Configuring IKEv2 and IPSec

This chapter describes how to configure Internet Key Exchange version 2 (IKEv2) and IP Security (IPSec) on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as Cisco CG-OS router) to support secure communications between a source (Cisco CG-OS router) and destination router over a virtual tunnel.

This chapter includes the following sections:

Information About IKEv2 and IPSec

Internet Key Exchange Version 2 (IKEv2) is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec is a security protocol that provides data security in tunnel mode and in transport mode.

Virtual Tunnels

In the tunnel mode, IPSec protects peer-to-peer communication between two end nodes by establishing a virtual tunnel between those two endpoints. On the Cisco CG-OS router, this virtual tunnel is built between itself (source) and the destination router such as the Cisco ASR 1000 Series Aggregation Services Routers (Cisco ASR), which serve as a head-end router.

The virtual tunnel does not manage or modify any packets that are sent over the physical interfaces of the Cisco CG-OS router. Therefore, the Cisco CG-OS router can interoperate with most IPSec implementations (operating with IKEv2) that support IPSec Encapsulating Secure Payload (ESP) operating in tunnel mode. (See limitations in Guidelines and Limitations for IKEv2 and IPSec.)

IKEv2 Authentication

The Cisco CG-OS router employs IKEv2 to authenticate to the destination router by using either a pre-shared key (PSK) or by using RSA signatures with a Public Key Infrastructure (PKI). IKEv2 must be configured on the source and destination router (peers) and both routers must employ the same authentication method.

  • PSK authenticates each router (peer) by requiring proof of possession of a shared secret. Each router (peer) must have the same shared secret configured.
  • RSA signatures employ a PKI-based method of authentication. (See Configuring PKI.) IKEv2 interacts with PKI to obtain the identity certificates and to validate the peer (such as Cisco CG-OS router and head-end router) certificates.

IPSec Tunnel Encryption and De-encryption

Encryption Flow

When a packet arrives at the router through an interface, the Cisco CG-OS router applies any policies configured for that interface, such as ingress IP access control lists (IP ACLs) or QoS policies. During IP routing, the Cisco CG-OS router identifies any traffic destined for the virtual tunnel. Before forwarding that traffic to the virtual tunnel interface (VTI), the Cisco CG-OS router applies any egress policies defined for the VTI. At the VTI, IPSec encrypts the original packet and then encapsulates it within another packet. The encapsulated packet carries the Differentiated Services Code Point (DSCP) field of the original packet, and its outer header has the source (Cisco CG-OS router) and destination (head-end router) addresses of the VTI.

After encapsulation, IPSec resubmits the packet to the routing function for forwarding to an interface for transmission to the head-end router. The Cisco CG-OS router applies any configured egress IP ACL or QoS policies configured for the interface, before the packet exits the interface.

De-encryption Flow

When the encapsulated packet (with an IP protocol field of ESP) arrives at the destination router (head-end router), the Cisco CG-OS router applies any ingress IP ACL and QoS policies configured for the ingress interface to the packet. The encapsulated packet is then forwarded for processing by IPSec (before any route lookup occurs) for de-encryption. After de-encryption, IPSec forwards the original packet back into the routing function, where the Cisco CG-OS router applies egress IP ACL and QoS policies configured for the VTI.

Policies

IKEv2 employs policies to negotiate handshakes between the two peers. These policies, which are configured on each peer, are a combination of the various security parameters listed below:

  • Encryption method (3DES, AES)
  • Hash algorithm (SHA)
  • Diffie-Hellman (DH) group (768-bit, 1024-bit or 1536-bit DH).

Each policy has a unique priority number assigned to it.

The peers must share at least one common policy to allow for successful secure communication.

During the IKEv2 Security Association (SA) negotiation, IKEv2 searches for a policy that is the same for both peers. The peer that initiates the negotiation (handshake) sends all its supported policies to the remote peer.

  • If a match is found by the remote peer, then the peers employ that security policy for all future communications.
  • If no policy match exists between the two peers, then IKEv2 terminates the negotiation.

After successful IKEv2 SA negotiation between the peers, IPSec SA negotiation occurs by exchanging profiles (known as transform-sets) between the two peers.

Application

The primary application of IPSec and IKEv2 is to allow the configuration of tunnels between the Cisco CG-OS router and the head-end router to securely encapsulate and de-encapsulate traffic sent and received over a WAN interface from an insecure backhaul.

IKEv2 negotiates the secure communication channel, and IPSec encrypts and de-encrypts the traffic received from an insecure backhaul to provide data confidentiality, data integrity, and authentication. IPSec also supports anti-replay protection, which provides IP packet-level security against interception and modification of packets sent between a source and destination system.

IPv4 packets can be transported within the virtual tunnel. The Cisco CG-OS router supports up to 25 simultaneous IPSec virtual tunnels.

Prerequisites

A connection must exist between the Cisco CG-OS router and the head-end router before you can configure a virtual tunnel interface between the two systems.

Guidelines and Limitations for IKEv2 and IPSec

IKEv2

IKEv2 must be configured on the source (Cisco CG-OS router) and destination (head-end) routers.

IPSec

IPSec only supports key negotiation using IKEv2 and does not support connection to firewalls configured on the Cisco ASA 5500 Series Adaptive Security Appliance and other VPN concentrator products.

Default Settings

Table 8-1 lists the default settings for IKEv2 policy parameters.

Table 8-2 lists the default settings for IPSec profile parameters.

 

Table 8-1 Default Settings for IKEv2 Policy Parameters

Parameter                    Default
Encryption algorithm         128-bit AES
Hash algorithm               SHA-1
Diffie-Hellman (DH) group    Group 2 (1024-bit DH)
Authentication method        RSA signatures
lifetime seconds value       86400 seconds

Table 8-2 Default Settings for IPSec Profile Parameters

Parameter                                    Default
set pfs group                                Disabled
set security-association lifetime duration   4608000 kilobytes and 3600 seconds

Configuring IKEv2 and IPSec

BEFORE YOU BEGIN

Contact the system administrator to confirm the authentication method (PSK or RSA) to configure on the Cisco CG-OS router.

DETAILED STEPS

 

Command
Purpose

Step 1

feature crypto ike

Enables IKEv2 on the Cisco CG-OS router.

Note To prevent loss of IKEv2 configuration, do not disable IKEv2 when IPSec is enabled on the Cisco CG-OS router.

Step 2

crypto ike domain ipsec

Configures the IKEv2 domain and enters the IKEv2 configuration submode.

Step 3

policy value

Defines IKEv2 priority policy and enters the policy configuration submode. The lower the number, the higher the priority.

Step 4

authentication method

Specifies the IKEv2 authentication method.

Method options are PSK (pre-share) and RSA signature (rsa-sig) authentication.

Default setting for the Cisco CG-OS router is rsa-sig.

Step 5

encryption enc_algo

Specifies the encryption algorithm for the policy. Options are:

3des–168-bit DES (3DES)

aes–AES-CBC

Default setting for the Cisco CG-OS router is aes.

Step 6

hash hash_algo

Configures the hash algorithm for the IKE policy. Options are:

sha–HMAC-SHA1

md5–HMAC-MD5

Default setting for the Cisco CG-OS router is sha.

Step 7

group DH_group

Configures the Diffie-Hellman group for the policy. Options are:

1–768-bit Diffie-Hellman group

2–1024-bit Diffie-Hellman group

5–1536-bit Diffie-Hellman group

Default setting for the Cisco CG-OS router is 2.

Step 8

lifetime seconds value

Specifies the IKE SA lifetime for the policy. Value is a range from 600 to 86400 seconds. Default setting is 86400 seconds.

Step 9

exit

Exits the policy mode.

Step 10

keepalive value

Configures the frequency of keepalive messages sent between peers in the tunnel. Keepalive messages validate the ability of the peers to send and receive traffic. Value can be any number between 120 and 86400 seconds. The default value is 3600 seconds. (IKE global parameter)

Step 11

identity hostname

Configures the identity used by the IKE protocol. By default, Cisco CG-OS employs the IP address of the Cisco CG-OS router as the identity for the IKE protocol.

This command must be set when using RSA.

Note This command is optional when using PSK.

Step 12

exit

Exits to the configuration mode.

Step 13

feature tunnel

Enables tunneling on the Cisco CG-OS router.

Step 14

feature crypto ipsec virtual-tunnel

Enables IPSec tunnelling on the Cisco CG-OS router and creates a virtual tunnel interface.

Step 15

crypto ipsec transform-set tx-form-name {txform | encr_txform auth_txform}

Configures a single transform set that is included within the IPSec protection profile.

Options for txform are:

  • esp-gcm 128–128-bit AES-GCM authenticated encryption
  • esp-gcm 256–256-bit AES-GCM authenticated encryption

Options for encr_txform auth_txform:

  • encr_txform options: esp-aes 128 or esp-aes 256 AES-CBC encryption
  • auth_txform options: esp-sha1-hmac or esp-sha256-hmac HMAC-SHA authentication

Note The transform-set name (tx-form-name) defined here must match the transform-set name that you associate with the IPSec profile by using the set transform-set command.

Step 16

crypto ipsec profile profile-name

Configures an IPSec profile for attachment to the virtual tunnel interface.

Step 17

description text

(Optional) Allows the user to provide a description for the profile. The character limit is 64 characters.

Step 18

set pfs group

Configures the Diffie-Hellman group for perfect forward secrecy (PFS) for the IPSec tunnel. Options for group are as follows:

group1–768-bit mode Diffie-Hellman

group2–1024-bit mode Diffie-Hellman

group 4–2048-bit mode Diffie-Hellman

group5–1536-bit mode Diffie-Hellman

Note By default, PFS is disabled.

Step 19

set security-association lifetime [seconds] [kilobytes]

Specifies the lifetime of the IPSec security association. When the configured lifetime value expires, a new security association is negotiated.

Lifetime can be expressed in both time (seconds, 120 to 86400) and data volume (kilobytes, 2560 to 4292967295).

The default seconds value is 3600 seconds.

The default data volume is 4608000 kilobytes.

Step 20

set transform-set tx-form-name

Associates the transform set with the currently configured IPSec profile.

Step 21

exit

Exits the profile mode.

Step 22

interface tunnel number

Creates a virtual tunnel.

number–Any value from 0 to 4095.

Step 23

ip address ip-address

Assigns an IP address for the interface tunnel.

Step 24

tunnel mode ipsec {ipv4}

Configures the encapsulation mode for the tunnel.

Note When the tunnel is configured to operate in IPSec mode, the keepalive parameter must be disabled. By default, keepalive is disabled.

Step 25

tunnel source { ip-address | interface-type slot-port }

Configures the source endpoint for the tunnel.

Step 26

tunnel destination { ip-address | host-name }

Configures the destination endpoint for the tunnel.

Step 27

description text

(Optional) Allows the user to provide a description for the tunnel interface. The character limit is 64 characters.

Step 28

tunnel protection ipsec profile profile-name

Binds the IPSec protection profile to the tunnel interface.

Note The profile-name in this step must match the name of the IPSec profile created by using the crypto ipsec profile profile-name command.

Step 29

no shutdown

Brings the interface up, administratively.

EXAMPLE

Example 1: RSA Authentication

This example shows how to enable IKEv2 and then create a virtual IPSec tunnel when employing RSA authentication for both the Cisco CG-OS router and the head-end router.

This example configuration employs a Cisco ASR 1000 Series as the head-end router.

RSA mode is the system default setting for the Cisco CG-OS router.

Cisco CG-OS Router Configuration


Note When you use the system default for a parameter there is no need to enter the associated command. In the configuration below, the Cisco CG-OS router uses the default settings for authentication, encryption, hash algorithm, group, and lifetime seconds ( to ).


These commands show how to enable and configure IKEv2 on the Cisco CG-OS router.

router# configure terminal
router(config)# feature crypto ike
router(config)# crypto ike domain ipsec
router(config-ike-IPSec)# policy 10
router(config-ike-ipsec-policy)# exit
router(config-ike-IPSec)# identity hostname
router(config-ike-IPSec)# exit
 

These commands show how to enable tunnelling on the router, define a transform set and an IPSec profile, and then create a virtual IPSec tunnel (Tunnel 0) that uses that profile.


Note In the configuration below, the connected grid router uses the default settings for the set security-association lifetime seconds kilobytes parameter ().


 
router(config)# feature tunnel
router(config)# feature crypto ipsec virtual-tunnel
router(config)# crypto ipsec transform-set AES128SHA1 esp-aes 128 esp-sha1-hmac
router(config)# crypto ipsec profile MyIPSecProfile
router(config-ipsec-profile)# description IPSec profile for Tunnel 0
router(config-ipsec-profile)# set transform-set AES128SHA1
router(config-ipsec-profile)# exit
router(config)# interface Tunnel 0
router(config-if)# ip address 192.168.170.10/24
router(config-if)# tunnel mode ipsec ipv4
router(config-if)# tunnel source ethernet 2/7
router(config-if)# tunnel destination 172.27.170.23
router(config-if)# description IPSec to HER_01
router(config-if)# tunnel protection ipsec profile MyIPSecProfile
router(config-if)# no shutdown
router(config-if)# exit
 
Head-End Router Configuration (Cisco ASR 1000 Series with Cisco IOS)
 
crypto ikev2 proposal MyIke2Proposal
encryption aes-cbc-128
integrity sha1
group 2
 
crypto ikev2 policy MyIKEPolicy
proposal MyIke2Proposal
 
crypto ikev2 profile MyIke2Profile_cgr
match fvrf any
match identity remote fqdn cgr01
identity local fqdn her01
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint jamesRA_MSCA2008
 
crypto ipsec transform-set AES128SHA1 esp-aes esp-sha-hmac
 

Note Any Cisco IOS router configured as the head-end router must be configured as responder-only as shown in the configuration section below.



Note Cisco recommends the set security-association lifetime kilobytes and seconds values set in the procedure below to protect against connection tear-downs.


crypto ipsec profile IPSecProfile_altamont
set security-association lifetime kilobytes 4294967295
set security-association lifetime seconds 86400
set transform-set AES128SHA1
set ike-profile MyIke2Profile_cgr
responder-only
 
interface Tunnel 1
description IPSec to head_end_rtr01
ip address 192.168.170.20 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 172.27.170.20
tunnel protection ipsec profile IPSecProfile_altamont

Example 2: PSK Authentication

This example shows how to enable IKEv2 and then create a virtual IPSec tunnel employing pre-shared key (PSK) for authentication between the Cisco CG-OS router and the head-end router. This example configuration employs a Cisco ASR 1000 Series router as the head-end router.

Connected Grid Router Configuration

These commands show how to enable and configure IKEv2 on the Cisco CG-OS router.

router# configure terminal
router(config)# feature crypto ike
router(config)# crypto ike domain ipsec
router(config-ike-IPSec)# policy 10
router(config-ike-ipsec-policy)# authentication pre-share
router(config-ike-ipsec-policy)# lifetime seconds 600
router(config-ike-ipsec-policy)# exit
router(config-ike-IPSec)# keepalive 120
router(config-ike-IPSec)# identity hostname
router(config-ike-IPSec)# key $ecreT1254 hostname brklyn
router(config-ike-IPSec)# key $ecreT1254 address 192.168.150.20
router(config-ike-IPSec)# exit
 
router(config)# feature tunnel
router(config)# feature crypto ipsec virtual-tunnel
 
router(config)# crypto ipsec transform-set AES128SHA1 esp-aes 128 esp-sha1-hmac
router(config)# crypto ipsec profile MyProfile
router(config-ipsec-profile)# set transform-set AES128SHA1
router(config-ipsec-profile)# exit
 
router(config)# interface Tunnel 0
router(config-if)# ip address 192.168.40.10/24
router(config-if)# tunnel mode ipsec ipv4
router(config-if)# tunnel source ethernet 2/1
router(config-if)# tunnel destination 192.168.150.20
router(config-if)# tunnel protection ipsec profile MyProfile
router(config-if)# no shutdown
router(config-if)# exit
router(config)#
 

Head-End Router Configuration (Cisco ASR 1000 Series with Cisco IOS)

crypto ikev2 proposal MyIke2Proposal
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy MyIKEPolicy
proposal MyIke2Proposal
 
crypto ikev2 keyring MyIke2KeyRing
peer cgr2-Milan3
address 192.168.191.30
pre-shared-key $ecreT1254
 
crypto ikev2 profile MyIke2Profile
match fvrf any
match identity remote fqdn HER_2
identity local fqdn IOL100
authentication local pre-share
authentication remote pre-share
keyring MyIke2KeyRing
 
crypto ipsec transform-set AES128SHA1 esp-aes esp-sha-hmac
 
crypto ipsec profile IPSecProfile
set security-association lifetime kilobytes 4294967295
set security-association lifetime seconds 86400
set transform-set AES128SHA1
set ike-profile MyIke2Profile
responder-only
 
interface Tunnel0
ip address 192.168.40.20 255.255.255.0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 192.168.191.30
tunnel protection ipsec profile IPSecProfile
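The chapter states three things the two sides of a tunnel must agree on: a transform-set name that is defined before a profile references it (Step 15), an IPSec profile name that is defined before the tunnel interface binds it (Step 28), and, with PSK authentication, an identical shared secret on both peers. The following script is an added example, not Cisco code and not part of either router's software; it reads a CG-OS transcript and an IOS head-end configuration cut down from Example 2 (with the head-end key deliberately changed) and reports such mismatches. The IOS defaults it assumes (esp-aes is 128-bit, esp-sha-hmac is HMAC-SHA1) are an assumption of the example.

```python
"""Cross-check the two sides of a CG-OS / IOS IPSec tunnel configuration.

Added example, not part of the Cisco documentation or of either router's
software. It reports what this chapter says must agree: transform-set,
IPSec profile and IKEv2 profile names that are referenced but never
defined, transform sets whose algorithms differ between the peers, and
a pre-shared key that is not identical on both peers.
"""
import re

# Matches a CG-OS prompt such as "router(config-if)# "; IOS lines have none.
PROMPT = re.compile(r"^\S+(\([^)]*\))?#\s*")

# Constructed CG-OS transcript, cut down from Example 2.
CGOS_SAMPLE = """\
router(config-ike-IPSec)# key $ecreT1254 address 192.168.150.20
router(config)# crypto ipsec transform-set AES128SHA1 esp-aes 128 esp-sha1-hmac
router(config)# crypto ipsec profile MyProfile
router(config-ipsec-profile)# set transform-set AES128SHA1
router(config-if)# tunnel protection ipsec profile MyProfile
"""

# Constructed IOS head-end configuration, cut down from Example 2 and
# with the pre-shared key deliberately different from the CG-OS side.
IOS_SAMPLE = """\
crypto ikev2 keyring MyIke2KeyRing
 peer cgr2-Milan3
  address 192.168.191.30
  pre-shared-key Cisco123
crypto ikev2 profile MyIke2Profile
 keyring MyIke2KeyRing
crypto ipsec transform-set AES128SHA1 esp-aes esp-sha-hmac
crypto ipsec profile IPSecProfile
 set transform-set AES128SHA1
 set ike-profile MyIke2Profile
interface Tunnel0
 tunnel protection ipsec profile IPSecProfile
"""


def normalize_transform(tokens):
    """Map CG-OS and IOS transform keywords onto one (encryption, auth) pair."""
    encr = auth = None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("esp-aes", "esp-gcm"):
            # CG-OS gives the key size explicitly; IOS esp-aes defaults to 128
            # (assumed IOS default for this example).
            encr = "%s-%s" % (tok, nxt if nxt.isdigit() else "128")
        elif tok in ("esp-sha-hmac", "esp-sha1-hmac"):
            auth = "sha1"
        elif tok == "esp-sha256-hmac":
            auth = "sha256"
    return (encr, auth)


def parse_config(text):
    """Collect definitions, references and keys from either CLI dialect."""
    d = {"tsets": {}, "tset_refs": set(), "profiles": set(),
         "profile_refs": set(), "ike_profiles": set(),
         "ike_profile_refs": set(), "psks": set()}
    for raw in text.splitlines():
        t = PROMPT.sub("", raw).split()
        if not t:
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = normalize_transform(t[4:])
        elif t[:2] == ["set", "transform-set"]:
            d["tset_refs"].add(t[2])
        elif t[:3] == ["crypto", "ipsec", "profile"]:
            d["profiles"].add(t[3])
        elif t[:4] == ["tunnel", "protection", "ipsec", "profile"]:
            d["profile_refs"].add(t[4])
        elif t[:3] == ["crypto", "ikev2", "profile"]:
            d["ike_profiles"].add(t[3])
        elif t[:2] == ["set", "ike-profile"]:
            d["ike_profile_refs"].add(t[2])
        elif t[0] == "key":             # CG-OS: key SECRET {hostname|address} X
            d["psks"].add(t[1])
        elif t[0] == "pre-shared-key":  # IOS keyring: pre-shared-key SECRET
            d["psks"].add(t[-1])
    return d


def check_pair(cgos_text, ios_text):
    """Return the sorted list of findings; an empty list means the pair agrees."""
    sides = {"cg-os": parse_config(cgos_text), "ios": parse_config(ios_text)}
    findings = []
    for name, d in sides.items():
        for ref in sorted(d["tset_refs"] - set(d["tsets"])):
            findings.append("%s: transform-set %s referenced but not defined" % (name, ref))
        for ref in sorted(d["profile_refs"] - d["profiles"]):
            findings.append("%s: ipsec profile %s referenced but not defined" % (name, ref))
        for ref in sorted(d["ike_profile_refs"] - d["ike_profiles"]):
            findings.append("%s: ikev2 profile %s referenced but not defined" % (name, ref))
    a, b = sides["cg-os"], sides["ios"]
    # The peers need at least one transform set with the same algorithms.
    if not set(a["tsets"].values()) & set(b["tsets"].values()):
        findings.append("peers share no compatible IPSec transform set")
    # With PSK authentication the secret must be identical on both peers.
    if a["psks"] and b["psks"] and not a["psks"] & b["psks"]:
        findings.append("pre-shared key differs between peers")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_pair(CGOS_SAMPLE, IOS_SAMPLE) or ["no mismatches found"]:
        print(finding)
```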

Verifying the Configuration

To display IKEv2 and IPSec configurations, enter any or all of the following commands.

 

Command
Purpose

show crypto ike domain ipsec

Displays the current IKEv2 configuration.

show crypto ike domain ipsec policy

Displays all configured IKEv2 policies.

show crypto ipsec profile [profile-name]

Displays all configured IPSec profiles or a specific IPSec profile.

show crypto ipsec security-association

Displays all configured IPSec security associations.

show crypto ipsec transform-set

Displays all configured IPSec transform-sets.

Clear Commands

To clear the IKE security associations, enter the following command.

 

Command
Purpose

clear crypto ike domain ipsec sa

Clears all IKEv2 security associations.


Caution Entering this command brings down all IPSec tunnels.

Monitoring Statistics

To display IKEv2 and IPSec statistics, refer to the commands summarized in Verifying the Configuration.

Debug Commands

To troubleshoot IKEv2 and IPSec configurations, you can use the following commands.

Command
Purpose

debug ike event

Enables debugging for IKE event generation.

debug ike protocol

Enables debugging for IKE protocol.

debug ike message

Enables debugging for IKE messages.

debug ipsec_tun trace

Enables debugging for IPSec tunnel traces.

debug ipsec_tun packet

Enables debugging for IPSec tunnel packets.

The following is example output for IKEv2 debug commands:

cgr1000(config-if)# debug ike event
cgr1000(config-if)# debug ike protocol
cgr1000(config-if)# debug ike message
cgr1000(config-if)# no shut
2014 Jun 27 17:00:44.328029 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.328264 ike: mts_handle_pfkey: initiating a IKEV2 tunnel
2014 Jun 27 17:00:44.328316 ike: ike_pfkey_handler: get pfkey ACQUIRE message
2014 Jun 27 17:00:44.328364 ike: ike_pk_recvacquire: Creating new IKE_SA as a result of an acquire message for seqnum 26.
2014 Jun 27 17:00:44.328405 ike: create_ike_sa: for seq_num 26 tunnel_id 2
2014 Jun 27 17:00:44.328467 ike: create_ike_sa: ike_sa successfully created for seq_num 26 for doi 0
2014 Jun 27 17:00:44.328517 ike: ike_state_init: State initialized to IKE_STATE_INIT.
2014 Jun 27 17:00:44.328662 ike: ike_state_change: State changed from IKE_STATE_INIT to IKE_STATE_DOI_SA_REQ_RCVD.
2014 Jun 27 17:00:44.328763 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.328801 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_DOI_SA_REQ_RCVD seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.328885 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.328924 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_NONE local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 0000000000000000 r_spi: 0000000000000000 }
2014 Jun 27 17:00:44.328962 ike: { my_curr_req_msg_id: 0 my_next_req_msg_id: 0 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 0 num_tries: 0 }
2014 Jun 27 17:00:44.329012 ike: ike_state_change: State changed from IKE_STATE_DOI_SA_REQ_RCVD to IKE_STATE_INIT_REQ_PREP_WAIT.
2014 Jun 27 17:00:44.329101 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.329137 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_INIT_REQ_PREP_WAIT seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.329174 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.329206 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_NONE local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 0000000000000000 r_spi: 0000000000000000 }
2014 Jun 27 17:00:44.329245 ike: { my_curr_req_msg_id: 0 my_next_req_msg_id: 0 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 0 num_tries: 0 }
2014 Jun 27 17:00:44.329297 ike: ike_set_dh_keys:
2014 Jun 27 17:00:44.391644 ike: ike_state_change: State changed from IKE_STATE_INIT_REQ_PREP_WAIT to IKE_STATE_INIT_RSP_WAIT.
2014 Jun 27 17:00:44.391783 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.391821 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_INIT_RSP_WAIT seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.391858 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.391892 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_NONE local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 0000000000000000 r_spi: 0000000000000000 }
2014 Jun 27 17:00:44.391932 ike: { my_curr_req_msg_id: 0 my_next_req_msg_id: 0 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 0 num_tries: 0 }
2014 Jun 27 17:00:44.392038 ike: ike_msg_add_sa: Invoked
2014 Jun 27 17:00:44.392080 ike: ike_msg_add_prop: proto IKE, prop_no 1
2014 Jun 27 17:00:44.392119 ike: ike_msg_prop_add_encr: add AES-CBC
2014 Jun 27 17:00:44.392154 ike: ike_msg_prop_add_encr: add key len 16 (bytes) for AES-CBC
2014 Jun 27 17:00:44.392189 ike: ike_msg_prop_add_prf: add HMAC-SHA1
2014 Jun 27 17:00:44.392223 ike: ike_msg_prop_add_auth: add HMAC-SHA1-96
2014 Jun 27 17:00:44.392258 ike: ike_msg_prop_add_dhg: add dhg MODP-1024
2014 Jun 27 17:00:44.392291 ike: ike_msg_add_prop: num_trans 4
2014 Jun 27 17:00:44.392326 ike: ike_msg_add_ke:
2014 Jun 27 17:00:44.392405 ike: ike_msg_add_nonce:
2014 Jun 27 17:00:44.392450 ike: --------------- IKE packet info (START) -------------
2014 Jun 27 17:00:44.392504 ike: i_spi: 4ca3c52580808d70 , r_spi: 0000000000000000 np: SA, version: 32, etype: IKE_SA_INIT r_bit: 0, v_bit: 0, i_bit: 1 msg_id: 0, len:232
2014 Jun 27 17:00:44.392548 ike: PAYLOAD: SA np: KE, critical: 1, len: 48
2014 Jun 27 17:00:44.392587 ike: np: NONE, len: 44, prop_no: 1, proto_id: 1, spi_size: 0, num_trans: 4
2014 Jun 27 17:00:44.392627 ike: np: TRANS, len: 12, type: Encryption Algorithm, id: AES-CBC
2014 Jun 27 17:00:44.392664 ike: np: TRANS, len: 8, type: Pseudo-random Function, id: HMAC-SHA1
2014 Jun 27 17:00:44.392700 ike: np: TRANS, len: 8, type: Integrity Algorithm, id: HMAC-SHA1-96
2014 Jun 27 17:00:44.392736 ike: np: NONE, len: 8, type: Diffie-Hellman Group, id: MODP-1024
2014 Jun 27 17:00:44.392773 ike: PAYLOAD: KE np: NONCE, critical: 1, len: 136
2014 Jun 27 17:00:44.392927 ike: dhg_id: 2 with key as follow: 51d9166bd30faa2a 815cd8bf8cdaa022 22f5dabd122a4c64 cd123cdf684abb04 2618808b5338d7a4 cdd137e407f6d6de a457d9934a6e33c5 3cd746ea94b5df58 17dd182ff069ecd3 a6d4319cc98ae87a 6c9034a50b36ff38 3e952d04df67c9ae b8cb8e89a21c2f1a e1a0fb087f142149
2014 Jun 27 17:00:44.392966 ike: PAYLOAD: NONCE np: NONE, critical: 1, len: 20
2014 Jun 27 17:00:44.393018 ike: nonce: 917480a28b191e7a 8fbb2a1e892d56ac
2014 Jun 27 17:00:44.393051 ike: --------------- IKE packet info (END) --------------
2014 Jun 27 17:00:44.394786 ike: Send message (232 requested) of 260 bytes from 172.27.126.42:500 to 172.27.126.172:500
2014 Jun 27 17:00:44.394929 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.394974 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_INIT_RSP_WAIT seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.395013 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.395047 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_NONE local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 4ca3c52580808d70 r_spi: 0000000000000000 }
2014 Jun 27 17:00:44.395087 ike: { my_curr_req_msg_id: 0 my_next_req_msg_id: 0 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 0 num_tries: 1 }
2014 Jun 27 17:00:44.395129 ike: fsm_action_send_init_req: waiting for IKE_SA_INIT response.
2014 Jun 27 17:00:44.395256 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.395356 ike: mts_handle_pfkey: initiating a IKEV2 tunnel
2014 Jun 27 17:00:44.395401 ike: ike_pfkey_handler: get pfkey ACQUIRE message
2014 Jun 27 17:00:44.400966 ike: Recv message of 341 bytes from 172.27.126.172:500 to 172.27.126.42:500
2014 Jun 27 17:00:44.401085 ike: ike_parse_msg_pl: passed IKE sa
2014 Jun 27 17:00:44.401142 ike: ike_parse_msg_pl: recv message:
2014 Jun 27 17:00:44.401244 ike: 0- 31: 4ca3c52580808d70 4f58e388623f1727 2120222000000000 0000013922000030
2014 Jun 27 17:00:44.401351 ike: 32- 63: 0000002c01010004 0300000c0100000c 800e008003000008 0200000203000008
2014 Jun 27 17:00:44.401453 ike: 64- 95: 0300000200000008 0400000228000088 0002000086c83994 fc962bdb265c9ca6
2014 Jun 27 17:00:44.401552 ike: 96- 127: ecc1b1a21d60ab65 6f4da753b017a6ba 9355d12fa8c6e440 a55f715059c5d6ae
2014 Jun 27 17:00:44.401653 ike: 128- 159: af7859b73dd0dc98 b922913de4469903 2579c86677fcd03d e1ee0740c3a65cef
2014 Jun 27 17:00:44.401753 ike: 160- 191: c87d6ee5545cacd2 17622f1ed2d1d115 00ec9ae998be090e 38a188028b884ae7
2014 Jun 27 17:00:44.401848 ike: 192- 223: 6351409fb0ddb793 2147eb993c1000c0 9e6780262b000018 9a4bec5923892dbb
2014 Jun 27 17:00:44.401943 ike: 224- 255: ead5fc095441e467 c3aca6262b000017 434953434f2d4445 4c4554452d524541
2014 Jun 27 17:00:44.402039 ike: 256- 287: 534f4e2600001546 4c455856504e2d53 5550504f52544544 290000190c70ce9b
2014 Jun 27 17:00:44.402123 ike: - 313: c23f4b229445a86e b299f2d02bdadd18 ca00000008010040 08
2014 Jun 27 17:00:44.402175 ike: ike_parse_msg_pl: un-encrypted payload
2014 Jun 27 17:00:44.402229 ike: --------------- IKE packet info (START) -------------
2014 Jun 27 17:00:44.402305 ike: i_spi: 4ca3c52580808d70 , r_spi: 4f58e388623f1727 np: SA, version: 32, etype: IKE_SA_INIT r_bit: 1, v_bit: 0, i_bit: 0 msg_id: 0, len:313
2014 Jun 27 17:00:44.402370 ike: PAYLOAD: SA np: KE, critical: 0, len: 48
2014 Jun 27 17:00:44.402432 ike: np: NONE, len: 44, prop_no: 1, proto_id: 1, spi_size: 0, num_trans: 4
2014 Jun 27 17:00:44.402491 ike: np: TRANS, len: 12, type: Encryption Algorithm, id: AES-CBC
2014 Jun 27 17:00:44.402545 ike: np: TRANS, len: 8, type: Pseudo-random Function, id: HMAC-SHA1
2014 Jun 27 17:00:44.402596 ike: np: TRANS, len: 8, type: Integrity Algorithm, id: HMAC-SHA1-96
2014 Jun 27 17:00:44.403814 ike: np: NONE, len: 8, type: Diffie-Hellman Group, id: MODP-1024
2014 Jun 27 17:00:44.403902 ike: PAYLOAD: KE np: NONCE, critical: 0, len: 136
2014 Jun 27 17:00:44.404139 ike: dhg_id: 2 with key as follow: 86c83994fc962bdb 265c9ca6ecc1b1a2 1d60ab656f4da753 b017a6ba9355d12f a8c6e440a55f7150 59c5d6aeaf7859b7 3dd0dc98b922913d e44699032579c866 77fcd03de1ee0740 c3a65cefc87d6ee5 545cacd217622f1e d2d1d11500ec9ae9 98be090e38a18802 8b884ae76351409f
2014 Jun 27 17:00:44.404202 ike: PAYLOAD: NONCE np: VENDOR-ID, critical: 0, len: 24
2014 Jun 27 17:00:44.404290 ike: nonce: 9a4bec5923892dbb ead5fc095441e467 c3aca626
2014 Jun 27 17:00:44.404344 ike: PAYLOAD: VENDOR-ID np: VENDOR-ID, critical: 0, len: 23
2014 Jun 27 17:00:44.404397 ike: skip np: VENDOR-ID
2014 Jun 27 17:00:44.404439 ike: PAYLOAD: VENDOR-ID np: CERTREQ, critical: 0, len: 21
2014 Jun 27 17:00:44.404475 ike: skip np: VENDOR-ID
2014 Jun 27 17:00:44.404509 ike: PAYLOAD: CERTREQ np: NOTIF, critical: 0, len: 25
2014 Jun 27 17:00:44.404544 ike: skip np: CERTREQ
2014 Jun 27 17:00:44.404576 ike: PAYLOAD: NOTIF np: NONE, critical: 0, len: 8
2014 Jun 27 17:00:44.404613 ike: proto_id=IKE, spi_size=0, spi=, type=HTTP-CERT-LOOKUP-SUPPORTED
2014 Jun 27 17:00:44.404649 ike: --------------- IKE packet info (END) --------------
2014 Jun 27 17:00:44.404684 ike: ike_process_pl: SA
2014 Jun 27 17:00:44.404722 ike: ike_parse_pl_sa: new prop, 1
2014 Jun 27 17:00:44.404771 ike: ike_parse_pl_trans: AES-CBC
2014 Jun 27 17:00:44.404808 ike: ike_parse_pl_trans: key len 16 bytes
2014 Jun 27 17:00:44.404849 ike: ike_parse_pl_trans: HMAC-SHA1
2014 Jun 27 17:00:44.404889 ike: ike_parse_pl_trans: HMAC-SHA1-96
2014 Jun 27 17:00:44.404928 ike: ike_parse_pl_trans: MODP-1024
2014 Jun 27 17:00:44.404968 ike: ike_process_pl: KE
2014 Jun 27 17:00:44.405013 ike: ike_process_pl: NONCE
2014 Jun 27 17:00:44.405055 ike: ike_process_pl: VENDOR-ID
2014 Jun 27 17:00:44.405092 ike: ike_process_pl: VENDOR-ID
2014 Jun 27 17:00:44.405125 ike: ike_process_pl: CERTREQ
2014 Jun 27 17:00:44.405163 ike: ike_process_pl: NOTIF
2014 Jun 27 17:00:44.405199 ike: ike_compose_notif_info: proto_id 1, spi_size 0, notif_type 16392, data_len 0
2014 Jun 27 17:00:44.405243 ike: ike_process_notif_list: for IKE sa
2014 Jun 27 17:00:44.405279 ike: ike_process_notif: process notif -- HTTP-CERT-LOOKUP-SUPPORTED
2014 Jun 27 17:00:44.405318 ike: process_ike_sa_init_rsp: IKE_SA_INIT response okay, start preparing AUTH_REQ
2014 Jun 27 17:00:44.405353 ike: ike_save_sainfo: ignore update request since ike_sa status is IKE_SA_STATUS_NONE
2014 Jun 27 17:00:44.405412 ike: ike_state_change: State changed from IKE_STATE_INIT_RSP_WAIT to IKE_STATE_AUTH_REQ_PREP_WAIT.
2014 Jun 27 17:00:44.405510 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.405546 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_AUTH_REQ_PREP_WAIT seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.405581 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.405614 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_NONE local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 4ca3c52580808d70 r_spi: 4f58e388623f1727 }
2014 Jun 27 17:00:44.405651 ike: { my_curr_req_msg_id: 0 my_next_req_msg_id: 1 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 0 num_tries: 1 }
2014 Jun 27 17:00:44.405698 ike: ike_generate_ike_keys:
2014 Jun 27 17:00:44.405757 ike: ike_set_dh_shared_keys:
2014 Jun 27 17:00:44.483289 ike: ike_generate_keymat: spi_i: 4ca3c52580808d70
2014 Jun 27 17:00:44.483366 ike: ike_generate_keymat: spi_r: 4f58e388623f1727
2014 Jun 27 17:00:44.484067 ike: fqdn_2_id_info: domainname:
2014 Jun 27 17:00:44.484222 ike: fqdn_2_id_info: hostname: cgr1000
2014 Jun 27 17:00:44.484271 ike: ike_auth_message: RSA signatures
2014 Jun 27 17:00:44.615705 ike: Waiting for GETSPD response from DOI(0) for seq_num 26
2014 Jun 27 17:00:44.615794 ike: ike_handle_msg: message ref saved, cannot be freed
2014 Jun 27 17:00:44.616276 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.616593 ike: get pfkey X_SPDGET2 message
2014 Jun 27 17:00:44.616799 ike: Couldn't find ph2 handle matching spdget2.
2014 Jun 27 17:00:44.616854 ike: ike_pfkey_handler: get pfkey SADB_X_SPDGET2 message
2014 Jun 27 17:00:44.616915 ike: construct_prop_list: Adding proposal: proto(3) encr_id(12) encr_key_len(16 Bytes) auth_id(2) auth_key_len(20 Bytes)
2014 Jun 27 17:00:44.616959 ike: call pfkey_send_getspi for proto_id 3 for doi 0
2014 Jun 27 17:00:44.617138 ike: GETSPI sent: IPSEC-ESP 172.27.126.42->172.27.126.172
2014 Jun 27 17:00:44.617178 ike: ike_post_getspd_ex: waiting for getspi response
2014 Jun 27 17:00:44.617294 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.617515 ike: get pfkey X_SPDGET2 message
2014 Jun 27 17:00:44.617730 ike: ike_pfkey_handler: get pfkey SADB_X_SPDGET2 message
2014 Jun 27 17:00:44.618322 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.618567 ike: get pfkey GETSPI message
2014 Jun 27 17:00:44.618767 ike: seq 26 of GETSPI message not interesting.
2014 Jun 27 17:00:44.618817 ike: ike_pfkey_handler: get pfkey GETSPI message
2014 Jun 27 17:00:44.618910 ike: pfkey GETSPI succeeded: IPSEC-ESP 172.27.126.42->172.27.126.172 spi=3187237707(0xbdf9634b)
2014 Jun 27 17:00:44.618973 ike: ike_state_change: State changed from IKE_STATE_AUTH_REQ_PREP_WAIT to IKE_STATE_AUTH_RSP_WAIT.
2014 Jun 27 17:00:44.619106 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.619155 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_AUTH_RSP_WAIT seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.619207 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.619255 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_UNAUTH local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 4ca3c52580808d70 r_spi: 4f58e388623f1727 }
2014 Jun 27 17:00:44.619315 ike: { my_curr_req_msg_id: 0 my_next_req_msg_id: 1 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 0 num_tries: 1 }
2014 Jun 27 17:00:44.619387 ike: ike_msg_add_idi:
2014 Jun 27 17:00:44.619440 ike: ike_msg_add_cert:
2014 Jun 27 17:00:44.619489 ike: ike_enlarge_buf_if_needed: increase the buffer size
2014 Jun 27 17:00:44.619553 ike: ike_msg_add_certreq:
2014 Jun 27 17:00:44.619601 ike: ike_msg_add_auth:
2014 Jun 27 17:00:44.619652 ike: ike_msg_add_sa: Invoked
2014 Jun 27 17:00:44.619702 ike: ike_enlarge_buf_if_needed: increase the buffer size
2014 Jun 27 17:00:44.619757 ike: ike_msg_add_prop: proto IPSEC-ESP, prop_no 1
2014 Jun 27 17:00:44.619809 ike: ike_msg_prop_add_encr: add AES-CBC
2014 Jun 27 17:00:44.619859 ike: ike_msg_prop_add_encr: add key len 16 (bytes) for AES-CBC
2014 Jun 27 17:00:44.619909 ike: ike_msg_prop_add_auth: add HMAC-SHA1-96
2014 Jun 27 17:00:44.619963 ike: ike_msg_prop_add_esn: add esn 0
2014 Jun 27 17:00:44.620010 ike: ike_msg_add_prop: num_trans 3
2014 Jun 27 17:00:44.620071 ike: ike_msg_add_ts: TSi (0.0.0.0:0 -- 255.255.255.255:65535)
2014 Jun 27 17:00:44.620134 ike: ike_msg_add_ts: TSr (0.0.0.0:0 -- 255.255.255.255:65535)
2014 Jun 27 17:00:44.620188 ike: ike_msg_add_IC_notif:
2014 Jun 27 17:00:44.620238 ike: ike_msg_add_notif: proto_id 1, spi_size 0, notif_type INITIAL-CONTACT, data_len 0
2014 Jun 27 17:00:44.620296 ike: ike_msg_encrypt:
2014 Jun 27 17:00:44.620345 ike: NOT PRINTED: size (1309), maximum (1000)
2014 Jun 27 17:00:44.620396 ike: --------------- IKE packet info (START) -------------
2014 Jun 27 17:00:44.620471 ike: i_spi: 4ca3c52580808d70 , r_spi: 4f58e388623f1727 np: IDi, version: 32, etype: IKE_AUTH r_bit: 0, v_bit: 0, i_bit: 1 msg_id: 1, len:1309
2014 Jun 27 17:00:44.620531 ike: PAYLOAD: IDi np: CERT, critical: 1, len: 19
2014 Jun 27 17:00:44.620582 ike: type: FQDN
2014 Jun 27 17:00:44.620653 ike: PAYLOAD: CERT np: CERTREQ, critical: 1, len: 873
2014 Jun 27 17:00:44.620699 ike: skip np: CERT
2014 Jun 27 17:00:44.620733 ike: PAYLOAD: CERTREQ np: AUTH, critical: 1, len: 25
2014 Jun 27 17:00:44.620769 ike: skip np: CERTREQ
2014 Jun 27 17:00:44.620803 ike: PAYLOAD: AUTH np: SA, critical: 1, len: 264
2014 Jun 27 17:00:44.620838 ike: type: RSA signatures
2014 Jun 27 17:00:44.620871 ike: PAYLOAD: SA np: TSi, critical: 1, len: 44
2014 Jun 27 17:00:44.620909 ike: np: NONE, len: 40, prop_no: 1, proto_id: 3, spi_size: 4, num_trans: 3
2014 Jun 27 17:00:44.620949 ike: np: TRANS, len: 12, type: Encryption Algorithm, id: AES-CBC
2014 Jun 27 17:00:44.620986 ike: np: TRANS, len: 8, type: Integrity Algorithm, id: HMAC-SHA1-96
2014 Jun 27 17:00:44.621025 ike: np: NONE, len: 8, type: Extended Sequence Numbers, id: 0
2014 Jun 27 17:00:44.621062 ike: PAYLOAD: TSi np: TSr, critical: 1, len: 24
2014 Jun 27 17:00:44.621097 ike: num_ts: 1
2014 Jun 27 17:00:44.621138 ike: TS[1]: type=IPv4_addr_range, proto_id=0, len=16 start_port=0, end_port=65535, start_ip=0.0.0.0 end_ip=255.255.255.255
2014 Jun 27 17:00:44.621178 ike: PAYLOAD: TSr np: NOTIF, critical: 1, len: 24
2014 Jun 27 17:00:44.621214 ike: num_ts: 1
2014 Jun 27 17:00:44.621253 ike: TS[1]: type=IPv4_addr_range, proto_id=0, len=16 start_port=0, end_port=65535, start_ip=0.0.0.0 end_ip=255.255.255.255
2014 Jun 27 17:00:44.621293 ike: PAYLOAD: NOTIF np: NONE, critical: 1, len: 8
2014 Jun 27 17:00:44.621331 ike: proto_id=IKE, spi_size=0, spi=, type=INITIAL-CONTACT
2014 Jun 27 17:00:44.621367 ike: --------------- IKE packet info (END) --------------
2014 Jun 27 17:00:44.621401 ike: ike_msg_encrypt: AES-CBC with key_len of 16 bytes
2014 Jun 27 17:00:44.621524 ike: ike_msg_encrypt: padding length 14, total 1296 bytes to be encrypted
2014 Jun 27 17:00:44.621701 ike: NOT PRINTED: size (1296), maximum (1000)
2014 Jun 27 17:00:44.621739 ike: ike_msg_encrypt: encryption output:
2014 Jun 27 17:00:44.621773 ike: NOT PRINTED: size (1296), maximum (1000)
2014 Jun 27 17:00:44.621807 ike: ike_msg_encrypt: encr_pl_len 1328, iv_len 16, encry_out_len 1296, md_len 12
2014 Jun 27 17:00:44.621843 ike: ike_msg_encrypt: encr_msg->data_len 1356, encr_pl_len 1328
2014 Jun 27 17:00:44.621878 ike: ike_msg_encrypt: data (ike message) for checksum:
2014 Jun 27 17:00:44.621911 ike: NOT PRINTED: size (1344), maximum (1000)
2014 Jun 27 17:00:44.621945 ike: ike_integ_checksum:
2014 Jun 27 17:00:44.622098 ike: ike_msg_encrypt, checksum: e58a36a1d3a85aeb 2515cd4c
2014 Jun 27 17:00:44.622136 ike: ike_msg_encrypt: encrypted ike message follows
2014 Jun 27 17:00:44.622180 ike: NOT PRINTED: size (1356), maximum (1000)
2014 Jun 27 17:00:44.622247 ike: --------------- IKE packet info (START) -------------
2014 Jun 27 17:00:44.623472 ike: i_spi: 4ca3c52580808d70 , r_spi: 4f58e388623f1727 np: ENCR, version: 32, etype: IKE_AUTH r_bit: 0, v_bit: 0, i_bit: 1 msg_id: 1, len:1356
2014 Jun 27 17:00:44.623517 ike: PAYLOAD: ENCR np: IDi, critical: 1, len: 1328
2014 Jun 27 17:00:44.623554 ike: skip np: ENCR
2014 Jun 27 17:00:44.623586 ike: --------------- IKE packet info (END) --------------
2014 Jun 27 17:00:44.624855 ike: Send message (1356 requested) of 1384 bytes from 172.27.126.42:500 to 172.27.126.172:500
2014 Jun 27 17:00:44.624916 ike: fsm_action_send_auth_req: waiting for IKE_SA_AUTH response.
2014 Jun 27 17:00:44.625052 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.625331 ike: get pfkey GETSPI message
2014 Jun 27 17:00:44.625548 ike: ike_pfkey_handler: get pfkey GETSPI message
2014 Jun 27 17:00:44.639278 ike: Recv message of 1336 bytes from 172.27.126.172:500 to 172.27.126.42:500
2014 Jun 27 17:00:44.639368 ike: ike_parse_msg_pl: parsing for child sa (inc IKE-AUTH)
2014 Jun 27 17:00:44.639410 ike: ike_parse_msg_pl: recv message:
2014 Jun 27 17:00:44.639446 ike: NOT PRINTED: size (1308), maximum (1000)
2014 Jun 27 17:00:44.639479 ike: ike_parse_msg_pl: encrypted payload
2014 Jun 27 17:00:44.639513 ike: ike_msg_decrypt: AES-CBC with key_len of 16 bytes
2014 Jun 27 17:00:44.639565 ike: ike_msg_decrypt: data (ike message) for checksum follows
cgr1000(config-if)# 2014 Jun 27 17:00:44.639604 ike: NOT PRINTED: size (1296) too big to print
2014 Jun 27 17:00:44.639637 ike: ike_integ_checksum:
2014 Jun 27 17:00:44.639826 ike: ike_msg_decrypt: checksum: dbfe24c9ae86af32 1707490c
2014 Jun 27 17:00:44.640003 ike: ike_msg_decrypt: decrypted payload:
2014 Jun 27 17:00:44.640041 ike: NOT PRINTED: size (1248), maximum (1000)
2014 Jun 27 17:00:44.640076 ike: ike_msg_decrypt: decrypted data (1248 bytes) with pad_len 5
2014 Jun 27 17:00:44.640111 ike: ike_msg_decrypt: orig_pl_len 1242 vs cal_len 1242, decrypt_out_len 1248, pad_len 5
2014 Jun 27 17:00:44.640151 ike: ike_parse_msg_pl: decrypted message:
2014 Jun 27 17:00:44.640184 ike: NOT PRINTED: size (1270), maximum (1000)
2014 Jun 27 17:00:44.640219 ike: --------------- IKE packet info (START) -------------
2014 Jun 27 17:00:44.640271 ike: i_spi: 4ca3c52580808d70 , r_spi: 4f58e388623f1727 np: VENDOR-ID, version: 32, etype: IKE_AUTH r_bit: 1, v_bit: 0, i_bit: 0 msg_id: 1, len:1270
2014 Jun 27 17:00:44.640314 ike: PAYLOAD: VENDOR-ID np: IDr, critical: 0, len: 20
2014 Jun 27 17:00:44.640349 ike: skip np: VENDOR-ID
2014 Jun 27 17:00:44.640383 ike: PAYLOAD: IDr np: CERT, critical: 0, len: 12
2014 Jun 27 17:00:44.640428 ike: type: IPv4-address, id: 172.27.126.172
2014 Jun 27 17:00:44.640464 ike: PAYLOAD: CERT np: AUTH, critical: 0, len: 826
2014 Jun 27 17:00:44.640500 ike: skip np: CERT
2014 Jun 27 17:00:44.640534 ike: PAYLOAD: AUTH np: SA, critical: 0, len: 264
2014 Jun 27 17:00:44.640571 ike: type: RSA signatures
2014 Jun 27 17:00:44.640605 ike: PAYLOAD: SA np: TSi, critical: 0, len: 44
2014 Jun 27 17:00:44.640643 ike: np: NONE, len: 40, prop_no: 1, proto_id: 3, spi_size: 4, num_trans: 3
2014 Jun 27 17:00:44.640684 ike: np: TRANS, len: 12, type: Encryption Algorithm, id: AES-CBC
2014 Jun 27 17:00:44.640721 ike: np: TRANS, len: 8, type: Integrity Algorithm, id: HMAC-SHA1-96
2014 Jun 27 17:00:44.640758 ike: np: NONE, len: 8, type: Extended Sequence Numbers, id: 0
2014 Jun 27 17:00:44.640795 ike: PAYLOAD: TSi np: TSr, critical: 0, len: 24
2014 Jun 27 17:00:44.640831 ike: num_ts: 1
2014 Jun 27 17:00:44.640872 ike: TS[1]: type=IPv4_addr_range, proto_id=0, len=16 start_port=0, end_port=65535, start_ip=0.0.0.0 end_ip=255.255.255.255
2014 Jun 27 17:00:44.640913 ike: PAYLOAD: TSr np: NOTIF, critical: 0, len: 24
2014 Jun 27 17:00:44.640948 ike: num_ts: 1
2014 Jun 27 17:00:44.640988 ike: TS[1]: type=IPv4_addr_range, proto_id=0, len=16 start_port=0, end_port=65535, start_ip=0.0.0.0 end_ip=255.255.255.255
2014 Jun 27 17:00:44.641027 ike: PAYLOAD: NOTIF np: NOTIF, critical: 0, len: 12
2014 Jun 27 17:00:44.641064 ike: proto_id=IKE, spi_size=0, spi=, type=SET-WINDOW-SIZE
2014 Jun 27 17:00:44.641100 ike: PAYLOAD: NOTIF np: NOTIF, critical: 0, len: 8
2014 Jun 27 17:00:44.641136 ike: proto_id=IKE, spi_size=0, spi=, type=ESP-TFC-PADDING-NOT-SUPPORTED
2014 Jun 27 17:00:44.641172 ike: PAYLOAD: NOTIF np: NONE, critical: 0, len: 8
2014 Jun 27 17:00:44.641209 ike: proto_id=IKE, spi_size=0, spi=, type=16395
2014 Jun 27 17:00:44.641244 ike: --------------- IKE packet info (END) --------------
2014 Jun 27 17:00:44.641279 ike: ike_process_pl: VENDOR-ID
2014 Jun 27 17:00:44.641315 ike: ike_process_pl: IDr
2014 Jun 27 17:00:44.641356 ike: ike_process_pl: CERT
2014 Jun 27 17:00:44.641401 ike: ike_process_pl: AUTH
2014 Jun 27 17:00:44.641445 ike: ike_process_pl: SA
2014 Jun 27 17:00:44.641492 ike: ike_parse_pl_sa: new prop, 1
2014 Jun 27 17:00:44.641537 ike: ike_parse_pl_trans: AES-CBC
2014 Jun 27 17:00:44.641572 ike: ike_parse_pl_trans: key len 16 bytes
2014 Jun 27 17:00:44.641611 ike: ike_parse_pl_trans: HMAC-SHA1-96
2014 Jun 27 17:00:44.641651 ike: ike_parse_pl_trans: 0
2014 Jun 27 17:00:44.641691 ike: ike_process_pl: TSi
2014 Jun 27 17:00:44.641730 ike: ike_process_pl: TSr
2014 Jun 27 17:00:44.641769 ike: ike_process_pl: NOTIF
2014 Jun 27 17:00:44.641805 ike: ike_compose_notif_info: proto_id 1, spi_size 0, notif_type 16385, data_len 4
2014 Jun 27 17:00:44.641849 ike: ike_process_pl: NOTIF
2014 Jun 27 17:00:44.641884 ike: ike_compose_notif_info: proto_id 1, spi_size 0, notif_type 16394, data_len 0
2014 Jun 27 17:00:44.641923 ike: ike_process_pl: NOTIF
2014 Jun 27 17:00:44.641957 ike: ike_compose_notif_info: proto_id 1, spi_size 0, notif_type 16395, data_len 0
2014 Jun 27 17:00:44.642002 ike: ike_process_notif_list: for child sa (inc IKE-AUTH)
2014 Jun 27 17:00:44.642041 ike: ike_process_notif: process notif -- 16395
2014 Jun 27 17:00:44.642076 ike: ike_process_notif: process notif -- ESP-TFC-PADDING-NOT-SUPPORTED
2014 Jun 27 17:00:44.642117 ike: ike_process_notif: process notif -- SET-WINDOW-SIZE
2014 Jun 27 17:00:44.642154 ike: ike_save_sainfo: ignore update request since ike_sa status is IKE_SA_STATUS_UNAUTH
2014 Jun 27 17:00:44.642189 ike: ike_save_sainfo: ignore update request since ike_sa status is IKE_SA_STATUS_UNAUTH
2014 Jun 27 17:00:44.642222 ike: process_ike_auth_rsp: IKE_AUTH response okay, start processing AUTH rsp
2014 Jun 27 17:00:44.642267 ike: ike_state_change: State changed from IKE_STATE_AUTH_RSP_WAIT to IKE_STATE_AUTH_RSP_PROC_WAIT.
2014 Jun 27 17:00:44.642360 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.642396 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_AUTH_RSP_PROC_WAIT seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.642431 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.642464 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_UNAUTH local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 4ca3c52580808d70 r_spi: 4f58e388623f1727 }
2014 Jun 27 17:00:44.642503 ike: { my_curr_req_msg_id: 1 my_next_req_msg_id: 2 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 1 num_tries: 1 }
2014 Jun 27 17:00:44.646214 ike: ike_handle_msg: message ref saved, cannot be freed
2014 Jun 27 17:00:44.739192 ike: mds_cert_rcb_process_response called
2014 Jun 27 17:00:44.739268 ike: response for a cert verify request
2014 Jun 27 17:00:44.739328 ike: ikev2_process_verify_cert_result: IKEv2 CA reqid matches, processing. (1041917).
2014 Jun 27 17:00:44.739384 ike: ike_verify_auth: RSA signatures
2014 Jun 27 17:00:44.747497 ike: ike_verify_auth: verify success
2014 Jun 27 17:00:44.747608 ike: ike_generate_child_keys:
2014 Jun 27 17:00:44.747662 ike: ike_init_child_keys: auth HMAC-SHA1-96 key_len 20
2014 Jun 27 17:00:44.747722 ike: ike_init_child_keys: encr AES-CBC key_len 16
2014 Jun 27 17:00:44.747986 ike: ike_state_change: State changed from IKE_STATE_AUTH_RSP_PROC_WAIT to IKE_STATE_NEW_IKESA_UPDATE_INITIATOR_SA_WAIT.
2014 Jun 27 17:00:44.748130 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.748181 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_NEW_IKESA_UPDATE_INITIATOR_SA_WAIT seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.748232 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.748282 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_UNAUTH local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 4ca3c52580808d70 r_spi: 4f58e388623f1727 }
2014 Jun 27 17:00:44.748334 ike: { my_curr_req_msg_id: 1 my_next_req_msg_id: 2 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 1 num_tries: 1 }
2014 Jun 27 17:00:44.748401 ike: call pfkey_send_update for proto_id 3 for doi 0
2014 Jun 27 17:00:44.749716 ike: UPDATE sent: IPSEC-ESP 172.27.126.42->172.27.126.172
2014 Jun 27 17:00:44.749788 ike: ike_pk_sendupdate: waiting for update response
2014 Jun 27 17:00:44.749960 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.750266 ike: get pfkey UPDATE message
2014 Jun 27 17:00:44.750532 ike: seq 26 of UPDATE message not interesting.
2014 Jun 27 17:00:44.750600 ike: ike_pfkey_handler: get pfkey UPDATE message
2014 Jun 27 17:00:44.750697 ike: pfkey UPDATE succeeded: IPSEC-ESP 172.27.126.172->172.27.126.42 spi=3187237707(0xbdf9634b)
2014 Jun 27 17:00:44.750756 ike: call pfkey_send_add for proto_id 3 for doi 0
2014 Jun 27 17:00:44.751952 ike: ADD sent: IPSEC-ESP 172.27.126.42->172.27.126.172
2014 Jun 27 17:00:44.752029 ike: ike_pk_sendadd: waiting for add response
2014 Jun 27 17:00:44.752200 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.752513 ike: get pfkey UPDATE message
2014 Jun 27 17:00:44.752787 ike: seq 26 of UPDATE message not interesting.
2014 Jun 27 17:00:44.752855 ike: ike_pfkey_handler: get pfkey UPDATE message
2014 Jun 27 17:00:44.753058 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.753335 ike: get pfkey ADD message
2014 Jun 27 17:00:44.753598 ike: seq 26 of ADD message not interesting.
2014 Jun 27 17:00:44.753667 ike: ike_pfkey_handler: get pfkey ADD message
2014 Jun 27 17:00:44.753770 ike: pfkey ADD succeeded: IPSEC-ESP 172.27.126.172->172.27.126.42 spi=3868651307(0xe696ef2b)
2014 Jun 27 17:00:44.753842 ike: ike_timer_init: for state(IKE_STATE_ESTABLISHED), state timeout set to 81176 sec
2014 Jun 27 17:00:44.753902 ike: ike_state_change: State changed from IKE_STATE_NEW_IKESA_UPDATE_INITIATOR_SA_WAIT to IKE_STATE_ESTABLISHED.
2014 Jun 27 17:00:44.754041 ike: ** Dumping ike_info **
2014 Jun 27 17:00:44.754094 ike: { ike_fsm_type: IKE_FSM_IKE_SA_INITIATOR state: IKE_STATE_ESTABLISHED seq_num: 26 tmp_tx_id: 0 }
2014 Jun 27 17:00:44.754147 ike: ** Dumping ike_sa_info **
2014 Jun 27 17:00:44.754196 ike: { doi_val: 0 ike_tunnel_id: 2 direction: IKE_INITIATOR status: IKE_SA_STATUS_UNAUTH local_addr: 172.27.126.42[500] remote_addr: 172.27.126.172[500] i_spi: 4ca3c52580808d70 r_spi: 4f58e388623f1727 }
2014 Jun 27 17:00:44.754253 ike: { my_curr_req_msg_id: 1 my_next_req_msg_id: 2 peer_curr_req_msg_id: 0 peer_next_req_msg_id: 1 num_tries: 1 }
2014 Jun 27 17:00:44.754315 ike: ike_save_sainfo: Starting save SA INfo in PSS (Update 0)
2014 Jun 27 17:00:44.754779 ike: ike_save_sainfo: Done save SA INfo in PSS: Status 0x0
2014 Jun 27 17:00:44.759425 ike: ike_save_sainfo: Starting save SA INfo in PSS (Update 1)
2014 Jun 27 17:00:44.759837 ike: ike_save_sainfo: Done save SA INfo in PSS: Status 0x0
2014 Jun 27 17:00:44.759915 ike: start_substate_timer: started the substate_timer to 3600 sec
2014 Jun 27 17:00:44.760107 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.760452 ike: get pfkey ADD message
2014 Jun 27 17:00:44.760735 ike: seq 26 of ADD message not interesting.
2014 Jun 27 17:00:44.760805 ike: ike_pfkey_handler: get pfkey ADD message
2014 Jun 27 17:00:44.761003 ike: Processing PF_KEY message
2014 Jun 27 17:00:44.761291 ike: get pfkey X_COMMIT message
2014 Jun 27 17:00:44.761583 ike: ike_pfkey_handler: get pfkey SADB_X_COMMIT message
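
A trace like the one above is long, and the lines that matter for troubleshooting (state transitions, the authentication method, whether the peer's AUTH payload verified, and the child SA SPIs installed through PF_KEY) are scattered through it. The following Python script is an added worked example, not part of Cisco CG-OS or of this guide: it reads debug crypto ike output and reduces it to those facts, then decides whether the tunnel genuinely reached IKE_STATE_ESTABLISHED through a consistent chain of states. The sample input is a constructed excerpt of the trace shown above (including one line where the CLI prompt was printed in front of the timestamp, which is why the parser searches for the timestamp instead of anchoring at column 0). The regular expressions match the message formats visible in this trace; other CG-OS releases may word them differently.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines excerpted from the debug crypto ike trace above.
# One line carries an interleaved CLI prompt, as happens on a live console.
SAMPLE_TRACE = """\
2014 Jun 27 17:00:44.405412 ike: ike_state_change: State changed from IKE_STATE_INIT_RSP_WAIT to IKE_STATE_AUTH_REQ_PREP_WAIT.
2014 Jun 27 17:00:44.484271 ike: ike_auth_message: RSA signatures
2014 Jun 27 17:00:44.618910 ike: pfkey GETSPI succeeded: IPSEC-ESP 172.27.126.42->172.27.126.172 spi=3187237707(0xbdf9634b)
2014 Jun 27 17:00:44.618973 ike: ike_state_change: State changed from IKE_STATE_AUTH_REQ_PREP_WAIT to IKE_STATE_AUTH_RSP_WAIT.
2014 Jun 27 17:00:44.619859 ike: ike_msg_prop_add_encr: add key len 16 (bytes) for AES-CBC
2014 Jun 27 17:00:44.619909 ike: ike_msg_prop_add_auth: add HMAC-SHA1-96
cgr1000(config-if)# 2014 Jun 27 17:00:44.639604 ike: NOT PRINTED: size (1296) too big to print
2014 Jun 27 17:00:44.642267 ike: ike_state_change: State changed from IKE_STATE_AUTH_RSP_WAIT to IKE_STATE_AUTH_RSP_PROC_WAIT.
2014 Jun 27 17:00:44.747497 ike: ike_verify_auth: verify success
2014 Jun 27 17:00:44.747986 ike: ike_state_change: State changed from IKE_STATE_AUTH_RSP_PROC_WAIT to IKE_STATE_NEW_IKESA_UPDATE_INITIATOR_SA_WAIT.
2014 Jun 27 17:00:44.750697 ike: pfkey UPDATE succeeded: IPSEC-ESP 172.27.126.172->172.27.126.42 spi=3187237707(0xbdf9634b)
2014 Jun 27 17:00:44.753770 ike: pfkey ADD succeeded: IPSEC-ESP 172.27.126.172->172.27.126.42 spi=3868651307(0xe696ef2b)
2014 Jun 27 17:00:44.753902 ike: ike_state_change: State changed from IKE_STATE_NEW_IKESA_UPDATE_INITIATOR_SA_WAIT to IKE_STATE_ESTABLISHED.
"""

# "search" rather than "match": a prompt may precede the timestamp on a live console.
LINE_RE = re.compile(r"(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) ike: (.*)$")
STATE_RE = re.compile(r"State changed from (\S+) to (\S+)\.")
AUTH_RE = re.compile(r"ike_auth_message: (.+)$")
ENCR_RE = re.compile(r"ike_msg_prop_add_encr: add key len (\d+) \(bytes\) for (\S+)")
INTEG_RE = re.compile(r"ike_msg_prop_add_auth: add (\S+)")
PFKEY_RE = re.compile(
    r"pfkey (GETSPI|UPDATE|ADD) succeeded: IPSEC-ESP (\S+)->(\S+) spi=\d+\((0x[0-9a-f]+)\)")


@dataclass
class IkeSummary:
    states: List[str] = field(default_factory=list)   # state chain, first "from" then each "to"
    transitions_consistent: bool = True               # every "from" equals the previous "to"
    auth_method: Optional[str] = None                 # e.g. "RSA signatures"
    auth_verified: bool = False                       # peer's AUTH payload verified
    encr: Optional[Tuple[str, int]] = None            # (algorithm, key length in bytes)
    integ: Optional[str] = None
    child_spis: Dict[str, str] = field(default_factory=dict)  # PF_KEY op -> SPI (hex)
    first_ts: Optional[str] = None
    last_ts: Optional[str] = None


def summarize_ike_trace(text: str) -> IkeSummary:
    """Reduce a debug crypto ike trace to the facts needed to judge the handshake."""
    s = IkeSummary()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        ts, msg = m.groups()
        s.first_ts = s.first_ts or ts
        s.last_ts = ts
        if (sm := STATE_RE.search(msg)):
            frm, to = sm.groups()
            if not s.states:
                s.states.append(frm)
            elif s.states[-1] != frm:
                s.transitions_consistent = False   # a transition was missed or out of order
            s.states.append(to)
        elif (am := AUTH_RE.search(msg)):
            s.auth_method = am.group(1).strip()
        elif "ike_verify_auth: verify success" in msg:
            s.auth_verified = True
        elif (em := ENCR_RE.search(msg)):
            s.encr = (em.group(2), int(em.group(1)))
        elif (im := INTEG_RE.search(msg)):
            s.integ = im.group(1)
        elif (pm := PFKEY_RE.search(msg)):
            s.child_spis[pm.group(1)] = pm.group(4)
    return s


def tunnel_established(s: IkeSummary) -> bool:
    """True only if the SA reached ESTABLISHED via a consistent state chain, the
    peer authenticated, and both child SA directions (UPDATE and ADD) were installed."""
    return (bool(s.states) and s.states[-1] == "IKE_STATE_ESTABLISHED"
            and s.transitions_consistent and s.auth_verified
            and {"UPDATE", "ADD"}.issubset(s.child_spis))


if __name__ == "__main__":
    summary = summarize_ike_trace(SAMPLE_TRACE)
    print(" -> ".join(summary.states))
    print(f"auth: {summary.auth_method}, verified: {summary.auth_verified}")
    print(f"child SA: encr={summary.encr} integ={summary.integ} spis={summary.child_spis}")
    print("established:", tunnel_established(summary))
```

The last check is deliberately stricter than looking for the word ESTABLISHED: a trace that stops after the IKE_AUTH response, or in which ike_verify_auth never reports success, is reported as not established even though the state dump may already read IKE_SA_STATUS_UNAUTH for a long stretch, as it does above.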
 
 

This example output from the debug ipsec_tun trace command shows a successful handshake:

cgr1000# debug ipsec_tun trace
cgr1000# conf t
Enter configuration commands, one per line. End with CNTL/Z.
cgr1000(config)# int t100
cgr1000(config-if)# no shut
2014 Jun 23 23:03:59.689448 ipsec_tun: ipsec_tun_handle_profile_check(../routing-sw/routing/ipsec_tun/server/ipsec_tun_mts.c:1278): Invoked!
2014 Jun 23 23:03:59.715701 ipsec_tun: ipsec_tun_handle_acquire_sa_cmd(): SA request from Tunnel100 (iod = 12)
2014 Jun 23 23:03:59.715879 ipsec_tun: ipsec_tun_create_connection(): Profile MyIPSecProfile selected.
2014 Jun 23 23:03:59.716153 ipsec_tun: ipsec_tun_create_connection(): Connection 0x812f0cc for Tunnel100 created.
2014 Jun 23 23:03:59.716216 ipsec_tun: ipsec_tun_store_to_runtime_info_pss(): PSS_TYPE_RUNTIME_CONNECTION
2014 Jun 23 23:03:59.716317 ipsec_tun: ipsec_tun_handle_acquire_sa_cmd(): Connection data structure (0x812f0cc) created
2014 Jun 23 23:03:59.719979 ipsec_tun: ipsec_register_with_led(): Register with LED, ret_val: 0x0
2014 Jun 23 23:03:59.720063 ipsec_tun: ipsec_tun_store_to_runtime_info_pss(): PSS_TYPE_RUNTIME_CONNECTION
2014 Jun 23 23:03:59.720417 ipsec_tun: ipsec_set_status_with_led(): Updated LED status -- STARTING : 0x0
2014 Jun 23 23:03:59.720498 ipsec_tun: ipsec_tun_fsm_ac_ike_send_acquire(): Initiate IKE handshake local=172.27.126.42 peer=172.27.126.172
2014 Jun 23 23:03:59.720548 ipsec_tun: ipsec_tun_initiate_ike_handshake(): Connection 0x812f0cc
2014 Jun 23 23:03:59.720597 ipsec_tun: ipsec_tun_new_ike_txn(): IKE transaction 16 assigned
2014 Jun 23 23:03:59.720768 ipsec_tun: ipsec_tun_start_timer(): Starting handshake timer for 15 seconds
2014 Jun 23 23:03:59.972535 ipsec_tun: ikecb_getspd_ex(): Received X_GETSPD_EX seqno 0x10 for src 172.27.126.42 dst 172.27.126.172
2014 Jun 23 23:03:59.972667 ipsec_tun: ikecb_getspd_ex(): Tunnel100 selected.
2014 Jun 23 23:03:59.972708 ipsec_tun: ikecb_getspd_ex(): Profile MyIPSecProfile selected.
2014 Jun 23 23:03:59.972747 ipsec_tun: ikecb_getspd_ex(): Transform set AES128SHA1 selected.
2014 Jun 23 23:03:59.972908 ipsec_tun: ikecb_getspd_ex(): Responded with policy enc AES-CBC len 16, auth SHA1, len 20 group 0, proto IPSEC_PROTO_ANY
2014 Jun 23 23:03:59.973793 ipsec_tun: ikecb_getspi(): Received GETSPI, seqno 0x10 for src 172.27.126.172 dst 172.27.126.42
2014 Jun 23 23:03:59.973947 ipsec_tun: ikecb_getspi(): Tunnel100 selected.
2014 Jun 23 23:03:59.974033 ipsec_tun: ikecb_getspi(): Responded with SPI 0x62b2e60
2014 Jun 23 23:04:00.070883 ipsec_tun: ikecb_update(): Received UPDATE (ingress), seqno 0x10, for src 172.27.126.42 dst 172.27.126.172
2014 Jun 23 23:04:00.070972 ipsec_tun: ikecb_update(): tunnel 2, spi 0x62b2e60, enc AES-CBC len 16 bytes, auth SHA1 len 20 bytes
2014 Jun 23 23:04:00.071111 ipsec_tun: ikecb_update(): Tunnel100 selected.
2014 Jun 23 23:04:00.072776 ipsec_tun: ikecb_add(): Received ADD (egress), seqno 0x10, for src 172.27.126.42 dst 172.27.126.172
2014 Jun 23 23:04:00.072863 ipsec_tun: ikecb_add(): tunnel 2, spi 0x3b141ec4, enc AES-CBC len 16 bytes, auth SHA1 len 20 bytes
2014 Jun 23 23:04:00.072997 ipsec_tun: ikecb_add(): Tunnel100 selected.
2014 Jun 23 23:04:00.074438 ipsec_tun: ikecb_commit(): Received X_COMMIT, seqno 0x10
2014 Jun 23 23:04:00.074601 ipsec_tun: ipsec_tun_handle_pfkey_cmd(): X_COMMIT: Tunnel100 selected for SPI 0x062b2e60/0x3b141ec4.
2014 Jun 23 23:04:00.074843 ipsec_tun: ipsec_tun_stop_timer(): Stopping handshake timer
2014 Jun 23 23:04:00.074961 ipsec_tun: ipsec_tun_store_to_runtime_info_pss(): PSS_TYPE_RUNTIME_CONNECTION
2014 Jun 23 23:04:00.075074 ipsec_tun: ipsec_tun_free_ike_txn(): IKE transaction 16 freed
2014 Jun 23 23:04:00.079320 ipsec_tun: ipsec_tun_fsm_ac_process_sa_committed(): MTS_OPC_IPSEC_TUN_SA_UPDATE notify Tunnel100 with spi 0x00000000/0x00000000
2014 Jun 23 23:04:00.079526 ipsec_tun: ipsec_tun_start_timer(): Starting rekey timer for 3240 seconds
2014 Jun 23 23:04:00.080214 ipsec_tun: ipsec_set_status_with_led(): Updated LED status -- OK : 0x0
cgr1000(config-if)# no debug all
 

The following is output from the debug ipsec_tun packet command while sending a single ping packet:

cgr1000# debug ipsec_tun packet
cgr1000# ping 192.168.100.1 count 1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=254 time=6.826 ms
 
--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.00% packet loss
round-trip min/avg/max = 6.826/6.825/6.826 ms
2014 Jun 23 22:36:50.737405 ipsec_tun: ipsec_tun_handle_encap_cmd: ESP encap process starts
2014 Jun 23 22:36:50.737469 ipsec_tun: ipsec_tun_encap_processing: SA lookup
2014 Jun 23 22:36:50.737580 ipsec_tun: ipsec_tun_encap_processing: Prepare outer IP header
2014 Jun 23 22:36:50.737708 ipsec_tun: ipsec_tun_encap_processing: Inner packet length 84
2014 Jun 23 22:36:50.737750 ipsec_tun: ipsec_tun_encap_processing: iv_size=16, pad_len=10, mac_size=12, final_pkt_size=152
2014 Jun 23 22:36:50.737786 ipsec_tun: ipsec_tun_encap_processing: Sending to FPGA for encryption
2014 Jun 23 22:36:50.737966 ipsec_tun: ipsec_tun_post_engine_encrypt: Encrytped packet from FPGA
2014 Jun 23 22:36:50.738036 ipsec_tun: ipsec_tun_post_engine_encrypt: Final encap of packet
2014 Jun 23 22:36:50.738097 ipsec_tun: ipsec_tun_post_engine_encrypt: Post encap'ed packet to netstack
2014 Jun 23 22:36:50.738204 ipsec_tun: ipsec_tun_post_engine_encrypt: ESP encap process completed
2014 Jun 23 22:36:50.740815 ipsec_tun: ipsec_tun_handle_decap_cmd: ESP decap process starts
2014 Jun 23 22:36:50.740876 ipsec_tun: ipsec_tun_decap_processing: SA lookup
2014 Jun 23 22:36:50.740914 ipsec_tun: ipsec_tun_decap_processing: Replay detection
2014 Jun 23 22:36:50.740948 ipsec_tun: ipsec_tun_decap_processing: Remove outer IP header
2014 Jun 23 22:36:50.741086 ipsec_tun: ipsec_tun_decap_processing: Sending to FPGA for decryption
2014 Jun 23 22:36:50.741245 ipsec_tun: ipsec_tun_post_engine_decrypt: Decrypted packet from FPGA
2014 Jun 23 22:36:50.741301 ipsec_tun: ipsec_tun_post_engine_decrypt: Remove padding
2014 Jun 23 22:36:50.741346 ipsec_tun: ipsec_tun_post_engine_decrypt: pad_len=10, inner_pkt_len=84
2014 Jun 23 22:36:50.741398 ipsec_tun: ipsec_tun_post_engine_decrypt: Post decap'ed packet to netstack
2014 Jun 23 22:36:50.741584 ipsec_tun: ipsec_tun_post_engine_decrypt: ESP decap process completed
cgr1000# no debug all
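
The encap line above (iv_size=16, pad_len=10, mac_size=12, final_pkt_size=152 for an inner packet of 84 bytes) and the ike_msg_encrypt lines in the IKE trace (padding length 14, encr_pl_len 1328, data_len 1356) are both plain arithmetic over the negotiated AES-CBC / HMAC-SHA1-96 transforms. The following Python module is an added worked example, not Cisco CG-OS code: it reproduces those numbers from the standard header sizes (IPv4 20, UDP 8, ESP header 8, ESP trailer 2, IKEv2 header 28, generic IKEv2 payload header 4), so that a value in a debug line can be checked rather than trusted, and it also derives the largest inner packet that fits a given physical MTU through this tunnel. Treating the 28-byte difference between the IKE message length and the bytes sent on the wire (1356 vs. 1384) as the IPv4 and UDP headers is an inference from the log, not a statement in this guide.

```python
"""ESP tunnel-mode and IKEv2 Encrypted (SK) payload size arithmetic for
AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV).
Added worked example; not CG-OS code."""

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # Pad Length (1) + Next Header (1)
IKE_HDR = 28           # fixed IKEv2 header
IKE_PAYLOAD_HDR = 4    # generic payload header preceding the SK payload body
AES_BLOCK = 16
AES_CBC_IV = 16
HMAC_SHA1_96_ICV = 12


def cbc_pad_len(unpadded_len: int, block_size: int = AES_BLOCK) -> int:
    """Padding bytes needed to reach the next block boundary (0 .. block_size-1)."""
    return (-unpadded_len) % block_size


def esp_tunnel_size(inner_pkt_len: int, iv_size: int = AES_CBC_IV,
                    mac_size: int = HMAC_SHA1_96_ICV, block_size: int = AES_BLOCK) -> dict:
    """Sizes of an ESP tunnel-mode packet carrying an inner IPv4 packet (RFC 4303).
    Payload data + padding + Pad Length + Next Header must be a cipher-block multiple."""
    pad_len = cbc_pad_len(inner_pkt_len + ESP_TRAILER, block_size)
    final = IPV4_HDR + ESP_HDR + iv_size + inner_pkt_len + pad_len + ESP_TRAILER + mac_size
    return {"iv_size": iv_size, "pad_len": pad_len, "mac_size": mac_size,
            "final_pkt_size": final}


def max_inner_len_for_mtu(mtu: int, iv_size: int = AES_CBC_IV,
                          mac_size: int = HMAC_SHA1_96_ICV, block_size: int = AES_BLOCK) -> int:
    """Largest inner packet whose ESP tunnel-mode encapsulation still fits the MTU."""
    fixed = IPV4_HDR + ESP_HDR + iv_size + mac_size
    budget = (mtu - fixed) // block_size * block_size   # room for inner + trailer + padding
    return budget - ESP_TRAILER


def ikev2_sk_sizes(cleartext_msg_len: int, iv_size: int = AES_CBC_IV,
                   icv_size: int = HMAC_SHA1_96_ICV, block_size: int = AES_BLOCK) -> dict:
    """Sizes after wrapping an IKE_AUTH message's payloads in the SK payload (RFC 7296 s3.14).
    cleartext_msg_len includes the 28-byte IKE header, as the 'len:' field in the trace does."""
    payloads_len = cleartext_msg_len - IKE_HDR
    pad_len = cbc_pad_len(payloads_len + 1, block_size)      # +1 for the Pad Length octet
    encrypted_len = payloads_len + pad_len + 1
    encr_pl_len = IKE_PAYLOAD_HDR + iv_size + encrypted_len + icv_size
    msg_len = IKE_HDR + encr_pl_len
    return {"pad_len": pad_len, "encrypted_len": encrypted_len, "encr_pl_len": encr_pl_len,
            "msg_len": msg_len, "wire_len": msg_len + IPV4_HDR + UDP_HDR}


def ikev2_sk_payloads_len(decrypt_out_len: int, pad_len: int) -> int:
    """Inverse on the receive side: decrypted bytes minus padding and the Pad Length octet."""
    return decrypt_out_len - pad_len - 1


if __name__ == "__main__":
    # Values from the debug ipsec_tun packet output above (84-byte inner ICMP packet).
    print("ESP encap of 84-byte inner packet:", esp_tunnel_size(84))
    # Values from the ike_msg_encrypt lines in the debug crypto ike trace above.
    print("IKE_AUTH request, cleartext len 1309:", ikev2_sk_sizes(1309))
    print("IKE_AUTH response payloads:", ikev2_sk_payloads_len(1248, 5))
    print("largest inner packet for a 1500-byte MTU:", max_inner_len_for_mtu(1500))
```

Worth noting for MTU planning: because the ESP trailer and CBC padding round the inner packet up to a block boundary, the overhead of this tunnel is not a constant but ranges from 58 to 73 bytes, and the pad length in a decap line (pad_len=10 here) must equal what the inner length predicts, otherwise the peer is using a different block size or padding scheme.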
 

Configuration Example