09-07-2010 02:28 PM
I have the following VPN setup on a 1711 router and am trying to understand it better. This is what I know so far. Phase 1 for the ipsec tunnels is esp-3des. Phase 2 is esp-sha-hmac. DH group is 2. The tunnels use pre-share keys. The rules for the tunnels correspond to the access list associated with each tunnel.
What I am not sure of is how the crypto isakmp policies tie into the picture, is the key shown below the actual key or an encrypted version, on a 12.3 IOS how do I get the real key, and do the route-maps matter? I do not see the route maps applied anywhere.
I am not concerned with the client/easy vpn config part. Thank you.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key vpnhd1989 address a.b.c.d no-xauth
crypto isakmp key vpnhd1989 address a.b.c.e no-xauth
crypto isakmp key 242009hd address a.b.c.f no-xauth
crypto isakmp key vpnhd1989 address a.b.c.g no-xauth
crypto isakmp key vpnhd1989 address a.b.c.h no-xauth
!
crypto isakmp client configuration group remotevpn
key ************
pool SDM_POOL_1
acl 108
!
!
crypto ipsec transform-set CT_VPN esp-3des esp-sha-hmac
crypto ipsec transform-set Easy_VPN_Server esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set Easy_VPN_Server
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to a.b.c.h CT
set peer a.b.c.h
set transform-set CT_VPN
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to a.b.c.e
set peer a.b.c.e
set transform-set CT_VPN
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to a.b.c.d
set peer a.b.c.d
set transform-set CT_VPN
match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel to LS a.b.c.f
set peer a.b.c.f
set transform-set CT_VPN
match address 112
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
route-map SDM_RMAP_4 permit 1
match ip address 103 113
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!
route-map SDM_RMAP_3 permit 1
match ip address 105
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 any
09-07-2010 02:42 PM
During the phase 1 exchange, the initiator and responder will agree on the parameters to be used to secure the communications between the two peers. These parameters are defined in the ISAKMP policy. Both the initiator and responder will need to agree on a matching ISAKMP policy if the negotiations are going to proceed. The ISAKMP keys in your configuration are the actual keys vs. encrypted keys. As for the route-maps, they should be unrelated to the overall VPN configuration, however, I would need to see the entire config to understand what other services may be referencing them. These could include NAT and policy routing to name a few.
09-08-2010 10:17 AM
I thought the Transform set defined phase one and two. If not, how do you tell which policy a tunnel is using? I need to translate this so I can move it to a firewall.
Thank you.
09-08-2010 10:52 AM
During the phase 1 exchange, the initiator will send its configured ISAKMP policies to its peer. The peer will then compare the proposed policies to those that are locally configured and select the first match. During phase 2, a similar exchange is performed for the transform set attributes. You can use the "sh cry isa sa det" and "sh cry ipsec sa peer [ip address]" commands to review what attributes are being used for a given tunnel.
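Added example (not posted by anyone in this thread): a small Python script that does what the two replies describe, for someone who needs to move the tunnels to a firewall. It parses an IOS crypto config into one summary row per static crypto map entry (peer, phase 2 transform set, crypto ACL), applies the IOS defaults a policy inherits when a line is omitted (policy 2 in the thread has no "hash" or "group" line), and simulates the phase 1 selection, where the responder walks its ISAKMP policies in priority order and takes the first one an initiator proposal matches. The embedded config is a constructed excerpt modelled on the one above; the peer addresses are placeholders, and the pre-shared key lines are left out because phase 1 policy matching does not depend on them.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the thread's config (peer addresses are placeholders).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
!
crypto ipsec transform-set CT_VPN esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to a.b.c.h CT
 set peer a.b.c.h
 set transform-set CT_VPN
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer a.b.c.e
 set transform-set CT_VPN
 match address 107
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 eq domain 192.168.2.0 0.0.0.255 eq domain
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

# IOS defaults that apply when an ISAKMP policy omits the line
# (so policy 2 above negotiates hash sha and DH group 1, not group 2).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
POLICY_ATTRS = ("encr", "hash", "authentication", "group")


def parse_config(text):
    """Return (isakmp_policies, transform_sets, crypto_map_entries, access_lists)."""
    policies, transforms, entries, acls = OrderedDict(), {}, OrderedDict(), {}
    kind, block = None, None  # the block that child lines currently belong to
    for raw in text.splitlines():
        line = raw.strip()  # keyword-based, so it also works on un-indented pastes
        if not line or line == "!":
            kind, block = None, None
            continue
        words = line.split()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            block = policies[int(m.group(1))] = dict(ISAKMP_DEFAULTS)
            kind = "policy"
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transforms[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            block = entries[(m.group(1), int(m.group(2)))] = {
                "peer": None, "transform_set": None, "acl": None, "description": ""}
            kind = "cmap"
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2) + " " + m.group(3))
        elif line.startswith("crypto ") or line.startswith("access-list "):
            kind, block = None, None  # some other top-level statement ends the block
        elif kind == "policy" and words[0] in POLICY_ATTRS:
            block[words[0]] = words[1]
        elif kind == "cmap":
            if line.startswith("set peer "):
                block["peer"] = words[2]
            elif line.startswith("set transform-set "):
                block["transform_set"] = words[2]
            elif line.startswith("match address "):
                block["acl"] = words[2]
            elif line.startswith("description "):
                block["description"] = line[len("description "):]
    return policies, transforms, entries, acls


def summarize_tunnels(policies, transforms, entries, acls):
    """One row per static crypto map entry: what is needed to recreate it elsewhere."""
    rows = []
    for (cmap, seq), e in entries.items():
        rows.append({
            "crypto_map": cmap, "seq": seq, "peer": e["peer"],
            "description": e["description"],
            "phase2": transforms.get(e["transform_set"], []),
            "interesting_traffic": acls.get(e["acl"], []),
            # Phase 1 is negotiated per peer from the global policy list, not per entry.
            "phase1_candidates": [(p, dict(v)) for p, v in policies.items()],
        })
    return rows


def select_isakmp_policy(responder_policies, initiator_proposals):
    """Phase 1 selection: walk the responder's policies in priority order (lowest
    number first) and return the first one an initiator proposal matches on all
    four attributes. None means no match, i.e. phase 1 fails."""
    for prio in sorted(responder_policies):
        pol = responder_policies[prio]
        for prop in initiator_proposals:
            if all(pol[a] == prop.get(a, ISAKMP_DEFAULTS[a]) for a in POLICY_ATTRS):
                return prio
    return None


if __name__ == "__main__":
    pol, ts, ent, acl = parse_config(SAMPLE_CONFIG)
    for row in summarize_tunnels(pol, ts, ent, acl):
        print(f"{row['crypto_map']} seq {row['seq']} -> peer {row['peer']}: "
              f"phase 2 {' '.join(row['phase2'])}; ACL {row['interesting_traffic']}")
    # A peer proposing 3des/sha/pre-share/group 2 matches neither policy 1 (md5)
    # nor policy 2 (defaults to group 1), so phase 1 would fail for it.
    print(select_isakmp_policy(pol, [{"encr": "3des", "hash": "sha",
                                      "authentication": "pre-share", "group": "2"}]))
```

The simulation is the practical point: a peer that proposes 3DES/SHA/pre-share/group 2 does not match policy 1 (MD5) and does not match policy 2 either, because policy 2 silently falls back to group 1. Checking the defaults this way before migrating is cheaper than finding out from a failed tunnel, and "sh cry isa sa det" on the running router confirms which policy each live peer actually landed on.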