Académique Documents
Professionnel Documents
Culture Documents
8121_05_2003_c2
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
PKI-based troubleshooting
Debugs from the PIX platforms
Dynamic Multipoint VPN (DMVPN)
IPSec VPN Service Module
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Secure Communications
Using IPSec VPN
ISAKMP and IKE
Proposals
Key Generation
Key Management
Security Association
Proposals
VPN Tunnel
IPSec
Message
Message
Me
ssa
ge
SEC-3010
8121_05_2003_c2
Two-phase protocol:
Phase I exchange: two peers establish a secure, authenticated
channel with which to communicate; main mode or aggressive mode
accomplishes a phase I exchange
Phase II exchange: security associations are negotiated on behalf
of IPSec services; quick mode accomplishes a phase II exchange
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
Responder
IKE
DES
DES
MD5
SHA
DH 1
DH 2
Pre-Share Pre-Share
HDR, SA Proposal
HDR, SA choice
DES
MD5
DH 1
Pre-Share
Generate
DH public value
and Nonce
HASHR =HMAC(SKEYID,
KER |KEI |cookieR |
cookieI |SA|IDR )
IDs are exchanged, HASH is verified for authentication
ID and HASH are encrypted by derived shared secret
SEC-3010
8121_05_2003_c2
Responder
IPSec
ESP
DES
SHA
PFS 1
ESP
DES
SHA
PFS 1
HDR*, HASH3
Protected by Phase I SA
Optional DH exchange for Perfect Forward Secrecy (PFS)
Negotiate IPSec SA parameters, including proxy identities [IDCI, IDCR]
Two unidirectional IPSec SA established with unique SPI number
Nonce exchanged for generating session key
KEYMAT = HMAC (SKEYIDd,[KEIKER|]protocol|SPI|NonceI|NonceR)
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
10
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
11
Layout
209.165.200.227
209.165.201.4
Backbone
Router1
Router2
10.1.1.0/24
10.1.2.0/24
Encrypted
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
12
Router Configurations
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key jw4ep9846804ijl address 209.165.201.4
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
SEC-3010
8121_05_2003_c2
13
Router Configurations
interface Ethernet0/2
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
ip address 209.165.200.227 255.255.255.0
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
14
Router Configurations
R1#show crypto map
Crypto Map "vpn" 10 IPsec-isakmp
Peer = 209.165.201.4
Extended IP access list 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Current peer: 209.165.201.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
Interfaces using crypto map vpn:
Ethernet0/3
SEC-3010
8121_05_2003_c2
15
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
16
17
Tunnel Establishment
Interesting Traffic Received
The local is the local tunnel end-point, the remote is the remote crypto end
point as configured in the map. The src proxy is the src interesting traffic as
defined by the match address access list; The dst proxy is the destination
interesting traffic as defined by the match address access list
protocol= ESP, transform= esp-3des esp -md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x4579753B(1165587771), conn_id= 0, keysize= 0, flags= 0x 400A
The protocol and the transforms are specified by the crypto map which has
been hit, as are the lifetimes
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
18
Responder
IKE
3DES
SHA-1
DH 1
Pre-Share
HDR, SAProposal
HDR, SAchoice
3DES
SHA-1
DH 1
Pre-Share
(I)
19
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
22:17:24:
ISAKMP (0:1):
ISAKMP (0:1):
ISAKMP (0:1):
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP (0:1):
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
20
Responder
IKE
3DES
SHA-1
DH 1
Pre-Share
3DES
SHA-1
DH 1
Pre-Share
HDR, SAProposal
HDR, SAchoice
HDR, KEI, NonceI
21
Responder
IKE
3DES
SHA-1
DH 1
Pre-Share
HDR, SAProposal
HDR, SAchoice
3DES
SHA-1
DH 1
Pre-Share
HDR*,
ID
,
HASH
I
I
ISAKMP (0:1): sending packet to 209.165.201.4
(I) MM_KEY_EXCH
HDR*, IDR, HASHR
ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETEOld State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP (0:1): received packet from 209.165.201.4 (I) MM_KEY_EXCH
ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP (0:1): processing ID payload. message ID = 0
ISAKMP (0:1): processing HASH payload. message ID = 0
ISAKMP (0:1): SA has been authenticated with 209.165.201.4
ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
22
Responder
IKE
IPSec
ESP
3DES
SHA
ESP
3DES
SHA
The IPSec SA proposal offered by far end will be checked against local
crypto map configuration
ISAKMP (0:1): processing HASH payload. message ID = 843945273
ISAKMP (0:1): processing SA payload. message ID = 843945273
SEC-3010
8121_05_2003_c2
23
attributes in transform:
ISAKMP:
encaps is 1
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
ISAKMP:
authenticator is HMAC-MD5
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
24
SEC-3010
8121_05_2003_c2
25
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
26
Responder
IKE
IPSec
ESP
3DES
SHA
ESP
3DES
SHA
HDR*, HASH3
sa_spi= 0x4579753B(1165587771),
Data
sa_trans= esp -3des esp -md5-hmac ,
sa_conn_id= 2000
IPsec(create_sa): sa created,
(sa) sa_dest= 209.165.201.4, sa_prot= 50, sa_spi= 0x8E1CB77A(23 84246650),
sa_trans= esp -3des esp -md5-hmac , sa_conn_id= 2001
ISAKMP (0:1): sending packet to 209.165.201.4 (I) QM_IDLE
ISAKMP (0:1): Node 843945273, Input = IKE_MESG_FROM_PEER, IKE_QM _EXCH
Old State = IKE_QM_I_QM1
SEC-3010
8121_05_2003_c2
27
Show Commands
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
28
Show Commands
Interface
IP -Address
Ethernet0/3
209.165.200.227 set
State
Algorithm
Encrypt
Decrypt
HMAC_SHA+3DES_56_C
19
This is ISAKMP SA
2000 Ethernet0/3
209.165.200.227 set
HMAC_MD5+3DES_56_C
2001 Ethernet0/3
209.165.200.227 set
HMAC_MD5+3DES_56_C
19
src
209.165.201.4
209.165.200.227
SEC-3010
8121_05_2003_c2
state
QM_IDLE
conn-id
1
slot
0
29
Show Commands
Router#sh crypto ipsec sa
interface: Ethernet0/3
Crypto map tag: vpn, local addr. 209.165.200.227
local
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
30
Show Commands
inbound esp sas:
spi: 0x4579753B(1165587771)
transform: esp-3des esp -md5 -hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
31
Hardware info
Show diag
Display statistics
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
32
Indicates Hardware
Crypto Engine on
show diag
slot : 0
Encryption AIM 0:
Hardware Revision
: 1.0
: 800-15369-03
Board Revision
: B0
SEC-3010
8121_05_2003_c2
33
0 packets out
0 packet overruns
Last 5 minutes:
0 packets in
0 packets out
0 packets decrypted
0 packets encrypted
0 bytes decrypted
0 bytes encrypted
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
34
35
Privileged Mode:
0x0000
unknown
Maximum DH index:
1014
ISA/ISM
Maximum SA index:
2029
CryptIC Version:
CGX Version:
FF41
0111
0003030F
3-DES [07F000260000]
Compression:
3 DES:
SEC-3010
8121_05_2003_c2
4059
No
4096
0000
platform: predator
crypto_engine
Unlock Count:
Yes
2003, Cisco Systems, Inc. All rights reserved.
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
36
Common Issues
Incompatible ISAKMP policy or
pre-shared secrets
Incompatible transform sets
Incompatible or incorrect access lists
Crypto map on the wrong interface
Overlapping ACLs
Routing issues
Caveats: switching paths
SEC-3010
8121_05_2003_c2
37
hash algorithm:
authentication method:
Rivest-Shamir-Adleman Signature
Diffie-Hellman group:
#1 (768 bit)
lifetime:
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
38
ISAKMP:
hash MD5
ISAKMP:
default group 1
ISAKMP:
ISAKMP:
ISAKMP:
life duration (VPI) of
0x0 0x1 0x51 0x80
ISAKMP (0:1): Hash algorithm offered
does not match policy!
ISAKMP (0:1): atts are not acceptable.
Next payload is 0
SEC-3010
8121_05_2003_c2
ISAKMP:
hash MD5
ISAKMP:
default group 1
ISAKMP:
ISAKMP:
ISAKMP:
life duration (VPI) of
0x0 0x1 0x51 0x80
ISAKMP (0:1): Encryption algorithm
offered does not match policy!
ISAKMP (0:1): atts are not acceptable.
Next payload is 0
ISAKMP (0:1): no offers accepted!
ISAKMP (0:1): phase 1 SA not
acceptable!
39
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
40
41
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
42
Incompatible or
Incorrect Access Lists
SEC-3010
8121_05_2003_c2
43
Incompatible or
Incorrect Access Lists
1w6d: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.165.201.4, remote= 209.165.200.227,
local_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1w6d: IPSEC(validate_transform_proposal): proxy identities not supported
1w6d: ISAKMP (0:2): IPSec policy invalidated proposal
1w6d: ISAKMP (0:2): phase 2 SA not acceptable!
Access List at 209.165.200.227:
access list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Access List at 209.165.201.4:
access list 101 permit ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
44
45
Overlapping ACLs
If there are multiple peers to a router,
make sure that the match address
access lists for each of the peers are
mutually exclusive from the match
address access list for the other peers
If this is not done, the router will choose
the wrong crypto map to try and establish
a tunnel with one of the other peers
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
46
47
Routing Issues
A packet needs to be routed to the interface which
has the crypto map configured on it before IPSec
will kick in
Routes need to be there for:
The router to reach its peers address
The IP subnets of the destination host before the packets
are encrypted
The IP subnets of the destination host once the packets
are decrypted
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
48
49
Quiz Time
Agenda
PROXY IDS
NOT SUPPORTED..
Introduction
Debug Message Means:
Router IPSec VPNs
2. Access-List
is mismatched
NAT with IPSec
Firewalling
and IPSec type is
3. Phase
2 Encryption
MTU Issues
mismatched
GRE over IPSec
4. DH
group is mismatched
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
50
Layout
10.1.2.0/24
10.1.1.0/24
209.165.202.129
209.165.200.226
Internet
PIX 1
PIX 2
Private
Encrypted
Private
Public
SEC-3010
8121_05_2003_c2
51
Access-List bypassnat
Defines Interesting Traffic
to bypass NAT for VPN
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
map
map
map
map
map
encryptmap
encryptmap
encryptmap
encryptmap
encryptmap
20 ipsec-isakmp
20 match address encrypt
20 set peer 209.165.200.226
20 set transform-set mysetdes
interface outside
crypto map..
Commands Define the
IPSec SA (Phase II SA)
Parameters
policy
policy
policy
policy
policy
SEC-3010
8121_05_2003_c2
10
10
10
10
10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
53
Common Issues
Bypassing NAT
Enabling ISAKMP
Missing sysopt commands
Combining PIX-PIX and
PIX-VPN client issues
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
54
Bypassing NAT
SEC-3010
8121_05_2003_c2
55
Enabling ISAKMP
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
56
57
Combining PIX-PIX
and PIX-Client Issues
If you are doing mode config or x-auth for
the VPN clients you would need to disable
them for the site-to-site VPN connections
Use the no-config-mode and no x-auth
tags at the end of the pre-shared
key definitions to disable mode config
and x-auth
isakmp peer fqdn fqdn no-xauth noconfig-mode in case rsa-sig is used as IKE
authentication method
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
58
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
59
Layout
209.165.200.227
172.18.124.96
WINS
VPN Client
Router
10.1.1.0/24
14.38.1.0/24
Internet
209.165.201.4
Router
14.38.2.0/24
DNS
Pix
Pix
209.165.200.226
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
209.165.201.2
60
61
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
62
SEC-3010
8121_05_2003_c2
access-list Defines
Split-Tunneling
63
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
64
SEC-3010
8121_05_2003_c2
65
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
66
SEC-3010
8121_05_2003_c2
67
hostname vpn-pix501b
domain-name cisco.com
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
68
encryption 3DES-CBC
ISAKMP:
hash SHA
ISAKMP:
default group 2
ISAKMP:
auth XAUTHInitPreShared
ISAKMP:
ISAKMP:
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
70
71
attributes in transform:
ISAKMP:
ISAKMP:
encaps is 1
ISAKMP:
ISAKMP:
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
72
Common Issues
VPN clients only propose DH group 2 and 5
Configure DH group 2 or 5 on Cisco IOS or PIX
Configure isakmp identity hostname if rsa-sig is
used as an IKE authentication method
aaa authorization needs to be enabled on the router,
so that router can accept/send mode-configuration
attributes
On, Cisco IOS EasyVPN client, for X-Auth, you have
to manually type crypto ipsec client ezvpn xauth
SEC-3010
8121_05_2003_c2
73
Quiz Time
Agenda
The Purpose
of
Introduction
sysopt connection
permit-IPsec
Is:
Router IPSec
VPNs
PIX IPSec VPNs
1. To bypass
conduits
or ACL checking
Cisco EasyVPN
Clients
against
the decrypted VPN traffic
NAT with IPSec
Firewalling
2. To bypass
NATand
forIPSec
the IPSec traffic
MTU Issues
3. To bypass
the assignment of IP address
GRE over IPSec
to the VPN client
Loss of Connectivity of IPSec Peers
4. To bypass
X-Auth for the VPN clients
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
74
Common Problems
SEC-3010
8121_05_2003_c2
75
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
76
e0/2
nat in
interface Ethernet0/2
ip address 10.1.1.3 255.255.255.0
ip nat inside
ip route-cache policy
ip policy route-map nonat
e0/3
nat out
crypto map
interface Loopback1
ip address 10.2.2.2 255.255.255.252
interface Ethernet0/03
ip address 209.165.200.227 255.255.255.0
ip nat outside
crypto map vpn
SEC-3010
8121_05_2003_c2
77
e0/3
nat out
crypto map
e0/2
nat in
interface Ethernet0/2
ip address 10.1.1.3 255.255.255.0
ip nat inside
ip nat inside source list 1 interface Ethernet0/3 overload
ip nat inside source static 10.1.1.1 209.165.200.230 route-map
nonat
interface Ethernet0/03
ip address 209.165.200.227 55.255.255.0
ip nat outside
access-list
access-list
access-list
access-list
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
78
79
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
80
Internet
Router
Private
Encrypted
Private
Public
81
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
82
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EZVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
83
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
84
10.1.1.2
172.16.172.10/28
e1/0 MTU
1500
e1/1
172.16.172.20/28
MTU
1400
IPSec Tunnel
Path 1500
Media 1500
MTU 1500
10.1.2.2
MTU
1500
Path 1500
Media 1500
1500 DF=1
ICMP Type3 Code 4
(1454)
1454 DF=1
1500 DF copied
ICMP (1400)
IPSec SPI copied
1454 DF=1
1400
1400
1354
85
Common Problem
PMTU ICMP packets lost or blocked
Debug ip icmp on router to verify if ICMP packets
are sent or received
Use sniffer to verify if ICMP packets are lost
Work arounds
Reduce MTU or disable PMTU on end host
Configure router to clear DF bit of data packets
Adjust TCP MSS on router to fine tune TCP windows
Look-ahead fragmentation
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
86
87
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
88
89
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
90
Agenda
Quiz Time
The Purpose
of
Introduction
crypto ipsec
df-bit
clear
Router
IPSec
VPNs Is:
PIX IPSec VPNs
2. To help
the router in doing Path MTU
Firewalling and IPSec
Discovery
MTU Issues
3. To drop
the IPSec packets if dont
GRE over IPSec
fragment bit is set
Loss of Connectivity of IPSec Peers
4. To remove
the dont
fragment bit
Interoperability
Troubleshooting
SEC-3010
8121_05_2003_c2
91
Internet
Internet
a. Original Packet
b. GRE Encapsulation
c. GRE over IPSec Transport Mode
d. GRE over IPSec Tunnel Mode
a
b
c
d
SEC-3010
8121_05_2003_c2
IP hdr 3
IP Hdr 1
TCP hdr
Data
IP hdr 2
GRE hdr
IP Hdr 1
TCP hdr
Data
IP hdr 2
ESP hdr
GRE hdr
IP Hdr 1
TCP hdr
Data
ESP hdr
IP hdr 2
GRE hdr
IP Hdr 1
TCP hdr
Data
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
92
93
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
94
SEC-3010
8121_05_2003_c2
95
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
96
SEC-3010
8121_05_2003_c2
97
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
98
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
99
Internet
IPSec SA
IPSec SA
SPI
Peer
Local_id
Remote_id
Transform
ESP SPI=0xB1D1EA3F
SPI
Peer
Local_id
Remote_id
Transform
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
100
101
Agenda
Introduction
Router IPSec VPNs
PIX IPSec VPNs
Cisco EasyVPN Clients
NAT with IPSec
Firewalling and IPSec
MTU Issues
GRE over IPSec
Loss of Connectivity of IPSec Peers
Interoperability Troubleshooting
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
102
Interoperability Tips
Start with configuring the two ends side
by side with exact matching policies
Phase I Parameters
IKE authentication method
Hash algorithm
DH group
ISAKMP SA lifetime
Encryption algorithm
Matching pre-shared secret
Phase II Parameters
IPSec mode (tunnel or transport)
Encryption algorithm
Authentication algorithm
PFS group
IPSec SA Lifetime
Interesting traffic definition
103
Field Noticesalerts to
critical issues
Security Advisories
internet security issues
and response
procedures
TAC Technical Tips
tips for
troubleshooting;
sample configurations
www.cisco.com/tac
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
104
SEC-3010
8121_05_2003_c2
105
Recommended Reading
Troubleshooting Cisco IP
Telephony
ISBN: 1587050757
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
106
SEC-3010
8121_05_2003_c2
SEC-3010
8121_05_2003_c2
Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
Presentation_ID.scr
107