I recently configured another Cisco ASA firewall for a site-to-site IPsec VPN (purely for remote management) from our Bangalore, India point-of-presence (POP) back to our HQ. I thought we wouldn't be able to finish the VPN setup, as the ISP advised us that their government had instructed them not to allow VPNs back to any foreign country because of APT activity and the rise in hacking incidents. After persistent discussions with the ISP, though, we were allowed to run the VPN in the end.
The only added complexity in this setup was failover, since we don't have any out-of-band (OOB) management for our core devices. Aside from the public Internet access, we also ordered an international private leased circuit (IPLC) back to our campus in London and turned it into an MPLS circuit. Whenever the IPsec VPN tunnel fails, the route goes via the MPLS circuit instead; this was done simply with an IP SLA configuration. Below is the site-to-site VPN lab I did while studying for my CompTIA Security+.
Router(config)#hostname R1
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Jun 21 05:56:30.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#clock rate 64000
R1(config-if)#
*Jun 21 05:57:00.039: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#no ip domain-lookup
R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary
Router(config)#hostname R2
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun 21 05:57:56.695: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jun 21 05:57:57.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#clock rate
*Jun 21 05:58:32.439: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
R2(config-router)#
*Jun 21 05:59:02.479: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#
*Jun 21 05:59:21.323: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is resync: summary configured
Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun 21 06:04:41.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface seria0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jun 21 06:05:23.671: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun 21 06:05:24.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3(config-if)#exit
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
*Jun 21 06:05:59.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is up: new adjacency
R3(config-router)#no auto-summary
R3(config-router)#
*Jun 21 06:06:12.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is resync: summary configured
R1#ping 192.168.3.1 // R1 TO R3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
C:\Users\PC-A>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\PC-A>ping 192.168.3.3 // PING PC-A TO PC-C
Pinging 192.168.3.3 with 32 bytes of data:
Reply from 192.168.3.3: bytes=32 time=36ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=36ms TTL=253
Ping statistics for 192.168.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 36ms, Average = 35ms
R1(config)#security passwords min-length 10
R1(config)#service password-encryption
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2(config)#security passwords min-length 10
R2(config)#service password-encryption
R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R3(config)#security passwords min-length 10
R3(config)#service password-encryption
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
C:\Users\PC-A>ping 192.168.3.3 // PING PC-C
Pinging 192.168.3.3 with 32 bytes of data:
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Ping statistics for 192.168.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 35ms, Average = 35ms
R1(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
R1(config)#crypto isakmp enable // ENABLED BY DEFAULT
R3(config)#crypto isakmp enable
R1(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
R1(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
R1(config-isakmp)#encryption aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
<cr>
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
R1(config-isakmp)#hash sha
R1(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime ?
<60-86400> lifetime in seconds
R1(config-isakmp)#lifetime 3600
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 3600
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
R1(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
R1(config)#crypto isakmp key cisco123 ?
address define shared key with IP address
hostname define shared key with hostname
R1(config)#crypto isakmp key cisco123 address ?
A.B.C.D Peer IP address
ipv6 define shared key with IPv6 address
R1(config)#crypto isakmp key cisco123 address 10.2.2.1
R3(config)#crypto isakmp key cisco123 address 10.1.1.1
R1(config)#crypto ipsec ?
client Configure a client
default Default transform-set
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
R1(config)#crypto ipsec transform-set ?
WORD Transform set tag
R1(config)#crypto ipsec transform-set 50 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set 50 esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
R1(config)#crypto ipsec transform-set 50 esp-aes 256 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R3(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R1(config)#crypto ipsec security-association ?
idle-time Automatically delete IPSec SAs after a given idle period.
lifetime security association lifetime
replay Set replay checking.
R1(config)#crypto ipsec security-association lifetime ?
kilobytes Volume-based key duration
seconds Time-based key duration
R1(config)#crypto ipsec security-association lifetime seconds ?
<120-86400> Security association duration in seconds
R1(config)#crypto ipsec security-association lifetime seconds 1800 // DEFAULT 3600 SECONDS (1 HOUR)
R3(config)#crypto ipsec security-association lifetime seconds 1800
R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 // DEFINE INTERESTING TRAFFIC; TRAFFIC TO ENCRYPT; SUBNET NOT DEFINED IN CRYPTO ACL IS SENT UNENCRYPTED
R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#crypto map ?
WORD Crypto map tag
R1(config)#crypto map CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
R1(config)#crypto map CMAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
R1(config)#crypto map CMAP 10 ipsec-isakmp // ASSOCIATES TRAFFIC THAT MATCHES CRYPTO ACL AND IPSEC SETTINGS
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
R1(config-crypto-map)#match ?
address Match address of packets to encrypt.
R1(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
R1(config-crypto-map)#match address 101 // CRYPTO ACL
R1(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
R1(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD Host name of the peer
R1(config-crypto-map)#set peer 10.2.2.1 // R3 VPN ENDPOINT INTERFACE IP
R1(config-crypto-map)#set pfs ?
group1 D-H Group1 (768-bit modp)
group2 D-H Group2 (1024-bit modp)
group5 D-H Group5 (1536-bit modp)
<cr>
R1(config-crypto-map)#set pfs group5
R1(config-crypto-map)#set transform-set ?
WORD Proposal tag
R1(config-crypto-map)#set transform-set 50
R1(config-crypto-map)#set security-association ?
idle-time Automatically delete IPSec SAs after a given idle period.
level specify a security association granularity level for identities
lifetime security association lifetime
replay Set replay checking.
R1(config-crypto-map)#set security-association lifetime ?
kilobytes Volume-based key duration
seconds Time-based key duration
R1(config-crypto-map)#set security-association lifetime seconds ?
<120-86400> Security association duration in seconds
R1(config-crypto-map)#set security-association lifetime seconds 900
R1(config-crypto-map)#exi
R1(config)#interface serial0/0/0 // SECURITY ASSOCIATIONS (SA) WILL NOT FORM UNTIL CRYPTO MAP IS ACTIVATED BY INTERESTING TRAFFIC (CRYPTO ACL)
R1(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
R1(config-if)#crypto map ?
WORD Crypto Map tag
<cr>
R1(config-if)#crypto map CMAP
R1(config-if)#
*Jun 26 14:18:23.659: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set pfs group5
R3(config-crypto-map)#set transform-set 50
R3(config-crypto-map)#set security-association lifetime seconds 900
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map CMAP
R3(config-if)#
*Jun 26 14:19:51.635: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#show crypto ipsec ?
client Show Client Status
default Default crypto transform sets
policy Show IPSEC client policies
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
spi-lookup IPSEC SPI table
transform-set Crypto transform sets
R1#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
R1#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.2.2.1
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Current peer: 10.2.2.1
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CMAP:
Serial0/0/0
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
R3#
R3#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
R3#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CMAP:
Serial0/0/1
R1#show crypto isakmp ?
default Show ISAKMP default
key Show ISAKMP preshared keys
peers Show ISAKMP peer structures
policy Show ISAKMP protection suite policy
profile Show ISAKMP profiles
sa Show ISAKMP Security Associations
R1#show crypto isakmp sa // NO IKE SA EXIST YET
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#ping 10.2.2.1 // PING R3 S0/0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R1#show crypto isakmp sa // NO SA CREATED SINCE IT DOESN'T FALL IN CRYPTO ACL
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R1#
*Jun 26 14:25:37.983: EIGRP: Sending HELLO on FastEthernet0/1
*Jun 26 14:25:37.983: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jun 26 14:25:38.843: EIGRP: Received HELLO on Serial0/0/0 nbr 10.1.1.2
*Jun 26 14:25:38.843: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#
*Jun 26 14:25:39.923: EIGRP: Sending HELLO on Serial0/0/0
*Jun 26 14:25:39.923: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R1#undebug all
All possible debugging has been turned off
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#ping // EXTENDED PING TO ALLOW CONTROL THE SOURCE ADDRESS OF PACKETS
Protocol [ip]:
Target IP address: 192.168.3.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 92/92/92 ms
R1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x6FB8F66B(1874392683)
inbound esp sas:
spi: 0x31F658DC(838228188)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4443187/830)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6FB8F66B(1874392683)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4443187/830)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1(config)#username admin privilege 15 secret cisco12345
R1(config)#ip http server
R1(config)#ip http authentication local
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http server
R3(config)#ip http authentication local
R3(config)#crypto isakmp policy 1 // COPY/PASTE MIRROR CONFIG GENERATED BY CCP
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# hash md5
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp key cisco12345 address 10.1.1.1
R3(config)#crypto ipsec transform-set LAB_TSET esp-sha-hmac esp-aes 256
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)#ip access-list extended SDM_1
R3(config-ext-nacl)# remark CCP_ACL Category=4
R3(config-ext-nacl)# remark IPSec Rule
R3(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config-ext-nacl)# exit
R3(config)#crypto map SDM_CMAP_1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#$ IP address 10.2.2.1 that connects to this router.
R3(config-crypto-map)# set transform-set LAB_TSET
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:00:58.043: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
R3#show crypto ipsec transform-set
Transform set LAB_TSET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, }
R3#show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Apply the crypto map on the peer router's interface having IP address 10.2.2.1
that connects to this router.
Peer = 10.1.1.1
Extended IP access list SDM_1
access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
LAB_TSET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map SDM_CMAP_1:
Serial0/0/1
R1(config)#interface serial0/0/0
R1(config-if)#no crypto map SDM_CMAP_1
R1(config-if)#
*Jun 26 23:05:39.607: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config-if)#no crypto map SDM_CMAP_1 1
R1(config-if)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#description Tunnel to 10.2.2.1
R1(config-crypto-map)#set peer 10.2.2.1
R1(config-crypto-map)#set transform-set LAB_TSET
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Serial0/0/0 10.1.1.1 YES NVRAM up up
Serial0/0/1 unassigned YES NVRAM administratively down down
Serial0/1/0 unassigned YES NVRAM administratively down down
Serial0/1/1 unassigned YES NVRAM administratively down down
R1(config)#interface serial0/0/0
R1(config-if)#crypto map SDM_CMAP_1
R1(config-if)#
*Jun 26 23:07:18.195: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#interface serial0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:08:22.543: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R3(config-if)#exit
R3(config)#no crypto map SDM_CMAP_1 1
R3(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#description Tunnel to 10.1.1.1
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set transform-set LAB_TSET
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:09:41.931: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3#show crypto isakmp sa // IKE PHASE 2 NOT ESTABLISHING
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
crypto ipsec transform-set LAB_TSET esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
! Incomplete
description Tunnel to 10.1.1.1
set peer 10.1.1.1
set transform-set LAB_TSET
match address 100 // THERE'S NO ACL 100 ON R3
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#no match address 100
R3(config-crypto-map)#match address SDM_1
R3(config)#int serial0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
*Jun 26 23:38:59.903: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:39:04.611: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#clear crypto sa // IPSEC VPN ESTABLISHED AFTER CLEARING SA
R3#clear crypto sa
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
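The fault above (R3's crypto map pointing at an ACL 100 that only existed on R1) is the kind of thing that is cheap to catch before touching the routers. The checker below is an added example and not part of the original post or any Cisco tool: it parses constructed running-config excerpts modelled on the CCP mirror config from this lab, simulates IKEv1 Phase 1 policy selection the way IOS does it (the responder walks its own policies lowest-number-first and takes the first proposal that agrees on encryption, hash, authentication and DH group), and then audits each crypto map entry from both sides: the pre-shared key must exist and match, the referenced crypto ACL must exist, and every permit entry must have its mirror image on the peer. The sample configs, PSK and ACL numbers are constructed from the lab, and the `parse` function only understands the `crypto isakmp key <psk> address <peer>` form and plain `permit ip` ACL entries.

```python
IKE_POLICIES = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
"""
# Constructed configs modelled on the lab's CCP mirror config (not the page's own output).
R1_CFG = IKE_POLICIES + """\
crypto isakmp key cisco12345 address 10.2.2.1
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set LAB_TSET
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
# R3 as pasted from CCP: the crypto map references ACL 100, but only SDM_1 exists.
R3_CFG_BROKEN = IKE_POLICIES + """\
crypto isakmp key cisco12345 address 10.1.1.1
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set LAB_TSET
 match address 100
ip access-list extended SDM_1
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
R3_CFG_FIXED = R3_CFG_BROKEN.replace(" match address 100", " match address SDM_1")

def parse(cfg):
    """Split a running-config excerpt into the crypto objects we care about."""
    d = {"policy": {}, "key": {}, "cmap": {}, "acl": {}}
    block = None  # indented body currently being collected
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if block is not None:
                block.append(line.strip())
            continue
        block, w = None, line.split()
        if line.startswith("crypto isakmp policy "):
            block = d["policy"].setdefault(int(w[3]), [])
        elif line.startswith("crypto isakmp key "):  # 'key <psk> address <peer>' form only
            d["key"][w[5]] = w[3]
        elif line.startswith("crypto map "):
            block = d["cmap"].setdefault((w[2], int(w[3])), [])
        elif line.startswith("ip access-list extended "):
            block = d["acl"].setdefault(w[3], [])
        elif line.startswith("access-list "):
            d["acl"].setdefault(w[1], []).append(" ".join(w[2:]))
    return d

def policy_attrs(body):
    """Policy block -> attribute dict, starting from the IOS defaults (omitted in show run)."""
    a = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
    for line in body:
        k, _, v = line.partition(" ")
        a[k] = v
    return a

def negotiate_ike(initiator, responder):
    """Responder walks its policies lowest-number-first and accepts the first initiator
    proposal matching on encr/hash/auth/group; lifetime becomes the shorter of the two.
    Returns (responder priority, agreed attributes) or (None, None) when nothing matches."""
    proposals = [policy_attrs(b) for _, b in sorted(initiator["policy"].items())]
    for prio, body in sorted(responder["policy"].items()):
        mine = policy_attrs(body)
        for p in proposals:
            if all(p[k] == mine[k] for k in ("encr", "hash", "authentication", "group")):
                return prio, dict(mine, lifetime=str(min(int(p["lifetime"]), int(mine["lifetime"]))))
    return None, None

def _opt(body, prefix):
    """Argument of the first crypto-map line starting with prefix, e.g. 'set peer'."""
    return next((ln[len(prefix):].strip() for ln in body if ln.startswith(prefix + " ")), None)

def mirror(rule):
    """'permit ip A wA B wB' -> 'permit ip B wB A wA', the entry the peer must carry."""
    w = rule.split()
    return " ".join(w[:2] + w[4:6] + w[2:4])

def audit(local, remote):
    """Problems on the local side that would keep Phase 2 from completing."""
    problems = []
    remote_rules = [r for rules in remote["acl"].values() for r in rules]
    remote_keys = [remote["key"].get(_opt(b, "set peer")) for b in remote["cmap"].values()]
    for (name, seq), body in local["cmap"].items():
        tag, peer, acl = f"{name} {seq}", _opt(body, "set peer"), _opt(body, "match address")
        if local["key"].get(peer) not in remote_keys:
            problems.append(f"{tag}: pre-shared key for {peer} missing or different from the peer's")
        if acl not in local["acl"]:
            problems.append(f"{tag}: crypto ACL {acl} not defined")
            continue
        problems += [f"{tag}: '{r}' is not mirrored on the peer" for r in local["acl"][acl] if mirror(r) not in remote_rules]
    return problems
```

Run `audit(parse(R1_CFG), parse(R3_CFG_BROKEN))` and it comes back clean, because R1's ACL 100 is perfectly mirrored by R3's SDM_1; only `audit(parse(R3_CFG_BROKEN), parse(R1_CFG))` reports the missing ACL, which is why the check has to be run from each peer's point of view. `negotiate_ike` on the same pair returns priority 1 with 3DES/SHA/group 2: because both routers still carry the CCP default policy 1 and it is checked first, the AES-256 policy 10 never gets used for Phase 1, which matches what the `debug` output further down shows being accepted.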
R1#show crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0xF480B720(4102076192)
inbound esp sas:
spi: 0x27C0C9B(41684123)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4607750/3470)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF480B720(4102076192)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4607750/3470)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
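The three `show` states seen in this lab (no ISAKMP SA at all, an ISAKMP SA in QM_IDLE with no ESP SAs behind it, and a fully working tunnel with matching encaps/decaps counters) are exactly the signals a monitoring job needs when the tunnel is the only management path and a failover route depends on it. The script below is an added example, not from the original post or from Cisco: it parses constructed `show crypto isakmp sa` and `show crypto ipsec sa` text shaped like the output above (trimmed, with made-up SPIs and counters) and classifies the tunnel, including the one-way case where packets are encrypted but nothing ever comes back, which the counters reveal and a plain ping does not explain.

```python
import re

# Constructed samples in the shape of IOS 'show crypto isakmp sa' / 'show crypto ipsec sa'
# output (trimmed and not copied verbatim from the page).
ISAKMP_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
IPv6 Crypto ISAKMP SA
"""
ISAKMP_ACTIVE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1002    0 ACTIVE
IPv6 Crypto ISAKMP SA
"""
IPSEC_NO_SA = """\
interface: Serial0/0/0
    Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
IPSEC_UP = """\
interface: Serial0/0/0
    Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1
   #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
   #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
   #send errors 1, #recv errors 0
     current outbound spi: 0xF480B720(4102076192)
     inbound esp sas:
      spi: 0x27C0C9B(41684123)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xF480B720(4102076192)
        Status: ACTIVE
     outbound ah sas:
"""
# Same shape as IPSEC_UP but nothing has ever come back from the peer.
IPSEC_ONE_WAY = IPSEC_UP.replace("#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29",
                                 "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

def parse_isakmp_sa(text):
    """IPv4 IKE SA rows as dicts (dst, src, state, status); empty list if none."""
    rows, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("IPv4 Crypto ISAKMP SA"):
            in_v4 = True
        elif line.startswith("IPv6"):
            break
        elif in_v4 and len(line.split()) == 6 and not line.startswith("dst"):
            w = line.split()
            rows.append({"dst": w[0], "src": w[1], "state": w[2], "status": w[5]})
    return rows

def parse_ipsec_sa(text):
    """Counters plus the number of ACTIVE ESP SAs in each direction."""
    def num(pattern, base=10):
        m = re.search(pattern, text)
        return int(m.group(1), base) if m else 0
    info = {"encaps": num(r"#pkts encaps: (\d+)"), "decaps": num(r"#pkts decaps: (\d+)"),
            "send_errors": num(r"#send errors (\d+)"),
            "outbound_spi": num(r"current outbound spi: 0x([0-9A-Fa-f]+)", 16),
            "esp_in": 0, "esp_out": 0}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(" sas:"):
            section = s                         # e.g. 'inbound esp sas:'
        elif s == "Status: ACTIVE" and section == "inbound esp sas:":
            info["esp_in"] += 1
        elif s == "Status: ACTIVE" and section == "outbound esp sas:":
            info["esp_out"] += 1
    return info

def tunnel_health(isakmp_text, ipsec_text):
    """Classify a site-to-site tunnel as (state, reason) from the two show outputs."""
    ike, sa = parse_isakmp_sa(isakmp_text), parse_ipsec_sa(ipsec_text)
    if not ike:
        return "down", "no IKE SA: nothing has matched the crypto ACL yet, or Phase 1 is failing"
    if any(r["state"] != "QM_IDLE" or r["status"] != "ACTIVE" for r in ike):
        return "phase1_incomplete", "IKE SA present but not QM_IDLE/ACTIVE: check policy, PSK, reachability"
    if sa["outbound_spi"] == 0 or not (sa["esp_in"] and sa["esp_out"]):
        return "phase1_only", "IKE is up but no ESP SAs: crypto ACL or transform-set mismatch with the peer"
    if sa["encaps"] and not sa["decaps"]:
        return "one_way", "packets are encrypted but none decrypted: return traffic is not entering the tunnel"
    return "up", f"{sa['encaps']} encaps / {sa['decaps']} decaps, {sa['send_errors']} send errors"
```

Feeding it `ISAKMP_ACTIVE` with `IPSEC_NO_SA` gives `phase1_only`, the state R3 was stuck in before the crypto ACL was corrected; only once both ESP SAs show ACTIVE and the decaps counter moves does it report `up`. The state string is what a poller would alarm on or hand to the failover logic, while the reason string tells the on-call engineer where to look first.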
R1#
*Jun 26 23:42:28.723: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.2.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 26 23:42:28.723: ISAKMP: local port 500, remote port 500
*Jun 26 23:42:28.723: ISAKMP: set new node 0 to QM_IDLE
*Jun 26 23:42:28.723: insert sa successfully sa = 64B9665C
*Jun 26 23:42:28.723: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 26 23:42:28.723: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 26 23:42:28.727: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 26 23:42:28.727: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 26 23:42:28.727: ISAKMP:(0): beginning Main Mode exchange
*Jun 26 23:42:28.727: ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I)
MM_NO_STATE
*Jun 26 23:42:28.727: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 26 23:42:28.827: ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I)
MM_NO_STATE
*Jun 26 23:42:28.827: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:28.827: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 26 23:42:28.831: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 26 23:42:28.831: ISAKMP:(0): processing vendor id payload
*Jun 26 23:42:28.831: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 26 23:42:28.831: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 26 23:42:28.831: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:28.831: ISAKMP:(0): local preshared key found
*Jun 26 23:42:28.831: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 26 23:42:28.831: ISAKMP: encryption 3DES-CBC
*Jun 26 23:42:28.831: ISAKMP: hash SHA
*Jun 26 23:42:28.831: ISAKMP: default group 2
*Jun 26 23:42:28.831: ISAKMP: auth pre-share
*Jun 26 23:42:28.831: ISAKMP: life type in seconds
*Jun 26 23:42:28.831: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 26 23:42:28.831: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 26 23:42:28.831: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 26 23:42:28.831: ISAKMP:(0):Acceptable atts:life: 0
*Jun 26 23:42:28.831: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 26 23:42:28.831: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 26 23:42:28.831: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 26 23:42:28.831: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 26 23:42:28.831: ISAKMP:(0): processing vendor id payload
*Jun 26 23:42:28.831: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 26 23:42:28.831: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 26 23:42:28.831: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:28.831: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 26 23:42:28.835: ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I)
MM_SA_SETUP
*Jun 26 23:42:28.835: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 26 23:42:28.835: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:28.835: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jun 26 23:42:29.075: ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I)
MM_SA_SETUP
*Jun 26 23:42:29.075: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:29.075: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jun 26 23:42:29.075: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 26 23:42:29.075: crypto_engine: Create DH shared secret
*Jun 26 23:42:29.143: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 26 23:42:29.143: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:29.147: crypto_engine: Create IKE SA
*Jun 26 23:42:29.147: crypto engine: deleting DH phase 2 SW:3
*Jun 26 23:42:29.147: crypto_engine: Delete DH shared secret
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): vendor ID is Unity
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): vendor ID is DPD
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): speaking to another IOS box!
*Jun 26 23:42:29.147: ISAKMP:received payload type 20
*Jun 26 23:42:29.147: ISAKMP (1002): His hash no match - this node outside NAT
*Jun 26 23:42:29.147: ISAKMP:received payload type 20
*Jun 26 23:42:29.147: ISAKMP (1002): No NAT Found for self or peer
*Jun 26 23:42:29.147: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:29.147: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jun 26 23:42:29.147: ISAKMP:(1002):Send initial contact
*Jun 26 23:42:29.147: ISAKMP:(1002):SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
*Jun 26 23:42:29.151: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 500
length : 12
*Jun 26 23:42:29.151: ISAKMP:(1002):Total payload length: 12
*Jun 26 23:42:29.151: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.151: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.151: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I)
MM_KEY_EXCH
*Jun 26 23:42:29.151: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.151: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:29.151: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 26 23:42:29.219: ISAKMP (0:1002): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 26 23:42:29.219: crypto_engine: Decrypt IKE packet
*Jun 26 23:42:29.219: ISAKMP:(1002): processing ID payload. message ID = 0
*Jun 26 23:42:29.219: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 10.2.2.1
protocol : 17
port : 500
length : 12
*Jun 26 23:42:29.219: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jun 26 23:42:29.219: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.219: ISAKMP:(1002):SA authentication status: authenticated
*Jun 26 23:42:29.219: ISAKMP:(1002):SA has been authenticated with 10.2.2.1
*Jun 26 23:42:29.219: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:29.219: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 26 23:42:29.219: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:29.219: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jun 26 23:42:29.223: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:29.223: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jun 26 23:42:29.223: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -39302567
*Jun 26 23:42:29.223: ISAKMP:(1002):QM Initiator gets spi
*Jun 26 23:42:29.223: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.223: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.223: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 26 23:42:29.223: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.223: ISAKMP:(1002):Node -39302567, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 26 23:42:29.227: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 26 23:42:29.227: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 26 23:42:29.227: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 26 23:42:29.343: ISAKMP (0:1002): received packet from 10.2.2.1 dport 500 sport 500 Global (I) QM_IDLE
*Jun 26 23:42:29.343: crypto_engine: Decrypt IKE packet
*Jun 26 23:42:29.343: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.347: ISAKMP:(1002): processing HASH payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing SA payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002):Checking IPSec proposal 1
*Jun 26 23:42:29.347: ISAKMP: transform 1, ESP_AES
*Jun 26 23:42:29.347: ISAKMP: attributes in transform:
*Jun 26 23:42:29.347: ISAKMP: encaps is 1 (Tunnel)
*Jun 26 23:42:29.347: ISAKMP: SA life type in seconds
*Jun 26 23:42:29.347: ISAKMP: SA life duration (basic) of 3600
*Jun 26 23:42:29.347: ISAKMP: SA life type in kilobytes
*Jun 26 23:42:29.347: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 26 23:42:29.347: ISAKMP: authenticator is HMAC-SHA
*Jun 26 23:42:29.347: ISAKMP: key length is 256
*Jun 26 23:42:29.347: ISAKMP:(1002):atts are acceptable.
*Jun 26 23:42:29.347: ISAKMP:(1002): processing NONCE payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing ID payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing ID payload. message ID = -39302567
*Jun 26 23:42:29.347: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.347: crypto_engine: Generate IKE QM keys
*Jun 26 23:42:29.347: crypto_engine: Create IPSec SA (by keys)
*Jun 26 23:42:29.347: crypto_engine: Generate IKE QM keys
*Jun 26 23:42:29.351: crypto_engine: Create IPSec SA (by keys)
*Jun 26 23:42:29.351: ISAKMP:(1002): Creating IPSec SAs
*Jun 26 23:42:29.351: inbound SA from 10.2.2.1 to 10.1.1.1 (f/i) 0/ 0
(proxy 192.168.3.0 to 192.168.1.0)
*Jun 26 23:42:29.351: has spi 0x27C0C9B and conn_id 0
*Jun 26 23:42:29.351: lifetime of 3600 seconds
*Jun 26 23:42:29.351: lifetime of 4608000 kilobytes
*Jun 26 23:42:29.351: outbound SA from 10.1.1.1 to 10.2.2.1 (f/i) 0/0
(proxy 192.168.1.0 to 192.168.3.0)
*Jun 26 23:42:29.351: has spi 0xF480B720 and conn_id 0
*Jun 26 23:42:29.351: lifetime of 3600 seconds
*Jun 26 23:42:29.351: lifetime of 4608000 kilobytes
*Jun 26 23:42:29.351: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.351: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 26 23:42:29.351: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.351: ISAKMP:(1002):deleting node -39302567 error FALSE reason "No Error"
*Jun 26 23:42:29.351: ISAKMP:(1002):Node -39302567, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 26 23:42:29.351: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Jun 26 23:42:29.355: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.2.2.1
*Jun 26 23:42:29.355: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.3.0, dest_port 0
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.1.1, sa_proto= 50,
sa_spi= 0x27C0C9B(41684123),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2001
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.2.2.1, sa_proto= 50,
sa_spi= 0xF480B720(4102076192),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2002
*Jun 26 23:42:29.355: crypto engine: updating MTU size of IPSec SA FPGA:2
*Jun 26 23:42:29.355: crypto_engine: Set IPSec MTU
*Jun 26 23:42:29.355: IPSEC(update_current_outbound_sa): updated peer 10.2.2.1 current outbound sa to SPI F480B720
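What the debug above actually negotiated is easy to miss in this much output: Phase 1 was accepted against R1's priority 1 policy (3DES-CBC, SHA, DH group 2, pre-shared key, 86400 seconds), not the AES-256/SHA/group 5/3600-second policy 10 built by hand earlier in the lab, and the Phase 2 proposal (ESP-AES-256 with HMAC-SHA, tunnel mode, 3600 seconds / 4608000 kilobytes) carries no PFS group at all. The script below is an added example, not part of the original post. It pulls those values out of IOS "debug crypto isakmp" / "debug crypto ipsec" text (the sample is an excerpt of the output above), decodes the byte-string (VPI) lifetimes, records the child SA SPIs, and reports weak parameters plus drift from the policy you expected to use. The EXPECTED_PHASE1 dictionary, the weak-algorithm sets, and the assumption that a negotiated PFS group appears among the proposal attributes as "group is N" are mine.

```python
import re

# Sample input constructed from the R1 debug output above (timestamps are optional);
# it is an excerpt, not a complete capture.
SAMPLE_DEBUG = """\
*Jun 26 23:42:28.831: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 26 23:42:28.831: ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(1002):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP:(1002):atts are acceptable.
inbound SA from 10.2.2.1 to 10.1.1.1 (f/i) 0/ 0
has spi 0x27C0C9B and conn_id 0
outbound SA from 10.1.1.1 to 10.2.2.1 (f/i) 0/0
has spi 0xF480B720 and conn_id 0
"""
# What policy 10 was configured to offer earlier in the lab (an assumed expectation).
EXPECTED_PHASE1 = {"encryption": "AES-CBC", "hash": "SHA", "group": 5, "lifetime_seconds": 3600}

TIMESTAMP = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ [\d:.]+: ")
P1_ATTR = re.compile(r"^ISAKMP: (?:default )?(encryption|hash|group|auth) (\S+)$")
LIFE_TYPE = re.compile(r"^ISAKMP: (?:SA )?life type in (seconds|kilobytes)$")
LIFE_VALUE = re.compile(r"^ISAKMP: (?:SA )?life duration \((?:basic|VPI)\) of (.+)$")
# Assumption: when PFS is negotiated it shows up among the proposal attributes as "group is N".
P2_ATTR = re.compile(r"^ISAKMP: (?:transform \d+, (?P<transform>\S+)|encaps is \d+ \((?P<encaps>\w+)\)"
                     r"|authenticator is (?P<auth>\S+)|key length is (?P<key_length>\d+)"
                     r"|group is (?P<pfs_group>\d+))$")
SA_DIR = re.compile(r"^(inbound|outbound) SA from ")
SA_SPI = re.compile(r"^has spi (0x[0-9A-Fa-f]+) ")
WEAK_ENCRYPTION, WEAK_DH = {"DES-CBC", "3DES-CBC"}, {1, 2}


def decode_lifetime(value):
    """IOS prints large lifetimes as big-endian bytes: '0x0 0x1 0x51 0x80' is 86400."""
    if value.startswith("0x"):
        return int.from_bytes(bytes(int(b, 16) for b in value.split()), "big")
    return int(value)


def parse_ike_debug(text):
    """Extract the accepted Phase 1 policy, the Phase 2 proposal and the child SA SPIs."""
    p1, p2, spi = {}, {"pfs_group": None}, {}
    phase = unit = direction = None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if m := SA_DIR.match(line):
            direction = m.group(1)
        elif (m := SA_SPI.match(line)) and direction:
            spi[direction] = int(m.group(1), 16)
        elif "Checking ISAKMP transform" in line:
            phase = p1
        elif "Checking IPSec proposal" in line:
            phase = p2
        elif phase is None:
            continue
        elif "atts are acceptable" in line:
            phase["accepted"] = True
        elif m := LIFE_TYPE.match(line):
            unit = m.group(1)
        elif (m := LIFE_VALUE.match(line)) and unit:
            phase["lifetime_" + unit] = decode_lifetime(m.group(1))
        elif (m := P1_ATTR.match(line)) and phase is p1:
            key, val = m.groups()
            phase[key] = int(val) if key == "group" else val
        elif (m := P2_ATTR.match(line)) and phase is p2:
            for key, val in m.groupdict().items():
                if val is not None:
                    phase[key] = int(val) if val.isdigit() else val
    return {"phase1": p1, "phase2": p2, "spi": spi}


def assess(negotiated, expected_phase1=None):
    """Flag weak negotiated parameters and any drift from the policy you meant to use."""
    p1, p2 = negotiated["phase1"], negotiated["phase2"]
    findings = []
    if p1.get("encryption") in WEAK_ENCRYPTION:
        findings.append(f"weak IKE encryption {p1['encryption']}")
    if p1.get("group") in WEAK_DH:
        findings.append(f"weak IKE DH group {p1['group']} (1024-bit MODP or smaller)")
    if p2.get("pfs_group") is None:
        findings.append("no PFS: a compromised IKE SA exposes every IPsec key derived from it")
    for key, want in (expected_phase1 or {}).items():
        if p1.get(key) != want:
            findings.append(f"{key}: negotiated {p1.get(key)!r}, configured policy wanted {want!r}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ike_debug(SAMPLE_DEBUG), EXPECTED_PHASE1):
        print("-", finding)
```

Run it against a full "debug crypto isakmp" capture from either router; the regexes ignore the timestamps and the state-machine noise, so only the attribute lines matter. The expectation check is the part worth keeping in a change-control script: a tunnel that comes up is not evidence that it came up with the policy you wrote.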
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#clock rate
*Jun 21 05:58:32.439: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
R2(config-router)#
*Jun 21 05:59:02.479: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#
*Jun 21 05:59:21.323: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.1.1.1 (Serial0/0/0) is resync: summary configured
Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun 21 06:04:41.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface seria0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jun 21 06:05:23.671: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun 21 06:05:24.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3(config-if)#exit
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
*Jun 21 06:05:59.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is up: new adjacency
R3(config-router)#no auto-summary
R3(config-router)#
*Jun 21 06:06:12.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 101: Neighbor 10.2.2.2 (Serial0/0/1) is resync: summary configured
R1#ping 192.168.3.1 // R1 TO R3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
C:\Users\PC-A>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\PC-A>ping 192.168.3.3 // PING PC-A TO PC-C
Pinging 192.168.3.3 with 32 bytes of data:
Reply from 192.168.3.3: bytes=32 time=36ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=36ms TTL=253
Ping statistics for 192.168.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 36ms, Average = 35ms
R1(config)#security passwords min-length 10
R1(config)#service password-encryption
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2(config)#security passwords min-length 10
R2(config)#service password-encryption
R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R3(config)#security passwords min-length 10
R3(config)#service password-encryption
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
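One caveat on the hardening above: service password-encryption only applies Cisco's type 7 encoding to the console and vty passwords, and type 7 is reversible by design, so anyone who can read a backup, a TFTP copy, or a show running-config over a Telnet session can recover ciscoconpass and ciscovtypass. The stronger options IOS already offers are enable secret, username ... secret together with login local on the vty lines (this lab adds such a user later for CCP), and transport input ssh so the line password never crosses the wire in clear text. The script below is an added example, not code from the original post. It implements the well-known type 7 algorithm in both directions and audits a running-config excerpt for password 7 lines; the configuration text is constructed for the example, and the two encoded strings in it were produced with the encoder here.

```python
import re

# Cisco's type 7 translation key as used by common decoders (the first 40 bytes are the
# originally published key). A type 7 string is a two-digit decimal offset into this key
# followed by the password XORed byte-by-byte with the key from that offset, written in hex.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(body)).decode()


def type7_encode(plain, seed=9):
    """The inverse is the same XOR, which is the whole problem: anyone can redo IOS's work."""
    body = (ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}" + "".join(f"{b:02X}" for b in body)


# Constructed excerpt of what "show running-config" prints for the line hardening above
# once service password-encryption has rewritten the two passwords.
SAMPLE_RUNNING_CONFIG = """\
service password-encryption
!
line con 0
 exec-timeout 5 0
 password 7 05080F1C22434D061715160118
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 password 7 121A0C0411041A10333B253B20
 login
"""


def audit_type7(running_config):
    """Map each configuration section holding a 'password 7' line to its recovered plaintext."""
    recovered, section = {}, "global"
    for line in running_config.splitlines():
        if line and not line[0].isspace():
            section = line.strip()
        m = re.match(r"\s*password 7 ([0-9A-Fa-f]+)\s*$", line)
        if m:
            recovered[section] = type7_decode(m.group(1))
    return recovered


if __name__ == "__main__":
    for section, plaintext in audit_type7(SAMPLE_RUNNING_CONFIG).items():
        print(f"{section}: {plaintext}")
```

Point audit_type7 at a saved running-config and anything it prints is a password you should treat as already disclosed. Type 5/8/9 secret hashes are left alone because they cannot be reversed this way.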
C:\Users\PC-A>ping 192.168.3.3 // PING PC-C
Pinging 192.168.3.3 with 32 bytes of data:
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Reply from 192.168.3.3: bytes=32 time=35ms TTL=253
Ping statistics for 192.168.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 35ms, Average = 35ms
R1(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
R1(config)#crypto isakmp enable // ENABLED BY DEFAULT
R3(config)#crypto isakmp enable
R1(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
R1(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
R1(config-isakmp)#encryption aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
<cr>
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
R1(config-isakmp)#hash sha
R1(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime ?
<60-86400> lifetime in seconds
R1(config-isakmp)#lifetime 3600
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 3600
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
R1(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
R1(config)#crypto isakmp key cisco123 ?
address define shared key with IP address
hostname define shared key with hostname
R1(config)#crypto isakmp key cisco123 address ?
A.B.C.D Peer IP address
ipv6 define shared key with IPv6 address
R1(config)#crypto isakmp key cisco123 address 10.2.2.1
R3(config)#crypto isakmp key cisco123 address 10.1.1.1
R1(config)#crypto ipsec ?
client Configure a client
default Default transform-set
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
R1(config)#crypto ipsec transform-set ?
WORD Transform set tag
R1(config)#crypto ipsec transform-set 50 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set 50 esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
R1(config)#crypto ipsec transform-set 50 esp-aes 256 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R3(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R1(config)#crypto ipsec security-association ?
idle-time Automatically delete IPSec SAs after a given idle period.
lifetime security association lifetime
replay Set replay checking.
R1(config)#crypto ipsec security-association lifetime ?
kilobytes Volume-based key duration
seconds Time-based key duration
R1(config)#crypto ipsec security-association lifetime seconds ?
<120-86400> Security association duration in seconds
R1(config)#crypto ipsec security-association lifetime seconds 1800 // DEFAULT IS 3600 SECONDS (1 HOUR)
R3(config)#crypto ipsec security-association lifetime seconds 1800
R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 // DEFINES INTERESTING TRAFFIC (TRAFFIC TO ENCRYPT); ANYTHING NOT MATCHED BY THE CRYPTO ACL IS SENT UNENCRYPTED
R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#crypto map ?
WORD Crypto map tag
R1(config)#crypto map CMAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
R1(config)#crypto map CMAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
R1(config)#crypto map CMAP 10 ipsec-isakmp // BINDS THE CRYPTO ACL (INTERESTING TRAFFIC) TO THE PEER AND THE IPSEC SETTINGS
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
R1(config-crypto-map)#match ?
address Match address of packets to encrypt.
R1(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
R1(config-crypto-map)#match address 101 // CRYPTO ACL
R1(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
R1(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD Host name of the peer
R1(config-crypto-map)#set peer 10.2.2.1 // R3 VPN ENDPOINT INTERFACE IP
R1(config-crypto-map)#set pfs ?
group1 D-H Group1 (768-bit modp)
group2 D-H Group2 (1024-bit modp)
group5 D-H Group5 (1536-bit modp)
<cr>
R1(config-crypto-map)#set pfs group5
R1(config-crypto-map)#set transform-set ?
WORD Proposal tag
R1(config-crypto-map)#set transform-set 50
R1(config-crypto-map)#set security-association ?
idle-time Automatically delete IPSec SAs after a given idle period.
level specify a security association granularity level for identities
lifetime security association lifetime
replay Set replay checking.
R1(config-crypto-map)#set security-association lifetime ?
kilobytes Volume-based key duration
seconds Time-based key duration
R1(config-crypto-map)#set security-association lifetime seconds ?
<120-86400> Security association duration in seconds
R1(config-crypto-map)#set security-association lifetime seconds 900
R1(config-crypto-map)#exi
R1(config)#interface serial0/0/0 // SECURITY ASSOCIATIONS (SA) WILL NOT FORM UNTIL CRYPTO MAP IS ACTIVATED BY INTERESTING TRAFFIC (CRYPTO ACL)
R1(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
R1(config-if)#crypto map ?
WORD Crypto Map tag
<cr>
R1(config-if)#crypto map CMAP
R1(config-if)#
*Jun 26 14:18:23.659: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set pfs group5
R3(config-crypto-map)#set transform-set 50
R3(config-crypto-map)#set security-association lifetime seconds 900
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map CMAP
R3(config-if)#
*Jun 26 14:19:51.635: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#show crypto ipsec ?
client Show Client Status
default Default crypto transform sets
policy Show IPSEC client policies
profile Show ipsec profile information
sa IPSEC SA table
security-association Show parameters for IPSec security associations
spi-lookup IPSEC SPI table
transform-set Crypto transform sets
R1#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
R1#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.2.2.1
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Current peer: 10.2.2.1
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CMAP:
Serial0/0/0
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
R3#
R3#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
R3#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CMAP:
Serial0/0/1
R1#show crypto isakmp ?
default Show ISAKMP default
key Show ISAKMP preshared keys
peers Show ISAKMP peer structures
policy Show ISAKMP protection suite policy
profile Show ISAKMP profiles
sa Show ISAKMP Security Associations
R1#show crypto isakmp sa // NO IKE SA EXISTS YET
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#ping 10.2.2.1 // PING R3 S0/0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R1#show crypto isakmp sa // NO SA CREATED: THIS TRAFFIC DOESN'T MATCH THE CRYPTO ACL
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R1#
*Jun 26 14:25:37.983: EIGRP: Sending HELLO on FastEthernet0/1
*Jun 26 14:25:37.983: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jun 26 14:25:38.843: EIGRP: Received HELLO on Serial0/0/0 nbr 10.1.1.2
*Jun 26 14:25:38.843: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#
*Jun 26 14:25:39.923: EIGRP: Sending HELLO on Serial0/0/0
*Jun 26 14:25:39.923: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R1#undebug all
All possible debugging has been turned off
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#ping // EXTENDED PING, TO CONTROL THE SOURCE ADDRESS OF THE PACKETS
Protocol [ip]:
Target IP address: 192.168.3.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 92/92/92 ms
R1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x6FB8F66B(1874392683)
inbound esp sas:
spi: 0x31F658DC(838228188)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4443187/830)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6FB8F66B(1874392683)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4443187/830)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
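Two things in the outputs above are worth turning into a check. A ping from R1's serial interface to 10.2.2.1 did not bring the tunnel up because 10.1.1.0/30 to 10.2.2.0/30 is not in access-list 101 (that traffic left in the clear), while the extended ping sourced from 192.168.1.1 did, and the "show crypto ipsec sa" counters then showed 3 encaps / 3 decaps with 2 send errors for the two echoes dropped while IKE was still negotiating. The script below is an added example, not part of the original post. It evaluates the lab's crypto ACLs the way IOS does (first match wins, and the implicit deny means unprotected rather than dropped), confirms R3's ACL is the mirror image of R1's, and classifies "show crypto ipsec sa" counters into no-SA, one-way, or healthy. The ACL lines and the first counter excerpt are copied from the lab; the one-way excerpt and the empty one are constructed.

```python
import ipaddress
import re

# Sample input: the crypto ACLs from R1 and R3 above, the R1 counters after the extended
# ping, and a constructed one-way case.
R1_ACL = ["access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"]
R3_ACL = ["access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"]
SA_AFTER_PING = """\
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 2, #recv errors 0
    current outbound spi: 0x6FB8F66B(1874392683)
"""
SA_ONE_WAY = """\
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
    current outbound spi: 0x1A2B3C4D(439041101)
"""
ACE = re.compile(r"^access-list \d+ (permit|deny) (\w+) (\S+) (\S+) (\S+) (\S+)$")


def parse_crypto_acl(lines):
    """'address wildcard' pairs become networks; the first matching entry decides."""
    acl = []
    for line in lines:
        m = ACE.match(line.strip())
        if m:
            action, proto, src, src_wc, dst, dst_wc = m.groups()
            acl.append((action, proto, ipaddress.ip_network(f"{src}/{src_wc}"),
                        ipaddress.ip_network(f"{dst}/{dst_wc}")))  # ipaddress understands wildcard masks
    return acl


def is_interesting(acl, src, dst):
    """Would IOS hand this src/dst pair to IPsec? Unmatched traffic is routed in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, _proto, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def mirrors(local_acl, remote_acl):
    """The peer's crypto ACL must be the exact mirror image (source and destination swapped)."""
    return [(a, p, d, s) for a, p, s, d in local_acl] == remote_acl


def parse_sa_counters(show_output):
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", show_output)}
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", show_output)
    counters["send_errors"], counters["recv_errors"] = (int(m[1]), int(m[2])) if m else (0, 0)
    m = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", show_output)
    counters["outbound_spi"] = int(m[1], 16) if m else 0
    return counters


def diagnose(counters):
    if not counters["outbound_spi"]:
        return "no SA: nothing has matched the crypto ACL yet"
    if counters["encaps"] and not counters["decaps"]:
        return "one-way: we encrypt but never decrypt; check the peer's crypto ACL mirror and return routing"
    if counters["decaps"] and not counters["encaps"]:
        return "one-way: we decrypt but never encrypt; check our crypto ACL and routing to the remote subnet"
    status = "tunnel passing traffic both ways"
    if counters["send_errors"]:
        status += f" ({counters['send_errors']} send errors, e.g. packets dropped while the SA was still negotiating)"
    return status


if __name__ == "__main__":
    acl = parse_crypto_acl(R1_ACL)
    print("10.1.1.1 -> 10.2.2.1 protected:", is_interesting(acl, "10.1.1.1", "10.2.2.1"))
    print("R3 ACL mirrors R1:", mirrors(acl, parse_crypto_acl(R3_ACL)))
    print(diagnose(parse_sa_counters(SA_AFTER_PING)))
```

The mirror check is the one to run before blaming IKE: an ACL that is broader on one side than the other produces exactly the one-way counters that diagnose() reports, and the unmatched half of the traffic is not blocked but forwarded unencrypted.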
R1(config)#username admin privilege 15 secret cisco12345
R1(config)#ip http server
R1(config)#ip http authentication local
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http server
R3(config)#ip http authentication local
R3(config)#crypto isakmp policy 1 // COPY/PASTE OF THE MIRROR CONFIG GENERATED BY CCP
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# hash md5
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)#crypto isakmp key cisco12345 address 10.1.1.1
R3(config)#crypto ipsec transform-set LAB_TSET esp-sha-hmac esp-aes 256
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)#ip access-list extended SDM_1
R3(config-ext-nacl)# remark CCP_ACL Category=4
R3(config-ext-nacl)# remark IPSec Rule
R3(config-ext-nacl)# permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config-ext-nacl)# exit
R3(config)#crypto map SDM_CMAP_1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)# description Apply the crypto map on the peer router's interface having IP address 10.2.2.1 that connects to this router.
R3(config-crypto-map)# set transform-set LAB_TSET
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:00:58.043: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
R3#show crypto ipsec transform-set
Transform set LAB_TSET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, }
R3#show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Apply the crypto map on the peer router's interface having IP address 10.2.2.1
that connects to this router.
Peer = 10.1.1.1
Extended IP access list SDM_1
access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
LAB_TSET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map SDM_CMAP_1:
Serial0/0/1
R1(config)#interface serial0/0/0
R1(config-if)#no crypto map SDM_CMAP_1
R1(config-if)#
*Jun 26 23:05:39.607: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config-if)#no crypto map SDM_CMAP_1 1
R1(config-if)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#description Tunnel to 10.2.2.1
R1(config-crypto-map)#set peer 10.2.2.1
R1(config-crypto-map)#set transform-set LAB_TSET
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Serial0/0/0 10.1.1.1 YES NVRAM up up
Serial0/0/1 unassigned YES NVRAM administratively down down
Serial0/1/0 unassigned YES NVRAM administratively down down
Serial0/1/1 unassigned YES NVRAM administratively down down
R1(config)#interface serial0/0/0
R1(config-if)#crypto map SDM_CMAP_1
R1(config-if)#
*Jun 26 23:07:18.195: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#interface serial0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:08:22.543: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R3(config-if)#exit
R3(config)#no crypto map SDM_CMAP_1 1
R3(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#description Tunnel to 10.1.1.1
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set transform-set LAB_TSET
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:09:41.931: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3#show crypto isakmp sa // IKE PHASE 2 NOT ESTABLISHING
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
crypto ipsec transform-set LAB_TSET esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
! Incomplete
description Tunnel to 10.1.1.1
set peer 10.1.1.1
set transform-set LAB_TSET
match address 100 // THERE'S NO ACL 100 ON R3
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#no match address 100
R3(config-crypto-map)#match address SDM_1
R3(config)#int serial0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
*Jun 26 23:38:59.903: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jun 26 23:39:04.611: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#clear crypto sa // IPSEC VPN ESTABLISHED AFTER CLEARING SA
R3#clear crypto sa
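The fault above is a dangling reference: R3's crypto map pointed at `match address 100`, an ACL that only existed on R1, so IOS flagged the entry `! Incomplete`, Phase 1 still reached QM_IDLE and Phase 2 never negotiated. Two other things in the CCP-generated config deserve a second look before it leaves the lab: both peers offer ISAKMP policy 1 (3DES, SHA-1, DH group 2) ahead of policy 10 (AES-256 with MD5 and DH group 5), the debug later on this page shows the peers actually settling on policy 1, the crypto map has PFS off, and the pre-shared key is `cisco12345`. The script below is an added example, not code from the original post: it parses an IOS running-config excerpt and reports incomplete crypto maps, non-mirrored crypto ACLs and weak ISAKMP policies. The R1 and R3 configs inside it are reconstructed from the transcript; ACL 100 on R1 is never shown on this page and is assumed here to be the mirror of SDM_1, which is what the proxy identities in the established SAs imply.

```python
"""Lint Cisco IOS site-to-site IPsec config for the faults seen in this lab.

Added example, not code from the original post. It reports crypto map entries
whose 'match address' names an ACL that does not exist (IOS marks them
'! Incomplete'), crypto ACLs that are not mirrors of the peer's, and ISAKMP
policies still using DES/3DES, MD5 or DH groups 1/2/5.
"""
import re

WEAK_ENCR, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5"}, {"1", "2", "5"}

def parse_config(text):
    """Return (isakmp_policies, crypto_maps, acls) from an IOS config excerpt."""
    policies, maps, acls = {}, {}, {}
    section = name = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                     # top-level command
            section = None
            if m := re.match(r"crypto isakmp policy (\d+)", line):
                section, name = "policy", m.group(1)
                policies[name] = {}
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                section, name = "map", (m.group(1), int(m.group(2)))
                maps[name] = {}
            elif m := re.match(r"ip access-list extended (\S+)", line):
                section, name = "acl", m.group(1)
                acls.setdefault(name, [])
            elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+ \S+ \S+)", line):
                acls.setdefault(m.group(1), []).append(tuple(m.group(2).split()))
            continue
        words = line.split()                             # indented sub-command
        if section == "policy":
            policies[name][words[0]] = " ".join(words[1:])
        elif section == "map" and words[0] == "set":
            maps[name][words[1]] = " ".join(words[2:])
        elif section == "map" and words[:2] == ["match", "address"]:
            maps[name]["match address"] = words[2]
        elif section == "acl" and words[:2] == ["permit", "ip"]:
            acls[name].append(tuple(words[2:6]))         # (src, wc, dst, wc)
    return policies, maps, acls

def lint_device(host, text):
    """Return human-readable findings for one router's configuration."""
    policies, maps, acls = parse_config(text)
    findings = []
    for (mname, seq), entry in maps.items():
        acl = entry.get("match address")
        if acl not in acls:                              # R3's mistake: ACL 100 never existed
            findings.append(f"{host}: crypto map {mname} {seq} is incomplete: "
                            f"match address {acl} names an ACL that does not exist")
    for num, p in policies.items():
        # IOS defaults when a line is omitted: encr des, hash sha, group 1.
        encr = p.get("encr", "des").split()[0]
        hsh, grp = p.get("hash", "sha"), p.get("group", "1")
        weak = [f"{k} {v}" for k, v, bad in (("encr", encr, WEAK_ENCR),
                ("hash", hsh, WEAK_HASH), ("group", grp, WEAK_DH)) if v in bad]
        if weak:
            findings.append(f"{host}: isakmp policy {num} uses weak settings: {', '.join(weak)}")
    return findings

def mirrored(acl_a, acl_b):
    """True when every (src, wc, dst, wc) entry on A appears reversed on B."""
    return {(d, dw, s, sw) for s, sw, d, dw in acl_a} == set(acl_b)

# Constructed from the lab transcript: the IKE policies both routers share,
# R1 after its crypto map was rebuilt (ACL 100 assumed), and R3 while Phase 2
# would not come up.
POLICIES = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
"""
R1_CONFIG = POLICIES + """\
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set LAB_TSET
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
R3_CONFIG = POLICIES + """\
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set LAB_TSET
 match address 100
ip access-list extended SDM_1
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
R3_FIXED = R3_CONFIG.replace("match address 100", "match address SDM_1")

if __name__ == "__main__":
    for host, cfg in (("R1", R1_CONFIG), ("R3", R3_CONFIG), ("R3-fixed", R3_FIXED)):
        print("\n".join(lint_device(host, cfg)) or f"{host}: clean")
    print("ACLs mirror each other:",
          mirrored(parse_config(R1_CONFIG)[2]["100"], parse_config(R3_FIXED)[2]["SDM_1"]))
```

Run against the R3 config as it stood, the first finding is the incomplete crypto map; after the `match address SDM_1` fix that finding disappears and the two crypto ACLs pass the mirror test, which is what let Quick Mode complete once the SAs were cleared. The weak-policy findings remain on both routers, which is the point: an IKE policy that negotiates successfully is not the same as one you would run across a public circuit.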
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0xF480B720(4102076192)
inbound esp sas:
spi: 0x27C0C9B(41684123)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4607750/3470)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF480B720(4102076192)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4607750/3470)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
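The `show crypto ipsec sa` output above is what confirms the tunnel is really carrying traffic, not just negotiated: the proxy identities are the ones the crypto ACL should produce, both ESP SAs are ACTIVE, the `current outbound spi` is the SPI of the outbound SA, and the encaps and decaps counters are both climbing (29/29 here). The single send error on R1 is normally the packet that triggered IKE, dropped while the SA was still being negotiated. The script below is an added example, not from the original post; it parses this output and applies those checks, and also distinguishes a one-way tunnel (packets encapsulated, nothing decapsulated), which is the usual symptom of a crypto ACL that is not a mirror of the peer's. The sample is R1's output from this lab trimmed to the lines the parser reads, and the parser assumes the line formats shown there.

```python
"""Health-check one tunnel from 'show crypto ipsec sa' output.

Added example, not from the original post. SAMPLE is R1's output from this
lab, trimmed to the lines the parser reads; ONE_WAY is constructed from it.
"""
import re

SAMPLE = """\
interface: Serial0/0/0
    Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #send errors 1, #recv errors 0
     current outbound spi: 0xF480B720(4102076192)
     inbound esp sas:
      spi: 0x27C0C9B(41684123)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0xF480B720(4102076192)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
"""
# A one-way tunnel, constructed: traffic leaves but nothing comes back.
ONE_WAY = SAMPLE.replace("#pkts decaps: 29", "#pkts decaps: 0")

FIELDS = {                                   # regex -> (key, converter)
    r"local\s+ident .*?: \(([\d.]+/[\d.]+)": ("local_ident", str),
    r"remote\s+ident .*?: \(([\d.]+/[\d.]+)": ("remote_ident", str),
    r"current_peer ([\d.]+)": ("peer", str),
    r"#pkts encaps: (\d+)": ("encaps", int),
    r"#pkts decaps: (\d+)": ("decaps", int),
    r"#send errors (\d+)": ("send_errors", int),
    r"current outbound spi: (0x[0-9A-Fa-f]+)": ("current_outbound_spi", lambda v: int(v, 16)),
}

def parse_ipsec_sa(text):
    """Flatten the fields a health check needs; ESP SAs are keyed by direction."""
    info, direction = {"sas": {}}, None
    for line in text.splitlines():
        s = line.strip()
        for pat, (key, conv) in FIELDS.items():
            if m := re.match(pat, s):
                info[key] = conv(m.group(1))
        if m := re.match(r"(inbound|outbound) esp sas:", s):
            direction = m.group(1)
            info["sas"][direction] = {}
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            info["sas"][direction]["spi"] = int(m.group(1), 16)
        elif direction and (m := re.match(r"transform: (.+?) ,", s)):
            info["sas"][direction]["transform"] = m.group(1)
        elif direction and (m := re.match(r"Status: (\w+)", s)):
            info["sas"][direction]["status"] = m.group(1)
    return info

def check_tunnel(info, local_net, remote_net, transform):
    """Return a list of problems; empty means the tunnel is up and passing traffic."""
    problems = []
    if (info.get("local_ident"), info.get("remote_ident")) != (local_net, remote_net):
        problems.append(f"proxy identities {info.get('local_ident')} -> "
                        f"{info.get('remote_ident')} do not match the crypto ACL")
    for direction in ("inbound", "outbound"):
        sa = info["sas"].get(direction, {})
        if sa.get("status") != "ACTIVE":
            problems.append(f"no ACTIVE {direction} ESP SA")
        elif sa.get("transform") != transform:
            problems.append(f"{direction} SA uses {sa.get('transform')}, expected {transform}")
    if info["sas"].get("outbound", {}).get("spi") != info.get("current_outbound_spi"):
        problems.append("current outbound SPI is not the outbound ESP SA's SPI")
    if info.get("encaps", 0) == 0:
        problems.append("nothing encapsulated: no traffic has matched the crypto ACL yet")
    elif info.get("decaps", 0) == 0:
        problems.append("packets sent but none received: peer is not encrypting the return path")
    return problems

# What R1's crypto ACL and transform set should negotiate in this lab.
EXPECTED = ("192.168.1.0/255.255.255.0", "192.168.3.0/255.255.255.0", "esp-256-aes esp-sha-hmac")

if __name__ == "__main__":
    for label, text in (("R1", SAMPLE), ("one-way", ONE_WAY)):
        print(label, check_tunnel(parse_ipsec_sa(text), *EXPECTED) or "healthy")
```

The same parser run on the peer's output gives the cross-check a practitioner wants next: R1's inbound SPI (0x27C0C9B) must be R3's outbound SPI and vice versa, and R3's counters should mirror R1's.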
*Jun 26 23:42:28.723: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.1.1.1, remote= 10.2.2.1,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 26 23:42:28.723: ISAKMP: local port 500, remote port 500
*Jun 26 23:42:28.723: ISAKMP: set new node 0 to QM_IDLE
*Jun 26 23:42:28.723: insert sa successfully sa = 64B9665C
*Jun 26 23:42:28.723: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 26 23:42:28.723: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 26 23:42:28.727: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 26 23:42:28.727: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 26 23:42:28.727: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 26 23:42:28.727: ISAKMP:(0): beginning Main Mode exchange
*Jun 26 23:42:28.727: ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 26 23:42:28.727: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 26 23:42:28.827: ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 26 23:42:28.827: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:28.827: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jun 26 23:42:28.831: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 26 23:42:28.831: ISAKMP:(0): processing vendor id payload
*Jun 26 23:42:28.831: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 26 23:42:28.831: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 26 23:42:28.831: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:28.831: ISAKMP:(0): local preshared key found
*Jun 26 23:42:28.831: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 26 23:42:28.831: ISAKMP: encryption 3DES-CBC
*Jun 26 23:42:28.831: ISAKMP: hash SHA
*Jun 26 23:42:28.831: ISAKMP: default group 2
*Jun 26 23:42:28.831: ISAKMP: auth pre-share
*Jun 26 23:42:28.831: ISAKMP: life type in seconds
*Jun 26 23:42:28.831: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 26 23:42:28.831: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jun 26 23:42:28.831: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 26 23:42:28.831: ISAKMP:(0):Acceptable atts:life: 0
*Jun 26 23:42:28.831: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 26 23:42:28.831: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jun 26 23:42:28.831: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 26 23:42:28.831: ISAKMP:(0)::Started lifetime timer: 86400.
*Jun 26 23:42:28.831: ISAKMP:(0): processing vendor id payload
*Jun 26 23:42:28.831: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 26 23:42:28.831: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Jun 26 23:42:28.831: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:28.831: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jun 26 23:42:28.835: ISAKMP:(0): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 26 23:42:28.835: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 26 23:42:28.835: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:28.835: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jun 26 23:42:29.075: ISAKMP (0:0): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 26 23:42:29.075: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:29.075: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jun 26 23:42:29.075: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 26 23:42:29.075: crypto_engine: Create DH shared secret
*Jun 26 23:42:29.143: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 26 23:42:29.143: ISAKMP:(0):found peer pre-shared key matching 10.2.2.1
*Jun 26 23:42:29.147: crypto_engine: Create IKE SA
*Jun 26 23:42:29.147: crypto engine: deleting DH phase 2 SW:3
*Jun 26 23:42:29.147: crypto_engine: Delete DH shared secret
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): vendor ID is Unity
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): vendor ID is DPD
*Jun 26 23:42:29.147: ISAKMP:(1002): processing vendor id payload
*Jun 26 23:42:29.147: ISAKMP:(1002): speaking to another IOS box!
*Jun 26 23:42:29.147: ISAKMP:received payload type 20
*Jun 26 23:42:29.147: ISAKMP (1002): His hash no match - this node outside NAT
*Jun 26 23:42:29.147: ISAKMP:received payload type 20
*Jun 26 23:42:29.147: ISAKMP (1002): No NAT Found for self or peer
*Jun 26 23:42:29.147: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:29.147: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jun 26 23:42:29.147: ISAKMP:(1002):Send initial contact
*Jun 26 23:42:29.147: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 26 23:42:29.151: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 500
length : 12
*Jun 26 23:42:29.151: ISAKMP:(1002):Total payload length: 12
*Jun 26 23:42:29.151: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.151: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.151: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 26 23:42:29.151: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.151: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:29.151: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jun 26 23:42:29.219: ISAKMP (0:1002): received packet from 10.2.2.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 26 23:42:29.219: crypto_engine: Decrypt IKE packet
*Jun 26 23:42:29.219: ISAKMP:(1002): processing ID payload. message ID = 0
*Jun 26 23:42:29.219: ISAKMP (0:1002): ID payload
next-payload : 8
type : 1
address : 10.2.2.1
protocol : 17
port : 500
length : 12
*Jun 26 23:42:29.219: ISAKMP:(1002): processing HASH payload. message ID = 0
*Jun 26 23:42:29.219: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.219: ISAKMP:(1002):SA authentication status: authenticated
*Jun 26 23:42:29.219: ISAKMP:(1002):SA has been authenticated with 10.2.2.1
*Jun 26 23:42:29.219: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 26 23:42:29.219: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Jun 26 23:42:29.219: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 26 23:42:29.219: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Jun 26 23:42:29.223: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 26 23:42:29.223: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Jun 26 23:42:29.223: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -39302567
*Jun 26 23:42:29.223: ISAKMP:(1002):QM Initiator gets spi
*Jun 26 23:42:29.223: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.223: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.223: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 26 23:42:29.223: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.223: ISAKMP:(1002):Node -39302567, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 26 23:42:29.227: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 26 23:42:29.227: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 26 23:42:29.227: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 26 23:42:29.343: ISAKMP (0:1002): received packet from 10.2.2.1 dport 500 sport 500 Global (I) QM_IDLE
*Jun 26 23:42:29.343: crypto_engine: Decrypt IKE packet
*Jun 26 23:42:29.343: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.347: ISAKMP:(1002): processing HASH payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing SA payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002):Checking IPSec proposal 1
*Jun 26 23:42:29.347: ISAKMP: transform 1, ESP_AES
*Jun 26 23:42:29.347: ISAKMP: attributes in transform:
*Jun 26 23:42:29.347: ISAKMP: encaps is 1 (Tunnel)
*Jun 26 23:42:29.347: ISAKMP: SA life type in seconds
*Jun 26 23:42:29.347: ISAKMP: SA life duration (basic) of 3600
*Jun 26 23:42:29.347: ISAKMP: SA life type in kilobytes
*Jun 26 23:42:29.347: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 26 23:42:29.347: ISAKMP: authenticator is HMAC-SHA
*Jun 26 23:42:29.347: ISAKMP: key length is 256
*Jun 26 23:42:29.347: ISAKMP:(1002):atts are acceptable.
*Jun 26 23:42:29.347: ISAKMP:(1002): processing NONCE payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing ID payload. message ID = -39302567
*Jun 26 23:42:29.347: ISAKMP:(1002): processing ID payload. message ID = -39302567
*Jun 26 23:42:29.347: crypto_engine: Generate IKE hash
*Jun 26 23:42:29.347: crypto_engine: Generate IKE QM keys
*Jun 26 23:42:29.347: crypto_engine: Create IPSec SA (by keys)
*Jun 26 23:42:29.347: crypto_engine: Generate IKE QM keys
*Jun 26 23:42:29.351: crypto_engine: Create IPSec SA (by keys)
*Jun 26 23:42:29.351: ISAKMP:(1002): Creating IPSec SAs
*Jun 26 23:42:29.351: inbound SA from 10.2.2.1 to 10.1.1.1 (f/i) 0/ 0
(proxy 192.168.3.0 to 192.168.1.0)
*Jun 26 23:42:29.351: has spi 0x27C0C9B and conn_id 0
*Jun 26 23:42:29.351: lifetime of 3600 seconds
*Jun 26 23:42:29.351: lifetime of 4608000 kilobytes
*Jun 26 23:42:29.351: outbound SA from 10.1.1.1 to 10.2.2.1 (f/i) 0/0
(proxy 192.168.1.0 to 192.168.3.0)
*Jun 26 23:42:29.351: has spi 0xF480B720 and conn_id 0
*Jun 26 23:42:29.351: lifetime of 3600 seconds
*Jun 26 23:42:29.351: lifetime of 4608000 kilobytes
*Jun 26 23:42:29.351: crypto_engine: Encrypt IKE packet
*Jun 26 23:42:29.351: ISAKMP:(1002): sending packet to 10.2.2.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 26 23:42:29.351: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Jun 26 23:42:29.351: ISAKMP:(1002):deleting node -39302567 error FALSE reason "No Error"
*Jun 26 23:42:29.351: ISAKMP:(1002):Node -39302567, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 26 23:42:29.351: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Jun 26 23:42:29.355: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.2.2.1
*Jun 26 23:42:29.355: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.3.0, dest_port 0
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.1.1, sa_proto= 50,
sa_spi= 0x27C0C9B(41684123),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2001
*Jun 26 23:42:29.355: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.2.2.1, sa_proto= 50,
sa_spi= 0xF480B720(4102076192),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2002
*Jun 26 23:42:29.355: crypto engine: updating MTU size of IPSec SA FPGA:2
*Jun 26 23:42:29.355: crypto_engine: Set IPSec MTU
*Jun 26 23:42:29.355: IPSEC(update_current_outbound_sa): updated peer 10.2.2.1 current outbound sa to SPI F480B720