While setting up an IPSec VPN between an ASA and an IOS router, dual-hub DMVPN, GET VPN and Easy VPN, one factor has slowed progress immensely: ISAKMP profiles. The VPNs seem to work much better without them than with them.
So, why and when do we need to use them? Let's lab it up and find out!
R4 will be the gateway between the routers, R1 will be the Easy VPN server, which R2 will connect to, and there will be an IPSec VPN between R1 and R3. We will then add another IPSec VPN between R1 and R4. This way we only need to focus on R1, in terms of complexity. We will use static routing across the network, and the last octet for all of the interfaces will be the router number.
The basic config is below:
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#int gi 0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.4
R1(config)#

R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#int gi0/0
R2(config-if)#ip add 10.1.2.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.2.4
R2(config)#

R3(config)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.255
R3(config-if)#int gi 0/0
R3(config-if)#ip add 10.1.3.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.3.4
R3(config)#

R4(config)#int gi0/0
R4(config-if)#ip add 10.1.2.4 255.255.255.0
R4(config-if)#no shut
R4(config-if)#int gi0/1
R4(config-if)#ip add 10.1.1.4 255.255.255.0
R4(config-if)#no shut
R4(config-if)#int gi 0/2
R4(config-if)#ip add 10.1.3.4 255.255.255.0
R4(config-if)#no shut
R4(config-if)#ip route 1.1.1.1 255.255.255.255 10.1.1.1
R4(config)#ip route 2.2.2.2 255.255.255.255 10.1.2.2
R4(config)#ip route 3.3.3.3 255.255.255.255 10.1.3.3
R4(config)#

Let's start with Easy VPN:
R2(config)#crypto ipsec client ezvpn EZ-Group
R2(config-crypto-ezvpn)#connect auto
R2(config-crypto-ezvpn)#group EZ-Group key cisco
R2(config-crypto-ezvpn)#mode client
R2(config-crypto-ezvpn)#peer 1.1.1.1
R2(config-crypto-ezvpn)#
R2(config-crypto-ezvpn)#int lo0
R2(config-if)#crypto ipsec client ez EZ-Group inside
R2(config-if)#int gi0/0
R2(config-if)#crypto ipsec client ez EZ-Group
R2(config-if)#exit
R2(config)#crypto isakmp policy 10
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)#

R1(config)#aaa new-model
R1(config)#aaa authentication login AuthC-list local
R1(config)#aaa authorization network AuthZ-list local
R1(config)#
R1(config)#crypto isakmp client configuration group EZ-Group
R1(config-isakmp-group)#key cisco
R1(config-isakmp-group)#pool EZ-Pool
R1(config-isakmp-group)#exit
R1(config)#
R1(config)#crypto isakmp profile EZ-Profile
R1(conf-isa-prof)#match identity group EZ-Group
R1(conf-isa-prof)#isakmp authorization list AuthZ-list
R1(conf-isa-prof)#client configuration address respond
R1(conf-isa-prof)#client config group EZ-Group
R1(conf-isa-prof)#virtual-template 1
R1(conf-isa-prof)#
R1(conf-isa-prof)#crypto ipsec transform EZ-TS esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
R1(config)#crypto ipsec profile EZ-Profile
R1(ipsec-profile)#set transform-set EZ-TS
R1(ipsec-profile)#set isakmp-profile EZ-Profile
R1(ipsec-profile)#exit
R1(config)#int virtual-template 1 type tunnel
R1(config-if)#ip unnumbered lo0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec pro EZ-Profile
R1(config-if)#ex
R1(config)#
R1(config)#username cisco password cisco
R1(config)#
R1(config)#crypto isakmp policy 10
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)#ip local pool EZ-Pool 192.168.1.10 192.168.1.20
R1(config)#

The result is that the loopback interface is created on R2, we have a route for it in R1's routing table, and it is reachable:
R2#sh ip int bri | e unass
Interface            IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0   10.1.2.2        YES manual up       up
Loopback0            2.2.2.2         YES manual up       up
Loopback10000        192.168.1.10    YES TFTP   up       up
NVI0                 10.1.2.2        YES unset  up       up
R2#
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         10.1.2.2        QM_IDLE           1036 ACTIVE

IPv6 Crypto ISAKMP SA

R2#

R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/30/45 ms
R1#

Now let's set up the other VPN:
R1(config)#crypto isakmp policy 20
R1(config-isakmp)#enc aes
R1(config-isakmp)#hash md5
R1(config-isakmp)#auth pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#exit

R3(config)#crypto isakmp policy 20
R3(config-isakmp)#enc aes
R3(config-isakmp)#hash md5
R3(config-isakmp)#auth pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#exit

R1(config)#crypto isakmp key cisco1 address 10.1.3.3
R1(config)#crypto ipsec transform IPSec-TS esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile IPSec-Profile
R1(ipsec-profile)#set transform-set IPSec-TS
R1(ipsec-profile)#exit
R1(config)#int tunnel 0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#tun sour gi0/0
R1(config-if)#tunn dest 10.1.3.3
R1(config-if)#tun mode ipsec ipv4
R1(config-if)#tun pro ipsec prof IPSec-Profile
R1(config-if)#

R3(config)#crypto isakmp key cisco1 address 10.1.1.1
R3(config)#crypto ipsec transform IPSec-TS esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile IPSec-Profile
R3(ipsec-profile)#set transform-set IPSec-TS
R3(ipsec-profile)#exit
R3(config)#int tunnel 0
R3(config-if)#ip add 192.168.10.3 255.255.255.0
R3(config-if)#tun sour gi0/0
R3(config-if)#tunn dest 10.1.1.1
R3(config-if)#tun mode ipsec ipv4
R3(config-if)#tun pro ipsec prof IPSec-Profile
R3(config-if)#

We did not add another ISAKMP profile this time, but the tunnels are up and we have reachability:
R1#sh ip int bri | e unas
Interface            IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0   10.1.1.1        YES manual up       up
Loopback0            1.1.1.1         YES manual up       up
Tunnel0              192.168.10.1    YES manual up       up
Virtual-Access1      1.1.1.1         YES unset  up       up
Virtual-Template1    1.1.1.1         YES unset  up       down
R1#ping 192.168.10.3 so tun 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/33/43 ms
R1#

The tunnel is up and we have connectivity, with only one ISAKMP profile (the one for the Easy VPN) on R1. So, what happens when we add a third VPN?
R4(config)#crypto isakmp key cisco2 address 10.1.1.1
R4(config)#crypto ipsec transform-set IPSec2-TS esp-aes 256 esp-sha-hmac
R4(cfg-crypto-trans)#exit
R4(config)#crypto ipsec profile IPSec2-Profile
R4(ipsec-profile)#set transform-set IPSec2-TS
R4(ipsec-profile)#exit
R4(config)#int tunnel 1
R4(config-if)#ip add 192.168.20.4 255.255.255.0
R4(config-if)#tun so gi 0/1
R4(config-if)#tun dest 10.1.1.1
R4(config-if)#tunnel protection ipsec profile IPSec2-Profile
R4(config-if)#
*Jul 8: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Jul 8: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.1.1.1
R4(config-if)#

We start to see failures, but that is expected: the other side (R1) is not yet set up for the new tunnel. Let's do that now:
R1(config)#crypto isakmp key cisco2 address 10.1.1.4
R1(config)#crypto ipsec transform-set IPSec2-TS esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile IPSec2-Profile
R1(ipsec-profile)#set transform-set IPSec2-TS
R1(ipsec-profile)#exit
R1(config)#int tun 1
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#tun so gi0/0
R1(config-if)#tun dest 10.1.1.4
R1(config-if)#tunnel protection ipsec profile IPSec2-Profile
R1(config-if)#

We are using the same set of commands as we did between R1 and R3, with a little variation (a different key and a stronger transform set) to keep the two VPNs distinguishable. However, the tunnel does not come up:
*Jul 8: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.1.1.1
*Jul 8: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
*Jul 8: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
R4#
R4#sh ip int bri | e unas
Interface            IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0   10.1.2.4        YES manual up       up
GigabitEthernet0/1   10.1.1.4        YES manual up       up
GigabitEthernet0/2   10.1.3.4        YES manual up       up
Tunnel1              192.168.20.4    YES manual up       down
R4#ping 192.168.20.1 so tun 1
% Invalid source interface - IP not enabled or interface is down
R4#

R1#sh ip int bri | i Tunnel1
Tunnel1              192.168.20.1    YES manual up       down
R1#

Let's set up an ISAKMP profile and a virtual template:
R1(config)#crypto isakmp profile R4-Profile
R1(conf-isa-prof)#match identity address 10.1.1.4
R1(conf-isa-prof)#virtual-template 20
R1(conf-isa-prof)#exit
R1(config)#int virtual-template 20 type tunnel
R1(config-if)#ip unnumbered tunnel1
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSec2-Profile
R1(config-if)#exit
R1(config)#crypto ipsec profile IPSec2-Profile
R1(ipsec-profile)#set isakmp-profile R4-Profile
R1(ipsec-profile)#

Still nothing. Let's look at the (truncated) logs:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#logging con
R1(config)#
*Jul 8: ISAKMP:(0): SA request profile is R4-Profile
*Jul 8: ISAKMP: Created a peer struct for 10.1.1.4, peer port 500
*Jul 8: ISAKMP:(0):Profile has no keyring, aborting key search
*Jul 8: ISAKMP:(0):Profile has no keyring, aborting host key search
*Jul 8: ISAKMP:(0):found peer pre-shared key matching 10.1.1.4
*Jul 8: ISAKMP:(0): local preshared key found
*Jul 8: ISAKMP : Scanning profiles for xauth ... EZ-Profile R4-Profile
*Jul 8: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 8: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jul 8: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jul 8: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jul 8: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Jul 8: ISAKMP:(0):atts are acceptable.
Next payload is 0
*Jul 8: ISAKMP:(0): sending packet to 10.1.1.4 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 8: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Jul 8: ISAKMP (0): received packet from 10.1.1.4 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 8: ISAKMP:(0):found peer pre-shared key matching 10.1.1.4
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Jul 8: ISAKMP:(1062): sending packet to 10.1.1.4 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 8: ISAKMP:(1062):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jul 8: ISAKMP (1062): received packet from 10.1.1.4 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 8: ISAKMP:(1062):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Jul 8: ISAKMP:(1062): processing ID payload. message ID = 0
*Jul 8: ISAKMP:(0):: peer matches R4-Profile profile
*Jul 8: ISAKMP:(1062):Profile has no keyring, aborting key search
*Jul 8: ISAKMP:(1062):Key not found in keyrings of profile , aborting exchange
*Jul 8: ISAKMP (1062): FSM action returned error: 2
*Jul 8: ISAKMP:(1062):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Jul 8: ISAKMP:(1062):peer does not do paranoid keepalives.
*Jul 8: ISAKMP:(1062):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10.1.1.4)
*Jul 8: ISAKMP (1062): FSM action returned error: 2
*Jul 8: ISAKMP:(1062):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM5  New State = IKE_R_MM4
*Jul 8: ISAKMP:(1062):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10.1.1.4)
*Jul 8: ISAKMP: Deleting peer node by peer_reap for 10.1.1.4: 10AC2ED8
R1(config)#no logg con
R1(config)#

In the output above we can see the router look up R4-Profile and then report that the profile has no keyring. That message refers to the ISAKMP profile, since that is the only thing being debugged here. No keyring is found, but a local pre-shared key is. The router then checks each ISAKMP transform offered by the peer against the priority 10 policy, eventually accepting transform 4. The exchange moves from IKE_R_MM1 to IKE_R_MM2, then from 2 to 3, 3 to 4 and 4 to 5 (Old State / New State). In IKE_R_MM5, once the peer's identity has matched R4-Profile, we are told again that the profile has no keyring, the key search is aborted, and the exchange with it. So, it looks like we need to add a keyring to the profile, containing our pre-shared key:
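Reading the state transitions and the "no keyring" message out of a wall of debug output by eye is error-prone, so here is a small triage helper for `debug crypto isakmp` output. It is an added example, not part of the original post: it walks the lines, records the main-mode states the responder actually entered, picks out which ISAKMP profile the peer matched, and names the first fatal cause it can recognise (the missing-keyring case from this page, and the case where no offered transform ever matches an ISAKMP policy). The sample input is a trimmed subset of the debug lines quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed subset of the `debug crypto isakmp` output quoted on this page.
SAMPLE_DEBUG = """\
*Jul 8: ISAKMP:(0):Profile has no keyring, aborting key search
*Jul 8: ISAKMP:(0):found peer pre-shared key matching 10.1.1.4
*Jul 8: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 8: ISAKMP:(0):atts are acceptable.
*Jul 8: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jul 8: ISAKMP:(1062):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Jul 8: ISAKMP:(0):: peer matches R4-Profile profile
*Jul 8: ISAKMP:(1062):Key not found in keyrings of profile , aborting exchange
*Jul 8: ISAKMP:(1062):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10.1.1.4)
"""
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PROFILE_RE = re.compile(r"peer matches (\S+) profile")
PEER_RE = re.compile(r"\(peer (\d+(?:\.\d+){3})\)")

@dataclass
class IsakmpTriage:
    states: List[str] = field(default_factory=list)  # main-mode states actually entered
    profile: Optional[str] = None   # ISAKMP profile the peer's identity matched
    peer: Optional[str] = None
    cause: Optional[str] = None     # first fatal cause recognised, if any

def triage_isakmp_debug(text: str) -> IsakmpTriage:
    """Walk `debug crypto isakmp` output and name the first fatal cause it shows."""
    t = IsakmpTriage()
    policy_mismatch, policy_accepted = False, False
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if new != old:  # IKE_R_MM3 -> IKE_R_MM3 is a re-entry, not progress
                t.states.append(new)
        if m := PROFILE_RE.search(line):
            t.profile = m.group(1)
        if m := PEER_RE.search(line):
            t.peer = m.group(1)
        # A per-transform mismatch is only fatal if no transform is ever accepted.
        policy_mismatch = policy_mismatch or "does not match policy" in line
        policy_accepted = policy_accepted or "atts are acceptable" in line
        if t.cause is None and "Key not found in keyrings of profile" in line:
            t.cause = "isakmp-profile-missing-keyring"
    if t.cause is None and policy_mismatch and not policy_accepted:
        t.cause = "no-matching-isakmp-policy"
    return t
```

For the sample above the result names R4-Profile, peer 10.1.1.4 and the missing-keyring cause, which is exactly the fix applied next.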
R1(config)#crypto keyring R4-Keyring
R1(conf-keyring)#pre-shared-key address 10.1.1.4 key cisco2
R1(conf-keyring)#
R1(conf-keyring)#crypto isakmp profile R4-Profile
R1(conf-isa-prof)#
R1(conf-isa-prof)#keyring R4-Keyring
R1(conf-isa-prof)#
R1#

The keyring is referenced from under the ISAKMP profile, and once it is added the tunnels come up:
R4#sh ip int bri | i Tunnel
Tunnel1              192.168.20.4    YES manual up       up
R4#ping 192.168.20.1 so tun 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/28/52 ms
R4#

So this is why we need ISAKMP profiles (with their own keyring) when we have different VPNs coming in on the same interface. We did not need to add one for the connection between R1 and R3, as the existing profile (for the Easy VPN) used the loopback address.
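The lesson above turns into a simple configuration check: an ISAKMP profile that is referenced from an IPsec profile and matches a peer by address must carry a keyring, and that keyring must hold a pre-shared key for the matched address. Below is an added audit script (not part of the original post or any Cisco tooling) that parses the relevant `crypto` sections of a running-config and reports violations; the sample configs are constructed from R1's fragments on this page, before and after the keyring was added. Group-matched profiles such as EZ-Profile are deliberately skipped, since their key comes from the client configuration group.

```python
import re
from typing import Dict, List

# Constructed sample: R1's relevant fragments from this page as they stood when the
# R1-R4 tunnel was failing (R4-Profile matches by address but has no keyring).
BROKEN_CONFIG = """\
crypto isakmp profile EZ-Profile
 match identity group EZ-Group
 virtual-template 1
crypto isakmp profile R4-Profile
 match identity address 10.1.1.4
 virtual-template 20
crypto ipsec profile EZ-Profile
 set isakmp-profile EZ-Profile
crypto ipsec profile IPSec2-Profile
 set isakmp-profile R4-Profile
"""
# The fix applied on the page: a keyring holding the PSK, referenced from the profile.
FIXED_CONFIG = "crypto keyring R4-Keyring\n pre-shared-key address 10.1.1.4 key cisco2\n" + \
    BROKEN_CONFIG.replace(" match identity address 10.1.1.4\n",
                          " match identity address 10.1.1.4\n keyring R4-Keyring\n")
SECTION_RE = re.compile(r"crypto (keyring|isakmp profile|ipsec profile) (\S+)")

def parse_sections(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Group each indented line under its parent 'crypto ...' line, keyed by section type."""
    sections: Dict[str, Dict[str, List[str]]] = {"keyring": {}, "isakmp profile": {}, "ipsec profile": {}}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):  # a new top-level line; only crypto sections are kept
            m = SECTION_RE.match(line)
            current = sections[m.group(1)].setdefault(m.group(2), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return sections

def audit(config: str) -> List[str]:
    """Flag ISAKMP profiles used by an IPsec profile that match by address but cannot find a PSK."""
    s = parse_sections(config)
    findings: List[str] = []
    for lines in s["ipsec profile"].values():
        for prof in (l.split()[-1] for l in lines if l.startswith("set isakmp-profile ")):
            plines = s["isakmp profile"].get(prof, [])
            keyrings = [x.split()[1] for x in plines if x.startswith("keyring ")]
            keys = [k for kr in keyrings for k in s["keyring"].get(kr, [])]
            for addr in (x.split()[3] for x in plines if x.startswith("match identity address ")):
                if not keyrings:
                    findings.append(f"{prof}: matches address {addr} but has no keyring")
                elif not any(k.startswith(f"pre-shared-key address {addr} ") for k in keys):
                    findings.append(f"{prof}: no keyring holds a pre-shared-key for {addr}")
    return findings
```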
Before we leave, we'll shut and no shut R1's Gi0/0 interface, and make sure that we have full connectivity to the VPNs:
R1(config)#int gi 0/0
R1(config-if)#shut
R1(config-if)#
R1(config-if)#no shut
R1(config-if)#
R1(config-if)#end
R1#sh ip int bri | e unas
Interface            IP-Address      OK? Method Status   Protocol
GigabitEthernet0/0   10.1.1.1        YES manual up       up
Loopback0            1.1.1.1         YES manual up       up
Tunnel0              192.168.10.1    YES manual up       up
Tunnel1              192.168.20.1    YES manual up       down
Virtual-Access1      1.1.1.1         YES unset  up       up
Virtual-Template1    1.1.1.1         YES unset  up       down
Virtual-Template20   10.1.1.1        YES unset  up       down
R1#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/58 ms
R1#ping 192.168.20.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/34/49 ms
R1#sh ip route static | b Gate
Gateway of last resort is 10.1.1.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.1.4
      192.168.1.0/32 is subnetted, 1 subnets
S        192.168.1.10 is directly connected, Virtual-Access1
R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/43/86 ms
R1#

Nice!