Cisco crypto map

cisco crypto map

What is IPsecIKE negotiation at a glanceTunnel mode and transport mode.ConfigurationIKEIPsecTroubleshootingShow commandsDebuggingReferences

This report will define basic negotiation and configuration for crypto-map-based totally IPsec VPN configuration.

This report is intended as an creation to sure elements of IKE and IPsec, it WILL include sure simplifications and colloquialisms.

IPsec is a general based protection structure for IP therefore IP-sec.

IKE (Internet Key Exchange) is one of the approaches to barter IPsec Security Associations (SAs), specially case ISAKMP (implementation of IKE) is what Cisco uses.

Currently versions of IKE exist:

This file focuses totally on IKEv1 and crypto map configuration, but maximum elements are genuine for other forms of frameworks.

To establish IKE Security Association (IKE SA or Phase 1) in a steady manner friends will want to trade sure records, those encompass:

It is essential to notice that pre shared key is not actually exchanged, it’s miles supposed factored into the choices key defensive identity. Thus if the choices peer does not have the perfect pre-shared key it will no longer be capable of authenticate and end phase 1 negotiation.

IKE SA may be established through aggressive mode or most important mode negotiation, this document covers Main Mode exchange that’s the only generally deployed.

Aggressive mode is the choices much less secure of modes and is generally used in EZVPN with pre-shared key, where additional layer of security is provided by appearing person authentication.

Once IKE SA is installed, the choices friends are geared up to set up records approximately what site visitors to guard and how to shield it. This will shape an IPsec Security Association (SA) or segment 2, in an change called Quick Mode.

Once quick mode is done and IPsec SA exists and site visitors is able to drift in a secured way.

A visual aide to remember this through:

At this stage it’s far essential to consider, all through normal operation, one IKE SA exists between friends.

During rekey or re-negotiation a couple of IKE SA can exist.

However among two peers a couple of IPsec SAs can exist.

This concept is visualized right here.

As the above diagram suggests there are IPsec SAs, diagnosed by way of Security Parameter Index (SPI), present on a tool for every route, one for inbound site visitors one for outbound visitors.

It is also vital to bear in mind that inbound IPsec SA on left hand side device, if the outbound IPsec SA on proper hand side device, and vice versa.

At this degree it is also well worth to mention that “nearby” and “far off” networks are reversed on each quit. This concept will arise once more whilst acting configuration of “thrilling traffic” in a while.

When IPsec protects visitors, it has multiple services and modes to pick from.

Second service is much more broadly deployed.

While it’s far viable to mix the two services, it’s far an very rare scenario, with limitated-or-no support on sure structures.

More is some other concept which arise pretty often with IPsec. Two modes exist:

A mode that is the choices most not unusual for most crypto map deployments is Encryption Services and  tunnel mode. However let’s examine an outline how every of those will paintings.

First let’s have a look at AH and ESP and the way they tread unique IP datagram, in this example a few TCP records can be despatched over.

And now approximately how the ones IP protocols match inside the modes.

As talked about the final mode is what is usually used with crypto map based IPsec VPNs.

In this mode, RFC1918 addresses (or in truth every other IP address) can be despatched over the choices Internet encapsulated in new IP header on the way to use addresses routable on the Internet.

Now that primary theoretical ideas are delivered, this file will show a way to map those into the real crypto map based configuration.

ISAKMP policy defines, what will be the choices manner to authenticate, and how to protect negotiation , as well as how long and IKE SA may be alive earlier than re-negotiation (by way of default it’s someday).

Those parametrs need to agree on each ends of the tunnel.

In preceding phase the choices manner to authenticate changed into precise, here the choices configuration creates belief of the real pre-shared key to be used to authenticate the peer. In this case it has cost of “take a look at”.

crypto keyring MY_KEYRING

  pre-shared-key address key test

This profile binds collectively functions used by IKE and IPSec, it will be in a while referenced in IPsec section, in crypto map configuration.

crypto isakmp profile MY_PROFILE

In this case the choices profile sprecifies that any (wildcard identification of kind “deal with” need to fall underneath this profile.

It is crucial to say that we’re discussing approximately peer IDENTITY, in this situation peer of kind address with cost of “any” is matched.

Self-identification statement tells this router to apply it’s personal identification of kind cope with while performing authentication.

Optionally, in case of VRF-ware IPsec, that is in which IVRF (in this example MY_IVRF) is referenced.

It is also critical to word that our identity (self-identity) is what the far off peer will need to healthy of their ISAKMP profile.

In a classic exampe if we send our identity as cope with, the choices far off peer will should suit identity of type “address”.

The Diffie-Hellman keys (and different parameters, or VIDs) are exchanged automatically and infrequently require plenty configuration.

As in case of IKE positive parameters need to be exchanged for IPsec SAs to be set up. Also as in case of ISAKMP profile we are able to introduce a vital factor of crypto map.

As mentioned previously a tool desires to recognize the way to guard site visitors, that is where transform set comes into play. It defines what hashing and encryption algorithm is for use to protect visitors.

In this case 3DES and SHA had been chosen.

For guidance and recommendations on present day pleasant practices approximately chosing the choices proper algorithms refer to:

Crypto maps use site visitors selection mechanism in form of get entry to-list.

The get entry to-list is usually described from local attitude, i.e. Cisco devices will use an get right of entry to-list so one can pick out (the use of allow statement) visitors from X to Y and on it is peer the choices get right of entry to-listing could be mirrored deciding on traffic from Y to X.

It is essential to note that that is one of the things checked/enforced at some point of negotiation.

In this situation router could be fascinated to encrypt all site visitors from subnet. The far flung stop will used get right of entry to-listing specifying the choices opposite “any to” (or use dynamic crypto map!).

Crypto map is a function binding all the facts we discussed before on this section and former collectively.

A few statistics approximately crypto map.

The crypto map kinds mentioned and their usage:

crypto map MY_CRYPTO_MAP a hundred ipsec-isakmp

set remodel-set MY_SET

set isakmp-profile MY_PROFILE

Looking at this example,

Crypto map names MY_CRYPTO_MAP has entry a hundred using ISAKMP to negotiate IPsec.

This crypto map access have to healthy traffic targeted by using access-list a hundred and perform parameters described in ISAKMP profile known as MY_PROFILE.

The manner to defend visitors is defined in remodel set MY_SET.

When appearing IKE negotiation, packets should be despatched to look

A crypto map (by name) is then applied to an interface.

r2#sh run int e1/zero

crypto map MY_CRYPTO_MAP

When troubleshooting both show and debug instructions have to be used.

r2#sh crypto isa sa


dst             src             state          conn-identity status

In this situation there is handiest one session and it is in nation “ACTIVE”.

r2#sh crypto ipsec sa

    Crypto map tag: MAP, neighborhood addr

   neighborhood  ident (addr/mask/prot/port): (

   far flung ident (addr/mask/prot/port): (

    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

    #pkts decaps: 5, #pkts decrypt: five, #pkts verify: five

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts no longer compressed: 0, #pkts compr. failed: 0

    #pkts now not decompressed: 0, #pkts decompress failed: zero

    #send mistakes 0, #recv mistakes zero

     neighborhood crypto endpt.:, far off crypto endpt.: 172.sixteen.1.1

     course mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/zero

     modern-day outbound spi: 0xDFDE17CA(3755874250)

     PFS (Y/N): N, DH group: none

      spi: 0x205F6BE9(543124457)

        conn id: thirteen, flow_id: SW:thirteen, sibling_flags 80000040, crypto map: MY_CRYPTO_MAP

        sa timing: remaining key lifetime (okay/sec): (4335214/3551)

        replay detection guide: Y

        conn identification: 14, flow_id: SW:14, sibling_flags 80000040, crypto map: MY_CRYPTO_MAP

        sa timing: last key lifetime (ok/sec): (4335214/3551)

        replay detection assist: Y

In the above case traffic between neighborhood (in global VRF) to remote is covered and remote peer is 172.sixteen.1.1.

There are two IPsec SAs lively (one in each route) and we processed overall of five packets in each path.

r2#sh crypto session

Crypto session contemporary repute

  IKEv1 SA: local far off 172.sixteen.1.1/500 Active

  IPSEC FLOW: allow ip

        Active SAs: 2, beginning: crypto map

Show crypto consultation offers at-a-look view of information collected already with preceding instructions.

Peer IP cope with, what’s the choices protected site visitors and how many lively SAs are present.

This scenario is from a operating tunnel.

To narrow down debugging to one peer conditional debugging need to be used.

On IOS that is completed by appearing:

Two most important element can be debugged doctors/DOC-13524

Correction  of IP protocol

Of route you’re correct. Reference:

Unfortunately I cannot rate your solution, the rating button isn’t available :