CRYPTO ISAKMP POLICY - General Question

cisco_himg
Level 1

Below are the ISAKMP policies on my firewall. How come when I add a new policy it doesn't show up? I have a policy 51 that isn't showing up.

crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400


14 Replies

Ivan Martinon
Level 7

Make sure that policy 51 does not have the same settings as a policy you already have in the config; the firewall will not add one that has exactly the same settings as one already there.

OK, thanks.

Can I use those same policies for different tunnels? Because when I tried to use one it basically combined the information on the crypto, making it not functional. So if I wanted to use policy 52 again, how would I do it?

crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 52 hash md5
crypto isakmp policy 52 authentication pre-share
crypto isakmp policy 52 encryption aes-256
crypto isakmp policy 52 group 2
crypto isakmp policy 52 lifetime 86400
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
!
!
crypto map OUTSIDE_VPN_MAP 52 match address outside_cryptomap_52
crypto map OUTSIDE_VPN_MAP 52 set peer 123.123.123.123

crypto map OUTSIDE_VPN_MAP 52 set transform-set ESP-AES-256-MD5
crypto map OUTSIDE_VPN_MAP  interface outside
!

OK, so first we need to be clear that the ISAKMP policy is never bound to a tunnel the way the transform set is. By this I mean that the ISAKMP policy will be used for that specific tunnel if all the settings match.

Another thing to keep in mind is that the fact that your tunnel has an IPsec transform set with settings A and B does not mean that you need to have an ISAKMP policy with settings A and B; this can actually be C and D.

So if your tunnel has an ISAKMP policy that matches an existing one then it should work; if it does not fully match in:

encryption

hashing

authentication

and DH group

you need to create one that matches.

Awesome, it's starting to make sense....

So one more question: the number after my crypto map name, i.e. OUTSIDE_VPN_MAP 52, can that number 52 be anything? Let's say I make it 100, what would happen?

crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 52 hash md5
crypto isakmp policy 52 authentication pre-share
crypto isakmp policy 52 encryption aes-256
crypto isakmp policy 52 group 2
crypto isakmp policy 52 lifetime 86400
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
!
!
crypto map OUTSIDE_VPN_MAP 52 match address outside_cryptomap_52
crypto map OUTSIDE_VPN_MAP 52 set peer 206.248.217.105
crypto map OUTSIDE_VPN_MAP 52 set transform-set ESP-AES-256-MD5
crypto map OUTSIDE_VPN_MAP  interface outside
!

(Accepted solution)

The number after the crypto map statement is just the sequence number that identifies one crypto map entry from another; that is how you can have multiple tunnels bound to a single interface. This also does not bind the crypto map to the ISAKMP policy (actually nothing binds them).

So basically what would happen is that if you change the crypto map from 54 to 100 it will move down on the list of existing tunnels, and most likely you would just have duplicate entries on this.

That totally makes sense now. Thank you for your help!

Hello everybody,

I get a little confused by the IOS IPsec configuration commands. I stumbled on this thread after googling.

Ivan Martinon, can you please explain what you mean by this:

So if your tunnel has an ISAKMP policy that matches an existing one then it should work; if it does not fully match in:

encryption

hashing

authentication

and DH group

you need to create one that matches.

Precisely: how does a tunnel define all its parameters? The transform-set defines the encryption and hash methods only; how does it retrieve the authentication method and Diffie-Hellman group from among the many policies in the config?

Ivan Martinon
Level 7

First thing to keep in mind is that a VPN tunnel is built in 2 phases: phase 1, where you define the parameters to exchange the keys, with its own authentication, hashing and encryption; and phase 2, which defines the encryption and hashing for the traffic to be encrypted.

That said, ISAKMP policies define the phase 1 parameters such as encryption, hashing, authentication type, DH group to be used and so on:

isakmp policy 1
 encr 3des
 hash sha
 group 2
 authentication pre-share

And the transform set defines the cipher and algorithms used for hashing and encryption of the actual traffic that goes through the tunnel:

crypto ipsec transform-set VPN esp-3des esp-sha-hmac
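To make the phase 1 rule concrete (Ivan's earlier point that a policy is matched only on encryption, hash, authentication and DH group, and the phase 1 / phase 2 split just above), here is a small Python model of IKEv1 phase 1 policy selection. It is an added example written for this edit, not Cisco code and not anything posted in the thread. It models the duplicate-policy rejection Ivan describes, the first-match negotiation over the four attributes in priority order, and the lifetime rule as Cisco documents it (the peer's offered lifetime must not exceed the local one, and the shorter value is used). The transform set is not an input anywhere, which is the point: nothing in a crypto map selects an ISAKMP policy. The class and function names, the sample `peer` device and the weak-algorithm lists are assumptions of this example.

```python
"""Model of IKEv1 (ISAKMP) phase 1 policy selection (added example, not Cisco code).

A policy is chosen only by comparing encryption, hash, authentication and
DH group against the peer's policies in priority order; the crypto map and
transform set play no part.  Duplicate rejection follows the ASA behaviour
described in the thread; the lifetime rule (peer's lifetime <= local,
shorter value used) follows Cisco's documented IKE matching rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # "crypto isakmp policy <n>": lower is tried first
    encryption: str        # des, 3des, aes, aes-192, aes-256
    hash_alg: str          # md5, sha
    authentication: str    # pre-share, rsa-sig
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds; compared, not matched exactly

    def attrs(self) -> Tuple[str, str, str, int]:
        """The four attributes that must be identical on both peers."""
        return (self.encryption, self.hash_alg, self.authentication, self.group)


class IkeDevice:
    def __init__(self, name: str) -> None:
        self.name = name
        self.policies: Dict[int, IsakmpPolicy] = {}

    def add_policy(self, p: IsakmpPolicy) -> bool:
        """Add a policy unless one with identical settings already exists.

        Returns False for the rejected duplicate: a 'policy 51' with the
        settings of policy 50 never shows up in the running config.
        """
        for existing in self.policies.values():
            if existing.attrs() == p.attrs() and existing.lifetime == p.lifetime:
                return False
        self.policies[p.priority] = p
        return True

    def ordered(self) -> List[IsakmpPolicy]:
        """Policies in negotiation order (ascending priority number)."""
        return [self.policies[k] for k in sorted(self.policies)]


def negotiate_phase1(initiator: IkeDevice, responder: IkeDevice
                     ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Return (initiator_policy, responder_policy, agreed_lifetime) or None.

    The initiator offers every policy, highest priority first.  The responder
    walks its own list in priority order and accepts the first offer whose
    four attributes match and whose lifetime does not exceed its own.
    """
    for offer in initiator.ordered():
        for local in responder.ordered():
            if offer.attrs() == local.attrs() and offer.lifetime <= local.lifetime:
                return offer, local, min(offer.lifetime, local.lifetime)
    return None


# Settings a reviewer would flag today (assumption of this example).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {1, 2, 5}


def weak_attributes(p: IsakmpPolicy) -> List[str]:
    """List the settings of a policy that are considered weak."""
    flags = []
    if p.encryption in WEAK_ENCRYPTION:
        flags.append(f"encryption {p.encryption}")
    if p.hash_alg in WEAK_HASH:
        flags.append(f"hash {p.hash_alg}")
    if p.group in WEAK_GROUPS:
        flags.append(f"group {p.group}")
    return flags


def build_thread_firewall() -> IkeDevice:
    """The four policies from the original post."""
    fw = IkeDevice("asa")
    fw.add_policy(IsakmpPolicy(10, "aes-192", "sha", "pre-share", 2))
    fw.add_policy(IsakmpPolicy(20, "aes-256", "md5", "pre-share", 2))
    fw.add_policy(IsakmpPolicy(30, "3des", "sha", "pre-share", 2))
    fw.add_policy(IsakmpPolicy(50, "3des", "md5", "pre-share", 2))
    return fw


if __name__ == "__main__":
    fw = build_thread_firewall()
    # Policy 51 with exactly the settings of policy 50 is rejected.
    print("policy 51 added:", fw.add_policy(IsakmpPolicy(51, "3des", "md5", "pre-share", 2)))
    # A constructed peer offering aes-256/md5/pre-share/group 2 with a shorter
    # lifetime lands on policy 20, not on the first policy in the list.
    peer = IkeDevice("peer")
    peer.add_policy(IsakmpPolicy(1, "aes-256", "md5", "pre-share", 2, lifetime=28800))
    print("negotiated:", negotiate_phase1(peer, fw))
    for pol in fw.ordered():
        print(f"policy {pol.priority}: weak -> {weak_attributes(pol)}")
```

Run it as-is to see policy 51 rejected and the peer matched to policy 20 with a 28800 s lifetime. Every policy on the thread's firewall trips at least one weak-attribute flag (3DES, MD5, DH group 2), which is the caveat to carry away from an otherwise working configuration.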


mchemsi28
Level 1

Maybe I didn't express my question well.

Let's take this config of one router for a site-to-site IPsec VPN:

! define IKE phase 1 parameters; we have multiple policies
!
crypto isakmp policy 1
  encryption aes 128
  hash sha
  authentication pre-share
  group 2
crypto isakmp policy 2
  encryption aes 128
  hash sha
  authentication
  group 1
! (the authentication line of policy 2 has no method; IOS requires pre-share, rsa-sig or rsa-encr)
!
crypto isakmp key key100 address 11.11.11.2

! define IKE phase 2 parameters
!
crypto ipsec transform-set ts1 esp-aes 128 esp-sha-hmac

! define interesting traffic
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.18.1.0 0.0.0.255

! define crypto map
!
crypto map map1 10 ipsec-isakmp
  match address 100
  set peer 11.11.11.2
  set transform-set ts1

! apply crypto map to WAN interface
!
int s0/0
   crypto map map1

Here's the question: for new outgoing interesting traffic, how does the router choose the new tunnel's parameters?

For the encryption and hash, there is the transform-set statement. But for authentication and DH: how does it choose between policy 1 and 2?

I find it confusing that the crypto map doesn't explicitly "point" to one of the many policies present in a router in order to define its parameters.

OK, let's take this in steps....

You need two access lists: one to match the tunnel, and one for nonat...

ACCESS LISTS

access-list outside_cryptomap_55 remark Link to Radiology Inc Tunnel
(IT'S ALWAYS GOOD TO HAVE A REMARK TO IDENTIFY THE TUNNEL)
access-list outside_cryptomap_55 extended permit ip 172.18.20.0 255.255.255.0 host 10.10.55.16
(THIS IS IDENTIFYING INTERESTING TRAFFIC. ALSO, THIS ACCESS LIST IDENTIFIES AN ENTIRE NETWORK, 172.18.20.0, GOING TO ONLY ONE HOST, 10.10.55.16)

ACCESS LIST WITH NONAT (THIS WILL BYPASS THE NAT)

access-list nonat extended permit ip 172.18.20.0 255.255.255.0 10.10.55.16 255.255.255.255

Now for your phases of crypto.

First, your crypto isakmp policies...

crypto isakmp policy 1
  encryption aes 128
  hash sha
  authentication pre-share
  group 2
crypto isakmp policy 2
  encryption aes 128
  hash sha
  authentication
  group 1
! (the authentication line of policy 2 has no method; IOS requires pre-share, rsa-sig or rsa-encr)

Phase 1

For a router, you want your highest encryption policies first, such as the command encryption aes 256 or encryption aes 128, and for the hash you want SHA to be first. After your highest encryption policies, you start to trickle down to your lower policies for lower encryption (encryption 3DES 128, or encryption des).

Here is why: when you start to send traffic through the tunnel to bring up the tunnel, it is going to start PHASE 1 of the negotiation, which uses the policies above. If you have a ton of policies, your router will try to match up a policy that you already have configured with your remote router. Keep in mind that this phase has no relation to your phase 2; it is basically to get the process started. Once your policies match up with your remote policies, then the REAL commands follow, which is phase 2. Also keep in mind that once phase 1 is over, it is over; there is no more negotiation dealing with phase 1, basically the router forgets about it and moves on to phase 2. YOU HAVE TO MATCH ENCRYPTION ON BOTH ENDS FOR THE ROUTER TO START SENDING INTERESTING TRAFFIC (PHASE 2).

Phase 2

During this process you will name your tunnel and set up peer addresses and transform sets. NOTE: THIS IS WHERE TRANSFORM SETS HAVE TO MATCH UP WITH EXISTING TRANSFORM SETS YOU HAVE CONFIGURED.

crypto map map1 10 ipsec-isakmp
  match address outside_cryptomap_55 (this matches the access list above)
  set peer 11.11.11.2
  set transform-set ts1 (FOR THIS COMMAND, I LIKE TO NAME MY TRANSFORM SETS WHAT THEY ARE, TO MAKE IT EASIER TO IDENTIFY, AND NOT TS1)

SO LET'S RENAME IT.....

crypto map OUTSIDE_VPN_MAP 55 match address outside_cryptomap_55 (this matches the access list above; I used the number 55 to number my tunnel, and this number has no meaning to anything in the above commands, it is just what distinguishes the tunnels if you have more than one)
crypto map OUTSIDE_VPN_MAP 55 set peer 11.11.11.2
crypto map OUTSIDE_VPN_MAP 55 set transform-set ESP-AES-256-MD5 (THIS HAS TO MATCH THE OTHER END OF THE TUNNEL)

Now you have to apply it to an outside interface....

crypto map OUTSIDE_VPN_MAP interface outside

Once everything is set up, you need a couple more commands to make it complete...

tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 pre-shared-key **********

NOW, once all that is done, you need to go to your core router and add a route to route the traffic inside...

For instance: ip route 10.10.55.16 255.255.255.255 172.16.0.1 (this sends all traffic to the inside interface of your router coming from the remote host)

Make any more sense?

Check out the attached document; it will make sense there. It's all the commands you will need for an L2L IPsec tunnel...

Check out the attached jpeg; it's all the commands you will need to complete your tunnel.

Rate if helpful

Regards,

Dustin
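The steps above (interesting-traffic ACL, ISAKMP policies, crypto map entry, interface binding, tunnel-group) map directly onto a consistency check a practitioner would run before bringing a tunnel up. The following Python is an added example written for this edit, not ASA code and not anything posted in the thread. It parses ASA-style lines, verifies that every crypto map entry references an ACL, a transform set, a tunnel-group and an ISAKMP-enabled interface that actually exist, and resolves a flow to the first crypto map entry in sequence order whose ACL permits it, which is all the sequence number does. `SAMPLE_CONFIG` is constructed from the thread's own lines (entry 52 from the original post, whose peer 123.123.123.123 had no tunnel-group in what was posted, and Dustin's entry 55) plus a deliberately incomplete entry 100 with peer 198.51.100.7; the function names and that entry are assumptions.

```python
"""Cross-check an ASA site-to-site IPsec config (added example, not ASA code).

Parses ASA-style lines, checks that each crypto map entry references an
ACL, transform set, tunnel-group and ISAKMP-enabled interface that exist,
and resolves a flow to the first entry in sequence order whose ACL permits
it.  SAMPLE_CONFIG is constructed from the thread's lines plus a
deliberately incomplete entry 100; the function names are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from typing import List, Optional

SAMPLE_CONFIG = """\
crypto isakmp enable outside
access-list outside_cryptomap_55 extended permit ip 172.18.20.0 255.255.255.0 host 10.10.55.16
access-list outside_cryptomap_52 extended permit ip 172.18.20.0 255.255.255.0 10.10.52.0 255.255.255.0
access-list nonat extended permit ip 172.18.20.0 255.255.255.0 10.10.55.16 255.255.255.255
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map OUTSIDE_VPN_MAP 52 match address outside_cryptomap_52
crypto map OUTSIDE_VPN_MAP 52 set peer 123.123.123.123
crypto map OUTSIDE_VPN_MAP 52 set transform-set ESP-AES-256-MD5
crypto map OUTSIDE_VPN_MAP 55 match address outside_cryptomap_55
crypto map OUTSIDE_VPN_MAP 55 set peer 11.11.11.2
crypto map OUTSIDE_VPN_MAP 55 set transform-set ESP-AES-256-MD5
crypto map OUTSIDE_VPN_MAP 100 match address outside_cryptomap_100
crypto map OUTSIDE_VPN_MAP 100 set peer 198.51.100.7
crypto map OUTSIDE_VPN_MAP 100 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_VPN_MAP interface outside
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
"""

ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)$")


def _to_net(tok: str) -> ipaddress.IPv4Network:
    """Turn an ASA address token (host X, any, or addr mask) into a network."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.IPv4Network(tok.split()[1] + "/32")
    addr, mask = tok.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(text: str) -> dict:
    """Collect every object a crypto map entry can reference."""
    cfg = {"acls": defaultdict(list), "transform_sets": set(), "tunnel_groups": set(),
           "isakmp_ifaces": set(), "crypto_maps": defaultdict(dict), "map_ifaces": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        m = ACL_RE.match(line)
        if m:
            cfg["acls"][m.group(1)].append((_to_net(m.group(2)), _to_net(m.group(3))))
            continue
        p = line.split()
        if line.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"].add(p[3])
        elif line.startswith("tunnel-group ") and p[2] == "type":
            cfg["tunnel_groups"].add(p[1])
        elif line.startswith("crypto isakmp enable "):
            cfg["isakmp_ifaces"].add(p[3])
        elif line.startswith("crypto map ") and p[3] == "interface":
            cfg["map_ifaces"][p[2]] = p[4]           # map name -> interface
        elif line.startswith("crypto map "):
            entry = cfg["crypto_maps"][p[2]].setdefault(int(p[3]), {})
            if p[4] == "match":
                entry["acl"] = p[6]
            elif p[4] == "set":
                entry[p[5]] = p[6]                    # "peer" or "transform-set"
    return cfg


def lint(cfg: dict) -> List[str]:
    """Report dangling references; an empty list means the map is consistent."""
    problems = []
    for name, entries in cfg["crypto_maps"].items():
        iface = cfg["map_ifaces"].get(name)
        if iface is None:
            problems.append(f"{name}: not applied to any interface")
        elif iface not in cfg["isakmp_ifaces"]:
            problems.append(f"{name}: applied to {iface} but ISAKMP is not enabled there")
        for seq, e in sorted(entries.items()):
            if e.get("acl") not in cfg["acls"]:
                problems.append(f"{name} {seq}: match address {e.get('acl')} is not a defined ACL")
            if e.get("transform-set") not in cfg["transform_sets"]:
                problems.append(f"{name} {seq}: transform-set {e.get('transform-set')} is not defined")
            if e.get("peer") not in cfg["tunnel_groups"]:
                problems.append(f"{name} {seq}: no tunnel-group for peer {e.get('peer')}")
    return problems


def select_entry(cfg: dict, map_name: str, src: str, dst: str) -> Optional[int]:
    """Sequence number of the first entry (ascending) whose ACL permits src -> dst."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, e in sorted(cfg["crypto_maps"][map_name].items()):
        for src_net, dst_net in cfg["acls"].get(e.get("acl"), []):
            if s in src_net and d in dst_net:
                return seq
    return None


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    for problem in lint(cfg):
        print("PROBLEM:", problem)
    print("172.18.20.10 -> 10.10.55.16 uses entry",
          select_entry(cfg, "OUTSIDE_VPN_MAP", "172.18.20.10", "10.10.55.16"))
```

Running it flags entry 52 (no tunnel-group for its peer) and all three references of entry 100, while entry 55 passes; renumbering 55 to 100 would only change where it sits in the walk that `select_entry` performs. The nonat ACL is parsed but never referenced by the map, which is correct: it belongs to the NAT exemption, not to the crypto map.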

So the router behaves like this:

To choose a policy for a newly created tunnel, match the first policy that has the same encryption and hash methods as the tunnel's transform-set command (and of course the peer should have the same policy).

Thanks for your efforts, cisco_himg.
