Site to site timeouts : Stop Site-to-Site VPN Drop (ASA & Router)

Site to site timeouts : Stop Site-to-Site VPN Drop (ASA & Router)

  October 30, 2015    Raj

---

By default, site-to-site VPNs timeout after 30 minutes of idle time.

On ASA:
=========

Enter the vpn-idle-timeout command in
group-policy configuration mode or in username configuration mode in
order to configure the user timeout period: 

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none

Configure a maximum amount of time for VPN connections with the vpn-session-timeout 

command in group-policy configuration mode or in username configuration mode: 

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-session-timeout none

On ROUTER:

=========== 

Use the crypto ipsec security-association idle-time command in global configuration

mode or crypto map configuration mode in order to configure the IPsec SA idle 

timer. 

By default IPsec SA idle timers are disabled. 

crypto ipsec security-association idle-time 
seconds

Time is in seconds, which the idle timer allows an inactive peer to maintain an SA.

Valid values for the seconds argument range from 60 to 86400. 

Read More

Anyconnect licensing

Anyconnect licensing

  October 23, 2015    Raj

---

http://www.tunnelsup.com/understanding-cisco-asa-anyconnect-licensing

Read More

ASA L2L IPsec not encrypting the traffic (Duplicate SPI troubleshooting)

ASA L2L IPsec not encrypting the traffic (Duplicate SPI troubleshooting)

  October 22, 2015    Raj

---

What is an SPI ?

SPIs are the components that are going to be used to provide
protection to an outgoing packet ( Security Parameter Index ), so we are
going to see that it will identify a packet that is going to be
protected via an encryption

How to identify that we have duplicate SPIs: ?

1) Do a packet-tracer for the traffic that is supposed to go over the
VPN tunnel and get encrypted , include the Detail keyword to get the
information need it to proceed. and look at VPN - Allow section.

packet-tracer input inside udp 10.255.203.102 1610 10.220.100.17 3389 DETAIL

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcf20d730, priority=70, domain=encrypt, deny=false

hits=3016, *user_data=0x2d2ea0a4*, cs_id=0xcd3b96f0, reverse, flags=0×0,
protocol=0

src ip=10.255.203.0, mask=255.255.255.0, port=0

dst ip=10.220.100.0, mask=255.255.255.0, port=0, dscp=0×0



The value highlighted is the Virtual-Context being used for that VPN
traffic (There are several VPN contexts  used by a single crypto-map.)

2) Copy the  user_data vlaue from the above output and then paste it a notepad and capitalize the letters and then we are going to do a show asp table vpn-context search (We must capitalize the letters) .

show asp table vpn-context detail | begin  *0x2D2EA0A4*

VPN CTX  =* 0x2D2EA0A4*

Peer IP  = 10.220.100.0

Pointer  = 0xD26F7CA8

State    = UP

Flags    = *ENCR+ESP*

SA       =* 0x6B856011*

SPI      =* 0x25A3076D*

Group    = 7

Pkts     = *41006*

Bad Pkts = 0

Bad SPI  = 0

Spoof    = 0

Bad Crypto = 0

Rekey Pkt  = 9

Rekey Call = 9

Okay now we have the *VPN context , SA and SPI* being used for that
particular VPN traffic (remember that multiple VPN context can be used
for*different subnets*, this is why one subnet traffic across the VPN
might work and other ones not on the same Crypto-Map).

We can also see that it says*ENCR+ESP* which means that it’s encrypting
the traffic. We also see that it has a value of 4006 (Packets being
encrypted) So for the sake of the Packet-tracer everything is good.


3) Now let’s go to the Show crypto IPSec SA to get the SPI (in a perfect
world it should be the same one than the one used for the packet
tracer *0x25A3076D) *But let’s see if there is an issue:

sh crypto ipsec sa peer X.X.X.X ( We will focus only on the   current
 outbound esp SPI  as the problem is with encryption traffic)

peer address: X.X.X.X

Crypto map tag: TEST, seq num: 40, local addr: Y.Y.Y.Y

access-list TEST permit ip 10.255.203.0 255.255.255.0 10.220.100.0
255.255.255.0

local ident (addr/mask/prot/port): (10.255.203.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.220.100.0/255.255.255.0/0/0)

current_peer: X.X.X.X

* #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0*

*      #pkts decaps: 484, #pkts decrypt: 484, #pkts verify: 484*

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: Y.Y.Y.Y, remote crypto endpt.: X.X.X.X

path mtu 1500, ipsec overhead 58, media mtu 1500

*      current outbound spi: A19EC57E*

inbound esp sas:

spi: 0xCF559E0D (3478494733)

transform: esp-3des esp-md5-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 43950080, crypto-map: TEST

sa timing: remaining key lifetime (kB/sec): (4373958/27285)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x25A3076D (2711537022)

transform: esp-3des esp-md5-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 43950080, crypto-map: TEST

sa timing: remaining key lifetime (kB/sec): (4374000/27284)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0×00000000 0×00000001

What are the interesting outputs here:


1)  No packets are being encrypted, we are just decrypting traffic.

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 484, #pkts decrypt: 484, #pkts verify: 484

 2)  We  have an SPI value for the IPSec SA which is different than the
one used for the Packet-tracer

Packet tracer *25A3076D*

SPI                *      A19EC57E*



So what is next..



Well now that we have the SPI for the real IPSec traffic (not the
virtual-packet tracer flow) let’s look for the VPN context of that SPI:

sh asp table vpn-context detail | begin *A19EC57E*

* *

*VPN CTX  = 0x2D80E6FC*

Peer IP  = 10.220.100.0

Pointer  = 0xD08A30D0

State    = UP

Flags    = ENCR+ESP

*SA       = 0x6D5DAF29*

*SPI      = 0xA19EC57E*

Group    = 0

Pkts     = 0

Bad Pkts = 0

Bad SPI  = 0

Spoof    = 0

Bad Crypto = 0

Rekey Pkt  = 0

Rekey Call = 0



And there you go, 2 different VPN context and SPIs assigned to the same
traffic flow.. And in this one ( the real one) there are no packets
being encrypted.. which matches what the show crypto IPSec sa shows…

Now that we have recognized the issue, How do we fix it:

Well this is certainly a bug (an unexpected behavior) a reboot will fix
it! I know.. I know.. A reboot is not good enough .



Do this: clear crypto ipsec sa inactive

https://tools.cisco.com/bugsearch/bug/CSCtd36473

Read More

Site to site Error messages

Site to site Error messages

  October 15, 2015    Raj

---

During debug I could see this log:

Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.

I referred many documents to figure out what does this message say, and tried all
their suggestions but couldn't get my tunnel up.
Then I realized I have been missing something in my configuration.

I took a closer look and found that I have not enabled isakmp on my DMZ interface
where I was trying to create a tunnel to.
crypto isakmp enable DMZ

Read More

EZVPN on routers

EZVPN on routers

  October 12, 2015    Raj

---

Server side:
=================

username ezvpn-spoke1 password cisco1

aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local

Create A pool:
====================
ip local pool VPN-POOL 10.1.1.1 10.1.1.10

Split ACL :

ip access-list extended SPLIT_T
permit ip 192.168.0.0 0.0.255.255 any

!--- IKE configuration
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

!
crypto isakmp client configuration group VPN1
acl SPLIT_T
key cisco123
pool VPN-POOL
save-password

!--- IPSec configuration
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
! Create a dynamic map
crypto dynamic-map dynamap
set transform-set TRANSFORM-1
!
crypto map mymap client authentication list USER_AAA
crypto map mymap isakmp authorization list GROUP_AAA
crypto map mymap client configuration address respond
crypto map mymap 30000 ipsec-isakmp dynamic dynamap

on public interface
crypto map mymap


Client Side config:
=========================
!--- IPSec configuration
!
crypto ipsec client ezvpn VPN1
connect auto
group VPN1 key cisco123
mode client
peer 1.1.1.1
username ezvpn-spoke1 password cisco1


on private interface
crypto ipsec client ezvpn VPN1 inside

on public Interface:
====================
crypto ipsec client ezvpn VPN1













Ref:
http://www.cisco.com/c/en/us/td/docs/routers/access/1800/1841/software/configuration/guide/sw/ezvpn.html

Read More

VPN client on ASA

VPN client on ASA

  October 12, 2015    Raj

---

This section describes how to configure remote access VPNs and includes the following topics:

•Configuring Interfaces
•Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
•Configuring an Address Pool
•Adding a User
•Creating a Transform Set
•Defining a Tunnel Group
•Creating a Dynamic Crypto Map
•Creating a Crypto Map Entry to Use the Dynamic Crypto Map

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

 crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

isakmp enable outside

Configuring an Address Pool

ip local pool testpool 192.168.0.10-192.168.0.15

Creating Split ACL

access-list SPLIT st permit ip 10.10.10.0 255.255.255.0

Creating Group policy:  Later we will call this policy in tunnel group

group-policy MYVPN
group-policy MYVPN internal
group-policy MYVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT

Creating a Transform Set 

crypto ipsec transform set FirstSet esp-3des esp-md5-hmac

Defining a Tunnel Group 

tunnel-group testgroup type ipsec-ra

tunnel-group testgroup general-attributes 

address-pool testpool

default-group-policy MYVPN ********* This one is for split tunnel 

tunnel-group testgroup ipsec-attributes

pre-shared-key cisco123

Creating a Dynamic Crypto Map

crypto dynamic-map dyn1 1 set transform-set FirstSet

Creating a Crypto Map Entry to Use the Dynamic Crypto Map

crypto map mymap 65530 ipsec-isakmp dynamic dyn1

 crypto map mymap interface outside

 

 Ref: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/vpnrmote.html#wp1084002

 

 

 

Read More

TND Feature for Anyconnect VPN : TND - Trusted Network Detection

TND Feature for Anyconnect VPN : TND - Trusted Network Detection

  October 08, 2015    Raj

---

Read More

Anyconnect CLI config on ASA

Anyconnect CLI config on ASA

  October 07, 2015    Raj

---

upload .pkg file to asa
You can ASDM to ASA and put .pkg file to your disk0.
or you can copy fro your TFTP
copy tftp flash
enter source IP
enter source file name anyconnect-win-3.1.05152-k9
destination file name , let it be same just hit enter

! Here is the scenario

!
! Create a 'pool' of IP addresses that the ASA will allocate to the remote clients.
!
ip local pool MYANYCONNECTPOOL 10.10.10.10-10.10.10.60 mask 255.255.255.0
!
!
! Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect. we are doing this so that if a user doesnt have anyconnect software he can connect to web VPN and then download the installation package.
!
webvpn
enable outside
tunnel-group-list enable ********** this command enables your tunnel-group drop down list option on the WebVPN Login page from webvpn mode
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1 
anyconnect enable
!
! create a local username and password, you may choose to use RADIUS or Kerberos AAA. also create an ACL that we will use for split tunneling in a minute.
!
username raj password cisco123
!
access-list SPLIT-TUNNEL standard permit 20.20.20.0 255.255.255.0
!
! Create a group policy and define the tunnel protocol as ssl-client also define what you want to do with your split tunnel.
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
!
! Create a matching tunnel-group that ties everything together. A tunnel group should have atleast three attributes : Type - Remote access, Pool & authentication method
!
tunnel-group Bangalore type remote-access
! Bangalore is the name of the profile that we will connect to.
tunnel-group Bangalore general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool MYANYCONNECTPOOL
tunnel-group Bangalore webvpn-attributes
! now when you will connect to VPN it will by default fall on default-webvpn tunnel group and you will get all drop down options to select your tunnel group/profile. But if you want to have direct connection to your profile then this can be done using "Group URL". you need to add this command additionally. I am not going to use it so I am just putting the command here :
! group-url https://10.197.226.101/Bangalore enable
group-alias Bangalore enable

2-factor authentication example:
==========================
We can enable 2- factor authentication and it will ask for 2 local user name and passwords if local authentication is enabled. Normally this Secondary authentication is done either using certificate or AD in association with a softoken software.

Here is how we can just test it using local authentication:

Using CLI :
============

 tunnel-group Bangalore general-attributes

        authentication-attr-from-server secondary

        authenticated-session-username secondary

        secondary-authentication-server-group LOCAL

Using ASDM:

============

source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/vpn_asdm_setup.html

Read More

VTI - DVTI cofig for VPN client

VTI - DVTI cofig for VPN client

  October 06, 2015    Raj

---

crypto isakmp policy 10

 encr 3des

 hash md5

 authentication pre-share

 group 5

!

!Create a pool: ip local pool ippool 192.168.1.1 192.168.1.2
!
!Split ACL:
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!Create isakmp group:
!================
crypto isakmp client configuration group cisco
key cisco
acl 101
pool ippool
!
aaa authentication login methodlist1 local aaa authorization network methodlist2 local
!
!Create IPSec policies:
!================
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
!Create ISAKMP profile and associate ISAKMP group with it:
!============================================
crypto isakmp profile myprofile
match identity group cisco
client authentication list methodlist1
isakmp authorization list methodlist2
client configuration address respond
virtual-template 1
!
!Create IPSec profile and associate isakmp profile:
!=================================================
crypto ipsec profile cisco
set isakmp-profile myprofile
set transform-set MYSET

!!

!Create a virtual Template:
!==============================================
interface Virtual-Template 1 type tunnel
ip unnumbered <egress interface>
tunnel source <egress interface>
tunnel mode ipsec ipv4
tunnel protection ipsec profile myprofile

Read More

VTI - Static VTI config

VTI - Static VTI config

  October 06, 2015    Raj

---

R2#
conf t
inter fa1/1
no shut
ip address 1.1.1.1 255.255.255.252
exit
!
inter fa1/0
no shut
ip add 10.10.10.1 255.255.255.0
exit
!
crypto ipsec profile myprofile
set transform-set tunnel1
!
inter tu0
ip add 172.16.14.1 255.255.255.252
tunnel source 1.1.1.1
tunnel destination 1.1.1.2
! these are two additional commands

tunnel mode ipsec ipv4 ***********

tunnel protection ipsec profile myprofile

exit
!
! define policies for phase 1
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
!
!
no need to define access list here since its going to decide the exit interface based on routing table.
and no need for a crypto map

ip access-list ex GRE1
permit gre 1.1.1.1 255.255.255.255 1.1.1.2 255.255.255.255
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set tunnel1
match address GRE1
!
interface fa1/1
! no need to apply crypto map to outside interface
crypto map mymap
!
! lets finally enable the tunnel!
inter tun0
no shut
!
exit
=====================
on R3
R2#
conf t
inter fa1/0
no shut
ip address 1.1.1.2 255.255.255.252
exit
!
inter fa1/1
no shut
ip add 20.20.20.1 255.255.255.0
exit
!
crypto ipsec profile myprofile
set transform-set tunnel1
!
inter tu0
ip add 172.16.14.2 255.255.255.252
tunnel source 1.1.1.2
tunnel destination 1.1.1.1
! these are two additional commands

tunnel mode ipsec ipv4 *********** as you enter this command your tunnel interface will go down if it was UP earlier.
see the logs here:
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#
*Oct  7 02:35:42.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
tunnel protection ipsec profile myprofile * this command does the same thing when you enable a crypto map on an interface.
R2(config-if)#tunnel protection ipsec profile myprofile
R2(config-if)#
*Oct  7 02:37:20.307: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

exit
!
! define policies for phase 1
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
!
!
no need to define access list here since its going to decide the exit interface based on routing table.
and no need for a crypto map

ip access-list ex GRE1
permit gre 1.1.1.1 255.255.255.255 1.1.1.2 255.255.255.255
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set tunnel1
match address GRE1
!
interface fa1/0
! no need to apply crypto map to outside interface
crypto map mymap
!
! lets finally enable the tunnel!
inter tun0
no shut
!
exit


Now if you see routing table on R3, since we are using GRE so R3 is learning the routes from R2 and it knows that 10.10.10.0/24 network is reachable via Tunnel 0.
R2(config-if)#do sh ip ro
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/30 is directly connected, FastEthernet1/0
L        1.1.1.2/32 is directly connected, FastEthernet1/0
      10.0.0.0/24 is subnetted, 1 subnets
D        10.10.10.0 [90/26882560] via 172.16.14.1, 00:00:14, Tunnel0

Useful Show commands:

==================

sh crypto session - This command will give you a list of all IKE and IPSec SA sessions
Some common status:
1. Up-Active – IPSec SA is up/active and transferring data.
2. Up-IDLE – IPSsc SA is up, but there is not data going over the tunnel
3. Up-No-IKE – This occurs when one end of the VPN tunnel terminates the IPSec VPN and the remote end attempts to keep using the original SPI, this can be avoided by issuing crypto isakmp invalid-spi-recovery
4. Down-Negotiating – The tunnel is down but still negotiating parameters to complete the tunnel.
5. Down – The VPN tunnel is down.

sh crypto sockets 
Socket State - This state can be Open, which means that active IPsec security associations (SAs) exist, or it can be Closed, which means that no active IPsec SAs exist.

sh crypto map

sh crypto isakmp sa - This command will tell us the status of our negotiations, here are some of the common ISAKMP SA status
The following four modes are found in IKE main mode

• MM_NO_STATE – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
• MM_SA_SETUP – Both peers agree on ISAKMP SA parameters and will move along the process
• MM_KEY_EXCH – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mis-matched authentication type or PSK, if it does not proceed to the next step)
• MM_KEY_AUTH – ISAKMP SA’s have been authenticated in main mode and will proceed to QM_IDLE immediately.

The following three modes are found in IKE aggressive mode

• AG_NO_STATE – ISAKMP SA process has started but has not continued to form (typically do to a connectivity issue with the peer)
• AG_INIT_EXCH – Peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet.
• AG_AUTH– ISAKMP SA’s have been authenticated in aggressive mode and will proceed to QM_IDLE immediately.

The following mode is found in IKE Quick Mode, phase 2

• QM_IDLE – The ISAKMP SA is idle and authenticated

sh crypto ipsec sa - There are a few key things to watch out for. Such as the #pkts encaps/encrypt/decap/decrypt, these numbers tell us how many packets have actually traversed the IPSec tunnel and also verifies we are receiving traffic back from the remote end of the VPN tunnel. This will also tell us the local and remote SPI, transform-set, DH group, & the tunnel mode for IPSec SA.

(Ref: http://ccie-or-null.net/2012/04/30/verifying-ipsec-tunnels/)

R1#sh crypto session 

Crypto session current status

Interface: Tunnel0

Session status: UP-ACTIVE     

Peer: 1.1.1.2 port 500 

  IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active 

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 

        Active SAs: 2, origin: crypto map

==============================================

R1#sh crypto sockets 

Number of Crypto Socket connections 1

   Tu0 Peers (local/remote): 1.1.1.1/1.1.1.2 

       Local Ident  (addr/mask/port/prot): (0.0.0.0/0.0.0.0/0/0)

       Remote Ident (addr/mask/port/prot): (0.0.0.0/0.0.0.0/0/0)

       IPSec Profile: "myprofile"

       Socket State: Open

       Client: "TUNNEL SEC" (Client State: Active)

Crypto Sockets in Listen state:

Client: "TUNNEL SEC" Profile: "myprofile" Map-name: "Tunnel0-head-0"

===============================================

R1#sh crypto map 

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp

Profile name: myprofile

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Transform sets={ 

tunnel1:  { esp-aes esp-sha-hmac  } , 

}

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp

Map is a PROFILE INSTANCE.

Peer = 1.1.1.2

Extended IP access list 

   access-list  permit ip any any

Current peer: 1.1.1.2

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Transform sets={ 

tunnel1:  { esp-aes esp-sha-hmac  } , 

}

Always create SAs

Interfaces using crypto map Tunnel0-head-0:

                Tunnel0

=============================================

R1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

1.1.1.1         1.1.1.2         QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

============================================

R1#sh crypto ipsec sa

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   current_peer 1.1.1.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 258, #pkts encrypt: 258, #pkts digest: 258

    #pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256

==============================================

Important Debug commands:

======================

debug crypto isa sa

debug crypto ipsec sa

debug tunnel

debug tunnel keepalive

debug crypto socket

debug tunnel protection

Read More

GRE over IPSec

GRE over IPSec

  October 06, 2015    Raj

---

R2#
! Interface configuration:
conf t
inter fa1/1
no shut
ip address 1.1.1.1 255.255.255.252
exit
!
! Interface configuration:
inter fa1/0
no shut
ip add 10.10.10.1 255.255.255.0
exit
!
! Create a virtual tunnel Interface, give an IP address to this interface. This IP address must not be used anywhere else in your internal network. Then we define tunnel source and destination.
inter tu0
ip add 172.16.14.1 255.255.255.252
tunnel source 1.1.1.1
tunnel destination 1.1.1.2
exit
!
! define policies for phase 1
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
!
ip access-list ex GRE1
permit gre 1.1.1.1 255.255.255.255 1.1.1.2 255.255.255.255
!
! Create a Crypto map
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set tunnel1
match address GRE1
!
! Apply the crypto map to exit interface
interface fa1/1
crypto map mymap
!
! Turn ON the tunnel :) 
inter tun0
no shut
!
exit
=========

on R3

R3#
conf t
inter fa1/0
no shut
ip address 1.1.1.2 255.255.255.252
exit
!
inter fa1/1
no shut
ip add 20.20.20.1 255.255.255.0
exit
!
inter tu0
ip add 172.16.14.2 255.255.255.252
tunnel source 1.1.1.2
tunnel destination 1.1.1.1
exit
!
! define policies for phase 1
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac

!
ip access-list ex GRE1
permit gre 1.1.1.2 255.255.255.255 1.1.1.1 255.255.255.255
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set tunnel1
match address GRE1
!
interface fa1/0
crypto map mymap
!
inter tun0
no shut
!
exit

=================
Debug command:

debug tunnel

These are the debugs taken when your tunnel comes up:
=================================================
*Oct 11 04:28:30.027: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
*Oct 11 04:28:35.771: Tunnel0: GRE/IP encapsulated 1.1.1.1->1.1.1.2 (linktype=7, len=84)
*Oct 11 04:28:35.775: Tunnel0 count tx, adding 0 encap bytes
*Oct 11 04:28:36.955: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=96 ttl=254 tos=0xC0)
*Oct 11 04:28:36.959: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=96 ttl=254 tos=0xC0)
*Oct 11 04:28:36.963: Tunnel0: GRE/IP (PS) to decaps 1.1.1.2->1.1.1.1 (tbl=0,"default" len=96 ttl=253)
*Oct 11 04:28:36.967: Tunnel0: GRE decapsulated IP packet (linktype=7, len=72)
*Oct 11 04:28:36.971: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=64 ttl=254 tos=0xC0)
*Oct 11 04:28:36.971: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=64 ttl=254 tos=0xC0)
*Oct 11 04:28:36.983: %DUAL-5-NBRCHANGE: EIGRP-IPv4 110: Neighbor 172.168.16.2 (Tunnel0) is up: new adjacency

Router#sh inter tu0

Tunnel0 is up, line protocol is up 

  Hardware is Tunnel

  Internet address is 172.168.16.1/30

  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec, 

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 1.1.1.1, destination 1.1.1.2

  Tunnel protocol/transport GRE/IP

Read More

VPN Client on router

VPN Client on router

  October 02, 2015    Raj

---

If you want aaa authentication to be done <otherwise you can skip this part and directly start from phase 1 config>

aaa new-model
!

!--- In order to enable Xauth for user authentication, !--- enable the aaa authentication commands.


aaa authentication login userauthen<THis is just a name> local


!--- In order to enable group authorization, enable !--- the aaa authorization commands.

aaa authorization network groupauthor local 

!

Phase 1 config: Define policies <The HAGLE items>

!--- Create an Internet Security Association and !--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.


crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

Create an access list for your split ACL. The traffic that you define in this ACL will only be allowed on your VPN tunnel, rest of the traffic will not be tunneled and work solely based on your routing table.

So here 10.10.10.0/24 is my internal network. 192.168.1.0/24 is the pool that I have created for my VPN users that I want them to get IP from.

Now, lets say I haven't defined any split traffic rules yet, so what happens.
A remote client connects to VPN and gets an IP address 192.168.1.1. He tries to access my internal network, say 10.10.10.10, traffic hits the tunnel and gets encrypted and comes through the tunnel, and thats what I needed.

Now that same client opens google.com but that traffic is also getting routed to my VPN tunnel instead it should have gone directly to internet. In order to make that happen we define a split ACL that will inject a route in your remote host once he connects to VPN.

When we look at it from client side:
The route should say when there is any traffic from 192.168.1.0/24 to 10.10.10.0/24 please send it via VPN tunnel.
remaining traffic will go to whatever routing/NAT  you have done in your box.

When we look at it from Router side:
The route should say when there is any traffic from 10.10.10.0/24 to 192.168.1.0/24 please send it via VPN tunnel.

so the point to take away from the above example is , this ACL gets reverse implemented on client side.

access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

!--- Create a pool of addresses to be !--- assigned to the VPN Clients. 

ip local pool ippool 192.168.1.1 192.168.1.2

Apply the ACL on the group properties.

crypto isakmp client configuration group 
testgroup <this is the name which will be used to connect your client>
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101

Phase 2 Policies:

!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-3des esp-md5-hmac

 !--- Create a dynamic map and apply !--- the transform set that was created earlier.... There is one more way this can be achieved: Using ISAKMP profile:Click here

crypto dynamic-map dynmap 10
 set transform-set myset <Calling the trasnform set in dynamic map>
 reverse-route

!--- Create the actual crypto map, !--- and apply the AAA lists that were created earlier.

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor 
crypto map clientmap client configuration address respond 
crypto map clientmap 10 ipsec-isakmp dynamic dynmap <binding the dynamic map with our crypto map>

!--- Apply the crypto map on the outbound interface.





crypto map clientmap

Example of we do NAT how can we do NAT exemption:

!--- Enables Network Address Translation (NAT) !--- of the inside source address that matches access list 111 !--- and gets PATed with the FastEthernet IP address.


ip nat inside source list 111 interface FastEthernet1/0 overload
!

!--- The access list is used to specify which traffic !--- is to be translated for the outside Internet.
 

access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any

============================

We can do it in one more way,create ISAKMP profile and then associate that profile with dynamic map, then call the dynamic map into crypto map on last line:

Create ISAKMP profile:

crypto isakmp profile VPNclient 
   description VPN clients profile 
   match identity group testgroup 
   client authentication list clientauth 
   isakmp authorization list groupauthor 
   client configuration address respond

Associate this profile with Dynamic map:

crypto ipsec transform-set myset esp-3des esp-sha-hmac <Create a transform set if you dont already have it>

crypto dynamic-map dynmap 5 
 set transform-set myset  
 set isakmp-profile VPNclient

Now apply the dynamic map to crypto map:

crypto map mymap 10 ipsec-isakmp dynamic dynmap

go back to where you were

Source:

http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46242-lan-to-lan-vpn-client.html

Read More