Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Implementing IPSec High Availability On IOS with Cisco expert Afaq Khan. Afaq is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems Inc. He specializes in VPN involving VPN3000, IOS, PIX FW and third party products. Feel free to post any questions relating to Implementing IPSec High Availability On IOS. Remember to use the rating system to let Afaq know if you've received an adequate response.
Afaq might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 31. Visit this forum often to view responses to your questions and the questions of other community members.
Customer installed a new CA server for VPN client authentication (IPSec). This stopped his PDM accessibility (SSL).
Does he need to "ca zeroize" and then install certificates again?
How does SSL authentication function compared to IPSec?
Thanks for the question.
I think you're running into CSCdw95531. Basically it's an issue with the MS Enterprise CA cert, not really an issue with the PIX FW. Explanation follows:
The MS CA server can be configured in two modes actually,
- MS Enterprise CA server (using Active Directory) ---> I think that's your configuration
- standalone CA server (for Internet use)
The MS CA server has two different "policy modules", and which one is used depends on the configuration when installing the CA.
Obviously the Enterprise policy module issues certificates which can't be used by an Internet web server. The intended purpose of this certificate is not for "Internet use". However, that's the functionality which is needed for the PIX to act as an HTTP/SSL web server when the PDM is to be downloaded to a client. IE on the client obviously checks this and doesn't download the PDM, while the Netscape browser on the client doesn't check and downloads the PDM anyway.
If the certificate is issued by the "standalone CA server", the intended purpose of the certificate is "all" and, hence, the PIX can act as a web server. It is no problem to download the PDM with IE 5.5 or 6.0 in this case. The Netscape browser works for both MS CA server "modes".
Since the type of certificate the MS Enterprise CA server issues is the cause of the problem when downloading the PDM using IE, the problem is related to Microsoft. The only solution I'm aware of is to write one's own policy module for the MS CA server, which will issue the type of certificate needed, compile it and bind it to the CA server.
Alternatively you can leave everything as is and use Netscape to download the PDM, since this is obviously working, or use the "standalone CA server" to issue certificates. In this case IE works as well as Netscape.
Can I connect an Easy VPN client to a 6500 Service Module?
I am going to connect different types of users. Can I configure the 6500 Service Module to decrypt the packet and assign it to a different VLAN?
Where can I find an example of this?
Thanks very much.
12.2(14)SY and later versions of the VPN SM software do allow you to configure it as an EZVPN server.
Thank you very much for posting the question.
IPSec Stateful Failover (VPN High Availability) is a feature that enables a router to continue processing and forwarding packets after a planned or unplanned outage. Customers employ a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to the user, and the time that it takes for the standby router to take over depends on the following factors:
- IKE keepalive timers and intervals
- time to re-establish new VPN tunnels
IPSec Stateful Failover is designed to work in conjunction with Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from first hop failures in network edge devices or access circuits. A network administrator enables HSRP, assigns a virtual IP address, and enables IPSec Stateful Failover (VPN High Availability). After enabling both HSRP and IPSec Stateful Failover, the network administrator uses the show ssp, show crypto ipsec, and show crypto isakmp commands to verify that all processes are running properly.
The information that the active router transmits to the standby router includes:
- IKE cookies stamp
- Cisco Service Assurance Agent (SA Agent) attributes
- Sequence number counter and window state
- Kilobyte (KB) lifetime expirations
- Dead-peer detection (DPD) sequence number updates
In contrast, IPSec stateless failover does *not* maintain the above parameters, and when failover takes place the IPSec tunnel is re-established (torn down with the old HSRP active router and established with the new HSRP active router) between the IPSec peers.
For further reading, you can refer to:
Hope that helps.
I wanted to know how to calculate the amount of load on the CPU and the bandwidth consumption when IPSEC is applied on an interface. What are the recommended limits, and the encryption bits?
Thanks for posting the question.
Conceptually, if you have a crypto HW card in your router, the CPU should not be used for encryption/decryption overhead (you can verify this with the show proc cpu command by looking at the different processes). In the absence of a crypto HW card, you can measure the CPU utilization caused by IPSec by looking at the following processes:
IKMP, Encrypt etc.
You can sum up the % of CPU under these processes to get an approximate value of how much CPU is being utilized by IPSec.
For BW, you can send some fixed amount of data across the IPSec endpoints in clear text, and then the same amount with IPSec encryption, and compare both to find out the IPSec overhead and encrypted throughput.
168-bit of encryption (3DES) is what I'd recommend for most of the scenarios.
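The answer above suggests summing the percentages of the IKE/IPSec-related processes in the `show proc cpu` output. The following is an added example (not code from the page or from Cisco) that parses that table and sums the CPU columns for processes whose names match a few patterns; the sample output, the process names (`Crypto IKMP`, `Encrypt Proc`, `Crypto Engine`) and the percentages are all constructed for the example, not captured from a real router, and the patterns are an assumption to be adjusted to the process names seen on a given IOS release.

```python
"""Estimate the CPU share attributable to IPSec from `show processes cpu` output.

Added example, not code from the page or from Cisco IOS. It parses the process
table that `show processes cpu` prints and sums the 5-second, 1-minute and
5-minute columns of the processes whose names match IPSec/IKE-related patterns.
The sample output below is constructed; process names and numbers are illustrative.
"""
import re

# Constructed sample of `show processes cpu` output (not a real capture).
SAMPLE_SHOW_PROC_CPU = """\
CPU utilization for five seconds: 41%/9%; one minute: 38%; five minutes: 35%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4       182         21  0.00%  0.00%  0.00%   0 Chunk Manager
   2        1820     28341         64  0.08%  0.10%  0.09%   0 Load Meter
  27       90812    403221        225  2.15%  2.02%  1.98%   0 IP Input
  75      612340   1203411        508 14.32% 13.90% 13.41%   0 Crypto IKMP
  76      881204   2203900        399 18.07% 17.55% 16.92%   0 Encrypt Proc
  77       52109    300122        173  1.04%  0.98%  0.95%   0 Crypto Engine
"""

# Process-name patterns treated as IPSec-related (assumption; the answer names IKMP and Encrypt).
IPSEC_PROCESS_PATTERNS = (r"IKMP", r"Encrypt", r"Crypto")

# One table row: PID, three integer counters, three percentage columns, TTY, process name.
_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<s5>[\d.]+)%\s+(?P<m1>[\d.]+)%\s+(?P<m5>[\d.]+)%\s+\S+\s+(?P<name>.+?)\s*$"
)
# Header line: total utilisation and the part spent at interrupt level.
_HEADER = re.compile(r"CPU utilization for five seconds:\s*(?P<total>\d+)%/(?P<intr>\d+)%")


def parse_header(text):
    """Return (total_5sec, interrupt_5sec) from the first line, or None if absent."""
    m = _HEADER.search(text)
    return (float(m["total"]), float(m["intr"])) if m else None


def parse_proc_cpu(text):
    """Return a list of (pid, name, 5sec, 1min, 5min) tuples for every table row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((int(m["pid"]), m["name"],
                         float(m["s5"]), float(m["m1"]), float(m["m5"])))
    return rows


def ipsec_cpu_share(text, patterns=IPSEC_PROCESS_PATTERNS):
    """Sum the CPU columns of every process whose name matches one of the patterns.

    Returns a dict with the summed percentages, the matched process names and the
    router-wide 5-second total from the header so the two can be compared.
    """
    totals = {"5sec": 0.0, "1min": 0.0, "5min": 0.0, "processes": []}
    for _pid, name, s5, m1, m5 in parse_proc_cpu(text):
        if any(re.search(p, name) for p in patterns):
            totals["5sec"] += s5
            totals["1min"] += m1
            totals["5min"] += m5
            totals["processes"].append(name)
    for key in ("5sec", "1min", "5min"):
        totals[key] = round(totals[key], 2)
    header = parse_header(text)
    totals["total_5sec"] = header[0] if header else None
    return totals


if __name__ == "__main__":
    share = ipsec_cpu_share(SAMPLE_SHOW_PROC_CPU)
    print(f"IPSec-related processes: {share['processes']}")
    print(f"approx. IPSec CPU share: {share['5sec']}% of {share['total_5sec']}% total (5 sec)")
```

The sum is only an approximation, as the answer says: process-level percentages exclude time spent at interrupt level (the second number in the header's `41%/9%`), and on a router with a hardware crypto card the same processes should show close to zero because the card does the encryption work.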
My first question is about ACL processing and IPSec.
It is well known that inbound ACLs are processed twice (for outer and for inner ip headers). (There is a Bug ID CSCdz54626 describing this issue.) So, for Site-to-Site traffic to pass we need to allow remote network (say, 10.1.1.0) in inbound ACL. Also, we're using dynamic crypto maps for VPN 3.x clients. IP-addresses are assigned to them from the pool 10.2.2.0/24. And both static and dynamic crypto maps are applied to the same outside interface.
The question is: is it possible for an attacker to spoof the source IP (to 10.2.2.x) and send us clear-text packets? Will the packets be allowed to pass? Or does the IOS check the "acl" statement in the "crypto isakmp client configuration" and drop the packet because the packet is "not an IPSec packet"?
In general, what do you recommend here and will the Bug be fixed (should it be fixed at all?)?
Thanks for the question.
That's the way our behaviour is today. It really is a debatable topic, so I'd say the development folks are still looking into it, and the bug is being worked on.
1. Encrypted or data packet is received on the interface. Check the packet against the interface ACL.
   - if deny, drop packet.
   - if permit, go to 2.
2. If the packet is not encrypted, check it against the reverse crypto ACL.
   - if permit, drop packet (it should have been encrypted).
   - if deny, route packet.
   If the packet is encrypted, go to 3.
3. Check the decrypted packet against the crypto-map access ACL.
   - if deny, drop packet.
   - if permit, route packet.
From the above it's evident that spoofing won't be possible.
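To make the three-step order above concrete, here is an added example (not code from the page or from Cisco IOS) that models it as a small packet classifier and runs the spoofing scenario from the question through it: a clear-text packet carrying a source address from the client pool, a genuinely decrypted one, and ordinary clear-text traffic. The model assumes the crypto ACL is written from the outbound (local to remote) perspective and is applied mirrored to inbound traffic in steps 2 and 3, it applies the interface ACL to the inner header only, and every address, ACL entry and packet in it is constructed for the example.

```python
"""Model of the inbound checks on an interface carrying a crypto map (added example).

Not code from the page or from Cisco IOS; it implements only the three steps the
answer above lists: (1) interface ACL, (2) clear-text packets checked against the
reversed crypto ACL and dropped if they should have arrived encrypted, (3) decrypted
packets checked against the crypto ACL. Assumptions: the crypto ACL is written
local -> remote and is mirrored for inbound traffic; the interface ACL is applied
to the inner header only. Topology, ACLs and packets are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    encrypted: bool  # True if the packet arrived inside ESP/AH and was decrypted


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form


def acl_lookup(acl, src, dst):
    """First-match ACL semantics with the implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action
    return "deny"


def mirror(acl):
    """Swap source and destination of every entry: the 'reverse' crypto ACL."""
    return [Rule(r.action, r.dst, r.src) for r in acl]


def process_inbound(pkt, interface_acl, crypto_acl):
    """Return (verdict, reason) following the three steps of the answer."""
    # Step 1: the interface ACL is applied to the packet as received.
    if acl_lookup(interface_acl, pkt.src, pkt.dst) == "deny":
        return "drop", "step 1: denied by interface ACL"
    if not pkt.encrypted:
        # Step 2: a clear-text packet that matches the mirrored crypto ACL should
        # have arrived encrypted, so it is dropped; anything else is routed.
        if acl_lookup(mirror(crypto_acl), pkt.src, pkt.dst) == "permit":
            return "drop", "step 2: clear-text packet matches crypto ACL, should have been encrypted"
        return "route", "step 2: clear-text packet outside crypto ACL"
    # Step 3: the decrypted packet must match the (mirrored) crypto ACL.
    if acl_lookup(mirror(crypto_acl), pkt.src, pkt.dst) == "permit":
        return "route", "step 3: decrypted packet matches crypto ACL"
    return "drop", "step 3: decrypted packet outside crypto ACL"


# Constructed topology: local LAN, remote site 10.1.1.0/24 and client pool 10.2.2.0/24
# (the two prefixes named in the question), plus a public server reachable in clear text.
LOCAL_LAN, REMOTE_SITE, CLIENT_POOL = "192.168.1.0/24", "10.1.1.0/24", "10.2.2.0/24"
PUBLIC_SERVER = "203.0.113.10/32"  # constructed address

INTERFACE_ACL = [
    Rule("permit", REMOTE_SITE, LOCAL_LAN),  # inner header of site-to-site traffic
    Rule("permit", CLIENT_POOL, LOCAL_LAN),  # inner header of VPN client traffic
    Rule("permit", "0.0.0.0/0", PUBLIC_SERVER),
]
CRYPTO_ACL = [  # outbound perspective: local -> remote
    Rule("permit", LOCAL_LAN, REMOTE_SITE),
    Rule("permit", LOCAL_LAN, CLIENT_POOL),
]


def demo():
    """Run the scenario from the question and return {case: (verdict, reason)}."""
    cases = {
        "spoofed clear-text packet from client pool": Packet("10.2.2.7", "192.168.1.10", False),
        "legitimate decrypted client packet": Packet("10.2.2.7", "192.168.1.10", True),
        "clear-text packet to public server": Packet("198.51.100.4", "203.0.113.10", False),
        "decrypted packet from unexpected source": Packet("198.51.100.4", "192.168.1.10", True),
    }
    return {name: process_inbound(p, INTERFACE_ACL, CRYPTO_ACL) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:44s} -> {verdict:5s} ({reason})")
```

The spoofed packet passes step 1 (the interface ACL has to permit the pool because the ACL is evaluated on the inner header too) but is dropped at step 2, which is the point the answer makes; the same addresses arriving encrypted are routed at step 3.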
Thank you for the reply. But I'd like to clarify one point. Dynamic crypto maps (when used for Remote-access VPNs) usually don't have a crypto ACL applied. Instead, the crypto ACL is applied to the group in the "crypto isakmp client configuration group ..." command.
The question is: will this crypto ACL be checked in step 2?
My second question is about IPSec HA extensions (stateless). Suppose we have redundant central site with two IPSec routers. Each router has serial interface to the Internet via different ISP and ethernet LAN interface. HSRP is configured on the LAN interfaces. Remote sites have two "set peer" commands for connection redundancy. DPD is used to detect tunnel failure.
The most common reason for tunnel disconnection is an ISP failure. Obviously with the help of DPD the tunnel will be re-established to the second IPSec peer. The problem I see is with the HSRP switchover. I'd like to make the active HSRP router resign its active status in case of IPSec tunnel failure. Note that IPSec is set up on the serial interface and HSRP is on the LAN interface. GRE is not used. The serial interface is always up.
The question is: is it possible to HSRP-track an IPSec tunnel? Will it ever be implemented? If not, what do you recommend? In general, what redundancy scheme is the best for the situation just described?
Thanks again for an excellent Q.
The behaviour you seem to be looking for, i.e. tying an IPSec crypto map to HSRP, is what we call stateless IPSec HA; it's supported since 12.1.9E.
Router (config-if)# crypto map map-name redundancy [standby-name]
I'd suggest that you take a look here to better understand the IPSec HA configuration:
Hope that helps.
Thanks for this answer and the links.
The problem with "stateless IPSec HA" is that it requires IPSec and HSRP to be configured on the SAME interface. This is usually not possible. So, tracking of tunnels is clearly needed. I heard about a new technology, "HSRP object tracking". Will this technology help? When will it be implemented?
My 3rd question is simple: Does the IOS support split DNS? If not, will it be implemented.
It's not supported on IOS yet, but it is going to be supported tentatively around 12.3(4)T.
So it's on its way, stay tuned.
I see very strange problem with crypto ACLs in IOS 12.3(3). The ACL looks like "permit tcp local-lan remote-lan". This is ok, but the router doesn't consider TCP traffic "interesting" and doesn't initiate IKE exchange. Packets are sent in clear. Everything works great with "permit icmp ..." - ping initiates the tunnel. "clear cry sa, clear cry isa" doesn't help. The router is 3725 with IOS FW feature set, NAT, auth-proxy, etc... The configuration is very complex.
Do you know the BugID or is this a new Bug?
Actually you need to take a look at the hits (show access-list acl##). If it's not getting matched you need to work backwards to find out the source of the problem; there could be an interface ACL blocking non-ICMP traffic inbound to it.
Anyway, the complete config would help.
The next question is about "group lock" feature (as implemented by VPN 3000 concentrators).
My security policy requires that different groups of users have different access privileges within the corporate net (they are using software VPN client).
Each group receives IP addresses from the separate pool, so ACLs can be used to control access. Pre-shared keys are used for simplicity.
The problem is the following. A user can obviously change the group name on the VPN client Properties page. Changing the password is also not a problem (they can ask for the password from people in the other group). In this case they will get an IP address from the other pool and break my security scheme!
The question is: can I lock the user in the group on IOS router? For example, how can I enforce the policy "the user USER1 must always IKE-authenticate with IKE-identity FRISCO and pre-shared key CISCO"? I know VPN3000 can do this.
Also, could you explain the "group-lock" 12.2(13)T command. It seems this command doesn't do the trick.
Group Lock feature on IOS should help you in this regard, its conceptually the same thing:
Is it possible for a site-to-site VPN either using Pix or IOS to recognize a dead peer and fail over the VPN tunnel to some other IP address?
Different types of fail-over scenarios are possible, depending on the ipsec endpoints.
Within Cisco IOS devices, you can use Cisco IOS to do stateful and stateless failover, as they all support IKE keepalives (DPDs) helping them failover quickly and reliably.
Are there any constraints in implementing IPSec High Availability on IOS relative to the use of IPSec/GRE tunnels between 7206 head-end routers and 2600/3600 routers at the edge?
IPSec HA is supported on all the above platforms. If you're using IPSec/GRE tunnels on top of it, your failover would be rather seamless.
In researching the implementation of IPSec/GRE tunnels using the paper on IPSec Stateful Failover (VPN High Availability) which you reference in your answer(s) in this forum, page 2 states a restriction that "GRE must not be configured with IPSec Stateful Failover (VPN High Availability)."
Could you clear up any confusion on our part concerning the feasibility of implementing IPSec/GRE tunnels to an HSRP address? We are currently running IOS version 12.2(15)T5 on two identical 7206 routers. Will this IOS version support this functionality?
I want to create a VPN for my company. I do not want to hire any consultants. At the moment I am using a Cisco 2650 router and a Cisco PIX 501. I am having a connectivity problem. I also have a SonicWall Pro firewall. I want to replace the SonicWall and PIX 501 with a VPN server and create a site-to-site VPN. How do I proceed?
Well, I'd suggest that you stick to your PIX 501 as the IPSec endpoint (rather than a server or a PC); it would cause more issues if anything. What type of connectivity issues are you running into? Are these because of the ISP, your internet access in general, or VPN traffic? Once you find that out, you can take proper measures to correct it, or you can mention your issue specifically and we can try and address it here.
I get the error message "peer server not available" on the client side. It takes 5 or 6 attempts to connect. It is very frustrating.
We are facing a problem copying the IOS through xmodem. After sending the file through HyperTerminal it starts the translation, but after some minutes it says "Remote system no Response".
If we are copying IOS using CLI mode in the following method
Switch : copy xmodem: flash: < file name.bin>
after entering the command the system says
Xmodem translation 1K starting...
but after some time it says "I/O error."
Kindly suggest the solution