ISAKMP profiles: When you need them and when you do not.


Through setting up an IPSec VPN between an ASA and an IOS router, Dual-hub DMVPN, GET VPN and Easy VPN, there has been one factor that has slowed the progress immensely. This has been ISAKMP profiles. The VPNs seem to work much better without them, than with them.

So, why and when do we need to use them? Let's lab it up and find out!


R4 will be the gateway between the routers, R1 will be the Easy VPN server, which R2 will connect to, and there will be an IPSec VPN between R1 and R3. We will then add another IPSec VPN between R1 and R4. This way we only need to focus on R1, in terms of complexity. We will use static routing across the network, and the last octet for all of the interfaces will be the router number.

The basic config is below:
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#int gi 0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.4
R1(config)#

R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#int gi0/0
R2(config-if)#ip add 10.1.2.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.2.4
R2(config)#

R3(config)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.255
R3(config-if)#int gi 0/0
R3(config-if)#ip add 10.1.3.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.3.4
R3(config)#

R4(config)#int gi0/0
R4(config-if)#ip add 10.1.2.4 255.255.255.0
R4(config-if)#no shut
R4(config-if)#int gi0/1
R4(config-if)#ip add 10.1.1.4 255.255.255.0
R4(config-if)#no shut
R4(config-if)#int gi 0/2
R4(config-if)#ip add 10.1.3.4 255.255.255.0
R4(config-if)#no shut
R4(config-if)#ip route 1.1.1.1 255.255.255.255 10.1.1.1
R4(config)#ip route 2.2.2.2 255.255.255.255 10.1.2.2
R4(config)#ip route 3.3.3.3 255.255.255.255 10.1.3.3
R4(config)#
Let's start with Easy VPN:
R2(config)#crypto ipsec client ezvpn EZ-Group
R2(config-crypto-ezvpn)#connect auto
R2(config-crypto-ezvpn)#group EZ-Group key cisco
R2(config-crypto-ezvpn)#mode client
R2(config-crypto-ezvpn)#peer 1.1.1.1
R2(config-crypto-ezvpn)#
R2(config-crypto-ezvpn)#int lo0
R2(config-if)#crypto ipsec client ez EZ-Group inside
R2(config-if)#int gi0/0
R2(config-if)#crypto ipsec client ez EZ-Group
R2(config-if)#exit
R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#

R1(config)#aaa new-model
R1(config)#aaa authentication login AuthC-list local
R1(config)#aaa authorization network AuthZ-list local
R1(config)#
R1(config)#crypto isakmp client configuration group EZ-Group
R1(config-isakmp-group)#key cisco
R1(config-isakmp-group)#pool EZ-Pool
R1(config-isakmp-group)#exit
R1(config)#
R1(config)#crypto isakmp profile EZ-Profile
R1(conf-isa-prof)#match identity group EZ-Group
R1(conf-isa-prof)#isakmp authorization list AuthZ-list
R1(conf-isa-prof)#client configuration address respond
R1(conf-isa-prof)#client config group EZ-Group
R1(conf-isa-prof)#virtual-template 1
R1(conf-isa-prof)#
R1(conf-isa-prof)#crypto ipsec transform EZ-TS esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
R1(config)#crypto ipsec profile EZ-Profile
R1(ipsec-profile)#set transform-set EZ-TS
R1(ipsec-profile)#set isakmp-profile EZ-Profile
R1(ipsec-profile)#exit
R1(config)#int virtual-template 1 type tunnel
R1(config-if)#ip unnumbered lo0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec pro EZ-Profile
R1(config-if)#ex
R1(config)#
R1(config)#username cisco password cisco
R1(config)#
R1(config)#crypto isakmp policy 10
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)#ip local pool EZ-Pool 192.168.1.10 192.168.1.20
R1(config)#
The results are that the loopback interface is created, we have route in R1's routing table, and it is reachable:
R2#sh ip int bri | e unass
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.2.2        YES manual up                    up
Loopback0                  2.2.2.2         YES manual up                    up
Loopback10000              192.168.1.10    YES TFTP   up                    up
NVI0                       10.1.2.2        YES unset  up                    up

R2#
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         10.1.2.2        QM_IDLE           1036 ACTIVE

IPv6 Crypto ISAKMP SA

R2#

R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/30/45 ms
R1#
Now let's set up the other VPN:
R1(config)#crypto isakmp policy 20
R1(config-isakmp)#enc aes
R1(config-isakmp)#hash md5
R1(config-isakmp)#auth pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit

R3(config)#crypto isakmp policy 20
R3(config-isakmp)#enc aes
R3(config-isakmp)#hash md5
R3(config-isakmp)#auth pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#exit

R1(config)#crypto isakmp key cisco1 address 10.1.3.3
R1(config)#crypto ipsec transform IPSec-TS esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile IPSec-Profile
R1(ipsec-profile)#set transform-set IPSec-TS
R1(ipsec-profile)#exit
R1(config)#int tunnel 0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#tun sour gi0/0
R1(config-if)#tunn dest 10.1.3.3
R1(config-if)#tun mode ipsec ipv4
R1(config-if)#tun pro ipsec prof IPSec-Profile
R1(config-if)#

R3(config)#crypto isakmp key cisco1 address 10.1.1.1
R3(config)#crypto ipsec transform IPSec-TS esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile IPSec-Profile
R3(ipsec-profile)#set transform-set IPSec-TS
R3(ipsec-profile)#exit
R3(config)#int tunnel 0
R3(config-if)#ip add 192.168.10.3 255.255.255.0
R3(config-if)#tun sour gi0/0
R3(config-if)#tunn dest 10.1.1.1
R3(config-if)#tun mode ipsec ipv4
R3(config-if)#tun pro ipsec prof IPSec-Profile
R3(config-if)#
We did not add another ISAKMP profile, this time, but the results are that the tunnels are up, and we have reachability:
R1#sh ip int bri | e unas
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.1.1        YES manual up                    up
Loopback0                  1.1.1.1         YES manual up                    up
Tunnel0                    192.168.10.1    YES manual up                    up
Virtual-Access1            1.1.1.1         YES unset  up                    up
Virtual-Template1          1.1.1.1         YES unset  up                    down

R1#ping 192.168.10.3 so tun 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/33/43 ms
R1#
The tunnel is up, and we have connectivity. We also have one ISAKMP profile (for the Easy VPN). So, what happens when we add a third VPN?
R4(config)#crypto isakmp key cisco2 address 10.1.1.1
R4(config)#crypto ipsec transform-set IPSec2-TS esp-aes 256 esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#crypto ipsec profile IPSec2-Profile
R4(ipsec-profile)#set transform-set IPSec2-TS
R4(ipsec-profile)#exit
R4(config)#int tunnel 1
R4(config-if)#ip add 192.168.20.4 255.255.255.0
R4(config-if)#tun so gi 0/1
R4(config-if)#tun dest 10.1.1.1
R4(config-if)#tunnel protection ipsec profile IPSec2-Profile
R4(config-if)#
*Jul  8: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Jul  8: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.1.1.1
R4(config-if)#
We start to see failures, but the other side (R1) is not set up for the new tunnel. Let's do that now:
R1(config)#crypto isakmp key cisco2 address 10.1.1.4
R1(config)#crypto ipsec transform-set IPSec2-TS esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile IPSec2-Profile
R1(ipsec-profile)#set transform-set IPSec2-TS
R1(ipsec-profile)#exit
R1(config)#int tun 1
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#tun so gi0/0
R1(config-if)#tun dest 10.1.1.4
R1(config-if)#tunnel protection ipsec profile IPSec2-Profile
R1(config-if)#
We are using the same set of commands as we did with R1 & R3, but with a little variation to make the two distinguishable. However, the tunnel does not come up:
*Jul  8: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.1.1.1
*Jul  8: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
*Jul  8: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
R4#
R4#sh ip int bri | e unas
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.2.4        YES manual up                    up
GigabitEthernet0/1         10.1.1.4        YES manual up                    up
GigabitEthernet0/2         10.1.3.4        YES manual up                    up
Tunnel1                    192.168.20.4    YES manual up                    down

R4#ping 192.168.20.1 so tun 1
% Invalid source interface - IP not enabled or interface is down
R4#

R1#sh ip int bri | i Tunnel1
Tunnel1                    192.168.20.1    YES manual up                    down
R1#
Let's set up an ISAKMP profile, and virtual template:
R1(config)#crypto isakmp profile R4-Profile
R1(conf-isa-prof)#match identity address 10.1.1.4
R1(conf-isa-prof)#virtual-template 20
R1(conf-isa-prof)#exit
R1(config)#int virtual-template 20 type tunnel
R1(config-if)#ip unnumbered tunnel1
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSec2-Profile
R1(config-if)#exit
R1(config)#crypto ipsec profile IPSec2-Profile
R1(ipsec-profile)#set isakmp-profile R4-Profile
R1(ipsec-profile)#
Still nothing, let's look at the (truncated) logs:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#logging con
R1(config)#
*Jul  8: ISAKMP:(0): SA request profile is R4-Profile
*Jul  8: ISAKMP: Created a peer struct for 10.1.1.4, peer port 500
*Jul  8: ISAKMP:(0):Profile has no keyring, aborting key search
*Jul  8: ISAKMP:(0):Profile has no keyring, aborting host key search
*Jul  8: ISAKMP:(0):found peer pre-shared key matching 10.1.1.4
*Jul  8: ISAKMP:(0): local preshared key found
*Jul  8: ISAKMP : Scanning profiles for xauth ... EZ-Profile R4-Profile
*Jul  8: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul  8: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  8: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jul  8: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  8: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jul  8: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jul  8: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Jul  8: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul  8: ISAKMP:(0): sending packet to 10.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul  8: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  8: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Jul  8: ISAKMP (0): received packet from 10.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul  8: ISAKMP:(0):found peer pre-shared key matching 10.1.1.4
*Jul  8: ISAKMP:(1062):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Jul  8: ISAKMP:(1062): sending packet to 10.1.1.4 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul  8: ISAKMP:(1062):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  8: ISAKMP:(1062):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jul  8: ISAKMP (1062): received packet from 10.1.1.4 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul  8: ISAKMP:(1062):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  8: ISAKMP:(1062):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Jul  8: ISAKMP:(1062): processing ID payload. message ID = 0
*Jul  8: ISAKMP:(0):: peer matches R4-Profile profile
*Jul  8: ISAKMP:(1062):Profile has no keyring, aborting key search
*Jul  8: ISAKMP:(1062):Key not found in keyrings of profile , aborting exchange
*Jul  8: ISAKMP (1062): FSM action returned error: 2
*Jul  8: ISAKMP:(1062):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul  8: ISAKMP:(1062):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Jul  8: ISAKMP:(1062):peer does not do paranoid keepalives.
*Jul  8: ISAKMP:(1062):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10.1.1.4)
*Jul  8: ISAKMP (1062): FSM action returned error: 2
*Jul  8: ISAKMP:(1062):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Jul  8: ISAKMP:(1062):Old State = IKE_R_MM5  New State = IKE_R_MM4
*Jul  8: ISAKMP:(1062):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10.1.1.4)
*Jul  8: ISAKMP: Deleting peer node by peer_reap for 10.1.1.4: 10AC2ED8
R1(config)#no logg con
R1(config)#
In the output above we can see that we look for the R4-Profile, we are then told that the profile has no keyring, it must be the ISAKMP profile that the logs are referring to, as that is the only thing we are currently debugging. It does not find a keyring, but it does find a local preshared key. We then go looking through the ISAKMP transform sets, eventually settling on number 4. We move from IKE_R_MM1 to IKE_R_MM2, then from 2 to 3, 3 to 4 and 4 to 5 (Old state / New State). In IKE_R_MM5 we are told that there is no keyring, and the key search is aborted. So, it looks like we need to add a keyring, which will contain our pre-shared key:
R1(config)#crypto keyring R4-Keyring
R1(conf-keyring)#pre-shared-key address 10.1.1.4 key cisco2
R1(conf-keyring)#
R1(conf-keyring)#crypto isakmp profile R4-Profile
R1(conf-isa-prof)#
R1(conf-isa-prof)#keyring R4-Keyring
R1(conf-isa-prof)#
R1#
This keyring lives under the isakmp profile, and by adding this, the tunnels come up:
R4#sh ip int bri | i Tunnel
Tunnel1                    192.168.20.4    YES manual up                    up
R4#ping 192.168.20.1 so tun 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/28/52 ms
R4#
So this is why we need to use ISAKMP profiles when we have different VPNs coming in on the same interface. We did not need to add one for the connection between R1 and R3, as the exisitng one (for the Easy VPN) used the loopback address.

Before we leave, we'll shut and no shut R1's Gi0/0 interface, and make sure that we have full connectivity to the VPNs:
R1(config)#int gi 0/0
R1(config-if)#shut
R1(config-if)#
R1(config-if)#no shut
R1(config-if)#
R1(config-if)#end
R1#sh ip int bri | e unas
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.1.1        YES manual up                    up
Loopback0                  1.1.1.1         YES manual up                    up
Tunnel0                    192.168.10.1    YES manual up                    up
Tunnel1                    192.168.20.1    YES manual up                    down
Virtual-Access1            1.1.1.1         YES unset  up                    up
Virtual-Template1          1.1.1.1         YES unset  up                    down
Virtual-Template20         10.1.1.1        YES unset  up                    down

R1#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/58 ms
R1#ping 192.168.20.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/34/49 ms
R1#sh ip route static | b Gate
Gateway of last resort is 10.1.1.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.1.4
      192.168.1.0/32 is subnetted, 1 subnets
S        192.168.1.10 is directly connected, Virtual-Access1
R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/43/86 ms
R1#
Nice!

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Previous
Next Post »