Cisco Support Community

TAC Security Podcast Episode #26 - Troubleshooting IPSec VPNs

 

Episode Information

 

Episode Name: Episode 26 - Troubleshooting IPSec VPNs

Contributors: David White Jr., Blayne Dreier, Jay Johnston, Magnus Mortensen, Wen Zhang, Jay Young Taylor

Posting Date: March 6, 2012

Description: Special guests Wen Zhang and Jay Young Taylor discuss troubleshooting methodologies for diagnosing and fixing problems with IPSec VPNs.

 


Listen Now (MP3 30.8 MB; 42:42 mins)


About the Cisco TAC Security Podcast

 

The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.

 

Complete episode listing and show information

 

 

Show Notes

 

Useful commands:

 

Show commands

 

show crypto isakmp sa

show crypto ipsec sa peer x.x.x.x

show run | section crypto (on IOS)

show run crypto map (on ASA)

show logging

 

Debug Commands

 

debug crypto condition peer ipv4 x.x.x.x

debug crypto isakmp (on IOS)

debug crypto isakmp 128 (on ASA)

debug crypto ipsec (on IOS)

debug crypto ipsec 128 (on ASA)

 

Test Commands

 

packet-tracer input inside icmp z.z.z.z 8 0 y.y.y.y detail

ping inside y.y.y.y

ping tcp y.y.y.y

 

Use IPSec NULL Encryption

 

crypto ipsec transform-set NULLENC esp-null esp-md5-hmac

 

Packet marking/coloring techniques:

 

Marking

 

1. MQC (Modular QoS CLI)

 

 

class-map match-all my_flow
 match access-group 150
!
policy-map marking
 class my_flow
  set ip precedence 4
!
interface Ethernet1/0
 service-policy input marking

 

 

2. PBR (Policy Based Routing)

 

interface Ethernet1/0
 ip policy route-map mark
!
access-list 150 permit ip host 172.16.1.2 host 172.16.254.2
!
route-map mark permit 10
 match ip address 150
 set ip precedence flash-override

 

3. Using router generated pings

 

Router#ping ip
Target IP address: 172.16.254.2
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 128
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
<snip>

 

 

Monitoring

 

1. Packet capture (SPAN/RSPAN/ERSPAN, ASA packet capture, IOS Embedded Packet Capture)

 

2. IP Precedence accounting

 

interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip accounting precedence input
!
Router#show interface precedence
Ethernet0/0
  Input
    Precedence 4:  100 packets, 17400 bytes

3. Use ACL counters

 

Router#sh access-list 144
Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override (100 matches)
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
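As an added example (not part of the show notes or the podcast), the following Python ties the marking and monitoring steps together and automates the counter check: the ToS byte 128 typed into the extended ping carries IP precedence 4, the same value that `set ip precedence 4` and `flash-override` apply, so after 100 marked probes the flash-override ACE should show exactly 100 matches. The `show access-list` text below is a constructed sample modelled on the output above.

```python
import re

# IP precedence values (upper 3 bits of the ToS byte) and their IOS keyword names.
PRECEDENCE_NAMES = {
    0: "routine", 1: "priority", 2: "immediate", 3: "flash",
    4: "flash-override", 5: "critical", 6: "internet", 7: "network",
}

def precedence_from_tos(tos: int) -> str:
    """Map a ToS byte (e.g. the 128 entered in the extended ping) to its precedence
    keyword. Precedence is the upper three bits, so 128 (0x80) -> 4 -> flash-override."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS byte must be 0-255")
    return PRECEDENCE_NAMES[tos >> 5]

# Constructed sample of 'show access-list' output, modelled on the show notes.
SAMPLE_ACL_OUTPUT = """Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override (100 matches)
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
"""

# One ACE per line; the '(N matches)' suffix is only printed once the ACE has been hit.
_ACE_RE = re.compile(
    r"^\s*\d+\s+permit ip any any precedence (?P<prec>[\w-]+)"
    r"(?:\s+\((?P<count>\d+) match(?:es)?\))?\s*$"
)

def parse_precedence_counters(output: str) -> dict:
    """Return {precedence keyword: match count} for every ACE in the output.
    ACEs without a '(N matches)' suffix have not been hit and count as 0."""
    counters = {}
    for line in output.splitlines():
        m = _ACE_RE.match(line)
        if m:
            counters[m.group("prec")] = int(m.group("count") or 0)
    return counters

def marked_packets_seen(output: str, tos: int, expected: int) -> bool:
    """True when the ACE for the precedence carried by `tos` matched exactly `expected`
    packets, i.e. every marked probe reached the monitoring point through the tunnel."""
    return parse_precedence_counters(output).get(precedence_from_tos(tos), 0) == expected
```

A shortfall in the count (or hits on an unexpected precedence) narrows the search to the hop between the marking router and the ACL before any crypto debugs are turned on.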

 

Topologies Referenced in the Show

Useful Documents

 

Troubleshooting guide and common scenarios

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Comments
New Member

Hi Jay

I think there is a problem with the attached audio-file.

It stops in the middle of a sentence at 29:01. Same problem with the iTunes file.

Hopefully the rest of the podcast doesn't get lost!

Kind regards and please go on with the great show!

Gernot

Cisco Employee

Gernot,

Thanks for letting me know; I've contacted the folks that should be able to fix this, and hopefully it will get resolved ASAP. I'll let you know when it is resolved.

Thanks,

Jay

Hello Gernot,

This issue should now be resolved. Please give the download another try and let us know if you continue to experience any trouble.

Thanks,

Blayne

New Member

Great job, guys. I have been doing IPSec for years but also learned something new today.

Thanks for sharing your knowledge with us. It would be awesome if you talked about troubleshooting NAT, Web and AnyConnect VPNs, firewall port issues and things like that in future episodes.

New Member

Thanks to all.

I have to try out that thing with marking the packets; it sounds really cool for troubleshooting.

Best wishes

Gernot

New Member

Ditto, this show rocked!

New Member

Question about the packet-tracer command: what should I enter for the source port? The destination port is easy, but how will I know which source port the source IP would use?

Regards,

N3t

Cisco Employee

N3t,

We usually just use a random high-numbered port (similar to how any normal network stack would). Why not 12345?

Cisco Employee

Pretend to be a standard TCP or UDP client; set the port to something in the ephemeral range of 1024-65535 and it should work fine.

New Member

That's what I've been doing. Just want to make sure.

By the way, your podcast rocks. Though I only tuned in a couple of weeks ago, I'm listening to your podcasts to and from work. I'm new to IT and security, but I'm learning a lot already. Expect a lot of questions from me.

Hoping for more episodes, if possible one per week. That would be great!

Cisco Employee

Thanks for the feedback! We're about to release an episode on tips and tricks for parsing through syslogs generated by devices. Expect more in the future.

New Member

Looking forward to it, man... I'm also concentrating on IPS right now since I'll have to organize our IPS here in our company.

Your episode on troubleshooting IPSec really helped me a lot in troubleshooting IPSec with our client peers.

Great job guys!
