identify the traffic that should go across the vpn. check the acl configuration try to ping across...

7
Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should see ISAKMP initiate. Check “show crypto isakmp sa” to see if an entry is created for us to the remote peer. The router should send a UDP/500 packet towards the other peer. i.e. (IOS) IPv4 Crypto ISAKMP SA dst src state conn- id status 172.18.254.4 172.18.254.89 MM_NO_STATE 0 ACTIVE MM1 Check that the responder actually receives that UDP/500 packet. via: packet capture on the interface Hits on an permit entry for an interface ACL Inbound Netflow counters on the interface P R O T O C O L F L O W

Upload: erika-shelton

Post on 21-Jan-2016

219 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should

Identify the traffic that should go across the VPN. Check the ACL configuration

Try to ping across the tunnel using a ping that matches the ACL

We should see ISAKMP initiate. Check “show crypto isakmp sa” to see if an entry is created for us to the remote peer.

The router should send a UDP/500 packet towards the other peer.

i.e. (IOS)

IPv4 Crypto ISAKMP SAdst src state conn-id status172.18.254.4 172.18.254.89 MM_NO_STATE 0 ACTIVE MM1

Check that the responder actually receives that UDP/500 packet. via: packet capture on the interface Hits on an permit entry for an interface ACL Inbound Netflow counters on the interface

PROTO

COL FLO

W

Page 2: Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should

The responder should receive the MM1 packet and also create an entry in it’s table. Check the table and see if there is an entry.

At this point the responder should send back UDP/500 Main Mode Message 2. You can see that with “show cry isakmp sa”

i.e. (ASA)

1 IKE Peer: 172.18.254.89 Type : user Role : responder Rekey : no State : MM_WAIT_MSG3

The responder should process the packet and negotiate which ISAKMP policy to choose. “debug crypto isakmp 128” should show you this.

If not successful you’ll [IKEv1 DEBUG]IP = 172.18.254.89, All SA proposals found unacceptable

If successful you’ll see : [IKEv1 DEBUG]IP = 172.18.254.89, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5

MM2

PROTO

COL FLO

W

Page 3: Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should

The initiator should receive the MM2 packet (UDP/500) process it.

The responder should get the MM3 packet (UDP/500)andReturn MM4 (UDP/500)

Debugs on IOS show:

*Feb 1 21:44:23.314: ISAKMP (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_NO_STATE*Feb 1 21:44:23.314: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

The initiator should then send back MM3 (UDP/500)

Debugs on IOS show:

*Feb 1 21:44:23.315: ISAKMP:(0): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_SA_SETUP*Feb 1 21:44:23.315: ISAKMP:(0):Sending an IKE IPv4 Packet.*Feb 1 21:44:23.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE*Feb 1 21:44:23.315: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

*Feb 1 21:44:23.315: (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_SA_SETUP*Feb 1 21:44:23.315: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH*Feb 1 21:44:23.315: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4

PROTO

COL FLO

W

MM3

MM4

Page 4: Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should

R100#show cry isa saIPv4 Crypto ISAKMP SAdst src state conn-id status1.1.1.102 1.1.1.100 MM_KEY_EXCH 1006 ACTIVE

At this point the Initiator has enough information to determine whether either of the peers are behind NAT. If they are not communication remains to occur on UDP/500, however if they are then it switches to UDP/4500

*Feb 1 21:44:23.315: ISAKMP:(1002):Total payload length: 12*Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_KEY_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5

The initiator should send Main Mode message 5.

MM5

PROTO

COL FLO

W

The Responder should receive MM5 and authenticate the Initiator. If responder successfully authenticates the peer it will send back MM6. If it fails the authentication the responder will re-transmit the last successful packet (i.e. MM4) back to the initiator.

Page 5: Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should

*Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_KEY_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002): processing ID payload. message ID = 0*Feb 1 21:44:23.315: ISAKMP (1002): ID payload next-payload : 8 type : 1 address : 1.1.1.102 protocol : 17 port : 500 length : 12*Feb 1 21:44:23.315: ISAKMP:(0):: peer matches *none* of the profiles*Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 0*Feb 1 21:44:23.315: ISAKMP:(1002):SA authentication status: authenticated*Feb 1 21:44:23.315: ISAKMP:(1002):SA has been authenticated with 1.1.1.102*Feb 1 21:44:23.315: ISAKMP: Trying to insert a peer 1.1.1.101/1.1.1.102/500/, and inserted successfully 52F9320.*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

PROTO

COL FLO

W

MM6

Phase 1 COMPLETE

The Phase 1 SA negotiation is complete and the initiator will now propose a phase 2 to protect traffic.

Page 6: Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should

PROTO

COL FLO

W

QM1

The initiator will send QM1 which contains the requested IPsec SA parameters.

*Feb 1 21:44:24.315: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 196323019*Feb 1 21:44:24.315: ISAKMP:(1002):QM Initiator gets spi*Feb 1 21:44:24.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE *Feb 1 21:44:24.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.*Feb 1 21:44:24.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_INTERNAL, IKE_INIT_QM*Feb 1 21:44:24.315: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

The responder will validate the proposal. It will check the proposed SA against it’s ACL, peer, and transform configuration. It will send back QM2 to notify whether the proposal was accepted or not.

If successful:*Feb 1 21:44:24.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE *Feb 1 21:44:24.315: ISAKMP:(1002): processing HASH payload. message ID = 196323019*Feb 1 21:44:24.315: ISAKMP:(1002): processing SA payload. message ID = 196323019*Feb 1 21:44:24.315: ISAKMP:(1002):Checking IPSec proposal 1*Feb 1 21:44:24.315: ISAKMP: transform 1, ESP_3DES*Feb 1 21:44:24.315: ISAKMP: attributes in transform:*Feb 1 21:44:24.315: ISAKMP: encaps is 2 (Transport)*Feb 1 21:44:24.315: ISAKMP: SA life type in seconds*Feb 1 21:44:24.315: ISAKMP: SA life duration (basic) of 3600*Feb 1 21:44:24.315: ISAKMP: SA life type in kilobytes*Feb 1 21:44:24.315: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Feb 1 21:44:24.315: ISAKMP: authenticator is HMAC-MD5*Feb 1 21:44:24.315: ISAKMP:(1002):atts are acceptable.

Page 7: Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should

PROTO

COL FLO

W QM2

If not successful:*Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE *Feb 1 21:44:23.315: ISAKMP: set new node 1984354591 to QM_IDLE *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 1984354591*Feb 1 21:44:23.315: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2340447730, message ID = 1984354591, sa = 4990F28*Feb 1 21:44:23.315: ISAKMP:(1002): deleting spi 2340447730 message ID = 24306363*Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 24306363 error TRUE reason "Delete Larval"*Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 1984354591 error FALSE reason "Informational (in) state 1"*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

The initiator will the acknowledge the acceptance with QM3 and complete the phase 2 installation.

Phase 2 COMPLETE

QM3

*Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE *Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.*Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 196323019 error FALSE reason "No Error"*Feb 1 21:44:23.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE