Guest

Cisco PIX 500 Series Security Appliances

PIX/ASA 7.x: DMZ Interface Part of the IPsec Tunnel Interesting Traffic Configuration Example

Cisco - PIX/ASA 7.x: DMZ Interface Part of the IPsec Tunnel Interesting Traffic Configuration Example

Document ID: 69385

Updated: Oct 16, 2008

   Print

Introduction

This configuration allows two Cisco Secure PIX Firewalls with PIX 7.x to run a simple VPN tunnel from the inside and the Demilitarized Zone (DMZ) interfaces of one PIX to the other PIX over the Internet or any public network that uses IPsec.

IPsec is a combination of open standards that provides data confidentiality, data integrity and data origin authentication between IPsec peers.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

Components Used

The information in this document is based on the Cisco Secure PIX 515E Firewall with Cisco PIX Security Appliance software version 7.2(1) with DMZ interfaces.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

IPsec negotiation can be broken down into five steps and includes two Internet Key Exchange (IKE) phases.

  1. An IPsec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPsec peers.

  2. In IKE Phase 1, the IPsec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using ISAKMP.

  3. In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.

  4. The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.

  5. The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

    Note: IPsec negotiation between the two PIXes fails if the SAs on both of the IKE phases do not match on the peers.

Configure

In this section, you are presented with the information to configure the IPsec tunnel between both the inside interface and the DMZ interface on one PIX to the other PIX.

This configuration assumes that the basic routing configuration is already in place and that the devices are reachable end-to-end. Throughout this document, you can verify the configuration with these show commands.

  • show isakmp

  • show isakmp policy

  • show access-list

  • show crypto ipsec transform-set

  • show crypto isakmp sa

  • show crypto ipsec sa

Refer to the Cisco Secure PIX Firewall Command References for more information on these show commands.

The formation of a secure IPsec tunnel happens in IKE Phase 1 and IKE Phase 2.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

pix-asa-7x-dmz-ipsec-tunnel-1.gif

Configurations

This document uses these configurations:

IKE for Preshared Keys Configuration

Enable IKE on the IPsec terminating interfaces by using the isakmp enable command. In this scenario, the outside interface is the IPsec terminating interface on both PIXes. IKE is configured on both PIXes. Use the isakmp enable outside command on both PIXes.

Use the isakmp policy command to define the IKE policies that are used during the IKE negotiations. When you use this command, you must assign a priority level so that the policies are uniquely identified. In this case, the priority of 10 is assigned to the policy.

PIX1(config)#isakmp policy 10 authentication pre-share
PIX1(config)#isakmp policy 10 encryption des
PIX1(config)#isakmp policy 10 hash md5
PIX1(config)#isakmp policy 10 group 1
PIX1(config)#isakmp policy 10 lifetime 1000

This policy is also set to:

  • Use a preshared key

  • Use MD5 hashing algorithm for data authentication

  • Use DES for Encapsulating Security Payload (ESP)

  • Use Diffie-Hellman group1

  • Set the SA lifetime

Use the show isakmp policy command to verify if the policy is actually configured with all the parameters of your choice.

In order to create and manage the database of connection-specific records for IPsec tunnels, use the tunnel-group command in global configuration mode. The name of the tunnel group must be the IP address of the peer. The type should be IPsec LAN-to-LAN. Under the IPsec tunnel configuration mode, issue the pre-shared-key <Password> command as shown:

PIX1(config)#tunnel-group 172.16.2.5 type ipsec-l2l
PIX1(config)#tunnel-group 172.16.2.5 ipsec-attributes
PIX1(config-tunnel-ipsec)#pre-shared-key cisco

Network Address Translation (NAT) Configuration

This setup uses NAT exemption for the traffic to be tunneled. This means that the interesting traffic goes un-NATed. All other traffic uses Port Address Translation (PAT) to change the source IP address of the packet to the IP address of the outside interface.

PIX1(config)#access-list NoNAT extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list NoNAT extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list PAT permit ip 10.2.2.0 255.255.255.0 any
PIX1(config)#access-list PAT permit ip 10.3.3.0 255.255.255.0 any
PIX1(config)#nat (inside) 0 access-list NoNAT
PIX1(config)#nat (inside) 1 access-list PAT
PIX1(config)#nat (DMZ) 0 access-list NoNAT
PIX1(config)#nat (DMZ) 1 access-list PAT 
PIX1(config)#global (outside) 1 interface

Similarly, on PIX2, identity NAT is configured for the traffic to be tunneled and all other traffic is sent using PAT.

PIX2(config)#access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
PIX2(config)#access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
PIX2(config)#nat (inside) 0 access-list NoNAT
PIX2(config)#nat (inside) 1 10.6.6.0 255.255.255.0
PIX2(config)#global (outside) 1 interface

IPsec Configuration

IPsec is initiated when one of the PIXes receives traffic that is destined for the inside network of the other PIX. This traffic is deemed interesting traffic that needs to be protected by IPsec. An access list is used to determine which traffic initiates the IKE and IPsec negotiations. The access list named INTERESTING permits the traffic to be sent from the 10.2.2.0 and 10.3.3.0 networks on the PIX1 Firewall to the 10.6.6.0 network on the PIX2 Firewall.

PIX1(config)#access-list INTERESTING extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
PIX1(config)#access-list INTERESTING extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0

The IPsec transform set defines the security policy that the peers use to protect the data flow. The IPsec transform is defined by using the crypto ipsec transform-set command. A unique name must be chosen for the transform set and up to three transforms can be selected to define the IPsec security protocols. This configuration only uses two transforms:

  • esp-md5-hmac

  • esp-des

PIX1(config)#crypto ipsec transform-set my-set esp-des esp-md5-hmac

Crypto maps set up IPsec SAs for the encrypted traffic. You must assign a map name and a sequence number, and define the crypto map parameters to create a crypto map. The crypto map "mymap" uses IKE to establish IPsec SAs, encrypts anything that matches the INTERESTING access list, has a set peer, and uses the my-set transform-set to enact its security policy for traffic.

PIX1(config)#crypto map mymap 20 match address INTERESTING
PIX1(config)#crypto map mymap 20 set peer 172.16.2.5
PIX1(config)#crypto map mymap 20 set transform-set my-set

After you define the crypto map, use the crypto map mymap interface outside command to apply the crypto map to an interface. The interface you choose should be the IPsec terminating interface.

PIX1(config)#crypto map mymap interface outside

PIX1 Configuration

PIX1

!--- Output is suppressed.


interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet2
 nameif DMZ1
 security-level 50
 ip address 10.3.3.2 255.255.255.0


!--- Output is suppressed.



!--- This access control list (ACL) is for NAT 0.

access-list NoNAT extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list NoNAT extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0


!--- This ACL defines the interesting traffic.

access-list INTERESTING extended permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
access-list INTERESTING extended permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0


!--- This ACL is for PAT.

access-list PAT permit ip 10.2.2.0 255.255.255.0 any
access-list PAT permit ip 10.3.3.0 255.255.255.0 any


!--- Output is suppressed.



!--- NAT control requires NAT for inside or DMZ hosts 
!--- when they access the outside.

nat-control




!--- This is the global statement for PAT.

global (outside) 1 interface


!--- This command is for the NAT 0 entry on the inside interface.

nat (inside) 0 access-list NoNAT


!--- This command is for the PAT entry on the inside interface.

nat (inside) 1 access-list PAT 


!--- This command is for the NAT 0 entry on the DMZ interface.

nat (DMZ) 0 access-list NoNAT


!--- This command is for the PAT entry on the DMZ interface.

nat (DMZ) 1 access-list PAT


route outside 0.0.0.0 0.0.0.0 172.16.1.4 1



!--- Output is suppressed.




!--- This command defines the IPsec transform set with the 
!--- security policy that the peers use to protect the data flow.

crypto ipsec transform-set my-set esp-des esp-md5-hmac


!--- These commands allow crypto map to set up IPsec SAs
!--- for the encrypted traffic.

crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.2.5
crypto map mymap 20 set transform-set my-set


!--- This command applies the crypto map to the outside interface.

crypto map mymap interface outside


!--- This command applies the crypto map to the outside interface.

isakmp enable outside


!--- These commands apply the crypto map to the outside interface.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000


!--- Output is suppressed.




!--- These commands create and manage the database of connection-specific 
!--- records for IPsec tunnels. Issue a preshared key, which should be the same as 
!--- that on the peer.

tunnel-group 172.16.2.5 type ipsec-l2l
tunnel-group 172.16.2.5 ipsec-attributes
 pre-shared-key *


!--- Output is suppressed.

PIX2 Configuration

Configuration on PIX2

!--- Output is suppressed.


interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.2.5 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.6.6.5 255.255.255.0


!--- Output is suppressed.


access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NoNAT extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list INTERESTING extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0


!--- Output is suppressed.



global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 10.6.6.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.2.4 1


!--- Output is suppressed.


crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto map mymap 20 match address INTERESTING
crypto map mymap 20 set peer 172.16.1.2
crypto map mymap 20 set transform-set my-set
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000


!--- Output is suppressed.


tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key *
telnet timeout 5


!--- Output is suppressed.

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show crypto isakmp sa—Displays current IKE SAs.

    PIX1#show crypto isakmp sa
    
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: 172.16.2.5
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
  • show crypto ipsec sa—Displays the settings used by current SAs.

    Once you send the traffic between networks defined as interesting traffic, the IPsec tunnel is triggered. A ping between two hosts can be used to test the formation of the tunnel.


!--- This is show crypto ipsec sa command output on PIX1.

PIX1#show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2

      access-list INTERESTING permit ip 10.2.2.0 255.255.255.0 10.6.6.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      current_peer: 172.16.2.5


!--- This verifies that encrypted packets are 
!--- sent and recede without any errors.


      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.5

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 80A00578

    inbound esp sas:
      spi: 0xD92F129E (3643740830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28593)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x80A00578 (2157970808)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28591)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: mymap, seq num: 20, local addr: 172.16.1.2

      access-list INTERESTING permit ip 10.3.3.0 255.255.255.0 10.6.6.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      current_peer: 172.16.2.5

      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.5

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 3D0C2074

    inbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28658)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3D0C2074 (1024204916)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824980/28658)
         IV size: 8 bytes
         replay detection support: Y




!--- This is show crypto ipsec sa command output on PIX2.


PIX2#show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5

      access-list INTERESTING permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: 172.16.2.5, remote crypto endpt.: 172.16.1.2

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 5B64B9D6

    inbound esp sas:
      spi: 0x3D0C2074 (1024204916)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28465)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x5B64B9D6 (1533327830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28463)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: mymap, seq num: 20, local addr: 172.16.2.5

      access-list INTERESTING permit ip 10.6.6.0 255.255.255.0 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.6.6.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 172.16.1.2

      #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
      #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 199, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.2.5, remote crypto endpt.: 172.16.1.2

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: D92F129E

    inbound esp sas:
      spi: 0x80A00578 (2157970808)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28393)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD92F129E (3643740830)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274980/28393)
         IV size: 8 bytes
         replay detection support: Y

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you issue debug commands.

debug crypto isakmp—Displays debug information about IPsec connections.

debug crypto isakmp
pix3#debug crypto isakmp 7

Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Oakley proposal is acceptable
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Fragmentation VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, IKE Peer included 
IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing ke payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing nonce payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing Cisco Unity VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing xauth V6 VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Send IOS VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Constructing ASA spoofing 
IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, constructing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + 
VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + 
VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing ke payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing ISA_KE payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing nonce payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Cisco Unity client VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received xauth V6 VID
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Processing VPN3000/ASA 
spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, processing VID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Received Altiga/Cisco 
VPN3000/Cisco ASA GW VID
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, Connection landed on tunnel_group 172.16.2.5
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Generating keys for Initiator...
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing ID payload
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing hash payload
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Computing hash for ISAKMP
Jan 01 04:34:49 [IKEv1 DEBUG]: IP = 172.16.2.5, Constructing IOS keep 
alive payload: proposal=32767/32767 sec.
Jan 01 04:34:49 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing dpd vid payload
Jan 01 04:34:49 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message (msgid=0) 
with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13)
 + NONE (0) total length : 92
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) 
+ VENDOR (13) + NONE (0) total length : 92
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Computing hash for ISAKMP
Jan 01 04:34:50 [IKEv1 DEBUG]: IP = 172.16.2.5, Processing IOS keep 
alive payload: proposal=32767/32767 sec.
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing VID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Received DPD VID
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, Connection landed on tunnel_group 172.16.2.5
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, Freeing 
previously allocated memory for authorization-dn-attributes
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Oakley begin quick mode
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, PHASE 1 COMPLETED
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, Keep-alive type for this connection: DPD
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Starting P1 rekey timer: 850 seconds.
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
IKE got SPI from key engine: SPI = 0x1cd9ec0c
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
oakley constucting quick mode
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing blank hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing IPSec SA payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing IPSec nonce payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing proxy ID
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Transmitting Proxy Id:
  Local subnet:  10.2.2.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.6.6.0  Mask 255.255.255.0 Protocol 0  Port 0
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing qm hash payload
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=75aa2cf6) with payloads: HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + 
ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=75aa2cf6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + 
ID (5) + ID (5) + NONE (0) total length : 164
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing SA payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing nonce payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing ID payload
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
loading all IPSEC SAs
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Generating Quick Mode Key!
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Generating Quick Mode Key!
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, Security negotiation 
complete for LAN-to-LAN Group (172.16.2.5)  Initiator, Inbound SPI = 0x1cd9ec0c, 
Outbound SPI = 0x489fb7ca
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
oakley constructing final quickmode
Jan 01 04:34:50 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=75aa2cf6) with payloads: HDR + HASH (8) + NONE (0) total length : 72
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, IKE got 
a KEY_ADD msg for SA: SPI = 0x489fb7ca
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Pitcher: received KEY_UPDATE, spi 0x1cd9ec0c
Jan 01 04:34:50 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Starting P2 rekey timer: 24480 seconds.
Jan 01 04:34:50 [IKEv1]: Group = 172.16.2.5, IP = 172.16.2.5, PHASE 2 COMPLETED 
(msgid=75aa2cf6)
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Sending keep-alive of type DPD R-U-THERE (seq number 0x52fec0b7)
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing blank hash payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing qm hash payload
Jan 01 04:35:05 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=e3dd9a55) with payloads: HDR + HASH (8) + NOTIFY (11) 
+ NONE (0) total length : 80
Jan 01 04:35:05 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED 
Message (msgid=1f40840c) with payloads : HDR + HASH (8) + NOTIFY (11) + 
NONE (0) total length : 80
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing notify payload
Jan 01 04:35:05 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Received keep-alive of type DPD
R-U-THERE-ACK (seq number 0x52fec0b7)
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Sending keep-alive of type DPD R-U-THERE (seq number 0x52fec0b8)
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing blank hash payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
constructing qm hash payload
Jan 01 04:35:15 [IKEv1]: IP = 172.16.2.5, IKE_DECODE SENDING Message 
(msgid=928bbc7f) with payloads: HDR + HASH (8) + NOTIFY (11) + NONE (0) 
total length : 80
Jan 01 04:35:15 [IKEv1]: IP = 172.16.2.5, IKE_DECODE RECEIVED Message 
(msgid=b4745eeb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) 
total length : 80
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing hash payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
processing notify payload
Jan 01 04:35:15 [IKEv1 DEBUG]: Group = 172.16.2.5, IP = 172.16.2.5, 
Received keep-alive of type DPD
R-U-THERE-ACK (seq number 0x52fec0b8)

debug crypto ipsec—Displays debug information about IPsec connections.

debug crypto ipsec
pix1#debug crypto ipsec 7

IPSEC: New embryonic SA created @ 0x01AEAB40,
    SCB: 0x028CF0C8,
    Direction: inbound
    SPI      : 0xEFFE8E91
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x028F27E0,
    SCB: 0x02842188,
    Direction: outbound
    SPI      : 0xEB62E7B0
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xEB62E7B0
IPSEC: Updating outbound VPN context 0x00076B84, SPI 0xEB62E7B0
    Flags: 0x00000005
    SA   : 0x028F27E0
    SPI  : 0xEB62E7B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x02842188
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0xEB62E7B0
    VPN handle: 0x00076B84
IPSEC: Completed outbound inner rule, SPI 0xEB62E7B0
    Rule ID: 0x026AAAF0
IPSEC: New outbound permit rule, SPI 0xEB62E7B0

!--- Tunnel endpoints

    Src addr: 172.16.1.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.2.5
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEB62E7B0
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xEB62E7B0
    Rule ID: 0x028A45F8
IPSEC: Completed host IBSA update, SPI 0xEFFE8E91
IPSEC: Creating inbound VPN context, SPI 0xEFFE8E91
    Flags: 0x00000006
    SA   : 0x01AEAB40
    SPI  : 0xEFFE8E91
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x00076B84
    SCB  : 0x028CF0C8
    Channel: 0x01693DE8
IPSEC: Completed inbound VPN context, SPI 0xEFFE8E91
    VPN handle: 0x0007801C
IPSEC: Updating outbound VPN context 0x00076B84, SPI 0xEB62E7B0
    Flags: 0x00000005
    SA   : 0x028F27E0
    SPI  : 0xEB62E7B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0007801C
    SCB  : 0x02842188
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0xEB62E7B0
    VPN handle: 0x00076B84
IPSEC: Completed outbound inner rule, SPI 0xEB62E7B0
    Rule ID: 0x026AAAF0
IPSEC: Completed outbound outer SPD rule, SPI 0xEB62E7B0
    Rule ID: 0x028A45F8
IPSEC: New inbound tunnel flow rule, SPI 0xEFFE8E91

!--- IPsec session by inside interface

    Src addr: 10.6.6.0
    Src mask: 255.255.255.0
    Dst addr: 10.2.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xEFFE8E91
    Rule ID: 0x01A88838
IPSEC: New inbound decrypt rule, SPI 0xEFFE8E91
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEFFE8E91
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xEFFE8E91
    Rule ID: 0x028F2710
IPSEC: New inbound permit rule, SPI 0xEFFE8E91
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xEFFE8E91
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xEFFE8E91
    Rule ID: 0x028F3F70
IPSEC: New embryonic SA created @ 0x01AFA2E8,
    SCB: 0x028F4318,
    Direction: inbound
    SPI      : 0x9E53EEA4
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x0281FEA8,
    SCB: 0x01AFA6C0,
    Direction: outbound
    SPI      : 0x430107DD
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x430107DD
IPSEC: Updating outbound VPN context 0x0007DB1C, SPI 0x430107DD
    Flags: 0x00000005
    SA   : 0x0281FEA8
    SPI  : 0x430107DD
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x01AFA6C0
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0x430107DD
    VPN handle: 0x0007DB1C
IPSEC: Completed outbound inner rule, SPI 0x430107DD
    Rule ID: 0x028FA880
IPSEC: New outbound permit rule, SPI 0x430107DD
    Src addr: 172.16.1.2
    Src mask: 255.255.255.255
    Dst addr: 172.16.2.5
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x430107DD
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x430107DD
    Rule ID: 0x028055B0
IPSEC: Completed host IBSA update, SPI 0x9E53EEA4
IPSEC: Creating inbound VPN context, SPI 0x9E53EEA4
    Flags: 0x00000006
    SA   : 0x01AFA2E8
    SPI  : 0x9E53EEA4
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0007DB1C
    SCB  : 0x028F4318
    Channel: 0x01693DE8
IPSEC: Completed inbound VPN context, SPI 0x9E53EEA4
    VPN handle: 0x000813D4
IPSEC: Updating outbound VPN context 0x0007DB1C, SPI 0x430107DD
    Flags: 0x00000005
    SA   : 0x0281FEA8
    SPI  : 0x430107DD
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x000813D4
    SCB  : 0x01AFA6C0
    Channel: 0x01693DE8
IPSEC: Completed outbound VPN context, SPI 0x430107DD
    VPN handle: 0x0007DB1C
IPSEC: Completed outbound inner rule, SPI 0x430107DD
    Rule ID: 0x028FA880
IPSEC: Completed outbound outer SPD rule, SPI 0x430107DD
    Rule ID: 0x028055B0
IPSEC: New inbound tunnel flow rule, SPI 0x9E53EEA4

!--- IPsec session by DMZ interface

    Src addr: 10.6.6.0
    Src mask: 255.255.255.0
    Dst addr: 10.3.3.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x9E53EEA4
    Rule ID: 0x02850040
IPSEC: New inbound decrypt rule, SPI 0x9E53EEA4
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9E53EEA4
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x9E53EEA4
    Rule ID: 0x0284ACF8
IPSEC: New inbound permit rule, SPI 0x9E53EEA4
    Src addr: 172.16.2.5
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.2
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x9E53EEA4
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x9E53EEA4
    Rule ID: 0x0281FDA8

Clear Security Associations (SAs)

clear crypto ipsec sa peer 10.6.6.6—Deletes all IPsec SAs to a peer as identified by the specified hostname or IP address.

clear isakmp sa—Removes all of the IKE runtime SA databases.

Related Information

Updated: Oct 16, 2008
Document ID: 69385