I think I need to pick up the pace a bit today. I lost too much time trying to shoehorn things into GETVPN (and failing, but seeing as no-one else has replied to my challenge as yet, I am starting to feel less bad about it).
GETVPN is not finished yet. We still need to get the servers access to the 10.1.3.0/24 and 10.1.4.0/24 networks. To do this we will probably need to run DMVPN over the top of GETVPN. But not today.
Today we'll be working on the right-hand side of the network, and aim to get IKEv1 running (see this post).
IKEv1 VPNs
We'll set up EIGRP named mode to get us the routes:

GETVPN-S1(config)#router eigrp LowerLeft
GETVPN-S1(config-router)#address-family ipv4 auto 103
GETVPN-S1(config-router-af)#eigrp router-id 103.1.1.1
GETVPN-S1(config-router-af)#network 10.1.15.0 0.0.0.255
GETVPN-S1(config-router-af)#

Chicago(config)#router eigrp LowerLeft
Chicago(config-router)#address-family ipv4 auto 103
Chicago(config-router-af)#eigrp router-id 10.1.15.2
Chicago(config-router-af)#network 10.1.15.0 0.0.0.255
Chicago(config-router-af)#network 10.1.15.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.15.1 (GigabitEthern
Chicago(config-router-af)#network 10.1.16.0 0.0.0.255
Chicago(config-router-af)#network 10.1.17.0 0.0.0.255
Chicago(config-router-af)#

IKEv1(config)#router eigrp LowerLeft
IKEv1(config-router)#add ipv4 auto 103
IKEv1(config-router-af)#eigrp router-id 10.1.17.1
IKEv1(config-router-af)#network 10.1.17.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.17.2 (GigabitEthernet0/1) is up: new adjacency
IKEv1(config-router-af)#network 10.1.18.0 0.0.0.255
IKEv1(config-router-af)#

NYC(config)#router eigrp EIGRP
NYC(config-router)#add ipv4 auto 103
NYC(config-router-af)#eigrp router-id 10.1.12.254
NYC(config-router-af)#network 10.1.14.0 0.0.0.255
NYC(config-router-af)#

GETVPN-S1(config-router-af)#network 10.1.14.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.14.254 (GigabitEthernet0/0) is up: new adjacency
GETVPN-S1(config-router-af)#

NYC now has routes up to IKEv1:
NYC(config-router-af)#do sh ip route | b Gate
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C        10.1.12.0/24 is directly connected, GigabitEthernet0/1
L        10.1.12.254/32 is directly connected, GigabitEthernet0/1
C        10.1.13.0/24 is directly connected, GigabitEthernet0/2
L        10.1.13.254/32 is directly connected, GigabitEthernet0/2
C        10.1.14.0/24 is directly connected, GigabitEthernet0/0
L        10.1.14.254/32 is directly connected, GigabitEthernet0/0
D        10.1.15.0/24 [90/15360] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
D        10.1.16.0/24 [90/20480] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
D        10.1.17.0/24 [90/20480] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
D        10.1.18.0/24 [90/25600] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
NYC(config-router-af)#do ping 10.1.17.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.17.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/11 ms
NYC(config-router-af)#

As the goal is for IKEv1 to reach 2.2.2.2 over the VPN, NYC needs a route to that address, and likewise Telnet-2 (which owns 2.2.2.2 on its loopback) needs a route back:
NYC(config-router-af)#ip route 2.2.2.2 255.255.255.255 10.1.13.1
NYC(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
NYC(config)#

Telnet-2(config)#ip route 0.0.0.0 0.0.0.0 10.1.13.254
Telnet-2(config)#

Start with the ISAKMP (IKE phase 1) policy; create it on one router and paste it into the other:
IKEv1(config)#cry isakmp policy 10
IKEv1(config-isakmp)#encryption 3des
IKEv1(config-isakmp)#hash sha
IKEv1(config-isakmp)#group 2
IKEv1(config-isakmp)#auth pre
IKEv1(config-isakmp)#life 3600
IKEv1(config-isakmp)#exit
IKEv1(config)#do sh run | s crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
IKEv1(config)#

NYC(config)#crypto isakmp policy 10
NYC(config-isakmp)# encr 3des
NYC(config-isakmp)# authentication pre-share
NYC(config-isakmp)# group 2
NYC(config-isakmp)# lifetime 3600
NYC(config-isakmp)#

Note that "hash sha" does not show up in the running configuration because SHA-1 is the default hash for an ISAKMP policy. 3DES with SHA-1 and DH group 2 is fine for a lab task that asks for it, but it is a legacy suite; anywhere real, use AES and a larger DH group. Now we need a transform set:
IKEv1(config)#crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
IKEv1(cfg-crypto-trans)#exit
IKEv1(config)#do sh run | s transform
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
IKEv1(config)#

NYC(config-isakmp)#exit
NYC(config)#crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
NYC(cfg-crypto-trans)# mode tunnel
NYC(cfg-crypto-trans)#exit
NYC(config)#

Define the interesting traffic:
IKEv1(config)#ip access-list standard IKEv1-Tunnel-Traffic
IKEv1(config-std-nacl)#permit 2.2.2.2
IKEv1(config-std-nacl)#exit
IKEv1(config)#

NYC(config)#ip access-list extended IKEv1-Tunnel-Traffic
NYC(config-ext-nacl)#permit ip host 2.2.2.2 host 10.1.17.1
NYC(config-ext-nacl)#permit ip host 10.1.17.1 host 2.2.2.2
NYC(config-ext-nacl)#

We set the keyring:
IKEv1(config)#crypto keyring NYC
IKEv1(conf-keyring)#pre-shared-key address 10.1.14.254 key CCIE
IKEv1(conf-keyring)#exit
IKEv1(config)#

NYC(config)#crypto keyring IKEv1
NYC(conf-keyring)#pre-shared-key address 10.1.17.1 key CCIE
NYC(conf-keyring)#exit
NYC(config)#

Now we can create the crypto map, starting with NYC:
NYC(config)#crypto map CRY-MAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
NYC(config-crypto-map)#set peer 10.1.17.1
NYC(config-crypto-map)#match address IKEv1-Tunnel-Traffic
NYC(config-crypto-map)#set transform-set 3des-sha
NYC(config-crypto-map)#set isakmp-profile IKEv1-ISAK-Profile
% IKEv1 Profile IKEv1-ISAK-Profile not found
NYC(config-crypto-map)#exit
NYC(config)#cry isakmp profile IKEv1-ISAK-Profile
% A profile is deemed incomplete until it has match identity statements
NYC(conf-isa-prof)#match identity address 10.1.17.1
NYC(conf-isa-prof)#keyring IKEv1
NYC(conf-isa-prof)#exit
NYC(config)#crypto map CRY-MAP 1 ipsec-isakmp
NYC(config-crypto-map)#set isakmp-profile IKEv1-ISAK-Profile
NYC(config-crypto-map)#do sh run | s crypto
crypto keyring IKEv1
  pre-shared-key address 10.1.17.1 key CCIE
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile IKEv1-ISAK-Profile
   keyring IKEv1
   match identity address 10.1.17.1 255.255.255.255
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
crypto map CRY-MAP 1 ipsec-isakmp
 set peer 10.1.17.1
 set transform-set 3des-sha
 set isakmp-profile IKEv1-ISAK-Profile
 match address IKEv1-Tunnel-Traffic
NYC(config-crypto-map)#

It looks like my attempts at NOT throwing every bit of configuration I can find at this meant that I forgot to create the ISAKMP profile. Let's do IKEv1:
IKEv1(config)#crypto keyring NYC
IKEv1(conf-keyring)#pre-shared-key address 10.1.14.254 key CCIE
IKEv1(conf-keyring)#
IKEv1(config)#crypto isakmp profile NYC-ISAK-Profile
% A profile is deemed incomplete until it has match identity statements
IKEv1(conf-isa-prof)#match identity address 10.1.14.254
IKEv1(conf-isa-prof)#keyring NYC
IKEv1(conf-isa-prof)#exit
IKEv1(config)#crypto map CRY-MAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
IKEv1(config-crypto-map)#set peer 10.1.14.254
IKEv1(config-crypto-map)#match add IKEv1-Tunnel-Traffic
Access-list type conflicts with prior definition
ERROR: "IKEv1-Tunnel-Traffic" is either an invalid name or the list already exists but is the wrong type.
IKEv1(config-crypto-map)#exit
IKEv1(config)#do sh run | s access-list
ip access-list standard IKEv1-Tunnel-Traffic
 permit 2.2.2.2
IKEv1(config)#no ip access-list standard IKEv1-Tunnel-Traffic
IKEv1(config)#ip access-list extended IKEv1-Tunnel-Traffic
IKEv1(config-ext-nacl)#permit ip host 2.2.2.2 host 10.1.17.1
IKEv1(config-ext-nacl)#permit ip host 10.1.17.1 host 2.2.2.2
IKEv1(config-ext-nacl)#crypto map CRY-MAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
IKEv1(config-crypto-map)#match add IKEv1-Tunnel-Traffic
IKEv1(config-crypto-map)#set transform-set 3des-sha
IKEv1(config-crypto-map)#set isakmp-profile NYC-ISAK-Profile
IKEv1(config-crypto-map)#do sh run | s crypto
crypto keyring NYC
  pre-shared-key address 10.1.14.254 key CCIE
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile NYC-ISAK-Profile
   keyring NYC
   match identity address 10.1.14.254 255.255.255.255
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
crypto map CRY-MAP 1 ipsec-isakmp
 set peer 10.1.14.254
 set transform-set 3des-sha
 set isakmp-profile NYC-ISAK-Profile
 match address IKEv1-Tunnel-Traffic
IKEv1(config-crypto-map)#

The crypto ACL has to be an extended list, not a standard one: the crypto map needs both a source and a destination to build the proxy identities (the "local ident" and "remote ident" pairs that "show crypto ipsec sa" reports) that it negotiates with the peer. Now we attach the map to the relevant interfaces:
IKEv1(config-crypto-map)#int gi0/1
IKEv1(config-if)#crypto map CRY-MAP
IKEv1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

NYC(config-crypto-map)#int gi0/0
NYC(config-if)#crypto map CRY-MAP
NYC(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Is everything there? Let's find out:
Telnet-2#ping 10.1.17.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.17.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
Telnet-2#

NYC(config-if)#do sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.17.1       10.1.14.254     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

NYC(config-if)#do sh cry ips sa | i local|rem|enc|dec
Crypto map tag: CRY-MAP, local addr 10.1.14.254
   local  ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.14.254, remote crypto endpt.: 10.1.17.1
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.14.254, remote crypto endpt.: 10.1.17.1
        sa timing: remaining key lifetime (k/sec): (4257472/3450)
        sa timing: remaining key lifetime (k/sec): (4257472/3450)
NYC(config-if)#

IKEv1(config-if)#do sh cry isak sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.17.1       10.1.14.254     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

IKEv1(config-if)#do sh cry ips | i local|rem|enc|dec
% Incomplete command.
IKEv1(config-if)#do sh cry ips sa | i local|rem|enc|dec
Crypto map tag: CRY-MAP, local addr 10.1.17.1
   local  ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.17.1, remote crypto endpt.: 10.1.14.254
        sa timing: remaining key lifetime (k/sec): (4186964/3396)
        sa timing: remaining key lifetime (k/sec): (4186965/3396)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.17.1, remote crypto endpt.: 10.1.14.254
IKEv1(config-if)#

The tunnel is up: NYC shows 4 packets encapsulated and IKEv1 shows 4 decapsulated, so the echo requests are crossing the tunnel. The replies never come back because IKEv1 doesn't know where to send traffic for 2.2.2.2 (the static route for it lives on NYC and is not redistributed into EIGRP). That is an easy fix:
IKEv1(config-if)#ip route 2.2.2.2 255.255.255.255 10.1.14.254
IKEv1(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms
IKEv1(config)#

Telnet-2#ping 10.1.17.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.17.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/17/33 ms
Telnet-2#

NYC#sh cry ips sa identity

interface: GigabitEthernet0/0
    Crypto map tag: CRY-MAP, local addr 10.1.14.254

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.1.17.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   current_peer 10.1.17.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
NYC#

All is working. However, there is a little bit of tidying up to do. Each crypto ACL currently holds both directions, which is why NYC shows two SA pairs: one with local 2.2.2.2 / remote 10.1.17.1 that carries all the traffic, and a second with the identities reversed that carries none. A crypto ACL is written from the local side's point of view (local source, remote destination), and the peer's ACL should be its mirror image, so each side only needs one entry:
NYC#sh access-list
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (44 matches)
    20 permit ip host 10.1.17.1 host 2.2.2.2
NYC#conf t
NYC(config)#ip access-list extended IKEv1-Tunnel-Traffic
NYC(config-ext-nacl)#no 20
NYC(config-ext-nacl)#exit
NYC(config)#exit
NYC#sh access-list
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (44 matches)
NYC#

IKEv1(config-ext-nacl)#do sh access-list
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (1 match)
    20 permit ip host 10.1.17.1 host 2.2.2.2 (25 matches)
IKEv1(config-ext-nacl)#no 10
IKEv1(config-ext-nacl)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/13/15 ms
IKEv1(config-ext-nacl)#

The pings still work (the first packet is lost while the new IPsec SA is negotiated), and the output from "sh cry ips sa" now fits into one window. More importantly, the access-lists are cleaner:
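The two checks just made by eye, reading the one-way counters in "show crypto ipsec sa" and spotting that each crypto ACL held both directions, are easy to script. The following is an added example, not code from the original post and not Cisco software; it parses the two kinds of IOS output that appear above and flags entries that describe the wrong side and SAs that carry traffic one way only. The sample outputs are constructed to resemble the post's, not captured from a device, and only host-to-host ACL entries are handled.

```python
"""Two sanity checks for crypto-map VPNs, driven by IOS show output.

Added example, not part of the original post and not Cisco code.  It parses
'show access-list' and 'show crypto ipsec sa' output and reports
(1) crypto-ACL entries that are wrong for the side they live on and
(2) IPsec SAs that carry traffic one way only, the symptom seen before
IKEv1 had a route to 2.2.2.2.  Samples below are constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

Ace = Tuple[str, str, str]  # (protocol, source host, destination host)

ACE_RE = re.compile(r"^\s*\d+\s+permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)")


def parse_crypto_acl(show_output: str) -> List[Ace]:
    """Extract (proto, src, dst) from 'permit <proto> host A host B' lines."""
    entries = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def self_mirrored_entries(show_output: str) -> List[Ace]:
    """Entries whose reverse is also present in the same ACL.

    A crypto ACL is written from the local side's point of view (local
    source, remote destination).  Holding both directions means one entry
    describes traffic from the wrong side; with the peer configured the same
    way, IOS negotiates a second SA pair with the identities reversed.
    """
    entries = parse_crypto_acl(show_output)
    present = set(entries)
    return [(p, s, d) for (p, s, d) in entries if (p, d, s) in present]


def unmirrored_entries(local_output: str, peer_output: str) -> List[Ace]:
    """Local entries that the peer does not hold in mirror image.

    (p, src, dst) here must appear as (p, dst, src) on the peer, or the
    proxy identities will not agree when the IPsec SA is negotiated.
    """
    peer_present = set(parse_crypto_acl(peer_output))
    return [(p, s, d) for (p, s, d) in parse_crypto_acl(local_output)
            if (p, d, s) not in peer_present]


IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sas(show_output: str) -> List[Dict[str, object]]:
    """One dict per SA block: local/remote ident plus encaps/decaps counters."""
    sas: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in show_output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":  # a 'local ident' line opens a new SA block
                if current:
                    sas.append(current)
                current = {"encaps": 0, "decaps": 0}
            current[m.group(1)] = m.group(2)
            continue
        m = COUNTER_RE.search(line)
        if m and current:
            current[m.group(1)] = int(m.group(2))
    if current:
        sas.append(current)
    return sas


def one_way_sas(show_output: str) -> List[Dict[str, object]]:
    """SAs with packets in exactly one direction: the tunnel itself works,
    so look for a missing route or a crypto ACL that is not mirrored."""
    return [sa for sa in parse_ipsec_sas(show_output)
            if (sa["encaps"] == 0) != (sa["decaps"] == 0)]


# Constructed samples, modelled on the post's output.
NYC_ACL_BEFORE = """\
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (44 matches)
    20 permit ip host 10.1.17.1 host 2.2.2.2
"""
NYC_ACL_AFTER = """\
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (44 matches)
"""
IKEV1_ACL_AFTER = """\
Extended IP access list IKEv1-Tunnel-Traffic
    20 permit ip host 10.1.17.1 host 2.2.2.2 (25 matches)
"""
NYC_IPSEC_SA_NO_RETURN_ROUTE = """\
Crypto map tag: CRY-MAP, local addr 10.1.14.254
   local  ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    print("both directions in one ACL:", self_mirrored_entries(NYC_ACL_BEFORE))
    print("not mirrored on peer:", unmirrored_entries(NYC_ACL_AFTER, IKEV1_ACL_AFTER))
    print("one-way SAs:", one_way_sas(NYC_IPSEC_SA_NO_RETURN_ROUTE))
```

Run it against real output by pasting the "show" text into the string constants; the one-way check is the quickest way to tell a routing problem (packets decapsulated but none encapsulated on the far side) from a crypto one (no SA, or decrypt errors).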
NYC#sh cry ips sa

interface: GigabitEthernet0/0
    Crypto map tag: CRY-MAP, local addr 10.1.14.254

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   current_peer 10.1.17.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.14.254, remote crypto endpt.: 10.1.17.1
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x6E4A5A46(1850366534)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x38DA9074(953847924)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: SW:11, sibling_flags 80000040, crypto map: CRY-MAP
        sa timing: remaining key lifetime (k/sec): (4257669/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E4A5A46(1850366534)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: SW:12, sibling_flags 80000040, crypto map: CRY-MAP
        sa timing: remaining key lifetime (k/sec): (4257669/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
NYC#

Two details worth reading off this output: "PFS (Y/N): N", because the crypto map has no "set pfs", so the IPsec keys are derived from the IKE SA's Diffie-Hellman result rather than a fresh exchange for each IPsec SA; and 23 packets encapsulated against 23 decapsulated, which is what a healthy bidirectional tunnel looks like. For the last part of this we need to be able to telnet through, so let's set that up:
Telnet-2(config)#line vty 0 4
Telnet-2(config-line)#password cisco
Telnet-2(config-line)#login
Telnet-2(config-line)#transport input telnet
Telnet-2(config-line)#

IKEv1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open
****************************************************************
* Banner. *
****************************************************************

User Access Verification

Password:
****************************************************************
* Banner. *
****************************************************************
Telnet-2>en
% No password set
Telnet-2>exit

[Connection to 2.2.2.2 closed by foreign host]
IKEv1#

Not bad. One of the tasks can be crossed off, and we can move on and do IKEv2 between NYC and the Easy-Server.
IKEv2 VPNs
NYC(config)#crypto keyring EASY-Server
NYC(conf-keyring)#pre-shared-key address 10.1.6.254 key CCIE
NYC(conf-keyring)#exit
NYC(config)#crypto isakmp profile Easy-ISAK-Profile
% A profile is deemed incomplete until it has match identity statements
NYC(conf-isa-prof)#keyring EASY-Server
NYC(conf-isa-prof)#match identity address 10.1.6.254
NYC(conf-isa-prof)#
NYC(config)#crypto ikev2 keyring EASY-Server-Keyring
NYC(config-ikev2-keyring)#peer EASY-Server
NYC(config-ikev2-keyring-peer)#address 10.1.6.254
NYC(config-ikev2-keyring-peer)#exit
NYC(config-ikev2-keyring)#exit
NYC(config)#crypto ikev2 profile IKEv2-Profile
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate or match any statement.
NYC(config-ikev2-profile)#match identity remote add 10.1.6.254
NYC(config-ikev2-profile)#authen local pre-share
NYC(config-ikev2-profile)#authen remote pre-share
NYC(config-ikev2-profile)#keyring local EASY-Server-Keyring
NYC(config-ikev2-profile)#exit
NYC(config)#crypto map CRY-MAP 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
NYC(config-crypto-map)#set peer 10.1.6.254
NYC(config-crypto-map)#set transform-set 3des-sha
NYC(config-crypto-map)#set ikev2-profile IKEv2-Profile
NYC(config-crypto-map)#match address IKEv2-Tunnel-Traffic
NYC(config-crypto-map)#exit
NYC(config)#ip access-list extended IKEv2-Tunnel-Traffic
NYC(config-ext-nacl)#permit ip host 2.2.2.2 host 10.1.6.254
NYC(config-ext-nacl)#permit ip host 2.2.2.2 host 1.1.1.1
NYC(config-ext-nacl)#exit
NYC(config)#

Easy-Server(config)#crypto isakmp policy 10
Easy-Server(config-isakmp)# encr 3des
Easy-Server(config-isakmp)# authentication pre-share
Easy-Server(config-isakmp)# group 2
Easy-Server(config-isakmp)# lifetime 3600
Easy-Server(config-isakmp)#exi
Easy-Server(config)#crypto keyring NYC
Easy-Server(conf-keyring)# pre-shared-key address 10.1.14.254 key CCIE
Easy-Server(conf-keyring)#exit
Easy-Server(config)#cry ikev2 keyring NYC
Easy-Server(config-ikev2-keyring)#peer NYC
Easy-Server(config-ikev2-keyring-peer)#address 10.1.14.254
Easy-Server(config-ikev2-keyring-peer)#exit
Easy-Server(config-ikev2-keyring)#exit
Easy-Server(config)#crypto ikev2 profile IKEv2-Profile
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate or match any statement.
Easy-Server(config-ikev2-profile)# authentication remote pre-share
Easy-Server(config-ikev2-profile)# authentication local pre-share
Easy-Server(config-ikev2-profile)#keyring local NYC
Easy-Server(config-ikev2-profile)#match identity remote address 10.1.14.254
Easy-Server(config-ikev2-profile)#exit
Easy-Server(config)#crypto isakmp profile NYC
% A profile is deemed incomplete until it has match identity statements
Easy-Server(conf-isa-prof)#keyring NYC
Easy-Server(conf-isa-prof)#match identity address 10.1.14.254
Easy-Server(conf-isa-prof)#exit
Easy-Server(config)#$c transform-set 3des-sha esp-3des esp-sha-hmac
Easy-Server(cfg-crypto-trans)# mode tunnel
Easy-Server(cfg-crypto-trans)#exit
Easy-Server(config)#crypto ipsec profile NYC-IPSec-Profile
Easy-Server(ipsec-profile)#set transform-set 3des-sha
Easy-Server(ipsec-profile)#exit
Easy-Server(config)#ip access-list extended IKEv2-Tunnel-Traffic
Easy-Server(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2
Easy-Server(config-ext-nacl)#permit ip host 1.1.1.1 host 10.1.14.254
Easy-Server(config-ext-nacl)#crypto map CRY-MAP 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Easy-Server(config-crypto-map)#set peer 10.1.14.254
Easy-Server(config-crypto-map)#set transform-set 3des-sha
Easy-Server(config-crypto-map)# set ikev2-profile IKEv2-Profile
Easy-Server(config-crypto-map)# match address IKEv2-Tunnel-Traffic
Easy-Server(config-crypto-map)#int gi0/0
Easy-Server(config-if)#cry map CRY-MAP
Easy-Server(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Two things to note in this configuration. The "crypto keyring" and "crypto isakmp profile" entries on both routers are IKEv1 constructs; a crypto map entry that sets an ikev2-profile only uses the IKEv2 keyring and IKEv2 profile, so they sit unused, as does the "crypto ipsec profile", which crypto maps do not reference. Also, the two crypto ACLs are only partly mirror images of each other: NYC's 2.2.2.2 to 1.1.1.1 entry is mirrored by Easy-Server's 1.1.1.1 to 2.2.2.2, and that is the pair that gets tested at the end, but the 10.1.6.254 and 10.1.14.254 entries have no counterpart on the other side. We need a couple of routes:
Easy-Server(config)#ip route 1.1.1.1 255.255.255.255 10.1.7.1
Easy-Server(config)#ip route 0.0.0.0 0.0.0.0 10.1.6.1
Easy-Server(config)#

Telnet-1(config)#ip route 0.0.0.0 0.0.0.0 10.1.7.254
Telnet-1(config)#

NYC(config)#ip route 1.1.1.1 255.255.255.255 10.1.6.254
NYC(config)#

I forgot that the NYC router is (from EASY-Server) behind the ASA firewalls! Doh! Pretty dumb of me. We also need routes! Let's sort that out:
ASA9(config)# object network obj-NYC
ASA9(config-network-object)# host 10.1.14.254
ASA9(config-network-object)# exi
ASA9(config)# object network obj-NYC-External
ASA9(config-network-object)# host 10.1.9.100
ASA9(config-network-object)# nat (Inside,Outside) source static obj-NYC obj-NYC-External
ASA9(config)#
ASA9(config)# access-list Inside->Outside extended permit esp host 10.1.14.254 host 10.1.6.254
ASA9(config)# access-list Inside->Outside extended permit udp host 10.1.14.254 host 10.1.6.254 eq isakmp
ASA9(config)# access-list Inside->Outside extended permit udp host 10.1.14.254 host 10.1.6.254 eq 4500
ASA9(config)# access-list Inside->Outside extended permit icmp host 10.1.14.254 host 10.1.6.254
ASA9(config)# access-list Outside->Inside extended permit udp host 10.1.6.254 host 10.1.14.254 eq isakmp
ASA9(config)# access-list Outside->Inside extended permit udp host 10.1.6.254 host 10.1.14.254 eq 4500
ASA9(config)# access-list Outside->Inside extended permit icmp host 10.1.6.254 host 10.1.14.254
ASA9(config)# access-list Outside->Inside extended permit esp host 10.1.6.254 host 10.1.14.254
ASA9(config)#

GETVPN-S1(config)#router eigrp LowerLeft
GETVPN-S1(config-router)#address-family ipv4 unicast autonomous-system 103
GETVPN-S1(config-router-af)#topology base
GETVPN-S1(config-router-af-topology)#redistribute static
GETVPN-S1(config-router-af-topology)#exit
GETVPN-S1(config-router-af)#network 10.1.26.0 0.0.0.255
GETVPN-S1(config-router-af)#

Switch(config)#router eigrp LowerLeft
Switch(config-router)# address-family ipv4 unicast autonomous-system 103
Switch(config-router-af)#network 10.1.26.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.26.1 (Vlan26) is up: new adjacency
Switch(config-router-af)#topology base
Switch(config-router-af-topology)#red connected
Switch(config-router-af-topology)#

ISP-2(config)#ip route 10.1.6.0 255.255.255.0 10.1.8.1

Easy-Server#ping 10.1.9.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.9.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/16/24 ms
Easy-Server#

The ASA rules allow IKE (UDP 500), NAT-T (UDP 4500) and ESP between the two peers, and the static NAT presents NYC to the outside as 10.1.9.100. That address, not 10.1.14.254, is what Easy-Server sees, so every reference to 10.1.14.254 on Easy-Server now has to change:
Easy-Server(config)#crypto keyring NYC
Easy-Server(conf-keyring)#no pre-shared-key address 10.1.14.254 key CCIE
Easy-Server(conf-keyring)#pre-shared-key address 10.1.9.100 key CCIE
Easy-Server(conf-keyring)#crypto ikev2 keyring NYC
Easy-Server(config-ikev2-keyring)#peer NYC
Easy-Server(config-ikev2-keyring-peer)#no address 10.1.14.254
Easy-Server(config-ikev2-keyring-peer)#address 10.1.9.100
Easy-Server(config-ikev2-keyring-peer)#exit
Easy-Server(config-ikev2-keyring)#exit
Easy-Server(config)#crypto ikev2 profile IKEv2-Profile
Easy-Server(config-ikev2-profile)#no match identity remote address 10.1.14.254 255.255.255.255
Easy-Server(config-ikev2-profile)#match identity remote address 10.1.9.100
Easy-Server(config-ikev2-profile)#exit
Easy-Server(config)#crypto isakmp profile NYC
Easy-Server(conf-isa-prof)#no match identity address 10.1.14.254 255.255.255.255
Easy-Server(conf-isa-prof)#match identity address 10.1.9.100
Easy-Server(conf-isa-prof)#exit
Easy-Server(config)#crypto map CRY-MAP 2 ipsec-isakmp
Easy-Server(config-crypto-map)#no set peer 10.1.14.254
Easy-Server(config-crypto-map)#set peer 10.1.9.100
Easy-Server(config-crypto-map)#

Missed something: neither IKEv2 keyring actually has a pre-shared-key under its peer yet, and the IKEv2 profiles have no local identity or local address match:

Easy-Server(ipsec-profile)#crypto ikev2 keyring NYC
Easy-Server(config-ikev2-keyring)#peer NYC
Easy-Server(config-ikev2-keyring-peer)#pre-shared-key CCIE
Easy-Server(config-ikev2-keyring-peer)#

NYC(ipsec-profile)#crypto ikev2 keyring EASY-Server-Keyring
NYC(config-ikev2-keyring)#peer EASY-Server
NYC(config-ikev2-keyring-peer)#pre-shared-key CCIE
NYC(config-ikev2-keyring-peer)#
NYC(config)#crypto ikev2 policy 10
NYC(config-ikev2-policy)#match add local 10.1.14.254
NYC(config-ikev2-policy)#crypto ikev2 profile IKEv2-Profile
NYC(config-ikev2-profile)#ident loc add 10.1.14.254
NYC(config-ikev2-profile)#match add loca int gi0/0
NYC(config-ikev2-profile)#exi
NYC(config)#cry isakmp invalid-spi-recovery
NYC(config)#

Easy-Server(config-crypto-map)#crypto ikev2 policy 10
Easy-Server(config-ikev2-policy)#match add local 10.1.6.254
Easy-Server(config-ikev2-policy)#crypto ikev2 profile IKEv2-Profile
Easy-Server(config-ikev2-profile)#match add local int gi0/0
Easy-Server(config-ikev2-profile)#identity local add 10.1.6.254
Easy-Server(config-ikev2-profile)#
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.6.254, prot=50, spi=0x2BAAE5CE(732620238), srcaddr=10.1.9.100, input interface=GigabitEthernet0/0
Easy-Server(config-ikev2-profile)#exi
Easy-Server(config)#cry isakmp invalid-spi-recovery
Easy-Server(config)#

It's now day 8, and I am back at it, trying to get the tunnels up. I am a little tired today after going to see the truly incredible Belly play at the O2 Forum in Kentish Town. The wife and I got back to the hotel room about 1 am, and I barely slept. Note to self: when they ask what room you want, always opt for the quiet one!
Brilliant gig. I got a little squashed up at the front row and was very tempted to go further back, but I stayed, and scored (half of) a setlist. All work and no play makes Stuart a dull boy.
But it's back to sorting out the IKEv2 VPN now.
The access-lists are getting the hits, but the traffic is not passing. I enabled debugging on the EASY-Server router (debug crypto ikev2), and here is a little bit of that output (with notes below the lines):
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED

^^ DH passes ^^

IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 1,SA ID = 1):NAT OUTSIDE found
IKEv2:(SESSION ID = 1,SA ID = 1):NAT detected float to init port 4500, resp port 4500

^^ The NAT_DETECTION payloads show that the peer's address was rewritten in transit, so both ends switch to NAT traversal on UDP 4500 ^^

IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange

^^ IKE_SA_INIT completes ^^

IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 10.1.6.254, key len 4

^^ We know to use a PSK ^^

IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED

^^ Easy-Server generates its own AUTH payload; this is not yet the peer being verified ^^

IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.9.100:4500/From 10.1.6.254:4500/VRF i0:f0]
Initiator SPI : 7C4CB6E87F26A509 - Responder SPI : 6BDD0554932AC653 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.1.9.100:4500/To 10.1.6.254:4500/VRF i0:f0]
Initiator SPI : 7C4CB6E87F26A509 - Responder SPI : 6BDD0554932AC653 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify

^^ Easy-Server is the initiator here: it sends the IKE_AUTH request and gets NYC's IKE_AUTH response back, carrying NYC's identity (IDr) and AUTH payload ^^

IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '10.1.14.254' of type 'IPv4 address'

^^ NYC sends us its identity, which is its IP address 10.1.14.254, the pre-NAT address ^^

IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Failed to locate an item in the database
IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authentication data FAILED
IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA

^^ This is where and why it fails: no IKEv2 profile on Easy-Server matches the identity 10.1.14.254 (the profile matches 10.1.9.100, the NAT'd address), so there is no keyring to verify NYC's AUTH payload with ^^

So the resolution seems easy enough: change what identity Easy-Server matches on. But what do we change it to? We could match the internal IP address, so that:
crypto ikev2 profile IKEv2-Profile
 match address local interface GigabitEthernet0/0
 match identity remote address 10.1.9.100 255.255.255.255

becomes

crypto ikev2 profile IKEv2-Profile
 match address local interface GigabitEthernet0/0
 match identity remote address 10.1.14.254 255.255.255.255

This works, but it is poor design: Easy-Server's policy now depends on NYC's private addressing behind the NAT, and NYC's "identity local address 10.1.14.254" has to stay in step with it. (In IKEv2 the identity itself travels inside the encrypted IKE_AUTH exchange, so it is not readable on the wire; the problem is coupling the peer's policy to an address that the path rewrites, which breaks again whenever either the inside address or the NAT mapping changes.)
Instead, the better option is for the NYC router to identify itself by its hostname (an FQDN identity), which is the same on both sides of the NAT:
NYC(config)#crypto ikev2 profile IKEv2-Profile
NYC(config-ikev2-profile)#identity ?
  local  Specify the local IKE identity to use for the negotiation
NYC(config-ikev2-profile)#identity local ?
  address  address
  dn       Distinguished Name
  email    Fully qualified email string
  fqdn     Fully qualified domain name string
  key-id   key-id opaque string - proprietary types of identification
NYC(config-ikev2-profile)#identity local fqdn
% Incomplete command.
NYC(config-ikev2-profile)#identity local fqdn ?
  WORD  FQDN
NYC(config-ikev2-profile)#identity local fqdn NYC.ccielab.local
NYC(config-ikev2-profile)#

Easy-Server(config)#crypto ikev2 profile IKEv2-Profile
Easy-Server(config-ikev2-profile)#no match identity remote address 10.1.9.100 255.255.255.255
Easy-Server(config-ikev2-profile)#match identity remote ?
  address  IP Address(es)
  any      match any peer identity
  email    Fully qualified email string [Max. 255 char(s)]
  fqdn     Fully qualified domain name string [Max. 255 char(s)]
  key-id   key-id opaque string
Easy-Server(config-ikev2-profile)#match identity remote fqdn NYC.ccielab.local
Easy-Server(config-ikev2-profile)#

Now the tunnels come up:
Telnet-1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 21/26/31 ms
Telnet-1#

Telnet-2#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/23/27 ms
Telnet-2#

Easy-Server#sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.1.6.254/4500       10.1.9.100/4500       none/none            READY
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/231 sec

 IPv6 Crypto IKEv2  SA

Easy-Server#

The SA sits on port 4500 at both ends, which confirms NAT-T is in use. NAT traversal solves the transport problem of having a NAT device in the path (it detects the translation and encapsulates ESP in UDP 4500), but it cannot change the contents of the IKE messages: NYC still announces whatever identity it is configured with, and because IKE_AUTH is encrypted and integrity-protected, neither the ASA nor anything else in the path could rewrite it. The identity therefore has to be something that means the same thing on both sides of the NAT.
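To make the two debug lines that mattered concrete ("NAT OUTSIDE found" and "Failed to locate an item in the database"), here is an added example that is not part of the original post and not Cisco code. It models the NAT detection hash from RFC 7296 section 2.23 (each side sends NAT_DETECTION_SOURCE_IP = SHA-1 over the two SPIs, its source address and source port, and the receiver recomputes the hash over the address the packet actually came from) and a profile lookup that mirrors how "match identity remote" statements are checked against the peer's identity. The SPIs and addresses are the ones from the debug above; the profile table, the CIDR form of the address match and the function names are constructed stand-ins for the IOS configuration, not its real internals.

```python
"""NAT detection and peer-identity lookup for the IKEv2 exchange above.

Added example, not part of the original post and not Cisco code.  The hash
follows RFC 7296 section 2.23; the profile lookup is a constructed model of
'match identity remote', not IOS internals.
"""
import hashlib
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# SPIs from the post's IKE_AUTH debug lines (Easy-Server is the initiator).
SPI_I = bytes.fromhex("7C4CB6E87F26A509")
SPI_R = bytes.fromhex("6BDD0554932AC653")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notification data: SHA-1(SPIi || SPIr || IP || port)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def peer_behind_nat(spi_i: bytes, spi_r: bytes,
                    received_hash: bytes, seen_ip: str, seen_port: int) -> bool:
    """What the receiver does with the peer's NAT_DETECTION_SOURCE_IP.

    The peer hashed the address it sent from.  If that differs from the hash
    over the source address/port in the IP/UDP header we received, something
    on the path rewrote the header: the peer is behind a NAT.
    """
    return received_hash != nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)


# An IKEv2 profile's 'match identity remote' statement as (type, value).
# Constructed stand-in; IOS applies a mask to address matches, modelled as CIDR.
Profiles = Dict[str, Tuple[str, str]]


def select_profile(identity: Tuple[str, str], profiles: Profiles) -> Optional[str]:
    """Model of 'Searching policy based on peer's identity'.

    Returns the first profile whose match statement covers the identity, or
    None, the 'Failed to locate an item in the database' case: with no
    profile there is no keyring, so the peer's AUTH payload cannot be checked.
    """
    id_type, id_value = identity
    for name, (match_type, match_value) in profiles.items():
        if match_type == "any":
            return name
        if match_type != id_type:
            continue
        if match_type == "address":
            net = ipaddress.ip_network(match_value, strict=False)
            if ipaddress.ip_address(id_value) in net:
                return name
        elif id_value.lower() == match_value.lower():  # fqdn / email / key-id
            return name
    return None


def easy_server_view() -> Tuple[bool, Optional[str], Optional[str]]:
    """Replay the post's situation from Easy-Server's side."""
    # NYC hashed its real source address; Easy-Server saw the NAT'd one.
    nyc_hash = nat_detection_hash(SPI_I, SPI_R, "10.1.14.254", 500)
    nat = peer_behind_nat(SPI_I, SPI_R, nyc_hash, "10.1.9.100", 500)

    # IDr from NYC is its pre-NAT address; the profile matched the NAT'd one.
    before = select_profile(("address", "10.1.14.254"),
                            {"IKEv2-Profile": ("address", "10.1.9.100/32")})
    # After the fix: identity local fqdn on NYC, match identity remote fqdn here.
    after = select_profile(("fqdn", "NYC.ccielab.local"),
                           {"IKEv2-Profile": ("fqdn", "NYC.ccielab.local")})
    return nat, before, after


if __name__ == "__main__":
    print(easy_server_view())  # (True, None, 'IKEv2-Profile')
```

The NAT check and the identity check are independent, which is the point of the post's final observation: NAT-T makes the first one succeed in the presence of the ASA, but the second still compares whatever identity NYC put inside the encrypted IKE_AUTH payload against the profile, and an address-type identity is exactly the value the NAT makes inconsistent.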
I still need to get quicker on the VPNs, so will be creating a little "cheat sheet" for the commands, differences, and similarities between the different ones. I'll put it on the site somewhere for everyone else.
Now that we have connectivity between Telnet-1 and Telnet-2 it would make sense to connect them together. So, next up is FlexVPN