LAN-to-LAN IPSec VPN between IOS hub and PIX/ASA 7.2 spokes with dynamic IP addresses
From Internetworkpro
Overview
As a continuation of LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses, this is an example configuration, done a bit differently, for LAN-to-LAN IPsec between ASA spokes and an IOS hub. It differs from the previous one in that it uses quick mode and static (pre-shared) keys, but it can be scaled and adapted to use private keys as well.
Note that the only way this tunnel will come up is for traffic to be initiated from the spoke to the hub, since the hub does not know where to find the spokes. Using ISAKMP keepalives may help keep the tunnel established.
Device configuration
Each ASA spoke is dynamically addressed via DHCP, so there are no hard-coded addresses in its outside-interface configuration. The ASA spokes are configured identically for their keys and peer IP address. The crypto ACL was deliberately made wide-ranging.
Config of ASA Spoke (7.2)
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
access-list VPN extended permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list Inside-IN extended permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-group Inside-IN in interface inside
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto map Site1 10 match address VPN
crypto map Site1 10 set peer 10.0.0.1
crypto map Site1 10 set transform-set des-md5
crypto map Site1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 3600
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key sites
Config of IOS Hub
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map DYNMAP
!
interface FastEthernet1/0
 ip address 172.16.2.0 255.255.255.0
 duplex auto
 speed auto
!
ip access-list extended Sites
 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key sites
!
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp identity hostname
crypto isakmp profile sites
 description Sites!
 keyring spokes
 match identity address 0.0.0.0
!
!
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
!
crypto dynamic-map Sites 10
 set transform-set des-md5
 set isakmp-profile sites
 match address Sites
 reverse-route
!
!
crypto map DYNMAP 10 ipsec-isakmp dynamic Sites
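As an added check (not part of the original page or of either device's configuration), the Python below lints the crypto-relevant lines of the hub config above for the parameters this design depends on: the DES/MD5 transform set, the Diffie-Hellman group, the any-address pre-shared key in the keyring, and the absence of PFS on the dynamic map. The sample config is constructed from the lines above, and the IOS defaults assumed for absent policy lines are marked in a comment.

```python
# Constructed sample: the crypto-relevant lines of the hub config on this page.
HUB_CRYPTO = """\
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key sites
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto dynamic-map Sites 10
 set transform-set des-md5
"""

WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}  # MODP groups below 2048 bits

def parse_blocks(config):
    """Group Cisco config text into (command, [sub-commands]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint_crypto(config):
    """Flag weak algorithms, any-address PSKs and missing PFS."""
    findings = []
    for cmd, subs in parse_blocks(config):
        w = cmd.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"transform-set {w[3]}: weak {a}" for a in w[4:] if a in WEAK_ALGS]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            opts = {s.split()[0]: s.split()[-1] for s in subs}
            # Assumed IOS defaults when the line is absent: encryption des, group 1
            enc, grp = opts.get("encryption", "des"), opts.get("group", "1")
            if enc in WEAK_ALGS:
                findings.append(f"isakmp policy {w[3]}: weak encryption {enc}")
            if grp in WEAK_DH:
                findings.append(f"isakmp policy {w[3]}: small DH group {grp}")
        elif w[:2] == ["crypto", "keyring"]:
            if any("address 0.0.0.0 0.0.0.0" in s for s in subs):
                findings.append(f"keyring {w[2]}: one PSK accepted from any peer address")
        elif w[:2] == ["crypto", "dynamic-map"]:
            if not any(s.startswith("set pfs") for s in subs):
                findings.append(f"dynamic-map {w[2]} {w[3]}: no PFS configured")
    return findings
```

The same function runs over the ASA spoke config, where the `crypto isakmp policy 10` block with `encryption des` is flagged the same way.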
Command outputs
IOS Hub
debug crypto engine on Hub
Hub#
*Mar 1 00:32:12.055: ISAKMP (0:134217730): received packet from 2.0.0.11 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 00:32:12.059: ISAKMP: set new node -800302303 to QM_IDLE
*Mar 1 00:32:12.063: CryptoEngine0: generate hmac context for conn id 2
*Mar 1 00:32:12.067: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -800302303
*Mar 1 00:32:12.071: ISAKMP:(0:2:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -800302303, sa = 64B2D3DC
*Mar 1 00:32:12.075: ISAKMP:(0:2:SW:1):deleting node -800302303 error FALSE reason "Informational (in) state 1"
*Mar 1 00:32:12.079: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 00:32:12.083: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1):purging node 1095580893
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1):DPD/R_U_THERE received from peer 2.0.0.11, sequence 0x4365A723
*Mar 1 00:32:12.087: ISAKMP: set new mode 1347149792 to QM_IDLE
*Mar 1 00:32:12.087: CryptoEngine0: generate hmac context for conn id 2
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1688777216, message ID = 1347149792
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1): seq. no 0x4365A723
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1): sending packet to 2.0.0.11 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1):purging node 1347149792
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Mar 1 00:32:12.087: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:32:22.079: ISAKMP:(0:2:SW:1):purging node 1969952174
*Mar 1 00:32:32.071: ISAKMP:(0:2:SW:1):purging node 47506458
*Mar 1 00:32:32.075: ISAKMP (0:134217730): received packet from 2.0.0.11 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 00:32:32.079: ISAKMP: set new node 348318055 to QM_IDLE
*Mar 1 00:32:32.083: CryptoEngine0: generate hmac context for conn id 2
*Mar 1 00:32:32.083: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 348318055
*Mar 1 00:32:32.083: ISAKMP:(0:2:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 348318055, sa = 64B2D3DC
*Mar 1 00:32:32.083: ISAKMP:(0:2:SW:1):deleting node 348318055 error FALSE reason "Informational (in) state 1"
*Mar 1 00:32:32.083: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 00:32:32.083: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 00:32:32.087: ISAKMP:(0:2:SW:1):DPD/R_U_THERE received from peer 2.0.0.11, sequence 0x4365A724
*Mar 1 00:32:32.087: ISAKMP: set new node -300694997 to QM_IDLE
*Mar 1 00:32:32.087: CryptoEngine0: generate hmac context for conn id 2
*Mar 1 00:32:32.087: ISAKMP:(0:2:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1688777216, message ID = -300694997
*Mar 1 00:32:32.087: ISAKMP:(0:2:SW:1): seq. no 0x4365A724
*Mar 1 00:32:32.087: ISAKMP:(0:2:SW:1): sending packet to 2.0.0.11 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 00:32:32.087: ISAKMP:(0:2:SW:1):purging node -300694997
*Mar 1 00:32:32.087: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Mar 1 00:32:32.087: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
show isakmp sa
Hub# show isakmp sa
dst             src             state          conn-id slot status
10.0.0.1        2.0.0.11        QM_IDLE              2    0 ACTIVE sites
10.0.0.1        1.0.0.2         QM_IDLE              1    0 ACTIVE sites
show crypto ipsec sa
Hub#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: DYNMAP, local addr 10.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
current_peer 2.0.0.11 port 500
PERMIT, flags={}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 1.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x52108B50(1376815952)
inbound esp sas:
spi: 0x95556C81(2505403521)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: DYNMAP
sa timing: remaining key lifetime (k/sec): (4391949/1677)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x52108B50(1376815952)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: DYNMAP
sa timing: remaining key lifetime (k/sec): (4391950/1676)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 2.0.0.11
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xC19CF421(3248288801)
inbound esp sas:
spi: 0x9192D843(2442319939)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: DYNMAP
sa timing: remaining key lifetime (k/sec): (4411391/1900)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC19CF421(3248288801)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: DYNMAP
sa timing: remaining key lifetime (k/sec): (4411391/1900)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
show crypto dynamic-map
Hub#show crypto dynamic-map
Crypto Map Template"Sites" 10
ISAKMP Profile: sites
Extended IP access list Site1
access-list Site1 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
des-md5,
}
ASA Spoke
When the tunnel comes up, a simple syslog message is emitted:
fw1# %PIX-3-713119: Group = 10.0.0.1, IP = 10.0.0.1, PHASE 1 COMPLETED
show isakmp sa
fw1# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 64.135.2.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
show ipsec sa
fw1# show ipsec sa
interface: outside
Crypto map tag: Site1, seq num: 10, local addr: 1.0.0.2
access-list VPN permit ip 172.16.0.0 255.255.0.0 172.16.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 10.0.0.1
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.0.0.2, remote crypto endpt.: 10.0.01
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7B14991C
inbound esp sas:
spi: 0xF8A75FB4 (4171718580)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: Site1
sa timing: remaining key lifetime (kB/sec): (4274999/3499)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7B14991C (2064947484)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: Site1
sa timing: remaining key lifetime (kB/sec): (4274999/3499)
IV size: 8 bytes
replay detection support: Y
show log with debug crypto engine enabled
%PIX-4-113019: Group = 10.0.0.1, Username = 10.0.0.1, IP = 10.0.0.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:35s, Bytes xmt: 293, Bytes rcv: 428, Reason: Administrator Reset
%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD5554654) between 1.0.0.2 and 10.0.0.1 (user= 10.0.0.1) has been deleted.
%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xE6604202) between 1.0.0.2 and 10.0.0.1 (user= 10.0.0.1) has been deleted.
%PIX-5-713904: IP = 10.0.0.1, Received encrypted packet with no matching SA, dropping
%PIX-5-713041: IP = 10.0.0.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.0.0.1 local Proxy Address 172.16.0.0, remote Proxy Address 172.16.1.0, Crypto map (Site1)
%PIX-4-713903: Group = 10.0.0.1, IP = 10.0.0.1, Freeing previously allocated memory for authorization-dn-attributes
%PIX-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 10.0.0.1
%PIX-3-713119: Group = 10.0.0.1, IP = 10.0.0.1, PHASE 1 COMPLETED
%PIX-5-713073: Group = 10.0.0.1, IP = 10.0.0.1, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
%PIX-5-713049: Group = 10.0.0.1, IP = 10.0.0.1, Security negotiation complete for LAN-to-LAN Group (10.0.0.1) Initiator, Inbound SPI = 0x16d193f0, Outbound SPI = 0x1d2cb0a1
%PIX-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1D2CB0A1) between 1.0.0.2 and 10.0.0.1 (user= 10.0.0.1) has been created.
%PIX-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x16D193F0) between 1.0.0.2 and 10.0.0.1 (user= 10.0.0.1) has been created.
%PIX-5-713120: Group = 10.0.0.1, IP = 10.0.0.1, PHASE 2 COMPLETED (msgid=7f8f63e5)
%PIX-6-302013: Built outbound TCP connection 24 for outside:172.16.1.2/23 (172.16.1.2/23) to inside:172.16.2.2/22889 (172.16.2.2/22889)
%PIX-6-302014: Teardown TCP connection 24 for outside:172.16.1.2/23 to inside:172.16.2.2/22889 duration 0:00:02 bytes 73 TCP FINs
fw1# %PIX-7-111009: User 'enable_15' executed cmd: show logging
%PIX-7-715036: Group = 10.0.0.1, IP = 10.0.0.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x7d070f13)
%PIX-7-715046: Group = 10.0.0.1, IP = 10.0.0.1, constructing blank hash payload
%PIX-7-715046: Group = 10.0.0.1, IP = 10.0.0.1, constructing qm hash payload
%PIX-7-713236: IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=1445e414) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%PIX-7-713236: IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=b9fdccdb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%PIX-7-715047: Group = 10.0.0.1, IP = 10.0.0.1, processing hash payload
%PIX-7-715047: Group = 10.0.0.1, IP = 10.0.0.1, processing notify payload
%PIX-7-715075: Group = 10.0.0.1, IP = 10.0.0.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d070f13)
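As an added example (not from the original page), the Python below replays ASA syslog lines of the kinds shown above into per-peer tunnel state, keyed on the message IDs 113019, 713119, 713120, 713904, 715036 and 715075 that appear in this output, and pairs each DPD R-U-THERE probe with its ack so unanswered probes become visible; that matters here because the hub cannot re-initiate toward a spoke. The sample lines are constructed from the ones above, and the alert threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ASA messages above, one message per line.
SAMPLE_LOG = """\
%PIX-4-113019: Group = 10.0.0.1, Username = 10.0.0.1, IP = 10.0.0.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:35s, Bytes xmt: 293, Bytes rcv: 428, Reason: Administrator Reset
%PIX-5-713904: IP = 10.0.0.1, Received encrypted packet with no matching SA, dropping
%PIX-3-713119: Group = 10.0.0.1, IP = 10.0.0.1, PHASE 1 COMPLETED
%PIX-5-713120: Group = 10.0.0.1, IP = 10.0.0.1, PHASE 2 COMPLETED (msgid=7f8f63e5)
%PIX-7-715036: Group = 10.0.0.1, IP = 10.0.0.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x7d070f13)
%PIX-7-715075: Group = 10.0.0.1, IP = 10.0.0.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d070f13)
fw1# %PIX-7-715036: Group = 10.0.0.1, IP = 10.0.0.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x7d070f14)
"""

MSG = re.compile(r"%(?:PIX|ASA)-\d-(\d{6}): (.*)")  # message id, message text
PEER = re.compile(r"IP = ([\d.]+)")
SEQ = re.compile(r"seq number (0x[0-9a-f]+)")

def track_tunnels(log):
    """Replay syslog lines into per-peer state: phase, last drop reason, unanswered DPDs."""
    peers = defaultdict(lambda: {"state": "down", "reason": None,
                                 "pending_dpd": set(), "no_sa_drops": 0})
    for line in log.splitlines():
        m = MSG.search(line)
        ip = PEER.search(m.group(2)) if m else None
        if not ip:
            continue
        msgid, text = m.groups()
        p = peers[ip.group(1)]
        if msgid == "713119":
            p["state"] = "phase1"
        elif msgid == "713120":
            p["state"] = "up"
        elif msgid == "113019":
            p["state"] = "down"
            p["reason"] = text.rsplit("Reason: ", 1)[-1]
        elif msgid == "713904":  # peer still sends on an SA this side no longer holds
            p["no_sa_drops"] += 1
        elif msgid in ("715036", "715075"):
            seq = SEQ.search(text).group(1)
            if msgid == "715036":
                p["pending_dpd"].add(seq)
            else:
                p["pending_dpd"].discard(seq)
    return dict(peers)

def alerts(peers, max_pending=3):
    """Peers that are down or have more unanswered DPD probes than tolerated (assumed threshold)."""
    return sorted(ip for ip, p in peers.items()
                  if p["state"] != "up" or len(p["pending_dpd"]) > max_pending)
```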