PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example
Document ID: 63882
Author: Jared Tate

Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Configure
  Network Diagram
  Configurations
  Configure the PIX/ASA Security Appliance Version 7.x
  Use ASDM
  Enable Reverse Route Injection (RRI)
Verify
  View the Logs
Troubleshoot
Related Information

Introduction
This document provides a sample configuration for a VPN/IPsec with Open Shortest Path First (OSPF) on Cisco PIX Security Appliance Software Version 7.x or Cisco Adaptive Security Appliance (ASA). PIX/ASA 7.x can run OSPF as unicast over an existing IPsec LAN-to-LAN connection: the outside interface is configured as an OSPF point-to-point non-broadcast network with a statically defined neighbor, so the hellos are unicast to the peer address and match the crypto ACL. You no longer need to configure a Generic Routing Encapsulation (GRE) tunnel to carry the routing protocol.

Prerequisites

Requirements
Ensure that you can establish the VPN connection before you attempt this configuration.

Components Used
The information in this document is based on these software and hardware versions:

  • Cisco 2500 that runs Cisco IOS® Software Release 12.1 and later
  • Cis��co 2500 that runs Cisco IOS Software Release 12.0 and later
  • ASA 5500 Security Appliance that runs Software Version 7.x and later

Note: The PIX 500 Series Version 7.x/8.x runs the same software seen in ASA 5500 Version 7.x/8.x. The configurations in this document are applicable to both product lines.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure
In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram
This document uses this network setup (the original diagram is not reproduced here; the addresses below are taken from the configurations that follow):

  Router Left   Ethernet0 10.10.10.2/24, Loopback11 11.11.11.11/24, OSPF process 11
       |
  10.10.10.0/24 (OSPF area 0, broadcast segment)
       |
  ASA Local     inside 10.10.10.1/24, outside 30.30.30.1/24, default route via 30.30.30.2
       |
  IPsec LAN-to-LAN tunnel between 30.30.30.1 and 40.40.40.2; OSPF runs as unicast
  over it (point-to-point non-broadcast with a static neighbor on each side)
       |
  ASA Remote    outside 40.40.40.2/24, inside 20.20.20.1/24, default route via 40.40.40.1
       |
  20.20.20.0/24 (OSPF area 0, broadcast segment)
       |
  Router House  Ethernet0 20.20.20.2/24, Loopback22 22.22.22.22/24, OSPF process 22
                (configured with hostname Right)

Configurations
This document uses these configurations:

  • Router Left
  • Router House (hostname Right in the configuration)

Router Left

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Left
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
interface Loopback11
 ip address 11.11.11.11 255.255.255.0
!
interface Ethernet0
 ip address 10.10.10.2 255.255.255.0
 no keepalive
!
interface Serial0
 no ip address
 no keepalive
 no fair-queue
 ignore-dcd
!
interface Serial1
 no ip address
 shutdown
 ignore-dcd
!
interface BRI0
 no ip address
 shutdown
!
!--- The LAN toward ASA Local and the loopback are both in area 0.
router ospf 11
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 11.11.11.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip http server
!
logging trap debugging
logging 20.20.20.2
access-list 100 permit ip any any
access-list 101 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
!--- Lab setting: the vty lines grant privilege level 15 with no login.
!--- Do not copy this into a production device.
line vty 0 4
 privilege level 15
 no login
!
end

Router House

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Right
!
!--- Lab setting: the "none" fallback lets logins succeed unauthenticated
!--- whenever the TACACS+ server cannot be reached.
aaa new-model
aaa authentication login default group tacacs+ none
aaa authorization exec default group tacacs+ none
!
ip subnet-zero
no ip domain-lookup
!
cns event-service server
!
interface Loopback22
 ip address 22.22.22.22 255.255.255.0
 no ip directed-broadcast
!
!--- Unused here: OSPF runs over the IPsec tunnel, so no GRE tunnel is needed.
interface Tunnel0
 no ip address
 no ip directed-broadcast
!
interface Ethernet0
 ip address 20.20.20.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Async1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
!
router ospf 22
 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip http server
!
line con 0
 transport input none
line 1 8
line aux 0
line vty 0 4
!
end

Configure the PIX/ASA Security Appliance Version 7.x
You can configure the PIX/ASA Security Appliance from the command-line interface (CLI) or through the Adaptive Security Device Manager (ASDM) GUI. The configuration in this section is for the ASA "Local". You configure the ASA "Remote" in the same way and only adjust for the differences in IP addressing.

Console into the PIX/ASA to configure the PIX/ASA Security Appliance version 7.x. From a cleared configuration, use the interactive prompts in order to enable the ASDM GUI for the management of the PIX/ASA from workstation 10.10.10.3.

Note: If the OSPF neighbor does not come up, consider the option to reduce the maximum transmission unit (MTU) size. IPsec encapsulation adds overhead to every packet (the show crypto ipsec sa output in the Verify section reports 60 bytes on this tunnel), so OSPF packets that fill the interface MTU no longer fit through the tunnel.

PIX/ASA-ASDM Bootstrap

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
Enable password []: cisco
Allow password recovery [yes]?
Clock (UTC):
  Year [2006]:
  Month [May]:
  Day [25]:
  Time [06:00:44]:
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

The following configuration will be used:
Enable password: cisco
Allow password recovery: yes
Clock (UTC): 06:00:44 May 25 2006
Firewall Mode: Routed
Inside IP address: 10.10.10.1
Inside network mask: 255.255.255.0
Host name: Local
Domain name: cisco.com
IP address of host running Device Manager: 10.10.10.3

Use this configuration and write to flash? yes
INFO: Security level for "inside" set to 100 by default.
Cryptochecksum: 34f55366 a32e232d ebc32ac1 3bfa201a
969 bytes copied in 0.880 secs

Use ASDM
Complete these steps in order to configure via the ASDM GUI:

1. From workstation 10.10.10.3, open a browser and use ASDM. In this example, you use https://10.10.10.1.

2. Click Yes on the certificate prompts (at this point the appliance presents its self-signed certificate).

3. Log in with the enable password. This is the password that was set in the PIX/ASA-ASDM Bootstrap configuration.

4. Make a selection at the prompt to use ASDM Launcher or ASDM as a Java App. This prompt appears only if this is the first time that you have run ASDM on the PC. This example has selected and installed the ASDM Launcher.

5. Go to the ASDM Home window and click the Configuration tab.

6. Choose Interface > Edit in order to configure the outside interface.

7. Click OK.

8. Enter the interface details and click OK when complete.

9. Click OK in the Security Level Change dialog box.

10. Click Apply in order to accept the interface configuration.

The configuration also gets pushed onto the PIX.

Note: This example uses static routes.

11. Choose Features > Routing > Static Route and click Add.

12. Configure the default gateway and click OK.

13. Configure a host-based static route for the remote peer's outside address and click OK. Without it, once OSPF is up the ASA could learn a route that covers the peer's own outside network through the tunnel and then try to send the tunnel's outer packets into the tunnel itself (recursive routing).

14. Click Apply in order to accept the routing configuration.

The configuration also gets pushed onto the PIX.

15. Choose Wizards > VPN Wizard in order to use the VPN Wizard and create the LAN-to-LAN connection.

16. In the VPN Wizard window, click Next where Site-to-Site is the default selection.

17. Add the Peer IP Address, Tunnel Group Name (which is the IP address), and Pre-Shared Key information, and click Next.

18. Add the Encryption type, Authentication type, DH Group information, and click Next.

19. Add the IPsec parameters, Encryption type, Authentication type information, and click Next.

20. Configure the inside host network. Click Add in order to move the address to the Selected Host/Networks field within this window. Click Next when complete.

21. Configure the outside host network. Click Add in order to move the address to the Selected Host/Networks field within this window. Click Next when complete.

22. Review the Summary for accuracy, then click Next.

23. Choose Configuration > VPN in order to verify the LAN-to-LAN tunnel configurations that the VPN Wizard created.

24. Create an access list in order to allow OSPF traffic to go across the VPN.

This entry in the crypto ACL makes OSPF (IP protocol 89) between the two outside interface addresses interesting traffic, so the unicast hellos and the database exchange are encrypted. Without it the hellos never match the crypto map and the adjacency does not form. Choose Configuration > VPN.

25. Choose IPSec > IPSec Rules and click Add.

26. Add the OSPF neighbor (IP address) data in this window and click OK. Note: Be sure that you work on the outside interface.

27. Verify that the information is correct and click Apply.

28. Choose Configuration > NAT and click Translation Exemption Rules in order to verify the Network Address Translation (NAT) configurations that the VPN Wizard created.

29. Because this example uses NAT, uncheck the check box for Enable traffic through the firewall without address translation, then click Add. This step configures the NAT Rule.

30. Configure the Source Network. Click Browse in order to define the NAT pool addresses for the inside. Then select outside for Translate Address on Interface and click Manage Pools.

31. Select the outside interface and click Add.

32. Because Port Address Translation (PAT) uses the IP address of the interface in this example, click Port Address Translation (PAT) using the IP address of the interface.

33. Click OK after you configure the PAT pools.

34. In the Add Address Translation Rule window, select the Address Pool that the configured Source Network is to use.

35. Click OK. This window shows the output from the NAT configuration.

36. Click Apply in order to save the configuration.

37. Choose Configuration > Routing > OSPF > Setup, go to the Process Instances tab and check Enable this OSPF Process in order to set up OSPF on the PIX.

38. Choose Area/Networks and click Add.

39. Enter the IP Address and Netmask of one network in the OSPF process field and click OK. (MD5 authentication is shown as an optional element; it is not required for OSPF to come up.)

40. Verify that the information is correct and click Edit.

41. Enter the IP Address and Netmask of the second network, the outside network of the remote peer, in the OSPF process field and click OK.

42. Verify that the information is correct and click Apply.

43. Choose OSPF > Interface > Properties > Outside and click Edit.

44. Uncheck Broadcast on the outside interface.

Note: This must be unicast.

45. Check the Broadcast column for the outside interface in order to verify that the selection is no and click Apply.

46. Choose OSPF > Static Neighbor and click Add.

47. Enter the IP address in the Neighbor field and select outside for the Interface. Click OK.

48. Verify that the information is correct and click Apply. This action completes the configuration.

Choose File > Show Running Configuration in New Window in order to view the CLI configuration.

ASA Local

ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
!--- This line allows the unicast of OSPF over the IPsec tunnel.
 ospf network point-to-point non-broadcast
!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.
!--- Defining the key alone does not turn authentication on; the interface
!--- also needs "ospf authentication message-digest" (not shown here).
 ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Local
ftp mode passive
!--- These access control list (ACL) entries define interesting traffic for IPsec
!--- encryption and allow the traffic to bypass NAT. OSPF appears only in the
!--- crypto ACL: it is traffic the ASA itself originates, so it needs no NAT
!--- exemption entry.
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
!--- Do not translate traffic with NAT.
nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0
!
!--- This is OSPF.
!--- Note: You must define the outside network of the remote peer.
router ospf 100
 network 10.10.10.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0
!--- This is where OSPF is told where the PEER is located.
 neighbor 40.40.40.2 interface outside
 log-adj-changes
!
!--- This is a host based static. This is not always necessary, but recommended
!--- to prevent recursive routing loops when OSPF comes up over the IPsec tunnel.
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
!--- This is the IPsec and IKE/ISAKMP configuration.
!--- Make sure basic IPsec connectivity is present before you add in OSPF.
!--- 3DES, MD5/SHA-1, DH group 2 and the pre-shared key "cisco" are lab values;
!--- use a current proposal and a strong key in production.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
 pre-shared-key cisco
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end

ASA Remote

ASA Version 7.X
no names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 40.40.40.2 255.255.255.0
!--- This line allows the unicast of OSPF over the IPsec tunnel.
 ospf network point-to-point non-broadcast
!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.
!--- Defining the key alone does not turn authentication on; the interface
!--- also needs "ospf authentication message-digest" (not shown here).
 ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Remote
ftp mode passive
!--- These ACL entries define interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. OSPF appears only in the crypto ACL: it is traffic
!--- the ASA itself originates, so it needs no NAT exemption entry.
same-security-traffic permit intra-interface
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 20 interface
!--- Do not translate traffic with NAT.
nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0
!
!--- This is OSPF.
!--- Note: You must define the remote peer's outside network.
router ospf 100
 network 20.20.20.0 255.255.255.0 area 0
 network 30.30.30.0 255.255.255.0 area 0
 network 40.40.40.0 255.255.255.0 area 0
!--- This is where OSPF is told where the PEER is located.
 neighbor 30.30.30.1 interface outside
 log-adj-changes
!
!--- This is a host based static. This is not always necessary, but recommended
!--- to prevent recursive routing loops when OSPF comes up over the IPsec tunnel.
route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
!--- This is the IPsec configuration. Make sure basic IPsec connectivity is present
!--- before you add in OSPF. The proposal and pre-shared key are lab values, as on
!--- the Local ASA.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
 pre-shared-key cisco
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end
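The two ASA configurations above have to agree on several points before OSPF forms an adjacency through the tunnel: the crypto ACLs must mirror each other (otherwise quick mode fails on a proxy-identity mismatch), OSPF (IP protocol 89) between the two outside addresses must be in the crypto ACL, the LAN-to-LAN networks must be NAT-exempt, the outside interface must be point-to-point non-broadcast with a static neighbor, and a host static route to the peer must exist. The following Python script is an added example, not part of this Cisco document and not an ASA or ASDM tool, that parses the relevant lines of both configurations and reports every condition that is not met. The configuration excerpts inside it are constructed from the two configurations above, and the parser handles only the command forms that appear on this page.

```python
import ipaddress

# Constructed excerpts of the two ASA configurations above; not captured from a live device.
LOCAL_CFG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 30.30.30.1 255.255.255.0
 ospf network point-to-point non-broadcast
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
nat (inside) 0 access-list nonat
router ospf 100
 neighbor 40.40.40.2 interface outside
route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
"""
REMOTE_CFG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 40.40.40.2 255.255.255.0
 ospf network point-to-point non-broadcast
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1
nat (inside) 0 access-list nonat
router ospf 100
 neighbor 30.30.30.1 interface outside
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1
crypto map vpn 10 match address crypto
crypto map vpn 10 set peer 30.30.30.1
"""

def _net(ip, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{ip}/{mask}")

def parse_asa(cfg):
    c = {"outside": None, "p2p": False, "acls": {}, "nonat": None,
         "neighbors": [], "routes": [], "crypto_acl": None, "peer": None}
    nameif, raw_acls = None, []
    for t in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "outside":
            c["outside"] = t[2]
        elif t[:2] == ["ospf", "network"] and "non-broadcast" in t and nameif == "outside":
            c["p2p"] = True
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            raw_acls.append((t[1], t[4], t[5:]))  # name, protocol, address tokens
        elif t[0] == "nat" and t[2] == "0":
            c["nonat"] = t[4]
        elif t[0] == "neighbor":
            c["neighbors"].append((t[1], t[3]))
        elif t[0] == "route":
            c["routes"].append((t[1], _net(t[2], t[3]), t[4]))
        elif t[:2] == ["crypto", "map"] and t[4:6] in (["match", "address"], ["set", "peer"]):
            c["crypto_acl" if t[4] == "match" else "peer"] = t[6]

    def addr(tok):  # host X | interface NAME | IP MASK; resolved once the outside IP is known
        kind = tok.pop(0)
        if kind == "interface":
            tok.pop(0)
            return _net(c["outside"])
        return _net(tok.pop(0)) if kind == "host" else _net(kind, tok.pop(0))

    for name, proto, tok in raw_acls:
        c["acls"].setdefault(name, []).append((proto, addr(tok), addr(tok)))
    return c

def check_side(label, me, other):
    """Findings for one ASA measured against its peer; an empty list means consistent."""
    f, my_ip, peer = [], me["outside"], me["peer"]
    mine = me["acls"].get(me["crypto_acl"], [])
    # Proxy IDs must mirror, or IKE quick mode fails with a proxy-identity mismatch.
    for proto, src, dst in mine:
        if (proto, dst, src) not in other["acls"].get(other["crypto_acl"], []):
            f.append(f"{label}: crypto ACL {proto} {src} -> {dst} has no mirror on the peer")
    # OSPF (IP protocol 89) between the two outside addresses must be interesting traffic.
    if ("ospf", _net(my_ip), _net(peer)) not in mine:
        f.append(f"{label}: crypto ACL does not permit ospf {my_ip} -> {peer}")
    # LAN-to-LAN ip entries must also be NAT-exempt so nat 0 and the crypto ACL agree.
    for e in mine:
        if e[0] == "ip" and e not in me["acls"].get(me["nonat"], []):
            f.append(f"{label}: {e[1]} -> {e[2]} is encrypted but not NAT-exempt")
    # Unicast hellos need point-to-point non-broadcast plus a static neighbor on outside.
    if not me["p2p"]:
        f.append(f"{label}: outside lacks 'ospf network point-to-point non-broadcast'")
    if (peer, "outside") not in me["neighbors"]:
        f.append(f"{label}: no 'neighbor {peer} interface outside'")
    # Recursive-routing guard: a /32 static to the peer keeps OSPF from routing the tunnel into itself.
    if not any(i == "outside" and d == _net(peer) for i, d, _ in me["routes"]):
        f.append(f"{label}: no host static route to peer {peer} on outside")
    return f

def check_pair(local_cfg, remote_cfg):
    local, remote = parse_asa(local_cfg), parse_asa(remote_cfg)
    return check_side("Local", local, remote) + check_side("Remote", remote, local)
```

check_pair(LOCAL_CFG, REMOTE_CFG) returns an empty list for the two configurations as shown; deleting the host static route on one side, or the ospf entry of one crypto ACL, produces the matching finding for each side. The checks are deliberately symmetric, since the mirror rule is the one most often broken when the two devices are configured by hand at different times.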

Enable Reverse Route Injection (RRI)
In order to inject the remote LAN-to-LAN VPN networks into OSPF, refer to Verify that Routing is Correct for the CLI configuration and to LAN-to-LAN Network RRI for the ASDM configuration.

Verify
Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

• logging buffer debugging: Shows the establishment of connections and denial of connections to hosts that go through the PIX. The PIX log buffer stores the information. You can see the output if you use the show log command. You can use ASDM in order to enable logging and to view the logs.

• show crypto isakmp sa: Shows the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) that is built between peers. The Local ASA initiated the tunnel (Role: initiator) and the Remote ASA answered (Role: responder); both report the Phase 1 SA as MM_ACTIVE.

Local#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 40.40.40.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Remote#show crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 30.30.30.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

• show crypto ipsec sa: Shows each Phase 2 SA that is built and the amount of traffic that is sent. The only SA shown here is the one for the OSPF proxy identities (protocol 89 between the two outside addresses); the SA for 10.10.10.0/24 to 20.20.20.0/24 is negotiated on demand, when LAN traffic first matches the crypto ACL. Each side's inbound SPI is the other side's outbound SPI (0xAE9AB30C and 0x83444440), which confirms that the two outputs describe the same SA pair.

Local#show crypto ipsec sa
interface: outside
    Crypto map tag: vpn, local addr: 30.30.30.1

      local ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
      current_peer: 40.40.40.2

      #pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
      #pkts decaps: 355, #pkts decrypt: 355, #pkts verify: 355
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 355, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 30.30.30.1, remote crypto endpt.: 40.40.40.2
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 83444440

    inbound esp sas:
      spi: 0xAE9AB30C (2929373964)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (3824976/25399)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x83444440 (2202289216)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (3824975/25396)
         IV size: 8 bytes
         replay detection support: Y

Remote#show crypto ipsec sa
interface: outside
    Crypto map tag: vpn, local addr: 40.40.40.2

      local ident (addr/mask/prot/port): (40.40.40.2/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (30.30.30.1/255.255.255.255/89/0)
      current_peer: 30.30.30.1

      #pkts encaps: 364, #pkts encrypt: 364, #pkts digest: 364
      #pkts decaps: 364, #pkts decrypt: 364, #pkts verify: 364
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 364, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 40.40.40.2, remote crypto endpt.: 30.30.30.1
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: AE9AB30C

    inbound esp sas:
      spi: 0x83444440 (2202289216)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (4274975/25301)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xAE9AB30C (2929373964)
         transform: esp-3des esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpn
         sa timing: remaining key lifetime (kB/sec): (4274975/25300)
         IV size: 8 bytes
         replay detection support: Y

• show ospf neighbor: Shows that the OSPF neighbor relationships have formed. The state FULL/ - on the outside interface is expected: a point-to-point non-broadcast network elects no DR or BDR, whereas the inside LAN segments show FULL/DR.

Local#show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
40.40.40.2        1   FULL/  -        0:00:38     40.40.40.2      outside
11.11.11.11       1   FULL/DR         0:00:33     10.10.10.2      inside

Remote#show ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
30.30.30.1        1   FULL/  -        0:00:38     30.30.30.1      outside
22.22.22.22       1   FULL/DR         0:00:38     20.20.20.2      inside

• show debugDisplays the debug output. Local(config)#show debug debug crypto ipsec enabled at level 1 debug crypto engine enabled at level 1 debug crypto isakmp enabled at level 1 May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, IKE SA MM:ec9c234a rcv'd Terminate: state MM_ACTIVE flags 0x0021c042, ref2cnt 1, tuncnt 1 May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing blank hash May 25 12:49:21 [IKEv1 DEBUG]: constructing IPSec delete payload May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing qm hash May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message (msgid=df6487d8) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64 May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Active unit receives a delete event for remote peer 40.40.40.2. May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, IKE Deleting SA: Remote Proxy 40.40.40.2, Local Proxy 30.30.30.1 May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, IKE SA MM:ec9c234a terminating: flags 0x0121c002, refcnt 0, tuncnt 0 May 25 12:49:21 [IKEv1 DEBUG]: sending delete/delete with reason message May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing blank hash May 25 12:49:21 [IKEv1 DEBUG]: constructing IKE delete payload May 25 12:49:21 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing qm hash May 25 12:49:21 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message (msgid=ec167928) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76 May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x504ea964 May 25 12:49:21 [IKEv1 DEBUG]: pitcher: received key delete msg, spi 0x79fbcb2d 28−05−05−ASA5520−2(config)# May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing SA payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 
40.40.40.2, Oakley proposal is acceptable May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload

May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Fragmentation VID May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing IKE SA May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3 May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ISA_SA for isakmp May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing Fragmentation VID + extended capabilities payload May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108 May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256 May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ke payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing ISA_KE May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing nonce payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Cisco Unity client VID May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received xauth V6 VID May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, processing VID payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing ke payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing nonce payload May 25 12:49:39 
[IKEv1 DEBUG]: IP = 40.40.40.2, constructing Cisco Unity VID payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing xauth V6 VID payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send IOS VID May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, constructing VID payload May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on tunnel_group 40.40.40.2 May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Generating keys for Responder... May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256 May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) + VENDOR (13) + NONE (0) total length : 92 May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Processing ID May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received 40.40.40.2 May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, processing hash May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, computing hash May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Processing IOS keep alive payload: proposal=32767/32767 sec. May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, processing VID payload May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Received DPD VID May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Connection landed on tunnel_group 40.40.40.2 May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2,

constructing ID
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, construct hash payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, computing hash
May 25 12:49:39 [IKEv1 DEBUG]: IP = 40.40.40.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing dpd vid payload
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) + VENDOR (13) + NONE (0) total length : 92
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, PHASE 1 COMPLETED
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, Keep-alive type for this connection: DPD
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Starting phase 1 rekey timer: 73440000 (ms)
May 25 12:49:39 [IKEv1 DECODE]: IP = 40.40.40.2, IKE Responder starting QM: msg id = 0529ac6b
May 25 12:49:39 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message (msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, processing hash
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, processing SA payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, processing nonce payload
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received 40.40.40.2
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Received remote Proxy Host data in ID Payload: Address 40.40.40.2, Protocol 89, Port 0
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Processing ID
May 25 12:49:39 [IKEv1 DECODE]: ID_IPV4_ADDR ID received 30.30.30.1
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Received local Proxy Host data in ID Payload: Address 30.30.30.1, Protocol 89, Port 0
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Processing Notify payload
May 25 12:49:39 [IKEv1]: QM IsRekeyed old sa not found by addr
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Static Crypto Map check, checking map = vpn, seq = 10...
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Static Crypto Map check, map vpn, seq = 10 is a successful match
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, IKE Remote Peer configured for SA: vpn
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, processing IPSEC SA
May 25 12:49:39 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 10
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, IKE: requesting SPI!
May 25 12:49:39 [IKEv1]: Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE
May 25 12:49:40 [IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xf629186e
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, oakley constucting quick mode
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing blank hash
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing ISA_SA for ipsec
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing ipsec nonce payload
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing proxy ID
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Transmitting Proxy Id:
  Remote host: 40.40.40.2 Protocol 89 Port 0
  Local host: 30.30.30.1 Protocol 89 Port 0
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, constructing qm hash
May 25 12:49:40 [IKEv1 DECODE]: IKE Responder sending 2nd QM pkt: msg id = 0529ac6b
May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE SENDING Message (msgid=529ac6b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156
May 25 12:49:40 [IKEv1]: IP = 40.40.40.2, IKE DECODE RECEIVED Message (msgid=529ac6b) with payloads : HDR + HASH (8) + NONE (0) total length : 48
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, processing hash
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, loading all IPSEC SAs
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Generating Quick Mode Key!
May 25 12:49:40 [IKEv1 DEBUG]: Group = 40.40.40.2, IP = 40.40.40.2, Generating Quick Mode Key!
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Security negotiation complete for LAN-to-LAN Group (40.40.40.2) Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x524e01e4
May 25 12:49:40 [IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xf629186e
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Starting P2 Rekey timer to expire in 24480 seconds
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, PHASE 2 COMPLETED (msgid=0529ac6b)
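The lines worth checking in that debug output are the ones that show both IKE phases completing and the proxy identities the peers agreed on: host-to-host, IP protocol 89 (OSPF), between 30.30.30.1 and 40.40.40.2. The following parser is an added example, not part of the Cisco document; it runs over a constructed sample in the same message format and confirms the negotiated SA is scoped to exactly that OSPF traffic and nothing wider.

```python
import re

# Constructed sample in the format of the PIX/ASA IKEv1 debug output above
# (addresses and SPIs taken from the page; the block itself is added here).
SAMPLE_LOG = """\
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, PHASE 1 COMPLETED
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Received remote Proxy Host data in ID Payload: Address 40.40.40.2, Protocol 89, Port 0
May 25 12:49:39 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Received local Proxy Host data in ID Payload: Address 30.30.30.1, Protocol 89, Port 0
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, Security negotiation complete for LAN-to-LAN Group (40.40.40.2) Responder, Inbound SPI = 0xf629186e, Outbound SPI = 0x524e01e4
May 25 12:49:40 [IKEv1]: Group = 40.40.40.2, IP = 40.40.40.2, PHASE 2 COMPLETED (msgid=0529ac6b)
"""

OSPF_PROTO = 89  # IP protocol number carried in the proxy ID for OSPF

PROXY_RE = re.compile(r"Received (remote|local) Proxy Host data in ID Payload: "
                      r"Address ([\d.]+), Protocol (\d+), Port (\d+)")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)")


def parse_ike_debug(text):
    """Summarise one IKEv1 negotiation: phase flags, proxy IDs per side, SPIs."""
    summary = {"phase1": False, "phase2": False, "proxy": {}, "spi": None}
    for line in text.splitlines():
        if "PHASE 1 COMPLETED" in line:
            summary["phase1"] = True
        elif "PHASE 2 COMPLETED" in line:
            summary["phase2"] = True
        m = PROXY_RE.search(line)
        if m:
            side, addr, proto, port = m.groups()
            summary["proxy"][side] = (addr, int(proto), int(port))
        m = SPI_RE.search(line)
        if m:
            summary["spi"] = {"inbound": m.group(1), "outbound": m.group(2)}
    return summary


def tunnel_scoped_to_ospf(summary, local, remote):
    """True only if both phases finished, SPIs were installed, and the proxy IDs
    are exactly host-to-host OSPF between the expected local and remote peers."""
    if not (summary["phase1"] and summary["phase2"] and summary["spi"]):
        return False
    expected = {"local": (local, OSPF_PROTO, 0), "remote": (remote, OSPF_PROTO, 0)}
    return summary["proxy"] == expected


if __name__ == "__main__":
    result = parse_ike_debug(SAMPLE_LOG)
    print(result)
    print("OSPF-only SA:", tunnel_scoped_to_ospf(result, "30.30.30.1", "40.40.40.2"))
```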

Verify that the LAN-to-LAN connection passes routing traffic by checking the routers:
• show ip route: Displays IP routing table entries.

Left#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
O       20.20.20.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
     22.0.0.0/32 is subnetted, 1 subnets
O       22.22.22.22 [110/31] via 10.10.10.1, 00:59:37, Ethernet0
     40.0.0.0/24 is subnetted, 1 subnets
O       40.40.40.0 [110/30] via 10.10.10.1, 00:59:37, Ethernet0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, Ethernet0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Loopback11
     30.0.0.0/24 is subnetted, 1 subnets
O       30.30.30.0 [110/20] via 10.10.10.1, 00:59:38, Ethernet0
S*   0.0.0.0/0 [1/0] via 10.10.10.1

Left#ping 20.20.20.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!

Right#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 20.20.20.1 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
C       20.20.20.0 is directly connected, Ethernet0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     40.0.0.0/24 is subnetted, 1 subnets
O       40.40.40.0 [110/20] via 20.20.20.1, 01:01:45, Ethernet0
     10.0.0.0/24 is subnetted, 1 subnets
O       10.10.10.0 [110/30] via 20.20.20.1, 01:01:45, Ethernet0
     11.0.0.0/32 is subnetted, 1 subnets
O       11.11.11.11 [110/31] via 20.20.20.1, 01:01:45, Ethernet0
     30.0.0.0/24 is subnetted, 1 subnets
O       30.30.30.0 [110/30] via 20.20.20.1, 01:01:46, Ethernet0
S*   0.0.0.0/0 [1/0] via 20.20.20.1

Right#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms

View the Logs
Complete these steps in order to view the logs:

1. Choose Configuration > Properties > Logging > Logging Setup, check Enable logging, and click Apply.

2. Choose Monitoring > Logging > Log Buffer > Logging Level, select Logging Buffer from the drop-down menu, and click View.

Here is an example of the Log Buffer:

In order to view related graphs, choose Monitoring > VPN > IPSEC Tunnels. Then, move IPsec Active Tunnels and IKE Active Tunnels to Selected Graphs, and choose Show Graphs.

Troubleshoot
There is currently no specific troubleshooting information available for this configuration.

Related Information
• Cisco ASA 5500 Series Adaptive Security Appliances
• Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
• Cisco PIX Firewall Software
• Cisco Secure PIX Firewall Command References
• Product Field Notice Summary page (including PIX)
• Requests for Comments (RFCs)
• Technical Support & Documentation - Cisco Systems


Updated: Oct 14, 2008

Document ID: 63882