Simplified Networking

FlexVPN - Crypto Map with Symmetric PSK w/ Key Ring

This example is a slight variation of the symmetric PSK setup, which used no keyring. This time we define a keyring and reference it from the IKEv2 profile; everything else remains the same. Does using a keyring or not make a difference? I say no; this is just testing out the different variations.



CSR1
crypto ikev2 proposal IKEV2_PROPOSAL 
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 policy IKEV2_POLICY 
 proposal IKEV2_PROPOSAL
!
crypto ikev2 keyring IKEV2_KEYRING
 peer CSR8
  address 108.0.0.8
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 108.0.0.8 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_KEYRING
!
crypto ipsec transform-set IKEV2_TSET esp-3des 
 mode tunnel
!
ip access-list extended IKEV2_VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map IKEV2 10 ipsec-isakmp 
 set peer 108.0.0.8
 set transform-set IKEV2_TSET 
 set ikev2-profile IKEV2_PROFILE
 match address IKEV2_VPN
!
interface GigabitEthernet1
 crypto map IKEV2




CSR8
crypto ikev2 proposal IKEV2_PROPOSAL 
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 policy IKEV2_POLICY 
 proposal IKEV2_PROPOSAL
!

! peer block named for the router it describes (CSR1 at 101.0.0.10); the captured config reused the name CSR8
crypto ikev2 keyring IKEV2_KEYRING
 peer CSR1
  address 101.0.0.10
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 101.0.0.10 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEYRING
!
crypto ipsec transform-set IKEV2_TSET esp-3des 
 mode tunnel
!
ip access-list extended IKEV2_VPN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! 'match address' was missing from the captured crypto map; without it the map has no traffic selector
crypto map IKEV2 10 ipsec-isakmp 
 set peer 101.0.0.10
 set transform-set IKEV2_TSET 
 set ikev2-profile IKEV2_PROFILE
 match address IKEV2_VPN
!
interface GigabitEthernet1
 crypto map IKEV2
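The two configurations above are the kind of thing worth auditing mechanically before a change window. The keyring variation only works when the profile's match identity, the keyring peer address and the crypto map's set peer all line up; a crypto map with no match address never selects traffic (the CSR8 map as captured lacks that line); and the lab choices of 3DES, SHA1, DH group 5, a five-character PSK, an ESP transform with no integrity algorithm and no PFS are all things a production review should flag. The following Python script is an added example written for this page, not the author's or Cisco's code. It parses trimmed, constructed copies of the two configs above, and the MIN_PSK_LEN floor and the WEAK algorithm table are assumptions standing in for a local policy.

```python
"""Added example (not the page's or Cisco's code): audit IOS IKEv2 crypto-map configs for
the cross-references the keyring variation depends on, for a crypto map with no traffic
selector, and for weak algorithm and pre-shared-key choices."""

# Constructed sample: the page's CSR1 config, trimmed to the lines the audit looks at.
CSR1 = """\
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 keyring IKEV2_KEYRING
 peer CSR8
  address 108.0.0.8
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 108.0.0.8 255.255.255.255
 keyring local IKEV2_KEYRING
!
crypto ipsec transform-set IKEV2_TSET esp-3des
!
crypto map IKEV2 10 ipsec-isakmp
 set peer 108.0.0.8
 set transform-set IKEV2_TSET
 set ikev2-profile IKEV2_PROFILE
 match address IKEV2_VPN
"""
# Constructed: CSR8 mirrors CSR1 with the peer address flipped but, as on the page,
# its crypto map carries no 'match address' line.
CSR8 = CSR1.replace("108.0.0.8", "101.0.0.10").replace(" match address IKEV2_VPN\n", "")

WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "group": {"1", "2", "5"}}
MIN_PSK_LEN = 16  # assumption: a local policy floor for plaintext pre-shared keys


def parse(text):
    """Config text -> nested (line, children) tree; nesting follows leading spaces."""
    root, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # '!' lines are comments/separators
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        node = (line, [])
        (stack[-1][1] if stack else root).append(node)
        stack.append((depth, node[1]))
    return root

def blocks(tree, prefix):
    """Top-level blocks whose header starts with prefix -> {header: children}."""
    return {line: kids for line, kids in tree if line.startswith(prefix)}

def keyring_peers(tree):
    """{peer address: (local_psk, remote_psk)} for the 'pre-shared-key local|remote' form."""
    peers = {}
    for kids in blocks(tree, "crypto ikev2 keyring").values():
        for _name, attrs in kids:
            kv = {" ".join(l.split()[:-1]): l.split()[-1] for l, _ in attrs}
            peers[kv["address"]] = (kv.get("pre-shared-key local"), kv.get("pre-shared-key remote"))
    return peers

def audit(config):
    """Return a list of findings (strings) for one router's config."""
    tree, findings = parse(config), []
    for header, kids in blocks(tree, "crypto ikev2 proposal").items():
        for line, _ in kids:
            kw, _, val = line.partition(" ")
            if kw in WEAK and WEAK[kw] & set(val.split()):
                findings.append(f"{header}: weak {kw} '{val}'")
    for header in blocks(tree, "crypto ipsec transform-set"):
        transforms = header.split()[4:]  # tokens after the set name
        if {"esp-des", "esp-3des"} & set(transforms):
            findings.append(f"{header}: weak ESP cipher")
        if not any("hmac" in t or "gcm" in t for t in transforms):
            findings.append(f"{header}: ESP with no integrity transform")
    peers = keyring_peers(tree)
    for addr, keys in peers.items():
        for which, psk in zip(("local", "remote"), keys):
            if psk and len(psk) < MIN_PSK_LEN:
                findings.append(f"keyring peer {addr}: {which} PSK is only {len(psk)} chars")
    for header, kids in blocks(tree, "crypto ikev2 profile").items():
        for line, _ in kids:
            if line.startswith("match identity remote address ") and line.split()[4] not in peers:
                findings.append(f"{header}: no keyring peer for {line.split()[4]}")
    for header, kids in blocks(tree, "crypto map").items():
        lines = [l for l, _ in kids]
        if not any(l.startswith("match address ") for l in lines):
            findings.append(f"{header}: no 'match address', so the map has no traffic selector")
        if not any(l.startswith("set pfs") for l in lines):
            findings.append(f"{header}: PFS not enabled")
    return findings

def psk_symmetric(config_a, config_b):
    """True when A's local key is B's remote key and vice versa (one peer per side)."""
    (la, ra), = keyring_peers(parse(config_a)).values()
    (lb, rb), = keyring_peers(parse(config_b)).values()
    return la == rb and ra == lb
```

On these samples audit(CSR1) returns eight findings (the three weak IKEv2 proposal settings, the 3DES ESP cipher, the missing ESP integrity transform, the two short PSKs and the absent PFS) and audit(CSR8) returns nine, the extra one being the crypto map with no traffic selector; psk_symmetric(CSR1, CSR8) confirms that each side's local key is the other side's remote key, which is the property the symmetric-PSK variation relies on.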



SW1#ping 10.2.8.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.8.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 11/29/50 ms



CSR1 debug output
IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 101.0.0.10:500, remote= 108.0.0.8:500,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0,
    protocol= ESP, transform= esp-3des  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IKEv2:% Getting preshared key from profile keyring IKEV2_KEYRING
IKEv2:% Matched peer block 'CSR8'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   3DES   SHA1   SHA96   DH_GROUP_1536_MODP/Group 5 

IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 

IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : C61095C4FE1F8B69 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 101.0.0.10, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '101.0.0.10' of type 'IPv4 address'
IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 2
   3DES   Don't use ESN
IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : C61095C4FE1F8B69 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 ENCR 
 

IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0] 
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : C61095C4FE1F8B69 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '108.0.0.8' of type 'IPv4 address'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 108.0.0.8
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 108.0.0.8, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_AUTH message
IKEv2:IPSec policy validate request sent for profile IKEV2_PROFILE with psh index 1.

IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 101.0.0.10:0, remote= 108.0.0.8:0,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0,
    protocol= ESP, transform= esp-3des  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
        src addr     : 10.1.0.0
        dst addr     : 10.2.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
(ipsec_process_proposal)Map Accepted: IKEV2, 10
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (108.0.0.8, 101.0.0.10) is UP
IKEv2:IKEv2 MIB tunnel started, tunnel index 1
IKEv2:(SESSION ID = 1,SA ID = 1):Load IPSEC key material
IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 10.1.0.0
        dst addr     : 10.2.0.0
        protocol     : 256
        src port     : 0
        dst port     : 0
IPSEC:(SESSION ID = 1) (crypto_ipsec_create_ipsec_sas) Map found IKEV2, 10
IPSEC:(SESSION ID = 1) (crypto_ipsec_sa_find_ident_head) reconnecting with the same proxies and peer 108.0.0.8
IPSEC:(SESSION ID = 1) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7F75B7312118
IPSEC:(SESSION ID = 1) (create_sa) sa created,
  (sa) sa_dest= 101.0.0.10, sa_proto= 50, 
    sa_spi= 0x11761E4D(292953677), 
    sa_trans= esp-3des , sa_conn_id= 2012
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0
IPSEC:(SESSION ID = 1) (create_sa) sa created,
  (sa) sa_dest= 108.0.0.8, sa_proto= 50, 
    sa_spi= 0xFD4A1755(4249491285), 
    sa_trans= esp-3des , sa_conn_id= 2011
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
    local_proxy= 10.1.0.0/255.255.0.0/256/0,
    remote_proxy= 10.2.0.0/255.255.0.0/256/0
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found




CSR1#show crypto ikev2 sa 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         101.0.0.10/500        108.0.0.8/500         none/none            READY  
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/333 sec

 IPv6 Crypto IKEv2  SA 




CSR1#show crypto ipsec sa 

interface: GigabitEthernet1
    Crypto map tag: IKEV2, local addr 101.0.0.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 108.0.0.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 101.0.0.10, remote crypto endpt.: 108.0.0.8
     plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xFD4A1755(4249491285)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x11761E4D(292953677)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: CSR:12, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3262)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFD4A1755(4249491285)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: CSR:11, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3262)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)




CSR8#show crypto ikev2 sa 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         108.0.0.8/500         101.0.0.10/500        none/none            READY  
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/504 sec

 IPv6 Crypto IKEv2  SA 




CSR8#show crypto ipsec sa

interface: GigabitEthernet1
    Crypto map tag: IKEV2, local addr 108.0.0.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   current_peer 101.0.0.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 108.0.0.8, remote crypto endpt.: 101.0.0.10
     plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x11761E4D(292953677)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFD4A1755(4249491285)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: CSR:11, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3088)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x11761E4D(292953677)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: CSR:12, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
        sa timing: remaining key lifetime (k/sec): (4607999/3088)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:
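Reading the two routers' show output side by side is how you confirm the tunnel is not just up but consistent: CSR1's outbound SPI must be CSR8's inbound SPI and vice versa, both IKEv2 SAs must be READY with the same negotiated parameters, every ESP SA must be ACTIVE, and the "replay detection support: N" lines are worth surfacing rather than scrolling past. The script below is an added example for this page, not the author's or Cisco's code; it works on trimmed, constructed copies of the show output above (CSR8's derived by mirroring CSR1's), and the check_pair function and its problem strings are my own.

```python
"""Added example (not the page's or Cisco's code): cross-check both peers' 'show crypto
ikev2 sa' and 'show crypto ipsec sa' output so a tunnel that is up is also shown to be
consistent (mirrored endpoints and SPIs, identical negotiated IKE parameters) and its
weak spots (anti-replay off) are reported rather than overlooked."""
import re

# Constructed samples: the page's CSR1 output, trimmed to the lines parsed here.
CSR1_IKEV2 = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         101.0.0.10/500        108.0.0.8/500         none/none            READY
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""
CSR1_IPSEC = """\
     current outbound spi: 0xFD4A1755(4249491285)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x11761E4D(292953677)
        transform: esp-3des ,
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     outbound esp sas:
      spi: 0xFD4A1755(4249491285)
        transform: esp-3des ,
        replay detection support: N
        Status: ACTIVE(ACTIVE)
"""

def swap(text, a, b):
    """Exchange two substrings (used to derive CSR8's mirrored output from CSR1's)."""
    return text.replace(a, "\0").replace(b, a).replace("\0", b)

# Constructed: CSR8's view is CSR1's with endpoints and SPIs mirrored, as on the page.
CSR8_IKEV2 = swap(CSR1_IKEV2, "101.0.0.10/500", "108.0.0.8/500")
CSR8_IPSEC = swap(CSR1_IPSEC, "0xFD4A1755(4249491285)", "0x11761E4D(292953677)")

IKE_ROW = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s*$", re.M)
IKE_PARAM = re.compile(r"(Encr|PRF|Hash|DH Grp|Auth sign|Auth verify):\s*(\w+)")
ESP_BLOCK = re.compile(r"(inbound|outbound) esp sas:\n(.*?)(?=\n\s*\n|\Z)", re.S)

def parse_ikev2_sa(text):
    """Tunnel endpoints, status and negotiated parameters from 'show crypto ikev2 sa'."""
    local, remote, status = IKE_ROW.search(text).groups()
    sa = {"local": local, "remote": remote, "status": status}
    sa.update(IKE_PARAM.findall(text))
    return sa

def parse_ipsec_sa(text):
    """PFS flag plus, per direction, the ESP SA's SPI, transform, anti-replay and status."""
    sa = {"pfs": re.search(r"PFS \(Y/N\): (\w)", text).group(1)}
    for direction, body in ESP_BLOCK.findall(text):  # ah/pcp sections are skipped
        sa[direction] = {
            "spi": re.search(r"spi: (0x[0-9A-Fa-f]+)", body).group(1),
            "transform": re.search(r"transform: (\S+)", body).group(1),
            "replay": re.search(r"replay detection support: (\w)", body).group(1),
            "status": re.search(r"Status: (\w+)", body).group(1),
        }
    return sa

def check_pair(a_ikev2, a_ipsec, b_ikev2, b_ipsec):
    """Problems seen when comparing side A's output with side B's; [] means consistent."""
    a, b = parse_ikev2_sa(a_ikev2), parse_ikev2_sa(b_ikev2)
    ai, bi = parse_ipsec_sa(a_ipsec), parse_ipsec_sa(b_ipsec)
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("IKE endpoints are not mirrored")
    if (ai["outbound"]["spi"], ai["inbound"]["spi"]) != (bi["inbound"]["spi"], bi["outbound"]["spi"]):
        problems.append("ESP SPIs are not mirrored")
    for key in ("Encr", "PRF", "Hash", "DH Grp"):
        if a.get(key) != b.get(key):
            problems.append(f"IKE {key} differs: {a.get(key)} vs {b.get(key)}")
    for side, ike, esp in (("A", a, ai), ("B", b, bi)):
        if ike["status"] != "READY":
            problems.append(f"{side}: IKEv2 SA is {ike['status']}, not READY")
        for direction in ("inbound", "outbound"):
            if esp[direction]["status"] != "ACTIVE":
                problems.append(f"{side} {direction}: ESP SA is {esp[direction]['status']}")
            if esp[direction]["replay"] != "Y":
                problems.append(f"{side} {direction}: anti-replay is off")
    return problems
```

On the page's output check_pair returns exactly four problems, one "anti-replay is off" per ESP SA; endpoints, SPIs, IKE parameters and SA states all agree. Swapping one SPI in either side's output makes the mirror check fail, which is the symptom you would see if one router were still holding a stale SA after a rekey.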