Simplified Networking
  • Home
  • Technology VoD!
    • Cisco >
      • Route & Switch / Enterprise Infrastructure
  • Technology Breakdowns!
    • Route&Switch/Ent. Infra. >
      • L2 Technologies
      • L3 Technologies
      • VPN Technologies
      • Services >
        • IOS - Dynamic NAT
        • HSRP - IPv4 Setup
        • HSRP - Priority and Preemption
    • Service Provider >
      • IGPs (Interior Gateway Protocols)
      • First Hop Redundancy >
        • HSRP (Hot Standby Router Protocol) >
          • HSRP - IOS/IOS XE Setup
          • HSRP - IOS XR Setup
      • BGP (Border Gateway Protocol)
      • Inter AS Multicast (MSDP)
      • Intra-AS MPLS
      • Inter-AS MPLS
    • Security >
      • IOS Firewall
      • ASA Firewall
      • FirePOWER Threat Defense >
        • FTD - FTD NGFW Device Setup and FMC Integration
      • VPNs >
        • PKI
        • Site to Site VPNs
        • Remote Access VPNs >
          • IOS Remote Access
          • ASA Remote Access
    • Data Center >
      • Nexus 9000v >
        • Nexus 9000v - Enabling Features
        • Nexus 9000v - VLANs and Trunks
        • Nexus 9000v - LACP Port Channels
        • Nexus 9000v - vPC (Virtual Port Channel)
        • Nexus 9000v - OSPFv2
        • Nexus 9000v - VXLAN - Ingress Replication Flood and Learn
        • Nexus 9000v - IP Multicast
        • Nexus 9000v - VxLAN - Multicast Flood and Learn
        • Nexus 9000v - VxLAN - BGP EVPN with Multicast
        • Nexus 9000v - VxLAN - BGP EVPN w/Ingress Replication
        • Nexus 9000v - VxLAN - Inter-VxLAN Routing with BGP EVPN
        • Nexus 9000v - VXLAN - External Routing
      • Nexus 7000v
    • Palo Alto

FlexVPN - Crypto Map with Symmetric PSK w/ no Keyring

This lab is an IKEv2 site-to-site setup using a classic crypto map, with no IKEv2 keyring: the pre-shared key is configured directly under the IKEv2 profile with "authentication local pre-share key" and "authentication remote pre-share key", and the same key is used in both directions (a symmetric PSK). The IKEv2 and IPsec parameters are deliberately set to older, less CPU intensive algorithms: the IKEv2 proposal uses 3DES encryption, SHA1 integrity and DH group 5 (1536-bit MODP), and the IPsec transform set is esp-3des with no ESP integrity algorithm, so the ESP traffic is encrypted but not authenticated and no anti-replay check is possible (the show crypto ipsec sa output further down reports "replay detection support: N" and "PFS (Y/N): N"). Treat this as a lab baseline only: 3DES has a 64-bit block, SHA1 and DH group 5 are deprecated, encryption-only ESP is discouraged because unauthenticated ciphertext can be manipulated by an active attacker, and the PSK "cisco" is a placeholder rather than a real secret. Future labs will add ESP integrity, PFS and stronger algorithms.


CSR1
crypto ikev2 proposal IKEV2_PROPOSAL 
 encryption 3des
 integrity sha1
 group 5
crypto ikev2 policy IKEV2_POLICY 
 proposal IKEV2_PROPOSAL
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 108.0.0.8 255.255.255.255 
 authentication local pre-share key cisco
 authentication remote pre-share key cisco
!
crypto ipsec transform-set IKEV2_TSET esp-3des 
 mode tunnel
!
ip access-list extended IKEV2_VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map IKEV2 10 ipsec-isakmp 
 set peer 108.0.0.8
 set transform-set IKEV2_TSET 
 set ikev2-profile IKEV2_PROFILE
 match address IKEV2_VPN



CSR8
crypto ikev2 proposal IKEV2_PROPOSAL 
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 policy IKEV2_POLICY 
 proposal IKEV2_PROPOSAL
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 101.0.0.10 255.255.255.255 
 authentication remote pre-share key cisco
 authentication local pre-share key cisco
!
crypto ipsec transform-set IKEV2_TSET esp-3des 
 mode tunnel
!
ip access-list extended IKEV2_VPN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map IKEV2 10 ipsec-isakmp 
 set peer 101.0.0.10
 set transform-set IKEV2_TSET 
 set ikev2-profile IKEV2_PROFILE
 match address IKEV2_VPN


With the configuration in place, we'll do a test. We'll enable IKEv2 and IPsec debugs on CSR1 (debug crypto ikev2 and debug crypto ipsec; both kinds of messages appear in the output below) and ping from SW1 to SW2. Expect the first echo to time out: that packet matches the crypto map ACL and triggers the IKE_SA_INIT and IKE_AUTH exchanges, and nothing can be encrypted until the IPsec SAs exist.

SW1#ping 10.2.8.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.8.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/22/31 ms

IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 101.0.0.10:500, remote= 108.0.0.8:500,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0,
    protocol= ESP, transform= esp-3des  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   3DES   SHA1   SHA96   DH_GROUP_1536_MODP/Group 5 

IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 362E7405F2C70660 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 

IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 362E7405F2C70660 - Responder SPI : FC15AB42FC99D83C Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 101.0.0.10, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '101.0.0.10' of type 'IPv4 address'
IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 2
   3DES   Don't use ESN
IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 362E7405F2C70660 - Responder SPI : FC15AB42FC99D83C Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 ENCR 
 

IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 362E7405F2C70660 - Responder SPI : FC15AB42FC99D83C Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '108.0.0.8' of type 'IPv4 address'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 108.0.0.8
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 108.0.0.8, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_AUTH message
IKEv2:IPSec policy validate request sent for profile IKEV2_PROFILE with psh index 1.

IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 101.0.0.10:0, remote= 108.0.0.8:0,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0,
    protocol= ESP, transform= esp-3des  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
        src addr     : 10.1.0.0
        dst addr     : 10.2.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
(ipsec_process_proposal)Map Accepted: IKEV2, 10
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (108.0.0.8, 101.0.0.10) is UP
IKEv2:IKEv2 MIB tunnel started, tunnel index 1
IKEv2:(SESSION ID = 1,SA ID = 1):Load IPSEC key material
IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 10.1.0.0
        dst addr     : 10.2.0.0
        protocol     : 256
        src port     : 0
        dst port     : 0
IPSEC:(SESSION ID = 1) (crypto_ipsec_create_ipsec_sas) Map found IKEV2, 10
IPSEC:(SESSION ID = 1) (crypto_ipsec_sa_find_ident_head) reconnecting with the same proxies and peer 108.0.0.8
IPSEC:(SESSION ID = 1) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7F75B7312118
IPSEC:(SESSION ID = 1) (create_sa) sa created,
  (sa) sa_dest= 101.0.0.10, sa_proto= 50, 
    sa_spi= 0xC3CA60DA(3284820186), 
    sa_trans= esp-3des , sa_conn_id= 2008
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0
IPSEC:(SESSION ID = 1) (create_sa) sa created,
  (sa) sa_dest= 108.0.0.8, sa_proto= 50, 
    sa_spi= 0x3D651D72(1030036850), 
    sa_trans= esp-3des , sa_conn_id= 2007
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found




CSR1#show crypto ikev2 sa detailed 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         101.0.0.10/500        108.0.0.8/500         none/none            READY  
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/331 sec
      CE id: 1008, Session-id: 8
      Status Description: Negotiation done
      Local spi: 362E7405F2C70660       Remote spi: FC15AB42FC99D83C
      Local id: 101.0.0.10
      Remote id: 108.0.0.8
      Local req msg id:  2              Remote req msg id:  0         
      Local next msg id: 2              Remote next msg id: 0         
      Local req queued:  2              Remote req queued:  0         
      Local window:      5              Remote window:      5         
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes




CSR1#show crypto ipsec sa 

interface: GigabitEthernet1
    Crypto map tag: IKEV2, local addr 101.0.0.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 108.0.0.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 101.0.0.10, remote crypto endpt.: 108.0.0.8
     plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x3D651D72(1030036850)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xC3CA60DA(3284820186)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3247)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3D651D72(1030036850)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3247)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:





CSR8#show crypto ikev2 sa detailed 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         108.0.0.8/500         101.0.0.10/500        none/none            READY  
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/405 sec
      CE id: 1008, Session-id: 8
      Status Description: Negotiation done
      Local spi: FC15AB42FC99D83C       Remote spi: 362E7405F2C70660
      Local id: 108.0.0.8
      Remote id: 101.0.0.10
      Local req msg id:  0              Remote req msg id:  2         
      Local next msg id: 0              Remote next msg id: 2         
      Local req queued:  0              Remote req queued:  2         
      Local window:      5              Remote window:      5         
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : No




CSR8# show crypto ipsec sa 

interface: GigabitEthernet1
    Crypto map tag: IKEV2, local addr 108.0.0.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   current_peer 101.0.0.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 108.0.0.8, remote crypto endpt.: 101.0.0.10
     plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xC3CA60DA(3284820186)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3D651D72(1030036850)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3176)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC3CA60DA(3284820186)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3176)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:
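The show output above confirms the weak baseline this lab set out to build: 3DES, SHA1/SHA96, DH group 5, an ESP SA with no integrity algorithm, replay detection N and PFS N. As an added example that is not part of the original lab, here is the same no-keyring, symmetric-PSK crypto map design on CSR1 with the algorithms hardened; CSR8 gets the mirror-image change (peer 101.0.0.10 and the reversed ACL). The new object names IKEV2_PROPOSAL_AES and IKEV2_TSET_AES are my own choice, picked so the old proposal can be removed from the policy cleanly instead of lingering as a second negotiable option, and LONG-RANDOM-PSK is a placeholder to be replaced with a generated secret.

```cisco
! Added example: hardened variant of the lab configuration on CSR1 (not from the original page).
! Apply the mirror-image change on CSR8 (peer 101.0.0.10) at the same time, otherwise the two
! peers no longer share a common proposal and IKE_SA_INIT fails.
!
! IKEv2 SA: AES-256-CBC encryption, HMAC-SHA256 integrity, ECDH group 19 (256-bit ECP)
crypto ikev2 proposal IKEV2_PROPOSAL_AES
 encryption aes-cbc-256
 integrity sha256
 group 19
!
! A policy can carry several proposals, so the old one is removed explicitly;
! otherwise 3DES/SHA1/group 5 would still be accepted if the peer offered it
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROPOSAL_AES
 no proposal IKEV2_PROPOSAL
!
! Dead peer detection, probing every 10 s with 3 s retries (the lab output shows DPD at 0)
crypto ikev2 dpd 10 3 periodic
!
! Same no-keyring, symmetric PSK design as the lab, but with a real secret.
! LONG-RANDOM-PSK is a placeholder: use a generated key of 32+ characters, never a dictionary word
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 108.0.0.8 255.255.255.255
 authentication local pre-share key LONG-RANDOM-PSK
 authentication remote pre-share key LONG-RANDOM-PSK
!
! IPsec SA: AES-256 with HMAC-SHA256, so ESP packets are integrity-protected and
! the anti-replay window can actually be enforced (it needs an authenticated ESP)
crypto ipsec transform-set IKEV2_TSET_AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended IKEV2_VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! set transform-set replaces the previous list; set pfs forces a fresh DH exchange on every
! IPsec rekey so a later compromise of the IKE SA keys does not expose old ESP traffic
crypto map IKEV2 10 ipsec-isakmp
 set peer 108.0.0.8
 set transform-set IKEV2_TSET_AES
 set pfs group19
 set ikev2-profile IKEV2_PROFILE
 match address IKEV2_VPN
```

After both sides are changed, clear the existing IKEv2 SA (clear crypto ikev2 sa) so the tunnel renegotiates, then repeat the ping and the two show commands used above: the Encr, Hash and DH Grp fields of show crypto ikev2 sa detailed should now reflect AES-256, SHA256 and group 19, and show crypto ipsec sa should report an esp-aes 256 esp-sha256-hmac transform with PFS (Y/N): Y. If the IKE_SA_INIT debug instead shows NO_PROPOSAL_CHOSEN, one side still has the old proposal or transform set active.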