Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should.

Similar presentations


Presentation on theme: "Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should."— Presentation transcript:

1 Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should see ISAKMP initiate. Check “show crypto isakmp sa” to see if an entry is created for us to the remote peer. The router should send a UDP/500 packet towards the other peer. i.e. (IOS) IPv4 Crypto ISAKMP SA dst src state conn-id status 172.18.254.4 172.18.254.89 MM_NO_STATE 0 ACTIVE MM1 Check that the responder actually receives that UDP/500 packet. via: packet capture on the interface Hits on an permit entry for an interface ACL Inbound Netflow counters on the interface PROTOCOL FLOW

2 The responder should receive the MM1 packet and also create an entry in it’s table. Check the table and see if there is an entry. At this point the responder should send back UDP/500 Main Mode Message 2. You can see that with “show cry isakmp sa” i.e. (ASA) 1 IKE Peer: 172.18.254.89 Type : user Role : responder Rekey : no State : MM_WAIT_MSG3 The responder should process the packet and negotiate which ISAKMP policy to choose. “debug crypto isakmp 128” should show you this. If not successful you’ll [IKEv1 DEBUG]IP = 172.18.254.89, All SA proposals found unacceptable If successful you’ll see : [IKEv1 DEBUG]IP = 172.18.254.89, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5 MM2 PROTOCOL FLOW

3 The initiator should receive the MM2 packet (UDP/500) process it. The responder should get the MM3 packet (UDP/500) and Return MM4 (UDP/500) Debugs on IOS show: *Feb 1 21:44:23.314: ISAKMP (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_NO_STATE *Feb 1 21:44:23.314: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 The initiator should then send back MM3 (UDP/500) Debugs on IOS show: *Feb 1 21:44:23.315: ISAKMP:(0): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_SA_SETUP *Feb 1 21:44:23.315: ISAKMP:(0):Sending an IKE IPv4 Packet. *Feb 1 21:44:23.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Feb 1 21:44:23.315: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 *Feb 1 21:44:23.315: (0): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_SA_SETUP *Feb 1 21:44:23.315: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Feb 1 21:44:23.315: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4 PROTOCOL FLOW MM3 MM4

4 R100#show cry isa sa IPv4 Crypto ISAKMP SA dst src state conn-id status 1.1.1.102 1.1.1.100 MM_KEY_EXCH 1006 ACTIVE At this point the Initiator has enough information to determine whether either of the peers are behind NAT. If they are not communication remains to occur on UDP/500, however if they are then it switches to UDP/4500 * Feb 1 21:44:23.315: ISAKMP:(1002):Total payload length: 12 *Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) MM_KEY_EXCH *Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet. *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5 The initiator should send Main Mode message 5. MM5 PROTOCOL FLOW The Responder should receive MM5 and authenticate the Initiator. If responder successfully authenticates the peer it will send back MM6. If it fails the authentication the responder will re-transmit the last successful packet (i.e. MM4) back to the initiator.

5 *Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) MM_KEY_EXCH *Feb 1 21:44:23.315: ISAKMP:(1002): processing ID payload. message ID = 0 *Feb 1 21:44:23.315: ISAKMP (1002): ID payload next-payload : 8 type : 1 address : 1.1.1.102 protocol : 17 port : 500 length : 12 *Feb 1 21:44:23.315: ISAKMP:(0):: peer matches *none* of the profiles *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 0 *Feb 1 21:44:23.315: ISAKMP:(1002):SA authentication status: authenticated *Feb 1 21:44:23.315: ISAKMP:(1002):SA has been authenticated with 1.1.1.102 *Feb 1 21:44:23.315: ISAKMP: Trying to insert a peer 1.1.1.101/1.1.1.102/500/, and inserted successfully 52F9320. *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6 *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE PROTOCOL FLOW MM6 Phase 1 COMPLETE The Phase 1 SA negotiation is complete and the initiator will now propose a phase 2 to protect traffic.

6 PROTOCOL FLOWQM1 The initiator will send QM1 which contains the requested IPsec SA parameters. *Feb 1 21:44:24.315: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 196323019 *Feb 1 21:44:24.315: ISAKMP:(1002):QM Initiator gets spi *Feb 1 21:44:24.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE *Feb 1 21:44:24.315: ISAKMP:(1002):Sending an IKE IPv4 Packet. *Feb 1 21:44:24.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Feb 1 21:44:24.315: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 The responder will validate the proposal. It will check the proposed SA against it’s ACL, peer, and transform configuration. It will send back QM2 to notify whether the proposal was accepted or not. If successful: *Feb 1 21:44:24.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE *Feb 1 21:44:24.315: ISAKMP:(1002): processing HASH payload. message ID = 196323019 *Feb 1 21:44:24.315: ISAKMP:(1002): processing SA payload. message ID = 196323019 *Feb 1 21:44:24.315: ISAKMP:(1002):Checking IPSec proposal 1 *Feb 1 21:44:24.315: ISAKMP: transform 1, ESP_3DES *Feb 1 21:44:24.315: ISAKMP: attributes in transform: *Feb 1 21:44:24.315: ISAKMP: encaps is 2 (Transport) *Feb 1 21:44:24.315: ISAKMP: SA life type in seconds *Feb 1 21:44:24.315: ISAKMP: SA life duration (basic) of 3600 *Feb 1 21:44:24.315: ISAKMP: SA life type in kilobytes *Feb 1 21:44:24.315: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Feb 1 21:44:24.315: ISAKMP: authenticator is HMAC-MD5 *Feb 1 21:44:24.315: ISAKMP:(1002):atts are acceptable.

7 PROTOCOL FLOW QM2 If not successful: *Feb 1 21:44:23.315: ISAKMP (1002): received packet from 1.1.1.102 dport 500 sport 500 Global (I) QM_IDLE *Feb 1 21:44:23.315: ISAKMP: set new node 1984354591 to QM_IDLE *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 1984354591 *Feb 1 21:44:23.315: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2340447730, message ID = 1984354591, sa = 4990F28 *Feb 1 21:44:23.315: ISAKMP:(1002): deleting spi 2340447730 message ID = 24306363 *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 24306363 error TRUE reason "Delete Larval" *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 1984354591 error FALSE reason "Informational (in) state 1" *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE The initiator will the acknowledge the acceptance with QM3 and complete the phase 2 installation. Phase 2 COMPLETE QM3 *Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to 1.1.1.102 my_port 500 peer_port 500 (I) QM_IDLE *Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet. *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node 196323019 error FALSE reason "No Error" *Feb 1 21:44:23.315: ISAKMP:(1002):Node 196323019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE


Download ppt "Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should."

Similar presentations


Ads by Google