TROUBLESHOOTING CISCO IOS AND PIX FIREWALL-BASED IPSEC ...

TROUBLESHOOTING CISCO IOS AND PIX FIREWALL-BASED IPSEC IMPLEMENTATIONS SESSION SEC-3010

SEC-3010 9825_05_2004_c1

© 2004 Cisco Systems, Inc. All rights reserved.

1

Agenda • Introduction • Router IPSec VPNS • PIX IPSec VPNS • Cisco EasyVPN Clients • NAT with IPSec • Firewalling and IPSec • MTU Issues • GRE over IPSec • Loss of Connectivity of IPSec Peers SEC-3010 9825_05_2004_c1


© 2004 Cisco Systems, Inc. All rights reserved. Printed in USA. 9825_05_2004_c1

2

What’s Not Covered • PKI-based troubleshooting • Debugs from the PIX® platforms • IPSec VPN Services Module • VRF aware IPSec

SEC-3010 9825_05_2004_c1


3

Why Troubleshooting Is Important in Today’s VPN Deployment • Complex security association and key management protocols and a rich set of cryptographic algorithms from which VPN peers can choose • VPNs are often implemented on top of existing networks • Some advance features could break IPSec Implementations • VPNs could be used between different vendors

SEC-3010 9825_05_2004_c1



4

A Key Point to Remember

“DEBUG AND SHOW COMMANDS ARE YOUR FRIENDS IN TROUBLESHOOTING ANY IPSEC RELATED ISSUES.”

SEC-3010 9825_05_2004_c1

5


Secure Communications Using IPSec VPN

Message

Message

Me ss ag

e

A

SEC-3010 9825_05_2004_c1

B

Needs Secure Communications over Insecure Channel M



es sa ge

6

IKE (Two-Phase Protocol)

• Two-phase protocol: Phase I exchange: two peers establish a secure, authenticated channel with which to communicate; main mode or aggressive mode accomplishes a phase I exchange Phase II exchange: security associations are negotiated on behalf of IPSec services; quick mode accomplishes a phase II exchange

• Each phase has its SAs: ISAKMP SA (phase I) and IPSec SA (phase II) SEC-3010 9825_05_2004_c1


7

Main Mode with Pre-Shared Key Initiator

Responder

Phase I SA parameter negotiation complete

DH key exchange complete, share secret SKEYIDe derived Nonce exchange defeat replay

SEC-3010 9825_05_2004_c1



8

Phase II Quick Mode Negotiation

• • • • •

Protected by Phase I SA Optional DH exchange for Perfect Forward Secrecy (PFS) Negotiate IPSec SA parameters, including proxy identities [IDCI, IDCR] Two unidirectional IPSec SA established with unique SPI number Nonce exchanged for generating session key KEYMAT = HMAC (SKEYIDd,[KEIKER|]protocol|SPI|NonceI|NonceR)

SEC-3010 9825_05_2004_c1


9

Agenda • Introduction • Router IPSec VPNs • PIX IPSec VPNs • Cisco EasyVPN Clients • NAT with IPSec • Firewalling and IPSec • MTU Issues • GRE over IPSec • Loss of Connectivity of IPSec Peers SEC-3010 9825_05_2004_c1



10

Layout

209.165.200.227

209.165.201.4

Backbone Router1

Router2

10.1.1.0/24

10.1.2.0/24

Encrypted

SEC-3010 9825_05_2004_c1

11


Router Configurations crypto isakmp policy 10 “crypto isakmp policy” Defines the Phase 1 SA Parameters

encr 3des authentication pre-share

crypto isakmp key jw4ep9846804ijl address 209.165.201.4 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac “crypto ipsec transform-set..” Command Defines IPSec Encryption and authen algo

! crypto map vpn 10 ipsec-isakmp set peer 209.165.201.4 set transform-set myset

“crypto map..” Commands Defines the IPSec SA (Phase II SA) Parameters

match address 101

SEC-3010 9825_05_2004_c1



12

Router Configurations

interface Ethernet0/2 ip address 10.1.1.1 255.255.255.0 ! interface Ethernet0/3 ip address 209.165.200.227 255.255.255.0

Interface that is connected to the Private network

crypto map applied to the outbound Interface

crypto map vpn !

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 Access-list defines interesting VPN traffic

SEC-3010 9825_05_2004_c1


13

Router Configurations R1# show crypto map Crypto Map "vpn" 10 IPSec-isakmp Peer = 209.165.201.4 Extended IP access list 101 access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 Current peer: 209.165.201.4 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ myset, } Interfaces using crypto map vpn: Ethernet0/3

SEC-3010 9825_05_2004_c1



14

Important Debugs Commands • debug crypto isakmp • debug crypto ipsec • debug crypto engine • debug ip packet detail

SEC-3010 9825_05_2004_c1


15

Debugs Functionality Flow Chart Interesting Traffic Received Main Mode IKE Negotiation Quick Mode Negotiation Establishment of Tunnel

SEC-3010 9825_05_2004_c1



16

Tunnel Establishment Interesting Traffic Received

• The ping source and destination addresses matched the match address access list for the crypto map VPN 22:17:24.426: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),

• The ‘local’ is the local tunnel end-point, the ‘remote’ is the remote crypto end point as configured in the map; The src proxy is the src interesting traffic as defined by the match address access list; The dst proxy is the destination interesting traffic as defined by the match address access list protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 3600s and 4608000kb, spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x400A

• The protocol and the transforms are specified by the crypto map which has been hit, as are the lifetimes SEC-3010 9825_05_2004_c1

17


IKE Main Mode Negotiation: Phase I SA Negotiation Initiator

Responder

IKE

• Begins Main Mode exchange; the first two packets negotiate phase I SA parameters • ISAKMP: received ke message (1/1) ISAKMP: local port 500, remote port 500 ISAKMP (0:1): Input = IKE_MESG_FROM_IPsec, IKE_SA_REQ_MM Old State = IKE_READY

New State = IKE_I_MM1

ISAKMP (0:1): beginning Main Mode exchange 22:17:24: ISAKMP (0:1): sending packet to 209.165.201.4(I)MM_NO_STATE 22:17:24: ISAKMP (0:1): received packet from 209.165.201.4

(I) MM_NO_STATE

22:17:24: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_I_MM1 SEC-3010 9825_05_2004_c1




18

IKE Main Mode Negotiation: Phase I SA Negotiation

22:17:24: 22:17:24: 22:17:24: 22:17:24: 22:17:24: 22:17:24: 22:17:24: 22:17:24: 22:17:24:

ISAKMP (0:1): ISAKMP (0:1): ISAKMP (0:1): ISAKMP: ISAKMP: ISAKMP: ISAKMP: ISAKMP: ISAKMP (0:1):

processing SA payload. message ID = 0 processing vendor id payload Checking ISAKMP transform 1 against priority 10 policy hash SHA The policy 10 on this router and default group 1 the atts offered by the other side auth pre-share matched life type in seconds life duration (VPI) of 0x0 0x1 0x51 0x80 atts are acceptable. Next payload is 0

22:17:24: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE Old State = IKE_I_MM2 New State = IKE_I_MM2

SEC-3010 9825_05_2004_c1

19


IKE Main Mode Negotiation: DH Exchange • The third and fourth packets completes Diffie-Hellman exchange

ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_SA_SETUP ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Old State = IKE_I_MM2


ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_SA_SETUP ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_I_MM3


ISAKMP (0:1): processing KE payload. message ID = 0 ISAKMP (0:1): processing NONCE payload. message ID = 0 ISAKMP (0:1): found peer pre-shared key matching 209.165.201.4 ISAKMP (0:1): SKEYID state generated ISAKMP (0:1): processing vendor id payload SEC-3010 9825_05_2004_c1



20

IKE Main Mode Negotiation: Authentication • The fifth and sixth packets complete IKE authentication; Phase 1 SA established

ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR …… ISAKMP (0:1): sending packet to 209.165.201.4 (I) MM_KEY_EXCH ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETEOld State = IKE_I_MM4 New State = IKE_I_MM5 ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_KEY_EXCH ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH Old State = IKE_I_MM5 New State = IKE_I_MM6 ISAKMP (0:1): processing ID payload. message ID = 0 ISAKMP (0:1): processing HASH payload. message ID = 0 ISAKMP (0:1): SA has been authenticated with 209.165.201.4 ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE SEC-3010 9825_05_2004_c1


21

IKE Quick Mode IPSec SA Negotiations • Begin Quick Mode exchange; IPSec SA will be negotiated in QM

ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 843945273 ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE ISAKMP (0:1): Node 843945273, Input = IKE_MESG_INTERNAL, IKE_INIT_QM Old State = IKE_QM_READY New State = IKE_QM_I_QM1 ISAKMP (0:1): received packet from 209.165.201.4 (I) QM_IDLE

• The IPSec SA proposal offered by far end will be checked against local crypto map configuration

ISAKMP (0:1): processing HASH payload. message ID = 843945273 ISAKMP (0:1): processing SA payload. message ID = 843945273 SEC-3010 9825_05_2004_c1



22

IKE Quick Mode IPSec SA Negotiations ISAKMP (0:1): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ISAKMP:

attributes in transform:

ISAKMP:

encaps is 1

ISAKMP:

SA life type in seconds

ISAKMP:

SA life duration (basic) of 3600

ISAKMP:

SA life type in kilobytes

ISAKMP:

SA life duration (VPI) of

ISAKMP:

authenticator is HMAC-MD5

0x0 0x46 0x50 0x0

ISAKMP (0:1): atts are acceptable. IPsec(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 SEC-3010 9825_05_2004_c1


23

IKE Quick Mode SA Creation • Two IPSec SAs have been negotiated, an incoming SA with the SPI generated by the local machine and an outbound SA with the SPIs proposed by the remote end

ISAKMP (0:1): Creating IPSec SAs inbound SA from 209.165.201.4 to 209.165.200.227(proxy 10.1.2.0 to 10.1.1.0) has spi 0x8EAB0B22 and conn_id 2000 and flags 2 lifetime of 3600 seconds lifetime of 4608000 kilobytes outbound SA from 209.165.200.227 to 209.165.201.4 (proxy 10.1.1.0 to 10.1.2.0) has spi -1910720646 and conn_id 2001 and flags A lifetime of 3600 seconds lifetime of 4608000 kilobytes

SEC-3010 9825_05_2004_c1



24

IKE Quick Mode SA Initialization • The IPSec SA info negotiated by IKE will be populated into router’s SADB 22:17:25 : IPsec(key_engine): got a queue event... 22:17:25: IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 3600s and 4608000kb, spi= 0x4579753B(1165587771), conn_id= 2000, keysize= 0, flags=0x2 22:17:25: IPsec(initialize_sas): , (key eng. msg.) OUTBOUND local= 209.165.200.227, remote= 209.165.201.4, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 3600s and 4608000kb, spi= 0x8E1CB77A(2384246650), conn_id= 2001, keysize= 0, flags= 0xA SEC-3010 9825_05_2004_c1


25

IKE Quick Mode Phase 2 Completion • IPSec SA created in SADB, sent out last packet with commit bit set; IPSec tunnel established IPsec(create_sa): sa created, (sa) sa_dest= 209.165.200.227, sa_prot= 50, sa_spi= 0x4579753B(1165587771), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2000 IPsec(create_sa): sa created, (sa) sa_dest= 209.165.201.4, sa_prot= 50, sa_spi= 0x8E1CB77A(2384246650), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001 ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE ISAKMP (0:1): Node 843945273, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Old State = IKE_QM_I_QM1 SEC-3010 9825_05_2004_c1

New State = IKE_QM_PHASE2_COMPLETE



26

Show Commands • Show crypto engine connection active • Show crypto isakmp sa [detail] • Show crypto ipsec sa [detail]

SEC-3010 9825_05_2004_c1

27


Show Commands Router#show cry engine connection active ID Interface IP-Address State 1 Ethernet0/3 209.165.200.227 set This is ISAKMP SA 2000 Ethernet0/3 209.165.200.227 set 2001 Ethernet0/3 209.165.200.227 set These two are IPSec SAs Router#sh crypto isakmp sa dst src state 209.165.201.4 209.165.200.227 QM_IDLE

Algorithm HMAC_SHA+3DES_56_C

Encrypt 0

HMAC_MD5+3DES_56_C HMAC_MD5+3DES_56_C

conn-id 1

Decrypt 0

0 19

19 0

slot 0

Router#show crypto isakmp sa detail Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal X - IKE Extended Authentication psk - Preshared key, rsig - RSA signature, renc - RSA encryption C-id 1

Local Remote I-VRF 209.165.200.227 209.165.201.4 Connection-id:Engine-id = 1:1(software)

SEC-3010 9825_05_2004_c1



Encr Hash Auth DH Lifetime Cap. 3des sha psk 1 23:59:40

28

Show Commands Router# show crypto ipsec sa interface: Ethernet0/3 Crypto map tag: vpn, local addr. 209.165.200.227 local

ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0) current_peer: 209.165.201.4 PERMIT, flags={origin_is_acl,} #pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19 #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 209.165.200.227, remote crypto endpt.: 209.165.201.4 path mtu 1500, media mtu 1500 current outbound spi: 8E1CB77A SEC-3010 9825_05_2004_c1


29

Show Commands inbound esp sas: spi: 0x4579753B(1165587771) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn sa timing: remaining key lifetime (k/sec): (4456885/3531) IV size: 8 bytes replay detection support: Y outbound esp sas: spi: 0x8E1CB77A(2384246650) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn sa timing: remaining key lifetime (k/sec): (4456885/3531) IV size: 8 bytes replay detection support: Y SEC-3010 9825_05_2004_c1



30

Show Commands Router# show crypto ipsec sa detail ... #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19 #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 1, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 ... SEC-3010 9825_05_2004_c1

31


Hardware Crypto Engine • In latest Cisco IOS versions, show commands for different types of hardware crypto cards have been unified Verify hardware/software crypto engine

Show crypto engine configuration

Hardware info

Show diag

Turn on/off the hardware crypto engine

[no] crypto engine accelerator [slot_no.]

Display statistics

Show crypto engine accelerator stat

Debug crypto engine

Debug crypto engine accelerator control/packet

SEC-3010 9825_05_2004_c1



32

Hardware Crypto Engine (Cont.) • show crypto engine configuration crypto engine name: Virtual Private Network (VPN) Module crypto engine type: hardware Product name: AIM-VPN/EP

Indicates Hardware Crypto Engine On

• show diag slot : 0

Shows the Type of Hardware Encryption

Encryption AIM 0:

SEC-3010 9825_05_2004_c1

Hardware revision

: 1.0

Top assy. part number

: 800-15369-03

Board revision

: B0


33

Hardware Crypto Engine (Cont.) • show crypto engine accelerator statistic Virtual Private Network (VPN) Module in aim slot : 0 Statistics for Hardware VPN Module since the last clear of counters 31 seconds ago 605 packets in 605 packets out 0 packet overruns 0 output packets dropped Last 5 minutes: 605 packets in 605 packets out 307 packets decrypted 298 packets encrypted 15708 bytes decrypted 13854 bytes encrypted 19 paks/sec in 19 paks/sec out 17 Kbits/sec decrypted 14 Kbits/sec encrypted SEC-3010 9825_05_2004_c1



34

Hardware Crypto Engine (Cont.) • Debug crypto engine accelerator debug cry engine accelerator control detail display the entire command content error display errors from control commands debug cry engine accelerator packet detail display packet going through crypto accelerator error display errors from packets going through crypto accelerator number number of packet to be printed SEC-3010 9825_05_2004_c1

35


Verify Crypto Engine router#sh crypto engine configuration

Privileged Mode:

0x0000

Maximum buffer length: crypto engine name:

unknown

Maximum DH index:

1014

crypto engine type:

ISA/ISM

Maximum SA index:

2029

CryptIC Version: CGX Version:

FF41

Maximum Flow index:

0111

DSP firmware version: MIPS firmware version:

0003030F

ISA/ISM serial number: B82CA6C09E080DF0E0A1029EF8E7112F3FF5F 67B PCBD info:

3-DES [07F000260000]

Compression: 3 DES: SEC-3010 9825_05_2004_c1

4059

Maximum RSA key size: 0061

No

4096

0000

crypto engine in slot:

5

platform: predator crypto_engine

Crypto Adjacency Counts: Lock Count:

0

Unlock Count:

0

Yes © 2004 Cisco Systems, Inc. All rights reserved.


36

Common Issues • Incompatible ISAKMP policy or pre-shared secrets • Incompatible transform sets • Incompatible or incorrect access lists • Crypto map on the wrong interface • Overlapping ACLs • Routing and filtering issues • Caveats: switching paths

SEC-3010 9825_05_2004_c1


37

Incompatible ISAKMP Policy or Pre-Shared Secrets • If the configured ISAKMP policies don’t match the proposed policy by the remote peer, the router tries the default policy of 65535, and if that does not match either, it fails ISAKMP negotiation Default protection suite encryption algorithm:

DES—Data Encryption Standard (56 bit keys).

hash algorithm:

Secure Hash Standard

authentication method:

Rivest-Shamir-Adleman Signature

Diffie-Hellman group:

#1 (768 bit)

lifetime:

86400 seconds, no volume limit

• A sh crypto isakmp sa shows the ISAKMP SA to be in MM_NO_STATE, meaning the main-mode failed SEC-3010 9825_05_2004_c1



38

Incompatible ISAKMP Policy or Pre-Shared Secrets 3d01h: ISAKMP (0:1): processing SA payload. message ID = 0 3d01h: ISAKMP (0:1): found peer preshared key matching 209.165.200.227 ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy ISAKMP:

encryption 3DES-CBC

ISAKMP:

hash MD5

ISAKMP:

default group 1

ISAKMP:

auth pre-share

ISAKMP:

life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP (0:1): Hash algorithm offered does not match policy! ISAKMP (0:1): atts are not acceptable. Next payload is 0 SEC-3010 9825_05_2004_c1

ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy ISAKMP:

encryption 3DES-CBC

ISAKMP:

hash MD5

ISAKMP:

default group 1

ISAKMP:

auth pre-share

ISAKMP:

life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 ISAKMP (0:1): Encryption algorithm offered does not match policy! ISAKMP (0:1): atts are not acceptable. Next payload is 0 ISAKMP (0:1): no offers accepted! ISAKMP (0:1): phase 1 SA not acceptable!


39

Incompatible ISAKMP Policy or Pre-Shared Secrets • If the pre-shared secrets are not the same on both sides, the negotiation will fail again, with the router complaining about sanity check failed • A sh crypto isakmp sa shows the ISAKMP SA to be in MM_NO_STATE, meaning the main mode failed

SEC-3010 9825_05_2004_c1



40

Incompatible ISAKMP Policy or Pre-Shared Secrets ISAKMP (62): processing SA payload. message ID = 0 ISAKMP (62): Checking ISAKMP transform 1 against priority 10 policy encryption DES-CBC hash SHA default group 1 auth pre-share ISAKMP (62): atts are acceptable. Next payload is 0 ISAKMP (62): SA is doing pre-shared key authentication ISAKMP (62): processing KE payload. message ID = 0 ISAKMP (62): processing NONCE payload. message ID = 0 ISAKMP (62): SKEYID state generated ISAKMP (62); processing vendor id payload ISAKMP (62): speaking to another IOS box!

ISAKMP: reserved not zero on ID payload! %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 209.165.200.227 failed its sanity check or is malformed SEC-3010 9825_05_2004_c1

41


Incompatible IPSec Transform Set • If the ipsec transform-set is not compatible or mismatched on the two IPSec devices, the IPSec negotiation will fail, with the router complaining about “atts not acceptable” for the IPSec proposal

Phase II Parameters IPSec mode (tunnel or transport)

ISAKMP (0:2): Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES Encryption algorithm ISAKMP: attributes in transform: Authentication algorithm ISAKMP: encaps is 1 PFS group ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 3600 IPSec SA Lifetime ACL - traffic definition ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 0) not supported ISAKMP (0:2): atts not acceptable. Next payload is 0 ISAKMP (0:2): SA not acceptable!

SEC-3010 9825_05_2004_c1



42

Incompatible or Incorrect Access Lists • If the access lists on the two routers don’t match proxy identities not supported will result • It is recommended that access lists on the two routers be ‘a mirror’ of each other • It is also highly recommended that the key word any not be used in match address access lists

SEC-3010 9825_05_2004_c1


43

Incompatible or Incorrect Access Lists 1w6d: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 209.165.201.4, remote= 209.165.200.227, local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 1w6d: IPSEC(validate_transform_proposal): proxy identities not supported 1w6d: ISAKMP (0:2): IPSec policy invalidated proposal 1w6d: ISAKMP (0:2): phase 2 SA not acceptable! Access List at 209.165.200.227: access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 Access List at 209.165.201.4: access list 101 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255 SEC-3010 9825_05_2004_c1



44

Crypto Map on the Wrong Interface • The crypto map needs to be applied to the outgoing interface of the router IPSEC(validate_proposal): invalid local address 209.165.201.4 ISAKMP (0:4): atts not acceptable. Next payload is 0 ISAKMP (0:4): phase 2 SA not acceptable!

• If you don’t want to use the outside interface’s IP as the local ID, use the command ‘crypto map local-address , to specify the correct interface • If there are physical as well as logical interfaces involved in carrying outgoing traffic, the crypto map needs to be applied to both; however, this restriction has been taken off in the latest Cisco IOS SEC-3010 9825_05_2004_c1


45

Overlapping ACLs • If there are multiple peers to a router, make sure that the match address access-lists for each of the peers are mutually exclusive from the match address access-list for the other peers • If this is not done, the router will choose the wrong crypto map to try and establish a tunnel with one of the other peers

SEC-3010 9825_05_2004_c1



46

Incorrect SA Selection by the Router IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 209.165.200.227, remote= 209.165.202.149, local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 IPSEC(validate_transform_proposal): peer address 209.165.202.149 not found ISAKMP (0:2): IPSec policy invalidated proposal ISAKMP (0:2): phase 2 SA not acceptable! Access list for 209.165.201.4: Access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 Access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255 Access list for 209.165.202.149: Access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 SEC-3010 9825_05_2004_c1


47

Routing Issues • A packet needs to be routed to the interface which has the crypto map configured on it before IPSec kicks in • Routes need to be there for: The router to reach its peers address The IP subnets of the destination host before the packets are encrypted The IP subnets of the destination host once the packets are decrypted

• Use the debug ip packet detailed to see if the routing is occurring correctly (be careful on the busy networks!!!) SEC-3010 9825_05_2004_c1



48

Possible Caveats in Switching Paths • Symptom: Only see encryption or decryption counter incrementing from “show crypto eng conn active” • Caveats in the switching paths might cause IPSec encryption/decryption failures • Workaround: Try different switch paths (CEF, fast switching, process switching) • Process switching can cause Performance issues!!!

SEC-3010 9825_05_2004_c1


49

Quiz Time Agenda “PROXY IDS NOT SUPPORTED..” • Introduction Debug Message Means: • Router IPSec VPNs

• PIX IPSec VPNs is mismatched 1. Phase 2 Hashing • Cisco EasyVPN 2. Access-List is Clients mismatched • NAT with2 IPSec 3. Phase Encryption type is mismatched • Firewalling and IPSec 4. DH group is mismatched • MTU Issues • GRE over IPSec • Loss of Connectivity of IPSec Peers SEC-3010 9825_05_2004_c1



50

Layout

10.1.2.0/24 10.1.1.0/24 209.165.200.226

209.165.202.129

Internet PIX 1

PIX 2 Private

Encrypted

Private

Public

SEC-3010 9825_05_2004_c1

51


PIX-to-PIX VPN Configuration access-list bypassnat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Access-List “bypassnat” Defines Interesting Traffic to bypass NAT for VPN

nat (inside) 0 access-list bypassnat

NAT 0 Command Bypasses NAT for the Pkts Destined over the IPSec Tunnel

access-list encrypt permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Access-list “encrypt” Defines VPN Interesting Traffic

ip address outside 209.165.202.129 255.255.255.0 ip address inside 10.1.1.1 255.255.255.0 IP Addresses on the outside route outside 0.0.0.0 0.0.0.0 209.165.202.158 1 and inside Interfaces

sysopt connection permit-ipsec

SEC-3010 9825_05_2004_c1



Sysopt Command Bypasses Conduits or ACLs Checking to Be Applied on the Inbound VPN Packets after Decryption 52

Standard Site-to-Site VPN Configuration Highlight crypto ipsec transform-set mysetdes esp-des esp-md5-hmac crypto crypto crypto crypto crypto

map map map map map

encryptmap encryptmap encryptmap encryptmap encryptmap

“crypto IPSec..” Command Defines IPSec Encryption and authen algo

20 ipsec-isakmp 20 match address encrypt 20 set peer 209.165.200.226 20 set transform-set mysetdes interface outside

“crypto map..” Commands Define the IPSec SA (Phase II SA) Parameters

isakmp enable outside “isakmp key..” Command isakmp key cisco123 address 209.165.200.226 Defines the Pre-Shared netmask 255.255.255.255 no-xauth no-config-mode Key for the Peer Address isakmp isakmp isakmp isakmp isakmp

policy policy policy policy policy

SEC-3010 9825_05_2004_c1

10 10 10 10 10

authentication pre-share encryption des hash md5 group 1 lifetime 86400

“isakmp policy..” Defines the Phase 1 SA Parameters


53

Common Issues • Bypassing NAT • Enabling ISAKMP • Missing sysopt commands • Combining PIX-PIX and PIX-VPN client issues

SEC-3010 9825_05_2004_c1



54

Bypassing NAT • Nat needs to be bypassed on the PIX in order for the remote side to access the private network behind the PIX seamlessly • Use the NAT 0 command with an access list to achieve that

SEC-3010 9825_05_2004_c1


55

Enabling ISAKMP • Unlike the router, ISAKMP is not enabled by default on the PIX • Use the command isakmp enable to enable it on an interface

Pix(config)# isakmp enable outside

SEC-3010 9825_05_2004_c1



56

Missing Sysopt Commands • After decryption, PIX will check the access-lists or conduits against the decrypted IP packets • Access-lists or conduits need to be configured to permit decrypted IP traffic • Enable sysopt connection permit-ipsec to bypass the access-list/conduit checking against VPN traffic after decryption

SEC-3010 9825_05_2004_c1


57

Combining PIX-PIX and PIX-Client Issues • If you are doing mode config or x-auth for the VPN clients you would need to disable them for the siteto-site VPN connections • Use the no-config-mode and no x-auth tags at the end of the pre-shared key definitions to disable mode config and x-auth • isakmp peer fqdn fqdn no-xauth no-config-mode in case rsa-sig is used as IKE authentication method

SEC-3010 9825_05_2004_c1



58

Agenda • Introduction • Router IPSec VPNs • PIX IPSec VPNs • Cisco EasyVPN Clients • NAT with IPSec • Firewalling And IPSec • MTU Issues • GRE over IPSec • Loss of Connectivity of IPSec Peers SEC-3010 9825_05_2004_c1

59


Layout 172.18.124.96 WINS

VPN Client

10.1.1.0/24

Internet

14.38.1.0/24

Router 209.165.200.227

209.165.201.4

Router

14.38.2.0/24

DNS

PIX 209.165.201.2 SEC-3010 9825_05_2004_c1



EasyVPN Clients

60

Cisco VPN Clients to a Router 209.165.200.227

aaa new-model aaa authentication login userauthen local aaa authorization network groupauthor local username cisco password 0 cisco123 username pix password 0 cisco123 ! crypto isakmp policy 3 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group vpnclient key cisco123 dns 10.1.1.10 wins 10.1.1.20 domain cisco.com pool ippool acl 100 SEC-3010 9825_05_2004_c1

172.18.124.96

VPN Client

Router

aaa Commands Enable User Authentication and Group Authorization

ISAKMP Policy Defines Phase 1 Parameters

“Crypto isakmp client configuration” Commands Define Modeconfiguration Parameters To Be Passed to the VPN Clients

61



Router

172.18.124.96

VPN Client

crypto IPSec transform-set myset esp-3des esp-sha-hmac !

“crypto IPSec..” Command Defines IPSec Encryption and Authentication Algorithm

crypto dynamic-map dynmap 10 set transform-set myset !

“crypto dynamic-map…” Defines a Dynamic Map which Would Be Included in the Actual Map

crypto map clientmap client authentication list userauthen crypto map clientmap isakmp authorization list groupauthor crypto map clientmap client configuration address respond crypto map clientmap 10 IPsec-isakmp dynamic dynmap

SEC-3010 9825_05_2004_c1



“crypto map…” Commands Define the Actual Map which Would Be Applied to the Outbound Interface for the Data Encryption

62


172.18.124.96

VPN Client

Router

ip local pool ippool 14.1.1.1 14.1.1.254 !

“ip local pool…” Command Defines a Pool of Addresses to Be Assigned Back to the VPN Client

access-list 100 permit ip 10.1.1.0 0.0.0.255 14.1.1.0 0.0.0.255 access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.1.0 0.0.0.255 access-list 100 permit ip 10.1.1.0 0.0.0.255 14.38.2.0 0.0.0.255 !

access-list Defines SplitTunneling

crypto map Is then Applied to the Outbound Interface

interface FastEthernet2/0 ip address 209.165.200.227 255.255.255.0 crypto map clientmap

SEC-3010 9825_05_2004_c1

63


Layout 172.18.124.96 WINS

VPN Client

10.1.1.0/24

Internet

14.38.1.0/24

PIX 209.165.200.226

209.165.201.4

Router

14.38.2.0/24

DNS

PIX 209.165.201.2 SEC-3010 9825_05_2004_c1



EasyVPN Clients

64

Cisco VPN Client to a PIX 209.165.200.226

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.1.0 255.255.255.0 access-list 101 permit ip 10.1.1.0 255.255.255.0 14.38.2.0 255.255.255.0

172.18.124.96

VPN Client

PIX

Define an Access-List, that Would Be Used to Bypass NAT for the IPSec Traffic

nat (inside) 0 access-list 101 ip address outside 209.165.200.226 255.255.255.224

Define IP Address on the Interfaces

ip address inside 10.1.1.1 255.255.255.0 isakmp enable outside isakmp identity address isakmp policy 10 authentication pre-share

ISAKMP Policy Defines Phase 1 Parameters

isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 SEC-3010 9825_05_2004_c1

65


Cisco VPN Client to a PIX 209.165.200.226

172.18.124.96

PIX

VPN Client

ip local pool ippool 10.1.2.1-10.1.2.254

Define a Pool of Addresses To Be Assigned Back to the VPN Client

sysopt connection permit-IPsec

Sysopt Command Bypasses Conduits or ACLs

vpngroup vpnclient address-pool ippool vpngroup vpnclient dns-server 10.1.1.2 vpngroup vpnclient wins-server 10.1.1.2 vpngroup vpnclient default-domain cisco.com vpngroup vpnclient split-tunnel 101 vpngroup vpnclient idle-time 1800 vpngroup vpnclient password ******** crypto IPSec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 IPsec-isakmp dynamic dynmap crypto map mymap interface outside SEC-3010 9825_05_2004_c1



vpngroup Commands Enable Group Authorization; You Can Pass Down Mode-Configuration Parameters Within This Section Back to the VPN Client; Note That Access-List 101 Can Be Used Again for Split-Tunneling

“Crypto ipsec transform-set…” Command Defines Phase 2 Negotiation Parameters “crypto map…” Commands Defines the Actual Map which Would Be Applied to an Interface for the Data Encryption 66

Software VPN Client Configuration To Launch the VPN client, click: Start | Programs | Cisco Systems VPN client | VPN Client

SEC-3010 9825_05_2004_c1

67


Cisco IOS EasyVPN Client 209.165.200.227

crypto ipsec client ezvpn ezvpnclient connect auto group vpnclient key cisco123 mode network-extension peer 209.165.200.227

Router

209.165.201.4

EZVPN Client

“crypto ipsec client …” Commands Define the Connection Parameters to Establish an EasyVPN tunnel

interface Ethernet0 ip address 14.38.1.1 255.255.255.0 crypto ipsec client ezvpn ezvpnclient inside hold-queue 100 out

“crypto ipsec client … inside” Command Defines the Private Subnet for the IPSec Encryption

interface Ethernet1 ip address 209.165.201.4 255.255.255.224 crypto ipsec client ezvpn ezvpnclient

“crypto ipsec client … ” Command Is then Applied to an Outbound Interface

SEC-3010 9825_05_2004_c1



14.38.1.0/24

68

PIX EasyVPN 209.165.200.227

Router

209.165.201.2

14.38.2.0/24

EZVPN Client

hostname vpn-pix501b domain-name cisco.com

vpnclient server 209.165.200.227 vpnclient mode network-extension-mode vpnclient vpngroup vpnclient password ******** vpnclient username cisco password ******** vpnclient enable

“vpnclient …” Commands Define the Connection Parameters to Establish an EasyVPN Tunnel

route outside 0.0.0.0 0.0.0.0 209.165.201.1 1 ip address outside 209.165.201.2 255.255.255.224 ip address inside 14.38.2.1 255.255.255.0

SEC-3010 9825_05_2004_c1

69


Cisco IOS Debugs: Phase I Negotiation Debug crypto isakmp Debug crypto ipsec Debug crypto ipsec client ezvpn ( on EZVPN client ) ISAKMP (0:0): received packet from 172.18.124.96 (N) NEW SA ISAKMP: local port 500, remote port 500 … ISAKMP (0:10): Checking ISAKMP transform 1 against priority 3 policy ISAKMP: encryption 3DES-CBC ISAKMP: hash SHA ISAKMP: default group 2 ISAKMP: auth XAUTHInitPreShared ISAKMP: life type in seconds ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:10): atts are acceptable. Next payload is 3 … Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT SEC-3010 9825_05_2004_c1



This Message Indicates That This Router Received an isakmp Message from the EZVPN client on src port 500, dst port=500

Router Is Trying to Match the Received Proposal #1 with the Configured Proposal #3

Received Proposal Is Acceptable Since the VPN Client Uses Aggressive Mode, the New State Is IKE_R_AM_AAA_AWAIT 70

Cisco IOS Debugs: Xauth …

ISAKMP (0:10): Need XAUTH … ISAKMP/xauth: request attribute XAUTH_TYPE_V2 ISAKMP/xauth: request attribute XAUTH_MESSAGE_V2 ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

Router Is Requesting the VPN Client for User Authentication

ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2 ... ISAKMP: Config payload REPLY ISAKMP/xauth: reply attribute XAUTH_TYPE_V2 unexpected ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

Router Is Receiving the x-auth Attributes from the VPN Client

ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

SEC-3010 9825_05_2004_c1

71


Cisco IOS Debugs: Mode Configuration ISAKMP (0:10): checking request: ISAKMP: IP4_ADDRESS ISAKMP: IP4_NETMASK ISAKMP: IP4_DNS ISAKMP: IP4_NBNS ISAKMP: ADDRESS_EXPIRY ISAKMP: APPLICATION_VERSION ISAKMP: UNKNOWN Unknown Attr: 0x7000 … ISAKMP: Sending private address: 14.1.1.3 ISAKMP: Unknown Attr: IP4_NETMASK (0x2) ISAKMP: Sending IP4_DNS server address: 14.36.1.10 ISAKMP: Sending IP4_NBNS server address: 14.36.1.20 ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86395 ISAKMP: Sending APPLICATION_VERSION string: Cisco Internetwork OperatingSystem Software IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.2(15)T, RELEASE SOFTWARE (fc1) ISAKMP: Unknown Attr: UNKNOWN (0x7000) SEC-3010 9825_05_2004_c1



Received Mode Configuration Request from the VPN Client Unknown attr: Is Not an Error; It Just Means that Router Does Not Support This Mode-Config Attribute Requested by the VPN Client

Router Is Sending the Mode-Configuration Parameters Back to the VPN Client

72

Cisco IOS Debugs: Phase II Negotiation ISAKMP (0:11): Checking IPSec proposal 4 ISAKMP: transform 1, ESP_3DES ISAKMP: attributes in transform: ISAKMP: authenticator is HMAC-SHA ISAKMP: encaps is 1 ISAKMP: SA life type in seconds ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B ISAKMP (0:11): atts are acceptable. … ISAKMP (0:11): Creating IPSec SAs inbound SA from 172.18.124.96 to 14.36.100.101 (proxy 14.1.1.4 to 14.36.100.101) has spi 0x962A493B and conn_id 2000 and flags 4 lifetime of 2147483 seconds outbound SA from 14.36.100.101 to 172.18.124.96 (proxy 14.36.100.101 to 14.1.1.4) has spi -2145675534 and conn_id 2001 and flags C lifetime of 2147483 seconds

SEC-3010 9825_05_2004_c1

Router Is Checking and Validating the IPSec Proposals

After Validating the Phase II, the IPSec SAs Are Created; One SA for Inbound Traffic and the Other SA for the Outbound Traffic


73

Common Issues • VPN clients only propose DH group 2 and 5 Configure DH group 2 or 5 on Cisco IOS or PIX • Configure “isakmp identity hostname” if rsa-sig is used as an IKE authentication method • aaa authorization needs to be enabled on the router, so that router can accept/send modeconfiguration attributes • On, Cisco IOS EasyVPN client, for X-Auth, you have to manually type “crypto ipsec client ezvpn xauth”; However, this restriction has been lifted in the latest version of code SEC-3010 9825_05_2004_c1



74

Quiz Time Agenda The Purpose of • Introduction “sysopt connection permit-IPsec” Is:

• Router IPSec VPNs 1. ToIPSec bypass conduits or ACL checking against the • PIX VPNs decrypted VPN traffic • Cisco EasyVPN Clients 2. To bypass NAT for the IPSec traffic • NAT with IPSec 3. To bypass the assignment of IP address to the • Firewalling and IPSec VPN client • MTU Issues 4. To bypass X-Auth for the VPN clients • GRE over IPSec • Loss of Connectivity of IPSec Peers SEC-3010 9825_05_2004_c1


75

Common Problems • Bypassing NAT entries • NAT in the middle of an IPSec tunnel

SEC-3010 9825_05_2004_c1



76

Bypassing NAT Entries • Bypassing dynamic NAT entries ip nat inside source route-map nonat interface Ethernet1/0 overload access list 150 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access list 150 permit ip 10.1.2.0 0.0.0.255 any route-map nonat permit 10 match ip address 150

• Static NAT entries can be bypassed using a loopback interface and policy routing for Cisco IOS images prior to 12.2.4T; Starting from 12.2.4T a route-map can be used with static NAT to bypass NAT • Tools to debug this setup are: show ip nat translation debug ip nat debug ip policy SEC-3010 9825_05_2004_c1

77


Bypassing Static NAT Entries crypto map vpn 10 IPsec-isakmp set peer 209.165.201.4 set transform-set myset match address 101

lo1

interface Loopback1 ip address 10.2.2.2 255.255.255.252

e0/2 nat in

interface Ethernet0/3 ip address 209.165.200.227 255.255.255.0 ip nat outside crypto map vpn interface Ethernet0/2 ip address 10.1.1.3 255.255.255.0 ip nat inside ip policy route-map nonat

e0/3 nat out crypto map

Be Careful: Packets Get PROCESS SWITCHED

ip nat inside source list 1 interface Ethernet0/3 overload ip nat inside source static 10.1.1.1 209.165.200.230 access list 1 permit 10.0.0.0 0.255.255.255 access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 route-map nonat permit 10 match ip address 120 set ip next-hop 10.2.2.1 SEC-3010 9825_05_2004_c1



78

Bypassing Static NAT Entries crypto map vpn 10 IPsec-isakmp set peer 209.165.201.4 set transform-set myset match address 101 interface Ethernet0/3 ip address 209.165.200.227 55.255.255.0 ip nat outside crypto map vpn

e0/2 nat in

e0/3 nat out crypto map

interface Ethernet0/2 ip address 10.1.1.3 255.255.255.0 ip nat inside ip nat inside source list 1 interface Ethernet0/3 overload ip nat inside source static 10.1.1.1 209.165.200.230 route-map nonat access-list 1 permit 10.1.1.0 255.255.255.0 access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 120 permit ip 10.1.1.0 0.0.0.255 any route-map nonat permit 10 match ip address 120

SEC-3010 9825_05_2004_c1


79

NAT in the Middle of an IPSec Tunnel • In many cases, VPN clients are behind NAT/PAT devices • IPSec over NAT (NAT-T) support was first introduced in 12.2.15T for routers and version 6.3 for PIX • IPSec pass-thru feature is supported on certain NAT/PAT devices; ISAKMP cookie and ESP SPI are used to build translation table • NAT-T is turned on by default on Cisco IOS • Use isakmp nat-traversal to turn on NAT-T on PIX • Turn on IPSec over UDP or IPSec over TCP feature in case of VPN 3000 Concentrator SEC-3010 9825_05_2004_c1



80

Agenda • Introduction • Router IPSec VPNs • PIX IPSec VPNs • Cisco EasyVPN Clients • NAT with IPSec • Firewalling and IPSec • MTU Issues • GRE over IPSec • Loss of Connectivity of IPSec Peers SEC-3010 9825_05_2004_c1

81


Firewall in the Middle

Internet Router Private

Encrypted

Private

Public

• ESP (IP protocol type 50) or/and AH (IP/51) • UDP port 500 (ISAKMP), and/or UDP port 4500 (NAT-T)

SEC-3010 9825_05_2004_c1



82

Firewalling and IPSec (Current Behavior) • Firewall on the IPSec endpoint router: ESP or/and AH UDP port 500 (IKE) and 4500 (NAT-T) Decrypted packet IP addresses (incoming access group is applied twice)

• Firewall on the IPSec endpoint PIX: Sysopt connection permit-IPsec (no conduit or access-list is needed) Use of conduits or access-list (no sysopt connection permit-ipsec is needed—gives you more security for the decrypted pkts) SEC-3010 9825_05_2004_c1


83

IPSec and Packet Filtering (New Behavior) • Functionality first introduced in 12.3(8)T • No need to permit clear text traffic through the interface access-list. • New “set ip access-group” command under crypto map, if clear traffic packet filtering is required • ESP and/or AH packets have to be allowed if outbound ACLs are being used; this was not required in the pre-12.3(8)T code

SEC-3010 9825_05_2004_c1



84

IPSec and Packet Filtering (New Behavior) (Cont.) crypto map vpnmap 10 ipsec-isakmp set peer 192.168.2.1 set transform-set trans1 match address 101 set ip access-group 171 in set ip access-group 181 out interface Ethernet0/0 ip address 10.1.1.1 255.255.255.0 interface Serial1/0 ip address 192.168.1.1 255.255.255.0 ip access-group 150 in ip access-group 160 out crypto map vpnmap access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

set ip access-group Commands Are Optional; They Are Used for ClearText Packet Filtering

Optional: Access List Permitting Telnet Access

access-list 150 permit udp host 192.168.2.1 eq 500 host 192.168.1.1 eq 500 access-list 150 permit esp host 192.168.2.1 host 192.168.1.1 access-list 160 permit udp host 192.168.1.1 eq 500 host 192.168.2.1 eq 500 access-list 160 permit esp host 192.168.1.1 host 192.168.2.1 access-list 171 permit tcp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq telnet access-list 181 permit tcp 10.1.1.0 0.0.0.255 eq telnet 10.1.2.0 0.0.0.255 SEC-3010 9825_05_2004_c1


85

Agenda • Introduction • Router IPSec VPNs • PIX IPSec VPNs • Cisco EasyVPN Clients • NAT with IPSec • Firewalling And IPSec • MTU Issues • GRE over IPSec • Loss of Connectivity of IPSec Peers SEC-3010 9825_05_2004_c1



86

IPSec MTU Issues • Overhead introduced by IPSec encapsulation (~60 bytes) • Possible fragmentation after encryption leads to reassembly on the VPN peer router (process-switched, performance degradation) • IPSec and Path MTU discovery (PMTU) IPSec copies Don’t Fragment (DF) bit from original data packets’ IP header IPSec dynamically update Path MTU in the SADB if router receives PMTU ICMP message The MTU hint in the PMTU ICMP message is physical MTU- ipsec_overhead (calculated based on transform-set) SEC-3010 9825_05_2004_c1

87


IPSec and PMTU MTU 1500

10.1.1.2

172.16.172.10/28 e1/0 MTU 1500

e1/1

172.16.172.20/28 MTU 1400 IPSec Tunnel

Path 1500 Media 1500

MTU 1500

10.1.2.2

MTU 1500 Path 1500 Media 1500

1500 DF=1 ICMP Type3 Code 4

ICMP: dst (10.1.2.2) frag. needed and DF set unreachable sent to 10.1.1.2 (“debug ip icmp” output)

(1454) 1454 DF=1

1500 DF copied ICMP (1400)

ICMP: dst (172.16.172.20) frag. needed and DF set unreachable rcv from 172.16.172.11

IPSec SPI copied

Adjust path MTU on corresponding IPSec SA path mtu 1400, media mtu 1500

1454 DF=1

current outbound spi: EB84DC85 ICMP Type3 Code 4 (1354) 1354 DF=1 SEC-3010 9825_05_2004_c1

1400



1400

1354 88

Common Problem • PMTU ICMP packets lost or blocked Debug ip icmp on router to verify if ICMP packets are sent or received Use sniffer to verify if ICMP packets are lost

• Work arounds Reduce MTU or disable PMTU on end host Adjust TCP MSS on router to fine tune TCP windows Configure router to clear DF bit of data packets Look-ahead fragmentation

SEC-3010 9825_05_2004_c1


89

MTU Issues Work Around: Adjusting TCP MSS • Adjust TCP MSS (maximum send segment) under ingress interface: ip tcp adjust-mss

• Router will sniff on the incoming TCP SYN packets and tweak the TCP MSS field to configured number • Remote host will use adjusted MSS value correspondingly • Choose MSS to avoid fragmentation MSS

TROUBLESHOOTING CISCO IOS AND PIX FIREWALL-BASED IPSEC ...

TROUBLESHOOTING CISCO IOS AND PIX FIREWALL-BASED IPSEC ...

Suggest Documents

TROUBLESHOOTING CISCO IOS AND PIX FIREWALL-BASED IPSEC ...

Cisco PIX Firewall Series

Troubleshooting IKE IPSec VPN Initialization

Configuring L2TP over IPSec - Cisco

Configuring IPSec VPN Fragmentation and MTU ... - Cisco

Troubleshooting Cisco IP Communicator

Troubleshooting TCP/IP - Cisco

Cisco IOS H.323 Configuration Guide, Cisco IOS Release 12.4T

Troubleshooting Cisco Switches - Global Knowledge

Cisco IPsec Configuration Guide Peplink ... - Cloud Distribution

8 Troubleshooting Cisco IP Communicator

Troubleshooting the Boot Process - Cisco

Cisco IOS Firewall

Cisco IOS Basic Skills

Cisco IOS XR Workbook

TSHOOT Troubleshooting and Maintaining Cisco IP Networks

Troubleshooting and Maintaining Cisco IP Networks ... - CCBootcamp

Cisco DSL Router Configuration and Troubleshooting Guide

Troubleshooting and Maintaining Cisco IP Networks ... - Pearsoncmg

Troubleshooting and maintaing cisco ip networks - Pass4Sure

CISCO CATALYST 4000 AND 4500 TROUBLESHOOTING ...

Troubleshooting and maintaining Cisco IP networks (TSHOOT ...

Troubleshooting and Maintaining Cisco IP Networks

Cisco's PIX Firewall Series and Stateful Firewall Security