
Tuesday 6 October 2015

VTI - Static VTI config


on R2
R2#
conf t
inter fa1/1
no shut
ip address 1.1.1.1 255.255.255.252
exit
!
inter fa1/0
no shut
ip add 10.10.10.1 255.255.255.0
exit
!
crypto ipsec profile myprofile
set transform-set tunnel1
!
inter tu0
ip add 172.16.14.1 255.255.255.252
tunnel source 1.1.1.1
tunnel destination 1.1.1.2
! these are the two commands that turn Tunnel0 into a VTI: IPsec encapsulation
! instead of GRE, and protection by the IPsec profile defined above
tunnel mode ipsec ipv4
tunnel protection ipsec profile myprofile
exit
!
! define policies for phase 1 (IKEv1/ISAKMP)
! Lab values only: 3DES, MD5 and DH group 5 are deprecated, and "cisco" is a
! guessable pre-shared key. In production use AES, SHA-2 and DH group 14 or
! higher (or IKEv2), and a long random PSK per peer.
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
!
!
! With a VTI there is no crypto ACL: whatever the routing table sends out Tunnel0
! is encrypted (the proxy identity is 0.0.0.0/0 <-> 0.0.0.0/0, as sh crypto sockets
! shows later), so no crypto map is needed either. The ACL and crypto map below are
! the classic GRE-over-IPsec crypto-map approach, kept here only for contrast;
! do NOT enter them on a VTI router. (Extended ACLs take wildcard masks, so the
! original "1.1.1.1 255.255.255.255" would have matched any host; host keywords
! express the intent.)
!
ip access-list ex GRE1
permit gre host 1.1.1.1 host 1.1.1.2
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set tunnel1
match address GRE1
!
interface fa1/1
! with a VTI the crypto map is NOT applied to the outside interface
crypto map mymap
!
! finally, bring the tunnel up
inter tun0
no shut
!
exit
=====================
on R3
R3#
conf t
inter fa1/0
no shut
ip address 1.1.1.2 255.255.255.252
exit
!
inter fa1/1
no shut
ip add 20.20.20.1 255.255.255.0
exit
!
crypto ipsec profile myprofile
set transform-set tunnel1
!
inter tu0
ip add 172.16.14.2 255.255.255.252
tunnel source 1.1.1.2
tunnel destination 1.1.1.1
! these are the two commands that turn Tunnel0 into a VTI
tunnel mode ipsec ipv4
! as soon as you enter this command the tunnel interface goes down if it was up
! before, because the encapsulation changes from GRE to IPsec. See the log:
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#
*Oct  7 02:35:42.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
tunnel protection ipsec profile myprofile
! this turns ISAKMP on, exactly as applying a crypto map to an interface does:
R2(config-if)#tunnel protection ipsec profile myprofile
R2(config-if)#
*Oct  7 02:37:20.307: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
exit
!
! define policies for phase 1
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
!
!
! With a VTI there is no crypto ACL and no crypto map on R3 either: the routing
! table decides what goes into Tunnel0 and everything that does is encrypted.
! The lines below are the crypto-map approach, shown only for contrast; do NOT
! enter them on a VTI router. Note that the R3 side would peer with 1.1.1.1 and
! match GRE from 1.1.1.2 to 1.1.1.1, the mirror image of R2 (the original text
! had R2's values pasted here unchanged).
!
ip access-list ex GRE1
permit gre host 1.1.1.2 host 1.1.1.1
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set tunnel1
match address GRE1
!
interface fa1/0
! with a VTI the crypto map is NOT applied to the outside interface
crypto map mymap
!
! finally, bring the tunnel up
inter tun0
no shut
!
exit
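The phase 1 policy and transform set used on both routers (3DES, MD5, DH group 5, a pre-shared key of "cisco", and SHA-1 HMAC in the transform set) are fine for a lab but should not go into production. The script below is an added example, not part of the original post: it parses the crypto isakmp policy, crypto isakmp key and crypto ipsec transform-set lines out of IOS configuration text and flags deprecated choices. The weakness thresholds (DES/3DES, MD5, SHA-1, DH groups 1/2/5, short or well-known PSKs), the defaults assumed for an isakmp policy that omits a line (des, sha, group 1, rsa-sig), the PAGE_CONFIG sample (copied from the post) and the HARDENED_CONFIG replacement are my own assumptions; whether encr aes 256, hash sha256 and group 14 are accepted depends on the IOS release, and IKEv2 is the better choice on releases that support it.

```python
"""Flag deprecated IKEv1/IPsec algorithm choices in Cisco IOS config text.
Added example; thresholds are my reading of Cisco's Next Generation
Encryption guidance, not something the original post states."""
import re
from dataclasses import dataclass

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}          # in an isakmp policy, "hash sha" is SHA-1
WEAK_DH = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
GUESSABLE_PSK = {"cisco", "cisco123", "password", "secret"}


@dataclass
class IsakmpPolicy:
    number: int
    # Assumed IOS defaults that apply when a line is omitted from the policy
    encr: str = "des"
    hash: str = "sha"
    group: str = "1"
    auth: str = "rsa-sig"


def parse_crypto_config(text):
    """Pull isakmp policies, transform-sets and pre-shared keys out of IOS config text."""
    policies, transform_sets, psks = [], {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = IsakmpPolicy(int(m.group(1)))
            policies.append(current)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            current = None
            continue
        # optional leading digit = encryption type (e.g. "key 6 ..."); only cleartext keys are judged
        m = re.match(r"crypto isakmp key (?:(\d) )?(\S+) address (\S+)", line)
        if m:
            psks.append((m.group(3), m.group(2), m.group(1) is not None))
            current = None
            continue
        if line.startswith("crypto "):
            current = None          # some other crypto block; stop attributing sub-lines
            continue
        if current is not None:
            kw, *args = line.split()
            if kw in ("encr", "encryption"):
                current.encr = " ".join(args)       # e.g. "aes 256"
            elif kw == "hash":
                current.hash = args[0]
            elif kw == "group":
                current.group = args[0]
            elif kw == "authentication":
                current.auth = args[0]
    return policies, transform_sets, psks


def audit_crypto_config(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    policies, transform_sets, psks = parse_crypto_config(text)
    for p in policies:
        if p.encr.split()[0] in WEAK_ENCR:
            findings.append(f"isakmp policy {p.number}: weak encryption '{p.encr}'")
        if p.hash in WEAK_HASH:
            findings.append(f"isakmp policy {p.number}: weak hash '{p.hash}'")
        if p.group in WEAK_DH:
            findings.append(f"isakmp policy {p.number}: weak DH group {p.group}")
    for name, algs in transform_sets.items():
        for alg in algs:
            if alg in WEAK_ESP:
                findings.append(f"transform-set {name}: weak transform '{alg}'")
    for peer, key, encrypted in psks:
        if not encrypted and (len(key) < 16 or key.lower() in GUESSABLE_PSK):
            findings.append(f"pre-shared key for {peer}: short or guessable PSK")
    return findings


# Constructed samples: the post's lab policy, and a hardened replacement (assumed syntax).
PAGE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
"""
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key Kx7-v2pQ-9rLm-4sTw-bN8e address 1.1.1.2
!
crypto ipsec transform-set tunnel1 esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_crypto_config(cfg) or "no findings")
```

Feed it the output of show running-config | section crypto. Type-6 encrypted keys (crypto isakmp key 6 ...) are skipped on purpose because their cleartext is not visible; a policy that omits a line is judged on the assumed IOS defaults, which is why an empty policy is flagged three times.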


Now look at the routing table on R3. Because the VTI is an ordinary routed interface, a routing protocol can run across it: R3 learns 10.10.10.0/24 from R2 via EIGRP over Tunnel0 (the D / [90/...] entry below; the EIGRP configuration is not shown). Anything routed into Tunnel0 is encrypted, which is what replaces the crypto ACL of a crypto-map design.
R2(config-if)#do sh ip ro
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/30 is directly connected, FastEthernet1/0
L        1.1.1.2/32 is directly connected, FastEthernet1/0
      10.0.0.0/24 is subnetted, 1 subnets
D        10.10.10.0 [90/26882560] via 172.16.14.1, 00:00:14, Tunnel0


Useful show commands:
==================
sh crypto session - lists all IKE and IPsec SA sessions. Common status values:
1. UP-ACTIVE – the IPsec SA is up and passing data.
2. UP-IDLE – the IPsec SA is up, but no data is going over the tunnel.
3. UP-NO-IKE – one end has torn down the IKE SA while the remote end keeps using the original IPsec SPI; this can be avoided with crypto isakmp invalid-spi-recovery.
4. DOWN-NEGOTIATING – the tunnel is down but still negotiating parameters to complete it.
5. DOWN – the VPN tunnel is down.

sh crypto sockets - shows the crypto socket each VTI has opened towards its peer. Socket State is Open when active IPsec security associations (SAs) exist and Closed when none exist.

sh crypto map - on a VTI router this shows the automatically generated map "Tunnel0-head-0" (the profile instance) rather than a map you configured.
sh crypto isakmp sa - shows the state of the phase 1 negotiation. Common ISAKMP SA states:
The following four states are found in IKE main mode:
  • MM_NO_STATE – the ISAKMP SA process has started but has not continued to form (typically a connectivity issue with the peer)
  • MM_SA_SETUP – both peers agree on the ISAKMP SA parameters and will move along the process
  • MM_KEY_EXCH – both peers have exchanged their DH public values and are generating the shared secret (if the negotiation never proceeds past this state, suspect a mismatched authentication type or PSK)
  • MM_KEY_AUTH – the ISAKMP SAs have been authenticated in main mode and will proceed to QM_IDLE immediately
The following three states are found in IKE aggressive mode:
  • AG_NO_STATE – the ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
  • AG_INIT_EXCH – the peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet
  • AG_AUTH – the ISAKMP SAs have been authenticated in aggressive mode and will proceed to QM_IDLE immediately
The following state is found in quick mode (phase 2):
  • QM_IDLE – the ISAKMP SA is authenticated and idle; this is the normal steady state
sh crypto ipsec sa - the key things to watch are the #pkts encaps/encrypt and #pkts decaps/decrypt counters: they tell you how many packets have actually traversed the IPsec tunnel in each direction, so a counter that rises on one side only points to a one-way problem (routing on one end, or the remote end not sending). The output also shows the local and remote SPI, the transform set, the DH group and the tunnel mode of the IPsec SA.
(Ref: http://ccie-or-null.net/2012/04/30/verifying-ipsec-tunnels/)

R1#sh crypto session 
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE     
Peer: 1.1.1.2 port 500 
  IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active 
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
==============================================
R1#sh crypto sockets 

Number of Crypto Socket connections 1

   Tu0 Peers (local/remote): 1.1.1.1/1.1.1.2 
       Local Ident  (addr/mask/port/prot): (0.0.0.0/0.0.0.0/0/0)
       Remote Ident (addr/mask/port/prot): (0.0.0.0/0.0.0.0/0/0)
       IPSec Profile: "myprofile"
       Socket State: Open
       Client: "TUNNEL SEC" (Client State: Active)

Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "myprofile" Map-name: "Tunnel0-head-0"
===============================================
R1#sh crypto map 
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: myprofile
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={ 
tunnel1:  { esp-aes esp-sha-hmac  } , 
}

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 1.1.1.2
Extended IP access list 
   access-list  permit ip any any
Current peer: 1.1.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={ 
tunnel1:  { esp-aes esp-sha-hmac  } , 
}
Always create SAs
Interfaces using crypto map Tunnel0-head-0:
                Tunnel0
=============================================

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         1.1.1.2         QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

============================================
R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 258, #pkts encrypt: 258, #pkts digest: 258
    #pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
==============================================
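As an added example (not part of the original post), here is a small Python checker that applies the rules from the show-command notes above to captured output: Session status must be UP-ACTIVE, there must be an ISAKMP SA in QM_IDLE/ACTIVE (any other state is mapped to the troubleshooting hint from the state list), and the encaps and decaps counters of show crypto ipsec sa must both rise between two snapshots, otherwise the tunnel is one-way. The sample captures are trimmed copies of the output above; the second snapshot, the DOWN-NEGOTIATING session and the MM_KEY_EXCH row are constructed so that the checks have something to fail on.

```python
"""Judge VTI health from 'show crypto session', 'show crypto isakmp sa' and two
'show crypto ipsec sa' snapshots.  Added example; sample captures below are
constructed from the post's output, with invented failure cases."""
import re

# Hints for non-final ISAKMP states, taken from the post's state list.
STATE_HINTS = {
    "MM_NO_STATE": "phase 1 started but stalled; check reachability and UDP/500 to the peer",
    "MM_SA_SETUP": "policy agreed, negotiation still in progress",
    "MM_KEY_EXCH": "DH done; if stuck here suspect a mismatched PSK or authentication type",
    "MM_KEY_AUTH": "authenticated, should move to QM_IDLE",
    "AG_NO_STATE": "aggressive mode started but stalled; check reachability",
    "AG_INIT_EXCH": "aggressive mode: first packets exchanged, not yet authenticated",
    "AG_AUTH": "authenticated, should move to QM_IDLE",
}


def session_status(show_crypto_session):
    """Map each 'Interface:' block of 'show crypto session' to its Session status."""
    result, iface = {}, None
    for line in show_crypto_session.splitlines():
        m = re.match(r"\s*Interface:\s*(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s*Session status:\s*(\S+)", line)
        if m and iface:
            result[iface] = m.group(1)
    return result


def isakmp_sas(show_crypto_isakmp_sa):
    """Return (dst, src, state, status) for each IPv4 ISAKMP SA row."""
    ip = r"(\d{1,3}(?:\.\d{1,3}){3})"
    rows = []
    for line in show_crypto_isakmp_sa.splitlines():
        m = re.match(rf"\s*{ip}\s+{ip}\s+(\S+)\s+\d+\s+(\S+)", line)
        if m:
            rows.append(m.groups())
    return rows


def ipsec_counters(show_crypto_ipsec_sa):
    """Return the encaps/decaps packet counters from 'show crypto ipsec sa'."""
    counters = {}
    for key in ("encaps", "decaps"):
        m = re.search(rf"#pkts {key}:\s*(\d+)", show_crypto_ipsec_sa)
        counters[key] = int(m.group(1)) if m else 0
    return counters


def tunnel_health(session_out, isakmp_out, ipsec_before, ipsec_after, iface="Tunnel0"):
    """Return a list of problems; an empty list means the VTI looks healthy."""
    problems = []
    status = session_status(session_out).get(iface)
    if status != "UP-ACTIVE":
        problems.append(f"{iface}: session status {status}, expected UP-ACTIVE")
    sas = isakmp_sas(isakmp_out)
    if not any(state == "QM_IDLE" and st == "ACTIVE" for _, _, state, st in sas):
        if not sas:
            problems.append("no ISAKMP SA at all: phase 1 never started (no route to peer, or ISAKMP not enabled?)")
        for dst, src, state, _ in sas:
            problems.append(f"ISAKMP SA {src}->{dst} in {state}: {STATE_HINTS.get(state, 'unknown state')}")
    before, after = ipsec_counters(ipsec_before), ipsec_counters(ipsec_after)
    if after["encaps"] <= before["encaps"]:
        problems.append("encaps not increasing: nothing is being routed into the tunnel")
    if after["decaps"] <= before["decaps"]:
        problems.append("decaps not increasing: nothing coming back from the peer (one-way tunnel)")
    return problems


# Constructed samples (trimmed from the post; failure cases are invented).
SESSION = """Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
  IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
"""
SESSION_DOWN = "Interface: Tunnel0\nSession status: DOWN-NEGOTIATING\nPeer: 1.1.1.2 port 500\n"
ISAKMP = """dst             src             state          conn-id status
1.1.1.1         1.1.1.2         QM_IDLE           1004 ACTIVE
"""
ISAKMP_STUCK = "1.1.1.2         1.1.1.1         MM_KEY_EXCH       1005 ACTIVE\n"
IPSEC_T0 = "#pkts encaps: 258, #pkts encrypt: 258, #pkts digest: 258\n#pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256\n"
IPSEC_T1 = "#pkts encaps: 270, #pkts encrypt: 270, #pkts digest: 270\n#pkts decaps: 268, #pkts decrypt: 268, #pkts verify: 268\n"
IPSEC_ONEWAY = "#pkts encaps: 270, #pkts encrypt: 270, #pkts digest: 270\n#pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256\n"

if __name__ == "__main__":
    for label, args in (("healthy", (SESSION, ISAKMP, IPSEC_T0, IPSEC_T1)),
                        ("one-way", (SESSION, ISAKMP, IPSEC_T0, IPSEC_ONEWAY)),
                        ("stuck", (SESSION_DOWN, ISAKMP_STUCK, IPSEC_T0, IPSEC_T0))):
        print(label, tunnel_health(*args) or ["Tunnel0 healthy"])
```

Take the two ipsec snapshots a few seconds apart while traffic is flowing (a ping across the tunnel is enough); with no traffic the counters legitimately stand still and the checker reports the tunnel as one-way, so run it against a tunnel that should be busy, not an idle one.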


Important debug commands:
======================
debug crypto isakmp
debug crypto ipsec
debug tunnel
debug tunnel keepalive
debug crypto socket
debug tunnel protection
Crypto debugs are CPU-expensive on a busy router; limit them to the one peer you are troubleshooting with conditional debugging (debug crypto condition peer ipv4 <peer-address>) before enabling them, and turn everything off with undebug all when done.
