Cisco - Troubleshooting Cisco Ios and Pix Firewall-Based Ipsec Implementations (2003)

www.GetPedia.
com
* The Ebook starts from the next page : Enjoy !

SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 1
Troubleshooting Cisco IOS® and PIX ™

Firewall-Based IPSec Implementations
Session SEC-3010
SEC-3010
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EasyVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
What’s Not Covered
• PKI-based troubleshooting
• Debugs from the PIX platforms
• Dynamic Multipoint VPN (DMVPN)
• IPSec VPN Service Module
SEC-3010
Presentation_ID.scr
Why Troubleshooting Is Important
in Today’s VPN Deployment
• Complex security association and key

management protocols and a rich set of
cryptographic algorithms from which VPN
peers can choose
• VPNs are often implemented on top of
existing networks
• Some other advance features could break
IPSec Implementations
• VPNs could be used between different
vendors
SEC-3010
A Key Point to Remember
“Debug and Show commands are

your friends in troubleshooting any
IPSec related issues.”
SEC-3010
Presentation_ID.scr
Secure Communications
Using IPSec VPN
ISAKMP and IKE

Key Generation
Proposals Key Management Proposals
Security Association
VPN Tunnel IPSec
Message
Message
A B
Needs Secure Communications over Insecure Channel

ge
Me
ssa
ss
ag
e
Me
SEC-3010
IKE (Two-Phase Protocol)
IKE
IPSec
Data
• Two-phase protocol:
Phase I exchange: two peers establish a secure, authenticated
channel with which to communicate; main mode or aggressive mode
accomplishes a phase I exchange
Phase II exchange: security associations are negotiated on behalf
of IPSec services; quick mode accomplishes a phase II exchange
• Each phase has its SAs: ISAKMP SA (phase I) and

IPSec SA (phase II)
SEC-3010
Presentation_ID.scr
Main Mode with Pre-Shared Key
Initiator Responder
IKE
DES DES DES

MD5 SHA HDR, SA Proposal MD5
DH 1 DH 2 DH 1
Pre-Share Pre-Share HDR, SA choice Pre-Share
Phase I SA parameter negotiation complete

Generate
DH public value HDR, KEI, NonceI
and Nonce Generate
HDR, KER , NonceR DH public value
and Nonce
DH key exchange complete, share secret SKEYIDe derived
Nonce exchange defeat replay
HASHI =HMAC(SKEYID,HDR*, ID , HASH

I I
KEI |KER |cookieI | HASHR =HMAC(SKEYID,
cookieR |SA|IDI ) HDR*, IDR , HASHR
KER |KEI |cookieR |
cookieI |SA|IDR )
IDs are exchanged, HASH is verified for authentication
ID and HASH are encrypted by derived shared secret
SEC-3010
Phase II Quick Mode Negotiation

Initiator Responder
IPSec
ESP ESP
DES DES
SHA HDR*, HASH1 , Saproposal , NonceI [,KEI ] [,IDCI ,IDCR ] SHA
PFS 1 PFS 1
HDR*, HASH2 , SAchoice , NonceR , [,KER ] [,IDCI ,IDCR ]
HDR*, HASH3
• Protected by Phase I SA
• Optional DH exchange for Perfect Forward Secrecy (PFS)
• Negotiate IPSec SA parameters, including proxy identities [IDCI, IDCR]
• Two unidirectional IPSec SA established with unique SPI number
• Nonce exchanged for generating session key
KEYMAT = HMAC (SKEYIDd,[KEIKER|]protocol|SPI|NonceI|NonceR)
SEC-3010
Presentation_ID.scr
Agenda
• Introduction
• PIX IPSec VPNs
• NAT with IPSec
• MTU Issues
• GRE over IPSec
SEC-3010
Layout
209.165.200.227 209.165.201.4
Backbone
Router1 Router2
10.1.1.0/24 10.1.2.0/24
Encrypted
SEC-3010
Presentation_ID.scr
Router Configurations
“crypto isakmp policy” Defines the

crypto isakmp policy 10 Phase 1 SA Parameters
encr 3des
authentication pre-share
crypto isakmp key jw4ep9846804ijl address 209.165.201.4
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
! “crypto ipsec transform-set..” Command
Defines IPSec Encryption and authen algo
crypto map vpn 10 ipsec-isakmp
set peer 209.165.201.4
“crypto map..” Commands Defines the
set transform-set myset IPSec SA (Phase II SA) Parameters
match address 101
SEC-3010
interface Ethernet0/2
ip address 10.1.1.1 255.255.255.0 Interface that Is Connected to the
Private Side of the Network
!
interface Ethernet0/3 crypto map Is then Applied to an

ip address 209.165.200.227 255.255.255.0 Outbound Interface
crypto map vpn

!
Access-list Defines Interesting VPN
Traffic
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
SEC-3010
Presentation_ID.scr
R1#show crypto map

Crypto Map "vpn" 10 IPsec-isakmp
Peer = 209.165.201.4
Extended IP access list 101
Current peer: 209.165.201.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn:
Ethernet0/3
SEC-3010
Important Debugs Commands
• debug crypto isakmp

• debug crypto ipsec
• debug crypto engine
• debug ip packet <acl> detail
SEC-3010
Presentation_ID.scr
Debugs Functionality Flow Chart
Interesting Traffic Received
Main Mode IKE Negotiation
Quick Mode Negotiation
Establishment of Tunnel
IKE
IPSec
Data
SEC-3010
Tunnel Establishment
Interesting Traffic Received

• The ping source and destination
addresses matched the match address
access list for the crypto map vpn
22:17:24.426: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 209.165.200.227, remote = 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy = 10.1.2.0/255.255.255.0/0/0 (type=4),
• The ‘local’ is the local tunnel end-point, the ‘remote’ is the remote crypto end
point as configured in the map. The src proxy is the src interesting traffic as
defined by the match address access list; The dst proxy is the destination
interesting traffic as defined by the match address access list
protocol= ESP, transform= esp-3des esp -md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x 400A
• The protocol and the transforms are specified by the crypto map which has
been hit, as are the lifetimes
SEC-3010
Presentation_ID.scr
IKE Main Mode Negotiation—
Phase I SA Negotiation
Initiator Responder
• Begins Main Mode exchange; IKE

The first two packets negotiate 3DES HDR, SAProposal 3DES
phase I SA parameters SHA-1

DH 1
SHA-1
DH 1
Pre-Share HDR, SAchoice Pre-Share
ISAKMP: received ke message (1/1)

ISAKMP: local port 500, remote port 500
ISAKMP (0:1): Input = IKE_MESG_FROM_IPsec, IKE_SA_REQ_MM Old State =
IKE_READY New State = IKE_I_MM1
ISAKMP (0:1): beginning Main Mode exchange

22:17:24: ISAKMP (0:1): sending packet to 209.165.201.4 (I)MM_NO_STATE
22:17:24: ISAKMP (0:1): received packet from 209.165.201.4 (I)
MM_NO_STATE
22:17:24: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER , IKE_MM_EXCH
Old State = IKE_I_MM1 New State = IKE_I_MM2
SEC-3010

Phase I SA Negotiation
22:17:24: ISAKMP (0:1): processing SA payload . message ID = 0

22:17:24: ISAKMP (0:1): processing vendor id payload
22:17:24: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
22:17:24: ISAKMP: hash SHA
22:17:24: ISAKMP: default group 1
22:17:24: ISAKMP: auth pre-share
22:17:24: ISAKMP: life type in seconds
22:17:24: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x8 0
22:17:24: ISAKMP (0:1): atts are acceptable . Next payload is 0
22:17:24: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE

• The policy 10 on this router and the atts offered by

the other side matched
SEC-3010
Presentation_ID.scr
DH Exchange
Initiator Responder
• The third and fourth packets IKE

completes Diffie-Hellman 3DES HDR, SAProposal 3DES
SHA-1 SHA-1
exchange DH 1 DH 1
ISAKMP (0:1): sending packet to HDR, KEI, NonceI
209.165.201.4 (I) MM_SA_SETUP HDR, KER, NonceR

ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_SA_SETUP
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP (0:1): processing KE payload . message ID = 0

ISAKMP (0:1): processing NONCE payload . message ID = 0
ISAKMP (0:1): found peer pre -shared key matching 209.165.201.4
ISAKMP (0:1): SKEYID state generated
ISAKMP (0:1): processing vendor id payload
SEC-3010

Authentication
Initiator Responder
• The fifth and sixth packets IKE
complete IKE authentication;
3DES HDR, SAProposal 3DES
Phase 1 SA established SHA-1 SHA-1
DH 1 DH 1
ISAKMP (0:1): SA is doing pre-shared key HDR, KEI, NonceI
authentication using id type ID_IPV4_ADDR HDR, KER, NonceR

……
ISAKMP (0:1): sending packet to 209.165.201.4 HDR*, ID I , HASH I
(I) MM_KEY_EXCH HDR*, IDR, HASHR

ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETEOld State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_KEY_EXCH

ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP (0:1): processing ID payload. message ID = 0
ISAKMP (0:1): processing HASH payload. message ID = 0
ISAKMP (0:1): SA has been authenticated with 209.165.201.4
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
SEC-3010
Presentation_ID.scr
IKE Quick Mode
IPSec SA Negotiations
Initiator Responder
IKE
IPSec
• Begin Quick Mode exchange;
IPSec SA will be negotiated ESP
3DES
HDR*, HASH1 , Saproposal , NonceI [,KEI ] [,ID CI ,ID CR ] ESP
3DES
in QM SHA
SHA
ISAKMP (0:1): beginning Quick Mode exchange ,

M-ID of 843945273
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_INTERNAL, IKE_INI T_QM Old
State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP (0:1): received packet from 209.165.201.4 (I) QM_IDLE
• The IPSec SA proposal offered by far end will be checked against local
crypto map configuration
ISAKMP (0:1): processing HASH payload. message ID = 843945273
ISAKMP (0:1): processing SA payload. message ID = 843945273
SEC-3010
IKE Quick Mode

IPSec SA Negotiations
ISAKMP (0:1): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0:1): atts are acceptable.
IPsec(validate_proposal_request): proposal part #1 ,
(key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4 ,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp -3des esp-md5-hmac ,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
SEC-3010
Presentation_ID.scr
IKE Quick Mode
SA Creation
• Two IPSec SAs have been negotiated, an incoming SA with the SPI
generated by the local machine and an outbound SA with the SPIs
proposed by the remote end
ISAKMP (0:1): Creating IPSec SAs

inbound SA from 209.165.201.4 to 209.165.200.227(proxy 10.1.2.0 to 10.1.1. 0)
has spi 0x8EAB0B22 and conn_id 2000 and flags 2
lifetime of 3600 seconds lifetime of 4608000 kilobytes
outbound SA from 209.165.200.227 to 209.165.201.4 (proxy 10.1.1.0 to 10.1.2.0)
has spi -1910720646 and conn_id 2001 and flags A
lifetime of 3600 seconds lifetime of 4608000 kilobytes
SEC-3010
IKE Quick Mode

SA Initialization
• The IPSec SA info negotiated by IKE will be populated
into router’s SADB
22:17:25 : IPsec(key_engine): got a queue event...
22:17:25: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local = 209.165.200.227, remote= 209.165.201.4,

local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform = esp -3des esp-md5-hmac ,
lifedur = 3600s and 4608000kb,
spi = 0x4579753B(1165587771), conn_id = 2000, keysize= 0, flags=0x2
22:17:25: IPsec(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 209.165.200.227, remote = 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform = esp -3des esp-md5-hmac ,
lifedur = 3600s and 4608000kb,
spi = 0x8E1CB77A(2384246650), conn_id = 2001, keysize= 0, flags= 0xA
SEC-3010
Presentation_ID.scr
IKE Quick Mode
Phase 2 Completion
Initiator Responder
• IPSec SA created in SADB, IKE

sent out last packet with commit
IPSec
bit set; IPSec tunnel established
ESP HDR*, HASH1 , Saproposal , NonceI [,KEI ] [,ID CI ,ID CR ] ESP
IPsec(create_sa): sa created , 3DES 3DES
SHA SHA
(sa) sa_dest= 209.165.200.227,
sa_prot= 50, HDR*, HASH3
sa_spi= 0x4579753B(1165587771),
Data
sa_trans= esp -3des esp -md5-hmac ,
sa_conn_id= 2000
IPsec(create_sa): sa created,
(sa) sa_dest= 209.165.201.4, sa_prot= 50, sa_spi= 0x8E1CB77A(23 84246650),
sa_trans= esp -3des esp -md5-hmac , sa_conn_id= 2001
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_FROM_PEER, IKE_QM _EXCH
Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
SEC-3010
Show Commands
• Show crypto engine connection active

• Show crypto isakmp sa [detail]
• Show crypto ipsec sa [peer <addr>]
SEC-3010
Presentation_ID.scr
Show Commands
Router#sh cry engine connection active

ID Interface IP -Address State Algorithm Encrypt Decrypt
1 Ethernet0/3 209.165.200.227 set HMAC_SHA+3DES_56_C 0 0
This is ISAKMP SA
2000 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 0 19
2001 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 19 0
These two are IPSec SAs
Router#sh crypto isakmp sa

dst src state conn-id slot
209.165.201.4 209.165.200.227 QM_IDLE 1 0
SEC-3010
Show Commands
Router#sh crypto ipsec sa
interface: Ethernet0/3
Crypto map tag: vpn, local addr. 209.165.200.227
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 209.165.201.4
PERMIT, flags={origin_is_acl,}
#pkts encaps : 19, #pkts encrypt : 19, #pkts digest 19
#pkts decaps : 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, # pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 209.165.200.227, remote crypto endpt .: 209.165.201.4

path mtu 1500, media mtu 1500
current outbound spi: 8E1CB77A
SEC-3010
Presentation_ID.scr
Show Commands
inbound esp sas:
spi: 0x4579753B(1165587771)
transform: esp-3des esp -md5 -hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:

spi : 0x8E1CB77A(2384246650)
transform: esp-3des esp -md5 -hmac ,
in use settings ={ Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
SEC-3010
Hardware Crypto Engine
• In latest Cisco IOS versions, show commands for different

types of hardware crypto cards have been unified
Verify hardware/software Show crypto engine configuration

crypto engine
Hardware info Show diag
Turn on/off the hardware

[no] crypto engine accelerator [slot_no.]
crypto engine
Display statistics Show crypto engine accelerator stat
Debug crypto engine Debug crypto engine accelerator

control/packet
SEC-3010
Presentation_ID.scr
Hardware Crypto Engine (Cont.)
• show crypto engine configuration

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware Indicates Hardware
Crypto Engine on
Product Name: AIM-VPN/EP
• show diag
slot : 0
Shows the Type of
Encryption AIM 0: Hardware Encryption
Hardware Revision : 1.0
Top Assy. Part Number : 800-15369-03
Board Revision : B0
SEC-3010
show crypto engine accelerator statistic

Virtual Private Network (VPN) Module in aim slot : 0
Statistics for Hardware VPN Module since the last clear
of counters 430281 seconds ago
0 packets in 0 packets out
0 packet overruns 0 output packets dropped
Last 5 minutes:
0 packets in 0 packets out
0 packets decrypted 0 packets encrypted
0 bytes decrypted 0 bytes encrypted
0 bytes before decrypt 0 bytes after encrypt
SEC-3010
Presentation_ID.scr
• Debug crypto engine accelerator

debug cry engine accelerator control
detail display the entire command content
error display errors from control commands
<cr>
debug cry engine accelerator packet

detail display packet going through crypto accelerator
error display errors from packets going through crypto
accelerator
number number of packet to be printed
<cr>
SEC-3010
Verify Crypto Engine

router#sh crypto engine configuration Privileged Mode: 0x0000
Maximum buffer length: 4096
crypto engine name: unknown Maximum DH index: 1014
crypto engine type: ISA/ISM Maximum SA index: 2029
CryptIC Version: FF41 Maximum Flow index: 4059
CGX Version: 0111 Maximum RSA key size: 0000
DSP firmware version: 0061 crypto engine in slot: 5
MIPS firmware version: 0003030F platform: predator
ISA/ISM serial number: crypto_engine
B82CA6C09E080DF0E0A1029EF8E7112F3FF5F
67B
Crypto Adjacency Counts:
PCBD info: 3-DES [07F000260000]
Lock Count: 0
Compression: No
Unlock Count: 0
3 DES: Yes
SEC-3010
Presentation_ID.scr
Common Issues
• Incompatible ISAKMP policy or

pre-shared secrets
• Incompatible transform sets
• Incompatible or incorrect access lists
• Crypto map on the wrong interface
• Overlapping ACLs
• Routing issues
• Caveats: switching paths
SEC-3010
Incompatible ISAKMP Policy

or Pre-Shared Secrets
• If the configured ISAKMP policies don’t match the

proposed policy by the remote peer, the router tries the
default policy of 65535, and if that does not match either,
it fails ISAKMP negotiation
Default protection suite
encryption algorithm: DES—Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
• A sh crypto isakmp sa shows the ISAKMP SA to be in

MM_NO_STATE, meaning the main-mode failed
SEC-3010
Presentation_ID.scr
3d01h: ISAKMP (0:1): processing SA ISAKMP (0:1): Checking ISAKMP
payload. message ID = 0 transform 1 against priority 65535
policy
3d01h: ISAKMP (0:1): found peer pre -
shared key matching 209.165.200.227 ISAKMP: encryption 3DES -CBC
ISAKMP (0:1): Checking ISAKMP ISAKMP: hash MD5
transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption 3DES -CBC
ISAKMP: auth pre -share
ISAKMP: hash MD5
ISAKMP: life type in seconds
ISAKMP: default group 1
ISAKMP: life duration (VPI) of
ISAKMP: auth pre -share 0x0 0x1 0x51 0x80
ISAKMP: life type in seconds ISAKMP (0:1): Encryption algorithm
offered does not match policy!
ISAKMP: life duration (VPI) of
0x0 0x1 0x51 0x80 ISAKMP (0:1): atts are not acceptable.
Next payload is 0
ISAKMP (0:1): Hash algorithm offered
does not match policy! ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): atts are not acceptable. ISAKMP (0:1): phase 1 SA not
Next payload is 0 acceptable!
SEC-3010

• If the pre-shared secrets are not the same

on both sides, the negotiation will fail
again, with the router complaining about
sanity check failed
• A sh crypto isakmp sa shows the ISAKMP
SA to be in MM_NO_STATE, meaning the
main mode failed
SEC-3010
Presentation_ID.scr
ISAKMP (62): processing SA payload. message ID = 0

ISAKMP (62): Checking ISAKMP transform 1 against priority 10 policy
encryption DES-CBC
hash SHA
default group 1
auth pre-share
ISAKMP (62): atts are acceptable. Next payload is 0
ISAKMP (62): SA is doing pre-shared key authentication
ISAKMP (62): processing KE payload. message ID = 0
ISAKMP (62): processing NONCE payload. message ID = 0
ISAKMP (62): SKEYID state generated
ISAKMP (62); processing vendor id payload
ISAKMP (62): speaking to another IOS box!
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 209.165.200.227
failed its sanity check or is malformed
SEC-3010
Incompatible IPSec Transform Set
• If the ipsec transform-set is not compatible or mismatched on the two IPSec

devices, the IPSec negotiation will fail, with the router complaining about “atts not
acceptable” for the IPSec proposal

ISAKMP: encaps is 1
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not
supported
ISAKMP (0:2): atts not acceptable. Next payload is 0
ISAKMP (0:2): SA not acceptable!
SEC-3010
Presentation_ID.scr
Incompatible or
Incorrect Access Lists
• If the access lists on the two routers don’t match

proxy identities not supported will result
• It is recommended that access lists on the two
routers be ‘reflections’ of each other
• It is also highly recommended that the key word
any not be used in match address access lists
SEC-3010
Incompatible or
Incorrect Access Lists
1w6d: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.201.4, remote= 209.165.200.227,
local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
1w6d: IPSEC(validate_transform_proposal): proxy identities not supported
1w6d: ISAKMP (0:2): IPSec policy invalidated proposal
1w6d: ISAKMP (0:2): phase 2 SA not acceptable!
Access List at 209.165.200.227:

access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Access List at 209.165.201.4:

access list 101 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
SEC-3010
Presentation_ID.scr
Crypto Map on the Wrong Interface
• The crypto map needs to be applied to the outgoing

interface of the router
IPSEC(validate_proposal): invalid local address 209.165.201.4
ISAKMP (0:4): atts not acceptable. Next payload is 0
ISAKMP (0:4): phase 2 SA not acceptable!
• If you don’t want to use the outside interface’s IP as the

local ID, use the command ‘crypto map <name> local-
address <interface>, to specify the correct interface
• If there are physical as well as logical interfaces involved
in carrying outgoing traffic, the crypto map needs to be
applied to both; however, this restriction has been taken
off in the latest Cisco IOS
SEC-3010
Overlapping ACLs
• If there are multiple peers to a router,

make sure that the match address
access lists for each of the peers are
mutually exclusive from the match
address access list for the other peers
• If this is not done, the router will choose
the wrong crypto map to try and establish
a tunnel with one of the other peers
SEC-3010
Presentation_ID.scr
Incorrect SA Selection by the Router
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.202.149,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp -3des esp -md5-hmac ,
IPSEC(validate_transform_proposal): peer address 209.165.202.149 not found
ISAKMP (0:2): IPSec policy invalidated proposal
ISAKMP (0:2): phase 2 SA not acceptable!
Access list for 209.165.201.4:

Access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Access list for 209.165.202.149:

SEC-3010
Routing Issues
• A packet needs to be routed to the interface which
has the crypto map configured on it before IPSec
will kick in
• Routes need to be there for:
The router to reach its peers address
The IP subnets of the destination host before the packets
are encrypted
The IP subnets of the destination host once the packets
are decrypted
• Use the debug ip packet <acl> detailed to see if the

routing is occurring correctly (be careful on the busy
networks!!!)
SEC-3010
Presentation_ID.scr
Possible Caveats in Switching Paths
• Symptom: Only see encryption or decryption

counter incrementing from “show crypto eng
conn active”
• Caveats in the switching paths might cause
IPSec encryption/decryption failures
• Workaround: Try different switch paths
(CEF, fast switching, process switching)
• Process switching can cause
performance issues!
SEC-3010
Quiz Time
Agenda
“PROXY IDS NOT SUPPORTED..”
• Introduction
Debug Message Means:
• PIX IPSec VPNs
1. Phase 2 Hashing is mismatched
2. Access-List is mismatched
• NAT with IPSec
• Firewalling
3. Phase and IPSec type is
2 Encryption
mismatched
• MTU Issues
• GRE over IPSec
4. DH group is mismatched
SEC-3010
Presentation_ID.scr
Layout
10.1.2.0/24
10.1.1.0/24
209.165.202.129 209.165.200.226
Internet
PIX 1 PIX 2
Private Encrypted Private
Public
SEC-3010
PIX-to-PIX VPN Configuration
Access-List “bypassnat”
access-list bypassnat permit ip 10.1.1.0 Defines Interesting Traffic
255.255.255.0 10.1.2.0 255.255.255.0 to bypass NAT for VPN
NAT 0 Command Bypasses NAT

nat (inside) 0 access-list bypassnat for the Pkts Destined over
the IPSec Tunnel
Access-list “encrypt” Defines

access-list encrypt permit ip 10.1.1.0 VPN Interesting Traffic
255.255.255.0 10.1.2.0 255.255.255.0
ip address outside 209.165.202.129 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0 IP Addresses on the outside
route outside 0.0.0.0 0.0.0.0 209.165.202.158 and
1 inside Interfaces
Sysopt Command Bypasses

sysopt connection permit-ipsec Conduits or ACLs Checking to
Be Applied on the Inbound VPN
Packets after Decryption
SEC-3010
Presentation_ID.scr
Standard Site-to-Site VPN
Configuration Highlight
“crypto IPSec..” Command
crypto ipsec transform-set mysetdes esp-des Defines IPSec Encryption
esp-md5-hmac and authen algo
crypto map encryptmap 20 ipsec-isakmp “crypto map..”

crypto map encryptmap 20 match address encrypt Commands Define the
crypto map encryptmap 20 set peer 209.165.200.226 IPSec SA (Phase II SA)
Parameters
crypto map encryptmap 20 set transform-set mysetdes
crypto map encryptmap interface outside
isakmp enable outside

“isakmp key..” Command
isakmp key cisco123 address 209.165.200.226 Defines the Pre-Shared Key
netmask 255.255.255.255 no-xauth no-config-mode for the Peer Address
isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des
isakmp policy 10 hash md5 “isakmp policy..” Defines
isakmp policy 10 group 1 the Phase 1 SA Parameters
isakmp policy 10 lifetime 86400
SEC-3010
Common Issues
• Bypassing NAT
• Enabling ISAKMP
• Missing sysopt commands
• Combining PIX-PIX and
PIX-VPN client issues
SEC-3010
Presentation_ID.scr
Bypassing NAT
• Nat needs to be bypassed on the PIX

in order for the remote side to access the
private network behind the PIX seamlessly
• Use the NAT 0 command with an access
list to achieve that
SEC-3010
Enabling ISAKMP
• Unlike the router, ISAKMP is not enabled

by default on the PIX
• Use the command isakmp enable
<interface> to enable it on an interface
SEC-3010
Presentation_ID.scr
Missing Sysopt Commands
• After decryption, PIX will check the

access-lists or conduits against the
decrypted IP packets
• Access-lists or conduits need to be
configured to permit decrypted IP traffic
• Enable sysopt connection permit-ipsec to
bypass the access-list/conduit checking
against VPN traffic after decryption
SEC-3010
Combining PIX-PIX
and PIX-Client Issues
• If you are doing mode config or x-auth for

the VPN clients you would need to disable
them for the site-to-site VPN connections
• Use the no-config-mode and no x-auth
tags at the end of the pre-shared
key definitions to disable mode config
and x-auth
• isakmp peer fqdn fqdn no-xauth no-
config-mode in case rsa-sig is used as IKE
authentication method
SEC-3010
Presentation_ID.scr
Agenda
• Introduction
• PIX IPSec VPNs
• NAT with IPSec
• MTU Issues
• GRE over IPSec
SEC-3010
Layout
209.165.200.227
172.18.124.96
WINS
VPN Client
Router
14.38.1.0/24
10.1.1.0/24 Internet
209.165.201.4 Router
DNS 14.38.2.0/24
Pix Pix
209.165.200.226 209.165.201.2
SEC-3010
Presentation_ID.scr
EasyVPN Client to a Router
aaa new-model
aaa authentication login userauthen local aaa Commands Enable User
aaa authorization network groupauthor local Authentication and Group
Authorization
username cisco password 0 cisco123
Username pix password 0 cisco123
!
crypto isakmp policy 3 ISAKMP Policy Defines Phase 1

encr 3des Parameters
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient

key cisco123
“Crypto isakmp client configuration
dns 10.1.1.10 ..” commands define mode-
wins 10.1.1.20 Configuration Parameters that Will
domain cisco.com Be Passed to the VPN Clients
pool ippool
acl 100
SEC-3010
EasyVPN Client to a Router (Cont.)
“crypto IPSec..” Command

crypto IPSec transform-set myset esp -3des esp -sha-hmac Defines IPSec Encryption and
! authen algo
crypto dynamic-map dynmap 10

“crypto dynamic-map…” Defines
set transform-set myset a Dynamic Map which Would Be
! Included in the Actual Map
crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond “crypto map…” Commands
Define the Actual Map which
crypto map clientmap 10 IPsec-isakmp dynamic dynmap
Would Be Applied to the
Outbound Interface for the Data
Encryption
SEC-3010
Presentation_ID.scr
EasyVPN Client to a Router (Cont.)
“ip local pool…” Command

ip local pool ippool 14.1.1.1 14.1.1.254 Defines a Pool of Addresses to Be
! Assigned back to the VPN Client

access-list Defines
access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.1.0 0.0.0.255 Split-Tunneling
!
crypto map Is then Applied to an

interface FastEthernet2/0
Outbound Interface
ip address 209.165.200.227 255.255.255.0
crypto map clientmap
SEC-3010
EasyVPN Client to a PIX
Define an Access-List, that

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 Would Be Used to by-pass
access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.1.0 255.255.255. 0 NAT for the IPSec Traffic
access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.2.0 255.255.255. 0
nat (inside) 0 access-list 101

Define IP Address on the
ip address inside 10.1.1.1 255.255.255.0 Interfaces
isakmp enable outside

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des ISAKMP Policy Defines
Phase 1 Parameters
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
SEC-3010
Presentation_ID.scr
EasyVPN Client to a PIX (Cont.)
Define a Pool of Addresses to Be
ip local pool ippool 10.1.2.1-10.1.2.254 Assigned back to the VPN Client
Sysopt Command Bypasses

sysopt connection permit-IPsec Conduits or ACLs Checking to Be
Applied on the Inbound VPN
vpngroup vpnclient address-pool ippool Packets after Decryption
vpngroup vpnclient dns-server 10.1.1.2
vpngroup Commands Enable
vpngroup vpnclient wins-server 10.1.1.2
Group Authorization; You Can
vpngroup vpnclient default-domain cisco.com Pass down Mode-Configuration
vpngroup vpnclient split-tunnel 101 Parameters within This Section
vpngroup vpnclient idle-time 1800 back to the VPN Client;
vpngroup vpnclient password ******** Note that Access -list 101 Can Be
Used Again for Split-Tunneling
crypto IPSec transform-set myset esp -des esp -md5-hmac “crypto IPSec transform-set…”
crypto dynamic-map dynmap 10 set transform-set myset Command Defines Phase 2
Negotiation Parameters
crypto map mymap 10 IPsec-isakmp dynamic dynmap “crypto map…” Commands
crypto map mymap interface outside Defines the Actual Map which
Would Be Applied to
an Interface for the Data
SEC-3010 Encryption
VPN Client Configuration

To Launch the VPN client, click:
Start | Programs | Cisco Systems VPN client | VPN Client
SEC-3010
Presentation_ID.scr
Cisco IOS EasyVPN Client
crypto ipsec client ezvpn ezvpnclient

connect auto “crypto ipsec client …”
group vpnclient key cisco123 Commands Define the Connection
Parameters to Establish an
mode network-extension EasyVPN tunnel
peer 209.165.200.227
interface Ethernet0
ip address 14.38.1.1 255.255.255.0 “crypto ipsec client … inside”
crypto ipsec client ezvpn ezvpnclient inside Command Defines the Private
Subnet for the IPSec Encryption
hold-queue 100 out
interface Ethernet1
ip address 209.165.201.4 255.255.255.224 “crypto ipsec client … ”
crypto ipsec client ezvpn ezvpnclient Command Is then Applied to an
Outbound Interface
SEC-3010
PIX EasyVPN Client
hostname vpn-pix501b
domain-name cisco.com
vpnclient server 209.165.200.227

vpnclient mode network-extension-mode “vpnclient …” Commands Define
vpnclient vpngroup vpnclient password ******** the Connection Parameters to
Establish an EasyVPN Tunnel
vpnclient username cisco password ********
vpnclient enable
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1

ip address inside 14.38.2.1 255.255.255.0
SEC-3010
Presentation_ID.scr
Cisco IOS Debugs: Phase I Negotiation
Debug crypto isakmp
Debug crypto ipsec
Debug crypto ipsec client ezvpn ( on EZVPN client )
This Message Indicates that This

ISAKMP (0:0): received packet from 172.18.124.96 (N) NEW SA Router Received an ISAKMP
ISAKMP: local port 500, remote port 500 Message from the EZVPN Client
… on src port 500, dst port=500
ISAKMP (0:10): Checking ISAKMP transform 1 against priority 3
policy
ISAKMP: encryption 3DES-CBC Router Is Trying to Match the
ISAKMP: hash SHA Received Proposal # 1 with the
ISAKMP: default group 2 Configured Proposal # 3
ISAKMP: auth XAUTHInitPreShared

ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:10): atts are acceptable. Next payload is 3 Received Proposal Is Acceptable
…
Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT Since the 3.x Client Does
Aggressive Mode, the New State
SEC-3010 Is IKE_R_AM_AAA_AWAIT
Cisco IOS Debugs: Xauth
…
ISAKMP (0:10): Need XAUTH
…
ISAKMP/xauth: request attribute XAUTH_TYPE_V2
ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2 Router Is Requesting the VPN
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2 Client for User Authentication
ISAKMP/xauth: request attribute

XAUTH_USER_PASSWORD_V2
...
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_TYPE_V2 unexpected
Router Is Receiving the X-Auth
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2 Attributes from the VPN Client
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
SEC-3010
Presentation_ID.scr
Cisco IOS Debugs:
Mode Configuration
ISAKMP (0:10): checking request:
ISAKMP: IP4_ADDRESS
ISAKMP: IP4_NETMASK
ISAKMP: IP4_DNS Received Mode Configuration
ISAKMP: IP4_NBNS Request from the VPN Client
ISAKMP: ADDRESS_EXPIRY
ISAKMP: APPLICATION_VERSION Unknown Attr: Is Not an Error; It
ISAKMP: UNKNOWN Unknown Attr: 0x7000 Just Means that PIX Does Not
… Support this mode-config
Attribute Requested by the VPN
ISAKMP: Sending private address: 14.1.1.3
Client
ISAKMP: Unknown Attr: IP4_NETMASK (0x2)
ISAKMP: Sending IP4_DNS server address: 14.36.1.10
ISAKMP: Sending IP4_NBNS server address: 14.36.1.20
Router Is Sending the
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the
address: 86395 Mode-Configuration back to
the VPN Client
ISAKMP: Sending APPLICATION_VERSION string: Cisco
Internetwork OperatingSystem Software
IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(15)T,
RELEASE SOFTWARE (fc1)
ISAKMP: Unknown Attr: UNKNOWN (0x7000)
SEC-3010
Cisco IOS Debugs:

Phase II Negotiation
Router Is Checking and
ISAKMP: authenticator is HMAC -SHA
Validating the IPSec Proposals
ISAKMP: encaps is 1
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:11): atts are acceptable.
…
ISAKMP (0:11): Creating IPSec SAs
inbound SA from 172.18.124.96 to 14.36.100.101
(proxy 14.1.1.4 to 14.36.100.101) After Validating the Phase II, the
has spi 0x962A493B and conn_id 2000 and flags 4 IPSec SAs Are Created; One SA
lifetime of 2147483 seconds for Inbound Traffic and the Other
SA for the Outbound Traffic
outbound SA from 14.36.100.101 to 172.18.124.96 (proxy
14.36.100.101 to 14.1.1.4)
has spi -2145675534 and conn_id 2001 and flags C
lifetime of 2147483 seconds
SEC-3010
Presentation_ID.scr
Common Issues
• VPN clients only propose DH group 2 and 5

Configure DH group 2 or 5 on Cisco IOS or PIX
• Configure “isakmp identity hostname” if rsa-sig is
used as an IKE authentication method
• aaa authorization needs to be enabled on the router,
so that router can accept/send mode-configuration
attributes
• On, Cisco IOS EasyVPN client, for X-Auth, you have
to manually type “crypto ipsec client ezvpn xauth”
SEC-3010
Quiz Time
Agenda
The Purpose of
• Introduction
“sysopt connection permit-IPsec”
• Router IPSec VPNs Is:
• PIX IPSec VPNs
1. To bypass conduits
• Cisco EasyVPN or ACL checking
Clients
against the decrypted VPN traffic
• NAT with IPSec
2. To bypass NATand
• Firewalling forIPSec
the IPSec traffic
• MTU Issues
3. To bypass the assignment of IP address
• GRE over IPSec
to the VPN client
4. To bypass X-Auth for the VPN clients
SEC-3010
Presentation_ID.scr
Common Problems
• Bypassing NAT entries

• NAT in the middle of an IPSec tunnel
SEC-3010
Bypassing NAT Entries

• Bypassing dynamic NAT entries
ip nat inside source route-map nonat interface Ethernet1/0 overload
access list 150 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access list 150 permit ip 10.1.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 150
• Static NAT entries can be bypassed using a loopback interface
and policy routing for Cisco IOS images prior to 12.2.4T;
Starting from 12.2.4T a route-map can be used with static NAT
to bypass NAT
• Tools to debug this setup are:
show ip nat translation
debug ip nat
debug ip policy
SEC-3010
Presentation_ID.scr
Bypassing Static NAT Entries
lo1
ip address 10.1.1.3 255.255.255.0
ip nat inside
e0/3 ip route-cache policy
e0/2
nat in nat out ip policy route-map nonat
crypto map
crypto map vpn 10 IPsec-isakmp ip nat inside source list 1 interface Ethernet0/3 overload
set peer 209.165.201.4
ip nat inside source static 10.1.1.1 209.165.200.230
set transform-set myset
match address 101 access list 1 permit 10.0.0.0 0.255.255.255
interface Loopback1 access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0
ip address 10.2.2.2 255.255.255.252 0.0.0.255
access list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0
0.0.0.255
ip address 209.165.200.227 255.255.255.0
ip nat outside match ip address 120
set ip next-hop 10.2.2.1
crypto map vpn
SEC-3010
Bypassing Static NAT Entries
e0/3
e0/2
nat out
nat in
crypto map
ip address 10.1.1.3 255.255.255.0
crypto map vpn 10 IPsec-isakmp ip nat inside
set peer 209.165.201.4
set transform-set myset ip nat inside source list 1 interface Ethernet0/3 overload
match address 101
ip nat inside source static 10.1.1.1 209.165.200.230 route-map
nonat
interface Ethernet0/03 access-list 1 permit 10.1.1.0 255.255.255.0
ip address 209.165.200.227 55.255.255.0 access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
ip nat outside
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
crypto map vpn
match ip address 120
SEC-3010
Presentation_ID.scr
NAT in the Middle of an IPSec Tunnel
• In many cases, VPN clients are behind NAT/PAT devices

• IPSec over NAT (NAT -T) support was first introduced in
12.2.15T for routers and version 6.3 for PIX
• IPSec pass-thru feature is supported on certain NAT/PAT
devices; ISAKMP cookie and ESP SPI are used to build
translation table
• NAT -T is turned on by default on Cisco IOS
• Use isakmp nat-traversal <natkeepalive> to turn on
NAT -T on PIX
• Turn on IPSec over UDP/TCP, or NAT -T feature in case of
VPN 3000 Concentrator
SEC-3010
Agenda
• Introduction
• PIX IPSec VPNs
• NAT with IPSec
• MTU Issues
• GRE over IPSec
SEC-3010
Presentation_ID.scr
Firewall in the Middle
Internet
Router
Private Private
Encrypted
Public
• ESP (IP protocol type 50) or/and AH (IP/51)

• UDP port 500 (ISAKMP), and/or UDP port 4500 (NAT -T)
SEC-3010
Firewalling and IPSec

• Firewall on the IPSec endpoint router:
ESP or/and
AH
UDP port 500 (IKE) and 4500 (NAT -T)
Decrypted packet IP addresses
(incoming access group is applied twice)
• Firewall on the IPSec endpoint PIX:
Sysopt connection permit-IPsec
(no conduit or access-list is needed)
Use of conduits or access-list
(no sysopt connection permit-ipsec is needed—gives
you more security for the decrypted pkts)
SEC-3010
Presentation_ID.scr
Agenda
• Introduction
• PIX IPSec VPNs
• Cisco EZVPN Clients
• NAT with IPSec
• MTU Issues
• GRE over IPSec
SEC-3010
IPSec MTU Issues

• Overhead introduced by IPSec encapsulation
(~60 bytes)
• Possible fragmentation after encryption leads
to reassembly on the VPN peer router
(process-switched, performance degradation)
• IPSec and Path MTU discovery (PMTU)
IPSec copies Don’t Fragment (DF) bit from original data
packets’ IP header
IPSec dynamically update Path MTU in the SADB if router
receives PMTU ICMP message
The MTU hint in the PMTU ICMP message is physical
MTU- ipsec_overhead (calculated based on transform-set)
SEC-3010
Presentation_ID.scr
IPSec and PMTU
MTU 1500 172.16.172.10/28 172.16.172.20/28 MTU 1500 10.1.2.2
10.1.1.2
e1/1 e1/0 MTU MTU MTU
1500 1400 1500
Path 1500 IPSec Tunnel Path 1500

Media 1500 Media 1500
1500 DF=1
ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to
ICMP Type3 Code 4
10.1.1.2 (“debug ip icmp” output)
(1454)
1454 DF=1 1500 DF copied
ICMP: dst (172.16.172.20) frag. needed and

ICMP (1400) DF set unreachable rcv from 172.16.172.11
IPSec SPI copied Adjust path MTU on corresponding IPSec SA
1454 DF=1 path mtu 1400, media mtu 1500
current outbound spi: EB84DC85
ICMP Type3 Code 4
(1354)
1354 DF=1 1400 1400 1354

SEC-3010
Common Problem
• PMTU ICMP packets lost or blocked

Debug ip icmp on router to verify if ICMP packets
are sent or received
Use sniffer to verify if ICMP packets are lost
• Work arounds
Reduce MTU or disable PMTU on end host
Configure router to clear DF bit of data packets
Adjust TCP MSS on router to fine tune TCP windows
Look-ahead fragmentation
SEC-3010
Presentation_ID.scr
MTU Issues Work around:
Policy Routing
crypto map vpn 10 IPsec -isakmp route-map ClearDF permit 10
set peer 172.16.172.10 match ip address 101
set transform -set myset set ip df 0
match address 101 !
! access-list 101 permit ip 10.1.2.0
interface Ethernet1/0 0.0.0.255 10.1.1.0 0.0.0.255
ip address 172.16.172.20 255.255.255.240

no ip redirects
duplex half
Use policy routing to
crypto map vpn set DF bit of the
! interesting traffic
interface Ethernet1/1 to 0
ip address 10.1.2.1 255.255.255.0
ip policy route -map ClearDF
no ip redirects
duplex half
SEC-3010

DF Bit Override Feature
• DF bit override feature with IPSec allows

router to set, copy or clear the DF bit from
the IPSec encapsulated header
Router(config)#crypto ipsec df-bit clear
• First introduced in 12.2(2)T

• Only works for IPSec tunnel mode
• With “df-bit clear” option, large packets
will be fragmented after encryption
SEC-3010
Presentation_ID.scr
Look ahead Fragmentation
• Fragment large packets before IPSec

encryption to avoid performance issues
• Works for IPSec tunnel mode only
• Depends on crypto ipsec df-bit config
• First introduced in 12.1(11)E; the feature
was integrated in 12.2.(13)T and 12.2(14)S
Crypto ipsec df-bit clear

Crypto ipsec fragmentation before-encryption
SEC-3010

Adjusting TCP MSS
• Adjust TCP MSS (maximum send segment)
under ingress interface:
ip tcp adjust-mss <number>
• Router will sniff on the incoming TCP SYN
packets and tweak the TCP MSS field to
configured number
• Remote host will use adjusted MSS value
correspondingly
• Choose MSS to avoid fragmentation
MSS <= interface MTU—IPSec Overhead—40
(IP header and TCP header)
SEC-3010
Presentation_ID.scr
Agenda
Quiz Time
The Purpose of
• Introduction
“crypto ipsec df-bit
• Router IPSecclear
VPNs” Is:
• PIX IPSec VPNs
1. To adjust the TCP-MSS value in the syn
packets
• NAT with IPSec
2. To help the router in doing Path MTU
Discovery
• MTU Issues
3. To drop the IPSec packets if don’t
• GRE over IPSec
fragment bit is set
4. To remove the don’t
• Interoperability fragment bit
Troubleshooting
SEC-3010
GRE over IPSec
c
IPSe
GRE
Internet
Internet
a. Original Packet
b. GRE Encapsulation
c. GRE over IPSec Transport Mode
d. GRE over IPSec Tunnel Mode
a IP Hdr 1 TCP hdr Data
b IP hdr 2 GRE hdr IP Hdr 1 TCP hdr Data
c IP hdr 2 ESP hdr GRE hdr IP Hdr 1 TCP hdr Data
d IP hdr 3 ESP hdr IP hdr 2 GRE hdr IP Hdr 1 TCP hdr Data
SEC-3010
Presentation_ID.scr
GRE over IPSec
(Common Configuration Issues)
• Apply crypto map on both the tunnel

interfaces and the physical interfaces
• Specify GRE traffic as IPSec
interesting traffic
access-list 101 permit gre host 200.1.1.1 host
150.1.1.1
• Static or dynamic routing is needed to

send VPN traffic to the GRE tunnel before
it gets encrypted
SEC-3010
GRE over IPSec

(Avoid Recursive Routing)
• To avoid GRE tunnel interface flapping due to

recursive routing, keep transport and passenger
routing information separate:
Use different routing protocols or separate routing
protocol identifiers
Keep tunnel IP address and actual IP network
addresses ranges distinct
For tunnel interface IP address, don’t use unnumbered
to loopback interface when the loopback’s IP address
resides in the ISP address space
SEC-3010
Presentation_ID.scr
GRE over IPSec (MTU Issues)
• Overhead calculation of GRE over IPSec

(assume ESP-DES and ESP-MD5-HMAC):
ESP overhead (with authentication): 31–38 bytes
GRE header: 24 bytes
IP header: 20 byes
• GRE over IPSec with tunnel mode introduces ~75
bytes overhead, GRE over IPSec with transport
mode introduces ~55 bytes overhead
SEC-3010
• After GRE tunnel encapsulation, the packets will

be sent to physical interface with DF bit set to 0
• The GRE packets will then be encrypted at
physical interface; if IPSec overhead causes final
IPSec packets to be bigger than the interface
MTU, the router will fragment the packets
• The remote router will need to reassemble the
fragmented IPSec packets (process switched)
which causes performance degradation
SEC-3010
Presentation_ID.scr
• To avoid fragementation and reassembly of

IPSec packets:
1. Set ip mtu 1420 (GRE/IPsec tunnel mode),
ip mtu 1440 (GRE/IPsec transport mode) under
tunnel interface
2. Enable “tunnel path-mtu-discovery” (DF bit copied
after GRE encapsulation) under tunnel interface
3. Turn on “Look-Ahead Fragmentation” feature
• Use “show ip int switching” to verify
switching path
SEC-3010
• Workarounds in case PMTU ICMP packets are

lost or blocked
int tunnel 0
ip mtu 1500
• Incoming big size packets with DF=1 will not be

dropped by GRE tunnel due to larger MTU setting
• The IPSec packets after GRE encapsulation
(DF=0) will be fragmented before they leave
the router
• Performance affects due to fragmentation
SEC-3010
Presentation_ID.scr
Agenda
• Introduction
• PIX IPSec VPNs
• NAT with IPSec
• MTU Issues
• GRE over IPSec
SEC-3010
Loss of Connectivity of IPSec Peers
Internet
IPSec SA IPSec SA
SPI SPI
Peer Peer
ESP SPI=0xB1D1EA3F Local_id
Local_id
Remote_id Remote_id
Transform Transform
… …
00:01:33: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec

packet has invalid spi for destaddr=172.16.172.28, prot=50,
spi=0xB1D1EA3F(-1311643073)
SEC-3010
Presentation_ID.scr
Loss of Connectivity of IPSec Peers
• Use ISAKMP keepalives to detect loss of

connectivity of Cisco IOS IPSec peers
crypto isakmp keepalive <# of sec. between keepalive>
<number of sec. between retries if keepalive fails>
• ISAKMP keepalives might cause performance
degradation for large deployments, choose
keepalive parameters carefully
• In latest Cisco IOS and PIX versions, ISAKMP
keepalives are replaced by DPD (Dead Peer
Detection) for lower CPU overhead
SEC-3010
Agenda
• Introduction
• PIX IPSec VPNs
• NAT with IPSec
• MTU Issues
• GRE over IPSec
SEC-3010
Presentation_ID.scr
Interoperability Tips
• Start with configuring the two ends side

by side with exact matching policies
Phase I Parameters Phase II Parameters
IKE authentication method IPSec mode (tunnel or transport)
Hash algorithm Encryption algorithm
DH group Authentication algorithm
ISAKMP SA lifetime PFS group
Encryption algorithm IPSec SA Lifetime
Matching pre-shared secret Interesting traffic definition
• Turn off vendor specific features:

Mode config, Xauth, IKE keepalive
SEC-3010
Troubleshooting Resource—TAC Web
• Field Notices—alerts to
critical issues
• Security Advisories—
internet security issues
and response
procedures
• TAC Technical Tips—
tips for
troubleshooting;
sample configurations
www.cisco.com/tac
SEC-3010
Presentation_ID.scr
Troubleshooting Resource—TAC Web
• Task -based organization

• Overview
• Network design
• Implementation and
configuration
• Verification and
troubleshooting
• Operating and
maintaining
• Documentation
www.cisco.com/tac
SEC-3010
Recommended Reading
Troubleshooting Cisco IP
Telephony
ISBN: 1587050757
Available on-site at the Cisco Company Store

SEC-3010
Presentation_ID.scr
Please Complete Your
Evaluation Form
Session SEC-3010
SEC-3010
SEC-3010
8121_05_2003_c2
Presentation_ID.scr

Cisco - Troubleshooting Cisco Ios and Pix Firewall-Based Ipsec Implementations (2003)

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Cisco - Troubleshooting Cisco Ios and Pix Firewall-Based Ipsec Implementations (2003)

Caricato da

Copyright:

Formati disponibili

www.GetPedia.

* The Ebook starts from the next page : Enjoy !

Troubleshooting Cisco IOS® and PIX ™

What’s Not Covered

• Complex security association and key

A Key Point to Remember

“Debug and Show commands are

ISAKMP and IKE

VPN Tunnel IPSec

Needs Secure Communications over Insecure Channel

IKE (Two-Phase Protocol)

• Each phase has its SAs: ISAKMP SA (phase I) and

DES DES DES

Phase I SA parameter negotiation complete

HASHI =HMAC(SKEYID,HDR*, ID , HASH

Phase II Quick Mode Negotiation

HDR*, HASH2 , SAchoice , NonceR , [,KER ] [,IDCI ,IDCR ]

“crypto isakmp policy” Defines the

match address 101

interface Ethernet0/3 crypto map Is then Applied to an

crypto map vpn

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

R1#show crypto map

Important Debugs Commands

• debug crypto isakmp

Main Mode IKE Negotiation

Quick Mode Negotiation

Interesting Traffic Received

• Begins Main Mode exchange; IKE

phase I SA parameters SHA-1

ISAKMP: received ke message (1/1)

ISAKMP (0:1): beginning Main Mode exchange

Old State = IKE_I_MM1 New State = IKE_I_MM2

IKE Main Mode Negotiation—

22:17:24: ISAKMP (0:1): processing SA payload . message ID = 0

22:17:24: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_M AIN_MODE

• The policy 10 on this router and the atts offered by

• The third and fourth packets IKE

ISAKMP (0:1): sending packet to HDR, KEI, NonceI

209.165.201.4 (I) MM_SA_SETUP HDR, KER, NonceR

ISAKMP (0:1): processing KE payload . message ID = 0

IKE Main Mode Negotiation—

ISAKMP (0:1): SA is doing pre-shared key HDR, KEI, NonceI

authentication using id type ID_IPV4_ADDR HDR, KER, NonceR

(I) MM_KEY_EXCH HDR*, IDR, HASHR

ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_KEY_EXCH

ISAKMP (0:1): beginning Quick Mode exchange ,

IKE Quick Mode

ISAKMP (0:1): Creating IPSec SAs

IKE Quick Mode

(key eng. msg.) INBOUND local = 209.165.200.227, remote= 209.165.201.4,

• IPSec SA created in SADB, IKE

• Show crypto engine connection active

Router#sh cry engine connection active

These two are IPSec SAs

Router#sh crypto isakmp sa

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

local crypto endpt.: 209.165.200.227, remote crypto endpt .: 209.165.201.4

outbound esp sas:

Hardware Crypto Engine

• In latest Cisco IOS versions, show commands for different

Verify hardware/software Show crypto engine configuration

Hardware info Show diag

Turn on/off the hardware