crypto map ipsec configuration

Answered Question
Nov 21st, 2007

Hi Experts,

I am going to configure point-to-point IPsec tunnelling. I am new to this technology. Can anybody point me to the right location for this info?

And the troubleshooting steps if I face problems?

Thanks!


Correct Answer by Jon Marshall about 9 years 2 weeks ago

Hi Cindy

Attached is a link to a whole load of configuration examples for IPSEC tunnels from routers/firewalls/VPN concentrators. You should be able to find a document there to start you off and feel free to come back with any more questions.

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

HTH

Jon

Overall Rating: 4.8 (4 ratings)
cindylee27 Wed, 11/21/2007 - 17:14

Sheik,

I can't view this link as I need to have a CCO account.

As for Jon and Samuel, I have rated your posts.

I will get back to you all if I face any issues on this. :-)

Thanks!

cindylee27 Wed, 11/21/2007 - 18:19

Guys,

I managed to get 2 routers to play with for this ipsec configuration.

Currently I am thinking of using these 2 routers for testing, configuring the routers themselves connected with a crossover cable.

Can I know if this method will work, from the FastEthernet of Router 1 to Router 2? And how can I verify that it is really encrypted, as I need to convince the customer that they are really on the encryption process...

Thanks so much again!

JORGE RODRIGUEZ Wed, 11/21/2007 - 18:57

Cyndy, your name seems familiar from previous posts but I'm not sure; anyway, greetings!

Sure, you can do a router-to-router L2L VPN simulation, but I guess you would need at least one station/laptop at each end to initiate "interesting traffic". Interesting traffic is key to bringing up the tunnel, and that happens, say, when host-1 behind RouterA sends a ping or any other TCP request to host-1 behind RouterB. I speak from FW L2L VPNs, but I would expect it to be the same principle when using IOS.

There are two commands you can use to see whether the tunnel is up or not.

show crypto ipsec sa - shows the phase 2 security associations.

show crypto isakmp sa - shows the phase 1 security associations

There are a few debug commands, which are an excellent tool for troubleshooting crypto, to see what is going on if the tunnel does not come up or to see traffic being encrypted when the tunnel is up.

I quote from one of Jon's posted links

debug crypto ipsec -Shows the IPSec negotiations of phase 2.

debug crypto isakmp -Shows the ISAKMP negotiations of phase 1.

debug crypto engine -Shows the traffic that is encrypted.

Rgds

Jorge

cindylee27 Wed, 11/21/2007 - 19:06

Thanks Jon!

Yeah, I have been posting and you guys are great at helping out. :) I have been missing a while from this forum as I went on vacation. ;)

Anyway, thanks for the reply. I would like to understand what the difference is between phase 1 and phase 2 security associations, or must the 2 phases always come together in the IPsec config?

Thanks again..

Correct Answer
JORGE RODRIGUEZ Wed, 11/21/2007 - 19:39

Cyndy, I'm not Jon but thanks for the compliment! There are two phases, in order: Phase I must be established before Phase II.

I quote:

IPSec Phase 1 Internet Key Exchange Security Association policy to be used to negotiate the tunnel, which consists of the following:

-Encryption algorithm for IPSec VPN tunnel, which must be the same for both devices-DES, 3DES, AES-128, AES-192, or AES-256. The default is 3DES.

-Authentication algorithm for the IPSec VPN tunnel, which must be the same for both devices-MD5 or SHA. The default is SHA.

-Diffie Hellman Group, which must be the same for both devices-group 1, group 2, group 5, or group 7. The default is group 2.

IPSec Phase 2 Encryption and Authentication policy to be applied to the VPN tunnel. The parameters and options consist of the following:

-Encryption algorithm for IPSec VPN tunnel, which must be the same for both devices-DES, 3DES, AES-128, AES-192, or AES-256. The default is 3DES.

-Authentication algorithm for the IPSec VPN tunnel, which must be the same for both devices-MD5 or SHA. The default is SHA.

Here is some terminology to start getting familiar with; check Intro to IPsec encryption:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

Rate any helpful post

Rgds

Jorge
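Jorge's list above maps directly onto IOS configuration: the Phase 1 items go into a crypto isakmp policy, the Phase 2 items into a crypto ipsec transform-set, and the crypto map ties them to a peer and to the crypto ACL that defines the interesting traffic. The following is an added example, not part of the original thread or of the linked Cisco documents, written for the two-router lab Cindy describes. The public addresses 20.20.20.20/21, the LANs 192.168.1.0/24 and 192.168.2.0/24 and FastEthernet0/1 as the WAN side are taken from the thread; the names VPN-MAP, VPN-TRAFFIC and TS-AES256-SHA256, the FastEthernet0/0 LAN addresses and the pre-shared key placeholder are assumptions. It uses AES-256, SHA-256 and DH group 14 instead of the 3DES/MD5/group 2 defaults Jorge quotes (the transform in Cindy's later output is still esp-3des esp-md5-hmac); the sha256 and group 14 keywords need an IOS 15.x image, and on an older 12.4 image the nearest choices are hash sha, group 5 and esp-sha-hmac.

```cisco
! --- Router A (LAN 192.168.1.0/24, public 20.20.20.20) ---
!
! Phase 1 (IKEv1 / ISAKMP policy): how the two routers authenticate each
! other and protect the negotiation itself. Every value must match the peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to the peer's public address. PLACEHOLDER: replace
! with a long random secret; Router B configures the same string for 20.20.20.20.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 20.20.20.21
!
! Phase 2 (IPsec transform set): how user traffic is encrypted and
! authenticated once the tunnel is up. Must match the peer as well.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL = the "interesting traffic" that triggers and rides the tunnel.
! Router B needs the exact mirror image (source and destination swapped).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! The crypto map ties peer, transform set and crypto ACL together.
! PFS forces a fresh Diffie-Hellman exchange on every Phase 2 rekey.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 20.20.20.21
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 description WAN side, crossover cable to Router B
 ip address 20.20.20.20 255.255.255.0
 crypto map VPN-MAP
!
interface FastEthernet0/0
 description LAN side (assumed address)
 ip address 192.168.1.1 255.255.255.0
!
! The remote LAN must route out of the crypto-mapped interface, otherwise
! the crypto ACL is never consulted and the tunnel never comes up.
ip route 192.168.2.0 255.255.255.0 20.20.20.21
!
! --- Router B: same isakmp policy and transform set; only these lines differ ---
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 20.20.20.20
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
interface FastEthernet0/1
 ip address 20.20.20.21 255.255.255.0
 crypto map VPN-MAP
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 20.20.20.20
```

Nothing is negotiated until a packet matches VPN-TRAFFIC, so a ping from a host on 192.168.1.0/24 to one on 192.168.2.0/24 (or a ping sourced from the LAN interface) is what brings the tunnel up; a mismatched isakmp policy stops Phase 1 and a non-mirrored crypto ACL or different transform set stops Phase 2, which is why the two show commands Jorge lists are checked in that order.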

cindylee27 Wed, 11/21/2007 - 20:41

Great answer Jorge! :) And I have rated your post.

And also, sorry about the mismatched name, as I overlooked it. :P -> causing a "duplex mismatch"... haa..

I will let you guys know if this testing is successful by posting back at this forum.

Thanks once again..

Jon Marshall Wed, 11/21/2007 - 23:31

Cindy

Thanks for the rating much appreciated and welcome back.

Jorge

Appreciate the compliment, but the only real difference between our postings is that I have been doing it longer :)

Jon

cindylee27 Thu, 11/22/2007 - 00:38

Guys,

I have done the testing, but would like to verify if the result is good.

I did a....

Router#sh crypto engine connections active

  ID Interface        IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/1  20.20.20.20     set    HMAC_MD5+3DES_56_C        0        0
5131 FastEthernet0/1  20.20.20.20     set    HMAC_MD5+3DES_56_C        0      151
5132 FastEthernet0/1  20.20.20.20     set    HMAC_MD5+3DES_56_C      151        0

Is this enough to show that the crypto is working?

Jon Marshall Thu, 11/22/2007 - 00:57

Hi Cindy

The commands I normally use to check are:

1) sh crypto isa sa - this shows you if phase 1 has completed successfully. It should say "QM_IDLE" under status

2) sh crypto ipsec sa - this shows you if the Phase 2 tunnels were set up successfully and will also show the number of encrypted and decrypted packets.

Jon

cindylee27 Thu, 11/22/2007 - 01:48

Jon,

Thanks,

Can I say that the result below is verified for IPsec encryption?

--------------------------------------------

Router#sh crypto isa sa
dst             src             state          conn-id slot
20.20.20.21     20.20.20.20     QM_IDLE              1    0

Router#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: hsbc-iras, local addr. 20.20.20.20

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 20.20.20.21:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 204, #pkts encrypt: 204, #pkts digest 204
    #pkts decaps: 191, #pkts decrypt: 191, #pkts verify 191
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 20.20.20.20, remote crypto endpt.: 20.20.20.21
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 711DF592

     inbound esp sas:
      spi: 0x98B451FB(2561954299)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5133, flow_id: 13, crypto map: hsbc-iras
        sa timing: remaining key lifetime (k/sec): (4444514/2197)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x711DF592(1897788818)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5134, flow_id: 14, crypto map: hsbc-iras
        sa timing: remaining key lifetime (k/sec): (4444512/2193)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Jon Marshall Thu, 11/22/2007 - 01:51

Cindy

Phase 1 looks good and phase 2 looks good as well.

The real test is can you pass traffic down the tunnel. From the phase 2 output it looks like you can.

Without wishing to sound patronising, that's a really good job you've done, because setting up VPNs can be a very time-consuming and finicky problem :)

Jon

cindylee27 Thu, 11/22/2007 - 01:54

Thanks Jon.. :)

Another question is, how can I determine that the tunnel is up and can be passed through?

As you were saying, the real test is to pass traffic down the tunnel...

Thanks once again :D

Jon Marshall Thu, 11/22/2007 - 02:02

Cindy

The tunnel is up because of the output from the "sh crypto ipsec sa". If there was no tunnel up you wouldn't see all that output from your command.

From the output:

"local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)"

The local network (local to the router you ran the command on) is

192.168.1.0/24

The remote network is

192.168.2.0/24

So you need to generate traffic from a host on 192.168.1.0/24 network to a host on the 192.168.2.0/24 network.

Don't forget that if you have access-lists on the interfaces on each router that use the public addressing you will need to add the relevant ports into the access-list.

Jon
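Jon's last caveat in concrete form, as an added example that is not part of the original thread: an inbound ACL on Router A's public interface that blocks everything except what the tunnel itself needs from the peer. An interface ACL is evaluated on the encrypted packets as they arrive, so if it drops IKE or ESP the tunnel never negotiates, or negotiates and then passes nothing. The ACL name and the final logging deny are assumptions; the addresses are the thread's.

```cisco
! Router A, public interface FastEthernet0/1 (20.20.20.20), peer 20.20.20.21
ip access-list extended OUTSIDE-IN
 remark IKE / ISAKMP negotiation (Phase 1 and Phase 2), UDP/500
 permit udp host 20.20.20.21 host 20.20.20.20 eq isakmp
 remark NAT traversal, UDP/4500; only exercised if a NAT device sits between the peers
 permit udp host 20.20.20.21 host 20.20.20.20 eq non500-isakmp
 remark The protected traffic itself: ESP, IP protocol 50
 permit esp host 20.20.20.21 host 20.20.20.20
 remark Only if AH is in the transform set (the thread's output shows no AH SAs)
 remark permit ahp host 20.20.20.21 host 20.20.20.20
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group OUTSIDE-IN in
```

With the deny logged, a tunnel that refuses to come up after the ACL is applied shows the blocked protocol straight away in the log, which is quicker than turning on debug crypto isakmp. The same three permits, with source and destination swapped, go on Router B.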

cindylee27 Thu, 11/22/2007 - 05:35

Thanks Jon,

Got it... :)

Will let you know if I face a problem at a later stage during production.

JORGE RODRIGUEZ Thu, 11/22/2007 - 08:43

Completely agree Jon, and believe me, besides labs and reading links, books etc., I follow your posts to learn from; there are quite a few very good engineers in NetPro and you're one among them.

Rgds

Jorge
