identify the traffic that should go across the vpn. check the acl configuration try to ping across...
TRANSCRIPT
Identify the traffic that should go across the VPN. Check the ACL configuration
Try to ping across the tunnel using a ping that matches the ACL
We should see ISAKMP initiate. Check “show crypto isakmp sa” to see if an entry is created for us to the remote peer.
The router should send a UDP/500 packet towards the other peer.
i.e. (IOS)
IPv4 Crypto ISAKMP SAdst src state conn-id status172.18.254.4 172.18.254.89 MM_NO_STATE 0 ACTIVE MM1
Check that the responder actually receives that UDP/500 packet. via: packet capture on the interface Hits on an permit entry for an interface ACL Inbound Netflow counters on the interface
PROTO
COL FLO
W
The responder should receive the MM1 packet and also create an entry in it’s table. Check the table and see if there is an entry.
At this point the responder should send back UDP/500 Main Mode Message 2. You can see that with “show cry isakmp sa”
i.e. (ASA)
1 IKE Peer: 172.18.254.89 Type : user Role : responder Rekey : no State : MM_WAIT_MSG3
The responder should process the packet and negotiate which ISAKMP policy to choose. “debug crypto isakmp 128” should show you this.
If not successful you’ll [IKEv1 DEBUG]IP = 172.18.254.89, All SA proposals found unacceptable
If successful you’ll see : [IKEv1 DEBUG]IP = 172.18.254.89, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5
MM2
PROTO
COL FLO
W
The initiator should receive the MM2 packet (UDP/500) process it.
The responder should get the MM3 packet (UDP/500)andReturn MM4 (UDP/500)
Debugs on IOS show:
*Feb 1 21:44:23.314: ISAKMP (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_NO_STATE*Feb 1 21:44:23.314: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
The initiator should then send back MM3 (UDP/500)
Debugs on IOS show:
*Feb 1 21:44:23.315: ISAKMP:(0): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_SA_SETUP*Feb 1 21:44:23.315: ISAKMP:(0):Sending an IKE IPv4 Packet.*Feb 1 21:44:23.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE*Feb 1 21:44:23.315: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Feb 1 21:44:23.315: (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_SA_SETUP*Feb 1 21:44:23.315: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH*Feb 1 21:44:23.315: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4
PROTO
COL FLO
W
MM3
MM4
R100#show cry isa saIPv4 Crypto ISAKMP SAdst src state conn-id status1.1.1.102 1.1.1.100 MM_KEY_EXCH 1006 ACTIVE
At this point the Initiator has enough information to determine whether either of the peers are behind NAT. If they are not communication remains to occur on UDP/500, however if they are then it switches to UDP/4500
*Feb 1 21:44:23.315: ISAKMP:(1002):Total payload length: 12*Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_KEY_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
The initiator should send Main Mode message 5.
MM5
PROTO
COL FLO
W
The Responder should receive MM5 and authenticate the Initiator. If responder successfully authenticates the peer it will send back MM6. If it fails the authentication the responder will re-transmit the last successful packet (i.e. MM4) back to the initiator.
*Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_KEY_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002): processing ID payload. message ID = 0*Feb 1 21:44:23.315: ISAKMP (1002): ID payload next-payload : 8 type : 1 address : 1.1.1.102 protocol : 17 port : 500 length : 12*Feb 1 21:44:23.315: ISAKMP:(0):: peer matches *none* of the profiles*Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 0*Feb 1 21:44:23.315: ISAKMP:(1002):SA authentication status: authenticated*Feb 1 21:44:23.315: ISAKMP:(1002):SA has been authenticated with 1.1.1.102*Feb 1 21:44:23.315: ISAKMP: Trying to insert a peer 1.1.1.101/1.1.1.102/500/, and inserted successfully 52F9320.*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
PROTO
COL FLO
W
MM6
Phase 1 COMPLETE
The Phase 1 SA negotiation is complete and the initiator will now propose a phase 2 to protect traffic.
PROTO
COL FLO
W
QM1
The initiator will send QM1 which contains the requested IPsec SA parameters.
*Feb 1 21:44:24.315: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 196323019*Feb 1 21:44:24.315: ISAKMP:(1002):QM Initiator gets spi*Feb 1 21:44:24.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE *Feb 1 21:44:24.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.*Feb 1 21:44:24.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_INTERNAL, IKE_INIT_QM*Feb 1 21:44:24.315: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
The responder will validate the proposal. It will check the proposed SA against it’s ACL, peer, and transform configuration. It will send back QM2 to notify whether the proposal was accepted or not.
If successful:*Feb 1 21:44:24.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE *Feb 1 21:44:24.315: ISAKMP:(1002): processing HASH payload. message ID = 196323019*Feb 1 21:44:24.315: ISAKMP:(1002): processing SA payload. message ID = 196323019*Feb 1 21:44:24.315: ISAKMP:(1002):Checking IPSec proposal 1*Feb 1 21:44:24.315: ISAKMP: transform 1, ESP_3DES*Feb 1 21:44:24.315: ISAKMP: attributes in transform:*Feb 1 21:44:24.315: ISAKMP: encaps is 2 (Transport)*Feb 1 21:44:24.315: ISAKMP: SA life type in seconds*Feb 1 21:44:24.315: ISAKMP: SA life duration (basic) of 3600*Feb 1 21:44:24.315: ISAKMP: SA life type in kilobytes*Feb 1 21:44:24.315: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Feb 1 21:44:24.315: ISAKMP: authenticator is HMAC-MD5*Feb 1 21:44:24.315: ISAKMP:(1002):atts are acceptable.
PROTO
COL FLO
W QM2
If not successful:*Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE *Feb 1 21:44:23.315: ISAKMP: set new node 1984354591 to QM_IDLE *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 1984354591*Feb 1 21:44:23.315: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2340447730, message ID = 1984354591, sa = 4990F28*Feb 1 21:44:23.315: ISAKMP:(1002): deleting spi 2340447730 message ID = 24306363*Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 24306363 error TRUE reason "Delete Larval"*Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 1984354591 error FALSE reason "Informational (in) state 1"*Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
The initiator will the acknowledge the acceptance with QM3 and complete the phase 2 installation.
Phase 2 COMPLETE
QM3
*Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE *Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.*Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 196323019 error FALSE reason "No Error"*Feb 1 21:44:23.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE