Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Software Releases 12.2 T

IPSec VPN Accounting

Downloads

Table Of Contents

IPSec VPN Accounting

Contents

Prerequisites for IPSec VPN Accounting

Information About IPSec VPN Accounting

RADIUS Accounting

RADIUS Start Accounting

RADIUS Stop Accounting

RADIUS Update Accounting

IKE and IPSec Subsystem Interaction

Accounting Start

Accounting Stop

Accounting Updates

How to Configure IPSec VPN Accounting

Configuring IPSec VPN Accounting

Prerequisites

Configuring Accounting Updates

Prerequisites

Troubleshooting for IPSec VPN Accounting

Configuration Examples for IPSec VPN Accounting

Accounting and ISAKMP-Profile Example

Accounting Without ISAKMP Profiles Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

client authentication list

client configuration address

crypto isakmp profile

crypto map (global IPSec)

debug crypto isakmp

isakmp authorization list

match identity

set isakmp-profile

vrf

Glossary


IPSec VPN Accounting

The IPSec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.

A VPN session is defined as an Internet Key Exchange (IKE) security association (SA) and the one or more SA pairs that are created by the IKE SA. The session starts when the first IP Security (IPSec) pair is created and stops when all IPSec SAs are deleted.

Session identifying information and session usage information is passed to the Remote Authentication Dial-In User Service (RADIUS) server via standard RADIUS attributes and vendor-specific attributes (VSAs).

Feature Specifications for IPSec VPN Accounting

Feature History
 
Release
Modification

12.2(15)T

This feature was introduced.

Supported Platforms

Cisco 2610-2613, Cisco 2620-Cisco 2621, Cisco 2650-Cisco 2651, Cisco 3620, Cisco 3640, Cisco 3660, Cisco 3725, Cisco 3745, Cisco 7100, Cisco 7200, Cisco 7400, Cisco ubr7100, Cisco ubr7200.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for IPSec VPN Accounting

Information About IPSec VPN Accounting

How to Configure IPSec VPN Accounting

Configuration Examples for IPSec VPN Accounting

Additional References

Command Reference

Glossary

Prerequisites for IPSec VPN Accounting

You need to understand how to configure RADIUS and authentication, authorization, and accounting (AAA) accounting. For information about configuring RADIUS and AAA, refer to the following documents:

Configuring Basic AAA RADIUS for Dial-In Clients

How Does RADIUS Work?

The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide

The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference, Release 12.2

The chapter "Configuring Accounting" in the Cisco IOS Security Configuration Guide, Release 12.2

You also need to know how to configure IPSec accounting. For information about configuring IPSec accounting, refer to the chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2.

Information About IPSec VPN Accounting

To configure IPSec VPN accounting, you must understand the following concepts:

RADIUS Accounting

IKE and IPSec Subsystem Interaction

RADIUS Accounting

For many large networks, it is required that user activity be recorded for auditing purposes. The method that is used most is RADIUS accounting.

RADIUS accounting allows for a session to be accounted for by indicating when the session starts and when it stops. Additionally, session identifying information and session usage information will be passed to the RADIUS server via RADIUS attributes and VSAs.

RADIUS Start Accounting

The RADIUS Start packet contains many attributes that generally identify who is requesting the service and of what the property of that service consists. Table 1 represents the attributes required for the start.

Table 1 RADIUS Accounting Start Packet Attributes 

RADIUS Attributes
Value
Attribute
Description

1

user-name

Username used in extended authentication (XAUTH).The username may be NULL when XAUTH is not used.

4

nas-ip-address

Identifying IP address of the network access server (NAS) that serves the user. It should be unique to the NAS within the scope of the RADIUS server.

5

nas-port

Physical port number of the NAS that serves the user.

8

framed-ip-address

Private address allocated for the IP Security (IPSec) session.

40

acct-status-type

Status type. This attribute indicates whether this accounting request marks the beginning (start), the end (stop), or an update of the session.

41

acct-delay-time

Number of seconds the client has been trying to send a particular record.

44

acct-session-id

Unique accounting identifier that makes it easy to match start and stop records in a log file.

26

vrf-id

String that represents the name of the Virtual Route Forwarder (VRF).

26

isakmp-initiator-ip

Endpoint IP address of the remote Internet Key Exchange (IKE) initiator (V4).

26

isakmp-group-id

Name of the VPN group profile used for accounting.

26

isakmp-phase1-id

Phase 1 identification (ID) used by IKE (for example, domain name [DN], fully qualified domain name [FQDN], IP address) to help identify the session initiator.


RADIUS Stop Accounting

The RADIUS Stop packet contains many attributes that identify the usage of the session. Table 2 represents the additional attributes required for the RADIUS stop packet. It is possible that only the stop packet will be sent without the start if configured to do so. If only the stop packet is sent, this allows an easy way to reduce the number of records going to the AAA server.

Table 2 RADIUS Accounting Stop Packet Attributes 

RADIUS Attributes
Value
Attribute
Description

42

acct-input-octets

Number of octets that have been received from the Unity client over the course of the service that is being provided.

43

acct-output-octets

Number of octets that have been sent to the Unity client in the course of delivering this service.

46

acct-session-time

Length of time (in seconds) that the Unity client has received service.

47

acct-input-packets

Quantity of packets that have been received from the Unity client in the course of delivering this service.

48

acct-output-packets

Quantity of packets that have been sent to the Unity client in the course of delivering this service.

49

acct-terminate-cause

For future use.

52

acct-input-gigawords

How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service.

52

acct-output-gigawords

How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service.


RADIUS Update Accounting

RADIUS accounting updates are supported. Packet and octet counts are shown in the updates. To learn more about AAA, refer to the following documents:

Configuring Basic AAA RADIUS for Dial-In Clients

The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference, Release 12.2 T

How to Assign Privilege Levels with TACACS+ and RADIUS

Other AAA documentation at the Cisco.com website

IKE and IPSec Subsystem Interaction

Accounting Start

If IPSec accounting is configured, after IKE phases are complete, an accounting start record is generated for the session. New accounting records are not generated during a rekeying.

The following is an account start record that was generated on a router and that is to be sent to the AAA server that is defined: 

*Aug 23 04:06:20.131: RADIUS(00000002): sending

*Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 4, len 
220

*Aug 23 04:06:20.131: RADIUS:  authenticator 38 F5 EB 46 4D BE 4A 6F - 45 EB EF 7D B7 19 
FB 3F

*Aug 23 04:06:20.135: RADIUS:  Acct-Session-Id     [44]  10  "00000001"

*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  31  

*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   25  "isakmp-group-id=cclient"

*Aug 23 04:06:20.135: RADIUS:  Framed-IP-Address   [8]   6   10.13.13.1                

*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  20  

*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"

*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  35  

*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=11.1.2.2"

*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  36  

*Aug 23 04:06:20.135: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No 
Progress"

*Aug 23 04:06:20.135: RADIUS:  User-Name           [1]   13  "joe@cclient"

*Aug 23 04:06:20.135: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]

*Aug 23 04:06:20.135: RADIUS:  Vendor, Cisco       [26]  25  

*Aug 23 04:06:20.135: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"

*Aug 23 04:06:20.135: RADIUS:  NAS-Port            [5]   6   0                         

*Aug 23 04:06:20.135: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.147               

*Aug 23 04:06:20.135: RADIUS:  Acct-Delay-Time     [41]  6   0                         

*Aug 23 04:06:20.139: RADIUS: Received from id 21645/4 10.1.1.4:1646, Accounting-response, 
len 20

*Aug 23 04:06:20.139: RADIUS:  authenticator B7 E3 D0 F5 61 9A 89 D8 - 99 A6 8A 8A 98 79 
9D 5D

Accounting Stop

An accounting stop packet is generated when there are no more flows (IPSec SA pairs) with the remote peer.

The accounting stop records contain the following information:

Packets out

Packets in

Octets out

Gigawords in

Gigawords out

Below is an account start record that was generated on a router. The account start record is to be sent to the AAA server that is defined. 

*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0

*Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147

*Aug 23 04:20:16.519: RADIUS(00000003): sending

*Aug 23 04:20:16.519: RADIUS(00000003): Send Accounting-Request to 100.1.1.4:1646 id 19, 
len 238

*Aug 23 04:20:16.519: RADIUS:  authenticator 82 65 5B 42 F0 3F 17 C3 - 23 F3 4C 35 A2 8A 
3E E6

*Aug 23 04:20:16.519: RADIUS:  Acct-Session-Id     [44]  10  "00000002"

*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  20  

*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"

*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  35  

*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=11.1.1.2"

*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  36  

*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No 
Progress"

*Aug 23 04:20:16.519: RADIUS:  Acct-Session-Time   [46]  6   709                       

*Aug 23 04:20:16.519: RADIUS:  Acct-Input-Octets   [42]  6   152608                    

*Aug 23 04:20:16.519: RADIUS:  Acct-Output-Octets  [43]  6   152608                    

*Aug 23 04:20:16.519: RADIUS:  Acct-Input-Packets  [47]  6   1004                      

*Aug 23 04:20:16.519: RADIUS:  Acct-Output-Packets [48]  6   1004  

*Apr 23 04:20:16.519: RADIUS:  Acct-Input-Giga-Word[52]  6   0                         

*Apr 23 04:20:16.519: RADIUS:  Acct-Output-Giga-Wor[53]  6   0                                             

*Aug 23 04:20:16.519: RADIUS:  Acct-Terminate-Cause[49]  6   none                      [0]

*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  32  

*Aug 23 04:20:16.519: RADIUS:   Cisco AVpair       [1]   26  "disc-cause-ext=No Reason"

*Aug 23 04:20:16.519: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]

*Aug 23 04:20:16.519: RADIUS:  Vendor, Cisco       [26]  25  

*Aug 23 04:20:16.519: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"

*Aug 23 04:20:16.519: RADIUS:  NAS-Port            [5]   6   0                         

*Aug 23 04:20:16.519: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.147               

*Aug 23 04:20:16.519: RADIUS:  Acct-Delay-Time     [41]  6   0                         

*Aug 23 04:20:16.523: RADIUS: Received from id 21645/19 100.1.1.4:1646, 
Accounting-response, len 20

*Aug 23 04:20:16.523: RADIUS:  authenticator F1 CA C1 28 CE A0 26 C9 - 3E 22 C9 DA EA B8 
22 A0

Accounting Updates

If accounting updates are enabled, accounting updates are sent while a session is "up." The update interval is configurable. To enable the accounting updates, use the aaa accounting update command.

The following is an accounting update record that is being sent from the router: 

Router#

*Aug 23 21:46:05.263: RADIUS(00000004): Using existing nas_port 0

*Aug 23 21:46:05.263: RADIUS(00000004): Config NAS IP: 100.1.1.147

*Aug 23 21:46:05.263: RADIUS(00000004): sending

*Aug 23 21:46:05.263: RADIUS(00000004): Send Accounting-Request to 100.1.1.4:1646 id 22, 
len 200

*Aug 23 21:46:05.263: RADIUS:  authenticator 30 FA 48 86 8E 43 8E 4B - F9 09 71 04 4A F1 
52 25

*Aug 23 21:46:05.263: RADIUS:  Acct-Session-Id     [44]  10  "00000003"

*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  20  

*Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   14  "vrf-id=cisco"

*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  35  

*Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   29  "isakmp-initator-ip=11.1.1.2"

*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  36  

*Aug 23 21:46:05.263: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No 
Progress"

*Aug 23 21:46:05.263: RADIUS:  Acct-Session-Time   [46]  6   109                       

*Aug 23 21:46:05.263: RADIUS:  Acct-Input-Octets   [42]  6   608                       

*Aug 23 21:46:05.263: RADIUS:  Acct-Output-Octets  [43]  6   608                       

*Aug 23 21:46:05.263: RADIUS:  Acct-Input-Packets  [47]  6   4                         

*Aug 23 21:46:05.263: RADIUS:  Acct-Output-Packets [48]  6   4                         

*Aug 23 21:46:05.263: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]

*Aug 23 21:46:05.263: RADIUS:  Vendor, Cisco       [26]  25  

*Aug 23 21:46:05.263: RADIUS:   cisco-nas-port     [2]   19  "FastEthernet0/0.1"

*Aug 23 21:46:05.263: RADIUS:  NAS-Port            [5]   6   0                         

*Aug 23 21:46:05.263: RADIUS:  NAS-IP-Address      [4]   6   100.1.1.147               

*Aug 23 21:46:05.263: RADIUS:  Acct-Delay-Time     [41]  6   0                         

*Aug 23 21:46:05.267: RADIUS: Received from id 21645/22 100.1.1.4:1646, 
Accounting-response, len 20

*Aug 23 21:46:05.267: RADIUS:  authenticator 51 6B BB 27 A4 F5 D7 61 - A7 03 73 D3 0A AC 
1C

How to Configure IPSec VPN Accounting

This section contains the following procedures:

Configuring IPSec VPN Accounting

Configuring Accounting Updates

Troubleshooting for IPSec VPN Accounting

Configuring IPSec VPN Accounting

To enable IPSec VPN Accounting, you need to perform the following required task:

Prerequisites

Before configuring IPSec VPN accounting, you must first configure IPSec. To learn about configuring IPSec, refer to the following documents:

The chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2

Other IPSec documentation at the Cisco.com website

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa authentication login list-name method

5. aaa authorization network list-name method

6. aaa accounting network list-name start-stop [broadcast] group group-name

7. aaa session-id common

8. crypto isakmp profile profile-name

9. vrf ivrf

10. match identity group group-name

11. client authentication list list-name

12. isakmp authorization list list-name

13. client configuration address [initiate | respond]

14. accounting list-name

15. exit

16. crypto dynamic-map dynamic-map-name dynamic-seq-num

17. set transform-set transform-set-name

18. set isakmp-profile profile-name

19. reverse-route [remote-peer]

20. exit

21. crypto map map-name ipsec-isakmp dynamic dynamic-template-name

22. radius-server host ip-address [auth-port port-number] [acct-port port-number]

23. radius-server key string

24. radius-server vsa send accounting

25. interface interface-id

26. crypto map map-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3  

aaa new-model
Example:

Router (config)# aaa new-model

Enables periodic interim accounting records to be sent to the accounting server.

Step 4  

aaa authentication login list-name method
Example:

Router (config)# aaa authentication login cisco-client group radius

Enforces authentication, authorization, and accounting (AAA) authentication for extended authorization (XAUTH) via RADIUS or local.

Step 5  

aaa authorization network list-name method
Example:

Router (config)# aaa authorization network cisco-client group radius

Sets AAA authorization parameters on the remote client from RADIUS or local.

Step 6  

aaa accounting network list-name start-stop 
[broadcast] group group-name
Example: 
Router (config)# aaa accounting network acc 
start-stop broadcast group radius

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.

Step 7  

aaa session-id common
Example:

Router (config)# aaa session-id common

Specifies whether the same session ID will be used for each AAA accounting service type within a call or whether a different session ID will be assigned to each accounting service type.

Step 8  

crypto isakmp profile profile-name
Example:

Route (config)# crypto isakmp profile cisco

Audits IP security (IPSec) user sessions and enters isakmp-profile submode.

Step 9  

vrf ivrf
Example:

Router (conf-isa-prof)# vrf cisco

Associates the on-demand address pool with a Virtual Private Network (VPN) routing and forwarding (VRF) instance name.

Step 10  

match identity group group-name
Example:

Router(conf-isa-prof)# match identity group cisco

Matches an identity from a peer in an ISAKMP profile.

Step 11  

client authentication list list-name
Example:

Router(conf-isa-prof)# client authentication list cisco

Configures Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile.

Step 12  

isakmp authorization list list-name
Example:

Router(conf-isa-prof)# isakmp authorization list cisco-client

Configures an IKE shared secret and other parameters using the AAA server in an ISAKMP profile. The shared secret and other parameters are generally pushed to the remote peer via mode configuration (MODECFG).

Step 13  

client configuration address [initiate | 
respond]
Example:

Router(conf-isa-prof)# client configuration address respond

Configures IKE mode configuration (MODECFG) in the ISAKMP profile.

Step 14  

accounting list-name
Example:

Router(conf-isa-prof)# accounting acc

Enables AAA accounting services for all peers that connect via this ISAKMP profile.

Step 15  

exit
Example: 
Router(conf-isa-prof)# exit

Exits isakmp-profile submode.

Step 16  

crypto dynamic-map dynamic-map-name 
dynamic-seq-num
Example:

Router(config)# crypto dynamic-map mymap 10 ipsec-isakmp

Creates a dynamic crypto map template and enters the crypto map configuration command mode.

Step 17  

set transform-set transform-set-name
Example:

Router(config-crypto-map)# set transform-set aswan

Specifies which transform sets can be used with the crypto map template.

Step 18  

set isakmp-profile profile-name
Example:

Router(config-crypto-map)# set isakmp-profile cisco

Sets the ISAKMP profile name.

Step 19  

reverse-route [remote-peer]
Example:

Router(config-crypto-map)# reverse-route

Allows routes (ip addresses) to be injected for destinations behind the VPN remote tunnel endpoint and may include a route to the tunnel endpoint itself (using the remote-peer keyword for the crypto map.

Step 20 

exit

Example:

Router(config-crypto-map)# exit

Exits dynamic crypto map configuration mode.

Step 21 

crypto map map-name ipsec-isakmp dynamic dynamic-template-name

Example:

Router(config)# crypto map mymap ipsec-isakmp dynamic dmap

Enters crypto map configuration mode

Step 22  

radius-server host ip-address [auth-port 
port-number] [acct-port port-number]
Example:

Router(config)# radius-server host 172.16.1.4

Specifies a RADIUS server host.

Step 23  

radius-server key string
Example:

Router(config)# radius-server key nsite

Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

Step 24  

radius-server vsa send accounting
Example: 
Router(config)# radius-server vsa send 
accounting

Configures the network access server to recognize and use vendor-specific attributes.

Step 25  

interface type slot/port
Example: 
Router(config)# interface FastEthernet 1/0

Configures an interface type and enters interface configuration mode.

Step 26  

crypto map map-name
Example: 
Router(config-if)# crypto map mymap

Applies a previously defined crypto map set to an interface.

Configuring Accounting Updates

To send accounting updates while a session is "up," perform the following optional task:

Prerequisites

Before you configure accounting updates, you must first configure IPSec VPN accounting. See the section "Configuring IPSec VPN Accounting."

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa accounting update periodic number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa accounting update periodic number

Example:

Router (config)# aaa accounting update periodic 1-2147483647

(Optional) Enables periodic interim accounting records to be sent to the accounting server.

Troubleshooting for IPSec VPN Accounting

To display messages about IPSec accounting events, perform the following optional task:

SUMMARY STEPS

1. enable

2. debug crypto isakmp aaa

DETAILED STEPS

 
Command or Action
Purpose

Step 1  

enable
Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2  

debug crypto isakmp aaa
Example:

Router# debug crypto isakmp aaa

Displays messages about Internet Key Exchange (IKE) events.

The aaa keyword specifies accounting events.

Configuration Examples for IPSec VPN Accounting

Accounting and ISAKMP-Profile Example

Accounting Without ISAKMP Profiles Example

Accounting and ISAKMP-Profile Example

The following example shows a configuration for supporting remote access clients with accounting and ISAKMP profiles: 

version 12.2 

service timestamps debug datetime msec 

service timestamps log datetime msec 

no service password-encryption 

! 

hostname sheep 

! 

aaa new-model 

! 

! 

aaa accounting network ipsecaaa start-stop group radius 

aaa accounting update periodic 1 

aaa session-id common 

ip subnet-zero 

ip cef 

! 

! 

no ip domain lookup 

ip domain name cisco.com 

ip name-server 172.29.2.133 

ip name-server 172.29.11.48 

! 

! 

crypto isakmp policy 1 

authentication pre-share 

group 2 

! 

crypto isakmp policy 10 

hash md5 

authentication pre-share 

lifetime 200 

crypto isakmp key cisco address 172.31.100.2 


crypto iakmp client configuration group cclient

 key jegjegjhrg

 pool addressA

crypto-isakmp profile groupA

 vrf cisco 

 match identity group cclient 

 client authentication list cisco-client 

 isakmp authorization list cisco-client 

 client configuration address respond 

 accounting acc 

! 

! 

crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac 

!

crypto dynamic-map remotes 1

set peer 172.31.100.2 

set security-association lifetime seconds 120 

set transform-set esp-des-md5 

reverse-route


! 

crypto map test 10 ipsec-isakmp dynamic remotes

! 

voice call carrier capacity active 

! 

interface Loopback0 

ip address 10.20.20.20 255.255.255.0 

no ip route-cache 

no ip mroute-cache 

! 

interface FastEthernet0/0 

ip address 10.2.80.203 255.255.255.0 

no ip mroute-cache 

load-interval 30 

duplex full 

! 

interface FastEthernet1/0 

ip address 192.168.219.2 255.255.255.0 

no ip mroute-cache 

duplex auto 

speed auto 

! 

interface FastEthernet1/1 

ip address 172.28.100.1 255.255.255.0 

no ip mroute-cache 

duplex auto 

speed auto 

crypto map test 

! 

no fair-queue 

ip default-gateway 10.2.80.1 

ip classless 

ip route 10.0.0.0 0.0.0.0 10.2.80.1 

ip route 10.20.0.0 255.0.0.0 10.2.80.56 

ip route 10.10.10.0 255.255.255.0 172.31.100.2 

ip route 10.0.0.2 255.255.255.255 10.2.80.73 


ip local pool addressA 192.168.1.1 192.168.1.253

no ip http server 

ip pim bidir-enable 

! 

! 

ip access-list extended encrypt 

permit ip host 10.0.0.1 host 10.5.0.1 

! 

access-list 101 permit ip host 10.20.20.20 host 10.10.10.10 

! 

! 

radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123 

radius-server retransmit 3 

radius-server authorization permit missing Service-Type 

radius-server vsa send accounting 

call rsvp-sync 

! 

! 

mgcp profile default 

! 

dial-peer cor custom 

! 

! 

gatekeeper 

shutdown 

! 

! 

line con 0 

exec-timeout 0 0 

exec prompt timestamp 

line aux 0 

line vty 5 15 

 ntp server 172.31.150.52 

end

Accounting Without ISAKMP Profiles Example

The following example shows a full Cisco IOS configuration that supports accounting remote access peers when ISAKMP profiles are not used: 

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname sheep

!

aaa new-model

!

!

aaa accounting network ipsecaaa start-stop group radius

aaa accounting update periodic 1

aaa session-id common

ip subnet-zero

ip cef

!

!

no ip domain lookup

ip domain name cisco.com

ip name-server 172.29.2.133

ip name-server 172.29.11.48

!

!

crypto isakmp policy 1

 authentication pre-share

 group 2

!

crypto isakmp policy 10

 hash md5

 authentication pre-share

 lifetime 200

crypto isakmp key cisco address 172.31.100.2

!

!

crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac 

!

crypto map test client accounting list ipsecaaa

crypto map test 10 ipsec-isakmp 

 set peer 172.31.100.2

 set security-association lifetime seconds 120

 set transform-set esp-des-md5 

 match address 101

!

voice call carrier capacity active

!

interface Loopback0

 ip address 10.20.20.20 255.255.255.0

 no ip route-cache

 no ip mroute-cache

!

interface FastEthernet0/0

 ip address 10.2.80.203 255.255.255.0

 no ip mroute-cache

 load-interval 30

 duplex full

!

interface FastEthernet1/0

 ip address 192.168.219.2 255.255.255.0

 no ip mroute-cache

 duplex auto

 speed auto

!

interface FastEthernet1/1

 ip address 172.28.100.1 255.255.255.0

 no ip mroute-cache

 duplex auto

 speed auto

 crypto map test

!

no fair-queue

ip default-gateway 10.2.80.1

ip classless

ip route 10.0.0.0 0.0.0.0 10.2.80.1

ip route 10.30.0.0 255.0.0.0 10.2.80.56

ip route 10.10.10.0 255.255.255.0 172.31.100.2

ip route 10.0.0.2 255.255.255.255 10.2.80.73

no ip http server

ip pim bidir-enable

!

!

ip access-list extended encrypt

 permit ip host 10.0.0.1 host 10.5.0.1

!

access-list 101 permit ip host 10.20.20.20 host 10.10.10.10

!

!

radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123

radius-server retransmit 3

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom

!

!

gatekeeper

 shutdown

!

!

line con 0

 exec-timeout 0 0

 exec prompt timestamp

line aux 0

line vty 5 15

!

exception core-file ioscrypto/core/sheep-core

exception dump 172.25.1.129

ntp clock-period 17208229

ntp server 172.71.150.52

!

end

Additional References

For additional information related to IPSec VPN accounting, refer to the following references:

Related Documents

Related Topic
Document Title

Configuring AAA accounting

The chapter "Configuring Accounting" in the Cisco IOS Security Configuration Guide, Release 12.2

Configuring IPSec VPN accounting

The chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2

Configuring basic AAA RADIUS

Configuring Basic AAA RADIUS for Dial-In Clients

How Does RADIUS Work?

The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2

The chapter "RADIUS Commands" in the Security Command Reference, Release 12.2 T

Configuring ISAKMP profiles

VRF-Aware IPSec, Cisco IOS Release 12.2(15)T feature module

Privilege levels with TACACS+ and RADIUS

How to Assign Privilege Levels with TACACS+ and RADIUS

IP security, RADIUS, and AAA commands

Cisco IOS Security Command Reference, Release 12.2 T


Standards

Standards
Title

None

 

MIBs

MIBs
MIBs Link

None

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

RFCs
Title

None

 

Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.

New Commands

client authentication list

client configuration address

crypto isakmp profile

isakmp authorization list

match identity

set isakmp-profile

vrf

Modified Commands

crypto map (global IPSec)

debug crypto isakmp

client authentication list

To configure Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in isakmp profile configuration mode. To restore the default behavior, which is that XAUTH is not enabled, use the no form of this command.

client authentication list list-name

no client authentication list list-name

Syntax Description

list-name

Character string used to name the list of authentication methods activated when a user logs in. The list name must match the list name that was defined during the authentication, authorization, and accounting (AAA) configuration.


Defaults

No default behaviors or values

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before configuring XAUTH, you must set up an authentication list using AAA commands.

Examples

The following example shows that user authentication is configured. User authentication is a list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile." 

crypto isakmp profile vpnprofile

 client authentication list xauthlist

Related Commands

Command
Description

aaa authentication login

Sets AAA authentication at login.


client configuration address

To configure Internet Key Exchange (IKE) configuration mode in the Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in isakmp profile configuration mode. To disable IKE configuraton mode, use the no form of this command.

client configuration address {initiate | respond}

no client configuration address {initiate | respond}

Syntax Description

initiate

Router will attempt to set IP addresses for each peer.

respond

Router will accept requests for IP addresses from any requesting peer.


Defaults

IKE configuration is not enabled.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enter the crypto isakmp profile command.

Examples

The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile": 

crypto isakmp profile vpnprofile

 client configuration address initiate

 client configuration address respond

Related Commands

Command
Description