Simplified Networking

Site to Site VPN on IOS Routers with Crypto Map

Crypto map based IPsec VPNs have been around for a very long time and are, in our experience, likely the most widely deployed VPN solution. The crypto map acts as a binding agent: it ties together the interesting traffic (the proxy ACL), the IPsec transform set (the actual data-plane encryption and integrity algorithms), and the peer or peers to communicate with.

R3
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 108.0.0.8
!
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac 
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 108.0.0.8
 set transform-set TSET 
 match address ACL_R3_TO_CSR8
!
ip access-list extended ACL_R3_TO_CSR8
 permit ip host 33.33.33.33 host 88.88.88.88
!
interface GigabitEthernet0/0
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 103.0.0.1
!

CSR8
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 103.0.0.3
!
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac 
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 103.0.0.3
 set transform-set TSET 
 match address ACL_CSR8_TO_R3
!
ip access-list extended ACL_CSR8_TO_R3
 permit ip host 88.88.88.88 host 33.33.33.33
!
interface GigabitEthernet1
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 108.0.0.1
!
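As an added example (not part of the original page), the following Python script parses the two configurations above and checks that the crypto maps on R3 and CSR8 actually mirror each other: the set peer addresses, the pre-shared key binding, the transform set, and the proxy ACLs. The local endpoint addresses 103.0.0.3 and 108.0.0.8 are taken from the show output further down; the parser assumes one crypto map entry and one host-to-host proxy ACL per router, as configured here.

```python
import re
# Crypto-relevant lines of the two configs on the page (copied, trimmed).
R3_CFG = """\
crypto isakmp key cisco address 108.0.0.8
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 108.0.0.8
 set transform-set TSET
 match address ACL_R3_TO_CSR8
ip access-list extended ACL_R3_TO_CSR8
 permit ip host 33.33.33.33 host 88.88.88.88
"""
CSR8_CFG = """\
crypto isakmp key cisco address 103.0.0.3
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 103.0.0.3
 set transform-set TSET
 match address ACL_CSR8_TO_R3
ip access-list extended ACL_CSR8_TO_R3
 permit ip host 88.88.88.88 host 33.33.33.33
"""
def _first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse_crypto_map(cfg):
    """Extract what one crypto map entry binds: peer, transform set, proxy ACL, PSK address."""
    tset = _first(r"^ set transform-set (\S+)", cfg)
    acl = _first(r"^ match address (\S+)", cfg)
    # Only the indented lines directly under the referenced ACL header (one map entry, one ACL)
    block = _first(rf"^ip access-list extended {re.escape(acl or '')}\n((?: .+\n?)*)", cfg) or ""
    return {
        "peer": _first(r"^ set peer (\S+)", cfg),
        "psk_for": _first(r"^crypto isakmp key \S+ address (\S+)", cfg),
        "transforms": (_first(rf"^crypto ipsec transform-set {tset} (.+)", cfg) or "").split(),
        # (protocol, src, dst) tuples; host-to-host ACEs only, as on the page
        "proxy": set(re.findall(r"^ permit (\S+) host (\S+) host (\S+)", block, re.M)),
    }

def check_pair(cfg_a, local_a, cfg_b, local_b):
    """Return mismatches between two crypto-map peers (empty list = consistent)."""
    a, b = parse_crypto_map(cfg_a), parse_crypto_map(cfg_b)
    issues = []
    if a["peer"] != local_b or b["peer"] != local_a:
        issues.append(f"set peer mismatch: A->{a['peer']} vs {local_b}, B->{b['peer']} vs {local_a}")
    for side, p in (("A", a), ("B", b)):
        if p["psk_for"] != p["peer"]:
            issues.append(f"{side}: pre-shared key bound to {p['psk_for']}, not peer {p['peer']}")
    if a["transforms"] != b["transforms"]:
        issues.append(f"transform-set mismatch: {a['transforms']} vs {b['transforms']}")
    # Phase 2 only completes when B's proxy ACL is the exact mirror of A's
    if a["proxy"] != {(proto, dst, src) for proto, src, dst in b["proxy"]}:
        issues.append(f"proxy ACLs are not mirror images: {a['proxy']} vs {b['proxy']}")
    return issues
```

Running `check_pair(R3_CFG, "103.0.0.3", CSR8_CFG, "108.0.0.8")` on the page's configs returns an empty list; a one-character change to either proxy ACL or transform set is reported before any packet is sent.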


CSR8#ping 33.33.33.33 source loopback 0        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 88.88.88.88 
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 13/15/17 ms


CSR9#show crypto isa sa   
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
204.0.0.24      29.0.0.9        QM_IDLE           1001 ACTIVE



ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (N) NEW SA
ISAKMP: (0):Created a peer struct for 108.0.0.8, peer port 500
ISAKMP: (0):New peer created peer = 0x1049CB88 peer_handle = 0x80000003
ISAKMP: (0):Locking peer struct 0x1049CB88, refcount 1 for crypto_isakmp_process_block
ISAKMP: (0):local port 500, remote port 500
ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = CD120A8
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1 

ISAKMP: (0):processing SA payload. message ID = 0
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (0):local preshared key found
ISAKMP: (0):Scanning profiles for xauth ...
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0):      encryption AES-CBC
ISAKMP: (0):      keylength of 128
ISAKMP: (0):      hash SHA256
ISAKMP: (0):      default group 5
ISAKMP: (0):      auth pre-share
ISAKMP: (0):      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (0):Acceptable atts:actual life: 86400
ISAKMP: (0):Acceptable atts:life: 0
ISAKMP: (0):Fill atts in sa vpi_length:4
ISAKMP: (0):Fill atts in sa life_in_seconds:86400
ISAKMP: (0):Returning Actual lifetime: 86400
ISAKMP: (0):Started lifetime timer: 86400.

ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP: (0):vendor ID is NAT-T RFC 3947
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP: (0):vendor ID is NAT-T v7
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP: (0):vendor ID is NAT-T v3
ISAKMP: (0):processing vendor id payload
ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP: (0):vendor ID is NAT-T v2
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
ISAKMP-PAK: (0):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP: (0):Sending an IKE IPv4 Packet.
ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

ISAKMP-PAK: (0):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

ISAKMP: (0):processing KE payload. message ID = 0
ISAKMP: (0):processing NONCE payload. message ID = 0
ISAKMP: (0):found peer pre-shared key matching 108.0.0.8
ISAKMP: (1002):processing vendor id payload
ISAKMP: (1002):vendor ID is DPD
ISAKMP: (1002):processing vendor id payload
ISAKMP: (1002):speaking to another IOS box!
ISAKMP: (1002):processing vendor id payload
ISAKMP: (1002):vendor ID seems Unity/DPD but major 11 mismatch
ISAKMP: (1002):vendor ID is XAUTH
ISAKMP: (1002):received payload type 20
ISAKMP: (1002):His hash no match - this node outside NAT
ISAKMP: (1002):received payload type 20
ISAKMP: (1002):No NAT Found for self or peer
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1002):Old State = IKE_R_MM3  New State = IKE_R_MM3 

ISAKMP-PAK: (1002):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1002):Sending an IKE IPv4 Packet.
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1002):Old State = IKE_R_MM3  New State = IKE_R_MM4 

ISAKMP-PAK: (1002):received packet from 108.0.0.8 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: (1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP: (1002):Old State = IKE_R_MM4  New State = IKE_R_MM5 

ISAKMP: (1002):processing ID payload. message ID = 0
ISAKMP: (1002):ID payload 
        next-payload : 8
        type         : 1
ISAKMP: (1002): address      : 108.0.0.8
ISAKMP: (1002): protocol     : 17 
        port         : 500 
        length       : 12
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (1002):processing HASH payload. message ID = 0
ISAKMP: (1002):processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 0xCD120A8
ISAKMP: (1002):SA authentication status:
        authenticated
ISAKMP: (1002):SA has been authenticated with 108.0.0.8
ISAKMP: (1002):SA authentication status:
        authenticated
ISAKMP: (1002):Process initial contact,
bring down existing phase 1 and 2 SA's with local 103.0.0.3 remote 108.0.0.8 remote port 500
ISAKMP: (0):Trying to insert a peer 103.0.0.3/108.0.0.8/500/, 
ISAKMP: (0): and inserted successfully 1049CB88.
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1002):Old State = IKE_R_MM5  New State = IKE_R_MM5 

IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP: (1002):SA is doing 
ISAKMP: (1002):pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP: (1002):ID payload 
        next-payload : 8
        type         : 1
ISAKMP: (1002): address      : 103.0.0.3
ISAKMP: (1002): protocol     : 17 
        port         : 500 
        length       : 12
ISAKMP: (1002):Total payload length: 12
ISAKMP-PAK: (1002):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1002):Sending an IKE IPv4 Packet.
ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

ISAKMP: (1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP: (1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

ISAKMP-PAK: (1002):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE      
ISAKMP: (1002):set new node -900798332 to QM_IDLE      
ISAKMP: (1002):processing HASH payload. message ID = 3394168964
ISAKMP: (1002):processing SA payload. message ID = 3394168964
ISAKMP: (1002):Checking IPSec proposal 1
ISAKMP: (1002):transform 1, ESP_AES 
ISAKMP: (1002):   attributes in transform:
ISAKMP: (1002):      encaps is 1 (Tunnel)
ISAKMP: (1002):      SA life type in seconds
ISAKMP: (1002):      SA life duration (basic) of 3600
ISAKMP: (1002):      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP: (1002):      authenticator is HMAC-SHA256
ISAKMP: (1002):      key length is 128
ISAKMP: (1002):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 103.0.0.3:0, remote= 108.0.0.8:0,
    local_proxy= 33.33.33.33/255.255.255.255/256/0,
    remote_proxy= 88.88.88.88/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes esp-sha256-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Crypto mapdb : proxy_match
        src addr     : 33.33.33.33
        dst addr     : 88.88.88.88
        protocol     : 0
        src port     : 0
        dst port     : 0
(ipsec_process_proposal)Map Accepted: CMAP, 10
ISAKMP: (1002):processing NONCE payload. message ID = 3394168964
ISAKMP: (1002):processing ID payload. message ID = 3394168964
ISAKMP: (1002):processing ID payload. message ID = 3394168964
ISAKMP: (1002):QM Responder gets spi
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP: (1002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 33.33.33.33
        dst addr     : 88.88.88.88
        protocol     : 256
        src port     : 0
        dst port     : 0
IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP, 10
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 108.0.0.8
IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 100B8D9C
IPSEC(create_sa): sa created,
  (sa) sa_dest= 103.0.0.3, sa_proto= 50, 
    sa_spi= 0x2B8340A(45626378), 
    sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 5
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
    local_proxy= 33.33.33.33/255.255.255.255/256/0,
    remote_proxy= 88.88.88.88/255.255.255.255/256/0
IPSEC(create_sa): sa created,
  (sa) sa_dest= 108.0.0.8, sa_proto= 50, 
    sa_spi= 0xE856F387(3898012551), 
    sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 6
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 103.0.0.3:0, remote= 108.0.0.8:0,
    local_proxy= 33.33.33.33/255.255.255.255/256/0,
    remote_proxy= 88.88.88.88/255.255.255.255/256/0
ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
ISAKMP: (1002):Received IPSec Install callback... proceeding with the negotiation
ISAKMP: (1002):Successfully installed IPSEC SA (SPI:0x2B8340A) on GigabitEthernet0/0
ISAKMP-PAK: (1002):sending packet to 108.0.0.8 my_port 500 peer_port 500 (R) QM_IDLE      
ISAKMP: (1002):Sending an IKE IPv4 Packet.
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
ISAKMP: (1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
ISAKMP-PAK: (1002):received packet from 108.0.0.8 dport 500 sport 500 Global (R) QM_IDLE      
ISAKMP: (1002):deleting node -900798332 error FALSE reason "QM done (await)"
ISAKMP: (1002):Node 3394168964, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP: (1002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
IPSEC: Expand action denied, notify RP



R3#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
103.0.0.3       108.0.0.8       QM_IDLE           1002 ACTIVE



R3#show crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: GigabitEthernet0/0
Uptime: 00:01:31
Session status: UP-ACTIVE     
Peer: 108.0.0.8 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 108.0.0.8
      Desc: (none)
  Session ID: 0  
  IKEv1 SA: local 103.0.0.3/500 remote 108.0.0.8/500 Active 
          Capabilities:(none) connid:1002 lifetime:23:58:27
  IPSEC FLOW: permit ip host 33.33.33.33 host 88.88.88.88 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4330938/3508
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4330938/3508



R3#show crypto ipsec sa 

interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 103.0.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (88.88.88.88/255.255.255.255/0/0)
   current_peer 108.0.0.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.0.0.3, remote crypto endpt.: 108.0.0.8
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xE856F387(3898012551)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2B8340A(45626378)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4330938/3447)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE856F387(3898012551)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4330938/3447)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas: