:19 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Starting P1 rekey timer:
64800seconds.
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=64bdc5ed) with
payloads: HDR +HASH (8) +SA (1) +NONCE (10) + KE(4)+ ID (5) +ID (5) + NONE (0) total
length:292
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,processinghashpayload
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,processingSApayload
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,processingnoncepayload
CCIESecurity
Page76of322
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,processingkepayload
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,processingISA_KEforPFS
inphase2
Jul1811:18:20[IKEv1]:Group=10.1.105.5,IP=10.1.105.5,ReceivedremoteProxyHostdata
inIDPayload:Address5.5.5.5,Protocol0,Port0
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Received local Proxy Host data
inIDPayload:Address1.1.1.1,Protocol0,Port0
Jul1811:18:20[IKEv1]:Group=10.1.105.5,IP=10.1.105.5,QMIsRekeyedoldsanotfoundby
addr
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Static Crypto Map check,
checkingmap=ENCRYPT_OUT,seq=1...
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Static Crypto Map check, map
ENCRYPT_OUT,seq=1isasuccessfulmatch
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, IKE Remote Peer configured for
cryptomap:ENCRYPT_OUT
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, processing IPSec SA
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IPSec SA Proposal # 1,
Transform#1acceptableMatchesglobalIPSecSAentry#1
Jul1811:18:20[IKEv1]:Group=10.1.105.5,IP=10.1.105.5,IKE:requestingSPI!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, IKE got SPI from key
engine:SPI=0x89b0f77c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, oakley constucting quick
mode
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing blank hash
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing IPSec SA
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing IPSec nonce
payload
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing pfs ke
payload
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,constructingproxyID
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,TransmittingProxyId:
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, constructing qm hash
payload
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=64bdc5ed) with
length:292
Jul 18 11:18:20 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=64bdc5ed) with
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,loadingallIPSECSAs
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,GeneratingQuickModeKey!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, NP encrypt rule look up
forcryptomapENCRYPT_OUT1matchingACLACL_US:returnedcs_id=d7cb38c0rule=d7c9fc68
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,GeneratingQuickModeKey!
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, NP encrypt rule look up
forcryptomapENCRYPT_OUT1matchingACLACL_US:returnedcs_id=d7cb38c0rule=d7c9fc68
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, Security negotiation complete
for LANtoLAN Group (10.1.105.5) Responder, Inbound SPI = 0x89b0f77c, Outbound SPI =
0xb4192b2c
Jul1811:18:20[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,IKEgotaKEY_ADDmsgfor
SA:SPI=0xb4192b2c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Pitcher: received
KEY_UPDATE,spi0x89b0f77c
Jul 18 11:18:20 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Starting P2 rekey timer:
3420seconds.
Jul 18 11:18:20 [IKEv1]: Group = 10.1.105.5, IP = 10.1.105.5, PHASE 2 COMPLETED
(msgid=64bdc5ed)
Jul1811:18:38[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,Sendingkeepaliveoftype
DPDRUTHERE(seqnumber0x22ad78e5)
payload
payload
Jul 18 11:18:38 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=81cb2dd5) with
Jul 18 11:18:38 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=6e139995) with
Jul1811:18:38[IKEv1DEBUG]:Group=10.1.105.5,IP=10.1.105.5,processingnotifypayload
CCIESecurity
Page77of322
Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keepalive of

typeDPDRUTHEREACK(seqnumber0x22ad78e5)
payload
payload
Jul 18 11:18:48 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=530ce865) with
Jul 18 11:18:48 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=11faf851) with
payload
payload
Jul 18 11:18:58 [IKEv1]: IP = 10.1.105.5, IKE_DECODE SENDING Message (msgid=d1cf7f74) with
Jul 18 11:18:58 [IKEv1]: IP = 10.1.105.5, IKE_DECODE RECEIVED Message (msgid=fcf96857) with
ASA1(config)#unall
CCIESecurity
Page78of322
Lab2.8.
(DynamicIPIOSASA)
LabSetup:
interface
CCIESecurity
Page79of322
IPAddressing:
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
hastwobranchoffices:oneinUS(R5)andotherinCanada(R4).Tocutleasedlines
costyoudecidedtomigratefromstaticIProutersatbranchestodynamicIPDSLs.
TheIPaddressofDSLmodemsinbranchesischangingeveryday.
ConfigurethefollowingSitetoSiteIPSecTunnels:
Tunnel
Endpoint
SRC
DST
ISAKMPPolicy
Network Network
R5ASA1 5.5.5.5 1.1.1.1 Authentication:RSA
Encryption:3DES
Group:2
Hash:MD5
R4ASA1 4.4.4.4 1.1.1.1 Authentication:RSA
Encryption:DES
Group:2
Hash:SHA
IPSecPolicy
Encryption:
ESP/3DES
Authentication:
ESP/MD5
Encryption:ESP/DES
Authentication:
ESP/SHA
Use IOS CA server configured on R1 for certificate enrollment. Configure domain

name of MicronicsTraining.com and ensure thatFQDN and Country are included in
thecertificate request. Enable Perfect Forward Secrecy feature. You should assign
proper IPSec Profile for every branch peer using Country field in the peers
Certificate.
OnASA1
CCIESecurity
Page80of322
Fingerprint:
2ccfec448b1fa2164b9ca190024184a0
%
Password:********
ASA1(configisakmppolicy)#enc3des
ASA1(configisakmppolicy)#hasmd5
ASA1(configisakmppolicy)#encdes
ASA1(configisakmppolicy)#hasha
ASA1(config)#tunnelgroupUS_VPNtypeipsecl2l
WARNING:L2LtunnelgroupsthathavenameswhicharenotanIP
addressmayonlybeusedifthetunnelauthentication
methodisDigitialCertificatesand/orThepeeris
configuredtouseAggressiveMode
ASA1(config)#tunnelgroupUS_VPNipsecattr
ASA1(config)#tunnelgroupCA_VPNtypeipsecl2l
WARNING:L2LtunnelgroupsthathavenameswhicharenotanIP
addressmayonlybeusedifthetunnelauthentication
methodisDigitialCertificatesand/orThepeeris
configuredtouseAggressiveMode
ASA1(config)#tunnelgroupCA_VPNipsecattr
We use namedtunnel group(insteadofIP address). Thisis because our branchrouters
have dynamic IP addresses and we cannot rely on them. Hence, we use certificates for
authentication.Bydefault,theASAusesOUfieldfromthecertificatetomatch(pick)
the correct tunnel group, hoever, we use certificate maps later in the configuration
toachivethesame.
ASA1(config)#cryptoipsectransformsetTSET_USesp3desespmd5hmac
ASA1(config)#cryptoipsectransformsetTSET_CAespdesespshahmac
ASA1(config)#accesslistACL_USpermitipho1.1.1.1ho5.5.5.5
ASA1(config)#accesslistACL_CApermitipho1.1.1.1ho4.4.4.4
ASA1(config)#cryptodynamicmapUS_VPN1matchaddressACL_US
ASA1(config)#cryptodynamicmapUS_VPN1settransformTSET_US
ASA1(config)#cryptodynamicmapUS_VPN1setpfsgroup2
CCIESecurity
Page81of322
ASA1(config)#cryptodynamicmapCA_VPN2matchaddressACL_CA
ASA1(config)#cryptodynamicmapCA_VPN2settransformTSET_CA
ASA1(config)#cryptodynamicmapCA_VPN2setpfsgroup2
ThisconfigurationisbasedondynamiccryptomapswhichareusedwhenpeerIPaddress
isunknownorotherIPSecparametersareintendedtobenegotiated(i.e.EasyVPN).
ASA1(config)#cryptomapCRYPTO_OUT1ipsecisakmpdynamicUS_VPN
ASA1(config)#cryptomapCRYPTO_OUT2ipsecisakmpdynamicCA_VPN
ASA1(config)#cryptomapCRYPTO_OUTinterfaceOutside
The crypto map has been attached to the outside interface. Note that the peer IP
addressehasnotbeenspecifiedinthecryptomap.
ASA1(config)#tunnelgroupmapenablerules
ASA1(config)#cryptocacertificatemapCERT_MAP10
ASA1(configcacertmap)#subjectnameattrCeqUS
ASA1(configcacertmap)#cryptocacertificatemapCERT_MAP20
ASA1(configcacertmap)#subjectnameattrCeqCA
ASA1(configcacertmap)#exit
ASA1(config)#tunnelgroupmapCERT_MAP10US_VPN
ASA1(config)#tunnelgroupmapCERT_MAP20CA_VPN
Thetunnelgroupmapshavetiedrespectivecryptomapsandcertificatemapsthatallow
to fullfilingthetask requirements(Countryfield in the certificatemustbepresent
andset).
OnASA2
ASA2(configpmapc)#exit
ASA2(configpmap)#exit
OnR5
%
CCIESecurity
Page82of322
Password:
Reenterpassword:
R5(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:CB51F487829E24AB160BA244F0256E9B
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 362D19EC 4865EC2E 06915FC0 A45A9551
3B7F4A58
R5(config)#
R5(configif)#
OnR4
R4(config)#
CCIESecurity
Page83of322
%
Password:
Reenterpassword:
R4(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:C37B49A539B606473928452DCB501CFF
CRYPTO_PKI: Certificate Request Fingerprint SHA1: 7E096059 984DF493 DC68F185 4325FDDF
5C9D9F7C
R4(config)#
R4(configisakmp)#encrdes
R4(configisakmp)#hasha
R4(configisakmp)#cryptoipsectransformsetTSETespdesespshahmac
R4(configif)#
Verification
R4#pin1.1.1.1solo0
.!!!!
R5#ping1.1.1.1solo0
.!!!!
R4#shcryisaksadet
CCIESecurity
Page84of322
rencRSAencryption
IPv4CryptoISAKMPSA
Cid Local Remote IVRF Status Encr Hash Auth DH Lifetime
Cap.
100110.1.104.4192.168.1.10ACTIVEdessharsig2 23:58:20
Engineid:Connid= SW:1
Thepeershavebeenauthenticatedbyusingcertificatesrsigindicatesthat.show
crypto isakmpsadetail may be used to determine whichISAKMP policyhasbeen chosen
bythepeers.
IPv6CryptoISAKMPSA
R4#shcryengconnac
1001IKESHA+DES0010.1.104.4
2001IPsecDES+SHA0410.1.104.4
2002IPsecDES+SHA4010.1.104.4
R4#shcrysess
Peer:192.168.1.10port500
This command shows the peers, status of the tunnel and definition of interesting
traffic.
R4#shcryipssa
protectedvrf:(none)
local ident(addr/mask/prot/port):(4.4.4.4/255.255.255.255/0/0)
currentoutboundspi:0x21D3F08A(567537802)
inboundespsas:
spi:0x13B6803F(330727487)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x21D3F08A(567537802)
CCIESecurity
Page85of322
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#shcryisaksadet
rencRSAencryption
IPv4CryptoISAKMPSA
100510.1.105.5192.168.1.10ACTIVE3desmd5rsig2 23:58:54
IPv6CryptoISAKMPSA
R5#shcryengconnac
1005IKEMD5+3DES0010.1.105.5
2003IPsec3DES+MD50410.1.105.5
2004IPsec3DES+MD54010.1.105.5
R5#shcrysess
Peer:192.168.1.10port500
R5#shcryipssa
protectedvrf:(none)
currentoutboundspi:0xF539870C(4114188044)
inboundespsas:
spi:0x5FF3F295(1609822869)
IVsize:8bytes
Status:ACTIVE
CCIESecurity
Page86of322
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xF539870C(4114188044)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
ASA1(config)#shcryisak
ActiveSA:2
TotalIKESA:2
1
IKEPeer:10.1.104.4
IKEPeer:10.1.105.5
GlobalIKEStatistics
ActiveTunnels:2
PreviousTunnels:6
InOctets:73056
InPackets:501
InDropPackets:54
InNotifys:376
InP2Exchanges:6
OutOctets:50884
OutPackets:472
OutDropPackets:0
OutNotifys:768
OutP2Exchanges:0
InitiatorTunnels:1
InitiatorFails:1
ResponderFails:21
AuthFails:5
DecryptFails:0
HashValidFails:1
NoSaFails:10
Activeconnections:0
Inboundpackets:0
Outboundpackets:0
RSTpackets:0
Badheaders:0
Badtrailers:0
Timerfailures:0
Checksumerrors:0
Internalerrors:0
CCIESecurity
Page87of322
ASA1(config)#shcryisaksadetail
ActiveSA:2
TotalIKESA:2
1IKEPeer:10.1.104.4
Type:L2L
Role:responder
Encrypt:desHash:SHA
Auth:rsaLifetime:86400
LifetimeRemaining:86029
2IKEPeer:10.1.105.5
Type:L2L
Role:responder
Rekey:no
State:MM_ACTIVE
Encrypt:3desHash:MD5
Auth:rsaLifetime:86400
ASA1(config)#shcryipssa
interface:Outside
Cryptomaptag:CA_VPN,seqnum:2,localaddr:192.168.1.10
accesslistACL_CApermitiphost1.1.1.1host4.4.4.4
currentoutboundspi:13B6803F
inboundespsas:
spi:0x21D3F08A(567537802)
slot:0,conn_id:36864,cryptomap:CA_VPN
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000001F
outboundespsas:
spi:0x13B6803F(330727487)
slot:0,conn_id:36864,cryptomap:CA_VPN
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
Cryptomaptag:US_VPN,seqnum:1,localaddr:192.168.1.10
accesslistACL_USpermitiphost1.1.1.1host5.5.5.5
CCIESecurity
Page88of322
currentoutboundspi:5FF3F295
inboundespsas:
spi:0xF539870C(4114188044)
slot:0,conn_id:40960,cryptomap:US_VPN
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000001F
outboundespsas:
spi:0x5FF3F295(1609822869)
slot:0,conn_id:40960,cryptomap:US_VPN
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
Connection:CA_VPN
Protocol:IKEIPsec
Encryption:DESHashing:SHA1
LoginTime:03:43:19UTCFriJul232010
Duration:0h:06m:34s
Connection:US_VPN
Protocol:IKEIPsec
Duration:0h:05m:11s
ASA1(config)#Jul23 03:43:19 [IKEv1]: IP =10.1.104.4, IKE_DECODERECEIVEDMessage (msgid=0)
withpayloads: HDR + SA(1)+ VENDOR (13) +VENDOR(13)+ VENDOR (13) +VENDOR (13)+ NONE
(0)totallength:164
Jul2303:43:19[IKEv1DEBUG]:IP=10.1.104.4,processingIKESApayload
Jul2303:43:19[IKEv1DEBUG]:IP=10.1.104.4,IKESAProposal#1,Transform#1acceptable
MatchesglobalIKEentry#5
Jul2303:43:19[IKEv1DEBUG]:IP=10.1.104.4,constructingNATTraversalVIDver02payload
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, constructing Fragmentation VID + extended
capabilitiespayload
HDR+SA(1)+VENDOR(13)+VENDOR(13)+NONE(0)totallength:128
:HDR+KE(4)+NONCE(10)+CERT_REQ(7)+VENDOR(13)+VENDOR(13)+VENDOR(13)+NATD
(130)+NATD(130)+NONE(0)totallength:308
CCIESecurity
Page89of322
Jul2303:43:19[IKEv1DEBUG]:IP=10.1.104.4,ProcessingIOS/PIXVendorIDpayload(version:
1.0.0,capabilities:00000f6f)
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Constructing ASA spoofing IOS Vendor ID
Jul2303:43:19[IKEv1DEBUG]:IP=10.1.104.4,GeneratingkeysforResponder...
HDR+ KE (4) +NONCE (10) +CERT_REQ(7) + VENDOR (13) +VENDOR(13)+ VENDOR (13) +VENDOR
:HDR+ID(5)+CERT(6)+SIG(9)+NOTIFY(11)+NONE(0)totallength:766
Jul2303:43:19[IKEv1DECODE]:IP=10.1.104.4,ID_FQDNIDreceived,len24
0000:52342E4D6963726F6E69637354726169
R4.MicronicsTrai
0010:6E696E672E636F6D
ning.com
Note that ID_FQDN ID type has been received by the ASA. ID_FQDN is written in the
certificateusedforpeerauthentication.
Jul2303:43:19[IKEv1DECODE]:DumpofreceivedSignature,len128:
0000:31F1AF7C7B26690892DFF3ABC547EEAE1..|{&i......G..
0010:AF8853FFF4082F912D78869CA38BBF41..S.../.x.....A
0020:63185454A7E6B25000BFBF6A36F1EACDc.TT...P...j6...
0030:849CA235908F61FAEC4D8BBE0D7ADBBA...5..a..M...z..
0040:0A83E0237E22EEB6677034C2D17E04ED...#~"..gp4..~..
0050:97621F2613A12C1C1497D0B92AE52E03.b.&..,.....*...
0060:532B7B904F67F6F43C954E8E2D9E0B66S+{.Og..<.N...f
0070:A85A1EEE216F86A91CDF4EFA81FE317C.Z..!o....N...1|
Jul2303:43:19[IKEv1DEBUG]:IP=10.1.104.4,processingnotifypayload
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, Automatic NAT Detection Status: Remote end is
Jul2303:43:19[IKEv1]:IP=10.1.104.4,Tryingtofindgroupviacertrules...
Jul2303:43:19[IKEv1]:IP=10.1.104.4,Connectionlandedontunnel_groupCA_VPN
tunnelgroupmap has caused that the connection has been properly assigned to the
configured tunnelgroup. This assignement has been based on certificatemap which
examinesthecertificatesfieldvalues.
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,peerIDtype2received(FQDN)
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,PeerIDcheckbypassed
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingIDpayload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingcertpayload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingRSAsignature
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,ComputinghashforISAKMP
Jul2303:43:19[IKEv1DECODE]:ConstructedSignatureLen:128
Jul2303:43:19[IKEv1DECODE]:ConstructedSignature:
0000:09458DE0978EE65FFA3A707514E03532.E....._.:pu..52
0010:73AD3FFF2820C9124EF30FB1A48A91F7s.?.(..N.......
CCIESecurity
Page90of322
0020:8D042A8B884D571CD1FED0FB53271E43..*..MW.....S'.C
0030:29217A90C9BDC3E3BAE510EE9CCEA703)!z.............
0040:673D0A25DCE4A48EFF73B4A48C0B963Fg=.%.....s.....?
0050:389C842A83C2ADB41153CACCE3E246C88..*.....S....F.
0060:7C0F8A22F4E4365460CDD30AD16BD027|.."..6T`....k.'
0070:A5A9497999F6B8FE4920B5DA0C95A677..Iy....I.....w
Jul 23 03:43:19 [IKEv1 DEBUG]: IP = 10.1.104.4, Constructing IOS keep alive payload:
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingdpdvidpayload
HDR+ID(5)+CERT(6)+SIG(9)+IOSKEEPALIVE(128)+VENDOR(13)+NONE(0)totallength
:818
Jul2303:43:19[IKEv1]:Group=CA_VPN,IP=10.1.104.4,PHASE1COMPLETED
Phase1completedtheQuickModehasbegun.
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,StartingP1rekeytimer:64800
seconds.
Jul2303:43:19[IKEv1DECODE]:IP=10.1.104.4,IKEResponderstartingQM:msgid=9b5f88d8
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=9b5f88d8) with
length:296
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processinghashpayload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processingSApayload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processingnoncepayload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processingkepayload
Jul23 03:43:19 [IKEv1 DEBUG]:Group =CA_VPN,IP = 10.1.104.4,processing ISA_KEforPFSin
phase2
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processingIDpayload
Jul2303:43:19[IKEv1DECODE]:Group=CA_VPN,IP=10.1.104.4,ID_IPV4_ADDRIDreceived
4.4.4.4
Jul23 03:43:19 [IKEv1]: Group= CA_VPN, IP =10.1.104.4, Received remoteProxy Host datain
IDPayload:Address4.4.4.4,Protocol0,Port0
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processingIDpayload
Jul2303:43:19[IKEv1DECODE]:Group=CA_VPN,IP=10.1.104.4,ID_IPV4_ADDRIDreceived
1.1.1.1
Jul2303:43:19[IKEv1]:Group=CA_VPN,IP=10.1.104.4,ReceivedlocalProxyHostdatainID
Payload:Address1.1.1.1,Protocol0,Port0
Local and remote proxies presented by the remote peer match locally configured
proxies.
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, QM IsRekeyed old sa not found by
addr
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Mismatch: P1 Authentication
algorithminthecryptomapentrydifferentfromnegotiatedalgorithmfortheL2Lconnection
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, IKE Remote Peer configured for
cryptomap:CA_VPN
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processingIPSecSApayload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, IPSec SA Proposal # 1,
Jul2303:43:19[IKEv1]:Group=CA_VPN,IP=10.1.104.4,IKE:requestingSPI!
Jul23 03:43:19 [IKEv1 DEBUG]:Group =CA_VPN, IP = 10.1.104.4, IKE got SPI fromkeyengine:
SPI=0x21d3f08a
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,oakleyconstuctingquickmode
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing blank hash
payload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingIPSecSApayload
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, constructing IPSec nonce
payload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingpfskepayload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingproxyID
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,TransmittingProxyId:
TheASAhaspresenteditsproxytotheremotepeer(R4).
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,constructingqmhashpayload
Jul2303:43:19[IKEv1DECODE]:Group=CA_VPN,IP=10.1.104.4,IKERespondersending2ndQM
pkt:msgid=9b5f88d8
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE SENDING Message (msgid=9b5f88d8) with
payloads: HDR +HASH(8) +SA (1) +NONCE (10) + KE(4)+ ID (5) +ID (5) + NONE (0) total
length:296
CCIESecurity
Page91of322
Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=9b5f88d8) with

Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,processinghashpayload
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,loadingallIPSECSAs
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,GeneratingQuickModeKey!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, NP encrypt rule look up for
cryptomapCA_VPN2matchingACLACL_CA:returnedcs_id=d7beba18rule=d7bef8f8
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,GeneratingQuickModeKey!
Jul 23 03:43:19 [IKEv1 DEBUG]: Group = CA_VPN, IP = 10.1.104.4, NP encrypt rule look up for
cryptomapCA_VPN2matchingACLACL_CA:returnedcs_id=d7beba18rule=d7bef8f8
Jul 23 03:43:19 [IKEv1]: Group = CA_VPN, IP = 10.1.104.4, Security negotiation complete for
LANtoLANGroup(CA_VPN)Responder,InboundSPI=0x21d3f08a,OutboundSPI=0x13b6803f
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,IKEgotaKEY_ADDmsgforSA:
SPI=0x13b6803f
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,Pitcher:receivedKEY_UPDATE,
spi0x21d3f08a
Jul2303:43:19[IKEv1DEBUG]:Group=CA_VPN,IP=10.1.104.4,StartingP2rekeytimer:3420
seconds.
Jul2303:43:19[IKEv1]:Group=CA_VPN,IP=10.1.104.4,PHASE2COMPLETED(msgid=9b5f88d8)
ASA1(config)#unall
CCIESecurity
Page92of322
Lab2.9.
SitetoSiteIPSecVPNusingPSK
(IOSASAHairpinning)
LabSetup:
interface
CCIESecurity
Page93of322
IPAddressing:
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
has two branch offices: one in US(R5) andotherin Canada (R4).All routershave
staticIPaddresses.ConfigurethefollowingSitetoSiteIPSecTunnels:
Tunnel
Endpoint
SRC
DST
ISAKMPPolicy
Network Network
R5ASA1 5.5.5.5
1.1.1.1
Authentication:PSK
Encryption:3DES
Group:2
Hash:MD5
Key:R5ASA
R4ASA1 4.4.4.4
1.1.1.1
Authentication:PSK
Encryption:DES
Group:2
Hash:SHA
Key:R4ASA
IPSecPolicy
Encryption:
ESP/3DES
Authentication:
ESP/MD5
Encryption:ESP/DES
Authentication:
ESP/SHA
ConfiguretheaboveIPSectunnelsandensurebranchnetworkscancommunincate
betweeneachotherusingHeadquartershubdevice.
OnASA1
ASA1(configisakmppolicy)#authenticationpreshare
ASA1(configisakmppolicy)#encryption3des
ASA1(configisakmppolicy)#authenticationpreshare
ASA1(configisakmppolicy)#encryptiondes
ASA1(configisakmppolicy)#hashsha
CCIESecurity
Page94of322
ASA1(configtunnelipsec)#presharedkeyR5ASA
ASA1(configtunnelipsec)#exi
ASA1(configtunnelipsec)#presharedkeyR4ASA
ASA1(configtunnelipsec)#exi
ASA1(config)#accesslistCRYPTOACLR5extendedpermitiphost1.1.1.1host5.5.5.5
AdditionalACEsallowtocommunicateIPSecprotectedIPaddressesofR4andR5
throughouthairpinnedtunnelsonASAsoutsideinterface.
ASA1(config)#cryptoipsectransformsetESP3DESMD5esp3desespmd5hmac
ASA1(config)#cryptoipsectransformsetESPDESSHAespdesespshahmac
ASA1(config)#cryptomapENCRYPT_OUT1matchaddressCRYPTOACLR5
ASA1(config)#cryptomapENCRYPT_OUT1settransformsetESP3DESMD5
ASA1(config)#cryptomapENCRYPT_OUT2matchaddressCRYPTOACLR4
ASA1(config)#cryptomapENCRYPT_OUT2settransformsetESPDESSHA
ASA1(config)#samesecuritytrafficpermitintrainterface
Thecapabilitytorouteatrafficinandoutofthesameinterfacehasbeenenabled
OnR5
R5(configisakmp)#cryptoisakmpkeyR5ASAaddress192.168.1.10
R5(cfgcryptotrans)#exi
R5(configcryptomap)#exi
R5(config)#intf0/0
R5(configif)#exi
OnR4
CCIESecurity
Page95of322
R4(configisakmp)#cryptoisakmpkeyR4ASAaddress192.168.1.10
R4(config)#cryptoipsectransformsetTSETespdesespshahmac
R4(config)#intf0/0
OnASA2
ASA2(config)#accesslistOUTSIDE_INpermitudphost192.168.1.10eq500host10.1.104.4eq
500
ASA2(config)#accesslistOUTSIDE_INpermitudphost192.168.1.10eq500host10.1.105.5eq
500
ASA2(config)#accessgroupOUTSIDE_INininterfaceoutside
TheaboveACLiscreatedtoallowIKEtunnelsetupfromASA1toR4/R5becausethere
maybeacasewhereR4issendingsomethingbehindR5andthereisnotunnelbetween
R5andASA1alreadyestablished.Inthatcase,theASA1mustbeabletoestablisha
tunneltoR5tohandlethattraffic.
Verification
R4#pi1.1.1.1solo0
!!!!!
R4#pi5.5.5.5solo0
!!!!!
R4#shcryisasadet
rencRSAencryption
IPv4CryptoISAKMPSA
100210.1.104.4192.168.1.10ACTIVEdesshapsk2 23:41:30
IPv6CryptoISAKMPSA
R4#shcryengconnac
CCIESecurity
Page96of322
1002IKESHA+DES0010.1.104.4
2003IPsecDES+SHA0510.1.104.4
2004IPsecDES+SHA5010.1.104.4
2005IPsecDES+SHA0510.1.104.4
2006IPsecDES+SHA
19010.1.104.4
NotethattwoIPSecSAs(inboundandoutbound)havebeencreatedforeverylocal
remoteproxypair.
R4#shcrysess
Peer:192.168.1.10port500
TwoactiveSAsforeveryIPSecflowmentionedabovearevisiblewhencrytosessions
havebeendisplayed.
R4#shcryipssa
protectedvrf:(none)
currentoutboundspi:0x880857A4(2282248100)
inboundespsas:
spi:0x55652A60(1432693344)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x880857A4(2282248100)
IVsize:8bytes
Status:ACTIVE
OnepairofSAshavebeencreatedfor4.4.4.4/32and1.1.1.1/32.
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page97of322
currentoutboundspi:0xAFFA8D8D(2952433037)
inboundespsas:
spi:0xFC97ED38(4237815096)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xAFFA8D8D(2952433037)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
ThesecondpairofSAshavebeencreatedfor4.4.4.4/32and5.5.5.5/32.
R5#shcryisaksadet
rencRSAencryption
IPv4CryptoISAKMPSA
100110.1.105.5192.168.1.10ACTIVE3desmd5psk2 23:57:07
IPv6CryptoISAKMPSA
R5#shcrysess
Peer:192.168.1.10port500
R5#shcryipssa
CCIESecurity
Page98of322
protectedvrf:(none)
Notrafficforthatflowyet
currentoutboundspi:0x0(0)
inboundespsas:
inboundahsas:
inboundpcpsas:
outboundespsas:
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x8689FE2F(2257190447)
inboundespsas:
spi:0xD396C0D5(3549872341)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x8689FE2F(2257190447)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page99of322
ASA1(config)#shcryisasadet
ActiveSA:2
TotalIKESA:2
1IKEPeer:10.1.104.4
Encrypt:desHash:SHA
Auth:presharedLifetime:86400
2IKEPeer:10.1.105.5
Type:L2LRole:initiator
Encrypt:3desHash:MD5
NotethatbecauseR4pingedR5theASA1isanInitiatorforthesecondL2Ltunnel.
interface:Outside
accesslistCRYPTOACLR4permitiphost1.1.1.1host4.4.4.4
currentoutboundspi:55652A60
inboundespsas:
spi:0x880857A4(2282248100)
inusesettings={L2L,Tunnel,}
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000003F
outboundespsas:
spi:0x55652A60(1432693344)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
CCIESecurity
Page100 of 322
currentoutboundspi:FC97ED38
inboundespsas:
spi:0xAFFA8D8D(2952433037)
IVsize:8bytes
Antireplaybitmap:
0x000000000x000FFFFF
outboundespsas:
spi:0xFC97ED38(4237815096)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
currentoutboundspi:D396C0D5
inboundespsas:
spi:0x8689FE2F(2257190447)
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000003F
outboundespsas:
spi:0xD396C0D5(3549872341)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
Index
:11IPAddr:4.4.4.4
Protocol:IKEIPsec
CCIESecurity
Page101 of 322
Encryption:DESHashing:SHA1
Duration:0h:20m:54s
Protocol:IKEIPsec
Duration:0h:04m:08s
CCIESecurity
Page102 of 322
Lab2.10. SitetoSiteIPSecVPNusing
EasyVPNNEM(IOSIOS)
LabSetup:
interface
CCIESecurity
Page103 of 322
IPAddressing:
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
ConfigureIPSecVPNtunnelbetweenbranchrouterswiththefollowingparameters:
Tunnel
SRC
DST
ISAKMPPolicy
IPSecPolicy
Endpoint Network Network
R5R4
5.5.5.5 4.4.4.4
Authentication:PSK Encryption:
Encryption:3DES
ESP/3DES
Group:2
Authentication:
Hash:SHA
ESP/SHA
UseEasyVPNtoconfigurethetunnelinnetworkextensionmode.RouterR3should
actasEasyVPNRemoteandrouterR4shouldbeEasyVPNServer.Usegroupname
of BRANCH_US with the password of cisco123. Configure a new user name of
easy with password of vpn123 in R4s local database and use it for extended
authentication.
OnR4
R4(config)#usernameeasypasswordvpn123
R4(config)#aaanewmodel
R4(config)#aaaauthenticationloginUSERAUTHlocal
R4(config)#aaaauthorizationnetworkGRAUTHlocal
AAAontheroutermustbeenabledbecauseEasyVPNfeaturemayuseadditionalpeer
authenticationwhichisnamedXAUTH(Extendedauthentication).Authorizationlist
(network)specifieswheresessionparameterswhichshouldbepopulatedtoaclientare
stored.
R4(configisakmp)#exit
R4(config)#cryptoisakmpclientconfigurationgroupBRANCH_US
R4(configisakmpgroup)#keycisco123
R4(configisakmpgroup)#exit
Thisisaconfigurationitemwhichenablestospecifyparameterswhicharepopulated
totheclientduringConfigMode.ConfigMode(oftencalledIKEPhase1.5)isa
specialstageofIKEduringwhichclientrequestsconfigurationparametersforthe
CCIESecurity
Page104 of 322
sessionthatisbeingnegotiated.TheEasyVPNServerpopulatestheseparametersto
EasyVPNclient.
R4(config)#cryptoipsectransformsetTSETesp3desespshahmac
R4(config)#cryptodynamicmapDYNCMAP10
ThepeerIPaddressandotherIPSecparametersareunknownatthemomentofcryptomap
configuration.Dynamiccryptomapenablestonegotiatepropervaluesduringtunnel
establishment.
R4(config)#cryptomapEASYVPNclientauthenticationlistUSERAUTH
R4(config)#cryptomapEASYVPNisakmpauthorizationlistGRAUTH
R4(config)#cryptomapEASYVPN10ipsecisakmpdynamicDYNCMAP
R4(config)#interfacef0/0
R4(configif)#cryptomapEASYVPN
R4(configif)#
OnR5
R5(config)#cryptoipsecclientezvpnEZ
R5(configcryptoezvpn)#connectauto
Theconnectionwillbeinitiatedautomatically.
R5(configcryptoezvpn)#groupBRANCH_USkeycisco123
EasyVPNgroupauthenticationitissimilartopeerauthenticationinL2Ltunnel
negotiations.Thisisadeviceauthentication.
R5(configcryptoezvpn)#modenetworkextension
NEM(NetworkExtensionMode)enablesEasyVPNclienttopreserveitsIPaddressas
tunnelendpoint.ThetrafficinitiatedfromtheclientinsidenetworkisnotNATedso
thatitallowstoconnecttothisnetworkfromthenetworksbehindtheEasyVPNserver.
R5(configcryptoezvpn)#peer10.1.104.4
EasyVPNServerIPaddress.
R5(configcryptoezvpn)#xauthuseridmodeinteractive
InteractiveenteringoftheusercredentialthatwillbeusedduringExtended
Authentication(XAUTH).ThesecredentialshavetobeenteredduringeveryIKE
negotaitions.ThecredentialstorageintheEasyVPNclientconfigurationhavetobe
exclusivelyenabledintheEasyVPNServerconfiguration(savepasswordcommandinthe
groupconfiguration).
R5(configcryptoezvpn)#exi
R5(config)#intlo0
R5(configif)#cryptoipsecclientezvpnEZinside
R5(configif)#exit
R5(config)#intf0/0
R5(configif)#cryptoipsecclientezvpnEZoutside
R5(configif)#
ThesecommandsdefinetheinsideandoutsideinterfacesoftheEasyVPNClient.Outside
interfaceisusedforIPSectunneltermination.
AfterawhilethefollowingerrormessageappearsonR5.SinceIPSectunnelneedsto
beestablishedbetweentwopeerswhoareondifferentinterfacesofASAbutwiththe
samesecuritylevelof100.ThismustbeexplicitlyallowedontheASA.
%CRYPTO6EZVPN_CONNECTION_DOWN:(Client)User=Group=BRANCH_US
Client_public_addr=10.1.105.5 Server_public_addr=10.1.104.4
CCIESecurity
Page105 of 322
OnASA2
OnR5
R5#
EZVPN(EZ):PendingXAuthRequest,Pleaseenterthefollowingcommand:
EZVPN:cryptoipsecclientezvpnxauth
R5#
R5#cryptoipsecclientezvpnxauth
Username:easy
Password:
R5#
%CRYPTO6EZVPN_CONNECTION_UP:(Client)User=Group=BRANCH_USClient_public_addr=10.1.105.5
Server_public_addr=10.1.104.4NEM_Remote_Subnets=5.5.5.0/255.255.255.0
TheuserandthepasswordhavebeenprovidedforXAUTH.NotethatEasyVPNconnection
isup.Theclientinformstheserveraboutitsinsidenetworks.Thesenetworksmaybe
injectedintotheserversroutingtablewhenreverseroutefeatureis.
Verification
R5#ping4.4.4.4solo0
!!!!!
Theconnectionisestablished.R5isabletopingR4sloopbackthroughtheIPSec
tunnel.
R5#shcryptoipsecclientezvpn
EasyVPNRemotePhase:8
Tunnelname:EZ
Insideinterfacelist:Loopback0
Outsideinterface:FastEthernet0/0
CurrentState:IPSEC_ACTIVE
LastEvent:MTU_CHANGED
SavePassword:Disallowed
CurrentEzVPNPeer:10.1.104.4
EasyVPNsessionstatus.NotethatsavingXAUTHpasswordisdisabled(thisisadefault
setting).
R5#shcryptoisakmpsadet
rencRSAencryption
IPv4CryptoISAKMPSA
100210.1.105.510.1.104.4ACTIVE3dessha
2 23:59:10CX
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
Cryptomaptag:FastEthernet0/0head0,localaddr10.1.105.5
protectedvrf:(none)
CCIESecurity
Page106 of 322
Notethatremoteproxyidentityis0.0.0.0/0thatmeansany.BydefaultEasyVPN
disallowtheclienttotransmitunencryptedtrafficapartfromestablishedIPSec
tunnel.ThismaybechangedwhensplittunnelfeatureisenabledontheEasyVPN
server.
currentoutboundspi:0xB33E0E9(187949289)
inboundespsas:
spi:0x428A6416(1116365846)
transform:esp3desespshahmac,
connid:2001,flow_id:NETGX:1,sibling_flags80000046,cryptomap:FastEthernet0/0
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB33E0E9(187949289)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#pi5.5.5.5solo0
!!!!!
Notethatinsidenetworkoftheclientisaccessiblefromtheserverinsidenetwork.
Itisanadvantageofnetworkextensionmode.Incaseofusingtheclientmode
accessingtheinsideclientnetworkisnotfeasibleduetoPATenabledontheIPSec
tunnelendpointthattranslatestheclientinsidenetwork.
R4#shcryisaksadet
rencRSAencryption
IPv4CryptoISAKMPSA
100210.1.104.410.1.105.5ACTIVE3dessha2 23:58:35CX
IPv6CryptoISAKMPSA
CCIESecurity
Page107 of 322
R4#shcryptoipsecsa
Cryptomaptag:EASYVPN,localaddr10.1.104.4
protectedvrf:(none)
PERMIT,flags={}
currentoutboundspi:0x428A6416(1116365846)
inboundespsas:
spi:0xB33E0E9(187949289)
R4#shcryptomap
CryptoMap"EASYVPN"10ipsecisakmp
Dynamicmaptemplatetag:DYNCMAP
CryptoMap"EASYVPN"65536ipsecisakmp
Peer=10.1.105.5
ExtendedIPaccesslist
accesslistpermitipany5.5.5.00.0.0.255
dynamic(createdfromdynamicmapDYNCMAP/10)
Notethatdefinitionofinterestingtraffichasbeenconfigureddynamicallyby
dynamiccryptomap.Informationrelevanttotheclientinsidenetworksispassedto
theserverduringIKEnegotiation.
Currentpeer:10.1.105.5
Securityassociationlifetime:4608000kilobytes/3600seconds
ResponderOnly(Y/N):N
PFS(Y/N):N
Transformsets={
TSET:{esp3desespshahmac},
}
InterfacesusingcryptomapEASYVPN:
FastEthernet0/0
CCIESecurity
Page108 of 322
EasyVPNNEM(IOSASA)
LabSetup:
interface
CCIESecurity
Page109 of 322
IPAddressing:
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
Configure IPSec VPN tunnel between ASA1 and R5/R4 with the following
parameters:
Tunnel
SRC
DST
ISAKMPPolicy
IPSecPolicy
ASA1 1.1.1.1 5.5.5.5
R5/R4
4.4.4.4
Encryption:3DES
ESP/3DES
Group:2
Authentication:
Hash:SHA
ESP/SHA
UseEasyVPNtoconfigurethetunnelinnetworkextensionmode.R5shouldactas
EasyVPN Remote and ASA1 should be an EasyVPN Server. Use group name of
BRANCHESwiththepasswordofcisco123.
Do not use extended authentication, the branch routers should connect using only
groupcredentials. Ensure that branch routers will tunnel traffic only destined to the
networkof1.1.1.0/24.
OnASA1
ASA1(config)#accesslistEZVPNTRAFFICpermitiphost1.1.1.1host5.5.5.5
ASA1(config)#accesslistEZVPNTRAFFICpermitiphost1.1.1.1host4.4.4.4
ASA1(config)#accesslistSTstandardpermit1.1.1.0255.255.255.0
ASA1(config)#grouppolicyEZPOLICYinternal
Thegrouppolicycontainsparametersthatarepasseddowntotheclientorsuch
parametersmayberequirementsthattheclienthavetofullfilbeforeIPSecsessionis
established.Notethatthisisaninternallyconfiguredgrouppolicy.Grouppolicies
maybeprovidedfromACSServer.Notethatgrouppolicydefinitionisbasedon
AttributeValuepairs.
ASA1(config)#grouppolicyEZPOLICYattributes
ASA1(configgrouppolicy)#splittunnelpolicytunnelspecified
ASA1(configgrouppolicy)#splittunnelnetworklistvalueST
ASA1(configgrouppolicy)#nemenable
NetworkExtensionModehasbeenenabled.Thispolicyincludesalsothedefinitionof
splittunneling.Thisfeatureenablestheservertodefinetheexceptionsofdefault
rulethatenforcingfulltrafficencryptionbetweentheclientandtheserver.The
trafficdefinitionismadebyanACLwhichistiedtogrouppolicybythecommandof
splittunnelnetworklist.
CCIESecurity
Page110 of 322
splittunnelpolicydefinesthepolicywhichisappliedforatrafficchosenbythe
splittunnelACL.Thetrafficmaybeencryptediftunnelspecifiedisenabledorthe
trafficisexcludedfromencryptionifexcludespecifiedisenabled.Atunnelall
optionmayalsobeusedbutencryptionofallthetrafficisthedefault.Notethat
fromtheclientperspectivethenetworkdefinedbytheACLinsplittunnelinginfact
definesadestinationofthetrafficratherthanthesource.
ASA1(configgrouppolicy)#exit
ASA1(config)#isakmpenableOutside
ASA1(config)#cryptoisakmppolicy1authenticationpreshare
ASA1(config)#cryptoisakmppolicy1encryption3des
ASA1(config)#cryptoisakmppolicy1hashsha
ASA1(config)#cryptoisakmppolicy1group2
ASA1(config)#tunnelgroupBRANCHEStyperemoteaccess
ASA1(config)#tunnelgroupBRANCHESgeneralattributes
ASA1(configtunnelgeneral)#defaultgrouppolicyEZPOLICY
ASA1(configtunnelgeneral)#exit
TunnelgroupforEasyVPNclientshasbeendefined.Notethatgrouppolicyhasbeen
tiedtotunnelgroupasitsgeneralattribute.
ASA1(config)#tunnelgroupBRANCHESipsecattributes
ASA1(configtunnelipsec)#presharedkeycisco123
ASA1(configtunnelipsec)#isakmpikev1userauthenticationnone
XAUTHhasbeendisabled(bydefaultASArequiresXAUTH).Onlythepeerauthenticaton
willbeperformed.
ASA1(config)#cryptoipsectransformsetTSETesp3desespshahmac
ASA1(config)#cryptodynamicmapDYNMAP5settransformsetTSET
ASA1(config)#cryptomapENCRYPT_OUT1ipsecisakmpdynamicDYNMAP
OnASA2
TheIPSecrelatedtrafficthroughASA2hasbeenallowed.
OnR5
R5(config)#cryptoipsecclientezvpnHQ
R5(configcryptoezvpn)#groupBRANCHESkeycisco123
R5(configcryptoezvpn)#intf0/0
R5(configif)#cryptoipsecclientezvpnHQoutside
R5(configif)#intlo0
R5(configif)#cryptoipsecclientezvpnHQinside
R5(configif)#
%CRYPTO6EZVPN_CONNECTION_UP:(Client)User=Group=BRANCHESClient_public_addr=10.1.105.5
Thetunnelhasbeenestablished.Notethatenteringtheuserandpassword
interactivelyisnolongerneeded.
OnR4
R4(config)#cryptoipsecclientezvpnHQ
R4(configcryptoezvpn)#groupBRANCHESkeycisco123
CCIESecurity
Page111 of 322
R4(configcryptoezvpn)#exit
R4(config)#intf0/0
R4(configif)#cryptoipsecclientezvpnHQoutside
R4(configif)#intlo0
R4(configif)#cryptoipsecclientezvpnHQinside
R4(configif)#
%CRYPTO6EZVPN_CONNECTION_UP:(Client)User=Group=BRANCHESClient_public_addr=10.1.104.4
Verification
R4#ping1.1.1.1solo0
!!!!!
R4#shcryisaksadet
rencRSAencryption
IPv4CryptoISAKMPSA
100310.1.104.4192.168.1.10ACTIVE3desshapsk2 23:57:23C
Notethatauthenticationbyusingtunnelgroupnameandthepasswordistreatedas
presharedISAKMPpeerauthentication.
IPv6CryptoISAKMPSA
R4#shcryipssa
protectedvrf:(none)
currentoutboundspi:0x63FABD04(1677376772)
inboundespsas:
spi:0xD3631C04(3546487812)
head0
IVsize:8bytes
CCIESecurity
Page112 of 322
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x63FABD04(1677376772)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#shcrysess
Peer:192.168.1.10port500
IPSECFLOW:permitip4.4.4.0/255.255.255.01.1.1.0/255.255.255.0
Tunnelname:HQ
SplitTunnelList:1
Address:1.1.1.0
Mask:255.255.255.0
Protocol:0x0
SourcePort:0
DestPort:0
TheclienthasobtainedsplittunnelconfigurationfromtheserverduringModeConfig.
Protocolvalue0x0meansthatallIPtrafficto1.1.1.0/24willbeencrypted.
R5#ping1.1.1.1solo0
!!!!!
R5#shcryisasadet
rencRSAencryption
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
R5#shcryipssa
CCIESecurity
Page113 of 322
protectedvrf:(none)
currentoutboundspi:0x8AD193D1(2328990673)
inboundespsas:
spi:0xDAA2BC9A(3668098202)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x8AD193D1(2328990673)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#shcrysess
Peer:192.168.1.10port500
IPSECFLOW:permitip5.5.5.0/255.255.255.01.1.1.0/255.255.255.0
Tunnelname:HQ
SplitTunnelList:1
Address:1.1.1.0
Mask:255.255.255.0
Protocol :0x0
SourcePort:0
DestPort:0
CCIESecurity
Page114 of 322
ASA1(config)#shcryisaksadet
ActiveSA:2
TotalIKESA:2
1IKEPeer:10.1.105.5
Type:userRole:responder
Rekey:noState:AM_ACTIVE
Encrypt:3desHash:SHA
2IKEPeer:10.1.104.4
Type:userRole:responder
Rekey:noState:AM_ACTIVE
Encrypt:3desHash:SHA
NotethatASAplaystheroleofresponderforthebothconnectonbecausethetunnels
havebeeninitiatedfromtheclientside.
interface:Outside
Cryptomaptag:DYNMAP,seqnum:5,localaddr:192.168.1.10
current_peer:10.1.104.4,username:BRANCHES
dynamicallocatedpeerip:0.0.0.0
currentoutboundspi:D3631C04
inboundespsas:
spi:0x63FABD04(1677376772)
transform:esp3desespshahmacnocompression
inusesettings={RA,Tunnel,}
slot:0,conn_id:73728,cryptomap:DYNMAP
satiming:remainingkeylifetime(sec):28659
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000003F
outboundespsas:
spi:0xD3631C04(3546487812)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
Cryptomaptag:DYNMAP,seqnum:5,localaddr:192.168.1.10
current_peer:10.1.105.5,username:BRANCHES
dynamicallocatedpeerip:0.0.0.0
CCIESecurity
Page115 of 322
currentoutboundspi:DAA2BC9A
inboundespsas:
spi:0x8AD193D1(2328990673)
IVsize:8bytes
Antireplaybitmap:
0x000000000x0000003F
outboundespsas:
spi:0xDAA2BC9A(3668098202)
IVsize:8bytes
Antireplaybitmap:
0x000000000x00000001
ASA1(config)#shvpnsessiondbraprotocol
FilterGroup:All
TotalActiveTunnels:4
CumulativeTunnels:29
ProtocolTunnelsPercent
IKE250%
IPsec250%
IPsecLAN2LAN00%
IPsecLAN2LANOverNatT00%
IPsecOverNatT00%
IPsecOverTCP00%
IPsecOverUDP00%
L2TPOverIPsec00%
L2TPOverIPsecOverNatT00%
Clientless0
0%
PortForwarding00%
IMAP4S00%
POP3S00%
SMTPS00%
SSLTunnel00%
DTLSTunnel
00%
Notethatvpnsessiondatabaseindicatedthattherearefouractivetunnels:twoofIKE
andtwoofIPSec.
ASA1(config)#shvpnsessiondbremote
SessionType:IPsec
Username:BRANCHES
Index:16
AssignedIP :5.5.5.0PublicIP:10.1.105.5
Protocol:IKEIPsec
License:IPsec
Encryption:3DESHashing:SHA1
GroupPolicy:EZPOLICYTunnelGroup:BRANCHES
Duration:0h:03m:26s
NACResult:Unknown
VLANMapping:N/AVLAN:none
Username:BRANCHES
AssignedIP:4.4.4.0
Protocol:IKEIPsec
License:IPsec
CCIESecurity
Index:18
PublicIP:10.1.104.4
Page116 of 322
Encryption:3DESHashing:SHA1
GroupPolicy:EZPOLICYTunnelGroup:BRANCHES
Duration:0h:03m:05s
NACResult:Unknown
VLANMapping:N/AVLAN:none
Showvpnsessiondbremotedisplaysinformationrelevattotunnelsestablishedwith
remotepeers.NotethatNetworkExtensionModemakesinsideclientnetworkvisible.
:HDR+SA(1)+VENDOR(13)+VENDOR(13)+VENDOR(13)+VENDOR(13)+KE(4)+NONCE(10)+
ID(5)+VENDOR(13)+VENDOR(13)+VENDOR(13)+VENDOR(13)+NONE(0)totallength:1140
Jul2306:15:33[IKEv1DEBUG]:IP=10.1.105.5,ClaimstobeIOSbutfailedauthentication
Jul2306:15:33[IKEv1DEBUG]:IP=10.1.105.5,ReceivedCiscoUnityclientVID
Jul2306:15:33[IKEv1]:IP=10.1.105.5,Connectionlandedontunnel_groupBRANCHES
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,Novalidauthenticationtypefound
forthetunnelgroup
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingIKESApayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IKESAProposal#1,
Transform#17acceptableMatchesglobalIKEentry#3
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingISAKMPSA
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingkepayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingnoncepayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,Generatingkeysfor
Responder...
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingIDpayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructinghashpayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,ComputinghashforISAKMP
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingCiscoUnityVID
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingxauthV6VID
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingdpdvidpayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingNATTraversal
VIDver02payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingNATDiscovery
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,computingNATDiscoveryhash
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingNATDiscovery
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingFragmentation
VID+extendedcapabilitiespayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingVIDpayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,SendAltiga/Cisco
VPN3000/CiscoASAGWVID
HDR+SA(1)+KE(4)+NONCE(10)+ID(5)+HASH(8)+VENDOR(13)+VENDOR(13)+VENDOR
(13)+VENDOR(13)+NATD(130)+NATD(130)+VENDOR(13)+VENDOR(13)+NONE(0)total
length:440
CCIESecurity
Page117 of 322
:HDR+HASH(8)+NATD(130)+NATD(130)+NOTIFY(11)+NONE(0)totallength:128
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processinghashpayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,ComputinghashforISAKMP
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingNATDiscovery
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingNATDiscovery
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingnotifypayload
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,AutomaticNATDetectionStatus:
RemoteendisNOTbehindaNATdeviceThisendisNOTbehindaNATdevice
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IKEGetUserAttributes:
primaryDNS=cleared
secondaryDNS=cleared
primaryWINS=cleared
secondaryWINS=cleared
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IKEGetUserAttributes:split
tunnelinglist=ST
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IKEGetUserAttributes:IP
Compression=disabled
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IKEGetUserAttributes:Split
TunnelingPolicy=SplitNetwork
BrowserProxySetting=nomodify
BrowserProxyBypassLocal=disable
Thesessionparametershavebeensetandpreparedforpassingthemtotheclient.Note
thatsplittunnelnetworklistandpolicyarevisible.Undefinedparametersinthe
grouppolicyhavebeenmarkedascleared.
Jul2306:15:33[IKEv1]:IP=10.1.105.5,IKE_DECODERECEIVEDMessage(msgid=a776bd6d)with
payloads:HDR+HASH(8)+ATTR(14)+NONE(0)totallength:380
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,process_attr():Enter!
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,ProcessingcfgRequest
attributes
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,Receivedunknowntransactionmode
attribute:28692
attribute:28693
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,MODE_CFG:Receivedrequest
forDNSserveraddress!
forDNSserveraddress!
forWINSserveraddress!
forWINSserveraddress!
forSplitTunnelList!
forSplitDNS!
forDefaultDomainName!
forSavePWsetting!
forLocalLANInclude!
forPFSsetting!
forbackupipsecpeerlist!
forApplicationVersion!
ModeConfighasbeenstarted.Theclienthasrequestedasetofparameterswhichwill
bepasseddownfromtheserver.Theclienthasrequestedthefollowing:DNSserver,
WINSserver,Splittunnellist,SplittunnelDNS(theDNSserverwhichwillbeused
forinquiringaboutnamesthroughthetunnel),allowanceforsavingtheXAUTHpassword
locallyontheclient,allowanceforcommunicationwithlocallanwithoutan
encryption,PFSsettingsandthelistofbackuppeers(EasyVPNservers).
CCIESecurity
Page118 of 322
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,ClientType:IOSClient
ApplicationVersion:12.4(24)T2
forBanner!
attribute:28695
forDHCPhostnameforDDNSis:R5!
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingblankhash
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingqmhashpayload
Jul2306:15:33[IKEv1]:IP=10.1.105.5,IKE_DECODESENDINGMessage(msgid=a776bd6d)with
payloads:HDR+HASH(8)+ATTR(14)+NONE(0)totallength:172
Jul2306:15:33[IKEv1DECODE]:IP=10.1.105.5,IKEResponderstartingQM:msgid=9196d7a4
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,DelayQuickModeprocessing,
Cert/TransExch/RMDSIDinprogress
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,ResumeQuickMode
processing,Cert/TransExch/RMDSIDcompleted
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,PHASE1COMPLETED
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,StartingP1rekeytimer:
82080seconds.
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,sendingnotifymessage
payload
Jul2306:15:33[IKEv1]:IP=10.1.105.5,IKE_DECODESENDINGMessage(msgid=94a8c6f)with
Jul2306:15:33[IKEv1]:IP=10.1.105.5,IKE_DECODERECEIVEDMessage(msgid=9196d7a4)with
payloads:HDR+HASH(8)+SA(1)+NONCE(10)+ID(5)+ID(5)+NONE(0)totallength:
1280
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingSApayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingnoncepayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingIDpayload
Jul2306:15:33[IKEv1DECODE]:Group=BRANCHES,IP=10.1.105.5,ID_IPV4_ADDR_SUBNETID
received5.5.5.0255.255.255.0
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,ReceivedremoteIPProxySubnet
datainIDPayload:Address5.5.5.0,Mask255.255.255.0,Protocol0,Port0
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingIDpayload
Jul2306:15:33[IKEv1DECODE]:Group=BRANCHES,IP=10.1.105.5,ID_IPV4_ADDR_SUBNETID
received1.1.1.0255.255.255.0
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,ReceivedlocalIPProxySubnet
datainIDPayload:Address1.1.1.0,Mask255.255.255.0,Protocol0,Port0
Theclienthasinformedtheserveraboutitsinsidenetworktoestablishidentityof
localandremoteIPSecproxy.
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,QMIsRekeyedoldsanotfoundby
addr
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,IKERemotePeerconfiguredfor
cryptomap:DYNMAP
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingIPSecSApayload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IPSecSAProposal#11,
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,IKE:requestingSPI!
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IKEgotSPIfromkeyengine:
SPI=0x592ce8c6
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,oakleyconstuctingquick
mode
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingIPSecSA
payload
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,OverridingInitiator'sIPSec
rekeyingdurationfrom2147483to28800seconds
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingIPSecnonce
payload
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,constructingproxyID
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,TransmittingProxyId:
Remotesubnet:5.5.5.0Mask255.255.255.0Protocol0Port0
Localsubnet:1.1.1.0mask255.255.255.0Protocol0Port0
TheserverhasinformedtheclientaboutremoteandlocalproxyID.
CCIESecurity
Page119 of 322
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,SendingRESPONDERLIFETIME
notificationtoInitiator
Jul2306:15:33[IKEv1DECODE]:Group=BRANCHES,IP=10.1.105.5,IKERespondersending2nd
QMpkt:msgid=9196d7a4
Jul2306:15:33[IKEv1]:IP=10.1.105.5,IKE_DECODESENDINGMessage(msgid=9196d7a4)with
payloads:HDR+HASH(8)+SA(1)+NONCE(10)+ID(5)+ID(5)+NOTIFY(11)+NONE(0)
totallength:196
Jul2306:15:33[IKEv1]:IP=10.1.105.5,IKE_DECODERECEIVEDMessage(msgid=9196d7a4)with
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,loadingallIPSECSAs
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,GeneratingQuickModeKey!
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,NPencryptrulelookupfor
cryptomapDYNMAP5matchingACLUnknown:returnedcs_id=d791a4b0rule=00000000
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,GeneratingQuickModeKey!
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,NPencryptrulelookupfor
cryptomapDYNMAP5matchingACLUnknown:returnedcs_id=d791a4b0rule=00000000
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,Securitynegotiationcompletefor
User(BRANCHES)Responder,InboundSPI=0x592ce8c6,OutboundSPI=0xf1e42b1c
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,IKEgotaKEY_ADDmsgfor
SA:SPI=0xf1e42b1c
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,Pitcher:received
KEY_UPDATE,spi0x592ce8c6
Jul2306:15:33[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,StartingP2rekeytimer:
27360seconds.
Jul2306:15:33[IKEv1]:Group=BRANCHES,IP=10.1.105.5,PHASE2COMPLETED(msgid=9196d7a4)
Jul2306:15:34[IKEv1]:IP=10.1.105.5,IKE_DECODERECEIVEDMessage(msgid=2468295b)with
Jul2306:15:34[IKEv1DEBUG]:Group=BRANCHES,IP=10.1.105.5,processingnotifypayload
Jul2306:15:34[IKEv1DECODE]:OBSOLETEDESCRIPTORINDEX1
Jul2306:15:34[IKEv1DECODE]:0000:000000007534000352352E7532000A43....u4..R5.u2..C
0010:6973636F20323831317535000B46484Bisco2811u5..FHK
0020:303834394631424175300009323537350849F1BAu0..2575
0030:3430303936753100093133303135383540096u1..1301585
0040:3932753600093232383538393536387592u6..228589568u
0050:39000836333031393630387533002E669..63019608u3..f
0060:6C6173683A63323830306E6D2D616476lash:c2800nmadv
0070:656E74657270726973656B392D6D7A2Eenterprisek9mz.
0080:3132342D32342E54322E62696E12424.T2.bin
ASA1(config)#unall
Verification(deepdive)
AlternativelyyoucanuseISAKMPcapuretogetallIKEpacketsandanalizetheir
content.Theoutputisprettylongbutitsworthtoseeit.
ASA1(config)#captureIKEtypeisakmpinterfaceoutside
ASA1(config)#shocaptureIKE
18packetscaptured
1:06:37:20.4718426010.1.105.5.500>192.168.1.10.500:udp1140
2:06:37:20.47184270192.168.1.10.500>10.1.105.5.500:udp440
3:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp132
4:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp132
5:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp388
6:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp388
7:06:37:20.47184320192.168.1.10.500>10.1.105.5.500:udp172
8:06:37:20.47184320192.168.1.10.500>10.1.105.5.500:udp172
9:06:37:20.4718435010.1.105.5.500>192.168.1.10.500:udp1284
10:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp92
11:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp92
12:06:37:20.4718435010.1.105.5.500>192.168.1.10.500:udp1284
13:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp196
14:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp196
15:06:37:20.4718436010.1.105.5.500>192.168.1.10.500:udp60
16:06:37:20.4718436010.1.105.5.500>192.168.1.10.500:udp60
17:06:37:21.4718502010.1.105.5.500>192.168.1.10.500:udp212
18:06:37:21.4718502010.1.105.5.500>192.168.1.10.500:udp212
18packetsshown
CCIESecurity
Page120 of 322
Note:18packetshasbeencaptured.Letsseewhattheycontain.
ASA1(config)#shocaptureIKEdecode
18packetscaptured
SeethatR5sendsIKEpacketinAggressiveMode.Itcontainsalmostallrequired
informationlikeSAProposals,Groupname,KeyExchange,andidentityinfoseegreyed
fields.RememberthattheaggressivemodeinEasyVPNisusedwhenISAKMPpeer
authenticationisbasedonpresharedkey.
1:06:37:20.4718426010.1.105.5.500>192.168.1.10.500:udp1140
ISAKMPHeader
InitiatorCOOKIE:783b9bea4d010b3f
ResponderCOOKIE:0000000000000000
NextPayload:SecurityAssociation
Version:1.0
ExchangeType:AggressiveMode
Flags:(none)
MessageID:00000000
Length:1140
PayloadSecurityAssociation
NextPayload:VendorID
Reserved:00
PayloadLength:788
DOI:IPsec
Situation:(SIT_IDENTITY_ONLY)
PayloadProposal
NextPayload:None
Reserved:00
PayloadLength:776
Proposal#:1
ProtocolId:PROTO_ISAKMP
SPISize:0
#oftransforms:20
PayloadTransform
NextPayload:Transform
Reserved:00
PayloadLength:40
Transform#:1
TransformId:KEY_IKE
Reserved2:0000
EncryptionAlgorithm:AESCBC
KeyLength:128
HashAlgorithm:SHA1
GroupDescription:Group2
AuthenticationMethod:XAUTH_INIT_PRESHRD
LifeType:seconds
LifeDuration(Hex):0020c49b
ThisandthenextPayloadTransformsareISAKMPpolicieshardcodedintotheEasyVPN
clientsoftware.
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:2
TransformId:KEY_IKE
Reserved2:0000
KeyLength:128
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:3
TransformId:KEY_IKE
Reserved2:0000
KeyLength:192
CCIESecurity
Page121 of 322
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:4
TransformId:KEY_IKE
Reserved2:0000
KeyLength:192
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:5
TransformId:KEY_IKE
Reserved2:0000
KeyLength:256
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:6
TransformId:KEY_IKE
Reserved2:0000
KeyLength:256
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:7
TransformId:KEY_IKE
Reserved2:0000
KeyLength:128
HashAlgorithm:SHA1
AuthenticationMethod:Presharedkey
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:8
TransformId:KEY_IKE
Reserved2:0000
KeyLength:128
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
CCIESecurity
Page122 of 322
Reserved:00
PayloadLength:40
Transform#:9
TransformId:KEY_IKE
Reserved2:0000
KeyLength:192
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:10
TransformId:KEY_IKE
Reserved2:0000
KeyLength:192
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:11
TransformId:KEY_IKE
Reserved2:0000
KeyLength:256
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:40
Transform#:12
TransformId:KEY_IKE
Reserved2:0000
KeyLength:256
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:36
Transform#:13
TransformId:KEY_IKE
Reserved2:0000
EncryptionAlgorithm:3DESCBC
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:36
Transform#:14
TransformId:KEY_IKE
Reserved2:0000
HashAlgorithm:MD5
CCIESecurity
Page123 of 322
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:36
Transform#:15
TransformId:KEY_IKE
Reserved2:0000
EncryptionAlgorithm:DESCBC
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:36
Transform#:16
TransformId:KEY_IKE
Reserved2:0000
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:36
Transform#:17
TransformId:KEY_IKE
Reserved2:0000
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:36
Transform#:18
TransformId:KEY_IKE
Reserved2:0000
HashAlgorithm:MD5
LifeType:seconds
PayloadTransform
Reserved:00
PayloadLength:36
Transform#:19
TransformId:KEY_IKE
Reserved2:0000
HashAlgorithm:SHA1
LifeType:seconds
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:20
TransformId:KEY_IKE
Reserved2:0000
HashAlgorithm:MD5
CCIESecurity
Page124 of 322
LifeType:seconds
PayloadVendorID
Reserved:00
PayloadLength:20
Data(InHex):
4a131c81070358455c5728f20e95452f
PayloadVendorID
Reserved:00
PayloadLength:20
Data(InHex):
439b59f8ba676c4c7737ae22eab8f582
PayloadVendorID
Reserved:00
PayloadLength:20
Data(InHex):
7d9419a65310ca6f2c179d9215529d56
PayloadVendorID
NextPayload:KeyExchange
Reserved:00
PayloadLength:20
Data(InHex):
90cb80913ebb696e086381b5ec427b1f
PayloadKeyExchange
NextPayload:Nonce
Reserved:00
PayloadLength:132
Data:
f02590d83f819c9add713ebb565724d0
81c76e358f6603954f576f005b8b4bfe
12554eaf01195b115560fd19d7ae5ac3
597592aa70bd135ba8cbd1a760aa3816
7465d69c15ba4cb309119348f4d5da43
edbab838c0ab1e675cc233470a9a4490
d28da90af8a98d63919de909164c0d85
7e92042efd43e43e6d8c0a1beb572af9
PayloadNonce
NextPayload:Identification
Reserved:00
PayloadLength:24
Data:
c6a14166132be4aa7f28a4694276bbd2
f60ff827
ThenouncesusedforkeygenerationarevisibleatthispartofIKEpacket.
PayloadIdentification
Reserved:00
PayloadLength:16
IDType:ID_KEY_ID(11)
ProtocolID(UDP/TCP,etc...):17
Port:0
IDData:BRANCHES
PayloadVendorID
Reserved:00
PayloadLength:20
Data(InHex):
afcad71368a1f1c96b8696fc77570100
PayloadVendorID
Reserved:00
PayloadLength:12
Data(InHex):09002689dfd6b712
PayloadVendorID
Reserved:00
PayloadLength:20
Data(InHex):
8dfc3cf74d000b3f5727fa9aa4837602
PayloadVendorID
CCIESecurity
Page125 of 322
NextPayload:None
Reserved:00
PayloadLength:20
Data(InHex):
12f5f28c457168a9702d9fe274cc0100
Thelastpartofthepacketareasfollows:Identificationdata(theEasyVPNgroupis
visible)andvendorspecificIDswhichdefineIPSecfeaturessupportedbythedevice.
SecondpacketisaresponsefromtheEasyVPNServer.Itcontainagreedtransform(only
onethatserveragreedto)anddatarequiredforKeyExchange.
2:06:37:20.47184270192.168.1.10.500>10.1.105.5.500:udp440
ISAKMPHeader
ResponderCOOKIE:dc15828efdf27fb7
Version:1.0
Flags:(none)
MessageID:00000000
Length:440
NextPayload:KeyExchange
Reserved:00
PayloadLength:56
DOI:IPsec
PayloadProposal
NextPayload:None
Reserved:00
PayloadLength:44
Proposal#:1
ProtocolId:PROTO_ISAKMP
SPISize:0
#oftransforms:1
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:17
TransformId:KEY_IKE
Reserved2:0000
HashAlgorithm:SHA1
LifeType:seconds
ChosenISAKMPpolicyhasbeensentasareplyofEasyVPNserver
PayloadKeyExchange
NextPayload:Nonce
Reserved:00
PayloadLength:132
Data:
1f6576e3817a551ed89d5b5e888dd8d9
ae69ba3a610b294f5432abfe02a91695
057aec7ec37edd50bf2b868b335f5fbf
65ef8e495c8f3848cdfa9af1ab18c74b
0cb5e866f45e9bddbbe5ee28c02a8bf3
ea006871880065d60e0f8d8530238776
acd9ca216e738ee72ed6c82dd4f76988
348d11e90e1b675bf0206a66e0fa3941
PayloadNonce
Reserved:00
PayloadLength:24
Data:
dbf319e4cbd0f82747450911feeedc12
6e8f0468
Furthersessionkeymaterialnegotiations.
NextPayload:Hash
CCIESecurity
Page126 of 322
Reserved:00
PayloadLength:12
IDType:IPv4Address(1)
Port:0
IDData:192.168.1.10
IdentityoftheEasyVPNserver.
PayloadHash
Reserved:00
PayloadLength:24
Data:
72a456ac28ff93c8f3ded17d6cfdc6a7
2e0a86fc
PayloadVendorID
Reserved:00
PayloadLength:20
Data(InHex):
12f5f28c457168a9702d9fe274cc0100
PayloadVendorID
Reserved:00
PayloadLength:12
Data(InHex):09002689dfd6b712
PayloadVendorID
Reserved:00
PayloadLength:20
Data(InHex):
afcad71368a1f1c96b8696fc77570100
PayloadVendorID
NextPayload:NATD
Reserved:00
PayloadLength:20
Data(InHex):
90cb80913ebb696e086381b5ec427b1f
PayloadNATD
NextPayload:NATD
Reserved:00
PayloadLength:24
Data:
01986ace63c91f1b2a7b6ebc2d843890
3e656c49
PayloadNATD
Reserved:00
PayloadLength:24
Data:
eb802d652fe045a8b47e2e7a33b60cc2
c001ad51
NATDiscoveryhashes(NATDpayload)thatenablethepeertodiscovertheNATenabled
acrossthenetwork.
PayloadVendorID
Reserved:00
PayloadLength:24
Data(InHex):
4048b7d56ebce88525e7de7f00d6c2d3
c0000000
PayloadVendorID
NextPayload:None
Reserved:00
PayloadLength:20
Data(InHex):
1f07f70eaa6514d3b0fa96542a500100
3:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp132
ISAKMPHeader
NextPayload:Hash
Version:1.0
CCIESecurity
Page127 of 322
Flags:(Encryption)
MessageID:00000000
Length:132
4:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp132
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(none)
MessageID:00000000
Length:132
PayloadHash
NextPayload:NATD
Reserved:00
PayloadLength:24
Data:
a4666129f9a526661900a4a19c7fa09d
b13b5960
PayloadNATD
NextPayload:NATD
Reserved:00
PayloadLength:24
Data:
eb802d652fe045a8b47e2e7a33b60cc2
c001ad51
PayloadNATD
NextPayload:Notification
Reserved:00
PayloadLength:24
Data:
01986ace63c91f1b2a7b6ebc2d843890
3e656c49
PayloadNotification
NextPayload:None
Reserved:00
PayloadLength:28
DOI:IPsec
ProtocolID:PROTO_ISAKMP
SpiSize:16
NotifyType:STATUS_INITIAL_CONTACT
SPI:
783b9bea4d010b3fdc15828efdf27fb7
Extradata:00000000
5:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp388
ISAKMPHeader
NextPayload:Hash
Version:1.0
ExchangeType:Transaction
Flags:(Encryption)
MessageID:021567B1
Length:388
ThirdpacketisthelastoneforAggressiveMode,butinthiscasethereisanEasyVPN
featurewhichrequiresModeConfigfortheclient.Notethatconfigrequestissent
(required)fromtheclientside.
6:06:37:20.4718432010.1.105.5.500>192.168.1.10.500:udp388
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(none)
MessageID:021567B1
Length:388
PayloadHash
NextPayload:Attributes
Reserved:00
PayloadLength:24
CCIESecurity
Page128 of 322
Data:
5d28f7adfd6dac4adc4794b57698ec3e
07c8b820
PayloadAttributes
NextPayload:None
Reserved:00
PayloadLength:328
type:ISAKMP_CFG_REQUEST
Reserved:00
Identifier:0000
Unknown:(empty)
Unknown:(empty)
IPv4DNS:(empty)
IPv4DNS:(empty)
IPv4NBNS(WINS):(empty)
IPv4NBNS(WINS):(empty)
Ciscoextension:SplitInclude:(empty)
Ciscoextension:SplitDNSName:(empty)
Ciscoextension:DefaultDomainName:(empty)
Ciscoextension:SavePWD:(empty)
Ciscoextension:IncludeLocalLAN:(empty)
Ciscoextension:DoPFS:(empty)
Ciscoextension:BackupServers:(empty)
ApplicationVersion:
436973636f20494f5320536f66747761
72652c203238303020536f6674776172
65202843323830304e4d2d414456454e
54455250524953454b392d4d292c2056
657273696f6e2031322e342832342954
322c2052454c4541534520534f465457
4152452028666332290a546563686e69
63616c20537570706f72743a20687474
703a2f2f7777772e636973636f2e636f
6d2f74656368737570706f72740a436f
70797269676874202863292031393836
2d3230303920627920436973636f2053
797374656d732c20496e632e0a436f6d
70696c6564204d6f6e2031392d4f6374
2d30392031373a33382062792070726f
645f72656c5f7465616d
Ciscoextension:Banner:(empty)
Unknown:(empty)
Ciscoextension:DynamicDNSHostname:5235
Extradata:0000000000000000
ServeragreedsthatitsupportsClientModeConfigandsendsoutallModeConfig
informationithas.
7:06:37:20.47184320192.168.1.10.500>10.1.105.5.500:udp172
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(none)
MessageID:021567B1
Length:172
PayloadHash
NextPayload:Attributes
Reserved:00
PayloadLength:24
Data:
73246032dc32330c8fa3571a9865a6b0
ae5fb0ad
PayloadAttributes
NextPayload:None
Reserved:00
PayloadLength:120
type:ISAKMP_CFG_REPLY
Reserved:00
Identifier:0000
Ciscoextension:SavePWD:No
Ciscoextension:SplitInclude:1.1.1.0/255.255.255.0/0/0/0
Ciscoextension:DoPFS:No
ApplicationVersion:
436973636f2053797374656d732c2049
CCIESecurity
Page129 of 322
6e632041534135353130205665727369
6f6e20382e32283129206275696c7420
6279206275696c64657273206f6e2054
75652030352d4d61792d30392032323a
3435
8:06:37:20.47184320192.168.1.10.500>10.1.105.5.500:udp172
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(Encryption)
MessageID:021567B1
Length:172
9:06:37:20.4718435010.1.105.5.500>192.168.1.10.500:udp1284
ISAKMPHeader
NextPayload:Hash
Version:1.0
ExchangeType:QuickMode
Flags:(Encryption)
MessageID:1D0E05C1
Length:1284
10:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp92
ISAKMPHeader
NextPayload:Hash
Version:1.0
ExchangeType:Informational
Flags:(none)
MessageID:8BA99D99
Length:92
PayloadHash
Reserved:00
PayloadLength:24
Data:
1bf217e74111d21f916ac190073e8065
6108643c
PayloadNotification
NextPayload:None
Reserved:00
PayloadLength:40
DOI:IPsec
SpiSize:16
NotifyType:STATUS_RESP_LIFETIME
SPI:
783b9bea4d010b3fdc15828efdf27fb7
Data:800b0001000c000400015180
11:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp92
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(Encryption)
MessageID:8BA99D99
Length:92
HereIKEPhase2(QuickMode)starts.ClientsendsouthisSAproposalsandProxyIDs.
12:06:37:20.4718435010.1.105.5.500>192.168.1.10.500:udp1284
ISAKMPHeader
NextPayload:Hash
Version:1.0
CCIESecurity
Page130 of 322
Flags:(none)
MessageID:1D0E05C1
Length:1284
PayloadHash
Reserved:00
PayloadLength:24
Data:
d95ee89175def9af3124e1125fde518c
dd6fd288
NextPayload:Nonce
Reserved:00
PayloadLength:1172
DOI:IPsec
PayloadProposal
NextPayload:Proposal
Reserved:00
PayloadLength:56
Proposal#:1
ProtocolId:PROTO_IPSEC_ESP
SPISize:4
#oftransforms:1
SPI:567c92a4
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
EncapsulationMode:Tunnel
LifeType:Seconds
LifeType:Kilobytes
LifeDuration(Hex):00465000
AuthenticationAlgorithm:SHA1
KeyLength:128
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:2
SPISize:4
#oftransforms:1
SPI:3173c5d0
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
AuthenticationAlgorithm:MD5
KeyLength:128
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:3
SPISize:4
#oftransforms:1
SPI:ce71a85c
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
CCIESecurity
Page131 of 322
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
KeyLength:128
PayloadProposal
Reserved:00
PayloadLength:48
Proposal#:3
ProtocolId:PROTO_IPSEC_IPCOMP
SPISize:4
#oftransforms:1
SPI:00004bff
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:1
TransformId:IPCOMP_LZS
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:4
SPISize:4
#oftransforms:1
SPI:bddcb8ab
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
KeyLength:128
PayloadProposal
Reserved:00
PayloadLength:48
Proposal#:4
SPISize:4
#oftransforms:1
SPI:0000fe00
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:56
CCIESecurity
Page132 of 322
Proposal#:5
SPISize:4
#oftransforms:1
SPI:3506a3cb
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
KeyLength:192
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:6
SPISize:4
#oftransforms:1
SPI:902c9979
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
KeyLength:192
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:7
SPISize:4
#oftransforms:1
SPI:de8291dd
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
KeyLength:256
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:8
SPISize:4
#oftransforms:1
SPI:03ded80a
PayloadTransform
NextPayload:None
Reserved:00
CCIESecurity
Page133 of 322
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
KeyLength:256
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:9
SPISize:4
#oftransforms:1
SPI:40545e23
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
KeyLength:256
PayloadProposal
Reserved:00
PayloadLength:48
Proposal#:9
SPISize:4
#oftransforms:1
SPI:000081e8
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:56
Proposal#:10
SPISize:4
#oftransforms:1
SPI:3f5557df
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:44
Transform#:1
TransformId:ESP_AES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
CCIESecurity
Page134 of 322
KeyLength:256
PayloadProposal
Reserved:00
PayloadLength:48
Proposal#:10
SPISize:4
#oftransforms:1
SPI:0000d881
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:52
Proposal#:11
SPISize:4
#oftransforms:1
SPI:e849670b
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:40
Transform#:1
TransformId:ESP_3DES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:52
Proposal#:12
SPISize:4
#oftransforms:1
SPI:ac857d5f
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:40
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:52
Proposal#:13
SPISize:4
#oftransforms:1
SPI:06325441
PayloadTransform
NextPayload:None
CCIESecurity
Page135 of 322
Reserved:00
PayloadLength:40
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:48
Proposal#:13
SPISize:4
#oftransforms:1
SPI:000074a5
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:52
Proposal#:14
SPISize:4
#oftransforms:1
SPI:e35b48e2
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:40
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
Reserved:00
PayloadLength:48
Proposal#:14
SPISize:4
#oftransforms:1
SPI:00005ac2
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:36
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
CCIESecurity
Page136 of 322
Reserved:00
PayloadLength:52
Proposal#:15
SPISize:4
#oftransforms:1
SPI:657536ff
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:40
Transform#:1
TransformId:ESP_DES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadProposal
NextPayload:None
Reserved:00
PayloadLength:52
Proposal#:16
SPISize:4
#oftransforms:1
SPI:c036b56f
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:40
Transform#:1
TransformId:ESP_DES
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadNonce
Reserved:00
PayloadLength:24
Data:
c99c0790289cf0c6105401f20efaba4e
37740e99
Reserved:00
PayloadLength:16
IDType:IPv4Subnet(4)
Port:0
IDData:5.5.5.0/255.255.255.0
NextPayload:None
Reserved:00
PayloadLength:16
Port:0
IDData:1.1.1.0/255.255.255.0
Extradata:00000000
TheEasyVPNServerresponseswithchosenSAproposalanditsProxyIDs.
13:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp196
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(none)
CCIESecurity
Page137 of 322
MessageID:1D0E05C1
Length:196
PayloadHash
Reserved:00
PayloadLength:24
Data:
d9ac1c492b2c55ccdea052705efce753
6031f388
NextPayload:Nonce
Reserved:00
PayloadLength:64
DOI:IPsec
PayloadProposal
NextPayload:None
Reserved:00
PayloadLength:52
Proposal#:1
SPISize:4
#oftransforms:1
SPI:59084715
PayloadTransform
NextPayload:None
Reserved:00
PayloadLength:40
Transform#:1
Reserved2:0000
LifeType:Seconds
LifeType:Kilobytes
PayloadNonce
Reserved:00
PayloadLength:24
Data:
38d50b1f1ec41593d2ea3c96ec67ef28
557f976f
Reserved:00
PayloadLength:16
Port:0
IDData:5.5.5.0/255.255.255.0
Reserved:00
PayloadLength:16
Port:0
IDData:1.1.1.0/255.255.255.0
PayloadNotification
NextPayload:None
Reserved:00
PayloadLength:24
DOI:IPsec
ProtocolID:PROTO_IPSEC_ESP
SpiSize:4
NotifyType:STATUS_RESP_LIFETIME
SPI:59084715
Data:8001000180027080
14:06:37:20.47184350192.168.1.10.500>10.1.105.5.500:udp196
ISAKMPHeader
NextPayload:Hash
Version:1.0
CCIESecurity
Page138 of 322
Flags:(Encryption)
MessageID:1D0E05C1
Length:196
15:06:37:20.4718436010.1.105.5.500>192.168.1.10.500:udp60
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(Encryption)
MessageID:1D0E05C1
Length:60
16:06:37:20.4718436010.1.105.5.500>192.168.1.10.500:udp60
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(none)
MessageID:1D0E05C1
Length:60
PayloadHash
NextPayload:None
Reserved:00
PayloadLength:24
Data:
827afe77fa454d45681fc9d43f9915d6
b7ba0753
Extradata:0000000000000000
17:06:37:21.4718502010.1.105.5.500>192.168.1.10.500:udp212
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(Encryption)
MessageID:DD36CA24
Length:212
18:06:37:21.4718502010.1.105.5.500>192.168.1.10.500:udp212
ISAKMPHeader
NextPayload:Hash
Version:1.0
Flags:(none)
MessageID:DD36CA24
Length:212
PayloadHash
Reserved:00
PayloadLength:24
Data:
0d61fc2a9301d7a011ddceb567696e91
60cd23bb
PayloadNotification
NextPayload:None
Reserved:00
PayloadLength:153
DOI:IPsec
SpiSize:0
NotifyType:Unknown
Data:
000000007534000352352e7532000a43
6973636f20323831317535000b46484b
30383439463142417530000932353735
34303039367531000931333031353835
39327536000932323835383935363875
CCIESecurity
Page139 of 322
39000836333033333335367533002e66
6c6173683a63323830306e6d2d616476
656e74657270726973656b392d6d7a2e
3132342d32342e54322e62696e
Extradata:00000000000000
18packetsshown
CCIESecurity
Page140 of 322
EasyVPNwithISAKMPProfiles
(IOSIOS)
LabSetup:
interface
CCIESecurity
Page141 of 322
IPAddressing:
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
ConfigureIPSecVPNtunnelbetweenR5andR4withthefollowingparameters:
Tunnel
SRC
DST
ISAKMPPolicy
IPSecPolicy
R5R4
5.5.5.5 4.4.4.4
Encryption:3DES
ESP/3DES
Group:2
Authentication:
Hash:SHA
ESP/SHA
UseEasyVPNtoconfigurethetunnelinnetworkextensionmode.R5shouldactas
EasyVPNRemoteand R4shouldbeanEasyVPNServer.UsegroupnameofR5
with the password of cisco123. You should use ISAKMP profile when configuring
EasyVPNServeronR4.
OnR4
R4(config)#usernamestudent5passwordstudent5
R4(config)#aaanewmodel
R4(config)#aaaauthorizationnetworkGROUPAUTHlocal
R4(config)#cryptoisakmpclientconfigurationgroupR5
R4(configisakmpgroup)#keycisco123
R4(configisakmpgroup)#exit
R4(config)#cryptoisakmpprofileVPNCLIENTS
%Aprofileisdeemedincompleteuntilithasmatchidentitystatements
R4(confisaprof)#matchidentitygroupR5
R4(confisaprof)#isakmpauthorizationlistGROUPAUTH
ISAKMPprofileallowstospecifyanISAKMPparameterswhendefinedidentitycriteria
arematched(e.g.groupname,ipaddress,hostname,hostdomain,usernameanduser
domain).Inthiscase,foranyconnectionwherethenameofthegroup(R5)isusedas
theidentitythenconfiguration(authorization)forthisconnectionwillbeprocessed
locallyfromroutersdatabase.
R4(confisaprof)#cryptoipsectransformsetTSETesp3desespshahmac
CCIESecurity
Page142 of 322
R4(cfgcryptotrans)#cryptodynamicmapDYNCMAP10
R4(configcryptomap)#setisakmpprofileVPNCLIENTS
R4(config)#cryptomapENCRYPT10ipsecisakmpdynamicDYNCMAP
R4(config)#intf0/0
R4(configif)#
OnR5
R5(config)#cryptoipsecclientezvpnEZ
R5(configcryptoezvpn)#groupR5keycisco123
R5(configcryptoezvpn)#intf0/0
R5(configif)#cryptoipsecclientezvpnEZoutside
R5(configif)#intlo0
R5(configif)#cryptoipsecclientezvpnEZinside
R5(configif)#
%CRYPTO6EZVPN_CONNECTION_UP:(Client)User=Group=R5Client_public_addr=10.1.105.5
OnASA2
SinceIPSectunnelneedstobeestablishedbetweentwopeerswhoareondifferent
interfacesofASAbutwiththesamesecuritylevelof100.Thismustbeexplicitly
allowedonASA.
Verification
R5#ping4.4.4.4solo0
!!!!!
Tunnelname:EZ
rencRSAencryption
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
CCIESecurity
Page143 of 322
R5#shcryptoipsecsa
protectedvrf:(none)
currentoutboundspi:0xD4F8B509(3573069065)
inboundespsas:
spi:0xD5881B72(3582466930)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD4F8B509(3573069065)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#ping5.5.5.5solo0
!!!!!
rencRSAencryption
IPv4CryptoISAKMPSA
CidLocalRemote
IVRFStatusEncrHashAuthDHLifetimeCap.
IPv6CryptoISAKMPSA
CCIESecurity
Page144 of 322
R4#shcryptoipsecsa
protectedvrf:(none)
PERMIT,flags={}
currentoutboundspi:0xD5881B72(3582466930)
inboundespsas:
spi:0xD4F8B509(3573069065)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD5881B72(3582466930)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#debcryisak
R4#
ISAKMP:Newpeercreatedpeer=0x4A0B08ACpeer_handle=0x80000002
ISAKMP:Lockingpeerstruct0x4A0B08AC,refcount1forcrypto_isakmp_process_block
ISAKMP:(0):insertsasuccessfullysa=499D5A4C
ISAKMP(0):IDpayload
nextpayload:13
type:11
groupid:R5
protocol:17
port
:0
length:10
Thegroupnamehasbeensentbytheclientastheidentity.
ISAKMP:(0)::peermatchesVPNCLIENTSprofile
CCIESecurity
Page145 of 322
TheISAKMPprofilecriteriahasmatched.
ISAKMP:(0):Settingclientconfigsettings499D4FAC
ISAKMP/xauth:initializingAAArequest
ISAKMP:(0):vendorIDseemsUnity/D
R4#PDbutmajor245mismatch
ISAKMP:LookingforxauthinprofileVPNCLIENTS
ISAKMP:encryptionAESCBC
ISAKMP:keylengthof128
ISAKMP:hashSHA
ISAKMP:authXAUTHInitPreShared
ISAKMP:lifeduration(VPI)of0x00x200xC40x9B
ISAKMP:(0):Encryptionalgorithmoffereddoesnotmatchpolicy!
ISAKMP:(0):attsarenotacceptable.Nextpayloadis3
ISAKMP:hashMD5
ISAKMP:hashSHA
ISAKMP:hashMD5
ISAKMP:
defaultgroup2
ISAKMP:hashSHA
ISAKMP:hashMD5
CCIESecurity
Page146 of 322
ISAKMP:hashSHA
ISAKMP:authpreshare
ISAKMP:hashMD5
ISAKMP:authpreshare
ISAKMP:hashSHA
ISAKMP:authpreshare
ISAKMP:hashMD5
ISAKMP:authpreshare
ISAKMP:hashSHA
ISAKMP:authpreshare
ISAKMP:hashMD5
ISAKMP:authpreshare
ISAKMP:hashSHA
ISAKMP:(0):Xauthauthenticationbypresharedkeyofferedbutdoesnotmatchpolicy!
ISAKMP:hashMD5
CCIESecurity
Page147 of 322
ISAKMP:(0):Hashalgorithmoffereddoesnotmatchpolicy!
ISAKMP:encryptionDESCBC
ISAKMP:hashSHA
ISAKMP:
encryptionDESCBC
ISAKMP:hashMD5
ISAKMP:hashSHA
ISAKMP:authpreshare
ISAKMP:(0):claimedIOSbutfailedauthentication
ISAKMP:(0):OldState=IKE_READYNewState=IKE_R_AM_AAA_AWAIT
nextpayload:10
type:1
address:10.1.104.4
protocol:0
port:0
length:12
ISAKMP:(1001):sendingpacketto10.1.105.5my_port500peer_port500(R)AG_INIT_EXCH
ISAKMP:(1001):Input=IKE_MESG_FROM_AAA,PRESHARED_KEY_REPLY
ISAKMP:(1001):OldState=IKE_R_AM_AAA_AWAITNewState=IKE_R_AM2
ISAKMP(1001):receivedpacketfrom10.1.105.5dport500sport500Global(R)AG_INIT_EXCH
CCIESecurity
Page148 of 322
spi0,messageID=0,sa=499D5A4C
authenticated
authenticated
ISAKMP:(1001):returningIPaddrtotheaddresspool
4A0B08AC.
ISAKMP:(1001):SendingNOTIFYRESPONDER_LIFETIMEprotocol1
spi1234317488,messageID=1434551794
ISAKMP:(1001):purgingnode1434551794
ISAKMP:Sendingphase1responderlifetime86400
ISAKMP:(1001):OldState=IKE_R_AM2NewState=IKE_P1_COMPLETE
ISAKMP:(1001):processingtransactionpayloadfrom10.1.105.5.messageID=793798316
ISAKMP:ConfigpayloadREQUEST
ISAKMP:(1001):checkingrequest:
ISAKMP:MODECFG_CONFIG_URL
ISAKMP:MODECFG_CONFIG_VERSION
ISAKMP:IP4_DNS
ISAKMP:IP4_DNS
ISAKMP:IP4_NBNS
ISAKMP:IP4_NBNS
ISAKMP:SPLIT_INCLUDE
ISAKMP:SPLIT_DNS
ISAKMP:DEFAULT_DOMAIN
ISAKMP:MODECFG_SAVEPWD
ISAKMP:INCLUDE_LOCAL_LAN
ISAKMP:PFS
ISAKMP:BACKUP_SERVER
ISAKMP:APPLICATION_VERSION
ISAKMP:MODECFG_BANNER
ISAKMP:MODECFG_IPSEC_INT_CONF
ISAKMP:MODECFG_HOSTNAME
Theclienthasrequestedseveralparameters.
ISAKMP/author:AuthorrequestforgroupR5successfullysenttoAAA
TheclientrequesthasbeendirectedtotheroutersAAAprocessinaccordancewith
AAAauthorizationlistconfiguredintheISAKMPprofile.
ISAKMP:(1001):Input=IKE_MESG_FROM_PEER,IKE_CFG_REQUEST
ISAKMP:(1001):OldState=IKE_P1_COMPLETE NewState=IKE_CONFIG_AUTHOR_AAA_AWAIT
ISAKMP:(1001):Receiveconfigattributesrequestedbutconfigattributesnotincryptomap.
Sendingemptyreply.
ISAKMP:(1001):attributessentinmessage:
ISAKMP:SendingAPPLICATION_VERSIONstring:CiscoIOSSoftware,2800Software(C2800NM
ADVENTERPRISEK9M),Version12.4(24)T2,RELEASESOFTWARE(fc2)
TechnicalSupport:http://www.cisco.com/techsupport
Copyright(c)19862009byCiscoSystems,Inc.
CompiledMon19Oct0917:38byprod_rel_team
ISAKMP:SendingIPsecInterfaceConfigreplyvalue0
ISAKMP(1001):UnknownAttr:MODECFG_HOSTNAME(0x700A)
ISAKMP:(1001):respondingtopeerconfigfrom10.1.105.5.ID=793798316
ISAKMP:Markingnode793798316forlatedeletion
ISAKMP:(1001):sendingpacketto10.1.105.5my_port500peer_port500(R)CONF_ADDR
ISAKMP:(1001):TalkingtoaUnityClient
CCIESecurity
Page149 of 322
ISAKMP:(1001):Input=IKE_MESG_FROM_AAA,IKE_AAA_GROUP_ATTR
ISAKMP:(1001):OldState=IKE_CONFIG_AUTHOR_AAA_AWAITNewState=IKE_P1_COMPLETE
ISAKMP:FSMerrorMessagefromAAAgrp/user.
ISAKMP:transform1,ESP_AES
ISAKMP:SAlifeduration(VPI)of0x00x200xC40x9B
ISAKMP:authenticatorisHMACSHA
ISAKMP:keylengthis128
ISAKMP:(1001):IPSecpolicyinvalidatedproposalwitherror256
ISAKMP:(1001):transform1,IPPCPLZS
ISAKMP:
SAlifeduration(VPI)of0x00x460x500x0
CCIESecurity
Page150 of 322
ISAKMP:
SAlifeduration(VPI)of0x00x460x500x0
CCIESecurity
Page151 of 322
NegotiatingofIPSectranformsets(hardcodedintheclientsoftware).
(proxy5.5.5.0to0.0.0.0)
hasspi0xD4F8B509andconn_id0
(proxy0.0.0.0to5.5.5.0)
hasspi0xD5881B72andconn_id0
R4#unall
CCIESecurity
Page152 of 322
Lab2.13. GREoverIPSec
LabSetup:
interface
IPAddressing:
CCIESecurity
Page153 of 322
Device
R1
R2
R4
R5
ASA1
ASA2
Lo0
F0/0
G0/0
G0/1
Lo0
F0/0
Lo0
F0/0
IPaddress
1.1.1.1/24
10.1.101.1/24
192.168.1.2/24
192.168.2.2/24
4.4.4.4/24
10.1.104.4/24
5.5.5.5/24
10.1.105.5/24
192.168.1.10/24
10.1.101.10/24
192.168.2.10/24
10.1.105.10/24
10.1.104.10/24
Task1
Configure GREtunnel between R5 and R4.The tunnel should pass EIGRP AS 34
multicast packets exchanging information about Loopback0 networks. Use
192.168.34.x/24 as tunnel IP addresses and ensure that information passing the
tunnelisencrypted.UsethefollowingparametersforIPSecprotocol:
ISAKMPParameters
o Authentication:Preshared
o Group:1
o Encryption:DES
o Hash:SHA
o Key:ccie123
IPSecParameters
o Encryption:ESPDES
o Authentication:ESPSHAHMAC
MakeappropriatechangesonASA2firewalltoallowconnections.
OnR5
R5(config)#interfaceTunnel0
R5(configif)#ipaddress192.168.34.5255.255.255.0
R5(configif)#tunnelsourcef0/0
R5(configif)#tunneldestination10.1.104.4
DefinitionofGREtunnelinterface(tunnelmodegreipisthedefault).
R5(configif)#cryptoisakmppolicy10
R5(config)#cryptoisakmpkeycisco123address10.1.104.4
R5(config)#accesslist120permitgrehost10.1.105.5host10.1.104.4
OnlytheGREtrafficbetweenR5andR4willbeencrypted.
R5(config)#cryptomapGREIPSEC10ipsecisakmp
CCIESecurity
Page154 of 322
R5(config)#intf0/0
R5(configif)#cryptomapGREIPSEC
R5(configif)#
R5(configif)#routereigrp34
R5(configrouter)#noauto
R5(configrouter)#network192.168.34.50.0.0.0
GREallowstransportofmulticasttrafficsothatitenablesusingofdynamicrouting
protocolslikeEIGRPbetweenR5andR4.EncryptingtheGREthattransportmulitcast
packetsisthebestwayofsecuringsuchtraffic.
OnR4
R4(configif)#exit
R4(config)#accesslist120permitgrehost10.1.104.4host10.1.105.5
R4(config)#cryptomapGREIPSEC10ipsecisakmp
R4(configif)#cryptomapGREIPSEC
R4(configif)#
R4(configif)#exit
R4(config)#routereigrp34
OnASA2
ASA2(configpmapc)#exi
ASA2(configpmap)#exi
Verification
%DUAL5NBRCHANGE:IPEIGRP(0)34:Neighbor192.168.34.4(Tunnel0)isup:newadjacency
R5#
TheEIGRPisworkingbetweenR5andR4throuthGREtunnel.
R5#ping4.4.4.4solo0
CCIESecurity
Page155 of 322
!!!!!
R5#shiproute
Codes:Cconnected,Sstatic,RRIP,Mmobile,BBGP
DEIGRP,EXEIGRPexternal,OOSPF,IAOSPFinterarea
N1OSPFNSSAexternaltype1,N2OSPFNSSAexternaltype2
E1OSPFexternaltype1,E2OSPFexternaltype2
iISIS,suISISsummary,L1ISISlevel1,L2ISISlevel2
iaISISinterarea,*candidatedefault,Uperuserstaticroute
oODR,Pperiodicdownloadedstaticroute
Gatewayoflastresortis10.1.105.10tonetwork0.0.0.0
4.0.0.0/24issubnetted,1subnets
D4.4.4.0[90/27008000]via192.168.34.4,00:00:30,Tunnel0
C5.5.5.0isdirectlyconnected,Loopback0
C10.1.105.0isdirectlyconnected,FastEthernet0/0
C192.168.34.0/24isdirectlyconnected,Tunnel0
S*0.0.0.0/0[1/0]via10.1.105.10
RoutinginformationrelatedtoR4snetworkonitsloopbackhasbeenlearntbyEIGRP.
R5#shinttu0
Tunnel0isup,lineprotocolisup
HardwareisTunnel
Internetaddressis192.168.34.5/24
MTU17916bytes,BW100Kbit/sec,DLY50000usec,
reliability255/255,txload1/255,rxload1/255
EncapsulationTUNNEL,loopbacknotset
Keepalivenotset
RememberthatifdetectionoftheIPSecprotectedGREtunnelfailureisneededthen
GREkeepalivesmustNOTbeused.DPD(DeadPeerDetection)IPSecfeatureshouldbe
usedinstead.IfGREkeepalivesonIPSecprotectedGREinterfaceareconfiguredthen
thetunnelwillbeflapping.
Tunnelsource10.1.105.5(FastEthernet0/0),destination10.1.104.4
Tunnelprotocol/transportGRE/IP
Keydisabled,sequencingdisabled
Checksummingofpacketsdisabled
TunnelTTL255
Fasttunnelingenabled
TunneltransportMTU1476bytes
Tunneltransmitbandwidth8000(kbps)
Tunnelreceivebandwidth8000(kbps)
Lastinput00:00:03,output00:00:03,outputhangnever
Lastclearingof"showinterface"countersnever
Inputqueue:0/75/0/0(size/max/drops/flushes)Totaloutputdrops:110
Queueingstrategy:fifo
Outputqueue:0/0(size/max)
5minuteinputrate0bits/sec,0packets/sec
5minuteoutputrate0bits/sec,0packets/sec
21packetsinput,1900bytes,0nobuffer
Received0broadcasts,0runts,0giants,0throttles
0inputerrors,0CRC,0frame,0overrun,0ignored,0abort
21packetsoutput,1900bytes,0underruns
0outputerrors,0collisions,0interfaceresets
0unknownprotocoldrops
0outputbufferfailures,0outputbuffersswappedout
R5#shipprotocol
RoutingProtocolis"eigrp34"
Outgoingupdatefilterlistforallinterfacesisnotset
Incomingupdatefilterlistforallinterfacesisnotset
Defaultnetworksflaggedinoutgoingupdates
Defaultnetworksacceptedfromincomingupdates
EIGRPmetricweightK1=1,K2=0,K3=1,K4=0,K5=0
EIGRPmaximumhopcount100
EIGRPmaximummetricvariance1
Redistributing:eigrp34
EIGRPNSFawarerouteholdtimeris240s
Automaticnetworksummarizationisnotineffect
CCIESecurity
Page156 of 322
Maximumpath:4
RoutingforNetworks:
5.5.5.5/32
192.168.34.5/32
RoutingInformationSources:
GatewayDistanceLastUpdate
192.168.34.49000:00:45
Distance:internal90external170
Informationrelevanttotherouteslearntandthesourceoftheinformationare
presented.
R5#shipeigrpneighbor
IPEIGRPneighborsforprocess34
HAddressInterfaceHoldUptimeSRTTRTOQSeq
(sec)(ms)CntNum
0192.168.34.4Tu0
1200:00:5811143403
R4istheEIGRPneighourofR5ontheTunnel0interface.
rencRSAencryption
IPv4CryptoISAKMPSA
100110.1.105.510.1.104.4
ACTIVEdesshapsk1 23:58:52
IPv6CryptoISAKMPSA
ISAKMPSAhasbeenestablished.
R5#shcryptoipsecsa
Cryptomaptag:GREIPSEC,localaddr10.1.105.5
protectedvrf:(none)
LocalandremoteIPSecproxies.NotethatonlyGRE(IPID47)istransportedthrough
thetunnel.
currentoutboundspi:0xD7DDE0F5(3621642485)
inboundespsas:
spi:0x3007AC1D(805809181)
connid:2001,flow_id:NETGX:1,sibling_flags80000046,cryptomap:GREIPSEC
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
CCIESecurity
Page157 of 322
outboundespsas:
spi:0xD7DDE0F5(3621642485)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#
R4#ping5.5.5.5solo0
!!!!!
R4#shiproute
D5.5.5.0[90/27008000]via192.168.34.5,00:01:34,Tunnel0
S*0.0.0.0/0[1/0]via10.1.104.10
R4#shinttu0
HardwareisTunnel
Internetaddressis192.168.34.4/24
reliability255/255,txload1/255,rxload1/255
EncapsulationTUNNEL,loopbacknotset
Keepalivenotset
Tunnelsource10.1.104.4(FastEthernet0/0),destination10.1.105.5
Tunnelprotocol/transportGRE/IP
Keydisabled,sequencingdisabled
Checksummingofpacketsdisabled
TunnelTTL255
Fasttunnelingenabled
TunneltransportMTU1476bytes
Tunneltransmitbandwidth8000(kbps)
Tunnelreceivebandwidth8000(kbps)
Lastinput00:00:04,output00:00:03,outputhangnever
Lastclearingof"showinterface"countersnever
Inputqueue:0/75/0/0(size/max/drops/flushes)Totaloutputdrops:9
Queueingstrategy:fifo
Outputqueue:0/0(size/max)
5minuteinputrate0bits/sec,0packets/sec
5minuteoutputrate0bits/sec,0packets/sec
41packetsinput,3780bytes,0nobuffer
Received0broadcasts,0runts,0giants,0throttles
0inputerrors,0CRC,0frame,0overrun,0ignored,0abort
41packetsoutput,3780bytes,0underruns
0outputerrors,0collisions,0interfaceresets
0unknownprotocoldrops
0outputbufferfailures,0outputbuffersswappedout
CCIESecurity
Page158 of 322
R4#shipprotocol
RoutingProtocolis"eigrp34"
Outgoingupdatefilterlistforallinterfacesisnotset
Incomingupdatefilterlistforallinterfacesisnotset
Defaultnetworksflaggedinoutgoingupdates
Defaultnetworksacceptedfromincomingupdates
EIGRPmetricweightK1=1,K2=0,K3=1,K4=0,K5=0
EIGRPmaximumhopcount100
EIGRPmaximummetricvariance1
Redistributing:eigrp34
EIGRPNSFawarerouteholdtimeris240s
Automaticnetworksummarizationisnotineffect
Maximumpath:4
RoutingforNetworks:
4.4.4.4/32
192.168.34.4/32
RoutingInformationSources:
GatewayDistanceLastUpdate
192.168.34.59000:01:51
Distance:internal90external170
HAddressInterfaceHoldUptimeSRTT RTOQSeq
(sec)(ms)CntNum
0192.168.34.5Tu0
1300:01:5914143403
rencRSAencryption
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
Cryptomaptag:GREIPSEC,localaddr10.1.104.4
protectedvrf:(none)
currentoutboundspi:0x3007AC1D(805809181)
inboundespsas:
spi:0xD7DDE0F5(3621642485)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
CCIESecurity
Page159 of 322
outboundespsas:
spi:0x3007AC1D(805809181)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
Task2
Configure GREtunnel between R1 and R2.The tunnel should pass EIGRP AS 12
multicast packets exchanging information about R1s Loopback0 and R2s g0/1
networks.Use 192.168.12.x/24 as tunnelIP addressesand ensure that information
passingthetunnelisencryptedusingIPSecProfiles:
ISAKMPParameters
o Group:1
o Encryption:DES
o Hash:SHA
o Key:ccie123
IPSecParameters
o Encryption:ESPDES
MakeappropriatechangesonASA1firewalltoallowconnections.
OnR1
R1(configif)#!
R1(config)#!
R1(config)#!
R1(config)#
%LINEPROTO5UPDOWN:LineprotocolonInterfaceTunnel0,changedstatetoup
R1(config)#cryptoipsecprofileGREVPN
R1(ipsecprofile)#settransformsetTSET
R1(ipsecprofile)#exit
IPSecprofilehasbeenconfigured.Inthenextstepthisprofilewillbetiedtothe
Tunnel0interface.ThecryptoACLthatdefinestheGREtrafficasinterestingisno
longerrequired.GREprofilewilldefineinterestingtrafficautomatically.
R1(config)#inttu0
R1(configif)#tunnelprotectionipsecprofileGREVPN
R1(configif)#
R1(configif)#exi
R1(configrouter)#exi
CCIESecurity
Page160 of 322
OnR2
R2(configif)#tunnelsourceg0/0
R2(configif)#!
R2(config)#!
R2(config)#!
R2(config)#!
R2(config)#cryptoipsecprofileGREVPN
R2(ipsecprofile)#exit
R2(config)#!
R2(config)#inttu0
R2(configif)#tunnelprotectionipsecprofileGREVPN
R2(configif)#exit
R2(config)#!
R2(config)#
%LINEPROTO5UPDOWN:LineprotocolonInterfaceTunnel0,changedstatetodown
R2(configrouter)#exit
R2(config)#iproute10.1.101.1255.255.255.255192.168.1.10
OnASA1
ASA1(configpmapc)#exi
ASA1(configpmap)#exi
ASA1(config)#accesslistOUTSIDE_INpermitudphost192.168.1.2eq500host10.1.101.1eq500
ASA1(config)#accesslistOUTSIDE_INpermitesphost192.168.1.2host10.1.101.1
ASA1(config)#accessgroupOUTSIDE_INininterfaceOutside
Verification
R1#
R1#shcryisaksadet
rencRSAencryption
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
R1#ping192.168.2.2
!!!!!
CCIESecurity
Page161 of 322
R1#shcryipssa
interface:Tunnel0
Cryptomaptag:Tunnel0head0,localaddr10.1.101.1
protectedvrf:(none)
ThishasbeendonebyIPSecprofile.Localandremoteproxyareavailablewithout
cryptoACL.
currentoutboundspi:0xE0102732(3759154994)
inboundespsas:
spi:0x7FF28A80(2146601600)
R1#shiproute
D192.168.2.0/24[90/26882560]via192.168.12.2,00:01:40,Tunnel0
S*0.0.0.0/0[1/0]via10.1.101.10
(sec)(ms)CntNum
0192.168.12.2Tu0
1400:01:5111143403
R2#
R2#shcryptoisaksadet
rencRSAencryption
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
R2#shcryptoipsecsa
CCIESecurity
Page162 of 322
interface:Tunnel0
protectedvrf:(none)
pathmtu1500,ipmtu1500,ipmtuidbGigabitEthernet0/0
currentoutboundspi:0x7FF28A80(2146601600)
inboundespsas:
spi:0xE0102732(3759154994)
connid:2001,flow_id:OnboardVPN:1,sibling_flags80000046,cryptomap:Tunnel0
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x7FF28A80(2146601600)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R2#shiproute
Gatewayoflastresortisnotset
D1.1.1.0[90/27008000]via192.168.12.1,00:02:29,Tunnel0
10.0.0.0/8isvariablysubnetted,4subnets,2masks
S10.1.105.0/24[1/0]via192.168.2.10
S10.1.104.0/24[1/0]via192.168.2.10
S10.1.101.0/24[1/0]via192.168.1.10
S10.1.101.1/32[1/0]via192.168.1.10
C192.168.1.0/24isdirectlyconnected,GigabitEthernet0/0
ASA1(config)#shaccesslist
accesslistcachedACLlogflows:total0,denied0(denyflowmax4096)
alertinterval300
accesslistOUTSIDE_IN2elementsnamehash:0xe01d8199
CCIESecurity
Page163 of 322
accesslistOUTSIDE_INline1extendedpermitudphost192.168.1.2eqisakmphost10.1.101.1
eqisakmp(hitcnt=0)0xd890bccc Thisis0becausethetunnelwasinitiatedfromR1
accesslistOUTSIDE_INline2extendedpermitesphost192.168.1.2host10.1.101.1(hitcnt=1)
0x8ff474ec
CCIESecurity
Page164 of 322
Lab2.14. DMVPNPhase1
LabSetup:
R2sS0/1/0andR5sS0/1/0interfaceshouldbeconfiguredinaframerelay
pointtopointmanner
pointtopointmanner
ConfiguredefaultroutingonR1,R4andR5pointingtotheR2
IPAddressing:
Device
R1
R2
R4
R5
CCIESecurity
Interface
Lo0
F0/0
F0/0
S0/1/0.25
S0/1/0.24
Lo0
S0/0/0.42
Lo0
S0/1/0.52
IPaddress
192.168.1.1/24
10.1.12.1/24
10.1.12.2/24
10.1.25.2/24
10.1.24.2/24
192.168.4.4/24
10.1.24.4/24
192.168.5.5/24
10.1.25.5/24
Page165 of 322
Task1
ConfigureHubandSpokeGREtunnelsbetweenR1,R4andR5,whereR1
is acting as a Hub. Traffic originated from every Spokes loopback
interfaceshouldbetransmittedsecurelyviatheHubtotheotherspokes.
You must use EIGRP dynamic routing protocol to let other spokes know
about protected networks. Use the following settings when configuring
tunnels:
TunnelParameters
o IPaddress:172.16.145.0/24
o IPMTU:1400
o TunnelAuthenticationKey:12345
NHRPParameters
o NHRPID:12345
o NHRPAuthenticationkey:cisco123
o NHRPHub:R1
RoutingProtocolParameters
o EIGRP145
EncrypttheGREtrafficusingthefollowingparameters:
ISAKMPParameters
o Encryption:3DES
o Hashing:SHA
o DHGroup:2
o PreSharedKey:cisco123
IPSecParameters
o Encryption:ESP3DES
Dynamic Multipoint Virtual Private Network (DMVPN) has been introduced by Cisco in late 2000.
ThistechnologyhasbeendevelopedtoaddressneedsforautomaticallycreatedVPNtunnelswhen
dynamicIPaddressesonthespokesareinuse.
In GRE over IPSec (described in the previous lab) both ends of the connection must have
static/unchangeable IP address. It is possible however, to create many GRE SitetoSite tunnels
from companys branches to the Headquarters. This is pure HubandSpoke topology where all
branchesmaycommunicatewitheachothersecurelythroughtheHub.
InDMVPNmay have dynamicIP addressesonthe spokes,butthere must be staticIPaddresson
the Hub. There is also an additional technology used to let the hub know what dynamic IP
addressesareinusebythespokes.ThisisNHRP(NextHopResolutionProtocol)whichworkslike
ARPbutforlayer3.Allitdoesisbuildingadynamicdatabasestoredonthehubwithaninformation
aboutspokesIPaddresses.NowtheHubknowsIPSecpeersandcanbuildthetunnelswiththem.
The Hubmustbeconnectedtomany spokesatthesametimesotherewasanotherissuetosolve:
how to configure the Hub to not have many Tunnel interfaces (each for SitetoSite tunnel with
spoke).Theansweris:useGREmultipointtypeoftunnel,wherewedonotneedtospecifytheother
endofthetunnelstatically.
Thatbeingsaid,therearethreeDMVPNmutationscalledphases:
Phase1: simple HubandSpoketopologyweredynamicIPaddresseson thespokesmay
Phase2:HubandSpokewithSpoketoSpokedirectcommunicationallowed
beused
CCIESecurity
Page166 of 322
Phase 3: Hub and Spoke with Spoke to Spoke direct communication allowed with better
scalabilityusingNHRPRedirects
Allabovephaseswillbedescribedinmoredetailinthenextfewlabs.
OnR1
FirstweneedISAKMPPolicywithpresharedkeyconfigured.NotethatinDMVPNweneed
toconfiguresocalledwildcardPSKbecausetheremaybemanypeers.Thisiswhymore
commonsulutioninDMVPNistousecertificatesandPKI.
InDMVPNPhase1thereisnoneedforwildcardPSKasthereisonlyHubtoSpoke
tunnel,sothatweknowthepeers.
R1(configisakmp)#cryptoisakmpkeycisco123address0.0.0.00.0.0.0
R1(cfgcryptotrans)#modetransport
ThemodetransportisusedfordecreasingIPSecpacketsize(anouterIPheaderwhich
ispresentintunnelmodeisnotaddedinthetransportmode).
R1(cfgcryptotrans)#cryptoipsecprofileDMVPN
R1(ipsecprofile)#exi
ThereisonlyoneinterfaceTunneloneveryDMVPNrouter.ThisisbecauseweuseGRE
multipointtypeofthetunnel.
R1(configif)#ipmtu1400
MaximumTransmissionUnitisdecreasedtoensurethatDMVPNpacketwouldnotexceedIP
MTUsetonnontunnelIPinterfacesusuallya1500bytes(Whentransportmodeis
usedthenDMVPNpacketconsistsoforiginalIPPacket,GREheader,ESPheaderandouter
IPSecIPheader.IforyginalIPpacketsizeisclosetotheIPMTUsetonrealIP
interfacethenaddingGREandIPSecheadersmayleadtoexceedingthatvalue)
R1(configif)#ipnhrpauthenticationcisco123
R1(configif)#ipnhrpmapmulticastdynamic
R1(configif)#ipnhrpnetworkid12345
TheHubworksasNHS(NextHopServer).TheNHRPconfigurationontheHubisstraight
forward.First,weneedNHRPnetworkIDtoidentifytheinstanceandauthenticatekey
tosecureNHRPregistration.ThereisaneedforNHRPstaticmappingontheHub.The
Hubmustbeabletosenddownallmulticasttrafficsothatdynamicroutingprotocols
candistributeroutesbetweenspokes.Thelineipnhrpmapmulticastdynamicsimply
tellstheNHRPservertoreplicateallmulticasttraffictoalldynamicentriesinthe
NHRPtable(entrieswithflagdynamic).
R1(configif)#noipsplithorizoneigrp145
SinceweuseEIGRPbetweentheHubandtheSpokes,weneedtodisableSplitHorizonfor
thatprotocoltobeabletosendroutesgatheredfromoneSpoketotheotherSpoke.The
SplitHorizonrulesays:informationabouttheroutingisneversentbackinthe
directionfromwhichitwasreceived.Thisisbasicruleforloopprevention.
R1(configif)#tunnelsourceFastEthernet0/0
R1(configif)#tunnelmodegremultipoint
R1(configif)#tunnelkey12345
R1(configif)#tunnelprotectionipsecprofileDMVPN
AregularGREtunnelusuallyneedssourceanddestinationofthetunneltobe
specified.HoweverintheGREmultipointtunneltype,thereisnoneedfora
destination.Thisisbecausetheremaybemanydestinations,asmanySpokesareout
there.TheactualtunneldestinationisderivedformNHRPdatabase.
Thetunnelhasakeyforidentificationpurposes,astheremaybemanytunnelsonone
routerandtheroutermustknowwhattunnelthepacketisdestinedto.
CCIESecurity
Page167 of 322
Finally,wemustencryptthetraffic.ThisisdonebyusingIPSecProfileattachedto
thetunnel.IrecommendtoleavethatcommandasideforawhilewhenconfiguringDMVPN
andaddittotheconfigurationonceweknowthetunnelsworkfine.DMVPNmaywork
withoutanyencryption,sonoworries.
R1(configif)#exi
Tunnel0haschangeditsstatetoUP.ISAKMPprotocolisenabledandoperatesonthe
router.
R1(configrouter)#network192.168.1.0
R1(configrouter)#noautosummary
Finallyweneedaroutingprotocoloverthetunnel.Remember,thisprotocolwillbe
usedtocarrytheinfoaboutnetworksbehindtheSpokes(orHub).Becarefulwhen
configuringitasthereisachancetogetintorecursiveloop.Thismeanswe
shouldntusethesamedynamicroutingprotocolinstanceforprefixesavailableover
thetunnelandtoachieveunderlayingconnectivitybetweenHubandSpokes.
OnR5
R5isourfirstSpoke.Again,weneedISAKMPPolicyconfigurationandPSK.
ThetunnelinterfaceconfigurationisslightlydifferentontheSpokethanontheHub.
ThisisbecausetheSpokeworksasNHRPClienttotheHub(NHS).Mostofbelove
commandshavebeendescribedalready.
R5(configif)#ipnhrpmap172.16.145.110.1.12.1
R5(configif)#ipnhrpholdtime360
R5(configif)#ipnhrpnhs172.16.145.1
NHRPClientconfiguration.WeneedourSpoketoregisterinNHS,sothatweneedto
configurethefollowing:
NHRPauthenticationkeytoauthenticatesuccessfullytotheNHS
NHRPNetworkIDtobeauthenticatedtocorrectNHSinstance
NHRPHoldtimetotelltheNHSforhowlongitshouldtreatthe
registeredspokessIPaddressasvalid
NHSIPaddressofNHRPServernotethisisitsPrivate(tunnel)IP
address.ToresolvethisaddresstothePublic(Phisical)IPaddressof
theNHS,weneedthelastcommandwhichis:
NHRPstaticmappingtoresolveNHSPhysicalIPaddress
ThismappingisveryimportantasitcausestheSpoketoinitiatetheGREtunneltothe
Hub.WithoutthistheSpokehasnocluehowtoregistertotheNHS.
R5(configif)#tunnelsourceSerial0/1/0.52
CCIESecurity
Page168 of 322
Thetunnelconfigurationisalsodifferent.OntheSpokethereisnoreasonforusing
GREmultipointtunnelmode.Thisisbecausethereisonlyonetunnel(SpoketoHub)in
DMVPNPhase1.Hence,weareobligatedtoprovideboth:sourceanddestinationofthe
tunnel.
R5(configif)#exi
R5(configrouter)#ex
TherouterhasestablishedEIGRPadjancencythroughthetunnel.Notethatthe
adjancencyhasbeenestablishedwiththeDMVPNhub(172.16.145.1).
OnR4
Thebeautyofthistechnologyisthatthereisexactlythesameconfigurationonall
Spokes!
R4(configif)#exi
Verification
R1#shiproute
CCIESecurity
Page169 of 322
C172.16.145.0isdirectlyconnected,Tunnel0
D192.168.4.0/24[90/27008000]via172.16.145.4,00:00:17,Tunnel0
D192.168.5.0/24[90/27008000]via172.16.145.5,00:00:55,Tunnel0
Spokeshavesentupdatesabouttheirnetworks(loopbackinterfaces)totheHub.NowHub
mustsendthatinformationdowntotheotherSpokes.TheHubmaydothataslongas
SplitHorizonruleisdisabledfortheroutingprotocol.
C192.168.1.0/24isdirectlyconnected,Loopback0
S*0.0.0.0/0[1/0]via10.1.12.2
R1#shipnhrp
172.16.145.4/32via172.16.145.4
Tunnel0created00:00:33,expire00:05:26
Type:dynamic,Flags:uniqueregistered
NBMAaddress:10.1.24.4
172.16.145.5/32via172.16.145.5
NHRPdatabasedisplayedontheDMVPNhub.Notethatshipnhrpshowsmappingbetween
Tunnel0ipaddressandipaddressofSerialinterfacewhichisusedforreachingthe
tunnelendpoint.TheentriesinNHRPdatabaseonthehubaredynamic(dynamically
obtainedfromthespokes).
(sec)(ms)CntNum
1 172.16.145.4Tu0
1100:00:3810136203
0 172.16.145.5Tu0
1100:01:1629136203
EIGRPadjacencyestablishedwiththespokes.
R1#shipeigrpinterface
IPEIGRPinterfacesforprocess145
XmitQueueMeanPacingTimeMulticastPending
InterfacePeersUn/ReliableSRTTUn/ReliableFlowTimerRoutes
Tu020/0196/227800
Lo000/00
0/100
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.25.5QM_IDLE1001ACTIVE
10.1.12.110.1.24.4QM_IDLE1002ACTIVE
IPv6CryptoISAKMPSA
R1#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
Localandremoteidentitiesusedforthetunnel.NotethatGREprotocolistransported
inthetunnel(IPprotocol47).ItisautomaticallyachievedbyassigningIPSecprofile
tothetunnelinterface(configuringcryptoACLsisnolongerneeded)
Notethattrafficisgoingthroughthetunnelestablishedbetweenthehub(R1)andthe
spoke(R4).
CCIESecurity
Page170 of 322
currentoutboundspi:0x97564348(2539012936)
inboundespsas:
spi:0x2A3D155F(708646239)
inusesettings={Transport,}
connid:2003,flow_id:NETGX:3,sibling_flags80000006,cryptomap:Tunnel0head0
IVsize:8bytes
Status:ACTIVE
InboundSPI(SecurityParameterIndex)hasbeennegotiated.
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x97564348(2539012936)
IVsize:8bytes
Status:ACTIVE
OutboundSPI(SecurityParameterIndex)hasbeennegotiated.
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
Localandremoteidentitiesusedfortunnelestablishedbeetweenhub(R1)andoneof
thespokes(R5).
currentoutboundspi:0x423D37C6(1111308230)
inboundespsas:
spi:0xE65FFF26(3865050918)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x423D37C6(1111308230)
CCIESecurity
Page171 of 322
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#shiproute
D192.168.5.0/24[90/28288000]via172.16.145.1,00:03:22,Tunnel0
C10.1.24.0isdirectlyconnected,Serial0/0/0.42
D192.168.1.0/24[90/27008000]via172.16.145.1,00:03:22,Tunnel0
S*0.0.0.0/0[1/0]via10.1.24.2
ThenetworksofR1andR5loopbacksarepresentintheR4sroutingtable.
Thesenetworksarereachablethroughthehub(R1)overtheDMVPNnetwork.
R4#shiproute192.168.5.0
Routingentryfor192.168.5.0/24
Knownvia"eigrp145",distance90,metric28288000,typeinternal
Redistributingviaeigrp145
Lastupdatefrom172.16.145.1onTunnel0,00:03:34ago
RoutingDescriptorBlocks:
*172.16.145.1,from172.16.145.1,00:03:34ago,viaTunnel0
NexthopIPaddressfollowedbytheinformationsource(R1thehub)
Routemetricis28288000,trafficsharecountis1
Totaldelayis105000microseconds,minimumbandwidthis100Kbit
Reliability255/255,minimumMTU1400bytes
Loading1/255,Hops2
R4#shipcef192.168.5.0
192.168.5.0/24
nexthop172.16.145.1Tunnel0
TheCEFentriesdisplayedforR5loopbacknetwork.ThisindicatesanIPaddressofnext
hopwhichhavetobeusedforreaching192.168.5.0/24.
R4#shipnhrp
172.16.145.1/32via172.16.145.1
Tunnel0created00:04:04,neverexpire
Type:static,Flags:
TheNHRPdatabaseentriesdisplayed.Thisshowsthemappingbetweenhubstunnel
interfaceIPaddressandhubsrealinterfaceIPaddressthroughwhichthetunnel
endpointisreachable.NotethatNHRPdatabaseentriesrelatedtothehubarestatic
andneverexpires(thehubmustbealwaysreachableforthespokeandcannotbe
dynamic).
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
dst
srcstateconnidstatus
10.1.12.110.1.24.4QM_IDLE1001ACTIVE
CCIESecurity
Page172 of 322
ThisindicatesthatISAKMPtunnelisestablishedandactive(QM_IDLEmeansthatISAKMP
SAisauthenticatedandQuickModeIPSecPhase2isfininshed.
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
IPSecproxyIDsonthespokeindicatesthattrafficbetweentunnelendpointwillbe
encrypted/decrypted.Also,packetcountersareincrementingastherearerouting
updatescrossingthetunnel.
pathmtu1500,ipmtu1500,ipmtuidbSerial0/0/0.42
currentoutboundspi:0x2A3D155F(708646239)
inboundespsas:
spi:0x97564348(2539012936)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x2A3D155F(708646239)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#pi192.168.5.5solo0
!!!!!
NowpingtheotherspokeusingitsloopbackIPaddressassource.Thisshouldsimulate
endtoendconnectivitythroughtheDMVPNnetwork.
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.24.4QM_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
CCIESecurity
Page173 of 322
Note:NonewISAKMPSAorNHRPmappingscreated.
R4#shipnhrp
172.16.145.1/32via172.16.145.1
Type:static,Flags:
Thesamebunchofcommandsshouldberunontheotherspoke.
R5#shiproute
D192.168.4.0/24[90/28288000]via172.16.145.1,00:01:24,Tunnel0
D192.168.1.0/24[90/27008000]via172.16.145.1,00:02:02,Tunnel0
S*0.0.0.0/0[1/0]via10.1.25.2
R5#shipcef192.168.4.0
192.168.4.0/24
nexthop172.16.145.1Tunnel0
R5#shipnhrp
172.16.145.1/32via172.16.145.1
Type:static,Flags:
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.25.5QM_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xE65FFF26(3865050918)
inboundespsas:
spi:0x423D37C6(1111308230)
IVsize:8bytes
CCIESecurity
Page174 of 322
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xE65FFF26(3865050918)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#pi192.168.4.4solo0
!!!!!
Note:NonewISAKMPSAorNHRPmappingscreated.
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.25.5QM_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
R5#shipnhrp
172.16.145.1/32via172.16.145.1
Type:static,Flags:
CCIESecurity
Page175 of 322
Lab2.15. DMVPNPhase2(withEIGRP)
EnsureyouuseIOSversion12.4(15)Tonallrouterstoseesimilarcommand
outputs.
LabSetup:
pointtopointmanner
pointtopointmanner
IPAddressing:
Device
R1
R2
R4
R5
CCIESecurity
Interface
Lo0
F0/0
F0/0
S0/1/0.25
S0/1/0.24
Lo0
S0/0/0.42
Lo0
S0/1/0.52
IPaddress
192.168.1.1/24
10.1.12.1/24
10.1.12.2/24
10.1.25.2/24
10.1.24.2/24
192.168.4.4/24
10.1.24.4/24
192.168.5.5/24
10.1.25.5/24
Page176 of 322
Task1
interfaceshouldbetransmittedsecurelydirectlytotheotherspokes.You
mustuseEIGRPdynamicroutingprotocoltoletotherspokesknowabout
protectednetworks.Usethefollowingsettingswhenconfiguringtunnels:
TunnelParameters
o IPaddress:172.16.145.0/24
o IPMTU:1400
NHRPParameters
o NHRPID:12345
o NHRPHub:R1
o EIGRP145
ISAKMPParameters
o Encryption:3DES
o Hashing:SHA
o DHGroup:2
IPSecParameters
DMVPN Phase2introduces a newfeature whichis direct SpoketoSpoke communicationthrough

the DMVPN network. It is useful for companies who have communication between branches and
wanttolessentheHubsoverhead.ThislabdescribesDMVPNPhase2whenEIGRPisinuse.This
isimportanttounderstandthedifferencebetweenroutingprotocolsusedinDMVPNsolution.They
mustbeespeciallyconfigured/tunedtoworkinmostscalableandefficientway.
However,therearesomedisadvantagesofusingoneprotocoloranother sothatIlltrytodescribe
thoseintheupcominglabs.
Asmostofthecommandshavebeenalreadydescribedinthepreviouslab,Iwillfocusonthenew
commandsandondifferenciesbetweenDMVPNPhase1and2.
OnR1
TheHubsconfigurationforDMVPNPhase2isalmostthesameasforPhase1.
CCIESecurity
Page177 of 322
R1(configif)#noipnexthopselfeigrp145
Thedifferenceisinroutingprotocolbehavior.TheDMVPNPhase2allowsfordirect
SpoketoSpokecommunication.Hence,onespokemustsendthetraffictotheotherspoke
usingitsroutingtableinformation.InDMVPNPhase1thespokesendsalltrafficupto
theHubandusestheHubforSpoketoSpokecommunication.However,inDMVPNPhase2a
spokemustpointtotheotherspokedirectly.
Thisisachievedbychangingtheroutingprotocolbehavior.TheEIGRPchangesnexthop
intheroutingupdatewhensendingitfurther.Sothat,theHubchangesthenexthopto
itselfwhensendingdowntheroutingupdatestotheSpokes.Thisbehaviorcanbe
changedbythecommandnoipnexthopselfeigrpAS.
NotethatinDMVPNPhase2theHubisinGREMultipointmodeasitwasinPhase1.
R1(configif)#exi
OnR5
R5(configif)#ipnhrpmapmulticast10.1.12.1
OneadditionalcommandontheSpokeisaboutsendingmulticasttraffictotheHub.This
isbecauseonspokesweuseGREMultipointtunneltypesothatweneedtotellthe
routerwheretosendmulticastandbroadcasttraffic.
NotethatonDMVPNPhase2weuseGREmultipointtunneltypeaswerequiremanytunnels
withmanyspokes.
CCIESecurity
Page178 of 322
R5(configif)#exi
R5(configrouter)#ex
OnR4
TheDMVPNconfigurationonallspokesisthesame.
R4(configif)#exi
Verification
R1#shiproute
D192.168.4.0/24[90/297372416]via172.16.145.4,00:00:12,Tunnel0
D192.168.5.0/24[90/297372416]via172.16.145.5,00:00:14,Tunnel0
CCIESecurity
Page179 of 322
S*0.0.0.0/0[1/0]via10.1.12.2
TheHubhasroutinginformationaboutthenetworksbehindthespokes.
R1#shipnhrp
172.16.145.4/32via172.16.145.4,Tunnel0created00:00:22,expire00:05:37
ThespokesareregisteredinNHSsuccessfully.
XIKEExtendedAuthentication
rencRSAencryption
IPv4CryptoISAKMPSA
1002 10.1.12.1
10.1.24.4
ACTIVE3desshapsk223:59:19
1001 10.1.12.110.1.25.5
IPv6CryptoISAKMPSA
TheHubsetupISAKMPSAandIPSecSAwithbothspokes.
R1#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
ThetrafficisgoingthroughthetunnelbetweentheHubandtheSpoke.Thistrafficis
anEIGRPupdatesaswehavenotinitiatedanytrafficyet.
currentoutboundspi:0x49DC5EAF(1239178927)
inboundespsas:
spi:0xF483377E(4102240126)
connid:2003,flow_id:NETGX:3,cryptomap:Tunnel0head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x49DC5EAF(1239178927)
CCIESecurity
Page180 of 322
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
ThetrafficisgoingthroughthetunnelbetweentheHubandtheSpoke.Thistrafficis
anEIGRPupdatesaswehavenotinitiatedanytrafficyet.
currentoutboundspi:0x1FB68E8D(532057741)
inboundespsas:
spi:0xE487940A(3834090506)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x1FB68E8D(532057741)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
HAddress
InterfaceHoldUptimeSRTTRTOQSeq
(sec)(ms)CntNum
1 172.16.145.5Tu0
1400:00:5034500003
0 172.16.145.4Tu0
1100:00:5083500003
EIGRPneighboradjacencyisestablishedwithbothspokesviathetunnel.
R1#shipeigrpinterface
Interface
PeersUn/ReliableSRTTUn/ReliableFlowTimerRoutes
Tu020/05871/25243200
Lo000/000/100
R5#shiproute
CCIESecurity
Page181 of 322
D192.168.4.0/24[90/310172416]via172.16.145.4,00:09:17,Tunnel0
D192.168.1.0/24[90/297372416]via172.16.145.1,00:09:17,Tunnel0
S*0.0.0.0/0[1/0]via10.1.25.2
TheSpokehasroutinginformationforthenetworksbehindotherspokeandtheHub.Note
thatinDMVPNPhase2theSpokemustpointtotheotherSpoke(nottheHub).Thisis
achievedbyconfiguringnoipnexthopselfeigrpcommandontheHub.
Loading1/255,Hops2
DetailedviewoftheprefixindicatesthatR5gotroutinginformationfromtheHubbut
hasnexthopofR4.
R5#shipcef192.168.4.4
192.168.4.0/24,version20,epoch0
0packets,0bytes
via172.16.145.4,Tunnel0,0dependencies
nexthop172.16.145.4,Tunnel0
invalidadjacency
WhenCEFisenabled(enabledbydefaultoneveryrouter)therouterusesCEFdatabase
(calledFIB)toswitchthepackets.TheFIBisbuiltupbasedontheinformationfrom
theroutingtable(RIB).TheCEFdatabaseindicatesthatnexthoprouterforthat
prefixisR4,butitalsoshowsthatthisentryisinvalid.Thisisbecausethe
routerhasnocluehowtogettothataddress(whatphysicalinterfaceusetoroutethe
trafficout).
R5#shipcef10.1.24.4
0.0.0.0/0,version18,epoch0,cachedadjacencytoSerial0/1/0.52
0packets,0bytes
via10.1.25.2,0dependencies,recursive
nexthop10.1.25.2,Serial0/1/0.52via10.1.25.0/24
validcachedadjacency
R5#shipcef172.16.145.4
172.16.145.0/24,version17,epoch0,attached,connected
0packets,0bytes
viaTunnel0,0dependencies
validpuntadjacency
NotethattherearevalidCEFentriesforlogicalandphysicaltunnelendpoint.
R5#shipnhrp
172.16.145.1/32via172.16.145.1,Tunnel0created00:10:24,neverexpire
Type:static,Flags:used
NHRPhasonlystaticentryfortheHub.Thisentryisusedtoregisterthespoketothe
NHS.
CCIESecurity
Page182 of 322
rencRSAencryption
IPv4CryptoISAKMPSA
1001 10.1.25.510.1.12.1
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
ThespokehasISKAMPSAandIPSecSAwiththeHub.Itdoesnothaveanytunnelswith
theotherspokeyet.
currentoutboundspi:0xE487940A(3834090506)
inboundespsas:
spi:0x1FB68E8D(532057741)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xE487940A(3834090506)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#ping192.168.4.4solo0
!!!!!
R5#ping192.168.4.4solo0
CCIESecurity
Page183 of 322
!!!!!
ThepingtothenetworkbehindR4issuccessful.
R5#shipnhrp
Type:dynamic,Flags:routerused
Nowaftertheping,therearedynamicNHRPmappingsandadditionalspoketospokeIPSec
SA.
R5#shipcef192.168.4.4
192.168.4.0/24,version20,epoch0
0packets,0bytes
validadjacency
NotethatCEFentryisvalidnow.
R5#shadjacencytun0det
ProtocolInterfaceAddress
IPTunnel0
172.16.145.4(5)
0packets,0bytes
4500000000000000FF2F76C40A011905
0A0118042000080000003039
Tunendptnever
Epoch:0
IPTunnel0172.16.145.1(5)
0packets,0bytes
4500000000000000FF2F82C70A011905
0A010C012000080000003039
Tunendptnever
Epoch:0
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
dstsrcstateconnidslotstatus
10.1.12.110.1.25.5QM_IDLE10010ACTIVE
10.1.25.510.1.24.4QM_IDLE10020ACTIVE
IPv6CryptoISAKMPSA
TheR5hasISAKMPSAwithR4established.NotethatR4isanInitiatorofthistunnel.
rencRSAencryption
IPv4CryptoISAKMPSA
1001 10.1.25.510.1.12.1
1002 10.1.25.510.1.24.4
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
CCIESecurity
Page184 of 322
currentoutboundspi:0xE487940A(3834090506)
inboundespsas:
spi:0x1FB68E8D(532057741)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xE487940A(3834090506)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
ThisisIPSecSAwithR4.Notethatfor10pingssentonly56ofthemhavebeen
encrypted.ThisisbecausethetunnelbetweenR5andR4istakessometimetocomeup.
currentoutboundspi:0x541C9A19(1411160601)
inboundespsas:
spi:0xD15B10C(219525388)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x541C9A19(1411160601)
CCIESecurity
Page185 of 322
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#shiproute
D192.168.5.0/24[90/310172416]via172.16.145.5,00:05:12,Tunnel0
D192.168.1.0/24[90/297372416]via172.16.145.1,00:05:12,Tunnel0
S*0.0.0.0/0[1/0]via10.1.24.2
R4hasroutinginformationforthenetworksbehindR5andR1.
Loading1/255,Hops2
R4#shipcef192.168.5.5
192.168.5.0/24,version20,epoch0
0packets,0bytes
validadjacency
TheCEFisvalidasithasbeenalreadyresolvedduringtunnelsetupprocessbetween
R5andR4.
R4#shipnhrp
Type:dynamic,Flags:routeruniquelocal
(nosocket)
Type:dynamic,Flags:routerimplicit
rencRSAencryption
IPv4CryptoISAKMPSA
CCIESecurity
Page186 of 322
1002 10.1.24.410.1.25.5
1001 10.1.24.410.1.12.1
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xF483377E(4102240126)
inboundespsas:
spi:0x49DC5EAF(1239178927)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xF483377E(4102240126)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
TheIPSecSAisalreadyestablishedbetweenR4andR5.Notethatthepacketcounters
arenotincrementingasthereisnosupportfordynamicroutingprotocolbetweenthe
spokesinDMVPN.
currentoutboundspi:0xD15B10C(219525388)
CCIESecurity
Page187 of 322
inboundespsas:
spi:0x541C9A19(1411160601)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD15B10C(219525388)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page188 of 322
Lab2.16. DMVPNPhase2(withOSPF)
Lo0
R2
S0/1/0
205
.2
204
10.1.245.0/24
502
Lo0
402
S0/1/0
S0/0/0
.5
Lo0
.4
R4
R5
outputs.
LabSetup:
R2sS0/1/0,R4sS0/0/0andR5sS0/1/0interfacesshouldbeconfiguredina
framerelaymannerusingphysicalinterfaces
IPAddressing:
Device
R2
R4
R5
Interface
Lo0
S0/1/0
Lo0
S0/0/0
Lo0
S0/1/0
IPaddress
192.168.2.2/24
10.1.245.2/24
192.168.4.4/24
10.1.245.4/24
192.168.5.5/24
10.1.245.5/24
Task1
mustuse OSPFdynamicroutingprotocol toletother spokes know about
protected networks. You are not allowed to use NHRP Redirects to
accomplishthistask.Usethefollowingsettingswhenconfiguringtunnels:
TunnelParameters
o IPaddress:172.16.245.0/24
CCIESecurity
Page189 of 322
o IPMTU:1400
NHRPParameters
o NHRPID:123
o NHRPHub:R2
o OSPFArea0
ISAKMPParameters
o Encryption:3DES
o Hashing:SHA
o DHGroup:2
IPSecParameters
DMVPNPhase2with OSPFisvery similartoPhase2withEIGRP.WeneedtoconfigureOSPFina

specialwaytoensurethespokeshasnexthop pointingtotheotherspokes notaHub.InEIGRPit
was achieved by the command of no ip nexthopself eigrp on the Hub. Here it is achieved by
tuningOSPFnetworktype.
OnR2
R2(configif)#tunnelsources0/1/0
R2(configif)#
R2(configif)#
R2(configif)#ipospfpriority255
R2(configif)#ipospfnetworkbroadcast
CCIESecurity
Page190 of 322
WeneedtoknowthatOSPFdoesnotchangenexthopwhenoperatinginbroadcasttype
network.ThisisbecauseOSPFelectsDR/BDRonbroadcastnetworkslikeEthernet.Every
routerinthatnetworksendsroutinginformationtoDR/BDRandthenthatrouter
advertisesthatinformationtootherrouters.Since,allroutersareconnectedtothe
samemediaonbroadcastnetworks,itisassumedthattheyhaveaccesstoeachother.
Hence,thereisnoreasontochangethenexthopintheadvertisements.Thisprotocol
behaviorperfectlysuitsinthissituation.
AnotherthingisthatwestillhaveHubandSpokephysicaltopology.Since,theOSPF
mustelectDR/BDRandallroutersmusthaveadjacencywithDR/BDRrouterweneedto
ensurethisrolewillbetakenbytheHub.WeuseOSPFprioritiestodothat.The
priorityof255isthehighestand0isthelowest.Practically,havingpriorityof0
disablestherouterfromelectionprocess.Thus,weset255ontheHuband0onthe
Spokes.
R2(configif)#exit
R2(config)#routerospf1
R2(configrouter)#routerid172.16.245.2
R2(configrouter)#network172.16.245.20.0.0.0area0
OnR5
R5(configif)#tunnelsourceSerial0/1/0
R5(configif)#
R5(configif)#
R5(configif)#exi
NochangesontheSpokesbutOSPFnetworktypeandpriorityof0.Theprioritydisables
therouterparticipationinDR/BDRelection.
R5(configrouter)#net172.16.245.50.0.0.0area0
R5(configrouter)#
%OSPF5ADJCHG:Process1,Nbr172.16.245.2onTunnel0fromLOADINGtoFULL,LoadingDone
OnR4
CCIESecurity
Page191 of 322
R4(configrouter)#
R4(configrouter)#
R4(configif)#exi
NochangesontheSpokesbutOSPFnetworktypeandpriorityof0.Theprioritydisables
therouterparticipationinDR/BDRelection.
Verification
R2#shipospfneighbor
NeighborIDPriStateDeadTimeAddress
Interface
172.16.245.40FULL/DROTHER00:00:39172.16.245.4Tunnel0
172.16.245.50FULL/DROTHER00:00:34172.16.245.5Tunnel0
TheHubhasOSPFadjacencieswiththeSpokes.NotethattheSpokeshaveDROTHERroles
inthenetworkmenaingtheyarenotDR/BDR.
R2#shiproute
O192.168.4.4[110/11112]via172.16.245.4,00:01:01,Tunnel0
O192.168.5.5[110/11112]via172.16.245.5,00:00:43,Tunnel0
C10.1.245.0isdirectlyconnected,Serial0/1/0
TheHubhasroutinginformationfornetworksbehindtheSpokes.
CCIESecurity
Page192 of 322
R2#shipnhrp
TheHubworksasNHSinthenetworkandhasspokesregistered.
R2#shcryptosession
Interface:Tunnel0
Peer:10.1.245.4port500
IPSECFLOW:permit47host10.1.245.2host10.1.245.4
Interface:Tunnel0
Peer:10.1.245.5port500
rencRSAencryption
IPv4CryptoISAKMPSA
1002 10.1.245.210.1.245.4
1001 10.1.245.210.1.245.5
IPv6CryptoISAKMPSA
Forthecryptopart,theHubhasIPSectunnels(encryptingGRE)betweenallspokes.
R2#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
pathmtu1500,ipmtu1500,ipmtuidbSerial0/1/0
currentoutboundspi:0xD3CA593(222078355)
inboundespsas:
spi:0xB000E51C(2952848668)
connid:2003,flow_id:OnboardVPN:3,cryptomap:Tunnel0head0
IVsize:8bytes
Status:ACTIVE
CCIESecurity
Page193 of 322
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD3CA593(222078355)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
local ident(addr/mask/prot/port):(10.1.245.2/255.255.255.255/47/0)
currentoutboundspi:0x558438AB(1434728619)
inboundespsas:
spi:0x83D966D1(2212062929)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x558438AB(1434728619)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#shipospfneighbor
NeighborIDPriStateDeadTimeAddressInterface
172.16.245.2255FULL/DR
00:00:34172.16.245.2Tunnel0
ThespokehasOSPFadjacencywiththeHub.NotethattheHubisDR(DesignatedRouter).
R4#shiproute
CCIESecurity
Page194 of 322
O192.168.5.5[110/11112]via172.16.245.5,00:01:47,Tunnel0
O192.168.2.2[110/11112]via172.16.245.2,00:02:15,Tunnel0
RoutingtothenetworkbehindotherspokesshouldbepointedtotheotherspokesIP
address.ThisisachievedbychangingOPSFnetworktypetobroadcast.
Knownvia"ospf1",distance110,metric11112,typeintraarea
R4#shipcef192.168.5.5
192.168.5.5/32,version21,epoch0
0packets,0bytes
invalidadjacency
Samesituationhere,therouterhasnoinformationaboutphysicalinterfacetoroute
thepacketoutforthatnetwork.
R4#shipcef172.16.245.5
172.16.245.0/24,version15,epoch0,attached,connected
0packets,0bytes
viaTunnel0,0dependencies
validpuntadjacency
R4#shipnhrp
R4#shcryptosession
Interface:Tunnel0
Peer:10.1.245.2port500
TherouterhasIPSectunneltotheHubonly.
R4#ping192.168.5.5solo0
!!!!!
Pingtothenetworkbehindtheotherspokeissuccessful.AfterthattheCEFentryis
validandthepacketscanbeCEFswitched.
R4#shipcef192.168.5.5
192.168.5.5/32,version21,epoch0
0packets,0bytes
validadjacency
CCIESecurity
Page195 of 322
R4#shipcef172.16.245.5
172.16.245.5/32,version22,epoch0,connected
0packets,0bytes
validadjacency
R4#shipnhrp
(nosocket)
Type:dynamic,Flags:routerused
TheroutergotNHRPinformationfromtheotherspokesothatitcanvalidateCEFentry
anduseittoswitchthepackets.
R4#shcryptosession
Interface:Tunnel0
Peer:10.1.245.2port500
Interface:Tunnel0
Peer:10.1.245.5port500
ThedirectIPSectunnelhasbeenbuiltbetweenthespokes.
rencRSAencryption
IPv4CryptoISAKMPSA
1002 10.1.245.410.1.245.5
1003 10.1.245.410.1.245.5
100110.1.245.410.1.245.2ACTIVE3desshapsk223:53:33
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
CCIESecurity
Page196 of 322
currentoutboundspi:0xB000E51C(2952848668)
inboundespsas:
spi:0xD3CA593(222078355)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB000E51C(2952848668)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
Notethatonly2packetsoutof5hasbeenencrypted/decrypted.Thisdoesnotmean3
packetshaslost.ThosepacketshasbeensenttotheotherspokethroughtheHubinthe
firststep.Then,whenthedirecttunnelcameup,restofthepacketsusedthe
encryptedtunnel.
currentoutboundspi:0x723E68C3(1916692675)
inboundespsas:
spi:0x8C779DEA(2356649450)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x723E68C3(1916692675)
CCIESecurity
Page197 of 322
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#shiproute
O192.168.4.4[110/11112]via172.16.245.4,00:04:18,Tunnel0
O192.168.2.2[110/11112]via172.16.245.2,00:04:28,Tunnel0
Sameontheotherspoketheroutingpointstotheremotespoke.
R5#shipcef192.168.4.4
192.168.4.4/32,version17,epoch0
0packets,0bytes
validadjacency
CEFentryisvalidbecauseitwasvalidatedbythetunnelestablishmentprocess
betweenR4andR5.SameforNHRPentriesbelow.
R5#shipnhrp
Type:dynamic,Flags:router
(nosocket)
rencRSAencryption
IPv4CryptoISAKMPSA
1002 10.1.245.510.1.245.4
ACTIVE3desshapsk 223:58:30
1003 10.1.245.510.1.245.4
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
CCIESecurity
Page198 of 322
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x83D966D1(2212062929)
inboundespsas:
spi:0x558438AB(1434728619)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x83D966D1(2212062929)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
Tunnelbetweenspokesworks!
currentoutboundspi:0x8C779DEA(2356649450)
inboundespsas:
spi:0x723E68C3(1916692675)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
CCIESecurity
Page199 of 322
inboundpcpsas:
outboundespsas:
spi:0x8C779DEA(2356649450)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#ping192.168.4.4solo0
!!!!!
Trytopingtoseeifthetunnelstatisticsareincrementing.
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x83D966D1(2212062929)
inboundespsas:
spi:0x558438AB(1434728619)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x83D966D1(2212062929)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page200 of 322
See5morepacketsencrypted/decrypted.
currentoutboundspi:0x8C779DEA(2356649450)
inboundespsas:
spi:0x723E68C3(1916692675)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x8C779DEA(2356649450)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page201 of 322
Lab2.17. DMVPNPhase3(withEIGRP)
Lo0
R2
S0/1/0
205
.2
204
10.1.245.0/24
502
Lo0
402
S0/1/0
S0/0/0
.5
Lo0
.4
R4
R5
outputs.
LabSetup:
IPAddressing:
Device
R2
R4
R5
Interface
Lo0
S0/1/0
Lo0
S0/0/0
Lo0
S0/1/0
IPaddress
192.168.2.2/24
10.1.245.2/24
192.168.4.4/24
10.1.245.4/24
192.168.5.5/24
10.1.245.5/24
Task1
mustuseEIGRPdynamicroutingprotocoltoletotherspokesknowabout
protected networks. You must ensure that every traffic is CEF switched.
Usethefollowingsettingswhenconfiguringtunnels:
TunnelParameters
o IPaddress:172.16.245.0/24
CCIESecurity
Page202 of 322
o IPMTU:1400
NHRPParameters
o NHRPID:123
o NHRPHub:R2
o EIGRPAS245
ISAKMPParameters
o Encryption:3DES
o Hashing:SHA
o DHGroup:2
IPSecParameters
DMVPN Phase 3 is the latest method of configuration. It was introduced by Cisco to fix some
disadvantagesofPhase2like:
Scalability:Phase2allowsHubsdaisychaining,OSPFsinglearea,limitednumberof
hubsduetoOSPFDR/DBRelection
Scalability:Phase2doesnotallowroutesummarizationontheHub,allprefixesmust
bedistributedtoallspokestobeabletosetupdirectspoketospoketunnels.
Performance: Phase 2 sends first packets through the Hub using processswitching
(notCEF)causingCPUspikes.
DMVPNPhase3usestwoNHRPhackstomakeithappen:
NHRP Redirect a new messages send from the Hub to the Spoke to let the Spoke
knowthatthereisabetterpathtotheotherspokethanthroughtheHub
NHRPShortcutanewwayofchanging(overwriting)CEFinformationontheSpoke
InDMVPNPhase3allSpokesmustpointtotheHubforthenetworksbehindtheotherspokes(just
likeitwasinPhase1).
OnR2
R2(config)#intTunnel0
CCIESecurity
Page203 of 322
R2(configif)#ipnhrpredirect
NHRPRedirectisaspecialNHRPmessagesentbytheHubtothespoketotellthespoke
thatthereisabetterpathtotheremotespokethanthroughtheHub.Allitdoesis
enforcesthespoketotriggeranNHRPresolutionrequesttoIPdestination.
TheipnhrpredirectcommandshouldbeconfiguredontheHubonly!
NotethatwedonotneednoipnexthopselfeigrpcommandintheDMVPNPahse3.
R2(configif)#exi
R2(configrouter)#net172.16.245.20.0.0.0
OnR4
R4(configif)#ipnhrpshortcut
TheonlydifferenceonthespokeisthatthespokehasNHRPShortcutconfigured.This
willworktogetherwithNHRPRedirectontheHubtosendanewResolutionRequestNHRP
messageandoverwriteCEFentrytousedirectspoketospoketunnelinsteadoftheHub.
Thiscommandshouldbeconfiguredonspokesonly.
OnR5
CCIESecurity
Page204 of 322
Sameconfigurationonallspokes.
R5(configif)#exi
R5(config)#
R5(config)#
R5(config)#
Verification
R2#shipeigrneighbors
H AddressInterfaceHoldUptimeSRTTRTOQSeq
(sec)(ms)CntNum
1172.16.245.5Tu01000:04:571608500003
0172.16.245.4Tu01100:05:4851136204
R2#shipeigrinterfaces
InterfacePeersUn/ReliableSRTTUn/ReliableFlowTimer Routes
Tu020/08296/2271480
Lo000/000/100
TheHubhasneighboradjacencieswiththespokes.
R2#shiproute
CCIESecurity
Page205 of 322
D192.168.4.0/24[90/27008000]via172.16.245.4,00:06:53,Tunnel0
D192.168.5.0/24[90/27008000]via172.16.245.5,00:00:07,Tunnel0
RoutinginformationfornetworkbehindthespokesisontheHub.
R2#shipnhrp
172.16.245.4/32via172.16.245.4
172.16.245.5/32via172.16.245.5
Type:dynamic,Flags:uniqueregisteredused
TheSpokesareregisteredintheNHRPdatabasesuccessfully.
R2#shcryptosession
Interface:Tunnel0
Peer:10.1.245.4port500
Interface:Tunnel0
Peer:10.1.245.5port500
rencRSAencryption
IPv4CryptoISAKMPSA
1001 10.1.245.210.1.245.4
1002 10.1.245.210.1.245.5
IPv6CryptoISAKMPSA
TheHubhasISAKMPSAandIPSecSAwiththespokes.ThisistoencryptGREtunnel
traffic.
R2#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
CCIESecurity
Page206 of 322
currentoutboundspi:0x655C5AD2(1700551378)
inboundespsas:
spi:0x9B622E0(162931424)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x655C5AD2(1700551378)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0xD73908D9(3610839257)
inboundespsas:
spi:0x2CB7F3F4(750253044)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD73908D9(3610839257)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
CCIESecurity
Page207 of 322
outboundpcpsas:
R4#shipeigrpneighbors
(sec)(ms)CntNum
0172.16.245.2Tu01300:07:4712500007
TheSpokehasneighboradjacencywiththeHub.
R4#shiproute
D192.168.5.0/24[90/298652416]via172.16.245.2,00:01:10,Tunnel0
D192.168.2.0/24[90/297372416]via172.16.245.2,00:07:57,Tunnel0
TheroutinginformationforremotenetworkispointingtotheHubsIPaddress.
R4#shipcef192.168.5.0
192.168.5.0/24,version25,epoch0
0packets,0bytes
validadjacency
R4#shipcef192.168.5.5
192.168.5.0/24,version25,epoch0
0packets,0bytes
validadjacency
TheCEFentryisvalidasthespokehasallinformationhowtoreachHubsphysicalIP
address.
R4#shipnhrp
ThereisastaticentryintheNHRPdatabaseonthespoke.ThisentryisusedinNHRP
registrationprocess.
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.245.210.1.245.4
QM_IDLE10010ACTIVE
IPv6CryptoISAKMPSA
TheISKAMPSAandIPSecSAsarebuiltupwiththeHubonly.TherearenospoketoSpoke
IPSectunnelsyet.
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
CCIESecurity
Page208 of 322
currentoutboundspi:0x9B622E0(162931424)
inboundespsas:
spi:0x655C5AD2(1700551378)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x9B622E0(162931424)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#ping192.168.5.5solo0
!!!!!
Testbypingingthenetworkbehindtheotherspoke.
R4#shipcef192.168.5.0
192.168.5.0/24,version25,epoch0
0packets,0bytes
validadjacency
R4#shipnhrp
Type:dynamic,Flags:routerimplicitused
(nosocket)
TheNHRPdatatbaseshowsnewdynamicentriesfortheremotespokeandthelocalentry
forR4whichiscreatedwhensendinganNHRPresolutionreply.
CCIESecurity
Page209 of 322
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.245.410.1.245.5QM_IDLE10020ACTIVE
10.1.245.510.1.245.4QM_IDLE10030ACTIVE
10.1.245.210.1.245.4QM_IDLE10010ACTIVE
IPv6CryptoISAKMPSA
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x9B622E0(162931424)
inboundespsas:
spi:0x655C5AD2(1700551378)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x9B622E0(162931424)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
NotethatonlyoneICMPpacketoutof5hasbeensentthroughthedirestSpoketoSpoke
tunnel.RestofthepacketshasbeensentthroughtheHub.
currentoutboundspi:0x3CAEA65A(1018078810)
CCIESecurity
Page210 of 322
inboundespsas:
spi:0xD962CE1F(3647131167)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x3CAEA65A(1018078810)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
Sameinformationontheotherspoke.
(sec)(ms)CntNum
0172.16.245.2Tu01200:09:4320 500007
R5#shiproute
D192.168.4.0/24[90/298652416]via172.16.245.2,00:09:50,Tunnel0
D192.168.2.0/24[90/297372416]via172.16.245.2,00:09:50,Tunnel0
ThespokehasroutinginformationforremotenetworkspointingtotheHub.
R5#shipcef192.168.4.0
192.168.4.0/24,version21,epoch0
0packets,0bytes
validadjacency
R5#shipnhrp
CCIESecurity
Page211 of 322
(nosocket)
NHRPentrieshasbeenresolvedandcachedalready.
rencRSAencryption
IPv4CryptoISAKMPSA
1003 10.1.245.510.1.245.4
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x2CB7F3F4(750253044)
inboundespsas:
spi:0xD73908D9(3610839257)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x2CB7F3F4(750253044)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page212 of 322
TheIPSecSAisbuiltandusedforencryptingpacketsbetweenthespokes.
currentoutboundspi:0xD962CE1F(3647131167)
inboundespsas:
spi:0x3CAEA65A(1018078810)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD962CE1F(3647131167)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#ping192.168.4.4solo0
!!!!!
Letspingtoseeifthetrafficgoesthroughthetunnel.
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x2CB7F3F4(750253044)
inboundespsas:
spi:0xD73908D9(3610839257)
CCIESecurity
Page213 of 322
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x2CB7F3F4(750253044)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
Yes,thetrafficiscrossingthetunnelaswesee5morepacketsencrypted/decrypted.
currentoutboundspi:0xD962CE1F(3647131167)
inboundespsas:
spi:0x3CAEA65A(1018078810)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD962CE1F(3647131167)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page214 of 322
Lab2.18. DMVPNPhase3(withOSPF)
Lo0
R2
S0/1/0
205
.2
204
10.1.245.0/24
502
Lo0
402
S0/1/0
S0/0/0
.5
Lo0
.4
R4
R5
outputs.
LabSetup:
IPAddressing:
Device
R2
R4
R5
Interface
Lo0
S0/1/0
Lo0
S0/0/0
Lo0
S0/1/0
IPaddress
192.168.2.2/24
10.1.245.2/24
192.168.4.4/24
10.1.245.4/24
192.168.5.5/24
10.1.245.5/24
Task1
mustuse OSPFdynamicroutingprotocol toletother spokes know about
protected networks. You must ensure that every traffic is CEF switched.
TunnelParameters
o IPaddress:172.16.245.0/24
CCIESecurity
Page215 of 322
o IPMTU:1400
NHRPParameters
o NHRPID:123
o NHRPHub:R2
o OSPFArea0
ISAKMPParameters
o Encryption:3DES
o Hashing:SHA
o DHGroup:2
IPSecParameters
OSPFisalwaystrickywhenusedinDMVPNscenarios.InDMVPNPhase3weneedtocareofOSPF
networktypetoensuretheSpokespointtotheHubsIPaddressforremotenetworks.
To achievethatthe OSPFnetworktypemustbechangedtopointtomultipointasthis typehasno
DR/BDRelectionprocessandchangesnexthopwhenadvertisingtheroutesfurther.
OnR2
R2(configif)#ipnhrpredirect
ThisisDMVPNPhase3,sodonotforgetofNHRPRedirect.
R2(configif)#ipospfnetworkpointtomultipoint
CCIESecurity
Page216 of 322
Heresthechange.WeneedtohavepointtomultipointOSPFnetworktypeinDMVPN
Phase3tomakeitwork.ThiswillallowtheHubsendingsummarizingroutestothe
spokes,asthespokesmustcontacttheHubinthefirststeptoroutethepacketsto
theremotenetwork.
NotethatwedonotconfigureOSPFprioritiesasthereisnoDR/BDRelectionprocessin
OSPFpointtomultipointnetworktype.Thisisalsoveryimportantinmoreadvanced
scenarioswhenwedneedmorehubsintheDMVPNPhase3network.
R2(configif)#exi
OnR4
NHRPShortcutshouldbeenabledonspokesinDMVPNPhase3.
SameonthespokesOSPFpointtomultipointnetworktype.
R4(config)#
OnR5
CCIESecurity
Page217 of 322
SameonthespokesOSPFpointtomultipointnetworktype.
R5(configif)#exi
R5(config)#
R5(config)#
Verification
R2#shipospfneighbor
172.16.245.50FULL/
00:01:59
172.16.245.5Tunnel0
172.16.245.40FULL/
00:01:49172.16.245.4Tunnel0
TheHubhasneighboradjacencywiththespokes.
R2#shipospfinterface
Loopback0isup,lineprotocolisup
InternetAddress192.168.2.2/24,Area0
ProcessID1,RouterID172.16.245.2,NetworkTypeLOOPBACK,Cost:1
LoopbackinterfaceistreatedasastubHost
ProcessID1,RouterID172.16.245.2,NetworkTypePOINT_TO_MULTIPOINT,Cost:1000
TransmitDelayis1sec,StatePOINT_TO_MULTIPOINT
Timerintervalsconfigured,Hello30,Dead120,Wait120,Retransmit5
oobresynctimeout120
Helloduein00:00:24
SupportsLinklocalSignaling(LLS)
CiscoNSFhelpersupportenabled
IETFNSFhelpersupportenabled
Index1/1,floodqueuelength0
Next0x0(0)/0x0(0)
Lastfloodscanlengthis1,maximumis1
Lastfloodscantimeis0msec,maximumis0msec
NeighborCountis2,Adjacentneighborcountis2
Adjacentwithneighbor172.16.245.5
Suppresshellofor0neighbor(s)
ThenetworktypeontheHubisPointtoMultipoint
R2#shiproute
CCIESecurity
Page218 of 322
O172.16.245.5/32[110/1000]via172.16.245.5,00:01:22,Tunnel0
O172.16.245.4/32[110/1000]via172.16.245.4,00:02:39,Tunnel0
O192.168.4.4[110/1001]via172.16.245.4,00:00:53,Tunnel0
O192.168.5.5[110/1001]via172.16.245.5,00:00:43,Tunnel0
TheHubhasremotenetworksinitsroutingtable.Notethatthosenetworksarehost
prefixes.ThisisbecausetheloopbackinterfaceshasOSPFloopbacktypeandthus,
theyareadvertisedashostroutes.Tochangethat,configureipospfnetworkpoint
topointontheloopbackinterfaces.
R2#shipnhrp
172.16.245.4/32via172.16.245.4
172.16.245.5/32via172.16.245.5
BothspokesareredisteredinNHSsuccessfully.
rencRSAencryption
IPv4CryptoISAKMPSA
CidLocalRemote
IVRFStatusEncrHashAuthDHLifetimeCap.
1001 10.1.245.210.1.245.4
1002 10.1.245.210.1.245.5
IPv6CryptoISAKMPSA
TheHubhasISAKMPSAandIPSecSAestablishedwiththespokes.
R2#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
CCIESecurity
Page219 of 322
currentoutboundspi:0xD90CFFE(227594238)
inboundespsas:
spi:0x6E5FC564(1851770212)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD90CFFE(227594238)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0xC52C4105(3308011781)
inboundespsas:
spi:0xFAEAE72E(4209698606)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xC52C4105(3308011781)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
CCIESecurity
Page220 of 322
outboundpcpsas:
R4#shipospfneighbor
172.16.245.20FULL/
00:01:44172.16.245.2Tunnel0
ThespokehasneighboradjacencywiththeHub.NotetheHubisNOTDR/BDRinthiscase.
oobresynctimeout120
Helloduein00:00:24
Next0x0(0)/0x0(0)
OSPFnetworktypepointtomultipointisconfigured.
R4#shiproute
O172.16.245.2/32[110/11111]via172.16.245.2,00:03:23,Tunnel0
O172.16.245.5/32[110/12111]via172.16.245.2,00:02:05,Tunnel0
O
192.168.5.5[110/12112]via172.16.245.2,00:01:27,Tunnel0
O192.168.2.2[110/11112]via172.16.245.2,00:01:48,Tunnel0
TheSpokehasroutingtothenetworksbehindotherspokesviatheHub.Thisisachieved
byconfiguredOSPFnetworktype.
R4#shipcef192.168.5.5
192.168.5.5/32,version25,epoch0
0packets,0bytes
validadjacency
CEFentryisvalidasthespokehasallinformationabouthowtogettothehub.
R4#shipnhrp
CCIESecurity
Page221 of 322
rencRSAencryption
IPv4CryptoISAKMPSA
1001 10.1.245.410.1.245.2
IPv6CryptoISAKMPSA
ThereisISAKMPSAandIPSecSAwiththeHubonly.ThereisnoSAswithotherspoke
yet.
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x6E5FC564(1851770212)
inboundespsas:
spi:0xD90CFFE(227594238)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x6E5FC564(1851770212)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#ping192.168.5.5solo0
!!!!!
Testbypingingtheremotenetwork.Remembertosourcethatpingfromthenetwork
behindthespoke.
CCIESecurity
Page222 of 322
R4#shipnhrp
(nosocket)
NHRPhasaddeddynamicentriesfortheotherspoke.
R4#shipcef192.168.5.5
192.168.5.5/32,version25,epoch0
0packets,0bytes
validadjacency
rencRSAencryption
IPv4CryptoISAKMPSA
1003 10.1.245.410.1.245.5
1002 10.1.245.410.1.245.5
IPv6CryptoISAKMPSA
TheISAKMPandIPSecSAshasbeennegotiatedwiththeotherspoke.
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
inboundespsas:
spi:0xD90CFFE(227594238)
IVsize:8bytes
CCIESecurity
Page223 of 322
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x6E5FC564(1851770212)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
Notethatthistimenopacketshavebeensentthroughthedirecttunnel.Allpackets
havebeensentthroughtheHub.However,nextpacketsshouldusethedirectSpoketo
Spoketunnel.
currentoutboundspi:0xB8BE4200(3099476480)
inboundespsas:
spi:0x7ACB8793(2060158867)
IVsize:8bytes
Status:ACTIVE
spi:0x4CD42BBF(1288973247)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x81623FED(2170699757)
IVsize:8bytes
Status:ACTIVE
spi:0xB8BE4200(3099476480)
IVsize:8bytes
CCIESecurity
Page224 of 322
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#ping192.168.5.5solo0
!!!!!
Trytopingagain.
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
inboundespsas:
spi:0xD90CFFE(227594238)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x6E5FC564(1851770212)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page225 of 322
currentoutboundspi:0xB8BE4200(3099476480)
SeethatallICMPpacketshavebeensentthroughthespoketospoketunnel.
inboundespsas:
spi:0x4CD42BBF(1288973247)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB8BE4200(3099476480)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
Samebunchofcommandontheotherspoke.
R5#shipospfneighbor
172.16.245.20FULL/
00:01:39172.16.245.2Tunnel0
oobresynctimeout120
Helloduein00:00:23
Next0x0(0)/0x0(0)
R5#shiproute
CCIESecurity
Page226 of 322
O172.16.245.2/32[110/11111]via172.16.245.2,00:04:34,Tunnel0
O172.16.245.4/32[110/12111]via172.16.245.2,00:04:34,Tunnel0
O192.168.4.4[110/12112]via172.16.245.2,00:04:04,Tunnel0
O192.168.2.2[110/11112]via172.16.245.2,00:04:15,Tunnel0
R5#shipcef192.168.4.4
192.168.4.4/32,version21,epoch0
0packets,0bytes
validadjacency
R5#shipnhrp
(nosocket)
rencRSAencryption
IPv4CryptoISAKMPSA
1003 10.1.245.510.1.245.4
1002 10.1.245.510.1.245.4
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xFAEAE72E(4209698606)
inboundespsas:
spi:0xC52C4105(3308011781)
CCIESecurity
Page227 of 322
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xFAEAE72E(4209698606)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
ThosearepacketssentfromR4.
currentoutboundspi:0x4CD42BBF(1288973247)
inboundespsas:
spi:0xB8BE4200(3099476480)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x4CD42BBF(1288973247)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#ping192.168.4.4solo0
CCIESecurity
Page228 of 322
!!!!!
TrytopingR4snetworktoseeifthepacketsgetencrypted/decrypted.
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xFAEAE72E(4209698606)
inboundespsas:
spi:0xC52C4105(3308011781)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xFAEAE72E(4209698606)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
Seemseverythingisworking!
currentoutboundspi:0x4CD42BBF(1288973247)
inboundespsas:
spi:0xB8BE4200(3099476480)
CCIESecurity
Page229 of 322
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x4CD42BBF(1288973247)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page230 of 322
Lab2.19. DMVPNPhase2DualHub
(SingleCloud)
outputs.
LabSetup:
R1sF0/0andR6sF0/0interfaceshouldbeconfiguredinVLAN16
pointtopointmanner.
pointtopointmanner.
ConfiguredefaultroutingonR1,R2,R4andR5pointingtotheR6
IPAddressing:
Device
R1
R2
CCIESecurity
Interface
F0/0
F0/1
G0/0
G0/1
IPaddress
10.1.16.1/24
192.168.12.1/24
10.1.26.2/24
192.168.12.2/24
Page231 of 322
R4
Lo0
S0/0/0.46
Lo0
S0/1/0.56
F0/0
F0/1
S0/1/0.64
S0/1/0.65
R5
R6
192.168.4.4/24
10.1.64.4/24
192.168.5.5/24
10.1.65.5/24
10.1.16.6/24
10.1.26.6/24
10.1.64.6/24
10.1.65.6/24
Task1
ConfigureHubandSpokeGREtunnelsbetweenR1,R2,R4andR5,where
R1 and R2 are acting as Hubs. High availability must be achieved by
configuringtwoNHSonthespokes.TrafficoriginatedfromeverySpokes
loopbackinterfaceandHubsF0/1(G0/1)interfaceshouldbetransmitted
securely directly to the other spokes. You must use EIGRP dynamic
routingprotocol tolet other spokes know about protected networks. Use
thefollowingsettingswhenconfiguringtunnels:
TunnelParameters
o IPaddress:172.16.145.0/24
o IPMTU:1400
NHRPParameters
o NHRPID:145
o NHRPHub:R1
o EIGRP145
ISAKMPParameters
o Encryption:3DES
o Hashing:SHA
o DHGroup:2
IPSecParameters
Withafewadditionalconfigurationlinestothespokeroutersyoucansetupdual(ormultiple)hub
routers,forredundancy.TherearetwowaystoconfiguredualhubDMVPNs:
1.
A single DMVPNnetworkwitheachspoke using a singlemultipoint GRE tunnel interface

andpointingtotwodifferenthubsasitsNextHopServer(NHS). Thehubrouterswillonly
haveasinglemultipointGREtunnelinterface.
2.
DualDMVPNnetworkswitheach spokehavingtwoGREtunnelinterfaces(eitherpointto
pointormultipoint)and eachGREtunnelconnectedtoa differenthubrouter. Again,the
hubrouterswillonlyhaveasinglemultipointGREtunnelinterface.
CCIESecurity
Page232 of 322
DualHubSingleDMVPNLayout
The dualhubwith asingleDMVPNlayoutisfairlyeasyto setup,butitdoesnot giveyouasmuch
controlovertheroutingacrosstheDMVPNasthedualhubwithdualDMVPNslayoutdoes.Theidea
in this case is to have a single DMVPN "cloud" with all hubs (two in this case) and all spokes
connectedtothissingle subnet("cloud"). The static NHRP mappingsfromthespokes tothehubs
definethestaticIPsec+mGRElinksoverwhichthedynamicroutingprotocolwillrun.Thedynamic
routingprotocolwillnotrunoverthedynamicIPsec+mGRElinksbetweenspokes.Sincethespoke
routers are routing neighbors with the hub routers over the same mGRE tunnel interface, you
cannot use link or interfaces differences (like metric, cost, delay, or bandwidth) to modify the
dynamicroutingprotocolmetricstopreferonehubovertheotherhubwhentheyarebothup.Ifthis
preferenceisneeded,thentechniquesinternaltotheconfigurationoftheroutingprotocolmustbe
used. For this reason, it may be better to use EIGRP rather than OSPF for the dynamic routing
protocol.
OnR1
ThereisonlyoneTunnelinterface(GREmultipointtype)oneachHub.
R1(ipsecprofile)#interfaceTunnel0
ThisisDMVPNPhase2withEIGRPscenariosothatweneedtoturnoffSplitHorizonand
nexthopchangingontheHub.
R1(configif)#
R1(configif)#exi
OnR2
CCIESecurity
Page233 of 322
ThereisonlyoneTunnelinterface(GREmultipointtype)oneachHub.
ThisisDMVPNPhase2withEIGRPscenariosothatweneedtoturnoffSplitHorizonand
nexthopchangingontheHub.
R2(configif)#tunnelsourceGigabitEthernet0/0
R2(configif)#exi
R2(config)#
R2(config)#
R2(config)#
%DUAL5NBRCHANGE:IPEIGRP(0)145:Neighbor192.168.12.1(FastEthernet0/1)isup:new
adjacency
OnR4
Notethatalltunnelsareintehsamesubnet!
SinceweusetwoNHSesweneedtwostaticmappingsonthespoke.
CCIESecurity
Page234 of 322
Thespokehasonlyonemultipointtunnel,buttwoNHSesspecifiedintheconfiguration.
ThespoketriestoregisterinbothNHSes.WhenoneNHSisdownthespokealwayshas
anotherNHStouse.
R4(configif)#exi
R4(config)#
R4(config)#
R4(config)#
NotethattwoEIGRPadjacenciesarebuilt.
OnR5
SinceweusetwoNHSesweneedtwostaticmappingsonthespoke.
Thespokehasonlyonemultipointtunnel,buttwoNHSesspecifiedintheconfiguration.
ThespoketriestoregisterinbothNHSes.WhenoneNHSisdownthespokealwayshas
anotherNHStouse.
R5(configif)#exi
R5(config)#
R5(config)#
R5(config)#
CCIESecurity
Page235 of 322
NotethattwoEIGRPadjacenciesarebuilt.
Verification
(sec)(ms)CntNum
2 172.16.145.5Tu0
1100:00:53183500006
1 172.16.145.4Tu0
1300:03:071075000010
0 192.168.12.2
Fa0/1
1100:06:331200016
ThehubhasthreeEIGRPneighbors.TwoofthemarespokesandoneistheotherHub.
ThisisbecauseweadvertiseacommonnetworkbehindbothHubstobeaccessibletothe
Spokes.
R1#shipeigrpinterfaces
InterfacePeersUn/ReliableSRTTUn/ReliableFlowTimerRoutes
Tu020/014571/25245680
Fa0/110/010/1500
R1#shiproute
C192.168.12.0/24isdirectlyconnected,FastEthernet0/1
D192.168.4.0/24[90/27010560]via192.168.12.2,00:03:18,FastEthernet0/1
D192.168.5.0/24[90/27010560]via192.168.12.2,00:01:03,FastEthernet0/1
S*0.0.0.0/0[1/0]via10.1.16.6
NotethatR1seesremotenetworksbehindtheSpokesthroughR2.Thisisexpectedas
EIGRPmetricisbetterforthatpath.Thisiscertainlynotthebestpathandneedto
bemanuallychangedasdescribedinthenextlab.Seethebelowoutput:
R1#shinttu0|inBW
R1#shintf0/1|inBW
NotethatthedefaultbandwidthanddelayofTunnelinterfaceis9Kb/sand500000usec.
However,thedefaultvaluesontheFastEthernetinterfacearemuchbetter:100000Kb/s
and100usec.Thisiswhyweseebettermetrictothenetworkbehindthespokesthrough
theR2.
Lastupdatefrom192.168.12.2onFastEthernet0/1,00:00:14ago
*192.168.12.2,from192.168.12.2,00:00:14ago,viaFastEthernet0/1
Loading1/255,Hops2
R1#shipnhrp
CCIESecurity
Page236 of 322
FirstHubhasbothSpokesregisteredviaNHRP.
rencRSAencryption
IPv4CryptoISAKMPSA
1001 10.1.16.110.1.64.4
1002 10.1.16.110.1.65.5
IPv6CryptoISAKMPSA
R1hasISAKMPSAandIPSecSAssetupwithbothspokes.NoIPSecbetweentheHubs.
R1#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x56A0EB85(1453386629)
inboundespsas:
spi:0xEFBE50D1(4022227153)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x56A0EB85(1453386629)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page237 of 322
protectedvrf:(none)
currentoutboundspi:0xFAC2EC42(4207078466)
inboundespsas:
spi:0xD892939A(3633484698)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xFAC2EC42(4207078466)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
(sec)(ms)CntNum
2 172.16.145.5Tu0
1100:01:39135136207
1 172.16.145.4Tu0
1400:03:521601362010
0 192.168.12.1Gi0/1
1300:07:191200016
ThesecondHubhasneighboradjacencieswithtwoSpokesandthefirstHub.
R2#shipeigrpinterfaces
Interface
PeersUn/ReliableSRTTUn/ReliableFlowTimerRoutes
Tu020/01476/2273480
Gi0/110/010/1500
R2#shiproute
CCIESecurity
Page238 of 322
D192.168.4.0/24[90/27008000]via172.16.145.4,00:04:03,Tunnel0
D192.168.5.0/24[90/27008000]via172.16.145.5,00:01:49,Tunnel0
C10.1.26.0isdirectlyconnected,GigabitEthernet0/0
S*0.0.0.0/0[1/0]via10.1.26.6
SinceithasbettermetrictotheremotenetworksthanR1itseesthembytheTunnel
interface.
R2#shipnhrp
172.16.145.4/32via172.16.145.4
172.16.145.5/32via172.16.145.5
R2hasbothSpokesregisteredintheNHS.
rencRSAencryption
IPv4CryptoISAKMPSA
1001 10.1.26.210.1.64.4
1002 10.1.26.210.1.65.5
IPv6CryptoISAKMPSA
ISAKMPSAandIPSecSAsarebuiltwithbothSpokes.
R2#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x790BF682(2030827138)
inboundespsas:
spi:0x4D4D0F27(1296895783)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
CCIESecurity
Page239 of 322
inboundpcpsas:
outboundespsas:
spi:0x790BF682(2030827138)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x73CE7CBE(1942912190)
inboundespsas:
spi:0x3454DCB6(877976758)
head0
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x73CE7CBE(1942912190)
head0
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
(sec)
(ms)CntNum
1 172.16.145.2Tu0
1300:04:38225000015
0 172.16.145.1Tu0
1200:04:38715000015
R4istheSpoke.IthasEIGRPadjacencieswithbothHubs.
R4#shiproute
CCIESecurity
Page240 of 322
D192.168.12.0/24[90/297246976]via172.16.145.2,00:04:44,Tunnel0
[90/297246976]via172.16.145.1,00:04:44,Tunnel0
C
192.168.4.0/24isdirectlyconnected,Loopback0
D192.168.5.0/24[90/298652416]via172.16.145.5,00:02:29,Tunnel0
S*0.0.0.0/0[1/0]via10.1.64.6
TheSpokeseesthenetworkbehindotherSpoke(R5)throughR5.Thisisbecauseofno
ipnexthopselfeigrpcommandconfiguredontheHubs.ThenetworkbehindtheHubsis
accessibleequallyviabothHubs.
R4#shipcef192.168.5.0
192.168.5.0/24,version25,epoch0
0packets,0bytes
invalidadjacency
TheCEFentryisinvalidastherouterhasnocluehowtoroutethepacketout(what
physicalinterfacetouse).
R4#shipnhrp
StaticNHRPentriesareconfiguredonthespoketomakeregistrationhappeninthe
NHSes.
rencRSAencryption
IPv4CryptoISAKMPSA
1001 10.1.64.410.1.26.2
ACTIVE3dessha psk223:54:24
1002 10.1.64.410.1.16.1
IPv6CryptoISAKMPSA
ThespokehasISAKMPSaandIPSecSAssetupwithbothHubs.
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
CCIESecurity
Page241 of 322
currentoutboundspi:0xEFBE50D1(4022227153)
inboundespsas:
spi:0x56A0EB85(1453386629)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xEFBE50D1(4022227153)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x4D4D0F27(1296895783)
inboundespsas:
spi:0x790BF682(2030827138)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x4D4D0F27(1296895783)
IVsize:8bytes
Status:ACTIVE
CCIESecurity
Page242 of 322
outboundahsas:
outboundpcpsas:
R4#ping192.168.5.5solo0
!!!!!
TestitbypingingtheremotenetworkbehindtheotherSpoke.Thepingissuccessful.
R4#shipcef192.168.5.0
192.168.5.0/24,version25,epoch0
0packets,0bytes
validadjacency
TheCEFentryisvalidnow,sothattheroutercanuseittoswitchthepackets
throughthedirectspoketospoketunnel.
R4#shipnhrp
(nosocket)
NHRPcachenowhasanentryfortheotherspoke.
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.64.410.1.65.5QM_IDLE10030ACTIVE
10.1.26.210.1.64.4QM_IDLE10010ACTIVE
10.1.65.510.1.64.4QM_IDLE10040ACTIVE
10.1.16.110.1.64.4QM_IDLE10020ACTIVE
IPv6CryptoISAKMPSA
TheSpokehasnewISAKMPSAandIPSecSAsnegotiatedwiththeotherSpoke.
R4#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xEFBE50D1(4022227153)
inboundespsas:
spi:0x56A0EB85(1453386629)
CCIESecurity
Page243 of 322
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xEFBE50D1(4022227153)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x4D4D0F27(1296895783)
inboundespsas:
spi:0x790BF682(2030827138)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x4D4D0F27(1296895783)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page244 of 322
Twopacketsoutof5havebeensentthroughthetunnel.
currentoutboundspi:0xA576BA01(2776021505)
inboundespsas:
spi:0xBBA03823(3147839523)
IVsize:8bytes
Status:ACTIVE
spi:0x28F30861(687016033)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xA576BA01(2776021505)
IVsize:8bytes
Status:ACTIVE
spi:0x1659D9A5(374987173)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
SamebunchofcommandsontheotherSpoke.
(sec)(ms)CntNum
1172.16.145.1Tu01000:04:23695000015
0172.16.145.2Tu01300:04:238425000015
R5#shiproute
D192.168.12.0/24[90/297246976]via172.16.145.2,00:04:33,Tunnel0
CCIESecurity
Page245 of 322
[90/297246976]via172.16.145.1,00:04:33,Tunnel0
D192.168.4.0/24[90/298652416]via172.16.145.4,00:04:33,Tunnel0
S*0.0.0.0/0[1/0]via10.1.65.6
Loading28/255,Hops2
R5#shipnhrp
(nosocket)
Sincewehavealreadybuiltupthedirectspoketospoketunnel,therouterhasNHRP
mappingsandCEFentrywhichareusedtomovethepacketsthroughthattunnel.
R5#shipcef192.168.4.0
192.168.4.0/24,version23,epoch0
0packets,0bytes
validadjacency
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
dstsrcstate
connidslotstatus
10.1.65.510.1.64.4QM_IDLE10030ACTIVE
10.1.64.410.1.65.5QM_IDLE10040ACTIVE
10.1.26.210.1.65.5QM_IDLE10010ACTIVE
10.1.16.110.1.65.5QM_IDLE10020ACTIVE
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xD892939A(3633484698)
CCIESecurity
Page246 of 322
inboundespsas:
spi:0xFAC2EC42(4207078466)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD892939A(3633484698)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x3454DCB6(877976758)
inboundespsas:
spi:0x73CE7CBE(1942912190)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x3454DCB6(877976758)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page247 of 322
Notethatonlytwopacketshasbeensent.
currentoutboundspi:0xBBA03823(3147839523)
inboundespsas:
spi:0xA576BA01(2776021505)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xBBA03823(3147839523)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#ping192.168.4.4solo0
!!!!!
Letspingandgeneratesometraffic.
R5#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xD892939A(3633484698)
inboundespsas:
spi:0xFAC2EC42(4207078466)
CCIESecurity
Page248 of 322
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xD892939A(3633484698)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x3454DCB6(877976758)
inboundespsas:
spi:0x73CE7CBE(1942912190)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x3454DCB6(877976758)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page249 of 322
SeetheICMPpacketsarecrossingthetunnel.
currentoutboundspi:0xBBA03823(3147839523)
inboundespsas:
spi:0xA576BA01(2776021505)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xBBA03823(3147839523)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page250 of 322
Lab2.20. DMVPNPhase2DualHub
(DualCloud)
outputs.
LabSetup:
R1sF0/0andR6sF0/0interfaceshouldbeconfiguredinVLAN16
pointtopointmanner.
pointtopointmanner.
ConfiguredefaultroutingonR1,R2,R4andR5pointingtotheR6
IPAddressing:
Device
R1
R2
CCIESecurity
Interface
F0/0
F0/1
G0/0
G0/1
IPaddress
10.1.16.1/24
192.168.12.1/24
10.1.26.2/24
192.168.12.2/24
Page251 of 322
R4
R5
R6
Lo0
S0/0/0.46
Lo0
S0/1/0.56
F0/0
F0/1
S0/1/0.64
S0/1/0.65
192.168.4.4/24
10.1.64.4/24
192.168.5.5/24
10.1.65.5/24
10.1.16.6/24
10.1.26.6/24
10.1.64.6/24
10.1.65.6/24
Task1
ConfigureHubandSpokeGREtunnelsbetweenR1,R2,R4andR5,where
R1 and R2 are acting as Hubs. High availability must be achieved by
configuringtwoDMVPNclouds,meaningeachspokehastwoconnections,
one for each hub, where tunnel to R1 has better preference than R2.
Traffic originated from every Spokes loopback interface should be
transmitted securely directly to the other spokes. You must use EIGRP
dynamic routing protocol to let other spokes know about protected
networks.
DMVPNCloud1
DMVPNCloud2
Topology
Hub:R1
Spokes:R4,R5
TunnelParameters
IPaddress:172.16.145.0/24
IPMTU:1400
TunnelAuthenticationKey:145
NHRPParameters
NHRPID:145
NHRPAuthenticationkey:cisco145
NHRPHub:R1
EIGRPAS1
Delay1000
Topology
Hub:R2
Spokes:R4,R5
TunnelParameters
IPaddress:172.16.245.0/24
IPMTU:1400
TunnelAuthenticationKey:245
NHRPParameters
NHRPID:245
NHRPAuthenticationkey:cisco245
NHRPHub:R2
EIGRPAS1
Delay2000
ISAKMPParameters
o Encryption:3DES
o Hashing:SHA
o DHGroup:2
IPSecParameters
CCIESecurity
Page252 of 322
ThedualhubwithdualDMVPNlayoutisslightlymoredifficulttosetup,butitdoesgiveyoubetter
controloftheroutingacrosstheDMVPN.TheideaistohaveatwoseparateDMVPN"clouds".Each
hub(two inthiscase)is connectedtoone DMVPNsubnet("cloud") andthe spokesare connected
to both DMVPN subnets ("clouds"). Since the spoke routers are routing neighbors with both hub
routers over the two GRE tunnel interfaces, you can use interface configuration differences (such
as bandwidth, cost and delay) to modify the dynamic routing protocol metrics to prefer one hub
overtheotherhubwhentheyarebothup.
OnR1
AlmostnothinghaschangedonthefirstHubincomparisontoDMVPNSingleCloud
scenariodescribedinthepreviouslab.
TheonedifferencehereistousedifferentIPsubnetsforTunnelinterfaceonboth
Hubs.Thisisbecausewecreatetwocloudswhichmustbeseparated.
R1(configif)#
R1(configif)#exi
NotethatweusedEIGRPAS1whichwillbesharedbetweenbothDMVPNclouds.Thismay
beachievedbyconfiguringtwoEIGRPAutonomousSystemsaswell.
OnR2
AlmostnothinghaschangedonthesecondHubincomparisontoDMVPNSingleCloud
scenariodescribedinthepreviouslab.
TheonedifferencehereistousedifferentIPsubnetsforTunnelinterfaceonboth
Hubs.Thisisbecausewecreatetwocloudswhichmustbeseparated.
CCIESecurity
Page253 of 322
R2(configif)#noipredirects
R2(configif)#exi
R2(configrouter)#
%DUAL5NBRCHANGE:IPEIGRP(0)1:Neighbor192.168.12.1(GigabitEthernet0/1)isup:new
adjacency
NotethatweusedEIGRPAS1whichwillbesharedbetweenbothDMVPNclouds.Thismay
beachievedbyconfiguringtwoEIGRPAutonomousSystemsaswell.
ThesecondHubhasbuiltneighborrelationshippwiththefirstHub.
OnR4
OnthespokesweneedtwoTunnelinterfaces:oneforeachDMVPNcloud.Thefirstcloud
willbeusingR1asaHub,thesecondcloudwillbeusingR2asaHub.
R4(configif)#tunnelprotectionipsecprofileDMVPNshared
NotethatweneeddifferentNHRPIDandTunnelKeysforbothclouds.Thisisto
separatethetraffic(asitisterminatedonthesameHub).
Although,thetunnelkeycanseparatethetrafficatGRElevel,theIPSecProfileis
sharedinthiscase.Thismeanstheoneprofileisusedtosecuretwotunnel
interfaces.Hence,theremustbesharedkeywordaddedonthespokes.
R4(configif)#exi
CCIESecurity
Page254 of 322
R4(configif)#
R4(configif)#exi
OnR5
R5(configif)#exi
CCIESecurity
Page255 of 322
R5(configrouter)#
Notethatwehavenotconfigureddelayparametersyet.Thisisjusttoshowyouwhathappen
andhowtotroubleshootthatissues.
Verification
R4#shiproute
D192.168.12.0/24[90/297246976]via172.16.245.2,00:10:28,Tunnel2
[90/297246976]via172.16.145.1,00:10:28,Tunnel1
D192.168.5.0/24[90/298652416]via172.16.245.5,00:09:03,Tunnel2
S*0.0.0.0/0[1/0]via10.1.64.6
Seethatnetwork192.168.5.0/24isaccessiblethroughR2(Tunnel2)only.Whyisthat?
LetsseewhatEIGRPtellsus.
Loading1/255,Hops2
R4#shipeigrptopology192.168.5.0
IPEIGRP(AS1):Topologyentryfor192.168.5.0/24
StateisPassive,Queryoriginflagis1,1Successor(s),FDis298652416
172.16.245.5(Tunnel2),from172.16.245.2,Sendflagis0x0
Compositemetricis(298652416/27008000),RouteisInternal
Vectormetric:
Minimumbandwidthis9Kbit
Totaldelayis555000microseconds
Reliabilityis255/255
Loadis1/255
MinimumMTUis1400
CCIESecurity
Page256 of 322
Hopcountis2
Vectormetric:
Loadis1/255
MinimumMTUis1400
Hopcountis3
EIGRPtopologytablecontainsbothpathsto192.168.5.0/24,howeveritonlyinstalls
thefirstoneintheroutingtable.SeetheDelayparameter,itishigherforthe
secondpath(throughTunnel1).SeealsoHopparameterwhichisagainhigherforthe
secondpath.Although,theEIGRPdoesnotusethatparameterformetriccalculationit
indicatesthatthepathislonger.LetstakealookatR1:
Lastupdatefrom192.168.12.2onFastEthernet0/1,00:17:44ago
*192.168.12.2,from192.168.12.2,00:17:44ago,viaFastEthernet0/1
Loading1/255,Hops2
TheR1sees192.168.5.0/24throughR2,notthroughitsTunnelinterface.Hence,the
metriconR4ishigherasthepacketmusttraverse3hopstoreachthedestination.
172.16.245.2,from172.16.245.2,00:11:00ago,viaTunnel2
Loading1/255,Hops1
Loading1/255,Hops1
R4#shinttu1|inBW
R4#shinttu2|inBW
R5#shiproute
D192.168.12.0/24[90/297246976]via172.16.245.2,00:10:31,Tunnel2
[90/297246976]via172.16.145.1,00:10:31,Tunnel1
D192.168.4.0/24[90/298652416]via172.16.245.4,00:10:31,Tunnel2
S*0.0.0.0/0[1/0]via10.1.65.6
CCIESecurity
Page257 of 322
Loading1/255,Hops2
Samesituationhere.The192.168.4.0/24isaccessiblethroughTunnel2interfaceratherthat
Tunnel1.
Vectormetric:
Loadis1/255
MinimumMTUis1400
Hopcountis2
Vectormetric:
Loadis1/255
MinimumMTUis1400
Hopcountis3
172.16.245.2,from172.16.245.2,00:11:00ago,viaTunnel2
Loading1/255,Hops1
Loading1/255,Hops1
R5#shinttu1|inBW
R5#shinttu2|inBW
Configuration
TooptimizethatweneedtoreconfigureDelayparameterontunnelinterfaces.It
affectsEIGRPprotocolalgorithmsothatthebetterpathwillalwaysbethroughR1(as
longasR1isupandrunning).WecouldalsoaffectEIGRPdecisionbyreconfiguring
BandwidthparametersbutthisshouldbedoneoneveryinterfaceasBWparameterisNOT
cumulative.Thismeanstheminimumbandwidthonthepathistakenformetric
calculation.Delayiscumulativesothatlessdelayononeinterfaceaffectsevery
EIGRProuter.
OnR1
CCIESecurity
Page258 of 322
R1(configif)#delay1000
R1(configif)#exi
OnR2
R2(configif)#exi
OnR4
R4(configif)#exi
R4(configif)#exi
OnR5
R5(configif)#exi
R5(configif)#exi
Verification
R1#shipro
C192.168.12.0/24isdirectlyconnected,FastEthernet0/1
D172.16.245.0
[90/284958976]via192.168.12.2,00:11:23,FastEthernet0/1
D192.168.4.0/24[90/284828416]via172.16.145.4,00:11:37,Tunnel0
D192.168.5.0/24[90/284828416]via172.16.145.5,00:11:37,Tunnel0
S*0.0.0.0/0[1/0]via10.1.16.6
Nowbothspokesareaccessiblethroughthetunnelinterface(notthroughR2).
R1#shipnhrp
BothspokesareregisteredinNHS.
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.16.110.1.65.5QM_IDLE1001
0ACTIVE
10.1.16.110.1.64.4QM_IDLE10020ACTIVE
IPv6CryptoISAKMPSA
CCIESecurity
Page259 of 322
TheHubhasISAKMPSAandIPSecSAssetupwiththespokes.
R1#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0xE5EB2CDE(3857394910)
inboundespsas:
spi:0x84A95ADB(2225691355)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xE5EB2CDE(3857394910)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x34369DE1(875994593)
inboundespsas:
spi:0x2E6FCA3E(779078206)
IVsize:8bytes
Status:ACTIVE
CCIESecurity
Page260 of 322
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x34369DE1(875994593)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R2#shiproute
D172.16.145.0
[90/284702976]via192.168.12.1,00:13:06,GigabitEthernet0/1
C
172.16.245.0isdirectlyconnected,Tunnel0
D192.168.4.0/24
D192.168.5.0/24
S*0.0.0.0/0[1/0]via10.1.26.6
NowthesecondHubislesspreffered.Ithasnetworksbehindthespokesaccessiblevia
R1.ThisisbecauseEIGRPmetricwasaffectedandrecalculated.
R2#shipeigrtop192.168.4.0
192.168.12.1(GigabitEthernet0/1),from192.168.12.1,Sendflagis0x0
Vectormetric:
Loadis1/255
MinimumMTUis1400
Hopcountis2
Vectormetric:
Loadis28/255
MinimumMTUis1400
Hopcountis3
Vectormetric:
Loadis1/255
CCIESecurity
Page261 of 322
MinimumMTUis1400
Hopcountis1
R2#shipnhrp
BothspokesareregisteredintheNHS.
R2#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.26.210.1.65.5QM_IDLE10020ACTIVE
10.1.26.210.1.64.4QM_IDLE1001
0ACTIVE
IPv6CryptoISAKMPSA
ItalsomaintainsISAKMPSAnadIPSecSAswiththespokes.
R2#shcryptoipsecsa
interface:Tunnel0
protectedvrf:(none)
currentoutboundspi:0x6A0C9367(1779209063)
inboundespsas:
spi:0x77BC473A(2008827706)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x6A0C9367(1779209063)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page262 of 322
currentoutboundspi:0xE70EAE04(3876498948)
inboundespsas:
spi:0xE97C1EE8(3917225704)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xE70EAE04(3876498948)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#shiproute
D192.168.12.0/24[90/284702976]via172.16.145.1,00:13:53,Tunnel1
D192.168.5.0/24[90/285084416]via172.16.145.5,00:13:53,Tunnel1
S*0.0.0.0/0[1/0]via10.1.64.6
TheSpokepreffersR1for192.168.12.0/24networkanditpointstoR5for
192.168.5.0/24network.
Vectormetric:
Loadis1/255
CCIESecurity
Page263 of 322
MinimumMTUis1400
Hopcountis2
Vectormetric:
Loadis1/255
MinimumMTUis1400
Hopcountis3
R4#shipnhrp
IthasstaticNHRPentriestoreachandregisterinbothNHSes.
R4#shipcef192.168.5.0
192.168.5.0/24,version25,epoch0
0packets,0bytes
invalidadjacency
CEFentryisinvalidasexpectedinDMVPNPhase2.
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.26.210.1.64.4QM_IDLE10020ACTIVE
10.1.16.110.1.64.4QM_IDLE10010ACTIVE
IPv6CryptoISAKMPSA
ISKAMPSAandIPSecSAsaresetupwithbothHubs.NoIPSectunnelwiththeotherspoke
yet.
R4#shcryptoipsecsa
interface:Tunnel1
Cryptomaptag:DMVPNhead1,localaddr10.1.64.4
protectedvrf:(none)
currentoutboundspi:0x84A95ADB(2225691355)
inboundespsas:
spi:0xE5EB2CDE(3857394910)
connid:2001,flow_id:NETGX:1,cryptomap:DMVPNhead1
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
CCIESecurity
Page264 of 322
outboundespsas:
spi:0x84A95ADB(2225691355)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0x77BC473A(2008827706)
inboundespsas:
spi:0x6A0C9367(1779209063)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x77BC473A(2008827706)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
interface:Tunnel2
protectedvrf:(none)
CCIESecurity
Page265 of 322
inboundespsas:
spi:0xE5EB2CDE(3857394910)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x84A95ADB(2225691355)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
inboundespsas:
spi:0x6A0C9367(1779209063)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x77BC473A(2008827706)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page266 of 322
!!!!.!!!!!
Pingbetweenthespokesissuccessful.Notethatthereisonepacketmissedinthe
middleoftheping.Thisistheexactmomentwhenthetrafficswitchedovertothe
directspoketospoketunnel.
R4#shipcef192.168.5.0
192.168.5.0/24,version25,epoch0
0packets,0bytes
validadjacency
CEFentryisvalidnow.
R4#shipnhrp
(nosocket)
NHRPdatabasehasinformationaboutotherspoke.
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.65.510.1.64.4QM_IDLE10040ACTIVE
10.1.26.210.1.64.4QM_IDLE10020ACTIVE
10.1.64.410.1.65.5QM_IDLE10030ACTIVE
10.1.16.110.1.64.4QM_IDLE10010ACTIVE
IPv6CryptoISAKMPSA
ISAKMPSAandIPSecSAsarenegotiatedbetweenthespokes.
R4#shcryptoipsecsa
interface:Tunnel1
protectedvrf:(none)
inboundespsas:
spi:0xE5EB2CDE(3857394910)
IVsize:8bytes
CCIESecurity
Page267 of 322
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x84A95ADB(2225691355)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
inboundespsas:
spi:0x6A0C9367(1779209063)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x77BC473A(2008827706)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
CCIESecurity
Page268 of 322
currentoutboundspi:0xBEABEE07(3198938631)
inboundespsas:
spi:0xB554FCF8(3042245880)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xBEABEE07(3198938631)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
interface:Tunnel2
protectedvrf:(none)
inboundespsas:
spi:0xE5EB2CDE(3857394910)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x84A95ADB(2225691355)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
CCIESecurity
Page269 of 322
outboundpcpsas:
protectedvrf:(none)
inboundespsas:
spi:0x6A0C9367(1779209063)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x77BC473A(2008827706)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
protectedvrf:(none)
currentoutboundspi:0xBEABEE07(3198938631)
inboundespsas:
spi:0xB554FCF8(3042245880)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
CCIESecurity
Page270 of 322
spi:0xBEABEE07(3198938631)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
Samebunchofcommandsontheotherspoke.
R5#shiproute
D192.168.12.0/24[90/284702976]via172.16.145.1,00:17:10,Tunnel1
D192.168.4.0/24[90/285084416]via172.16.145.4,00:17:10,Tunnel1
S*0.0.0.0/0[1/0]via10.1.65.6
Vectormetric:
Loadis1/255
MinimumMTUis1400
Hopcountis2
Vectormetric:
Loadis1/255
MinimumMTUis1400
Hopcountis3
R5#shipcef192.168.4.0
192.168.4.0/24,version25,epoch0
0packets,0bytes
validadjacency
CEFentryisvalidandNHRPdatabasehasinformationaboutR4.
R5#shipnhrp
CCIESecurity
Page271 of 322
(nosocket)
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.65.510.1.64.4QM_IDLE10030ACTIVE
10.1.26.210.1.65.5QM_IDLE
10020ACTIVE
10.1.16.110.1.65.5QM_IDLE10010ACTIVE
10.1.64.410.1.65.5QM_IDLE10040ACTIVE
IPv6CryptoISAKMPSA
R5#shcryptoipsecsapeer10.1.64.4
interface:Tunnel2
protectedvrf:(none)
currentoutboundspi:0xB554FCF8(3042245880)
inboundespsas:
spi:0xBEABEE07(3198938631)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB554FCF8(3042245880)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
interface:Tunnel1
protectedvrf:(none)
CCIESecurity
Page272 of 322
inboundespsas:
spi:0xBEABEE07(3198938631)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB554FCF8(3042245880)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
Onceagainpingtheremotespoketoseeitthetrafficgetencrypted.
R5#ping192.168.4.4solo0
!!!!!
interface:Tunnel2
protectedvrf:(none)
inboundespsas:
spi:0xBEABEE07(3198938631)
CCIESecurity
Page273 of 322
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB554FCF8(3042245880)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
interface:Tunnel1
protectedvrf:(none)
inboundespsas:
spi:0xBEABEE07(3198938631)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB554FCF8(3042245880)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
TEST:shutdownR1stunnel0interface
ThebesttestinthisscenarioistoshutdownR1stunnel0interfaceandseeif
everythingisworkingfine.
CCIESecurity
Page274 of 322
R1(config)#inttu0
R1(configif)#shut
R1(configif)#
%CRYPTO6ISAKMP_ON_OFF:ISAKMPisOFF
R1(configif)#
%DUAL5NBRCHANGE:IPEIGRP(0)1:Neighbor172.16.145.5(Tunnel0)isdown:interfacedown
%DUAL5NBRCHANGE:IPEIGRP(0)1:Neighbor172.16.145.4(Tunnel0)isdown:interfacedown
R1(configif)#
%LINK5CHANGED:InterfaceTunnel0,changedstatetoadministrativelydown
%LINEPROTO5UPDOWN:LineprotocolonInterfaceTunnel0,changedstatetodown
R4#shiproute
D192.168.12.0/24[90/284958976]via172.16.245.2,00:01:32,Tunnel2
D192.168.5.0/24[90/285596416]via172.16.245.5,00:01:32,Tunnel2
S*0.0.0.0/0[1/0]via10.1.64.6
Now,theTunnel2(tothesecondHub)ispreffered.
R4#shipcef192.168.5.0
192.168.5.0/24,version28,epoch0
0packets,0bytes
invalidadjacency
TheCEFentryisinvalidagain,asthenexthopchanged.
R4#shipnhrp
Nodynamicentries,astheoldentrieshasbeenflushed.
!!!!.!!!!!
Pingissuccessful.
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.65.510.1.64.4QM_IDLE10060ACTIVE
10.1.26.2
10.1.64.410.1.65.5QM_IDLE10050ACTIVE
10.1.16.110.1.64.4MM_NO_STATE00ACTIVE
10.1.16.110.1.64.4MM_NO_STATE00ACTIVE(deleted)
IPv6CryptoISAKMPSA
TheR4triestosetupanIPSectunnelwithR1(whichisdown).
CCIESecurity
Page275 of 322
interface:Tunnel1
protectedvrf:(none)
currentoutboundspi:0xD165CD2A(3513109802)
inboundespsas:
spi:0x25118EF2(621907698)
IVsize:8bytes
Status:ACTIVE
spi:0xAAB232EA(2863805162)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB43D28C4(3023907012)
IVsize:8bytes
Status:ACTIVE
spi:0xD165CD2A(3513109802)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
interface:Tunnel2
protectedvrf:(none)
CCIESecurity
Page276 of 322
currentoutboundspi:0xD165CD2A(3513109802)
inboundespsas:
spi:0x25118EF2(621907698)
IVsize:8bytes
Status:ACTIVE
spi:0xAAB232EA(2863805162)
IVsize:8bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xB43D28C4(3023907012)
IVsize:8bytes
Status:ACTIVE
spi:0xD165CD2A(3513109802)
IVsize:8bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
CCIESecurity
Page277 of 322
Lab2.21. GETVPN(PSK)
LabSetup:
pointtopointmanner
pointtopointmanner
IPAddressing:
Device
R1
R2
R4
R5
CCIESecurity
Interface
Lo0
F0/0
F0/0
S0/1/0.25
S0/1/0.24
Lo0
S0/0/0.42
Lo0
S0/1/0.52
IPaddress
192.168.1.1/24
10.1.12.1/24
10.1.12.2/24
10.1.25.2/24
10.1.24.2/24
192.168.4.4/24
10.1.24.4/24
192.168.5.5/24
10.1.25.5/24
Page278 of 322
Task1
Configure GET VPN solution for traffic going between 192.168.0.0/16 networks
(LANs behind R4 and R5). R1 must be used as Key Server and R5 and R4 are
GroupMembers.
UsethefollowingparametersforKSconfiguration:
Groupname:
Server:
Rekey:
Authorization:
IPSecSA:
ISAKMPPolicy
GETVPN
Identity1
IPaddress10.1.12.1
Unicast
2retransmits,every10seconds
RSAkeynameR1.micronicstraining.com
OnlyR5andR4GMrouters
Timebasedantireplaywindow:64
Policy:192.168.0.0/16,donotencryptGDOI
Encryption:AES128
Integrity:SHA
Authentication:PSK
Encryption:DES
Hashing:SHA
Presharedkey:GETVPNR5(forR5),GETVPNR4(forR4)
DonotencryptSSHtrafficbetween192.168.5.0/24and192.168.4.0/24networks.
ThisexceptionmustbeconfiguredonGMsonly.
GET VPN is a technology used to encrypt traffic going through unsecured networks. It laverages
IPSec protocol suite to enforce Integrity and Confidentiality of data. Typical GET deployment
consistsaroutercalledKeyServer(KS)andacoupleofrouterscalledGroupMembers(GMs).The
KSisusedtocreate,maintainandsendapolicytoGMs.Thepolicyisaninformationwhattraffic
should be encrypted by GM and what encryption algorithms must be used. The most important
functionofKSisgenerationofencryptionkeys.Therearetwokeysused:
TEKTransportEncryptionKeyusedbyGMtoencryptthedata
KEKKeyEncryptionKeyusedtoencryptinformationbetweenKSandGM
AveryimportantaspectofGETisthatitdoesnotsetupanyIPSectunnelsbetweenGMs!ItisNOT
likeDMVPN.EveryGMhasthepolicy(whattoencrypt,whatencryptionalgorithmto use,what key
isusedbytheencryptionalgorithm)andjustencrypteverypacketconformingitspolicyandsends
it out to the network using ESP (Encapsulated Security Payload). Note that it uses original IP
addresses to route the packet out (this is called IP Header Preservation mechanism), hence the
packet can be routed towards every other router in the network as long as the routing table has
suchinformation.
OnR1
FirstweneedRSAkeystobeusedbyourKSforRekeyprocess.TheKSmustsendouta
newTEK(andKEK)beforeTEKisexpired(defaultis3600seconds).Itdoesthisinso
calledRekeyphase.ThisphaseisauthenticatedandsecuredbyISAKMPSAwhichis
establishedbetweenKSandGM.ThisISAKMPusesGDOImessages(thinkofthislikea
mutationofIKE)tobuildSAandencryptGMregistration.TheGDOIusesUDP/848instead
ofUDP/500likeIKEdoes.
TheRSAkeysareusedtoauthenticatedtheKStoGMintheRekeyprocess.
CCIESecurity
Page279 of 322
RememberthattogeneratenewRSAkeysyoumusthaveHostnameandDomainname
configuredontherouter.
R1(config)#ipdomainnamemicronicstraining.com
Thenameforthekeyswillbe:R1.micronicstraining.com
R1(config)#
ThenweneedISAKMPparamaters,justlikeinregularIPSecconfiguration.Preshared
keymustbespecifiedonbothKSandGMtobeabletoauthenticate.Thiswillbeused
toestablishISAKMPSAtosecurefurtherGDOImessages.
R1(configisakmp)#exi
R1(config)#cryptoisakmpkeyGETVPNR5address10.1.25.5
TheIPSecparamatersmustbeconfiguredonKS.ThiseparametersarenotusedbyKS
itself.TheyarepartofpolicythatwillbesenddowntotheGMs.TheIPSecprofile
tellstheGMwhatencryptionalgorithmuse.
R1(config)#cryptoipsectransformsetTSETespaesespshahmac
R1(cfgcryptotrans)#cryptoipsecprofileGETVPNPROF
NowitstimetoconfigureKS.TodothatweneedtospecifyTheGroup.OneKSmayhave
manygroupsandeachgroupmayhavedifferentsecuritypolicy.
R1(ipsecprofile)#cryptogdoigroupGETVPN
R1(configgdoigroup)#identitynumber1
R1(configgdoigroup)#serverlocal
%CRYPTO6GDOI_ON_OFF:GDOIisON
HereweneedtospecifyRekeyparameters.TheRekeyphasecanbeperformedintwoways:
UnicastRekeywhenwedonothavemulticassupportinourinfrastructure
(maybeacasewhenISPdoesnotsupportmulticastinitsIPVPNcloud).
TheKSsendsdownaRekeypackettoeveryGMitknowsof.
MulticastRekeywhenwehavemulticastreadyinfrastructure,thenwecan
enablemulticastRekayandtheKSgeneratesonlyonepacketandsendsit
downtoallGMsatonetime
R1(gdoilocalserver)#rekeyauthenticationmypubkeyrsaR1.micronicstraining.com
R1(gdoilocalserver)#rekeyretransmit10number2
R1(gdoilocalserver)#rekeytransportunicast
BydefaulteveryGMcanregistertoKSaslongasithascorrectPSKconfigured(or
validCertificateincaseofPKI).ToauthorizeGMstobeabletoregisterinthis
grouponKS,youneedtospecifyastandardACLwithGMsIPaddresses.OurACLis
namedGMLIST.
R1(gdoilocalserver)#authorizationaddressipv4GMLIST
NowitstimetoconfigurepolicyforourGMs.EncryptionpolicyiscreatedbyIPSec
Profileconfiguredearlier.TotelltheGMswhatpacketstheyshouldencrypt,weneed
anotherACL(extendedthistime).OurACLisnamedLANLIST.Wecanalsospecifywindow
sizeforTimebasedAntiReplayprotection.ThelastparameterimportantisKSsIP
address.ThisparametermustaswellbesenddontotheGMsasKSmayberunon
differentIPaddress(likeLoopback).
R1(gdoilocalserver)#saipsec1
R1(gdoisaipsec)#profileGETVPNPROF
R1(gdoisaipsec)#matchaddressipv4LANLIST
R1(gdoisaipsec)#replaycounterwindowsize64
R1(gdoisaipsec)#addressipv410.1.12.1
R1(gdoilocalserver)#
%GDOI5KS_REKEY_TRANS_2_UNI:GroupGETVPNtransitionedtoUnicastRekey.
R1(gdoilocalserver)#exi
R1(configgdoigroup)#exi
CCIESecurity
Page280 of 322
R1(config)#ipaccessliststandardGMLIST
R1(configstdnacl)#permit10.1.25.5
R1(configstdnacl)#exi
HeresourpolicyACL.NotethatwemustexcludeGDOI(UDP/848)fromthispolicyas
thereisnotmuchsensetoencryptsomethingalreadyencrypted.
R1(config)#ipaccesslistextendedLANLIST
R1(configextnacl)#denyudpanyeq848anyeq848
R1(configextnacl)#permitip192.168.0.00.0.255.255192.168.0.00.0.255.255
R1(configextnacl)#exi
OnR5
R5isourfirstGM.WeneedthefollowingtobeconfiguredoneveryGM:
ISAKMPpolicyandpresharedkey(incaseofPSK)
theGrouptowhichtheGMneedstoberegisteredto
(optional)ACLtoexcludesometrafficfromencryption
cryptomaptypeGDOI
R5(config)#cryptogdoigroupGETVPN
R5(configgdoigroup)#serveraddressipv410.1.12.1
ThisACLisoptional.IngeneralweshouldconfigureourpolicyonKSonly,butthere
aresomesituationswhenweneedtoexcludesomeflowsfromencryption.Likehere,we
wereaskedforexcludingSSHtrafficbetween192.168.4.0/24AND192.168.5.0/24
networks.
WhenpolicyisconfiguredonbothKSandGM,theconcatenatedpolicylookslikefollow:
DeniedtrafficonKS
PermittedtrafficonKS
DeniedtrafficonGM
WecanonlyDENY(exclude)thetrafficonGM,wecannotPERMITittobeencrypted.To
displaythatconcatenatedpolicyuseshcryptogdoigmaclcommandonGM.
R5(config)#ipaccesslistextendedDONOTENCRYPT
R5(configextnacl)#denytcp192.168.4.00.0.0.255eq22192.168.5.00.0.0.255
R5(configextnacl)#denytcp192.168.5.00.0.0.255192.168.4.00.0.0.255eq22
R5(config)#cryptomapCMAPGETVPN10gdoi
%NOTE:Thisnewcryptomapwillremaindisableduntilavalid
grouphasbeenconfigured.
R5(configcryptomap)#setgroupGETVPN
R5(configcryptomap)#matchaddressDONOTENCRYPT
R5(config)#ints0/1/0.52
R5(configsubif)#cryptomapCMAPGETVPN
R5(configsubif)#exi
R5(config)#
%CRYPTO5GM_REGSTER:StartregistrationtoKS10.1.12.1forgroupGETVPNusingaddress
10.1.25.5
R5(config)#
R5(config)#
%GDOI5GM_REKEY_TRANS_2_UNI:GroupGETVPNtransitionedtoUnicastRekey.
%GDOI5GM_REGS_COMPL:RegistrationtoKS10.1.12.1completeforgroupGETVPNusingaddress
10.1.25.5
SeeaboveSYSLOGmessages.TheyindicatethatGMhasstartedregistrationprocesswith
KSandregisteredsuccessfully.
CCIESecurity
Page281 of 322
OnR4
SameconfigurationfornextGM.
R4(configextnacl)#cryptomapCMAPGETVPN10gdoi
R4(configsubif)#exi
10.1.24.4
R4(config)#
R4(config)#
10.1.24.4
Verification
R1#shcryptogdoigroupGETVPN
GroupName:GETVPN(Unicast)
GroupIdentity:1
GroupMembers:2
IPSecSADirection:Both
ActiveGroupServer:Local
GroupRekeyLifetime:86400secs
GroupRekey
RemainingLifetime:86361secs
RekeyRetransmitPeriod:10secs
RekeyRetransmitAttempts:2
GroupRetransmit
IPSecSANumber:1
IPSecSARekeyLifetime:3600secs
ProfileName:GETVPNPROF
Replaymethod:CountBased
ReplayWindowSize:64
SARekey
ACLConfigured:accesslistLANLIST
GroupServerlist:Local
R1#shcryptogdoikspolicy
KeyServerPolicy:
ForgroupGETVPN(handle:2147483650)server10.1.12.1(handle:2147483650):
#ofteks:1Seqnum:0
KEKPOLICY(transporttype:Unicast)
spi:0x76749A6D99B3C0A3827FA26F1558ED63
managementalg:disabled
encryptalg:3DES
CCIESecurity
Page282 of 322
cryptoivlength:8keysize:24
origlife(sec):86400remaininglife(sec):86355
sighashalgorithm:enabledsigkeylength:162
sigsize:128
sigkeyname:R1.micronicstraining.com
TEKPOLICY(encaps:ENCAPS_TUNNEL)
spi:0xAF4FA6F8
accesslist:LANLIST
#oftransforms:0
transform:ESP_AES
hmacalg:HMAC_AUTH_SHA
algkeysize:16sigkeysize:20
teklife(sec):3600elapsedtime(sec):44
antireplaywindowsize:64
Seebothkeys:TEKandKEK.
KEKforRekeyencryption,defaultlifetime24hours,defaultenrytpionalgorithm3DES
TEKfortrafficencryptionbetweenGMs,defaultlifetime1hour,encryptionelgorith
dependsonconfiguredpolicy(nodefaults).
R1#shcryptogdoiksacl
GroupName:GETVPN
ConfiguredACL:
accesslistLANLISTdenyudpanyport=848anyport=848
accesslistLANLISTpermitip192.168.0.00.0.255.255192.168.0.00.0.255.255
HerestheACLwhichtellstheGMswhattraffictheyshouldencrypt.
R1#shcryptogdoiksmembers
GroupMemberInformation:
NumberofrekeyssentforgroupGETVPN:1
GroupMemberID:10.1.24.4
GroupID:1
GroupName:GETVPN
KeyServerID:10.1.12.1
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
GroupID:1
GroupName:GETVPN
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
RegisteredmembersonKS.Keepinmindyoumayhavethousandsofmembersregisteredto
differentgroups.Onemembercanregistertotwogroupsatthesametime.
R1#shcryptogdoiksrekey
GroupGETVPN(Unicast)
NumberofRekeyssent:1
NumberofRekeysretransmitted:0
KEKrekeylifetime(sec):86400
Remaininglifetime(sec):86335
Retransmitperiod:10
Numberofretransmissions:2
IPSecSA1lifetime(sec):3600
WehaveconfiguredthatforRekeyphase.ItisveryimportantforUnicastRekeythatKS
willretransmitRekeymessageifitdidntreceiveACKfromtheGM.
CCIESecurity
Page283 of 322
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.24.4
GDOI_IDLE1002ACTIVE
10.1.12.110.1.25.5GDOI_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
NotethatISAKMPSAisestablishedbetweenKSandGMsonly.ThereisnoISAKMPSA
betweenGMs.
R1#shcryptoipsecsa
NoSAsfound
TherearenoIPSecSAbetweenKSandGMs.AllisdoneusingISAKMPSA.AfterIKEPhase
1establishestheSA,theGDOIprotocolusesitforGMRegistrationandRekey.
ThesamebunchofcommandsareonGMs.
R4#shcryptogdoigm
GroupMemberInformationForGroupGETVPN:
ACLReceivedFromKS:gdoi_group_GETVPN_temp_acl
Lastrekeyseqnum:0
Reregister
Remainingtime:3389secs
RetryTimer
:NOTRUNNING
R4#shcryptogdoigmacl
GroupName:GETVPN
ACLDownloadedFromKS10.1.12.1:
accesslistdenyudpanyport=848anyport=848
accesslistpermitip192.168.0.00.0.255.255192.168.0.00.0.255.255
ACLConfiguredLocally:
MapName:CMAPGETVPN
accesslistDONOTENCRYPTdenytcp192.168.4.00.0.0.255port=22192.168.5.00.0.0.255
accesslistDONOTENCRYPTdenytcp192.168.5.00.0.0.255192.168.4.00.0.0.255port=22
HeresthecurrentPolicyonGM.SeethisisconcatenatedACL(KSACL+GMACL).
R4#shcryptogdoigmrekey
NumberofRekeysreceived(cumulative):0
NumberofRekeysreceivedafterregistration:0
NumberofRekeyAckssent:0
Rekey(KEK)SAinformation:
dstsrcconnidmycookiehiscookie
New:10.1.24.410.1.12.11004827FA26F76749A6D
Current:
Previous:
GroupName:GETVPN
GroupIdentity:1
Rekeysreceived:0
ActiveGroupServer:10.1.12.1
GroupServerlist:10.1.12.1
GMReregistersin:3371secs
RekeyReceived(hh:mm:ss):00:15:45
Rekeysreceived
Cumulative:0
Afterregistration:0
RekeyAckssent:0
CCIESecurity
Page284 of 322
KEKPOLICY:
RekeyTransportType:Unicast
Lifetime(secs):86394
EncryptAlgorithm:3DES
KeySize:192
SigHashAlgorithm:HMAC_AUTH_SHA
SigKeyLength(bits):1024
TEKPOLICYforthecurrentKSPolicyACEsDownloaded:
Serial0/0/0.42:
IPsecSA:
spi:0xAF4FA6F8(2941232888)
transform:espaesespshahmac
satiming:remainingkeylifetime(sec):(3494)
AntiReplay:Disabled
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.24.4GDOI_IDLE1001ACTIVE
IPv6CryptoISAKMPSA
GMmaintainsISAKMPSAwithKSonly!
rencRSAencryption
IPv4CryptoISAKMPSA
100110.1.24.410.1.12.1ACTIVEdesshapsk123:43:50
IPv6CryptoISAKMPSA
ThebelowisIPSecSA.ThisisbuiltuponpolicyreceivedfromKS.Hence,thereareas
manyProxyIDsaspermitACEsinACLdownloadedfromtheKS.
NotethatthereisNOpeer!
R4#shcryptoipsecsa
interface:Serial0/0/0.42
Cryptomaptag:CMAPGETVPN,localaddr10.1.24.4
protectedvrf:(none)
currentoutboundspi:0xAF4FA6F8(2941232888)
inboundespsas:
spi:0xAF4FA6F8(2941232888)
transform:espaesespshahmac,
CCIESecurity
Page285 of 322
connid:2007,flow_id:NETGX:7,sibling_flags80000040,cryptomap:CMAPGETVPN
IVsize:16bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xAF4FA6F8(2941232888)
IVsize:16bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
NotetheInboundandOutboundSPIisthesame.ThisisbecauseeveryGMunderstands
thatSPI(itisconfiguredonKSandsendsdowntoallGMs).
R4#shiproute
S*0.0.0.0/0[1/0]via10.1.24.2
See,thereisonlydefaultrouteconfiguredonGM.LetstrytopingnetworkbehindR5
andsourcethetrfficfromLo0.
R4#ping192.168.5.5solo0
.....
Successrateis0percent(0/5)
Unsuccessful!Why?Letslookatcrypto.
R4#shcryptoipsecsa
protectedvrf:(none)
CCIESecurity
Page286 of 322
inboundespsas:
spi:0xAF4FA6F8(2941232888)
IVsize:16bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xAF4FA6F8(2941232888)
IVsize:16bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
SeemslikeICMPpacketshavebeenencryptedandsentout.Hence,theproblemmustlay
somewhereelse.SinceGETVPNusesIPHeaderPreservationmechnanism,theoriginal
sourceanddestinationIPaddressesarenotchanged(thereisnotunneling).Letslook
atR2iftherearecorrectroutestothatnetworksandaddthemissingroutes.
R2#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
R2(config)#iproute192.168.4.0255.255.255.010.1.24.4
R2(config)#iproute192.168.5.0255.255.255.010.1.25.5
R4#ping192.168.5.5solo0
!!!!!
Success!Letslookatcryptoagain.
R4#shcryptoipsecsa
protectedvrf:(none)
inboundespsas:
spi:0xAF4FA6F8(2941232888)
CCIESecurity
Page287 of 322
IVsize:16bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xAF4FA6F8(2941232888)
IVsize:16bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
Allpacketshavebeenencryptedanddecrypted.
NowtakealookatR5.ThesamebunchofcommandsforGDOI.
R5#shcryptogdoigm
Lastrekeyseqnum:0
Reregister
RetryTimer
:NOTRUNNING
GroupName:GETVPN
MapName:CMAPGETVPN
New:10.1.25.510.1.12.11004827FA26F76749A6D
Current:
Previous:
GroupName:GETVPN
GroupIdentity:1
Rekeysreceived:0
CCIESecurity
Page288 of 322
Rekeysreceived
Cumulative:0
Afterregistration:0
RekeyAckssent:0
KEKPOLICY:
Lifetime(secs):86400
KeySize:192
Serial0/1/0.52:
IPsecSA:
spi:0xAF4FA6F8(2941232888)
AntiReplay:Disabled
rencRSAencryption
IPv4CryptoISAKMPSA
100110.1.25.510.1.12.1ACTIVEdesshapsk123:40:56
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
protectedvrf:(none)
inboundespsas:
spi:0xAF4FA6F8(2941232888)
IVsize:16bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
CCIESecurity
Page289 of 322
outboundespsas:
spi:0xAF4FA6F8(2941232888)
IVsize:16bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
Test
ToverifythepolicyconfiguredonGMs,weneedtoenableSSHserveronR4andR5and
configurelocaluserdatabase.NotethatyoumusttestSSHtrafficbetween192.168.[4
5].0/24networks,soyouneedtoinformtherouterswhatinterfaceuseasSSHsource.
R4(config)#ipsshsourceinterfacelo0
R4(config)#crykeygenrsamod1024
R4(config)#
R4(config)#linevty04
R4(configline)#loginlocal
R5(config)#usernamestudentpasswordstudent123
R5(config)#linevty04
R5(configline)#loginlocal
R5(configline)#exit
R5(config)#ipsshsourceinterfacelo0
PleasecreateRSAkeys(ofatleast768bitssize)toenableSSHv2.
R5(config)#cryptokeygeneratersamod1024
R5(config)#
R5(config)#end
First,checktheencryption/decryptioncounters.
R5#shcryipssa|inlocal|remot|enca|deca
Connecttor4usingSSHtogeneratethetraffic.
R5#sshlstudent192.168.4.4
Password:
R4>shusers
CCIESecurity
Page290 of 322
0con0idle00:03:29
*514vty0studentidle
00:00:00192.168.5.5
InterfaceUserModeIdlePeerAddress
R4>exit
Checktheencryption/decryptioncounters.
Noencryptioncountersincremented!!!ThisisbecauseSSHbetweenthosenetworksis
excludedfromencryption.
SametestonR4:
R4#sshlstudent192.168.5.5
Password:
R5>shusers
LineUserHost(s)Idle
Location
0con0idle00:01:00
*514vty0studentidle00:00:00192.168.4.4
R5>exit
Noencryptioncountersincremented!!Letsverifybydoingping.
R4#ping192.168.5.5solo0
!!!!!
Contershavebeenincrementedby5packets!
CCIESecurity
Page291 of 322
Lab2.22. GETVPN(PKI)
LabSetup:
pointtopointmanner
pointtopointmanner
IPAddressing:
Device
R1
R2
R4
R5
CCIESecurity
Interface
Lo0
F0/0
F0/0
S0/1/0.25
S0/1/0.24
Lo0
S0/0/0.42
Lo0
S0/1/0.52
IPaddress
192.168.1.1/24
10.1.12.1/24
10.1.12.2/24
10.1.25.2/24
10.1.24.2/24
192.168.4.4/24
10.1.24.4/24
192.168.5.5/24
10.1.25.5/24
Page292 of 322
Task1
Configure NTP server with MD5 authentication (cisco123) and CA server on R1. It
willbeusedforenrollingcertificatesforGETVPNGroupMembers.
(LANs behind R5 and R4). R1 must be used as Key Server and R5 and R4 are
GroupMembers.
Groupname:
Server:
Rekey:
Authorization:
IPSecSA:
ISAKMPPolicy
GETVPN
Identity1
IPaddress10.1.12.1
Unicast
Noretransmits
Lifetime400seconds
RSAkeynameKSKEYS
Timebasedantireplaywindow:64
Encryption:AES128
Integrity:SHA
Authentication:Certificates
Encryption:DES
Hashing:SHA
DonotencryptTELNETtrafficbetween192.168.5.0/24and192.168.4.0/24
networks.ThisexceptionmustbeconfiguredonGMs.
Thislabisverysimilartothepreviousone.Here,wereaskedforcertificateauthenticationbetween
KSandGMs.Whencertificatesareinuse,weneedtobecarefulabouttimesothatweareaskedto
configureNTPserveronR1andNTPclientsonR4andR5.
R1mustworkasCertificateAuthoritytogiveoutthecertificatestoallrouters.TheCAconfiguration
hasbeendescribedindetailsinthelab2.4.
NotethatsincetheR1mustworkasKSitmusthaveitsowncertificateaswell.Hence,weneedto
createtrustpointonR1andenrollacertificateaswedooneveryotherrouter.
OnR1
R1(config)#ntpauthenticationkey1md5cisco123
OnR5
OnR4
CCIESecurity
Page293 of 322
OnR1
R1(config)#doshntpstatus
referencetimeisCEA97CF5.2B02C9E8(19:01:09.168UTCSatNov142009)
R1(config)#cryptokeygeneratersamod1024labelKSKEYSexportable
Thenameforthekeyswillbe:KSKEYS
%Generating1024bitRSAkeys,keyswillbeexportable...[OK]
R1(config)#
R1(config)#cryptopkiserverIOSCA
R1(csserver)#databaseurlnvram:
%Serverdatabaseurlwaschanged.Youneedtomovethe
%existingdatabasetothenewlocation.
R1(csserver)#databaselevelminimum
R1(csserver)#
R1(csserver)#noshut
%Pleaseenterapassphrasetoprotecttheprivatekey
%ortypeReturntoexit
Password:
Reenterpassword:
%CertificateServerenabled.
R1(csserver)#
R1(csserver)#exi
HeresthetrustpointtoenrollthecertificatefromCAinstalledonR1.
R1(config)#cryptocatrustpointR1IOSCA
R1(catrustpoint)#enrollmenturlhttp://10.1.12.1:80
R1(catrustpoint)#revocationchecknone
R1(catrustpoint)#exi
R1(config)#cryptocaauthenticateR1IOSCA
FingerprintMD5:1EDBC58CC0EC6E6A30277787757F752B
FingerprintSHA1:AC5AAD4E6F972239CD46EE2345265D7AA756B2C5
R1(config)#cryptocaenrollR1IOSCA
%
Password:
CCIESecurity
Page294 of 322
%CRYPTO6AUTOGEN:Generatednew512bitkeypair
Reenterpassword:
%Thesubjectnameinthecertificatewillinclude:R1.micronicstraining.com
%The'showcryptocacertificateR1IOSCAverbose'commandwillshowthefingerprint.
R1(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:BAFB1982AD56FE4E7A13792FA30D12FF
CRYPTO_PKI:CertificateRequestFingerprintSHA1:D4D7E9C158521229DABAAD4B88A19A2B
2A5CFB27
R1(config)#
Theconfigurationisverysimilartothatpresentedinthepreviouslab.Theone
differenceisinISAKMPpolicy.WedonotneedtospecifyRSASIGasitisenabledby
default.AnotherthingisthatwedonotconfigureISAKMPKeyssincewedonotusePSK
anymore.
R1(config)#cryptoipsecprofileGETVPNPROF
R1(gdoilocalserver)#rekeylifetimeseconds400
R1(gdoilocalserver)#norekeyretransmit
R1(gdoilocalserver)#rekeyauthenticationmypubkeyrsaKSKEYS
R1(gdoilocalserver)# authorizationaddressipv4GMLIST
OnR5
BeforeconfiguringGM2,ensurethetimeissynchronized.
referencetimeisCEA97E83.4F5E1788(19:07:47.310UTCSatNov142009)
CCIESecurity
Page295 of 322
YouneedatrustpointtobeabletoenrollthecertificateformCA.
Whethetrustpointisready,weneedtodownloadCAcertificate.
OncewehavetheCAcertificate,wecanrequestacertificatefortherouteritself.
YoudonotneedtogenerateRSAkeys.Thekeyswillbeautomaticallygeneratedduring
theenrollmentprocess.
R5(config)#cryptocaenrollR1IOSCA
%
Password:
RSAkeysizeneedstobeatleast768bitsforsshversion2
Reenterpassword:
%Thesubjectnameinthecertificatewillinclude:R5
R5(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:C9AFC720731E766948B60A5C66A96152
CRYPTO_PKI:CertificateRequestFingerprintSHA1:6384402D15D72B7D8E733C1AC6151667
B9E74C77
R5(config)#
GMconfigurationisverysimilartothatpresentedinpreviouslab,except
authenticationmethod.
R5(configextnacl)#denytcp192.168.5.00.0.0.255192.168.4.00.0.0.255eqtelnet
R5(configextnacl)#denytcp192.168.4.00.0.0.255eqtelnet192.168.5.00.0.0.255
CCIESecurity
Page296 of 322
R5(configsubif)#
10.1.25.5
R5(configsubif)#
R5(configsubif)#exi
10.1.25.5
SeethatR5hassentregistrationrequestandregisteredsuccessfully.
OnR4
SamebunchofcommandsonsecondGM.
referencetimeisCEA981C9.A89DB4CF(19:21:45.658UTCSatNov142009)
R4(config)#crycaenrR1IOSCA
%
Password:
Reenterpassword:
R4(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:9B4F4499CC69D4F5686DF42C93D66C71
CRYPTO_PKI:CertificateRequestFingerprintSHA1:A53AE9D9B2EF40C3BC54FBC17FDB65B5
66A4A88E
R4(config)#
CCIESecurity
Page297 of 322
R4(configsubif)#
10.1.24.4
R4(configsubif)#exi
R4(config)#
10.1.24.4
Verification
OnKScheckwhatGMshavebeenregistered.
GroupID:1
GroupName:GETVPN
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
GroupID:1
GroupName:GETVPN
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
WhatgroupisconfiguredonKSandwhatsthepolicy.
R1#shcryptogdoiks
Totalgroupmembersregisteredtothisbox:2
KeyServerInformationForGroupGETVPN:
GroupName:GETVPN
GroupIdentity:1
GroupMembers:2
ACLConfigured:
accesslistLANLIST
R1#shcryptogdoiksacl
GroupName:GETVPN
ConfiguredACL:
CCIESecurity
Page298 of 322
accesslistLANLISTdenyudpanyport=848anyport=848
accesslistLANLISTpermitip192.168.0.00.0.255.255192.168.0.00.0.255.255
KeyServerPolicy:
#ofteks:1Seqnum:0
spi:0x9B0C69C0246B33C2A011A4E8A0C41ED5
managementalg:disabledencryptalg:3DES
sigsize:128
sigkeyname:KSKEYS
spi
:0x325AC16Caccesslist:LANLIST
#oftransforms:0transform:ESP_AES
Retransmitperiod:0
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.25.5GDOI_IDLE1001ACTIVE
10.1.12.110.1.24.4GDOI_IDLE
1002ACTIVE
IPv6CryptoISAKMPSA
ISAKMPSahasbeenestablishedbetweenKSandGMs.
R1#shcryptoipsecsa
NoSAsfound
NotethatthereisnoIPSecSAbetweenKSandGM.TheIPSecSAsareonlyonGMs.
R5#shcryptogdoigm
Lastrekeyseqnum:0
Reregister
defaultis3600secs(1hour)
RetryTimer
:NOTRUNNING
GroupName:GETVPN
MapName:CMAPGETVPN
CCIESecurity
Page299 of 322
New:10.1.25.510.1.12.11005A011A4E89B0C69C0
Current:
Previous:
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
10.1.12.110.1.25.5GDOI_IDLE1001ACTIVE
10.1.25.510.1.12.1GDOI_REKEY1005ACTIVE
IPv6CryptoISAKMPSA
R5#shcryptoipsecsa
protectedvrf:(none)
thereisnopeerIPaddress
currentoutboundspi:0x325AC16C(844808556)
inboundespsas:
spi:0x325AC16C(844808556)
IVsize:16bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0x325AC16C(844808556)
IVsize:16bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R5#ping192.168.4.4solo0
CCIESecurity
Page300 of 322
.....
Successrateis0percent(0/5)
R5#shcryptoipsecsa|incloca|remot|enca|deca
Notethatpingisunsuccessful.However,packetsareleavingtherouterandget
encrypted.ItmeanssomewhereonthewaytoR4packetsaredropped.TakealookatR2.
R2#shipro
See,noroutingto192.168.4.0/24and192.168.5.0/24networks.Thoseroutesare
necessaryasGETVPNusesIPSectunnelmodewithIPheaderpreservation,sothe
originalIPheaderisusedtoroutepackets.
R2#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
R2(config)#iproute192.168.4.0255.255.255.010.1.24.4
R2(config)#iproute192.168.5.0255.255.255.010.1.25.5
R2(config)#exi
R5#ping192.168.4.4solo0
!!!!!
Nowallpacketsgetencryptedanddecrypted.
SamebunchofcommandsonthesecondGM.
R4#shcryptogdoi
GROUPINFORMATION
GroupName:GETVPN
GroupIdentity:1
Rekeysreceived:0
CCIESecurity
Page301 of 322
Rekeysreceived
Cumulative:0
Afterregistration:0
RekeyAckssent:0
KEKPOLICY:
Lifetime(secs):394
KeySize:192
SigHashAlgorithm
:HMAC_AUTH_SHA
Serial0/0/0.42:
IPsecSA:
spi:0x325AC16C(844808556)
AntiReplay:Disabled
New:10.1.24.410.1.12.11005A011A4E89B0C69C0
Current:
Previous:
TEST:TelnetfromR5sloopbackinterfacetoR4sloobpackinterface.
1.DisableCEFswitchingonR2toseepacketsgoingthroughtherouter.
R2(configsubif)#noiproutecache
R2(configsubif)#ints0/1/0.24
R2(configsubif)#noiproutecache
R2(configsubif)#exi
2.EnabledebuggingforallTELNETpackets.Logtothebuffer.
R2(config)#accesslist123permittcpanyanyeqtelnet
R2(config)#accesslist123permittcpanyeqtelnetany
R2(config)#dodebippacdet123
IPpacketdebuggingison(detailed)foraccesslist123
R2(config)#loggbuffered7
R2(config)#loggon
R2(config)#doclearlogg
Clearloggingbuffer[confirm]
R2(config)#
3.TelnetfromR5sloopback0toR4sloopback0.
R5#tel192.168.4.4/solo0
CCIESecurity
Page302 of 322
Password:
R4>shusers
0con0idle00:06:21
*514vty0
idle00:00:00192.168.5.5
R4>exit
4.BacktoR2toseeifanypacketshavebeencaptured.
R2#shlogg
Sysloglogging:enabled(12messagesdropped,1messagesratelimited,
0flushes,0overruns,xmldisabled,filteringdisabled)
NoActiveMessageDiscriminator.
NoInactiveMessageDiscriminator.
Consolelogging:leveldebugging,564messageslogged,xmldisabled,
filteringdisabled
Monitorlogging:leveldebugging,0messageslogged,xmldisabled,
filteringdisabled
Bufferlogging:leveldebugging,516messageslogged,xmldisabled,
filteringdisabled
LoggingExceptionsize(4096bytes)
Countandtimestamploggingmessages:disabled
Persistentlogging:disabled
Noactivefiltermodules.
ESM:0messagesdropped
Traplogging:levelinformational,55messagelineslogged
LogBuffer(4096bytes):
IP:s=192.168.5.5(Serial0/1/0.25),d=192.168.4.4(Serial0/1/0.24),g=10.1.24.4,len41,
forward
TCPsrc=56259,dst=23,seq=1588224466,ack=5056452141,win=5768ACKPSH
IP:tableid=0,s=192.168.4.4(Serial0/0/0.24),d=192.168.5.5(Serial0/0/0.25),routedviaFIB
IP:s=192.168.4.4(Serial0/1/0.24),d=192.168.5.5(Serial0/1/0.25),g=10.1.25.5,len41,
forward
TCPsrc=23,dst=56259,seq=5056452141,ack=1588224467,win=4078ACKPSH
<outputomitted>
SeethesourceanddestinationIPaddresses.NotetheTELNETtrafficisnotencrypted
(asthereisport23seeninthecapture).
CCIESecurity
Page303 of 322
Lab2.23. GETVPNCOOP(PKI)
Lo0
Lo0
R1
.1
.5
F0/0
F0/0
10.1.12.0/24
R5
10.1.25.0/24
G0/0
G0/1
R2
.2
.2
.2
S0/1/0.26
206
10.1.26.0/24
Lo0
S0/1/0.62
.6
602
S0/1/0.24
204
402
10.1.24.0/24
S0/0/0.42
.4
Lo0
R4
R6
LabSetup:
pointtopointmanner.
pointtopointmanner.
ConfigureRIPversion2dynamicroutingonallrouters(alldirectlyconnected
interfaces).
IPAddressing:
Device
R1
R2
R4
R5
CCIESecurity
Interface
Lo0
F0/0
G0/0
G0/1
S0/1/0.26
S0/1/0.24
Lo0
S0/0/0.42
Lo0
IPaddress
1.1.1.1/24
10.1.12.1/24
10.1.12.2/24
10.1.25.2/24
10.1.26.2/24
10.1.24.2/24
192.168.4.4/24
10.1.24.4/24
5.5.5.5/24
Page304 of 322
F0/0
Lo0
S0/1/0.62
R6
10.1.25.5/24
192.168.6.6/24
10.1.26.6/24
Task1
Configure NTP server with MD5 authentication (cisco123) and CA server on R1. It
willbeusedforenrollingcertificatesforGETVPNGroupMembers.
(LANsbehindR6andR4).R1andR5mustbeusedasKeyServersandR6andR4
are Group Members. Enable COOP protocol and ensure that R1 becomes Primary
KS.
Groupname:
Server:
Rekey:
Authorization:
IPSecSA:
ISAKMPPolicy
GETVPN
Identity1
PrimaryKSIPaddress:1.1.1.1
SecondaryKSIPaddress:5.5.5.5
Unicast
3retransmits,every10seconds
Lifetime400seconds
RSAkeynameKSKEYS
Timebasedantireplaywindow64
Encryption:AES128
Integrity:SHA
Authentication:Certificates
Encryption:DES
Hashing:SHA
DonotencryptTELNETtrafficbetween192.168.6.0/24and192.168.4.0/24
networks.ThisexceptionmustbeconfiguredonGMs.
When desiging and deploying GET VPN solution it is obvious that the Key Server is the most
important component as it creates and maintains security policy for all GMs. If KS is down a new
TEK cannot be delivered to GMs on time and when TEKs lifetime is over the GMs start dropping
packets.
To addressthatissue,more KSserversshouldbe deployed.However,itisnotenoughto just set
up another KS as it would give out diffeternt TEK to its members. Thus, members of one KS
couldntsendpacketstomembersofsecondKS.
To resolve that issue, Cisco developed a new protocol called COOP (COOPerative KS protocol).
This protocol is designed to synchronize both KS in terms of GMs info, keys (TEK, KEK), policy
(ACL),pseudotime(forTimebasedantireplayprotection).
Although all Key Servers accept registration from GMs, only one KS will be responsible for the
rekey operation.This KSis calledthePrimary KS. ThePrimary KSis decidedthrough anelection
process among all the cooperative Key Servers. In order to aid this process a priority number
shouldbeconfiguredineachKS.IfmorethanoneKeyServershavethesamehighestpriority,then
CCIESecurity
Page305 of 322
theonewithhighestIPaddresswillbeselected.
ElectionprocesswillberepeatedwhenevertheexistingprimaryKS goesdown.Itshouldbenoted
thatwhenanewKSjoinsthegroup,electionprocesswillnotbetriggeredevenifthenewKShasa
higherprioritythantheexistingprimary.
OnR1
OnR5
OnR6
OnR4
OnR1
referencetimeisCEA9949F.DC28907D(20:42:07.859UTCSatNov142009)
R1(config)#doshntpasso
*~127.127.1.1.LOCL.31016770.0000.000187.72
*sys.peer,#selected,+candidate,outlyer,xfalseticker,~configured
R1musthaveRSAkeysforRekeyauthentication.However,whentherearemorethanone
KSinthenetwork,allKSmustlookthesameforallGMs.Hence,weneedtohavethe
sameRSAkeysonbothKSes.KeepinmindthatyouneedtomarknewRSAkeysas
exportabletobeabletoexportthemandimportonanotherKS.
R1(config)#cryptokeygeneratersamod1024labelKSKEYSexportable
Thenameforthekeyswillbe:KSKEYS
%Generating1024bitRSAkeys,keyswillbeexportable...[OK]
R1(config)#
R1(config)#cryptopkiserverIOSCA
R1(csserver)#databaseurlnvram:
CCIESecurity
Page306 of 322
%Serverdatabaseurlwaschanged.Youneedtomovethe
%existingdatabasetothenewlocation.
R1(csserver)#databaselevelminimum
R1(csserver)#
R1(csserver)#noshut
%Pleaseenterapassphrasetoprotecttheprivatekey
%ortypeReturntoexit
Password:
Reenterpassword:
%CertificateServerenabled.
R1(csserver)#
R1(csserver)#cryptocatrustpointR1IOSCA
R1(config)#crycaauthR1IOSCA
FingerprintMD5:4C94A45D5200C2CF99D4804C34C1F733
FingerprintSHA1:BDE3C4933A9A0B179A0AA6013C7819DB96F4220C
%
Password:
Reenterpassword:
R1(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:E37524AF52D5C9E7AE626E90C113B2F7
CRYPTO_PKI:CertificateRequestFingerprintSHA1:424B180DC8858DB2CE02D5301D29388E
B7759993
R1(config)#
ConfigureRSASIGauthenticationforISAKMP.
CCIESecurity
Page307 of 322
HerestheCOOPconfiguration.WeneedtospecifythepriorityoftheKS(1255,
defaultis1).TheKSwithhigherprioritywins.Wneedtospecifythepeerwhichis
otherKS.ThisIPaddressmustbeaccessibleonthenetwork.
R1(gdoilocalserver)#redundancy
R1(gdoicoopksconfig)#localpriority100
R1(gdoicoopksconfig)#peeraddressipv45.5.5.5
R1(gdoicoopksconfig)#
%GDOI5COOP_KS_ADD:5.5.5.5addedasCOOPKeyServeringroupGETVPN.
R1(gdoicoopksconfig)#exi
ExportRSAselfsignedkeysforusingthemonthesecondKS.
R1(config)#cryptokeyexportrsaKSKEYSpemterminal3descisco123
%Keyname:KSKEYS
Usage:GeneralPurposeKey
Keydata:
BEGINPUBLICKEY
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmct4j/ecT1PumBNG1fWPMm1RE
/Rt/gT1WdhRDWwKmt8ftVFMU6rqjwjUqhn7hLRPortnBGS14t4UjK6IXzPLuxUbI
pgAlPn+PldDbpbgZP4Iv9VDp7xbU+9AVVkZpnYZLjo6aGQxBvHuLPA1S31+jSgXw
tDkjpNA1w48fHDAgYwIDAQAB
ENDPUBLICKEY
BEGINRSAPRIVATEKEY
ProcType:4,ENCRYPTED
DEKInfo:DESEDE3CBC,4C0424B43DE3EAC5
PjSOnv50zJZWwAUA5vTRRdRffJmi5cn9yH+eTLSg1A5GilKXmT5UhKucVMzHb1ep
XMaBacqt6QiJnib/MEHQAyjrbKSg5Ayvp1hTap+Vw/reOyMJovrDcCRmt3hzynz9
r/LXN/ykNKWeQvCr+YFglzMtptdEwQfhBA1P4eSMLCozP/r8Sd+oABMBIh4Im8kZ
Z3skBIKUT8CiNTmKDA3B/QMe2F1bcEeaA7r0CvoMQNWG9kLwhyQnnZzMjIPZ/yG8
4RrxmpWxrL3VOnAbAXxYu/fe597JKQEcp3XnURYnNHsh4dIphemlAAegPRHLCJQR
pd2an5I/Q4vAuVLaXgRRCuwe75fLUSZtk8UKAJXS3ZiOKbuABQ5QiLFS+S9Unnb2
1MLe3szgMKg6eyswYTFCXRNLauEyNhA4PMSxxLCPDeDaQr4XilB/iKMXy6ROMUhQ
OenT1u3vhjUzqxX+b/2IWYARvlY+rKahA4XkRhXwctsYB2Gs9a+dvuC+nl9JI5ys
zv++hUvrxAPlxfi/YM9tVMN91Rd8kZamIPwGFHgMk7wMwqwmdLljD2Qs+2wa8AtM
q+TvgQNUtqq9il0YHcRDZEiA5NWyNvcFFZKGn/+EqlalSX5VAKfnvdnQEY5RNcN9
BUpP7mLApWOBvAZz7vHC7/ZYaPeHtpabPaEvcqTXGc5mah6HLyPS0YhjWXs3XwRz
1czJ+cnBo6YXkvvTo4HefIfnnZHO+it8Y/chbny+/aVw1/fcdbWQ8l37XL+b6jzG
sdHa5IyBbs+kIeNELJTg9W1NLNaxEUhXjTh525CEXnU=
ENDRSAPRIVATEKEY
OnR5
AstheRSAkeysforRekeymustbethesameyoumustfirstimportKSKEYSonR5.
R5(config)#cryptokeyimportrsaKSKEYSpemexportableterminalcisco123
%EnterPEMformattedpublicGeneralPurposekeyorcertificate.
%Endwithablanklineor"quit"onalinebyitself.
BEGINPUBLICKEY
CCIESecurity
Page308 of 322
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmct4j/ecT1PumBNG1fWPMm1RE
/Rt/gT1WdhRDWwKmt8ftVFMU6rqjwjUqhn7hLRPortnBGS14t4UjK6IXzPLuxUbI
pgAlPn+PldDbpbgZP4Iv9VDp7xbU+9AVVkZpnYZLjo6aGQxBvHuLPA1S31+jSgXw
tDkjpNA1w48fHDAgYwIDAQAB
ENDPUBLICKEY
%EnterPEMformattedencryptedprivateGeneralPurposekey.
%Endwith"quit"onalinebyitself.
BEGINRSAPRIVATEKEY
ProcType:4,ENCRYPTED
DEKInfo:DESEDE3CBC,4C0424B43DE3EAC5
PjSOnv50zJZWwAUA5vTRRdRffJmi5cn9yH+eTLSg1A5GilKXmT5UhKucVMzHb1ep
XMaBacqt6QiJnib/MEHQAyjrbKSg5Ayvp1hTap+Vw/reOyMJovrDcCRmt3hzynz9
r/LXN/ykNKWeQvCr+YFglzMtptdEwQfhBA1P4eSMLCozP/r8Sd+oABMBIh4Im8kZ
Z3skBIKUT8CiNTmKDA3B/QMe2F1bcEeaA7r0CvoMQNWG9kLwhyQnnZzMjIPZ/yG8
4RrxmpWxrL3VOnAbAXxYu/fe597JKQEcp3XnURYnNHsh4dIphemlAAegPRHLCJQR
pd2an5I/Q4vAuVLaXgRRCuwe75fLUSZtk8UKAJXS3ZiOKbuABQ5QiLFS+S9Unnb2
1MLe3szgMKg6eyswYTFCXRNLauEyNhA4PMSxxLCPDeDaQr4XilB/iKMXy6ROMUhQ
OenT1u3vhjUzqxX+b/2IWYARvlY+rKahA4XkRhXwctsYB2Gs9a+dvuC+nl9JI5ys
zv++hUvrxAPlxfi/YM9tVMN91Rd8kZamIPwGFHgMk7wMwqwmdLljD2Qs+2wa8AtM
q+TvgQNUtqq9il0YHcRDZEiA5NWyNvcFFZKGn/+EqlalSX5VAKfnvdnQEY5RNcN9
BUpP7mLApWOBvAZz7vHC7/ZYaPeHtpabPaEvcqTXGc5mah6HLyPS0YhjWXs3XwRz
1czJ+cnBo6YXkvvTo4HefIfnnZHO+it8Y/chbny+/aVw1/fcdbWQ8l37XL+b6jzG
sdHa5IyBbs+kIeNELJTg9W1NLNaxEUhXjTh525CEXnU=
ENDRSAPRIVATEKEY
quit
%Keypairimportsucceeded.
R5(config)#
%
Password:
Reenterpassword:
R5(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:B9ED0BDD1450D53791494EAD94409D25
CRYPTO_PKI:CertificateRequestFingerprintSHA1:40380C2EF606F036A678EAA91989B2AB
32EF79B1
R5(config)#
CCIESecurity
Page309 of 322
%GDOI4COOP_KS_UNAUTH:ContactfromunauthorizedKS1.1.1.1ingroupGETVPNatlocaladdress
5.5.5.5(PossibleMISCONFIGofpeer/localaddress)
NoCOOPconfigurationonR5yet,sothismessageisdisplayed.
R5(gdoisaipsec)#exi
R5(gdoilocalserver)#addressipv45.5.5.5
COOPconfigurationonR5thisKShaslowerprioritysothatitwillbecomeSecondary
KS.
R5(gdoilocalserver)#redundancy
R5(gdoicoopksconfig)#localpriority50
R5(gdoicoopksconfig)#peeraddressipv41.1.1.1
R5(gdoicoopksconfig)#
%GDOI5COOP_KS_ADD:1.1.1.1addedasCOOPKeyServeringroupGETVPN.
%GDOI5COOP_KS_ELECTION:KSenteringelectionmodeingroupGETVPN(PreviousPrimary=NONE)
R5(gdoicoopksconfig)#exi
R5(config)#
%GDOI5COOP_KS_TRANS_TO_PRI:KS1.1.1.1ingroupGETVPNtransitionedtoPrimary(Previous
Primary=NONE)
NotethattheabovemessagesaysthatKS1.1.1.1hasbecamePrimaryKS.
OnR6
CCIESecurity
Page310 of 322
%
Password:
Reenterpassword:
R6(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:5EBA522CFFA2108C7ACEB4AD28F16066
CRYPTO_PKI:CertificateRequestFingerprintSHA1:E10B16726EC20657169EC6D1109F612E
64BD8EE0
R6(config)#
R6(configsubif)#
10.1.26.6
R6(configsubif)#exi
R6(config)#
10.1.26.6
GMhassuccessfullyregisteredtothePrimaryKS.
OnR4
CCIESecurity
Page311 of 322
%
Password:
Reenterpassword:
R4(config)#
CRYPTO_PKI:CertificateRequestFingerprintMD5:4F88B5934469B0CE91C579DBD454D96A
CRYPTO_PKI:CertificateRequestFingerprintSHA1:A3A48B4CEC2BE24250EF7B2231ED7CEB
EE5744AA
R4(config)#
R4(configsubif)#
10.1.24.4
R4(configsubif)#exi
10.1.24.4
GMhassuccessfullyregisteredtothePrimaryKS.
Verification
CCIESecurity
Page312 of 322
R1#shcryptogdoiks
GroupName:GETVPN
GroupIdentity
:1
GroupMembers:2
ACLConfigured:
accesslistLANLIST
Redundancy:Configured
LocalAddress:1.1.1.1
LocalPriority:100
LocalKSStatus:Alive
LocalKSRole:Primary
R1#shcryptogdoikscoop
CryptoGdoiGroupName:GETVPN
Grouphandle:2147483650,LocalKeyServerhandle:2147483650
LocalPriority:100
LocalKSRole:Primary,LocalKSStatus:Alive
PrimaryTimers:
PrimaryRefreshPolicyTime:20
RemainingTime:10
AntireplaySequenceNumber:9
PeerSessions:
Session1:
Serverhandle:2147483651
PeerAddress:5.5.5.5
PeerPriority:50
PeerKSRole:Secondary,PeerKSStatus:Alive
IKEstatus:Established
Counters:
Annmsgssent:7
Annmsgssentwithreplyrequest:1
Annmsgsrecv:1
Annmsgsrecvwithreplyrequest:1
Packetsentdrops:1
PacketRecvdrops:0
Totalbytessent:3713
Totalbytesrecv:591
NotethatCOOPlaveragesISAKMPSAtosecurelytransferallinformation.Hence,when
youusePSKforauthenticationyoumustremembertoconfigurepresharedkeyforPeer
KS.
GroupID:1
GroupName:GETVPN
KeyServerID:1.1.1.1
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
GroupID:1
GroupName:GETVPN
KeyServerID
:1.1.1.1
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
CCIESecurity
Page313 of 322
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
KeyServerPolicy:
#ofteks:1Seqnum:0
spi:0x3A67598E27379BA8F7613793A7A03C2F
sigsize:128
sigkeyname:KSKEYS
spi
:0xA175D05Eaccesslist:LANLIST
Retransmitperiod:10
R1#shcryptogdoiksreplay
AntireplayInformationForGroupGETVPN:
TimebasedReplay:
isnotenabled
R1#shcryptoisakmpsa
IPv4CryptoISAKMPSA
1.1.1.110.1.24.4GDOI_IDLE1007ACTIVE
5.5.5.51.1.1.1GDOI_IDLE
1005ACTIVE
IPv6CryptoISAKMPSA
SeeanadditionalISAKMPSAbetweenKSes.
R1#shcryptoipsecsa
NoSAsfound
R1#shcryptocacertificates
Certificate
Status:Available
CertificateSerialNumber(hex):02
Issuer:
cn=IOSCA
Subject:
Name:R1.micronicstraining.com
hostname=R1.micronicstraining.com
ValidityDate:
CCIESecurity
Page314 of 322
startdate:04:58:59UTCJul312010
enddate:04:58:59UTCJul312011
AssociatedTrustpoints:R1IOSCA
CACertificate
Status:Available
Issuer:
cn=IOSCA
Subject:
cn=IOSCA
ValidityDate:
AssociatedTrustpoints:R1IOSCAIOSCA
R5#shcryptogdoiks
GroupName:GETVPN
GroupIdentity:1
GroupMembers:2
ACLConfigured:
accesslistLANLIST
LocalPriority:50
LocalKSStatus:Alive
LocalKSRole:Secondary
NotethesecondaryKShas2membersregistered!ThisinfohasbeensentfromPrimaryKS
noGMshasregistereddirectlytothatKS.
R5#shcryptogdoikscoop
CryptoGdoiGroupName:GETVPN
Grouphandle:2147483650,LocalKeyServerhandle:2147483650
LocalPriority:50
LocalKSRole:Secondary,LocalKSStatus:Alive
SecondaryTimers:
SecPrimaryPeriodicTime:30
RemainingTime:28,Retries:0
InvalidANNPSTrecvd:0
NewGMTemporaryBlockingEnforced?:No
PeerSessions:
Session1:
Serverhandle:2147483651
PeerAddress:1.1.1.1
PeerPriority:100
PeerKSRole:Primary,PeerKSStatus:Alive
IKEstatus:Established
Counters:
Annmsgssent:1
Annmsgssentwithreplyrequest:1
Annmsgsrecv:11
Annmsgsrecvwithreplyrequest:1
Packetsentdrops:2
PacketRecvdrops:0
Totalbytessent:591
Totalbytesrecv:5821
CCIESecurity
Page315 of 322
GroupID:1
GroupName:GETVPN
KeyServerID:1.1.1.1
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
GroupID:1
GroupName:GETVPN
KeyServerID:1.1.1.1
Rekeyssent:0
Rekeysretries:0
RekeyAcksRcvd:0
RekeyAcksmissed:0
Sentseqnum:0000
Rcvdseqnum:0000
R5#shcryptogdoiksreplay
TimebasedReplay:
isnotenabled
Retransmitperiod:10
KeyServerPolicy:
#ofteks:1Seqnum:0
spi:0x3A67598E27379BA8F7613793A7A03C2F
sigsize:128
sigkeyname:KSKEYS
spi:0xA175D05Eaccesslist:LANLIST
hmacalg
:HMAC_AUTH_SHA
ComparethepolicyontheSecondaryKSitisexactlythesameasitisonthePrimary
KS.
GroupName:GETVPN(Unicast)
GroupIdentity:1
GroupMembers:2
CCIESecurity
Page316 of 322
ActiveGroupServer:Local
LocalPriority:50
LocalKSStatus:Alive
LocalKSRole:Secondary
GroupRekeyLifetime:400secs
GroupRekey
RekeyRetransmitPeriod:10secs
RekeyRetransmitAttempts:3
GroupRetransmit
IPSecSANumber:1
IPSecSARekeyLifetime:3600secs
ProfileName:GETVPNPROF
Replaymethod:CountBased
ReplayWindowSize:64
SARekey
ACLConfigured:accesslistLANLIST
GroupServerlist:Local
R5#shcryptoisakmpsa
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
SeethatSecondaryKShasISAKMPSAforeveryGM.
R5#shcryptoipsecsa
NoSAsfound
Certificate
Status:Available
Issuer:
cn=IOSCA
Subject:
Name:R5.micronicstraining.com
hostname=R5.micronicstraining.com
ValidityDate:
CACertificate
Status:Available
Issuer:
cn=IOSCA
Subject:
cn=IOSCA
ValidityDate:
OnGMweshouldseethatithasbeenregisteredtoPrimaryKSonly.
R4#shcryptogdoigm
CCIESecurity
Page317 of 322
IPSecSADirection
:Both
Lastrekeyseqnum:0
Reregister
RetryTimer
:NOTRUNNING
GroupName:GETVPN
MapName:CMAPGETVPN
NumberofRekeyAckssent
:0
New:10.1.24.41.1.1.11007F76137933A67598E
Current:
Previous:
R4#shcryptogdoigmreplay
TimebasedReplay:
isnotenabled
GroupName:GETVPN
GroupIdentity:1
Rekeysreceived:0
5.5.5.5
Rekeysreceived
Cumulative:0
Afterregistration:0
RekeyAckssent:0
KEKPOLICY:
Lifetime(secs):330
KeySize:192
SigHashAlgorithm
:HMAC_AUTH_SHA
Serial0/0/0.42:
IPsecSA:
spi:0xA175D05E(2708852830)
CCIESecurity
Page318 of 322
AntiReplay:Disabled
R4#shcryptoisakmpsa
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
R4doesmaintainISKAMPSAwithPrimaryandSecondaryKS.Thisisbecauseincaseof
PrimaryKSfailuretheKSdoesnotneedtorenegotiateIKEPhase1tosendRekey
messages.
R4#shcryptoipsecsa
protectedvrf:(none)
currentoutboundspi:0xA175D05E(2708852830)
inboundespsas:
spi:0xA175D05E(2708852830)
IVsize:16bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xA175D05E(2708852830)
IVsize:16bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
R4#ping192.168.6.6solo0
!!!!!
PingworksfinebecausethereisRIPv2enabledinthenetworksothatR2knowsabout
allnetworks.
CCIESecurity
Page319 of 322
Countershasincremented.LetstryTELNET.Itshouldbeexcludedfromencryption.
R4#tel192.168.6.6/solo0
Password:
R6>exit
Nocountersareincremented!Thatsgood.
Certificate
Status:Available
Issuer:
cn=IOSCA
Subject:
Name:R4
hostname=R4
ValidityDate:
CACertificate
Status:Available
Issuer:
cn=IOSCA
Subject:
cn=IOSCA
ValidityDate:
SamebunchofcommandsonR6.
R6#shcryptogdoigm
Lastrekeyseqnum:0
Reregister
RetryTimer
:NOTRUNNING
GroupName:GETVPN
CCIESecurity
Page320 of 322
MapName:CMAPGETVPN
New:10.1.26.61.1.1.11007F76137933A67598E
Current:
Previous:
GroupName:GETVPN
GroupIdentity
:1
Rekeysreceived:0
5.5.5.5
Rekeysreceived
Cumulative:0
Afterregistration:0
RekeyAckssent:0
KEKPOLICY:
Lifetime(secs):344
KeySize:192
Serial0/1/0.62:
IPsecSA:
spi:0xA175D05E(2708852830)
AntiReplay:Disabled
R6#shcryptoisakmpsa
IPv4CryptoISAKMPSA
IPv6CryptoISAKMPSA
R6#shcryptoipsecsa
CCIESecurity
Page321 of 322
protectedvrf:(none)
currentoutboundspi:0xA175D05E(2708852830)
inboundespsas:
spi:0xA175D05E(2708852830)
IVsize:16bytes
Status:ACTIVE
inboundahsas:
inboundpcpsas:
outboundespsas:
spi:0xA175D05E(2708852830)
IVsize:16bytes
Status:ACTIVE
outboundahsas:
outboundpcpsas:
SameSPInumberforInboundandOutbound.ThisSPIisexactlythesameoneveryGM.
Certificate
Status:Available
Issuer:
cn=IOSCA
Subject:
Name:R6
hostname=R6
ValidityDate:
CACertificate
Status:Available
Issuer:
cn=IOSCA
Subject:
cn=IOSCA
ValidityDate:
CCIESecurity
Page322 of 322

Site 2 Site VPNs

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Site 2 Site VPNs

Uploaded by

Copyright:

Available Formats

Advanced

LAB2.10. SITETOSITEIPSECVPNUSINGEASYVPNNEM(IOSIOS)...................................... 103

ISAKMP(InternetSecurity Associationand Key ManagementProtocol) isdefinedinRFC2408 and

Use IOS CA server configured on R1 for certificate enrollment. Configure domain

The defaultoptionisrequired, meaning thatifthe remotepeerdoesnotprovide correct identity

Jul 18 11:18:38 [IKEv1 DEBUG]: Group = 10.1.105.5, IP = 10.1.105.5, Received keepalive of

Use IOS CA server configured on R1 for certificate enrollment. Configure domain

Jul 23 03:43:19 [IKEv1]: IP = 10.1.104.4, IKE_DECODE RECEIVED Message (msgid=9b5f88d8) with

Phase1: simple HubandSpoketopologyweredynamicIPaddresseson thespokesmay

DMVPN Phase2introduces a newfeature whichis direct SpoketoSpoke communicationthrough

DMVPNPhase2with OSPFisvery similartoPhase2withEIGRP.WeneedtoconfigureOSPFina

A single DMVPNnetworkwitheachspoke using a singlemultipoint GRE tunnel interface

You might also like