IPsec Usability Enhancements
First Published: July 11, 2008
Last Updated: March 30, 2011
The IPsec Usability Enhancements feature introduces functionality that eases the configuration and monitoring of your IPsec virtual private network (VPN). Benefits of this feature include intelligent defaults for IPsec and Internet Key Exchange (IKE) and the ability to easily verify and troubleshoot IPsec VPNs.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IPsec Usability Enhancements" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for IPsec Usability Enhancements
• Information About IPsec Usability Enhancements
• How to Utilize IPsec Usability Enhancements
• Configuration Examples for IPsec Usability Enhancements
• Feature Information for IPsec Usability Enhancements
Prerequisites for IPsec Usability Enhancements
• You must be familiar with IPsec, IKE, and encryption.
• You must have configured IPsec and enabled IKE on your router.
• You must be running a Cisco IOS k9 crypto image on your router.
Information About IPsec Usability Enhancements
To utilize the IPsec Usability Enhancements feature, you should understand the following concepts:
IPsec Overview
IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF), which provides security for transmission of sensitive information over public networks. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.
IPsec provides secure tunnels between two peers. You may define which packets are considered sensitive and should be sent through these secure tunnels. You may also define the parameters that should be used to protect these sensitive packets by specifying characteristics of the tunnels. When an IPsec peer detects a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
IPsec Operation
An IPsec operation involves five basic steps: identifying interesting traffic, IKE phase-1, IKE phase-2, establishing the tunnel or IPsec session, and finally tearing down the tunnel.
Step 1: Identifying Interesting Traffic
The VPN devices recognize the traffic, or sensitive packets, that is to be protected. Each such packet is then either protected with IPsec, bypassed, or dropped. If IPsec is to be applied, IKE phase-1 is initiated.
Step 2: IKE Phase-1
There are three exchanges between the VPN devices to negotiate an IKE security policy and establish a secure channel.
During the first exchange, the VPN devices negotiate matching IKE transform sets to protect the IKE exchange, which results in an agreed Internet Security Association and Key Management Protocol (ISAKMP) policy. The ISAKMP policy consists of an encryption algorithm, a hash algorithm, an authentication algorithm, a Diffie-Hellman (DH) group, and a lifetime parameter.
There are eight default ISAKMP policies supported. For more information on default ISAKMP policies, see the section "Verifying IKE Phase-1, ISAKMP, Default Policies."
The second exchange consists of a Diffie-Hellman exchange, which establishes a shared secret.
The third exchange authenticates peer identity. After the peers are authenticated, IKE phase-2 begins.
Step 3: IKE Phase-2
The VPN devices negotiate the IPsec security policy used to protect the IPsec data. IPsec transform sets are negotiated.
A transform set is a combination of algorithms and protocols that enact a security policy for network traffic. For more information on default transform sets, see the section "Verifying Default IPsec Transform-Sets." A VPN tunnel is ready to be established.
Step 4: Establishing the Tunnel—IPsec Session
The VPN devices apply security services to IPsec traffic and then transmit the IPsec data. Security associations (SAs) are exchanged between peers. The negotiated security services are applied to the tunnel traffic while the IPsec session is active.
Step 5: Terminating the Tunnel
The tunnel is torn down when an IPsec SA lifetime time-out occurs or if the packet counter is exceeded. The IPsec SA is removed.
How to Utilize IPsec Usability Enhancements
This section contains the following optional procedures:
• Verifying IKE Phase-1, ISAKMP, Default Policies
• Verifying Default IPsec Transform-Sets
• Verifying and Troubleshooting IPsec VPNs
Verifying IKE Phase-1, ISAKMP, Default Policies
When IKE negotiation begins, the peers try to find a common policy, starting with the highest priority policy as specified on the remote peer. The peers negotiate the policy sets until there is a match. If peers have more than one policy set in common, the lowest priority number is used.
There are three groups of IKE phase-1, ISAKMP, policies as defined by policy priority ranges and behavior:
• Default ISAKMP policies, which are automatically enabled.
• User configured ISAKMP policies, which you may configure with the crypto isakmp policy command.
• Easy VPN (EzVPN) ISAKMP policies, which are made available during EzVPN configuration.
This section describes the three groups of ISAKMP policies, how they behave in relationship to one another, how to determine which policies are in use with the appropriate show command, and how to disable the default ISAKMP policies.
Default IKE Phase-1 Policies
There are eight default IKE phase-1, ISAKMP, policies supported (see Table 1) that are enabled automatically. If you have neither manually configured IKE policies with the crypto isakmp policy command nor disabled the default IKE policies with the no crypto isakmp default policy command, the default IKE policies will be used during peer IKE negotiations. You can verify that the default IKE policies are in use by issuing either the show crypto isakmp policy command or the show crypto isakmp default policy command.
The default IKE policies define the following policy set parameters:
• The priority, 65507-65514, where 65507 is the highest priority and 65514 is the lowest priority.
• The authentication method, Rivest, Shamir, and Adleman (RSA) signatures or preshared keys (PSK).
• The encryption method, Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES).
• The hash function, Secure Hash Algorithm (SHA-1) or Message-Digest algorithm 5 (MD5).
• The DH group specification, DH2 or DH5.
  – DH2 specifies the 768-bit DH group.
  – DH5 specifies the 1536-bit DH group.
Table 1 Default IKE Phase-1, ISAKMP, Policies
User Configured IKE Policies
You may configure IKE policies with the crypto isakmp policy command. User configured IKE policies are uniquely identified and configured with a priority number ranging from 1-10000, where 1 is the highest priority and 10000 the lowest priority.
Once you have configured one or more IKE policies with a priority of 1-10000:
• The user configured policies will be used during peer IKE negotiations.
• The default IKE policies will no longer be used during peer IKE negotiations.
• The user configured policies may be displayed by issuing the show crypto isakmp policy command.
EzVPN ISAKMP Policies
If you have configured EzVPN (see Related Documents), the default EzVPN ISAKMP policies in use are uniquely identified with a priority number ranging from 65515-65535, where 65515 is the highest priority and 65535 is the lowest priority.
Once a user has configured EzVPN:
• The default EzVPN ISAKMP policies and the default IKE policies will be used during peer IKE negotiations.
• The EzVPN ISAKMP policies and the default IKE policies will be displayed by issuing the show crypto isakmp policy command.
• Default ISAKMP policies will be displayed by issuing the show crypto isakmp default policy command unless they have been disabled by issuing the no crypto isakmp default policy command.
SUMMARY STEPS
1. enable
2. show crypto isakmp default policy
3. configure terminal
4. no crypto isakmp default policy
DETAILED STEPS
Examples
The following is sample output of the show crypto isakmp default policy command. The default policies are displayed because the default policies have not been disabled.
Router# show crypto isakmp default policy
Default IKE policy
Default protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
The following example disables the default IKE policies and then shows the resulting output of the show crypto isakmp default policy command, which is blank:
Router# configure terminal
Router(config)# no crypto isakmp default policy
Router(config)# exit
Router# show crypto isakmp default policy
Router#
! There is no output since the default IKE policies have been disabled.
The following is an example system log message that is generated whenever the default ISAKMP policies are in use:
%CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
Verifying Default IPsec Transform-Sets
A transform set represents a certain combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
During IPsec SA negotiations with IKE, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and is applied to the protected traffic as part of the IPsec SAs of both peers.
Default Transform Sets
A default transform set will be used by any crypto map or IPsec profile where no other transform set has been configured, provided both of the following are true:
• The default transform sets have not been disabled with the no crypto ipsec default transform-set command.
• The crypto engine in use supports the encryption algorithm.
The two default transform sets each define an Encapsulating Security Payload (ESP) encryption transform type and an ESP authentication transform type as shown in Table 2.
Table 2 Default Transform Sets and Parameters
SUMMARY STEPS
1. enable
2. show crypto ipsec default transform-set
3. configure terminal
4. no crypto ipsec default transform-set
DETAILED STEPS
Examples
The following example displays output from the show crypto ipsec default transform-set command when the default transform sets are enabled, the default setting:
Router# show crypto ipsec default transform-set
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
   will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
   will negotiate = { Transport, },
The following example displays output from the show crypto ipsec default transform-set command when the default transform sets have been disabled with the no crypto ipsec default transform-set command.
Router(config)# no crypto ipsec default transform-set
Router(config)# exit
Router#
Router# show crypto ipsec default transform-set
! There is no output.
Router#
The following is an example system log message that is generated whenever IPsec SAs have negotiated with a default transform set:
%CRYPTO-5-IPSEC_DEFAULT_TRANSFORM: Using Default IPsec transform-set
Verifying and Troubleshooting IPsec VPNs
Perform one of the following optional tasks in this section, depending on whether you want to verify IKE phase-1 or IKE phase-2 tunnels or troubleshoot your IPsec VPN:
• Verifying IKE Phase-1, ISAKMP
• Verifying IKE Phase-2
• Troubleshooting IPsec VPNs
Verifying IKE Phase-1, ISAKMP
To display statistics for ISAKMP tunnels, use the following optional commands.
SUMMARY STEPS
1. show crypto mib isakmp flowmib failure [vrf vrf-name]
2. show crypto mib isakmp flowmib global [vrf vrf-name]
3. show crypto mib isakmp flowmib history [vrf vrf-name]
4. show crypto mib isakmp flowmib peer [index peer-mib-index] [vrf vrf-name]
5. show crypto mib isakmp flowmib tunnel [index tunnel-mib-index] [vrf vrf-name]
DETAILED STEPS
Step 1
show crypto mib isakmp flowmib failure [vrf vrf-name]
For ISAKMP tunnel failures, this command displays event information. The following is sample output for this command:
Router# show crypto mib isakmp flowmib failure
vrf Global
Index: 1
Reason: peer lost
Failure time since reset: 00:07:27
Local type: ID_IPV4_ADDR
Local value: 192.0.2.1
Remote type: ID_IPV4_ADDR
Remote Value: 192.0.2.2
Local Address: 192.0.2.1
Remote Address: 192.0.2.2
Index: 2
Reason: peer lost
Failure time since reset: 00:07:27
Local type: ID_IPV4_ADDR
Local value: 192.0.3.1
Remote type: ID_IPV4_ADDR
Remote Value: 192.0.3.2
Local Address: 192.0.3.1
Remote Address: 192.0.3.2
Index: 3
Reason: peer lost
Failure time since reset: 00:07:32
Local type: ID_IPV4_ADDR
Remote type: ID_IPV4_ADDR
Remote Value: 192.0.2.2
Local Address: 192.0.2.1
Remote Address: 192.0.2.2
Step 2
show crypto mib isakmp flowmib global [vrf vrf-name]
Global ISAKMP tunnel statistics are displayed by issuing this command. The following is sample output for this command:
Router# show crypto mib isakmp flowmib global
vrf Global
Active Tunnels: 3
Previous Tunnels: 0
In octets: 2856
Out octets: 3396
In packets: 16
Out packets: 19
In packets drop: 0
Out packets drop: 0
In notifys: 4
Out notifys: 7
In P2 exchg: 3
Out P2 exchg: 6
In P2 exchg invalids: 0
Out P2 exchg invalids: 0
In P2 exchg rejects: 0
Out P2 exchg rejects: 0
In IPSEC delete: 0
Out IPSEC delete: 0
SAs locally initiated: 3
SAs locally initiated failed: 0
SAs remotely initiated failed: 0
System capacity failures: 0
Authentication failures: 0
Decrypt failures: 0
Hash failures: 0
Invalid SPI: 0
Step 3
show crypto mib isakmp flowmib history [vrf vrf-name]
For information about ISAKMP tunnels that are no longer active, this command displays event information including the reason that the tunnel was terminated. The following is sample output for this command:
Router# show crypto mib isakmp flowmib history
vrf Global
Reason: peer lost
Index: 2
Local type: ID_IPV4_ADDR
Local address: 192.0.2.1
Remote type: ID_IPV4_ADDR
Remote address: 192.0.2.2
Negotiation mode: Main Mode
Diffie Hellman Grp: 2
Encryption algo: des
Hash algo: sha
Auth method: psk
Lifetime: 86400
Active time: 00:06:30
Policy priority: 1
Keepalive enabled: Yes
In octets: 3024
In packets: 22
In drops: 0
In notifys: 18
In P2 exchanges: 1
In P2 exchg invalids: 0
In P2 exchg rejected: 0
In P2 SA delete reqs: 0
Out octets: 4188
Out packets: 33
Out drops: 0
Out notifys: 28
Out P2 exchgs: 2
Out P2 exchg invalids: 0
Out P2 exchg rejects: 0
Out P2 Sa delete requests: 0
Reason: peer lost
Index: 3
Local type: ID_IPV4_ADDR
Local address: 192.0.3.1
Remote type: ID_IPV4_ADDR
Remote address: 192.0.3.2
Negotiation mode: Main Mode
Diffie Hellman Grp: 2
Encryption algo: des
Hash algo: sha
Auth method: psk
Lifetime: 86400
Active time: 00:06:25
Policy priority: 1
Keepalive enabled: Yes
In octets: 3140
In packets: 23
In drops: 0
In notifys: 19
In P2 exchanges: 1
In P2 exchg invalids: 0
In P2 exchg rejected: 0
In P2 SA delete reqs: 0
Out octets: 4304
Out packets: 34
Out drops: 0
Out notifys: 29
Out P2 exchgs: 2
Out P2 exchg invalids: 0
Out P2 exchg rejects: 0
Out P2 Sa delete requests: 0
Step 4
show crypto mib isakmp flowmib peer [index peer-mib-index] [vrf vrf-name]
For active ISAKMP peer associations, this command displays information including indexes, type of connection, and IP addresses. The following is sample output for this command:
Router# show crypto mib isakmp flowmib peer
vrf Global
Index: 1
Local type: ID_IPV4_ADDR
Local address: 192.0.2.1
Remote type: ID_IPV4_ADDR
Remote address: 192.0.2.2
Index: 2
Local type: ID_IPV4_ADDR
Local address: 192.0.3.1
Remote type: ID_IPV4_ADDR
Remote address: 192.0.3.1
Index: 3
Local type: ID_IPV4_ADDR
Local address: 192.0.4.1
Remote type: ID_IPV4_ADDR
Remote address: 192.0.4.1
Step 5
show crypto mib isakmp flowmib tunnel [index tunnel-mib-index] [vrf vrf-name]
For active ISAKMP tunnels, this command displays tunnel statistics. The following is sample output for this command:
Router# show crypto mib isakmp flowmib tunnel
vrf Global
Index: 1
Local type: ID_IPV4_ADDR
Local address: 192.0.2.1
Remote type: ID_IPV4_ADDR
Remote address: 192.0.2.2
Negotiation mode: Main Mode
Diffie Hellman Grp: 2
Encryption algo: des
Hash algo: sha
Auth method: psk
Lifetime: 86400
Active time: 00:03:08
Policy priority: 1
Keepalive enabled: Yes
In octets: 2148
In packets: 15
In drops: 0
In notifys: 11
In P2 exchanges: 1
In P2 exchg invalids: 0
In P2 exchg rejected: 0
In P2 SA delete reqs: 0
Out octets: 2328
Out packets: 16
Out drops: 0
Out notifys: 12
Out P2 exchgs: 2
Out P2 exchg invalids: 0
Out P2 exchg rejects: 0
Out P2 Sa delete requests: 0
Verifying IKE Phase-2
To display statistics for IPsec phase-2 tunnels, use the following optional commands.
SUMMARY STEPS
1. show crypto mib ipsec flowmib endpoint [vrf vrf-name]
2. show crypto mib ipsec flowmib failure [vrf vrf-name]
3. show crypto mib ipsec flowmib global [vrf vrf-name]
4. show crypto mib ipsec flowmib history [vrf vrf-name]
5. show crypto mib ipsec flowmib spi [vrf vrf-name]
6. show crypto mib ipsec flowmib tunnel [index tunnel-mib-index] [vrf vrf-name]
DETAILED STEPS
Step 1
show crypto mib ipsec flowmib endpoint [vrf vrf-name]
Information for each active endpoint, local or remote device, associated with an IPsec phase-2 tunnel is displayed by issuing this command. The following is sample output for this command:
Router# show crypto mib ipsec flowmib endpoint
vrf Global
Index: 1
Local type: Single IP address
Local address: 192.1.2.1
Protocol: 0
Local port: 0
Remote type: Single IP address
Remote address: 192.1.2.2
Remote port: 0
Index: 2
Local type: Subnet
Local address: 192.1.3.0 255.255.255.0
Protocol: 0
Local port: 0
Remote type: Subnet
Remote address: 192.1.3.0 255.255.255.0
Remote port: 0
Step 2
show crypto mib ipsec flowmib failure [vrf vrf-name]
For ISAKMP tunnel failures, this command displays event information. The following is sample output for this command:
Router# show crypto mib ipsec flowmib failure
vrf Global
Index: 1
Reason: Operation request
Failure time since reset: 00:25:18
Src address: 192.1.2.1
Destination address: 192.1.2.2
SPI: 0
Step 3
show crypto mib ipsec flowmib global [vrf vrf-name]
Global IKE phase-2 tunnel statistics are displayed by issuing this command. The following is sample output for this command:
Router# show crypto mib ipsec flowmib global
vrf Global
Active Tunnels: 2
Previous Tunnels: 0
In octets: 800
Out octets: 1408
In packets: 8
Out packets: 8
Uncompressed encrypted bytes: 1408
In packets drops: 0
Out packets drops: 2
In replay drops: 0
In authentications: 8
Out authentications: 8
In decrypts: 8
Out encrypts: 8
Compressed bytes: 0
Uncompressed bytes: 0
In uncompressed bytes: 0
Out uncompressed bytes: 0
In decrypt failures: 0
Out encrypt failures: 0
No SA failures: 0
! Number of SA Failures.
Protocol use failures: 0
System capacity failures: 0
In authentication failures: 0
Out authentication failures: 0
Step 4
show crypto mib ipsec flowmib history [vrf vrf-name]
For information about IKE phase-2 tunnels that are no longer active, this command displays event information including the reason that the tunnel was terminated. The following is sample output for this command:
Router# show crypto mib ipsec flowmib history
vrf Global
Reason: Operation request
Index: 1
Local address: 192.1.2.1
Remote address: 192.1.2.2
IPSEC keying: IKE
Encapsulation mode: 1
Lifetime (KB): 4608000
Lifetime (Sec): 3600
Active time: 00:24:32
Lifetime threshold (KB): 423559168
Lifetime threshold (Sec): 3590000
Total number of refreshes: 0
Expired SA instances: 4
Current SA instances: 4
In SA DH group: 1
In sa encrypt algorithm des
In SA auth algorithm: rsig
In SA ESP auth algo: ESP_HMAC_SHA
In SA uncompress algorithm: None
Out SA DH group: 1
Out SA encryption algorithm: des
Out SA auth algorithm: ESP_HMAC_SHA
Out SA ESP auth algorithm: ESP_HMAC_SHA
Out SA uncompress algorithm: None
In octets: 400
Decompressed octets: 400
In packets: 4
In drops: 0
In replay drops: 0
In authentications: 4
In authentication failures: 0
In decrypts: 4
In decrypt failures: 0
Out octets: 704
Out uncompressed octets: 704
Out packets: 4
Out drops: 1
Out authentications: 4
Out authentication failures: 0
Out encryptions: 4
Out encryption failures: 0
Compressed octets: 0
Decompressed octets: 0
Out uncompressed octets: 704
Step 5
show crypto mib ipsec flowmib spi [vrf vrf-name]
The security parameter index (SPI) table contains an entry for each active and expiring IKE phase-2 security association. The following is sample output for this command, which displays the SPI table:
Router# show crypto mib ipsec flowmib spi
vrf Global
Tunnel Index: 1
SPI Index: 1
SPI Value: 0xCC57D053
SPI Direction: In
SPI Protocol: AH
SPI Status: Active
SPI Index: 2
SPI Value: 0x68612DF
SPI Direction: Out
SPI Protocol: AH
SPI Status: Active
SPI Index: 3
SPI Value: 0x56947526
SPI Direction: In
SPI Protocol: ESP
SPI Status: Active
SPI Index: 4
SPI Value: 0x8D7C2204
SPI Direction: Out
SPI Protocol: ESP
SPI Status: Active
Step 6
show crypto mib ipsec flowmib tunnel [index tunnel-mib-index] [vrf vrf-name]
For active IKE phase-2 tunnels, this command displays tunnel statistics. The following is sample output for this command:
Router# show crypto mib ipsec flowmib tunnel
vrf Global
Index: 1
Local address: 192.0.2.1
Remote address: 192.0.2.2
IPSEC keying: IKE
Encapsulation mode: 1
Lifetime (KB): 4608000
Lifetime (Sec): 3600
Active time: 00:05:46
Lifetime threshold (KB): 64
Lifetime threshold (Sec): 10
Total number of refreshes: 0
Expired SA instances: 0
Current SA instances: 4
In SA DH group: 1
In sa encrypt algorithm: des
In SA auth algorithm: rsig
In SA ESP auth algo: ESP_HMAC_SHA
In SA uncompress algorithm: None
Out SA DH group: 1
Out SA encryption algorithm: des
Out SA auth algorithm: ESP_HMAC_SHA
Out SA ESP auth algorithm: ESP_HMAC_SHA
Out SA uncompress algorithm: None
In octets: 400
Decompressed octets: 400
In packets: 4
In drops: 0
In replay drops: 0
In authentications: 4
In authentication failures: 0
In decrypts: 4
In decrypt failures: 0
Out octets: 704
Out uncompressed octets: 704
Out packets: 4
Out drops: 1
Out authentications: 4
Out authentication failures: 0
Out encryptions: 4
Out encryption failures: 0
Compressed octets: 0
Decompressed octets: 0
Out uncompressed octets: 704
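The failure counters in the two flowmib global outputs (Step 2 of the ISAKMP procedure and Step 3 of this one) are the values worth polling on a schedule. The following Python is an added example, not Cisco code: it parses both outputs, diffs two polls, and reports the watched counters that grew. The sample outputs are constructed in the page's format and trimmed to the lines the check uses; the WATCH table, its reasons, and the function names are my selection.

```python
import re

# Constructed samples in the format of this page's flowmib global outputs,
# trimmed to the lines the check uses, with a few non-zero failure counters.
ISAKMP_GLOBAL = """\
vrf Global
Active Tunnels: 3
Previous Tunnels: 0
In packets: 16
Out packets: 19
SAs locally initiated: 3
SAs locally initiated failed: 0
SAs remotely initiated failed: 2
System capacity failures: 0
Authentication failures: 5
Decrypt failures: 0
Hash failures: 0
Invalid SPI: 1
"""

IPSEC_GLOBAL = """\
vrf Global
Active Tunnels: 2
In packets: 8
Out packets: 8
In packets drops: 0
Out packets drops: 2
In replay drops: 7
In decrypt failures: 0
Out encrypt failures: 0
No SA failures: 0
System capacity failures: 0
In authentication failures: 3
Out authentication failures: 0
"""

# Counters whose growth between two polls is worth an alert (my selection).
WATCH = {
    "isakmp": {
        "Authentication failures": "IKE peer authentication failed (bad PSK, certificate or unknown peer)",
        "Decrypt failures": "IKE payload decryption failed",
        "Hash failures": "IKE hash (integrity) check failed",
        "Invalid SPI": "IKE message referenced an SPI the router does not know",
        "SAs remotely initiated failed": "negotiations started by the remote side failed",
        "System capacity failures": "IKE resources exhausted",
    },
    "ipsec": {
        "In replay drops": "inbound packets rejected by the anti-replay window",
        "In authentication failures": "inbound ESP/AH integrity check failed",
        "In decrypt failures": "inbound ESP decryption failed",
        "No SA failures": "traffic matched crypto policy but no SA existed",
        "System capacity failures": "IPsec resources exhausted",
    },
}

def parse_flowmib_global(text):
    """Return {vrf: {counter name: value}} from flowmib global output."""
    result, vrf = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*vrf (\S+)\s*$", line)
        if m:
            vrf = m.group(1)
            result[vrf] = {}
            continue
        m = re.match(r"\s*([A-Za-z][\w ]*?):\s*(\d+)\s*$", line)
        if m and vrf is not None:
            result[vrf][m.group(1)] = int(m.group(2))
    return result

def counter_deltas(previous, current):
    """Per-VRF change of every counter between two polls (unseen VRFs start at 0)."""
    return {vrf: {k: v - previous.get(vrf, {}).get(k, 0) for k, v in counters.items()}
            for vrf, counters in current.items()}

def alerts(kind, previous_text, current_text):
    """(vrf, counter, increase, reason) for each watched counter that grew since the last poll."""
    deltas = counter_deltas(parse_flowmib_global(previous_text),
                            parse_flowmib_global(current_text))
    found = []
    for vrf, counters in deltas.items():
        for name, reason in WATCH[kind].items():
            if counters.get(name, 0) > 0:
                found.append((vrf, name, counters[name], reason))
    return found

if __name__ == "__main__":
    for kind, text in (("isakmp", ISAKMP_GLOBAL), ("ipsec", IPSEC_GLOBAL)):
        for vrf, name, n, why in alerts(kind, "", text):  # "" means no earlier poll
            print(f"{kind} vrf {vrf}: {name} +{n} ({why})")
```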
Troubleshooting IPsec VPNs
The show tech-support ipsec command simplifies the collection of the IPsec related information if you are troubleshooting a problem.
SUMMARY STEPS
1. show tech-support ipsec [peer ipv4address | vrf vrf-name]
DETAILED STEPS
Step 1
show tech-support ipsec
There are three variations of the show tech-support ipsec command:
• show tech-support ipsec
• show tech-support ipsec peer ipv4address
• show tech-support ipsec vrf vrf-name
For sample output from the show tech-support ipsec command, including the individual show commands listed below for each variation, see the "Related Documents" section.
Output of the show tech-support ipsec Command
If you enter the show tech-support ipsec command without any keywords, the command output displays the following show commands, in order of output:
• show version
• show running-config
• show crypto isakmp sa count
• show crypto ipsec sa count
• show crypto session summary
• show crypto session detail
• show crypto isakmp sa detail
• show crypto ipsec sa detail
• show crypto isakmp peers
• show crypto ruleset detail
• show processes memory | include Crypto IKMP
• show processes cpu | include Crypto IKMP
• show crypto eli
• show crypto engine accelerator statistic
Output of the show tech-support ipsec peer Command
If you enter the show tech-support ipsec command with the peer keyword and the ipv4address argument, the output displays the following show commands, in order of output for the specified peer:
• show version
• show running-config
• show crypto session remote ipv4address detail
• show crypto isakmp sa peer ipv4address detail
• show crypto ipsec sa peer ipv4address detail
• show crypto isakmp peers ipv4address
• show crypto ruleset detail
• show processes memory | include Crypto IKMP
• show processes cpu | include Crypto IKMP
• show crypto eli
• show crypto engine accelerator statistic
Output of the show tech-support ipsec vrf Command
If you enter the show tech-support ipsec command with the vrf keyword and the vrf-name argument, the output displays the following show commands, in order of output for the specified Virtual Routing and Forwarding (VRF):
• show version
• show running-config
• show crypto isakmp sa count vrf vrf-name
• show crypto ipsec sa count vrf vrf-name
• show crypto session ivrf ivrf-name detail
• show crypto session fvrf fvrf-name detail
• show crypto isakmp sa vrf vrf-name detail
• show crypto ipsec sa vrf vrf-name detail
• show crypto ruleset detail
• show processes memory | include Crypto IKMP
• show processes cpu | include Crypto IKMP
• show crypto eli
• show crypto engine accelerator statistic
Configuration Examples for IPsec Usability Enhancements
This section provides the following configuration examples:
• IKE Default Policies: Example
• Default Transform Sets: Example
IKE Default Policies: Example
In the following example, crypto maps are configured on RouterA and RouterB and default IKE policies are in use. Traffic is routed from Pagent A to Pagent B. Checking the system log on Peer A and Peer B confirms that the default IKE policies are in use on both peers (see Figure 1).
Figure 1 Example Site to Site Topology
! Configuring RouterA.
RouterA(config)# crypto isakmp key identity address 209.165.200.226
RouterA(config)# crypto map testmap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
RouterA(config-crypto-map)# set peer 209.165.200.226
RouterA(config-crypto-map)# match address 101
RouterA(config-crypto-map)# exit
RouterA(config)# ip route 209.165.200.225 255.255.255.224 209.165.200.226
RouterA(config)# access-list 101 permit ip host 209.165.200.227 host 209.165.200.225
RouterA(config)# end
RouterA(config)# interface Ethernet1/2
RouterA(config-if)# crypto map testmap
RouterA(config-if)# end
RouterA(config)# crypto ipsec transform test_transf esp-aes esp-sha-hmac
RouterA(cfg-crypto-trans)# mode tunnel
RouterA(cfg-crypto-trans)# end
RouterA(config)# crypto map testmap 10
RouterA(config-crypto-map)# set transform-set test_transf
RouterA(config-crypto-map)# end
! Configuring RouterB.
RouterB(config)# crypto isakmp key identity address 209.165.200.228
RouterB(config)# crypto dynamic-map dyn_testmap 10
RouterB(config-crypto-map)# crypto map testmap 10 ipsec-isakmp dynamic dyn_testmap
RouterB(config)# ip route 209.165.200.227 255.255.255.224 209.165.200.228
RouterB(config)# end
RouterB(config)# interface GigabitEthernet0/1
RouterB(config-if)# crypto map testmap
RouterB(config-if)# end
RouterB(config)# crypto ipsec transform test_transf esp-aes esp-sha-hmac
RouterB(cfg-crypto-trans)# mode tunnel
RouterB(cfg-crypto-trans)# end
RouterB(config)# crypto dynamic-map dyn_testmap 10
RouterB(config-crypto-map)# set transform-set test_transf
RouterB(config-crypto-map)# end
! Routing traffic from PagentA to PagentB.
PagentA(config)# ip route 209.165.200.225 255.255.255.224 209.165.200.229
PagentA(config)# end
! Routing traffic from PagentB to PagentA.
PagentB(config)# ip route 209.165.200.227 255.255.255.224 209.165.200.230
PagentB(config)# end
! Checking the system log on RouterA confirms that the default IKE policies are in use.
RouterA# show log | include %CRYPTO-6-IKMP_POLICY_DEFAULT
*Jun 5 09:17:59.251 PDT: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
! Checking the system log on RouterB confirms that the default IKE policies are in use.
RouterB# show log | include %CRYPTO-6-IKMP_POLICY_DEFAULT
*Jun 5 09:17:59.979 PDT: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
Default Transform Sets: Example
In the following example, static crypto maps are configured on RouterA and dynamic crypto maps are configured on RouterB. Traffic is routed from Pagent A to Pagent B. The IPsec SAs negotiate with default transform sets and the traffic is encrypted. Executing the show crypto map command on both peers verifies that the default transform sets are in use (see Figure 1).
! Configuring RouterA.
RouterA(config)# crypto isakmp key identity address 209.165.200.225
RouterA(config)# crypto map testmap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
RouterA(config-crypto-map)# set peer 209.165.200.225
RouterA(config-crypto-map)# match address 101
RouterA(config-crypto-map)# exit
RouterA(config)# ip route 209.165.200.226 255.255.255.255 209.165.200.225
RouterA(config)# access-list 101 permit ip host 209.165.200.227 host 209.165.200.226
RouterA(config)# end
RouterA(config)# interface Ethernet1/2
RouterA(config-if)# crypto map testmap
RouterA(config-if)# end
RouterA(config)# crypto isakmp policy 10
RouterA(config-isakmp)# encryption aes
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# hash sha
RouterA(config-isakmp)# group 5
RouterA(config-isakmp)# end
! Configuring RouterB.
RouterB(config)# crypto isakmp key identity address 209.165.200.229
RouterB(config)# crypto dynamic-map dyn_testmap 10
RouterB(config-crypto-map)# crypto map testmap 10 ipsec-isakmp dynamic dyn_testmap
RouterB(config)# ip route 209.165.200.227 255.255.255.255 209.165.200.229
RouterB(config)# end
RouterB(config)# interface GigabitEthernet0/1
RouterB(config-if)# crypto map testmap
RouterB(config-if)# end
RouterB(config)# crypto isakmp policy 10
RouterB(config-isakmp)# encryption aes
RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# hash sha
RouterB(config-isakmp)# group 5
RouterB(config-isakmp)# end
! The SA is using the default transform set and traffic is encrypted on RouterA.
RouterA# show crypto isakmp sa detail | include 209.165.200.229.*209.165.200.225.*ACTIVE
13007 209.165.200.229 209.165.200.225 ACTIVE aes sha psk 5 23:59:56
13006 209.165.200.229 209.165.200.225 ACTIVE aes sha psk 5 0
13005 209.165.200.229 209.165.200.225 ACTIVE aes sha psk 5 0
! The SA is using the default transform set and traffic is encrypted on RouterB.
RouterB# show crypto isakmp sa detail | include 209.165.200.225.*209.165.200.229.*ACTIVE
7007 209.165.200.225 209.165.200.229 ACTIVE aes sha psk 5 23:59:55
7006 209.165.200.225 209.165.200.229 ACTIVE aes sha psk 5 0
7005 209.165.200.225 209.165.200.229 ACTIVE aes sha psk 5 0
! Verifying that the default transform sets are in use on RouterA.
RouterA# show crypto map
Crypto Map "testmap" 10 ipsec-isakmp
        Peer = 209.165.200.225
        Extended IP access list 101
            access-list 101 permit ip host 209.165.200.227 host 209.165.200.226
        Current peer: 209.165.200.225
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                #$!default_transform_set_1:  { esp-aes esp-sha-hmac } ,
                #$!default_transform_set_0:  { esp-3des esp-sha-hmac } ,
        }
        Interfaces using crypto map testmap:
                Ethernet1/2
! Verifying that the default transform sets are in use on RouterB.
RouterB# show crypto map
Crypto Map "testmap" 10 ipsec-isakmp
        Dynamic map template tag: dyn_testmap
Crypto Map "testmap" 65536 ipsec-isakmp
        Peer = 209.165.200.229
        Extended IP access list
            access-list permit ip host 209.165.200.226 host 209.165.200.227
        dynamic (created from dynamic map dyn_testmap/10)
        Current peer: 209.165.200.229
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                #$!default_transform_set_1:  { esp-aes esp-sha-hmac } ,
        }
        Interfaces using crypto map testmap:
                GigabitEthernet0/1
Additional References
Related Documents
Related Topic / Document Title
IKE configuration
IPsec configuration
EzVPN server
Cisco IOS security commands
MIBs
MIB / MIBs Link
None.
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:
Technical Assistance
Feature Information for IPsec Usability Enhancements
Table 3 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 3 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Glossary
peer—In the context of this module, a router or other device that participates in IPsec.
SA—security association. Description of how two or more entities use security services in the context of a particular security protocol (AH or ESP) to communicate securely on behalf of a particular data flow. The transform and the shared secret keys are used for protecting the traffic.
transform—List of operations performed on a dataflow to provide data authentication, data confidentiality, and data compression. For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm; another transform is the AH protocol with the 56-bit DES encryption algorithm and the ESP protocol with the HMAC-SHA authentication algorithm.
tunnel—In the context of this module, a secure communication path between two peers, such as two routers. It does not refer to using IPsec in tunnel mode.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2009-2011 Cisco Systems, Inc. All rights reserved.