I was troubleshooting a site-to-site IPsec VPN connection with a client who's using a Palo Alto (PA) firewall on their network. There's a great link which helped me understand and troubleshoot a PA firewall. We were exchanging our IKE Phase 1 and Phase 2 policies configured between our VPN router and their PA firewall and, after a couple of sleepless nights (damn that PFS!), we were able to establish the VPN tunnel. Maybe I should take up the Palo Alto PCNSE cert next year.
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id status
17.8.17.44      202.7.2.2       QM_IDLE    1010    ACTIVE
IPv6 Crypto ISAKMP SA
Router#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: CMAP, local addr 202.7.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.27.193.162/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.5.202.0/255.255.255.0/0/0)
current_peer 17.8.17.44 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 380030, #pkts encrypt: 380030, #pkts digest: 380030
#pkts decaps: 366102, #pkts decrypt: 366102, #pkts verify: 366102
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.7.2.2, remote crypto endpt.: 17.8.17.44
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x826B1D60(2188057952)
PFS (Y/N): Y, DH group: group2
It's challenging to configure and troubleshoot VPNs, but you won't get lost once you've built a foundation of the basic IKE policies and IPsec framework. I was able to review my CCNA Security and ASA basics last year but forgot to post this lab for a site-to-site IPsec VPN between an IOS router and an ASA firewall.
Router(config)#hostname R1
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#
*Jul 7 12:24:32.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jul 7 12:24:59.615: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/0
Router(config)#hostname R2
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul 7 12:23:52.779: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jul 7 12:23:53.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#clock rate 64000
R2(config-if)#
*Jul 7 12:24:14.411: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#exit
R2(config)#ip route 209.165.200.224 255.255.255.248 serial0/0/0
R2(config)#ip route 172.16.3.0 255.255.255.0 serial0/0/1
Router(config)#hostname R3
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
*Jul 7 12:31:11.111: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jul 7 12:31:12.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/1
R3(config)#enable secret cisco
R3(config)#line vty 0 4
R3(config-line)#password cisco
R3(config-line)#login
R3(config-line)#line console 0
R3(config-line)#password cisco
R3(config-line)#login
R3(config)#ip http server
R3(config)#username admin privilege 15 secret cisco123
R3(config)#ip http authentication local
ciscoasa> enable
Password: <ENTER>
ciscoasa# conf t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)# hostname CCNAS-ASA
CCNAS-ASA(config)# enable password class
CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# passwd cisco
CCNAS-ASA(config)# interface ethernet0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# interface vlan 3
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
CCNAS-ASA(config)# route outside 0 0 209.165.200.225
CCNAS-ASA(config)# username admin password cisco123
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication http console LOCAL
CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config-pmap)# exit
CCNAS-ASA(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
CCNAS-ASA(config)#
R3(config)#crypto isakmp policy 1 // JAVA DOWNGRADED FOR ASDM; CONFIGURE R3 S2S IPSEC VPN VIA CLI
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco12345 address 209.165.200.226
R3(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#access-list 100 permit ip 172.16.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 209.165.200.226
R3(config-crypto-map)#set transform-set TSET
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map CMAP
R3(config-if)#
*Jul 7 13:12:27.235: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
CCNAS-ASA# debug crypto ?
ca Set PKI debug levels
condition Set IPSec/ISAKMP debug filters
engine Set crypto engine debug levels
ike-common Set IKE common debug levels
ikev1 Set IKEV1 debug levels
ikev2 Set IKEV2 debug levels
ipsec Set IPSec debug levels
ss-api Set Crypto Secure Socket API debug levels
vpnclient Set EasyVPN client debug levels
CCNAS-ASA# debug crypto ikev1 ?
<1-255> Specify an optional debug level (default is 1)
timers debug the ikev1 timers
<cr>
CCNAS-ASA# debug crypto ikev1
R3#ping 192.168.1.3 source 172.16.3.3
CCNAS-ASA# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.2.2.1
Type : L2L Role : responder
Rekey : no
State : MM_ACTIVE // IPSEC ESTABLISHED IN ASA
There are no IKEv2 SAs
CCNAS-ASA# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.226
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
current_peer: 10.2.2.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 // DUE TO GENERATED ICMP
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.165.200.226/0, remote crypto endpt.: 10.2.2.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D933E94D
current inbound spi : 6A6DC4E8
inbound esp sas:
spi: 0x6A6DC4E8 (1785578728)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/3517)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xD933E94D (3644057933)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/3517)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id slot status
209.165.200.226 10.2.2.1        QM_IDLE    1001    0    ACTIVE // IPSEC ESTABLISHED IN ASA
IPv6 Crypto ISAKMP SA
R3#show crypto ipsec sa
interface: Serial0/0/1
Crypto map tag: CMAP, local addr 10.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 209.165.200.226 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0
local crypto endpt.: 10.2.2.1, remote crypto endpt.: 209.165.200.226
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x6A6DC4E8(1785578728)
inbound esp sas:
spi: 0xD933E94D(3644057933)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4456786/3543)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6A6DC4E8(1785578728)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4456786/3543)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#ping 192.168.1.3 source 172.16.3.3 repeat 10 // TO GENERATE MORE IPSEC VPN TRAFFIC STATS
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 84/90/124 ms
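As an added troubleshooting aid (not part of the original post), this Python script pulls the packet counters and ESP SPIs out of the R3 and ASA `show crypto ipsec sa` output above and cross-checks the two ends of the tunnel: each side's outbound SPI must be the peer's inbound SPI (here 0x6A6DC4E8 and 0xD933E94D), the peer's decaps counter should keep pace with the sender's encaps, and a missing SA points back at Phase 2 (PFS or transform mismatch). The sample strings are constructed from the transcripts above and the function names are mine.

```python
import re
# Constructed samples, abbreviated from the R3 (IOS) and ASA transcripts above.
IOS_SA = """
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 11, #recv errors 0
     inbound esp sas:
      spi: 0xD933E94D(3644057933)
     outbound esp sas:
      spi: 0x6A6DC4E8(1785578728)
"""
ASA_SA = """
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x6A6DC4E8 (1785578728)
    outbound esp sas:
      spi: 0xD933E94D (3644057933)
"""
def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_ipsec_sa(text):
    # IOS and ASA differ only cosmetically: ASA writes "#send errors:" with a colon
    # and a space before "(" on spi lines. SPIs are upper-cased for comparison.
    spis = {d: _field(d + r" esp sas:\s*spi: 0x([0-9A-Fa-f]+)", text) for d in ("inbound", "outbound")}
    return {
        "encaps": int(_field(r"#pkts encaps:\s*(\d+)", text) or 0),
        "decaps": int(_field(r"#pkts decaps:\s*(\d+)", text) or 0),
        "send_errors": int(_field(r"#send errors:?\s*(\d+)", text) or 0),
        "in_spi": (spis["inbound"] or "").upper(),
        "out_spi": (spis["outbound"] or "").upper(),
    }

def cross_check(local, peer):
    # Each side's outbound SPI must be the peer's inbound SPI; counters must move on both ends.
    findings = []
    if not local["out_spi"] or not peer["in_spi"]:
        findings.append("no ESP SA: Phase 2 never completed (check PFS and transform proposals)")
    elif local["out_spi"] != peer["in_spi"] or local["in_spi"] != peer["out_spi"]:
        findings.append("SPI mismatch: one side holds a stale SA; clear it and renegotiate")
    if local["encaps"] == 0:
        findings.append("no packets encapsulated: traffic is not matching the crypto ACL")
    elif peer["decaps"] < local["encaps"]:
        findings.append("peer decapsulates fewer packets than sent: loss or a stale SA in the path")
    if local["send_errors"]:
        findings.append(f"{local['send_errors']} send errors: usually packets dropped while the SA was negotiating; investigate if it keeps growing")
    return findings
```

Run it against fresh output from both boxes after a `ping ... source` test; an empty findings list on both `cross_check(r3, asa)` and `cross_check(asa, r3)` means the tunnel is passing traffic symmetrically.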