Here's a nice Cisco link regarding VRF-aware IPsec VPN. I was troubleshooting a site-to-site IPsec VPN between a Cisco ASA firewall and an IOS router, but no Security Association (SA) was being established. So I ran debug crypto ikev1 on the ASA and found that no ISAKMP/IKE Phase 1 proposal was negotiated: the router answered the ASA's first Main Mode message with a NO_PROPOSAL_CHOSEN notify.
I checked the routing to the Internet on the router and found that it was using a Virtual Routing and Forwarding (VRF) instance, so I changed it to a VRF-aware IPsec VPN configuration, as shown below.
ciscoasa# debug crypto ?
ca Set PKI debug levels
condition Set IPSec/ISAKMP debug filters
engine Set crypto engine debug levels
goid Set crypto map GOID debug levels
ike-common Set IKE common debug levels
ikev1 Set IKEV1 debug levels
ikev2 Set IKEV2 debug levels
ipsec Set IPSec debug levels
ss-api Set Crypto Secure Socket API debug levels
vpnclient Set EasyVPN client debug levels
ciscoasa# debug crypto ikev1 ?
<1-255> Specify an optional debug level (default is 1)
timers debug the ikev1 timers
<cr>
ciscoasa# debug crypto ikev1 255
ciscoasa# Feb 07 02:14:25 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Feb 07 02:14:25 [IKEv1]IP = 23.2.0.7, IKE Initiator: New Phase 1, Intf inside, IKE Peer 23.2.0.7 local Proxy Address 62.18.7.6, remote Proxy Address 23.2.0.7, Crypto map (CMAP)
Feb 07 02:14:25 [IKEv1 DEBUG]IP = 23.2.0.7, constructing ISAKMP SA payload
Feb 07 02:14:25 [IKEv1 DEBUG]IP = 23.2.0.7, constructing NAT-Traversal VID ver 02 payload
Feb 07 02:14:25 [IKEv1 DEBUG]IP = 23.2.0.7, constructing NAT-Traversal VID ver 03 payload
Feb 07 02:14:25 [IKEv1 DEBUG]IP = 23.2.0.7, constructing NAT-Traversal VID ver RFC payload
Feb 07 02:14:25 [IKEv1 DEBUG]IP = 23.2.0.7, constructing Fragmentation VID + extended capabilities payload
Feb 07 02:14:25 [IKEv1]IP = 23.2.0.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
SENDING PACKET to 23.2.0.7
ISAKMP Header
Initiator COOKIE: 4a 9c c1 8a 83 02 55 30
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 172
Feb 07 02:14:25 [IKEv1]IKE Receiver: Packet received on 89.25.22.1:500 from 23.2.0.7:500
IKEv1 Recv RAW packet dump
4a 9c c1 8a 83 02 55 30 11 d6 67 4e 16 02 92 e8 | J.....U0..gN....
0b 10 05 00 00 00 00 00 00 00 00 34 00 00 00 18 | ...........4....
00 00 00 01 01 00 00 0e 0d 00 00 3c 00 00 00 01 | ...........<....
00 00 00 01 | ....
RECV PACKET from 23.2.0.7
ISAKMP Header
Initiator COOKIE: 4a 9c c1 8a 83 02 55 30
Responder COOKIE: 11 d6 67 4e 16 02 92 e8
Next Payload: Notification
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 00000000
Length: 52
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 24
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 0
Notify Type: NO_PROPOSAL_CHOSEN
Data: 0d 00 00 3c 00 00 00 01 00 00 00 01
Feb 07 02:14:25 [IKEv1]IP = 23.2.0.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 52
Feb 07 02:14:25 [IKEv1]IP = 23.2.0.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 52
Feb 07 02:14:25 [IKEv1]IP = 23.2.0.7, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Feb 07 02:14:25 [IKEv1]IP = 23.2.0.7, Information Exchange processing failed
Feb 07 02:14:33 [IKEv1]IP = 23.2.0.7, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
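Added example, not part of the original post: a small Python decoder for the "IKEv1 Recv RAW packet dump" above. It reproduces the ASA's own decode (ISAKMP header, Notification payload, NO_PROPOSAL_CHOSEN) and also reports whether the header's Encryption flag was set, which is the reason the ASA logged the notify as un-encrypted and dropped it rather than acting on it. The hex bytes are copied from the dump; the RFC 2408 code-point tables are trimmed to the values needed here.

```python
import struct

# Constructed from the ASA "IKEv1 Recv RAW packet dump" above: a 28-byte ISAKMP
# header followed by one 24-byte Notification payload (52 bytes in total).
RAW_DUMP = """
4a 9c c1 8a 83 02 55 30 11 d6 67 4e 16 02 92 e8
0b 10 05 00 00 00 00 00 00 00 00 34 00 00 00 18
00 00 00 01 01 00 00 0e 0d 00 00 3c 00 00 00 01
00 00 00 01
"""

# Code points from RFC 2408 (ISAKMP); only the values relevant to this dump are listed.
NEXT_PAYLOAD = {0: "None", 1: "Security Association", 11: "Notification", 13: "Vendor ID"}
EXCHANGE_TYPE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
NOTIFY_TYPE = {14: "NO_PROPOSAL_CHOSEN", 18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED"}
FLAG_ENCRYPTION = 0x01  # header flag: the payloads after the header are encrypted

def parse_hex_dump(dump: str) -> bytes:
    """Turn the whitespace-separated hex of a debug dump into bytes."""
    return bytes.fromhex("".join(dump.split()))

def parse_isakmp(raw: bytes) -> dict:
    """Decode the ISAKMP header and a leading, unencrypted Notification payload."""
    if len(raw) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} does not match {len(raw)} bytes")
    pkt = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(nxt, str(nxt)),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange_type": EXCHANGE_TYPE.get(xchg, str(xchg)),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid,
        "length": length,
    }
    if nxt == 11 and not pkt["encrypted"]:
        # Generic payload header (next, reserved, length), then the Notify body:
        # DOI, protocol ID, SPI size, notify type, optional SPI, notification data.
        _, _, plen = struct.unpack("!BBH", raw[28:32])
        doi, proto, spi_size, ntype = struct.unpack("!IBBH", raw[32:40])
        data = raw[40 + spi_size:28 + plen]
        pkt["notify"] = {"doi": doi, "protocol_id": proto, "spi_size": spi_size,
                         "type": NOTIFY_TYPE.get(ntype, str(ntype)), "data": data.hex()}
    return pkt
```

The 12 notification data bytes (0d 00 00 3c 00 00 00 01 00 00 00 01) are the first 12 bytes of the SA payload the ASA had just sent (next payload 13 = Vendor ID, length 60, DOI 1, situation 1), so the responder is pointing at the proposal it rejected.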
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#crypto ?
call Configure Crypto Call Admission Control
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GKM (Group Key Management, GDOI or G-IKEv2) Policy
gkm Configure GKM (Group Key Management, GDOI or G-IKEv2) Policy
identity Enter a crypto identity list
ikev2 Configure IKEv2 Options
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
ssl Configure Crypto SSL Options
tls-tunnel Configure Crypto TLS-Tunnel Options
vpn Configure crypto vpn commands
xauth X-Auth parameters
Router(config)#crypto keyring ?
WORD name of the key ring
Router(config)#crypto keyring KEY1 ?
vrf Mention a vrf it belongs to
<cr>
Router(config)#crypto keyring KEY1 vrf ?
WORD the VRF name
Router(config)#crypto keyring KEY1 vrf VPN
Router(conf-keyring)#?
Crypto Keyring Commands are:
default Set a command to its defaults
description Specify a description about this keyring
exit Exit from crypto keyring submode
local-address Limit the keyring usage to a local address
no Negate a command or set its defaults
pre-shared-key Pre-Shared Key
rsa-pubkey Peer RSA public key chain management
Router(conf-keyring)#pre-shared-key ?
address pre shared key by address
hostname pre shared key by hostname
Router(conf-keyring)#pre-shared-key address ?
A.B.C.D address prefix
ipv6 define shared key with IPv6 address
Router(conf-keyring)#pre-shared-key address 200.1.1.1 ?
A.B.C.D address prefix mask
key specify the key
Router(conf-keyring)#pre-shared-key address 200.1.1.1 key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
LINE The UNENCRYPTED (cleartext) user password
Router(conf-keyring)#pre-shared-key address 200.1.1.1 key cisco123