VPN on IOS 12.3 1711 router - config help

Unanswered Question
Sep 7th, 2010

I have the following VPN setup on a 1711 router and am trying to understand it better. This is what I know so far. Phase 1 for the IPsec tunnels is esp-3des. Phase 2 is esp-sha-hmac. DH group is 2. The tunnels use pre-shared keys. The rules for the tunnels correspond to the access list associated with each tunnel.


What I am not sure of is how the crypto isakmp policies tie into the picture: is the key shown below the actual key or an encrypted version, on a 12.3 IOS how do I get the real key, and do the route-maps matter? I do not see the route-maps applied anywhere.

I am not concerned with the client/Easy VPN config part. Thank you.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpnhd1989 address a.b.c.d no-xauth
crypto isakmp key vpnhd1989 address a.b.c.e no-xauth
crypto isakmp key 242009hd address a.b.c.f no-xauth
crypto isakmp key vpnhd1989 address a.b.c.g no-xauth
crypto isakmp key vpnhd1989 address a.b.c.h no-xauth
!
crypto isakmp client configuration group remotevpn
 key ************
 pool SDM_POOL_1
 acl 108
!
!
crypto ipsec transform-set CT_VPN esp-3des esp-sha-hmac
crypto ipsec transform-set Easy_VPN_Server esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set Easy_VPN_Server
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to a.b.c.h CT
 set peer a.b.c.h
 set transform-set CT_VPN
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to a.b.c.e
 set peer a.b.c.e
 set transform-set CT_VPN
 match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to a.b.c.d
 set peer a.b.c.d
 set transform-set CT_VPN
 match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel to LS a.b.c.f
 set peer a.b.c.f
 set transform-set CT_VPN
 match address 112
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
route-map SDM_RMAP_4 permit 1
 match ip address 103 113
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
route-map SDM_RMAP_3 permit 1
 match ip address 105
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 any

Todd Pula Tue, 09/07/2010 - 14:42

During the phase 1 exchange, the initiator and responder will agree on the parameters to be used to secure the communications between the two peers. These parameters are defined in the ISAKMP policy. Both the initiator and responder will need to agree on a matching ISAKMP policy if the negotiations are going to proceed. The ISAKMP keys in your configuration are the actual keys vs. encrypted keys. As for the route-maps, they should be unrelated to the overall VPN configuration; however, I would need to see the entire config to understand what other services may be referencing them. These could include NAT and policy routing, to name a few.
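The policy agreement described in this reply, as an added example that is not part of the original thread: a small Python model of how the responder picks an ISAKMP policy, run against the three crypto isakmp policy blocks from the posted config with the IOS defaults filled in (hash sha, group 1 and a 86400-second lifetime where nothing is configured). The peer proposals are constructed, and the weak/legacy thresholds in the audit function are this example's choice, not something the thread states.

```python
"""Model of the IKEv1 phase 1 (ISAKMP policy) selection described above.

Added example, not code from the original post. ROUTER holds the three
policies from the posted config with Cisco IOS defaults filled in; the
PEER_* proposals are constructed to show a match, a failure and a match on
the weakest policy."""

IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig",
                "group": 1, "lifetime": 86400}
NEGOTIATED = ("encr", "hash", "auth", "group")   # must be identical on both sides


def policy(priority, **attrs):
    """One 'crypto isakmp policy <priority>' block; unset attributes take the defaults."""
    return {"priority": priority, **IOS_DEFAULTS, **attrs}


# crypto isakmp policy 1, 2 and 3 from the posted config
ROUTER = [
    policy(1, encr="3des", hash="md5", auth="pre-share", group=2),
    policy(2, encr="3des", auth="pre-share"),             # defaults: hash sha, group 1
    policy(3, encr="3des", auth="pre-share", group=2),
]


def select(responder, proposals):
    """The responder walks its own policies in priority order (lowest number first)
    and accepts the first one that any received proposal matches on encryption,
    hash, authentication and DH group. Lifetime is not part of the exact-match
    check in this model; the shorter of the two values is applied, which is what
    IOS documents for mismatched lifetimes. None means phase 1 fails."""
    for local in sorted(responder, key=lambda p: p["priority"]):
        for remote in proposals:
            if all(local[a] == remote[a] for a in NEGOTIATED):
                return {**local, "lifetime": min(local["lifetime"], remote["lifetime"])}
    return None


# Attributes a migration should not carry over; the thresholds are this example's choice.
WEAK = {"encr": {"des"}, "hash": {"md5"}, "group": {1}}
LEGACY = {"encr": {"3des"}, "group": {2}}


def audit(policies):
    """Return (priority, attribute, value, severity) for every weak or legacy setting."""
    findings = []
    for p in policies:
        for severity, table in (("weak", WEAK), ("legacy", LEGACY)):
            for attr, bad in table.items():
                if p[attr] in bad:
                    findings.append((p["priority"], attr, p[attr], severity))
    return findings


# Constructed peer proposals (what a firewall on the other end might send).
PEER_OK = [policy(10, encr="3des", hash="sha", auth="pre-share", group=2, lifetime=28800)]
PEER_MODERN = [policy(10, encr="aes-256", hash="sha", auth="pre-share", group=5)]
PEER_TWO = PEER_MODERN + [policy(20, encr="3des", hash="md5", auth="pre-share", group=2)]

if __name__ == "__main__":
    print(select(ROUTER, PEER_OK))       # policy 3: policy 1 fails on md5, policy 2 on group 1
    print(select(ROUTER, PEER_MODERN))   # None: no router policy offers AES or group 5
    print(select(ROUTER, PEER_TWO))      # policy 1: the MD5 policy is still accepted
    for finding in audit(ROUTER):
        print(finding)
```

Against the posted policies, a peer offering 3DES/SHA/pre-share/group 2 lands on policy 3 (policy 1 fails on MD5, policy 2 on group 1), a peer offering only AES-256 with group 5 fails phase 1 outright, and a peer that also offers MD5 is matched by policy 1, which is why a weak policy left in the list stays reachable even when stronger ones exist. The audit output is the list of settings to drop rather than copy when the config moves to a firewall.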

lkadlik Wed, 09/08/2010 - 10:17

I thought the transform set defined phase one and two. If not, how do you tell which policy a tunnel is using? I need to translate this so I can move it to a firewall.


Thank you.

Todd Pula Wed, 09/08/2010 - 10:52

During the phase 1 exchange, the initiator will send its configured ISAKMP policies to its peer. The peer will then compare the proposed policies to those that are locally configured and select the first match. During phase 2, a similar exchange is performed for the transform set attributes. You can use the "sh cry isa sa det" and "sh cry ipsec sa peer [ip address]" commands to review what attributes are being used for a given tunnel.
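The show commands above tell you what a live tunnel negotiated; the same question can be answered offline from the config. The following added example (not code from the original post) parses the static crypto map entries from a constructed excerpt of the posted configuration and resolves each one to its peer, transform set, crypto ACL networks and pre-shared key, then lists what a move to a firewall should look at first. The two keys are replaced by the placeholders <key-1> and <key-2>; peer addresses are the post's a.b.c.x placeholders and the rest is as posted.

```python
"""Cross-reference the static crypto-map tunnels of a Cisco IOS IPsec config
(peer -> transform set -> crypto ACL -> pre-shared key). Added example, not code
from the original post: CONFIG is a constructed excerpt of the posted config
with the two pre-shared keys replaced by the placeholders <key-1> and <key-2>."""
import ipaddress
import re
from collections import defaultdict

CONFIG = """\
crypto isakmp key <key-1> address a.b.c.d no-xauth
crypto isakmp key <key-1> address a.b.c.e no-xauth
crypto isakmp key <key-2> address a.b.c.f no-xauth
crypto isakmp key <key-1> address a.b.c.g no-xauth
crypto isakmp key <key-1> address a.b.c.h no-xauth
crypto ipsec transform-set CT_VPN esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer a.b.c.h
 set transform-set CT_VPN
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer a.b.c.e
 set transform-set CT_VPN
 match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
 set peer a.b.c.d
 set transform-set CT_VPN
 match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
 set peer a.b.c.f
 set transform-set CT_VPN
 match address 112
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
"""

MAP_ENTRY = re.compile(r"crypto map \S+ (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
SUBCMD = {("set", "peer"): "peer", ("set", "transform-set"): "transform_set",
          ("match", "address"): "acl"}


def _endpoint(tok, i):
    """Read 'any' or 'addr wildcard' plus an optional 'eq port' at tok[i]; return (cidr, port, next i)."""
    if tok[i] == "any":
        net, i = "0.0.0.0/0", i + 1
    else:  # IOS ACLs use wildcard (host) masks; ipaddress accepts them as the mask
        net, i = str(ipaddress.IPv4Network((tok[i], tok[i + 1]))), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = tok[i + 1], i + 2
    return net, port, i


def parse(config):
    keys, transforms, acls, entries, cur = {}, {}, defaultdict(list), [], None
    for line in config.splitlines():
        tok, m = line.split(), MAP_ENTRY.match(line.strip())
        if m:
            cur = {"seq": int(m.group(1)), "dynamic": m.group(2), "peer": None,
                   "transform_set": None, "acl": None}
            entries.append(cur)
        elif cur and tuple(tok[:2]) in SUBCMD:
            cur[SUBCMD[tuple(tok[:2])]] = tok[2]
        else:
            cur = None  # anything else ends the current crypto map entry
            if tok[:3] == ["crypto", "isakmp", "key"]:
                keys[tok[5]] = tok[3]  # peer address -> pre-shared key
            elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
                transforms[tok[3]] = tok[4:]
            elif tok[:1] == ["access-list"] and tok[2] == "permit":  # remarks are skipped
                src, sport, i = _endpoint(tok, 4)
                dst, dport, _ = _endpoint(tok, i)
                acls[tok[1]].append((tok[3], src, sport, dst, dport))
    return keys, transforms, acls, entries


def tunnels(config):
    """One record per static crypto-map entry with its objects resolved, plus the
    findings a reviewer wants before re-creating the tunnels on another device."""
    keys, transforms, acls, entries = parse(config)
    records, findings = [], []
    for e in entries:
        if e["dynamic"]:
            continue  # Easy VPN client entry, not a static site-to-site tunnel
        rules = acls[e["acl"]]
        records.append({"seq": e["seq"], "peer": e["peer"], "psk": keys.get(e["peer"]),
                        "transform": transforms.get(e["transform_set"]),
                        "proxy_ids": sorted({(r[1], r[3]) for r in rules})})
        if records[-1]["psk"] is None:
            findings.append(f"seq {e['seq']}: no crypto isakmp key for peer {e['peer']}")
    for addr in sorted(set(keys) - {r["peer"] for r in records}):
        findings.append(f"crypto isakmp key for {addr} is not used by any crypto map entry")
    by_key = defaultdict(list)
    for addr, k in keys.items():
        by_key[k].append(addr)
    findings += [f"key {k} is shared by {len(a)} peers: {', '.join(sorted(a))}"
                 for k, a in by_key.items() if len(a) > 1]
    return records, findings
```

Calling tunnels(CONFIG) gives four records, one per static crypto map sequence, each with the peer, the resolved transform set (esp-3des esp-sha-hmac for all four), the proxy identities as CIDR pairs and the key the peer authenticates with. The findings list shows what is worth fixing during the move rather than copying: a key defined for a.b.c.g that no crypto map entry uses, and one pre-shared key shared by four peers, so compromise of any one site exposes the others' tunnels.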
