crypto map ipsec configuration..

cindylee27
Level 1

Hi Experts,

I am going to configure point-to-point IPsec tunnelling. I'm new to this technology. Can anybody point me to the right location for this info?

And the troubleshooting steps if I face problems?

Thanks!

2 Accepted Solutions (Jon Marshall's and Jorge Rodriguez's replies below)

18 Replies

Sheik,

I can't view this link as it needs a CCO account.

As for Jon and Samuel, I have rated your posts.

I will get back to you all if I face any issues on this. :-)

Thanks!

Jon Marshall
Hall of Fame

Hi Cindy

Attached is a link to a whole load of configuration examples for IPSEC tunnels from routers/firewalls/VPN concentrators. You should be able to find a document there to start you off and feel free to come back with any more questions.

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

HTH

Jon

Wilson Samuel
Level 7

Hi,

Cisco SRNDs are also a good place to learn about the technology in depth. You may follow the following SRND to understand the tech and to see a few good examples and situations:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008073a0c5.pdf

Kind Regards,

Wilson Samuel

Please rate all helpful posts.

Guys,

I managed to get 2 routers to play with for this ipsec configuration.

Currently I am thinking of using these 2 routers for testing, configuring on the routers themselves and connecting them with a crossover cable.

Can I know if this method will work? From Fast E of Router 1 to Router 2, and how can I verify that it is really encrypted, as I need to convince the customer that they are really in the encryption process...

Thanks so much again!

Cyndy, the name seems familiar from previous posts but I'm not sure; anyway, greetings!

Sure, you can do a router-to-router L2L VPN simulation, but I guess you would need at least one station/laptop at each end to initiate "interesting traffic". Interesting traffic is key to bringing up the tunnel, and that happens, say, when host-1 behind RouterA sends a ping or any other TCP request to host-1 behind RouterB. I speak from FW L2L VPNs but I would expect it to be the same principle when using IOS.

There are two commands you can use to see whether tunnel is up or not.

show crypto ipsec sa - shows the phase 2 security associations.

show crypto isakmp sa - shows the phase 1 security associations

There are a few debug commands, which are an excellent tool for troubleshooting crypto, to see what is going on if the tunnel does not come up or to see traffic being encrypted when the tunnel is up.

I quote from one of Jon's posted links

debug crypto ipsec -Shows the IPSec negotiations of phase 2.

debug crypto isakmp -Shows the ISAKMP negotiations of phase 1.

debug crypto engine -Shows the traffic that is encrypted.

Rgds

Jorge

Jorge Rodriguez
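Jorge's show and debug commands prove the tunnel from the router's point of view. For Cindy's goal of convincing the customer, the other half of the evidence is what crosses the wire between the two routers. The following is an added example, not code from the original thread or from Cisco: it decodes packets sniffed on the crossover link and accepts only ESP (IP protocol 50) whose SPI matches what the routers report under 'show crypto ipsec sa', using the ESP sequence number as a replay/reorder check; anything else between the peers is a cleartext leak, typically traffic the crypto ACL did not match. The packets are constructed byte strings for the example (no capture file); the WAN/LAN addresses and the two SPI values are the ones in Cindy's show output later in this thread.

```python
"""Packet-level evidence that the router-to-router link carries only ESP.

Added example, not from the original thread. All packets are constructed
in this file; nothing is captured or sent. The IPv4 header checksum is left
at zero for that reason.
"""
import socket
import struct

IP_PROTO_ICMP = 1
IP_PROTO_ESP = 50


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of `payload`."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP on the wire: 4-byte SPI, 4-byte sequence number, then opaque data."""
    return ipv4_packet(src, dst, IP_PROTO_ESP, struct.pack("!II", spi, seq) + ciphertext)


def parse(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for ESP, the SPI and sequence number."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:total_len]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    if proto == IP_PROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    else:
        info["payload"] = body          # readable on the wire: that is the problem
    return info


def audit(packets, known_spis) -> list:
    """Classify each packet seen on the link between the two routers.

    'encrypted'   ESP with an SPI the router reports in 'show crypto ipsec sa'
                  and a sequence number higher than the last one for that SPI
    'unknown-spi' ESP, but not one of our SAs (some other tunnel, or stale)
    'replayed-or-reordered'  sequence number did not increase
    'cleartext'   anything that is not ESP: the crypto map did not catch it
    """
    last_seq = {}
    findings = []
    for pkt in packets:
        p = parse(pkt)
        if p["proto"] != IP_PROTO_ESP:
            findings.append(("cleartext", p))
            continue
        if p["spi"] not in known_spis:
            findings.append(("unknown-spi", p))
        elif p["seq"] <= last_seq.get(p["spi"], 0):
            findings.append(("replayed-or-reordered", p))
        else:
            findings.append(("encrypted", p))
        last_seq[p["spi"]] = max(last_seq.get(p["spi"], 0), p["seq"])
    return findings


# Constructed sample traffic, as a sniffer on the crossover cable would see it.
OPAQUE = bytes.fromhex("9f1c7a0355e1208bc41902d76e33a841")   # stands in for ciphertext
SPI_R1_TO_R2 = 0x711DF592   # R1's 'current outbound spi'
SPI_R2_TO_R1 = 0x98B451FB   # R1's inbound ESP SA
KNOWN_SPIS = {SPI_R1_TO_R2, SPI_R2_TO_R1}
SAMPLE = [
    esp_packet("20.20.20.20", "20.20.20.21", SPI_R1_TO_R2, 1, OPAQUE),
    esp_packet("20.20.20.21", "20.20.20.20", SPI_R2_TO_R1, 1, OPAQUE),
    esp_packet("20.20.20.20", "20.20.20.21", SPI_R1_TO_R2, 2, OPAQUE),
    # A LAN-to-LAN ICMP echo appearing unencapsulated on the WAN link means
    # the crypto ACL did not match it; its payload is readable by anyone.
    ipv4_packet("192.168.1.10", "192.168.2.10", IP_PROTO_ICMP,
                struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnop"),
]

if __name__ == "__main__":
    for verdict, p in audit(SAMPLE, KNOWN_SPIS):
        detail = (f"spi=0x{p['spi']:08X} seq={p['seq']}" if "spi" in p
                  else f"payload={p['payload'][8:]!r}")
        print(f"{verdict:22s} {p['src']} -> {p['dst']}  {detail}")
```

On a real link, feed `audit` the IPv4 packets from a capture taken on the crossover cable while a host behind one router pings a host behind the other; with the tunnel working, every packet between 20.20.20.20 and 20.20.20.21 classifies as 'encrypted' and the ping text never shows up.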

Thanks Jon!

Yeah, I have been posting and you guys are great at helping out. :) I have been missing from this forum for a while as I went on vacation. ;)

Anyway, thanks for the reply. I would like to understand what the difference is between phase 1 and phase 2 of the security associations, or must the 2 phases always come together in the IPsec config?

Thanks again..

Cyndy, I'm not Jon but thanks for the compliment! There are two phases, in order; Phase I must be established before Phase II.

I quote!!

IPSec Phase 1 Internet Key Exchange Security Association policy to be used to negotiate the tunnel, which consists of the following:

-Encryption algorithm for IPSec VPN tunnel, which must be the same for both devices: DES, 3DES, AES-128, AES-192, or AES-256. The default is 3DES.

-Authentication algorithm for the IPSec VPN tunnel, which must be the same for both devices: MD5 or SHA. The default is SHA.

-Diffie-Hellman group, which must be the same for both devices: group 1, group 2, group 5, or group 7. The default is group 2.

IPSec Phase 2 Encryption and Authentication policy to be applied to the VPN tunnel. The parameters and options consist of the following:

-Encryption algorithm for IPSec VPN tunnel, which must be the same for both devices: DES, 3DES, AES-128, AES-192, or AES-256. The default is 3DES.

-Authentication algorithm for the IPSec VPN tunnel, which must be the same for both devices: MD5 or SHA. The default is SHA.

Here is some terminology to start getting familiar with; check Intro to IPsec encryption:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

Rate any helpful post

Rgds

Jorge

Jorge Rodriguez
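Jorge's two-phase breakdown maps directly onto IOS crypto-map commands. The following is an added example, not configuration from the original thread or from Cisco's documentation: it renders the configuration for each end of a point-to-point tunnel from one shared parameter set and, since every phase-1 and phase-2 value has to agree on both peers, it also reports exactly which field differs when the two ends are described differently. The WAN addresses, LAN ranges and the map name hsbc-iras follow Cindy's later show output; the pre-shared key, ACL number, transform-set name and the AES-256/SHA/group 14 choice are assumptions (the thread's routers negotiated 3DES/MD5/group 2, which configure the same way but should not be used for anything new; AES and group 14 need an IOS release that offers them, and the group list quoted above is the older 1/2/5/7 set).

```python
"""Phase 1 / Phase 2 parameters of a point-to-point IOS crypto-map tunnel,
rendered as configuration for each end and checked for mismatches.

Added example, not configuration from the original thread. Pre-shared key,
ACL number, transform-set name and the AES-256/SHA/group 14 choice are
assumptions; WAN/LAN addresses and the map name follow the thread.
"""
from dataclasses import dataclass, asdict, replace


@dataclass(frozen=True)
class Phase1:
    """ISAKMP policy: protects the IKE negotiation itself."""
    encryption: str        # des | 3des | aes | aes 192 | aes 256
    hash: str              # md5 | sha
    dh_group: int          # 1 | 2 | 5 | 14 (what a given IOS offers varies)
    lifetime: int = 86400  # seconds


@dataclass(frozen=True)
class Phase2:
    """IPsec transform set: protects the user traffic inside the tunnel."""
    esp_cipher: str        # esp-des | esp-3des | esp-aes | esp-aes 256
    esp_auth: str          # esp-md5-hmac | esp-sha-hmac
    mode: str = "tunnel"


@dataclass(frozen=True)
class Peer:
    name: str
    wan_ip: str
    lan: str               # network + wildcard mask, as the crypto ACL wants it
    p1: Phase1
    p2: Phase2


def mismatches(a: Peer, b: Peer) -> list:
    """Phase-1/phase-2 fields that differ between the peers.

    Every one of them must agree on both ends: a phase-1 mismatch means
    'show crypto isakmp sa' never reaches QM_IDLE, a phase-2 mismatch means
    'show crypto ipsec sa' never lists any SAs.
    """
    out = []
    for phase, x, y in (("phase1", a.p1, b.p1), ("phase2", a.p2, b.p2)):
        for field, xv in asdict(x).items():
            yv = getattr(y, field)
            if xv != yv:
                out.append(f"{phase}.{field}: {a.name}={xv} {b.name}={yv}")
    return out


def render(local: Peer, remote: Peer, psk: str, map_name: str = "hsbc-iras",
           acl: int = 101, wan_if: str = "FastEthernet0/1") -> str:
    """IOS crypto-map configuration for `local`, pointing at `remote`."""
    lines = [
        "! Phase 1: how the two routers authenticate and key the negotiation",
        "crypto isakmp policy 10",
        f" encryption {local.p1.encryption}",
        f" hash {local.p1.hash}",
        " authentication pre-share",
        f" group {local.p1.dh_group}",
        f" lifetime {local.p1.lifetime}",
        f"crypto isakmp key {psk} address {remote.wan_ip}",
        "! Phase 2: how the user traffic is protected",
        f"crypto ipsec transform-set TS {local.p2.esp_cipher} {local.p2.esp_auth}",
        f" mode {local.p2.mode}",
        "! Interesting traffic: only this LAN-to-LAN flow brings the tunnel up",
        f"access-list {acl} permit ip {local.lan} {remote.lan}",
        f"crypto map {map_name} 10 ipsec-isakmp",
        f" set peer {remote.wan_ip}",
        " set transform-set TS",
        f" match address {acl}",
        f"interface {wan_if}",
        f" crypto map {map_name}",
    ]
    return "\n".join(lines)


P1 = Phase1(encryption="aes 256", hash="sha", dh_group=14)
P2 = Phase2(esp_cipher="esp-aes 256", esp_auth="esp-sha-hmac")
R1 = Peer("R1", "20.20.20.20", "192.168.1.0 0.0.0.255", P1, P2)
R2 = Peer("R2", "20.20.20.21", "192.168.2.0 0.0.0.255", P1, P2)
# Two ways the far end can be subtly wrong (each stalls a different phase):
R2_BAD_DH = replace(R2, p1=replace(P1, dh_group=5))
R2_BAD_AUTH = replace(R2, p2=replace(P2, esp_auth="esp-md5-hmac"))

if __name__ == "__main__":
    print(render(R1, R2, psk="s3cret-psk"))
    print(render(R2, R1, psk="s3cret-psk"))
    print(mismatches(R1, R2_BAD_DH), mismatches(R1, R2_BAD_AUTH))
```

Running the file prints both routers' configurations; the two `render` calls only differ in which peer and which LAN is local. When a tunnel will not come up, `mismatches` on the two parameter sets is the first thing to check, before reaching for `debug crypto isakmp`.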

Great answer Jorge! :) I have rated your post.

And also, sorry about the name mismatch, as I overlooked it. :P -> causing a "duplex mismatch"... haha.

I will let you guys know if this testing is successful by posting back at this forum.

Thanks once again..

Cindy

Thanks for the rating much appreciated and welcome back.

Jorge

Appreciate the compliment but the only real difference between our postings is that I have been doing it longer :)

Jon

Guys,

I have done the testing, but would like to verify if the result is good.

I did a...

Router#sh crypto engine connections active

  ID Interface       IP-Address    State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/1 20.20.20.20   set    HMAC_MD5+3DES_56_C        0        0
5131 FastEthernet0/1 20.20.20.20   set    HMAC_MD5+3DES_56_C        0      151
5132 FastEthernet0/1 20.20.20.20   set    HMAC_MD5+3DES_56_C      151        0

Is this enough to show that the crypto is working?

Hi Cindy

The commands i normally use to check are

1) sh crypto isa sa - this shows you if phase 1 has completed successfully. It should say "QM_IDLE" under status

2) sh crypto ipsec sa - this shows you if the Phase 2 tunnels were set up successfully and will also show the number of encrypted and decrypted packets.

Jon

Jon,

Thanks,

Can I say that the result below is verified for IPsec encryption?

--------------------------------------------

Router#sh crypto isa sa
dst             src             state          conn-id    slot
20.20.20.21     20.20.20.20     QM_IDLE              1       0

Router#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: hsbc-iras, local addr. 20.20.20.20

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 20.20.20.21:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 204, #pkts encrypt: 204, #pkts digest 204
    #pkts decaps: 191, #pkts decrypt: 191, #pkts verify 191
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 20.20.20.20, remote crypto endpt.: 20.20.20.21
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 711DF592

     inbound esp sas:
      spi: 0x98B451FB(2561954299)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5133, flow_id: 13, crypto map: hsbc-iras
        sa timing: remaining key lifetime (k/sec): (4444514/2197)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x711DF592(1897788818)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5134, flow_id: 14, crypto map: hsbc-iras
        sa timing: remaining key lifetime (k/sec): (4444512/2193)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Cindy

Phase 1 looks good and phase 2 looks good as well.

The real test is whether you can pass traffic down the tunnel. From the phase 2 output it looks like you can.

Without wishing to sound patronising, that's a really good job you've done, because setting up VPNs can be a very time-consuming and finicky problem :)

Jon
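The checks Jon lists can be run mechanically against the two outputs Cindy posted. This is an added example, not code from the original thread or from Cisco: it parses the text of 'show crypto isakmp sa' and 'show crypto ipsec sa' (the embedded samples are copied from Cindy's post above, trimmed to the lines the checks use) and returns a pass/fail dictionary for phase 1 (a QM_IDLE entry), phase 2 (inbound and outbound ESP SAs present), traffic in both directions (encrypt and decrypt counters both non-zero and matching their encaps/decaps counters), replay protection, the send-error count, and the transforms that are weak by today's standards; the esp-3des and esp-md5-hmac negotiated here fall in that list. A single send error is usually the first packet dropped while the SA was still being negotiated; a send-error count that keeps climbing is the thing to worry about. Parsing is by regular expression on IOS text, so an IOS release that reformats these lines would need the patterns adjusted.

```python
"""Decide from 'show crypto isakmp sa' / 'show crypto ipsec sa' text whether
a crypto-map tunnel is up and actually carrying encrypted traffic.

Added example, not from the original thread. The two sample outputs are
copied from Cindy's post in the thread (trimmed); the rules are mine.
"""
import re

ISAKMP_SA = """
dst             src             state          conn-id    slot
20.20.20.21     20.20.20.20     QM_IDLE              1       0
"""

IPSEC_SA = """
interface: FastEthernet0/1
    Crypto map tag: hsbc-iras, local addr. 20.20.20.20
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 20.20.20.21:500
    #pkts encaps: 204, #pkts encrypt: 204, #pkts digest 204
    #pkts decaps: 191, #pkts decrypt: 191, #pkts verify 191
    #send errors 1, #recv errors 0
     current outbound spi: 711DF592
     inbound esp sas:
      spi: 0x98B451FB(2561954299)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x711DF592(1897788818)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
"""

# IOS still accepts these, but none of them should protect real traffic today.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def isakmp_states(text: str) -> dict:
    """Map (src, dst) -> phase-1 state. QM_IDLE means IKE phase 1 completed."""
    pat = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", re.M)
    return {(src, dst): state for dst, src, state in pat.findall(text)}


def _count(text: str, name: str) -> int:
    """Read a '#pkts encaps: 204' / '#send errors 1' style counter (0 if absent)."""
    m = re.search(rf"#{re.escape(name)}:? (\d+)", text)
    return int(m.group(1)) if m else 0


def _spis(text: str, direction: str) -> list:
    """SPIs listed under '<direction> esp sas:' up to '<direction> ah sas:'."""
    block = re.search(rf"{direction} esp sas:(.*?){direction} ah sas:", text, re.S)
    return re.findall(r"spi: 0x([0-9A-Fa-f]+)", block.group(1)) if block else []


def ipsec_summary(text: str) -> dict:
    replay = re.findall(r"replay detection support: (\w)", text)
    return {
        "encaps": _count(text, "pkts encaps"), "encrypt": _count(text, "pkts encrypt"),
        "decaps": _count(text, "pkts decaps"), "decrypt": _count(text, "pkts decrypt"),
        "send_errors": _count(text, "send errors"),
        "inbound_spis": _spis(text, "inbound"),
        "outbound_spis": _spis(text, "outbound"),
        "transforms": sorted(set(re.findall(r"transform: (\S+ \S+)", text))),
        "replay": bool(replay) and set(replay) == {"Y"},
    }


def verdict(isakmp_text: str, ipsec_text: str) -> dict:
    """The checks from the thread, as booleans plus the two things to eyeball."""
    p1 = isakmp_states(isakmp_text)
    s = ipsec_summary(ipsec_text)
    return {
        "phase1_up": "QM_IDLE" in p1.values(),
        "phase2_up": bool(s["inbound_spis"]) and bool(s["outbound_spis"]),
        # Both counters moving is the evidence that traffic really crosses
        # the tunnel encrypted, which is what the customer wants to see.
        "traffic_both_ways": s["encrypt"] > 0 and s["decrypt"] > 0,
        "counters_consistent": s["encaps"] == s["encrypt"] and s["decaps"] == s["decrypt"],
        "replay_protection": s["replay"],
        "send_errors": s["send_errors"],
        "weak_transforms": sorted(t for tr in s["transforms"]
                                  for t in tr.split() if t in WEAK_TRANSFORMS),
    }


if __name__ == "__main__":
    for key, value in verdict(ISAKMP_SA, IPSEC_SA).items():
        print(f"{key:20s} {value}")
```

Paste the two outputs from the router in place of the samples (or read them from a file) and the verdict reads the same way Jon's reply does: phase 1 and phase 2 up, traffic both ways, with the 3DES/MD5 transform set flagged as something to change once the customer is convinced the tunnel works.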
