Simplified Networking

L2L VPN on Routers w/ Crypto Map and ISAKMP defaults

Crypto map deployments typically require both sides of the connection to agree on all of the parameters before the VPN will form. That isn't always possible. A customer I dealt with a long time ago provided VPN services to customers and partners, and the VPNs were supposed to be created dynamically. Static crypto maps wouldn't work for that, since the "peer" and "match" statements can't be defined when we don't know in advance who the remote end will be. Instead we need a dynamic crypto map, the same mechanism that allows EzVPN solutions to work for L2L and RA VPN implementations.

The dynamic crypto map is created on R3 with no Phase 1 or Phase 2 attributes defined under it. We'll rely on the default options, which IOS falls back to whenever nothing is statically defined.

R3#show crypto isakmp default policy 

Default IKE policy
Default protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
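Every one of those eight default suites is a proposal the router will accept from any initiator that reaches it, so it is worth checking them against a hardening baseline rather than reading them by eye. The parser below is an added example, not part of the original page: it reads the "show crypto isakmp default policy" output into structured suites and flags the ones that miss a baseline. The sample is copied from the output above (two of the eight suites, to keep it short); the baseline itself (reject 3DES, reject MD5, require DH group 14 or higher) is this example's assumption, not something the page states.

```python
import re
from dataclasses import dataclass

# Constructed sample: two of the eight suites from the
# "show crypto isakmp default policy" output on this page, copied verbatim.
SAMPLE_DEFAULT_POLICY = """\
Default IKE policy
Default protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Hardening baseline used by this example (an assumption, not from the page).
WEAK_ENCRYPTION = ("triple DES",)
WEAK_HASH = ("Message Digest 5",)
MIN_DH_GROUP = 14


@dataclass
class IkeSuite:
    priority: int
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int
    lifetime_s: int


def parse_default_policy(text):
    """Turn the IOS default-policy listing into a list of IkeSuite records."""
    suites = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Default protection suite of priority (\d+)", line)
        if m:
            current = {"priority": int(m.group(1))}
            suites.append(current)
            continue
        if current is None:
            continue
        # Attribute lines look like "<name>:   <value>"; split on the first colon.
        m = re.match(r"\s*([A-Za-z\- ]+?):\s+(.*)", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "encryption algorithm":
            current["encryption"] = value
        elif key == "hash algorithm":
            current["hash_alg"] = value
        elif key == "authentication method":
            current["auth"] = value
        elif key == "Diffie-Hellman group":
            current["dh_group"] = int(re.search(r"#(\d+)", value).group(1))
        elif key == "lifetime":
            current["lifetime_s"] = int(re.search(r"(\d+) seconds", value).group(1))
    return [IkeSuite(**s) for s in suites]


def audit_suite(suite):
    """Return the list of baseline violations for one suite (empty if clean)."""
    findings = []
    if any(w in suite.encryption for w in WEAK_ENCRYPTION):
        findings.append("3DES encryption")
    if any(w in suite.hash_alg for w in WEAK_HASH):
        findings.append("MD5 hash")
    if suite.dh_group < MIN_DH_GROUP:
        findings.append(f"DH group {suite.dh_group} below group {MIN_DH_GROUP}")
    return findings


def audit_default_policy(text):
    """Map each default suite's priority to its findings."""
    return {s.priority: audit_suite(s) for s in parse_default_policy(text)}


if __name__ == "__main__":
    for prio, findings in audit_default_policy(SAMPLE_DEFAULT_POLICY).items():
        print(prio, findings or "ok")
```

Run against the full output above, the audit flags every default suite under this baseline, since the strongest of them still uses DH group 5. If you never intend to fall back on them, IOS lets you remove the built-in policies with `no crypto isakmp default policy`, after which only the explicitly configured policies (here, priority 10) are offered to or accepted from a peer.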

IOS also ships a default IPsec transform-set, and we'll use that one as well.

R3#show crypto ipsec transform-set 
Transform set default: { esp-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 

This lets us form an encrypted connection using ESP-AES with ESP-SHA-HMAC and negotiate the encapsulation mode; the output lists Transport, and the debug further down shows the peer's Tunnel proposal being accepted.

The dynamic map is created like a crypto map but with no attributes applied, and the static crypto map then calls the dynamic map.

R3

crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 108.0.0.8      
!
crypto dynamic-map R3_TO_CSR8 10
!
crypto map CMAP 10 ipsec-isakmp dynamic R3_TO_CSR8 
!
interface g0/0
 crypto map CMAP

CSR8
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 103.0.0.3      
!
ip access-list extended ACL_CSR8_TO_R3
 permit ip host 88.88.88.88 host 33.33.33.33
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 103.0.0.3
 match address ACL_CSR8_TO_R3

CSR8#ping 33.33.33.33 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 88.88.88.88 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/16/19 ms

ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (N) NEW SA
ISAKMP: (0):Created a peer struct for 108.0.0.8, peer port 500
ISAKMP: (0):New peer created peer = 0xEF4A258 peer_handle = 0x80000005
ISAKMP: (0):Locking peer struct 0xEF4A258, refcount 1 for crypto_isakmp_process_block
ISAKMP: (0):local port 500, remote port 500
ISAKMP: (0):insert sa successfully sa = EF2A050
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1 

ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0):      encryption AES-CBC
ISAKMP: (0):      keylength of 128
ISAKMP: (0):      hash SHA256
ISAKMP: (0):      default group 5
ISAKMP: (0):      auth pre-share
ISAKMP: (0):      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 86400
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.

ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP-PAK: (0):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (1004):processing vendor id payload
ISAKMP: (1004):vendor ID is DPD
ISAKMP: (1004):processing vendor id payload
ISAKMP: (1004):speaking to another IOS box!
ISAKMP: (1004):processing vendor id payload
ISAKMP: (1004):vendor ID seems Unity/DPD but major 50 mismatch
ISAKMP: (1004):vendor ID is XAUTH
ISAKMP: (1004):received payload type 20
ISAKMP: (1004):His hash no match - this node outside NAT
ISAKMP: (1004):received payload type 20
ISAKMP: (1004):No NAT Found for self or peer
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1004):Old State = IKE_R_MM3  New State = IKE_R_MM3 

ISAKMP-PAK: (1004):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1004):Sending an IKE IPv4 Packet.
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1004):Old State = IKE_R_MM3  New State = IKE_R_MM4 

ISAKMP-PAK: (1004):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: (1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1004):Old State = IKE_R_MM4  New State = IKE_R_MM5 

ISAKMP: (1004):processing ID payload. message ID = 0
ISAKMP: (1004):ID payload 
        next-payload : 8
        type         : 1
ISAKMP: (1004): address      : 108.0.0.8
ISAKMP: (1004): protocol     : 17 
        port         : 500 
        length       : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1004):processing HASH payload. message ID = 0
ISAKMP: (1004):processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 0xEF2A050
ISAKMP: (1004):SA authentication status:
        authenticated
ISAKMP: (1004):SA has been authenticated with 108.0.0.8
ISAKMP: (1004):SA authentication status:
        authenticated
ISAKMP: (1004):Process initial contact,
bring down existing phase 1 and 2 SA's with local 103.0.0.3 remote 108.0.0.8 remote port 500
ISAKMP: (0):Trying to insert a peer 103.0.0.3/108.0.0.8/500/, 
ISAKMP: (0): and inserted successfully EF4A258.
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1004):Old State = IKE_R_MM5  New State = IKE_R_MM5 

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP: (1004):SA is doing 
ISAKMP: (1004):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1004):ID payload 
        next-payload : 8
        type         : 1
ISAKMP: (1004): address      : 103.0.0.3
ISAKMP: (1004): protocol     : 17 
        port         : 500 
        length       : 12
ISAKMP: (1004):Total payload length: 12
ISAKMP-PAK: (1004):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1004):Sending an IKE IPv4 Packet.
ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1004):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

ISAKMP: (1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

ISAKMP-PAK: (1004):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE      
ISAKMP: (1004):set new node -1211157027 to QM_IDLE      
ISAKMP: (1004):processing HASH payload. message ID = 3083810269
ISAKMP: (1004):processing SA payload. message ID = 3083810269
ISAKMP: (1004):Checking IPSec proposal 1
ISAKMP: (1004):transform 1, ESP_AES 
ISAKMP: (1004):   attributes in transform:
ISAKMP: (1004):      encaps is 1 (Tunnel)
ISAKMP: (1004):      SA life type in seconds
ISAKMP: (1004):      SA life duration (basic) of 3600
ISAKMP: (1004):      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP: (1004):      authenticator is HMAC-SHA
ISAKMP: (1004):      key length is 128
ISAKMP: (1004):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 103.0.0.3:0, remote= 108.0.0.8:0,
    local_proxy= 33.33.33.33/255.255.255.255/256/0,
    remote_proxy= 88.88.88.88/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
(ipsec_process_proposal)Map Accepted: R3_TO_CSR8, 10
ISAKMP: (1004):processing NONCE payload. message ID = 3083810269
ISAKMP: (1004):processing ID payload. message ID = 3083810269
ISAKMP: (1004):processing ID payload. message ID = 3083810269
ISAKMP: (1004):QM Responder gets spi
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1004):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP: (1004):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(crypto_ipsec_create_ipsec_sas): Map found R3_TO_CSR8, 10
IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 100B8D9C
IPSEC(create_sa): sa created,
  (sa) sa_dest= 103.0.0.3, sa_proto= 50, 
    sa_spi= 0x731D173(120705395), 
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 11
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
    local_proxy= 33.33.33.33/255.255.255.255/256/0,
    remote_proxy= 88.88.88.88/255.255.255.255/256/0
IPSEC(create_sa): sa created,
  (sa) sa_dest= 108.0.0.8, sa_proto= 50, 
    sa_spi= 0x218B976B(562796395), 
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 12
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
    local_proxy= 33.33.33.33/255.255.255.255/256/0,
    remote_proxy= 88.88.88.88/255.255.255.255/256/0
ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
ISAKMP: (1004):Received IPSec Install callback... proceeding with the negotiation
ISAKMP: (1004):Successfully installed IPSEC SA (SPI:0x731D173) on GigabitEthernet0/0
ISAKMP-PAK: (1004):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) QM_IDLE      
ISAKMP: (1004):Sending an IKE IPv4 Packet.
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
ISAKMP: (1004):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
ISAKMP-PAK: (1004):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE      
ISAKMP: (1004):deleting node -1211157027 error FALSE reason "QM done (await)"
ISAKMP: (1004):Node 3083810269, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1004):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC: Expand action denied, notify RP
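The debug above is long, but the lines that matter for confirming the negotiation are few: the Old/New State transitions, the Phase 1 attributes checked against "priority 10 policy", and the "Map Accepted" line that names the dynamic map. The script below is an added example, not part of the original page, that pulls those facts out of a debug capture so the outcome can be checked without reading every line. The sample is a constructed excerpt of the debug output above, trimmed to the lines the parser consumes; the function names are this example's own.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" / "debug crypto ipsec" output
# shown on this page, trimmed to the lines the parser cares about.
SAMPLE_DEBUG = """\
ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1 
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0):      encryption AES-CBC
ISAKMP: (0):      keylength of 128
ISAKMP: (0):      hash SHA256
ISAKMP: (0):      default group 5
ISAKMP: (0):      auth pre-share
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2 
ISAKMP: (1004):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 
ISAKMP: (1004):      encaps is 1 (Tunnel)
ISAKMP: (1004):      authenticator is HMAC-SHA
ISAKMP: (1004):      key length is 128
ISAKMP: (1004):atts are acceptable.
(ipsec_process_proposal)Map Accepted: R3_TO_CSR8, 10
ISAKMP: (1004):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP: (1004):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"ISAKMP: \((\d+)\):Old State = (\S+)\s+New State = (\S+)")
P1_ATTR_RE = re.compile(r"\):\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")


def state_transitions(text):
    """Return (sa_id, old_state, new_state) tuples in order of appearance."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(STATE_RE.search, text.splitlines()) if m]


def phase1_attributes(text):
    """Return (policy_priority, attrs) for the Phase 1 proposal the responder evaluated."""
    policy, attrs, in_proposal = None, {}, False
    for line in text.splitlines():
        m = re.search(r"Checking ISAKMP transform \d+ against priority (\d+) policy", line)
        if m:
            policy, in_proposal = int(m.group(1)), True
            continue
        if not in_proposal:
            continue
        if "atts are acceptable" in line:
            attrs["accepted"] = True
            in_proposal = False
            continue
        m = P1_ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return policy, attrs


def phase2_summary(text):
    """Which crypto map entry accepted the Phase 2 proposal, and in which encapsulation mode."""
    m = re.search(r"Map Accepted: (\S+), (\d+)", text)
    enc = re.search(r"encaps is \d+ \((\w+)\)", text)
    return {
        "map": m.group(1) if m else None,
        "seq": int(m.group(2)) if m else None,
        "mode": enc.group(1) if enc else None,
    }


def tunnel_established(text):
    """True when both Phase 1 and Phase 2 reached their COMPLETE states."""
    reached = {new for _, _, new in state_transitions(text)}
    return "IKE_P1_COMPLETE" in reached and "IKE_QM_PHASE2_COMPLETE" in reached


if __name__ == "__main__":
    print(phase1_attributes(SAMPLE_DEBUG))
    print(phase2_summary(SAMPLE_DEBUG))
    print("established:", tunnel_established(SAMPLE_DEBUG))
```

Two things the parsed result makes obvious that are easy to miss in the raw debug: Phase 1 matched the explicitly configured priority 10 policy (SHA256, group 5), not one of the 65507+ defaults, and Phase 2 landed on the dynamic map entry R3_TO_CSR8 sequence 10 with Tunnel encapsulation even though the default transform-set only lists Transport.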
R3#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
103.0.0.3       108.0.0.8       QM_IDLE           1004 ACTIVE
R3#show crypto ipsec sa 

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 103.0.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (88.88.88.88/255.255.255.255/0/0)
   current_peer 108.0.0.8 port 500
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.0.0.3, remote crypto endpt.: 108.0.0.8
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x218B976B(562796395)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x731D173(120705395)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: SW:11, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4344262/2842)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x218B976B(562796395)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: SW:12, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4344262/2842)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
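The "show crypto ipsec sa" output is the place to confirm that the SAs installed during the debug are the ones actually carrying traffic: the inbound and outbound SPIs should match the ones the key engine created, the encaps/decaps counters should reflect the four successful pings, and "PFS (Y/N): N" tells you that no separate Diffie-Hellman exchange protected the Phase 2 keys. The parser below is an added example, not part of the original page; its sample is a constructed excerpt of the output above, and the health checks it applies are this example's choices.

```python
import re

# Constructed excerpt of the "show crypto ipsec sa" output shown on this page.
SAMPLE_IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 103.0.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (88.88.88.88/255.255.255.255/0/0)
   current_peer 108.0.0.8 port 500
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.0.0.3, remote crypto endpt.: 108.0.0.8
     current outbound spi: 0x218B976B(562796395)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x731D173(120705395)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     outbound esp sas:
      spi: 0x218B976B(562796395)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""


def parse_ipsec_sa(text):
    """Extract identities, counters, PFS state and the per-direction ESP SAs."""
    info = {"sas": {}}
    direction = None  # "inbound" / "outbound" while inside an "esp sas:" section
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"local\s+ident \(addr/mask/prot/port\): \((.+)\)", s):
            info["local_ident"] = m.group(1)
        elif m := re.match(r"remote ident \(addr/mask/prot/port\): \((.+)\)", s):
            info["remote_ident"] = m.group(1)
        elif m := re.match(r"current_peer (\S+) port (\d+)", s):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+),", s):
            info["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+),", s):
            info["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): (\w), DH group: (\S+)", s):
            info["pfs"] = m.group(1) == "Y"
        elif m := re.match(r"(inbound|outbound) esp sas:", s):
            direction = m.group(1)
            info["sas"][direction] = {}
        elif re.match(r"(inbound|outbound) (ah|pcp) sas:", s):
            direction = None  # empty AH/PCP sections end the ESP block
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)\((\d+)\)", s)):
            info["sas"][direction]["spi"] = int(m.group(2))
        elif direction and (m := re.match(r"transform: (.+?) ,", s)):
            info["sas"][direction]["transform"] = m.group(1)
        elif direction and (m := re.match(r"in use settings =\{(\w+), \}", s)):
            info["sas"][direction]["mode"] = m.group(1)
        elif direction and (m := re.match(r"replay detection support: (\w)", s)):
            info["sas"][direction]["replay"] = m.group(1) == "Y"
        elif direction and (m := re.match(r"Status: (\w+)", s)):
            info["sas"][direction]["status"] = m.group(1)
    return info


def health_checks(info):
    """Return findings a reviewer would raise; an empty list means the SA pair looks healthy."""
    findings = []
    if not info.get("pfs"):
        findings.append("PFS disabled: Phase 2 keys derive from the IKE SA secret (consider 'set pfs')")
    for direction, sa in info["sas"].items():
        if sa.get("status") != "ACTIVE":
            findings.append(f"{direction} SA not ACTIVE")
        if not sa.get("replay"):
            findings.append(f"{direction} SA has replay detection off")
    if info.get("encaps", 0) == 0 or info.get("decaps", 0) == 0:
        findings.append("traffic flowing in one direction only")
    if info.get("send_errors") or info.get("recv_errors"):
        findings.append("send/recv errors present")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_IPSEC_SA)
    print(parsed["sas"])
    print(health_checks(parsed))
```

On the output above the only finding is the PFS one, which matches the configuration: neither crypto map entry sets PFS, so the Phase 2 keys for this tunnel are derived from the Phase 1 exchange rather than from a fresh Diffie-Hellman group.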