Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
com
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 2
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EasyVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 3
• PKI-based troubleshooting
• Debugs from the PIX platforms
• Dynamic Multipoint VPN (DMVPN)
• IPSec VPN Service Module
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 4
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Why Troubleshooting Is Important
in Today’s VPN Deployment
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 6
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Secure Communications
Using IPSec VPN
Message
Message
A B
Me
ssa
ss
ag
e
Me
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 7
IKE
IPSec
Data
• Two-phase protocol:
Phase I exchange: two peers establish a secure, authenticated
channel with which to communicate; main mode or aggressive mode
accomplishes a phase I exchange
Phase II exchange: security associations are negotiated on behalf
of IPSec services; quick mode accomplishes a phase II exchange
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Main Mode with Pre-Shared Key
Initiator Responder
IKE
ESP ESP
DES DES
SHA HDR*, HASH1 , Saproposal , NonceI [,KEI ] [,IDCI ,IDCR ] SHA
PFS 1 PFS 1
HDR*, HASH3
• Protected by Phase I SA
• Optional DH exchange for Perfect Forward Secrecy (PFS)
• Negotiate IPSec SA parameters, including proxy identities [IDCI, IDCR]
• Two unidirectional IPSec SA established with unique SPI number
• Nonce exchanged for generating session key
KEYMAT = HMAC (SKEYIDd,[KEIKER|]protocol|SPI|NonceI|NonceR)
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 10
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EasyVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 11
Layout
209.165.200.227 209.165.201.4
Backbone
Router1 Router2
10.1.1.0/24 10.1.2.0/24
Encrypted
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 12
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Router Configurations
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 13
Router Configurations
interface Ethernet0/2
ip address 10.1.1.1 255.255.255.0 Interface that Is Connected to the
Private Side of the Network
!
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 14
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Router Configurations
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 15
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 16
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Debugs Functionality Flow Chart
Interesting Traffic Received
Establishment of Tunnel
IKE
IPSec
Data
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 17
Tunnel Establishment
• The ‘local’ is the local tunnel end-point, the ‘remote’ is the remote crypto end
point as configured in the map. The src proxy is the src interesting traffic as
defined by the match address access list; The dst proxy is the destination
interesting traffic as defined by the match address access list
protocol= ESP, transform= esp-3des esp -md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x 400A
• The protocol and the transforms are specified by the crypto map which has
been hit, as are the lifetimes
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 18
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
IKE Main Mode Negotiation—
Phase I SA Negotiation
Initiator Responder
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 19
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 20
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
IKE Main Mode Negotiation—
DH Exchange
Initiator Responder
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 21
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
IKE Quick Mode
IPSec SA Negotiations
Initiator Responder
IKE
IPSec
• Begin Quick Mode exchange;
IPSec SA will be negotiated ESP
3DES
HDR*, HASH1 , Saproposal , NonceI [,KEI ] [,ID CI ,ID CR ] ESP
3DES
in QM SHA
HDR*, HASH2 , SAchoice , NonceR , [,KER ] [,IDCI ,IDCR ]
SHA
• The IPSec SA proposal offered by far end will be checked against local
crypto map configuration
ISAKMP (0:1): processing HASH payload. message ID = 843945273
ISAKMP (0:1): processing SA payload. message ID = 843945273
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 23
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 24
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
IKE Quick Mode
SA Creation
• Two IPSec SAs have been negotiated, an incoming SA with the SPI
generated by the local machine and an outbound SA with the SPIs
proposed by the remote end
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 25
22:17:25: IPsec(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 209.165.200.227, remote = 209.165.201.4,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy = 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform = esp -3des esp-md5-hmac ,
lifedur = 3600s and 4608000kb,
spi = 0x8E1CB77A(2384246650), conn_id = 2001, keysize= 0, flags= 0xA
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 26
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
IKE Quick Mode
Phase 2 Completion
Initiator Responder
sa_spi= 0x4579753B(1165587771),
Data
sa_trans= esp -3des esp -md5-hmac ,
sa_conn_id= 2000
IPsec(create_sa): sa created,
(sa) sa_dest= 209.165.201.4, sa_prot= 50, sa_spi= 0x8E1CB77A(23 84246650),
sa_trans= esp -3des esp -md5-hmac , sa_conn_id= 2001
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_FROM_PEER, IKE_QM _EXCH
Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 27
Show Commands
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 28
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Show Commands
This is ISAKMP SA
2000 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 0 19
2001 Ethernet0/3 209.165.200.227 set HMAC_MD5+3DES_56_C 19 0
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 29
Show Commands
Router#sh crypto ipsec sa
interface: Ethernet0/3
Crypto map tag: vpn, local addr. 209.165.200.227
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 30
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Show Commands
inbound esp sas:
spi: 0x4579753B(1165587771)
transform: esp-3des esp -md5 -hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 31
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 32
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Hardware Crypto Engine (Cont.)
• show diag
slot : 0
Shows the Type of
Encryption AIM 0: Hardware Encryption
Hardware Revision : 1.0
Top Assy. Part Number : 800-15369-03
Board Revision : B0
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 33
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 34
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Hardware Crypto Engine (Cont.)
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Common Issues
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 38
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Incompatible ISAKMP Policy
or Pre-Shared Secrets
3d01h: ISAKMP (0:1): processing SA ISAKMP (0:1): Checking ISAKMP
payload. message ID = 0 transform 1 against priority 65535
policy
3d01h: ISAKMP (0:1): found peer pre -
shared key matching 209.165.200.227 ISAKMP: encryption 3DES -CBC
ISAKMP (0:1): Checking ISAKMP ISAKMP: hash MD5
transform 1 against priority 1 policy
ISAKMP: default group 1
ISAKMP: encryption 3DES -CBC
ISAKMP: auth pre -share
ISAKMP: hash MD5
ISAKMP: life type in seconds
ISAKMP: default group 1
ISAKMP: life duration (VPI) of
ISAKMP: auth pre -share 0x0 0x1 0x51 0x80
ISAKMP: life type in seconds ISAKMP (0:1): Encryption algorithm
offered does not match policy!
ISAKMP: life duration (VPI) of
0x0 0x1 0x51 0x80 ISAKMP (0:1): atts are not acceptable.
Next payload is 0
ISAKMP (0:1): Hash algorithm offered
does not match policy! ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): atts are not acceptable. ISAKMP (0:1): phase 1 SA not
Next payload is 0 acceptable!
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 39
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 40
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Incompatible ISAKMP Policy
or Pre-Shared Secrets
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 41
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 42
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Incompatible or
Incorrect Access Lists
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 43
Incompatible or
Incorrect Access Lists
1w6d: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.201.4, remote= 209.165.200.227,
local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1w6d: IPSEC(validate_transform_proposal): proxy identities not supported
1w6d: ISAKMP (0:2): IPSec policy invalidated proposal
1w6d: ISAKMP (0:2): phase 2 SA not acceptable!
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 44
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Crypto Map on the Wrong Interface
Overlapping ACLs
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 46
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Incorrect SA Selection by the Router
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.202.149,
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp -3des esp -md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 209.165.202.149 not found
ISAKMP (0:2): IPSec policy invalidated proposal
ISAKMP (0:2): phase 2 SA not acceptable!
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 47
Routing Issues
• A packet needs to be routed to the interface which
has the crypto map configured on it before IPSec
will kick in
• Routes need to be there for:
The router to reach its peers address
The IP subnets of the destination host before the packets
are encrypted
The IP subnets of the destination host once the packets
are decrypted
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Possible Caveats in Switching Paths
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 49
Quiz Time
Agenda
“PROXY IDS NOT SUPPORTED..”
• Introduction
Debug Message Means:
• Router IPSec VPNs
• PIX IPSec VPNs
1. Phase 2 Hashing is mismatched
• Cisco EasyVPN Clients
2. Access-List is mismatched
• NAT with IPSec
• Firewalling
3. Phase and IPSec type is
2 Encryption
mismatched
• MTU Issues
• GRE over IPSec
4. DH group is mismatched
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 50
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Layout
10.1.2.0/24
10.1.1.0/24
209.165.202.129 209.165.200.226
Internet
PIX 1 PIX 2
Public
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 51
Access-List “bypassnat”
access-list bypassnat permit ip 10.1.1.0 Defines Interesting Traffic
255.255.255.0 10.1.2.0 255.255.255.0 to bypass NAT for VPN
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Standard Site-to-Site VPN
Configuration Highlight
“crypto IPSec..” Command
crypto ipsec transform-set mysetdes esp-des Defines IPSec Encryption
esp-md5-hmac and authen algo
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 53
Common Issues
• Bypassing NAT
• Enabling ISAKMP
• Missing sysopt commands
• Combining PIX-PIX and
PIX-VPN client issues
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 54
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Bypassing NAT
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 55
Enabling ISAKMP
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 56
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Missing Sysopt Commands
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 57
Combining PIX-PIX
and PIX-Client Issues
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EasyVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 59
Layout
209.165.200.227
172.18.124.96
WINS
VPN Client
Router
14.38.1.0/24
10.1.1.0/24 Internet
209.165.201.4 Router
DNS 14.38.2.0/24
Pix Pix
209.165.200.226 209.165.201.2
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 60
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
EasyVPN Client to a Router
aaa new-model
aaa authentication login userauthen local aaa Commands Enable User
aaa authorization network groupauthor local Authentication and Group
Authorization
username cisco password 0 cisco123
Username pix password 0 cisco123
!
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 62
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
EasyVPN Client to a Router (Cont.)
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 63
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 64
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
EasyVPN Client to a PIX (Cont.)
Define a Pool of Addresses to Be
ip local pool ippool 10.1.2.1-10.1.2.254 Assigned back to the VPN Client
crypto IPSec transform-set myset esp -des esp -md5-hmac “crypto IPSec transform-set…”
crypto dynamic-map dynmap 10 set transform-set myset Command Defines Phase 2
Negotiation Parameters
crypto map mymap 10 IPsec-isakmp dynamic dynmap “crypto map…” Commands
crypto map mymap interface outside Defines the Actual Map which
Would Be Applied to
an Interface for the Data
SEC-3010 Encryption
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 65
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 66
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Cisco IOS EasyVPN Client
interface Ethernet0
ip address 14.38.1.1 255.255.255.0 “crypto ipsec client … inside”
crypto ipsec client ezvpn ezvpnclient inside Command Defines the Private
Subnet for the IPSec Encryption
hold-queue 100 out
interface Ethernet1
ip address 209.165.201.4 255.255.255.224 “crypto ipsec client … ”
crypto ipsec client ezvpn ezvpnclient Command Is then Applied to an
Outbound Interface
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 67
hostname vpn-pix501b
domain-name cisco.com
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 68
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Cisco IOS Debugs: Phase I Negotiation
Debug crypto isakmp
Debug crypto ipsec
Debug crypto ipsec client ezvpn ( on EZVPN client )
…
ISAKMP (0:10): Need XAUTH
…
ISAKMP/xauth: request attribute XAUTH_TYPE_V2
ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2 Router Is Requesting the VPN
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2 Client for User Authentication
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 70
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Cisco IOS Debugs:
Mode Configuration
ISAKMP (0:10): checking request:
ISAKMP: IP4_ADDRESS
ISAKMP: IP4_NETMASK
ISAKMP: IP4_DNS Received Mode Configuration
ISAKMP: IP4_NBNS Request from the VPN Client
ISAKMP: ADDRESS_EXPIRY
ISAKMP: APPLICATION_VERSION Unknown Attr: Is Not an Error; It
ISAKMP: UNKNOWN Unknown Attr: 0x7000 Just Means that PIX Does Not
… Support this mode-config
Attribute Requested by the VPN
ISAKMP: Sending private address: 14.1.1.3
Client
ISAKMP: Unknown Attr: IP4_NETMASK (0x2)
ISAKMP: Sending IP4_DNS server address: 14.36.1.10
ISAKMP: Sending IP4_NBNS server address: 14.36.1.20
Router Is Sending the
ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the
address: 86395 Mode-Configuration back to
the VPN Client
ISAKMP: Sending APPLICATION_VERSION string: Cisco
Internetwork OperatingSystem Software
IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(15)T,
RELEASE SOFTWARE (fc1)
ISAKMP: Unknown Attr: UNKNOWN (0x7000)
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 71
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 72
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Common Issues
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 73
Quiz Time
Agenda
The Purpose of
• Introduction
“sysopt connection permit-IPsec”
• Router IPSec VPNs Is:
• PIX IPSec VPNs
1. To bypass conduits
• Cisco EasyVPN or ACL checking
Clients
against the decrypted VPN traffic
• NAT with IPSec
2. To bypass NATand
• Firewalling forIPSec
the IPSec traffic
• MTU Issues
3. To bypass the assignment of IP address
• GRE over IPSec
to the VPN client
• Loss of Connectivity of IPSec Peers
4. To bypass X-Auth for the VPN clients
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 74
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Common Problems
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 75
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Bypassing Static NAT Entries
lo1
interface Ethernet0/2
ip address 10.1.1.3 255.255.255.0
ip nat inside
e0/3 ip route-cache policy
e0/2
nat in nat out ip policy route-map nonat
crypto map
crypto map vpn 10 IPsec-isakmp ip nat inside source list 1 interface Ethernet0/3 overload
set peer 209.165.201.4
ip nat inside source static 10.1.1.1 209.165.200.230
set transform-set myset
match address 101 access list 1 permit 10.0.0.0 0.255.255.255
interface Loopback1 access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0
ip address 10.2.2.2 255.255.255.252 0.0.0.255
access list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0
0.0.0.255
interface Ethernet0/03
ip address 209.165.200.227 255.255.255.0
route-map nonat permit 10
ip nat outside match ip address 120
set ip next-hop 10.2.2.1
crypto map vpn
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 77
e0/3
e0/2
nat out
nat in
crypto map
interface Ethernet0/2
ip address 10.1.1.3 255.255.255.0
crypto map vpn 10 IPsec-isakmp ip nat inside
set peer 209.165.201.4
set transform-set myset ip nat inside source list 1 interface Ethernet0/3 overload
match address 101
ip nat inside source static 10.1.1.1 209.165.200.230 route-map
nonat
interface Ethernet0/03 access-list 1 permit 10.1.1.0 255.255.255.0
ip address 209.165.200.227 55.255.255.0 access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
ip nat outside
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
crypto map vpn
route-map nonat permit 10
match ip address 120
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 78
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
NAT in the Middle of an IPSec Tunnel
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 79
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EasyVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 80
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Firewall in the Middle
Internet
Router
Private Private
Encrypted
Public
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 81
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EZVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 83
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 84
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
IPSec and PMTU
MTU 1500 172.16.172.10/28 172.16.172.20/28 MTU 1500 10.1.2.2
10.1.1.2
e1/1 e1/0 MTU MTU MTU
1500 1400 1500
1500 DF=1
ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to
ICMP Type3 Code 4
10.1.1.2 (“debug ip icmp” output)
(1454)
1454 DF=1 1500 DF copied
(1354)
Common Problem
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 86
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
MTU Issues Work around:
Policy Routing
crypto map vpn 10 IPsec -isakmp route-map ClearDF permit 10
set peer 172.16.172.10 match ip address 101
set transform -set myset set ip df 0
match address 101 !
! access-list 101 permit ip 10.1.2.0
interface Ethernet1/0 0.0.0.255 10.1.1.0 0.0.0.255
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 87
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 88
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
MTU Issues Work around:
Look ahead Fragmentation
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 89
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
Quiz Time
The Purpose of
• Introduction
“crypto ipsec df-bit
• Router IPSecclear
VPNs” Is:
• PIX IPSec VPNs
1. To adjust the TCP-MSS value in the syn
• Cisco EasyVPN Clients
packets
• NAT with IPSec
2. To help the router in doing Path MTU
• Firewalling and IPSec
Discovery
• MTU Issues
3. To drop the IPSec packets if don’t
• GRE over IPSec
fragment bit is set
• Loss of Connectivity of IPSec Peers
4. To remove the don’t
• Interoperability fragment bit
Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 91
c
IPSe
GRE
Internet
Internet
a. Original Packet
b. GRE Encapsulation
c. GRE over IPSec Transport Mode
d. GRE over IPSec Tunnel Mode
a IP Hdr 1 TCP hdr Data
d IP hdr 3 ESP hdr IP hdr 2 GRE hdr IP Hdr 1 TCP hdr Data
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 92
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
GRE over IPSec
(Common Configuration Issues)
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 94
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
GRE over IPSec (MTU Issues)
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 95
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 96
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
GRE over IPSec (MTU Issues)
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 97
int tunnel 0
ip mtu 1500
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EasyVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 99
Internet
IPSec SA IPSec SA
SPI SPI
Peer Peer
ESP SPI=0xB1D1EA3F Local_id
Local_id
Remote_id Remote_id
Transform Transform
… …
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Loss of Connectivity of IPSec Peers
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 101
Agenda
• Introduction
• Router IPSec VPNs
• PIX IPSec VPNs
• Cisco EasyVPN Clients
• NAT with IPSec
• Firewalling and IPSec
• MTU Issues
• GRE over IPSec
• Loss of Connectivity of IPSec Peers
• Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 102
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Interoperability Tips
• Field Notices—alerts to
critical issues
• Security Advisories—
internet security issues
and response
procedures
• TAC Technical Tips—
tips for
troubleshooting;
sample configurations
www.cisco.com/tac
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 104
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Troubleshooting Resource—TAC Web
www.cisco.com/tac
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 105
Recommended Reading
Troubleshooting Cisco IP
Telephony
ISBN: 1587050757
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Please Complete Your
Evaluation Form
Session SEC-3010
SEC-3010
8121_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 107
SEC-3010
8121_05_2003_c2
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr