Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.2SR
SafeNet IPsec VPN Client Support
Download this chapter
SafeNet IPsec VPN Client SupportSafeNet IPsec VPN Client Support
Download the complete book
Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.2SRCisco IOS Security Configuration Guide: Secure Connectivity, Release 12.2SR (PDF - 5 MB)
give_us_feedback

Table Of Contents

SafeNet IPsec VPN Client Support

Contents

Prerequisites for SafeNet IPsec VPN Client Support

Restrictions for SafeNet IPsec VPN Client Support

Information About SafeNet IPsec VPN Client Support

ISAKMP Profile and ISAKMP Keyring Configurations: Background

Local Termination Address or Interface

Benefit of SafeNet IPsec VPN Client Support

How to Configure SafeNet IPsec VPN Client Support

Limiting an ISAKMP Profile to a Local Termination Address or Interface

Limiting a Keyring to a Local Termination Address or Interface

Monitoring and Maintaining SafeNet IPsec VPN Client Support

Examples

Troubleshooting SafeNet IPsec VPN Client Support

Configuration Examples for SafeNet IPsec VPN Client Support

ISAKMP Profile Bound to a Local Interface: Example

ISAKMP Keyring Bound to a Local Interface: Example

ISAKMP Keyring Bound to a Local IP Address: Example

ISAKMP Keyring Bound to an IP Address and Limited to a VRF: Example

Additional References

Related DocumentsStandards

MIBs

RFCs

Technical Assistance

Command Reference


SafeNet IPsec VPN Client Support

The SafeNet IPsec VPN Client Support feature allows you to limit the scope of an Internet Security Association and Key Management Protocol (ISAKMP) profile or ISAKMP keyring configuration to a local termination address or interface. The benefit of this feature is that different customers can use the same peer identities and ISAKMP keys by using different local termination addresses.

History for the SafeNet IPsec VPN Client Support Feature

Release
Modification

12.3(14)T

This feature was introduced.

12.2(18)SXE

This feature was integrated into Cisco IOS Release 12.2(18)SXE.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for SafeNet IPsec VPN Client Support

Restrictions for SafeNet IPsec VPN Client Support

Information About SafeNet IPsec VPN Client Support

How to Configure SafeNet IPsec VPN Client Support

Configuration Examples for SafeNet IPsec VPN Client Support

Additional References

Command Reference

Prerequisites for SafeNet IPsec VPN Client Support

You must understand how to configure ISAKMP profiles and ISAKMP keyrings.

Restrictions for SafeNet IPsec VPN Client Support

The local address option works only for the primary address of an interface.

If an IP address is provided, the administrator has to ensure that the connection of the peer terminates to the address that is provided.

If the IP address does not exist on the device, or if the interface does not have an IP address, the ISAKMP profile or ISAKMP keyring will be effectively disabled.

Information About SafeNet IPsec VPN Client Support

Before configuring SafeNet IPsec VPN Client Support, you should understand the following concepts:

ISAKMP Profile and ISAKMP Keyring Configurations: Background

Local Termination Address or Interface

ISAKMP Profile and ISAKMP Keyring Configurations: Background

Prior to Cisco IOS Release 12.3(14)T, ISAKMP-profile and ISAKMP-keyring configurations could be only global, meaning that the scope of these configurations could not be limited by any locally defined parameters (VRF instances were an exception). For example, if an ISAKMP keyring contained a preshared key for address 10.11.12.13, the same key would be used if the peer had the address 10.11.12.13, irrespective of the interface or local address to which the peer was connected. There are situations, however, in which users prefer that associate keyrings be bound not only with virtual route forwarding (VRF) instances but also to a particular interface. For example, if instead of VRF instances, there are virtual LANS, and the Internet Key Exchange (IKE) is negotiated with a group of peers using one fixed virtual LAN (VLAN) interface. Such a group of peers uses a single preshared key, so if keyrings could be bound to an interface, it would be easy to define a wildcard key without risking that the keys would also be used for other customers.

Sometimes the identities of the peer are not in the control of the administrator, and even if the same peer negotiates for different customers, the local termination address is the only way to distinguish the peer. After such a distinction is made, if the traffic is sent to different VRF instances, configuring an ISAKMP profile is the only way to distinguish the peer. Unfortunately, when the peer uses an identical identity for all such situations, the ISAKMP profile cannot distinguish among the negotiations. For such scenarios, it would be beneficial to bind ISAKMP profiles to a local termination address. If a local termination address could be assigned, identical identities from the peer would not be a problem.

Local Termination Address or Interface

Effective with Cisco IOS Release 12.3(14)T, the SafeNet IPsec VPN Client Support feature allows you to limit the scope of ISAKMP profiles and ISAKMP keyrings to a local termination address or interface.

Benefit of SafeNet IPsec VPN Client Support

The benefit of this feature is that different customers can use the same peer identities and ISAKMP keys by using different local termination addresses.

How to Configure SafeNet IPsec VPN Client Support

This section contains the following procedures. The first two configurations are independent of each other.

Limiting an ISAKMP Profile to a Local Termination Address or Interface (required)

Limiting a Keyring to a Local Termination Address or Interface (required)

Monitoring and Maintaining SafeNet IPsec VPN Client Support (optional)

Examples (optional)

Limiting an ISAKMP Profile to a Local Termination Address or Interface

To configure an ISAKMP profile and limit it to a local termination address or interface, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto isakmp profile profile-name

4. keyring keyring-name

5. match identity address address

6. local-address {interface-name | ip-address [vrf-tag]}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto isakmp profile profile-name

Example:

Router (config)# crypto isakmp profile profile1

Defines an ISAKMP profile and enters ISAKMP profile configuration mode.

Step 4 

keyring keyring-name

Example:

Router (conf-isa-profile)# keyring keyring1

(Optional) Configures a keyring with an ISAKMP profile.

A keyring is not needed inside an ISAKMP profile for local termination to work. Local termination works even if Rivest, Shamir, and Adelman (RSA) certificates are used.

Step 5 

match identity address address

Example:

Router (conf-isa-profile)# match identity address 10.0.0.0 255.0.0.0

Matches an identity from a peer in an ISAKMP profile.

Step 6 

local-address {interface-name | ip-address [vrf-tag]}

Example:

Router (conf-isa-profile)# local-address serial2/0

Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local termination address or interface.

Limiting a Keyring to a Local Termination Address or Interface

To configure an ISAKMP keyring and limit its scope to a local termination address or interface, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto keyring keyring-name

4. local-address {interface-name | ip-address [vrf-tag]}

5. pre-shared-key address address

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto keyring keyring-name

Example:

Router (config)# crypto keyring keyring1

Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode.

Step 4 

local-address {interface-name | ip-address [vrf-tag]}

Example:

Router (conf-keyring)# local-address serial2/0

Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local termination address or interface.

Step 5 

pre-shared-key address address

Example:

Router (conf-keyring)# pre-shared-key address 10.0.0.1

Defines a preshared key to be used for IKE authentication.

Monitoring and Maintaining SafeNet IPsec VPN Client Support

The following debug and show commands may be used to monitor and maintain the configuration in which you limited the scope of an ISAKMP profile or ISAKMP keyring to a local termination address or interface.

SUMMARY STEPS

1. enable

2. debug crypto isakmp

3. show crypto isakmp profile

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug crypto isakmp

Example:

Router# debug crypto isakmp

Displays messages about IKE events.

Step 3 

show crypto isakmp profile

Example:

Router# show crypto isakmp profile

Lists all the ISAKMP profiles that are defined on a router.

Examples

debug crypto isakmp Command Output for an ISAKMP Keyring That Is
Bound to Local Termination Addresses: Example

You have an ISAKMP configuration as follows (the address of serial2/0 is 10.0.0.1, and the address of serial2/1 is 10.0.0.2), 

crypto keyring keyring1

! Scope of the keyring is limited to interface serial2/0.

  local-address serial2/0

  ! The following is the key string used by the peer.

  pre-shared-key address 10.0.0.3 key somerandomkeystring

crypto keyring keyring2

  local-address serial2/1

  ! The following is the keystring used by the peer coming into serial2/1.

   pre-shared-key address 10.0.0.3 key someotherkeystring

and if the connection is coming into serial2/0, keyring1 is chosen as the source of the preshared key (and keyring2 is ignored because it is bound to serial2/1), you would see the following output: 

Router# debug crypto isakmp


*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):Keyring keyring2 is bound to

  10.0.0.0, skipping

*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):Looking for a matching key for

  10.0.0.3 in keyring1

*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0): : success

*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0):found peer pre-shared key

  matching 10.0.0.3

*Feb 11 15:01:29.595: ISAKMP:(0:0:N/A:0): local preshared key found

debug crypto isakmp Command Output for an ISAKMP ProfileThat Is Bound
to a Local Termination Address: Example

If you have the following configuration, 

crypto isakmp profile profile1

  keyring keyring1

  match identity address 10.0.0.0 255.0.0.0

  local-address serial2/0

crypto isakmp profile profile2

  keyring keyring1

  keyring keyring2

  self-identity fqdn

  match identity address 10.0.0.1 255.255.255.255

  local-address serial2/1

and the connection is coming through the local terminal address serial2/0, you will see the following output: 

Router# debug crypto isakmp


*Feb 11 15:01:29.935: ISAKMP:(0:0:N/A:0):


Profile profile2 bound to 10.0.0.0 skipped


*Feb 11 15:01:29.935: ISAKMP:(0:1:SW:1):: peer matches profile1 profile

show crypto isakmp profile Command Output: Example

The following is an example of typical show command output for an ISAKMP profile that is bound to serial2/0: 

Router# show crypto isakmp profile


ISAKMP PROFILE profile1

  Identities matched are:

    ip-address 10.0.0.0 255.0.0.0

  Certificate maps matched are:

  keyring(s): keyring1

  trustpoint(s): <all>

  Interface binding: serial2/0 (10.20.0.1:global)

Troubleshooting SafeNet IPsec VPN Client Support

If an ISAKMP profile or ISAKMP keyring fails to be selected, you should double-check the local-address binding in the ISAKMP profile or ISAKMP keyring configuration and follow the output of the IKE debugs to determine whether the peer is correctly terminating on the address. You may remove the local-address binding (to make the scope of the profile or keyring global) and check to determine whether the profile or keyring is selected to confirm the situation.

Configuration Examples for SafeNet IPsec VPN Client Support

This section contains the following configuration, debug command, and show command examples.

ISAKMP Profile Bound to a Local Interface: Example

ISAKMP Keyring Bound to a Local Interface: Example

ISAKMP Keyring Bound to a Local IP Address: Example

ISAKMP Keyring Bound to an IP Address and Limited to a VRF: Example

ISAKMP Profile Bound to a Local Interface: Example

The following example shows that the ISAKMP profile is bound to a local interface: 

crypto isakmp profile profile1

  keyring keyring1

  match identity address 10.0.0.0 255.0.0.0

  local-address serial2/0

ISAKMP Keyring Bound to a Local Interface: Example

The following example shows that the ISAKMP keyring is bound only to interface serial2/0: 

crypto keyring

  local-address serial2/0

  pre-shared-key address 10.0.0.1

ISAKMP Keyring Bound to a Local IP Address: Example

The following example shows that the ISAKMP keyring is bound only to IP address 10.0.0.2: 

crypto keyring keyring1

  local-address 10.0.0.2

  pre-shared-key address 10.0.0.2 key

ISAKMP Keyring Bound to an IP Address and Limited to a VRF: Example

The following example shows that an ISAKMP keyring is bound to IP address 10.34.35.36 and that the scope is limited to VRF examplevrf1: 

ip vrf examplevrf1

  rd 12:3456

crypto keyring ring1

  local-address 10.34.35.36 examplevrf1

interface ethernet2/0

  ip vrf forwarding examplevrf1

  ip address 10.34.35.36 255.255.0.0

Additional References

The following sections provide references related to SafeNet IPsec VPN Client Support.

Related Documents

Related Topic
Document Title

Configuring ISAKMP profiles and ISAKMP keyrings

VRF-Aware IPsec

Security commands

Cisco IOS Security Command Reference


Standards

Standard
Title

No new or modified standards are supported by this feature.


MIBs

MIB
MIBs Link

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No new or modified RFCs are supported by this feature.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Command Reference

The following commands are introduced or modified in the feature or features

local-address

For information about these commands, see the Cisco IOS Security Command Reference at

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.

For information about all Cisco IOS commands, see the Command Lookup Tool at

http://tools.cisco.com/Support/CLILookup or the Master Command List.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco  IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)


Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007-2009 Cisco Systems, Inc. All rights reserved.