Session Initiation Protocol Triggered VPN
Session Initiation Protocol Triggered VPN (SIP-Triggered VPN or VPN-SIP) is a service offered by service providers where a VPN is set up using Session Initiation Protocol (SIP) for on-demand media or application sharing between peers. The VPN-SIP feature defines the process in which two SIP user agents resolve each other’s IP addresses, exchange the fingerprints of their self-signed certificates, third-party certificates, or pre-shared key securely, and agree to establish an IPsec-based VPN.
Service providers offer the VPN-SIP service to their customers that have SIP-based services such as bank ATMs or branches. This VPN-SIP service replaces an ISDN connection for backup network functionality. If the primary broadband service link goes down, these bank ATMs or branches connect to their central headend or data centres through the VPN-SIP service.
The SIP server of the service provider, which coordinates the VPN-SIP service, is also used for billing of the service based on the time the service is used.
Information about VPN-SIP
Components for VPN-SIP Solution
VPN-SIP uses IPSec Static Virtual Tunnel Interface (SVTI). IPSec SVTI stays in active (UP) state even when there is no IPSec security association (SA) established between the tunnel interface and the SVTI peer.
The following are three components for the VPN-SIP Solution:
-
SIP
-
VPN-SIP
-
Crypto (IP Security (IPsec), Internet Key Exchange (IKE), Tunnel Protection (TP), Public Key Infrastructure (PKI) modules within crypto)
Sesssion Initiation Protocol
SIP is used as a name resolution mechanism to initiate an IKE session. VPN-SIP uses SIP service to establish a VPN connection to a home or a small business router that does not have a fixed IP address. This connection is achieved using self-signed certificates or pre-shared keys. SIP negotiates the use of IKE for media sessions in the Session Description Protocol (SDP) offer-and-answer model.
SIP is statically configured. One tunnel interface must be configured for each remote SIP number.
SIP also provides billing capabilities for service providers to charge customers based on the SIP number, for using the VPN-SIP service. Billing based on SIP numbers happens in the service provider network and is independent of the end devices like Cisco VPN-SIP routers.
VPN-SIP Solution
VPN-SIP is the central block that coordinates between SIP and Crypto modules, and provides an abstraction between them.
When traffic destined to a remote network behind a SIP number is routed to the tunnel interface, the IPSec control plane gets a trigger from packet switching path as there is no IPSEC SA configured to that peer. IPsec control plane passes the trigger to VPN-SIP as the tunnel is configured for VPN-SIP.
 Note |
Static routes for remote networks for that SIP number must be configured to point to that tunnel interface.
|
When the VPN-SIP service is triggered, SIP sets up the call with a SIP phone number pair. SIP also passes incoming call details to the VPN-SIP and negotiates IKE media sessions using local address and fingerprint information of the local self-signed certificate or pre-shared key. SIP also passes remote address and fingerprint information to VPN-SIP.
The VPN-SIP service listens to tunnel status updates and invokes SIP to tear down the SIP session. The VPN-SIP service also provides a means to display current and active sessions.
Feature at a glance
The following steps summarize how the VPN-SIP feature works:
-
IP SLA monitors the primary link using route tracking. When the primary link fails IP SLA detects this failure.
-
Once the primary path fails, IP SLA switches the default route to the higher metric route that is configured on the router.
-
When relevant traffic tries to flow using the secondary link, SIP sends an invite message to the SIP server to obtain the VPN peer information.
-
The router receives the VPN peer information (IP address, local and remote SIP numbers, IKE port, and finger print) and it establishes VPN-SIP tunnel.
-
When the primary path comes back up, IP SLA detects the primary path and the route falls back to the original path. When the idle timer expires, IPSec is torn down and a SIP call is disconnected.
Following is the topology for the VPN-SIP solution:
Figure 1. VPN-SIP Topology
SIP Call Flow
The SIP call flow is divided into initiation at the local peer and call receipt at the remote peer.
At SIP Call Intitiation
When packets are routed to an SVTI interface in data plane, the SIP call must be placed to the peer SIP number to resolve its address, so that VPN tunnel can be brought up.
-
When local auth-type is PSK, IKEv2 finds the matching key for a peer SIP number. The IKEv2 keyring must be configured with id_key_id type (string) as SIP number for each SIP peer. IKEv2 computes the fingerprint of the looked-up key and passes it to VPN-SIP.
-
When local auth-type is a self-signed certificate or an third-party certificate, IKEv2 computes the fingerprint of the local certificate configured under the IKEv2 profile and passes it to the VPN-SIP
The VPN-SIP module interacts with SIP to setup SIP call to the peer. When the call is successful, VPN-SIP sets the tunnel destination of SVTI to the resolved IP address, requesting SVTI to initiate the VPN tunnel.
 Note |
When a wildcard key is required, use the authentication local pre-share key command and the authentication remote pre-share key command in IKEv2 profile.
|
When SIP call is received at the remote peer
When a SIP call is received from a peer, following interactions occur between various crypto modules:
-
The Tunnel Protection helps VPN-SIP module to set tunnel destination address.
-
IKEv2 returns local auth-type (PSK or PKI) and local fingerprint to the VPN-SIP module. When local auth-type is PSK, IKEv2 finds a matching key for a corresponding SIP number.
 Note |
IKEv2 only knows peer by its SIP number.
|
During the SIP call negotiation between peers, each peer must select a unique local IKEv2 port number to be exchanged over the SDP. To support different port numbers for each session, the VPN-SIP module programmatically configures IP Port Address Translation (PAT) to translate between IKEv2 port (4500) and the port number exchanged over SDP. For the translation to work IP NAT must be configured on secondary link and the loopback interface configured as the VPN-SIP tunnel source. The lifetime of the translation is limited to the lifetime of the VPN-SIP session.
SDP Offer and Answer
Following is the sample for SDP offer and answer that is negotiated in the SIP call as defined in RFC 6193:
offer SDP
...
m=application 50001 udp ike-esp-udpencap
c=IN IP4 10.6.6.49
a=ike-setup:active
a=fingerprint:SHA-1 \
b=AS:512
4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB
...
answer SDP
...
m=application 50002 udp ike-esp-udpencap
c=IN IP4 10.6.6.50
a=ike-setup:passive
a=fingerprint:SHA-1 \
b=AS:512
D2:9F:6F:1E:CD:D3:09:E8:70:65:1A:51:7C:9D:30:4F:21:E4:4A:8E
As part of the SDP negotiation, both peers negotiate the maximum bandwidth rate for the VPN-SIP session using the b=AS :number SDP attribute. if the peers mention different bandwidth numbers in their SDP, both of them should honor the minimum value as the maximum bandwidth. If b=AS :number SDP attribute is missing in the offer or answer, the SIP call is not successfully set up.
The negotiated maximum bandwidth is applied on the SVTI tunnel interface through the programmatically configured QoS policy in the output direction. The programmatically configured QoS policy is not applied and session fails, if there is a pre-existing statically configured policy.
Once SIP call is complete and address of the peer is resolved, VPN-SIP sets tunnel destination of SVTI and sends a request to initiate tunnel.
IKEv2 Negotiation
Following is the process for IKEv2 Security Session (SA) negotiation:
-
Before starting the session, IKEv2 checks with VPN-SIP if the session is a VPN-SIP session.
-
If it’s a VPN-SIP session and local auth-type is PSK, IKEv2 looks up the PSK key pair using SIP number of the peer instead of IP address of the peer.
-
For validating self-signed certificate, IKEv2 checks if the certificate is self-signed and validates the certificate.
-
In addition to existing AUTH payload validation as part of IKEv2 protocol, IKEv2 calculates hash of the received certificate or looked-up PSK and compares with the fingerprint from SIP negotiation that IKEv2 queries from VPN-SIP module. Only if the fingerprint matches, IKEv2 considers authentication of peer is valid. If not, IKEv2 declares that peer has failed to authenticate and fails the VPN session.
VPN-SIP solution depends on IPSEC idle timer to detect that traffic is no longer routed over the backup VPN. The idle-time configuration under the IPSec Profile is mandatory for session to be disconnected when there is no traffic. 120 seconds is the recommended time.
VPN-SIP and SIP coordinate to tear down SIP call.
When IPsec idle time expires the VPN-SIP module informs the IKEv2 to bring down the IPsec tunnel. VPN-SIP requests the SIP module to disconnect the SIP call, without waiting for confirmation from the IKEv2.
When SIP call disconnect is received from the peer, VPN-SIP module informs the IKEv2 to bring down the IPsec tunnel, and acknowledges to SIP to tear down the SIP call.
Supported Platforms
The VPN-SIP feature is supported on the following platforms:
Cisco 4000 Series Integrated Services Routers:
-
ISR4221/K9 and its bundles
-
ISR4321/K9 and its bundles
-
ISR4331/K9 and its bundles
-
ISR4351/K9 and its bundles
-
ISR4351/K9 and its bundles
-
ISR4451-X/K9 and its bundles
Cisco 1000 Series Integrated Services Routers:
Prerequisites for VPN-SIP
-
Cisco 4000 Series Integrated Services Routers and Cisco 1000 Integrated Services Routers must have Cisco IOS XE 16.8.1 software installed.
-
Security K9 license must be enabled on the router.
-
The routers must have a minimum memory of 1 GB.
-
For the SIP register request of the SIP User Agent to succeed, the SIP registrar must be available to the VPN-SIP routers.
-
The DHCP server must support option 120 and 125 to obtain the SIP server address, which is needed for registration and establishing the SIP session.
-
Proper routing configurations must be completed to ensure backup WAN path is used when primary path is down.
-
Maximum Transmission Unit (MTU) of the tunnel interface must be less than the MTU of the secondary WAN interface.
-
When self-signed or third-party certificates are used for IKEv2 authentication, configure IKEv2 fragmentation on the VPN-SIP router to avoid fragmentation at the IP layer.
-
NAT SIP ALG must be disabled.
-
Caller ID notification service must be configured in the network.
Restrictions for VPN-SIP
-
VPN-SIP and CUBE/SIP gateway cannot be configured on the same device. When CUBE license is active on the device, only CUBE will be functional.
-
Only IPv4 is supported for transport and media (IPv4 transport for SIP registration, SIP signaling, and IPv4 packets encrypted over IPv4 transport).
-
SIP signalling with peer devices behind NAT is not supported (ICE and STUN are not supported.
-
SIP negotiation is supported only in global VRF.
-
Remote-access VPN features like private address assignment, configuration mode exchange (CP payloads), routes exchange, are not supported.
-
Routing protocols over the VPN-SIP session are not supported.
-
Only Rivest-Shamir-Addleman (RSA) server self-signed certificates are supported.
-
Pre-shared key lookup functionality using authentication, authorization, and accounting (AAA) is not supported.
-
The IPSec idle timer is configured per IPSec profile using the ipsec-profile command. The idle time is the same for all VPN-SIP sessions that use a specific IPSec profile.
-
Track objects that are used for IPSLA monitoring, have a maximum limit of 1000 objects in Cisco IOS software. When one track object is used to track one peer router, maximum number of VPN-SIP sessions that one IOS device can have is limited by the maximum number of track objects.
-
Only one local SIP number is supported on Cisco IOS software.
-
If there is a pre-existing statically configured policy, the programmatically configured QoS policy is not applied and session fails, . Remove any statically configured QoS policy on the SVTI interface.
-
On all Cisco ISR 1100 and ISR 4000 series routers, the supported scale of VPN-SIP feature is 300 sessions.
-
Cisco does not support the interoperability with VPN-SIP implementation of other vendors.
How to Configure VPN-SIP
Configuring VPN-SIP
The following steps describe the process of configuring VPN-SIP:
-
Configure the tunnel authentication using third party certificates, self-signed certificates, or pre-shared keys.
-
Tunnel Authentication using Certificates
Configure a trustpoint to obtain a certificate from a certification authority (CA) server that is located in the customer's network. This is required for tunnel authentication. Use the following configuration:
peer1(config)# crypto pki trustpoint CA
enrollment url http://10.45.18.132/
serial-number none
subject-name CN=peer2
revocation-check crl
rsakeypair peer2
peer2(config)# crypto pki authenticate CA
Certificate has the following attributes:
Fingerprint MD5: F38A9B4C 2D80490C F8E7581B BABE7CBD
Fingerprint SHA1: 4907CC36 B1957258 5DFE23B2 649E7DDA 99BDB7C3
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
peer2(config)#crypto pki enroll CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: CN=peer2
% The subject name in the certificate will include: peer2
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA' command will show the fingerprint.
Certificate map for Trustpoint
crypto pki certificate map data 1
issuer-name co cn = orange
-
Tunnel authentication using self-signed certificate
Configure a PKI trust point to generate a self-signed certificate on the device, when authenticating using a self-signed certificate. Use the following configuration:
peer4(config)#crypto pki trustpoint Self
enrollment selfsigned
revocation-check none
rsakeypair myRSA
exit
crypto pki enroll Self
Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
-
Configure tunnel authentication using a pre-shared key
crypto ikev2 keyring keys
peer peer1
identity key-id 1234
pre-shared-key key123
-
-
Configure IKEv2 Profile for Certificate
crypto ikev2 profile IPROF
match certificate data
identity local key-id 5678
authentication remote rsa-sig
authentication local rsa-sig
keyring local keys
pki trustpoint self
nat force-encap
-
Configure an IKEv2 Profile for pre-shared keys
crypto ikev2 profile IPROF
match identity remote any
identity local key-id 5678
authentication remote pre-share
authentication local pre-share
keyring local keys
nat force-encap
 Note |
To complete the IKEv2 SA configuration, the nat force-encap command must be configured on both peers. Since, UDP encapsulation is negotiated in SDP, IKEv2 must start and continue on port 4500.
|
-
Configure an IPsec profile
crypto ipsec profile IPROF
set security-association idle-time 2000
-
Configure a LAN side interface
 Note |
The LAN side interface is connected to the ISRG2 interface on the router.
|
interface Vlan101
ip address 10.3.3.3 255.255.255.0
no shutdown
!
interface GigabitEthernet2
switchport access vlan 101
no ip address
-
Configure a loopback interface
The loopback interface is used as the source interface for the secondary VPN tunnel.
interface loopback 1
ip address 10.11.1.1 255.0.0.0
ip nat inside
-
Configure a secondary interface.
 Note |
Make sure the secondary interface is configured to receive the IP address, SIP server address, and vendor specific information via DHCP.
|
interface GigabitEthernet8
ip dhcp client request sip-server-address
ip dhcp client request vendor-identifying-specific
ip address dhcp
ip nat outside
-
Configure the tunnel interface
interface Tunnel1
ip address 10.3.2.1 255.255.255.255
load-interval 30
tunnel source Loopback1
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile IPROF ikev2-profile IPROF
vpn-sip local-number 5678 remote-number 1234 bandwidth 1000
Use the vpn-sip local-number
local-number
remote-number remote-number bandwidth
bw-number command to configure the sVTI interface for VPN-SIP. Bandwidth is the maximum data transmission rate that must be negotiated with this peer and the negotiated value is set on the tunnel interface. Allowed values are 64, 512, and 1000 kbps.
Once an SVTI is configured for VPN-SIP, changes cannot be made to tunnel mode, tunnel destination, tunnel source, and tunnel protection. To change the mode, source, destination, or tunnel protection you must remove the VPN-SIP configuration from the SVTI interface.
-
Add static default routes
Add a secondary route with a higher metric.
ip route 0.0.0.0 0.0.0.0 Tunnel0 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel1 254
-
Configure IP SLA
ip sla 1
icmp-echo 10.11.11.1
threshold 500
timeout 500
frequency 2
ip sla schedule 1 life forever start-time now
-
Configure route tracking
track 1 ip sla 1 reachability
-
Enable VPN-SIP
vpn-sip enable
vpn-sip local-number 5678 address ipv4 GigabitEthernet8
vpn-sip tunnel source Loopback1
vpn-sip logging
To configure VPN-SIP, you must configure local SIP number and local address. The vpn-sip local-number
SIP-number
address ipv4
WAN-interface-name command configures the local SIP number that is used for SIP call and the associated IPv4 address.
 Note |
Only IPv4 addresses can be configured. Crypto module does not support dual stack.
|
When the primary WAN interface is functional, the destination of the VPN-SIP tunnel is set to the backup WAN interface, so that the tunnel interface is active. Destination is set to IP address of the peer that is learnt from SDP of SIP negotiation when traffic is routed to the tunnel interface. When primary WAN interface fails and the back routes are activated, packets are routed to the sVTI through backup.
 Note |
We recommend that you use an unused non-routable address as the address of the loopback interface and do not configure this loopback interface for any other purpose. Once a loopback interface is configured, VPN-SIP listens to any updates to the interface and blocks them. The vpn-sip logging command enables the system logging of VPN-SIP module for events, such as session up, down, or failure.
|
Verifying VPN-SIP on a Local Router
Verifying Registration Status
Peer1# show vpn-sip registration-status
SIP registration of local number 0388881001 : registered 10.6.6.50
Verifying SIP Registrar
Peer1#show vpn-sip sip registrar
Line destination expires(sec) contact transport call-id
====================================================================================================
0388881001 example.com 2359 10.6.6.50 UDP 3176F988-9EAA11E7-8002AFA0-8EF41435
Verifying VPN-SIP Status
Peer1#show vpn-sip session detail
VPN-SIP session current status
Interface: Tunnel1
Session status: SESSION_UP (I)
Uptime : 00:00:42
Remote number : 0388881001 =====> This is the Remote Router's SIP number
Local number : 0388882001 =====> Local router's SIP number
Remote address:port: 10.6.6.49:50002
Local address:port : 10.6.6.50:50001
Crypto conn handle: 0x8000017D
SIP Handle : 0x800000C7
SIP callID : 1554
Configured/Negotiated bandwidth: 64/64 kbps
Verifying Crypto Session
Peer1# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP Vpn-sip
Interface: Tunnel1
Profile: IPROF
Uptime: 00:03:53
Session status: UP-ACTIVE
Peer: 10.6.6.49 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 10.6.6.49
Desc: (none)
Session ID: 43
IKEv2 SA: local 10.11.1.1/4500 remote 10.6.6.49/50002 Active
Capabilities:S connid:1 lifetime:23:56:07 ====> Capabilities:S indicates this is a SIP VPN_SIP Session
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 6 drop 0 life (KB/Sec) 4222536/3366
Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4222537/3366
Verifying IP NAT Translations
Peer1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 2.2.2.2:4500 10.6.6.50:50001 10.6.6.49:50002 10.6.6.49:50002
Verifying DHCP SIP Configuration
Peer9#show vpn-sip sip dhcp
SIP DHCP Info
SIP-DHCP interface: GigabitEthernet8
SIP server address:
Domain name: dns:example.com
Verifying VPN-SIP on a Remote Router
Verifying VPN-SIP Registration Status on a Remote Router
Peer2# show vpn-sip registration-status
SIP registration of local number 0388882001 : registered 10.6.6.49
Verifying VPN-SIP Registrar on a Remote Router
Peer2# show vpn-sip sip registrar
Line destination expires(sec) contact transport call-id
============================================================================================
0388882001 example.com 2478 10.6.6.49 UDP E6F23809-9EAB11E7-80029279-40B97F59
Verifying VPN-SIP Session Details on a Remote Router
Peer2# show vpn-sip session detail
VPN-SIP session current status
Interface: Tunnel1
Session status: SESSION_UP (R)
Uptime : 00:00:21
Remote number : 0388882001 =====> This is the Peer1 Router's SIP number
Local number : 0388881001 =====> Local router's SIP number
Remote address:port: 10.6.6.50:50001
Local address:port : 10.6.6.49:50002
Crypto conn handle: 0x8000017E
SIP Handle : 0x800000BE
SIP callID : 1556
Configured/Negotiated bandwidth: 1000/64 kbps
Verifying Crypto Session Details on a Remote Router
Peer2 #show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN-SIP
Interface: Tunnel1
Profile: IPROF
Uptime: 00:02:32
Session status: UP-ACTIVE
Peer: 10.6.6.50 port 50001 fvrf: (none) ivrf: (none)
Phase1_id: 10.6.6.50
Desc: (none)
Session ID: 147
IKEv2 SA: local 10.17.1.1/4500 remote 10.6.6.50/50001 Active
Capabilities:S connid:1 lifetime:23:57:28 ====> Capabilities:S indicates this is a SIP VPN-SIP Session
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4293728/3448
Outbound: #pkts enc'ed 6 drop 0 life (KB/Sec) 4293728/3448
Verifying IP NAT Translations on a Remote Router
Peer2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 3.3.3.3:4500 10.6.6.49:50002 10.6.6.50:50001 10.6.6.50:50001
Configuration Examples for VPN-SIP
Configuration Examples for VPN-SIP
Using self-signed certificates for authentication
The following is sample configuration to configure VPN-SIP using self-signed certificates for authentication. There is no distinction between initiator and responder role in VPN-SIP. The configuration on a peer node will be identical with local SIP numbers changed.
// Self-signed certificate
crypto pki trustpoint selfCert
rsakeypair myRSA
enrollment selfsigned
revocation-check none
!
crypto ikev2 profile vpn-sip-profile
match identity remote any
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint selfCert // Use same self-signed trustpoint for sign and verify
nat force-encap
!
crypto ipsec profile vpn-sip-ipsec
set security-association idle-time 120
!
vpn-sip enable
vpn-sip local-number 0388883001 address ipv4 GigabitEthernet1
vpn-sip tunnel source Loopback11
vpn-sip logging
!
// one tunnel per peer – configuration is for peer with a SIP-number of 0388884001
int tunnel0
ip unnumbered loopback 0
tunnel source loopback11
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile vpn-sip-ipsec ikev2-profile vpn-sip-profile
vpn-sip local-number 0388883001 remote-number 0388884001 bandwidth 1000
!
// ip unnumbered of tunnel interfaces
int loopback 0
ip address 10.21.1.1 255.255.255.255
!
int loopback11
ip address 10.9.9.9 255.255.255.255
ip nat inside
!
// one tunnel per peer – this is for peer with SIP-number 0388885001
int tunnel1
ip unnumbered loopback 0
tunnel source loopback11
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile vpn-sip-ipsec ikev2-profile iprof
vpn-sip sip-local 0388883001 sip-remote 0388885001 bandwidth 1000
!
interface GigabitEthernet8
ip dhcp client request sip-server-address
ip dhcp client request vendor-identifying-specific
ip address dhcp
ip nat outside
// backup routes configured with higher AD so that these routes will be activated only when primary path goes down. AD need to be chosen to be greater than that of primary route.
ip route 10.0.0.0 255.0.0.0 tunnel 0 250
ip route 10.1.0.0 255.0.0.0 tunnel 0 250
ip route 10.2.0.0 255.0.0.0 tunnel 0 250
ip route 10.3.0.0 255.0.0.0 tunnel 0 250
Troubleshooting for VPN-SIP
Viewing Tunnel Interface in Show Output
SymptomShow VPN-SIP session doesn’t show any information about the tunnel interface. In the following example, information about the tunnel interface, tunnel1 is not shown:
Peer5-F#show vpn-sip session
VPN-SIP session current status
Interface: Tunnel2
Session status: READY_TO_CONNECT
Remote number : 0334563333
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 192.30.18.22:0
Interface: Tunnel3
Session status: READY_TO_CONNECT
Remote number : 0323452222
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 192.30.18.22:0
Interface: Tunnel4
Session status: READY_TO_CONNECT
Remote number : 0612349999
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 192.30.18.22:0
Interface: Tunnel6
Session status: READY_TO_CONNECT
Remote number : 0634567777
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 172.30.18.22:0
Possible CauseVPN-SIP is not configured on the tunnel interface
Peer5-F#sh run int tun1
Building configuration...
Current configuration : 201 bytes
!
interface Tunnel1
ip address 10.5.5.5 255.0.0.0
tunnel source Loopback11
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile test-prof ikev2-profile test
end
Recommended ActionConfigure VPN-SIP on the tunnel interface.
:
Peer5-F#show running interface tunnel 1
Building configuration...
Current configuration : 278 bytes
!
interface Tunnel1
ip address 10.5.5.5 255.255.255.255
tunnel source Loopback11
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile test-prof ikev2-profile test
vpn-sip local-number 0623458888 remote-number 0312341111 bandwidth 1000
end
Following is the running output for the above scenario:
Peer5-F#show vpn-sip session detail
VPN-SIP session current status
Interface: Tunnel1
Session status: READY_TO_CONNECT
Remote number : 0312341111
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 172.30.18.22:0
Crypto conn handle: 0x8000002C
SIP Handle : 0x0
SIP callID : --
Configured/Negotiated bandwidth: 1000/0 kbps
Interface: Tunnel2
Session status: READY_TO_CONNECT
Remote number : 0334563333
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 172.30.18.22:0
Crypto conn handle: 0x80000012
SIP Handle : 0x0
SIP callID : --
Configured/Negotiated bandwidth: 512/0 kbps
Interface: Tunnel3
Session status: READY_TO_CONNECT
Remote number : 0323452222
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 172.30.18.22:0
Crypto conn handle: 0x80000031
SIP Handle : 0x0
SIP callID : --
Configured/Negotiated bandwidth: 512/0 kbps
Interface: Tunnel4
Session status: READY_TO_CONNECT
Remote number : 0612349999
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 172.30.18.22:0
Crypto conn handle: 0x8000002F
SIP Handle : 0x0
SIP callID : --
Configured/Negotiated bandwidth: 1000/0 kbps
Interface: Tunnel6
Session status: READY_TO_CONNECT
Remote number : 0634567777
Local number : 0623458888
Remote address:port: 0.0.0.0:0
Local address:port : 172.30.18.22:0
Crypto conn handle: 0x80000026
SIP Handle : 0x0
SIP callID : --
Configured/Negotiated bandwidth: 1000/0 kbps
Troubleshooting SIP Registration Status
SymptomSIP registration status is Not Registered
Peer5#show vpn-sip sip registrar
Line destination expires(sec) contact
transport call-id
============================================================
Peer5-F#show vpn-sip registration-status
SIP registration of local number 0623458888 : not registered
Possible CauseIP address is not configured on the WAN interface.
Peer5#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset down down
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset down down
GigabitEthernet0/3 unassigned YES unset down down
GigabitEthernet0/4 unassigned YES unset up up
GigabitEthernet0/5 10.5.5.5 YES manual up up
Vlan1 10.45.1.5 YES NVRAM up up
NVI0 10.1.1.1 YES unset up up
Loopback1 10.1.1.1 YES NVRAM up up
Loopback5 10.5.5.5 YES NVRAM administratively down down
Loopback11 10.11.11.11 YES NVRAM up up
Tunnel1 10.5.5.5 YES NVRAM up down
Tunnel2 10.2.2.2 YES NVRAM up down
Tunnel3 10.3.3.3 YES NVRAM up down
Tunnel4 10.4.4.4 YES NVRAM up down
Tunnel6 10.8.8.8 YES NVRAM up down
Peer5-F#show run interface gigabitEthernet 0/4
Building configuration...
Current configuration : 213 bytes
!
interface GigabitEthernet0/4
ip dhcp client request sip-server-address
ip dhcp client request vendor-identifying-specific
no ip address ====> no IP address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
end
Recommended ActionUse the ip address dhcp command to configure the interface IP address.
Peer5-F#show running-config interface gigabitEthernet 0/4
Building configuration...
Current configuration : 215 bytes
!
interface GigabitEthernet0/4
ip dhcp client request sip-server-address
ip dhcp client request vendor-identifying-specific
ip address dhcp ====> configure IP address DHCP
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
end
Peer5-F#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset down down
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset down down
GigabitEthernet0/3 unassigned YES unset down down
GigabitEthernet0/4 172.30.18.22 YES DHCP up up
GigabitEthernet0/5 10.5.5.5 YES manual up up
Vlan1 10.45.1.5 YES NVRAM up up
NVI0 10.1.1.1 YES unset up up
Loopback1 10.1.1.1 YES NVRAM up up
Loopback5 10.5.5.5 YES NVRAM administratively down down
Loopback11 10.11.11.11 YES NVRAM up up
Tunnel1 10.6.5.5 YES NVRAM up down
Tunnel2 10.2.2.2 YES NVRAM up down
Tunnel3 10.3.3.3 YES NVRAM up down
Tunnel4 10.4.4.4 YES NVRAM up down
Tunnel6 10.8.8.8 YES NVRAM up down
Peer5-F#show vpn-sip sip registrar
Line destination expires(sec) contact
transport call-id
============================================================
0623458888 example.com 2863 172.30.18.22
UDP 1E83ECF0-AF0611E7-802B8FCF-594EB9E7@122.50.18.22
Peer5-F#show vpn-sip registration-status
SIP registration of local number 0623458888 : registered 172.30.18.22
Session stuck in Negotiating IKE state
SymptomVPN-SIP session stuck in Negotiating IKE state.
Peer5#show vpn-sip session remote-number 0612349999 detail
VPN-SIP session current status
Interface: Tunnel4
Session status: NEGOTIATING_IKE (R)
Uptime : 00:00:58
Remote number : 0612349999
Local number : 0623458888
Remote address:port: 172.30.168.3:24825
Local address:port : 172.30.18.22:50012
Crypto conn handle: 0x8000002E
SIP Handle : 0x8000000C
SIP callID : 16
Configured/Negotiated bandwidth: 1000/1000 kbps
Possible CauseBad configuration related to IKEv2.
In the following example the Key ID that is configured in the keyring does not match the SIP numberof the remote peer.
Peer5-F#show running-config interface tunnel 4
Building configuration...
Current configuration : 276 bytes
!
interface Tunnel4
ip address 10.4.4.4 255.0.0.0
tunnel source Loopback11
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile test-prof ikev2-profile test
VPN-SIP local-number 0623458888 remote-number 0612349999 bandwidth 1000 ====> Remote number mentioned here doesn’t match the remote number in the keyring
end
IKEv2 Keyring configs:
!
crypto ikev2 keyring keys
peer peer1
identity key-id 0312341111
pre-shared-key psk1
!
peer abc
identity key-id 0345674444
pre-shared-key psk1
!
peer peer2
identity key-id 0334563333
pre-shared-key psk10337101690
!
peer peer6
identity key-id 0634567777
pre-shared-key cisco123
!
peer peer3
identity key-id 0323452222
pre-shared-key cisco123
!
peer peer4
identity key-id 0645676666
pre-shared-key psk1
!
peer NONID
identity fqdn example.com
pre-shared-key psk1
!
!
!
crypto ikev2 profile test
match identity remote any
identity local key-id 0623458888
authentication remote pre-share
authentication local pre-share
keyring local keys
dpd 10 6 periodic
nat force-encap
Recommended ActionCorrect the keyring configurations.
rypto ikev2 keyring keys
peer peer1
identity key-id 0312341111
pre-shared-key psk1
!
peer abc
identity key-id 0345674444
pre-shared-key psk1
!
peer peer2
identity key-id 0334563333
pre-shared-key psk1
!
peer peer6
identity key-id 0634567777
pre-shared-key psk1
!
peer peer3
identity key-id 0323452222
pre-shared-key psk1
!
peer peer4
identity key-id 0612349999
pre-shared-key psk1
!
peer NONID
identity fqdn example.com
pre-shared-key psk1
!
!
!
crypto ikev2 profile test
match identity remote any
identity local key-id 0623458888
authentication remote pre-share
authentication local pre-share
keyring local keys
dpd 10 6 periodic
nat force-encap
!
Peer5-F#show vpn-sip session remote-number 0612349999 detail
VPN-SIP session current status
Interface: Tunnel4
Session status: SESSION_UP (R)
Uptime : 00:02:04
Remote number : 0612349999
Local number : 0623458888
Remote address:port: 172.30.168.3:24845
Local address:port : 172.30.18.22:50020
Crypto conn handle: 0x8000004E
SIP Handle : 0x80000014
SIP callID : 24
Configured/Negotiated bandwidth: 1000/1000 kbps
Troubleshooting Session Initiation
SymptomSession does not initiate and gets stuck in Negotiating IKE state
Possible CauseFagmentation of IKE packets when a large PKI certificate is included in the IKE authentication message.
Recommended ActionConfigure IKEv2 fragmentation on the routers.
Debug Commands
The folllwing debug commands are available to debug VPN-SIP configuration:
Table 1 debug commands
Command Name
|
Description
|
debug vpn-sip event
|
Prints debug messages for SVTI registration with VPN-SIP, SIP registration, call setup, and so on.
|
debug vpn-sip errors
|
Prints error messages only when an error occurs during initialization, registration, call setup, and so on.
|
debug vpn-sip sip all
|
Enables all SIP debugging traces.
|
debug vpn-sip sip calls
|
Enables SIP SPI calls debugging trace.
|
debug vpn-sip sip dhcp
|
Enables SIP-DHCP debugging trace
|
debug vpn-sip sip error
|
Enables SIP error debugging trace
|
debug vpn-sip sip events
|
Enables SIP events debugging trace.
|
debug vpn-sip sip feature
|
Enables feature level debugging.
|
debug vpn-sip sip function
|
Enables SIP function debugging trace.
|
debug vpn-sip sip info
|
Enables SIP information debugging trace.
|
debug vpn-sip sip level
|
Enables information level debugging.
|
debug vpn-sip sip media
|
Enables SIP media debugging trace.
|
debug vpn-sip sip messages
|
Enables SIP SPI messages debugging trace
|
debug vpn-sip sip non-call
|
Enables Non-Call-Context trace (OPTIONS, SUBSCRIBE, and so on)
|
debug vpn-sip sip preauth
|
Enable SIP preauth debugging trace.
|
debug vpn-sip sip states
|
Enable SIP SPI states debugging trace.
|
debug vpn-sip sip translate
|
Enables SIP translation debugging trace.
|
debug vpn-sip sip transport
|
Enables SIP transport debugging traces.
|
debug vpn-sip sip verbose
|
Enables verbose mode.
|
Additional References for VPN-SIP
Standards and RFCs
Standard/RFC |
Title |
RFC 6193 (with Restrictions) |
Media Description for the Internet Key Exchange Protocol (IKE) in the Session Description Protocol (SDP)
|
Feature Information for VPN-SIP
Table 2 Feature Information for VPN-SIP
Feature Name
|
Releases
|
Feature Information
|
Session Initiation Protocol Triggered VPN
|
Cisco IOS XE Fuji 16.8.x
|
VPN-SIP is a service offered by service providers where a VPN is setup for on-demand media or application sharing between peers, using Session Initiation Protocol (SIP).
The following commands were introduced: nat force-encap, show vpn-sip session, show vpn-sip sip, show vpn-sip registration-status, vpn-sip local-number, vpn-sip logging, vpn-sip tunnel source.
|