Download - LICRED - Ch08 - Implementing VPNs
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
1/105
2012 Cisco and/or its affiliates. All rights reserved. 1
Implementing VirtualPrivate Networks
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
2/105
2012 Cisco and/or its affiliates. All rights reserved. 2
VPNTerminology
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
3/105
2012 Cisco and/or its affiliates. All rights reserved. 3
A system to accomplish the encryption/decryption, userauthentication, hashing, and key-exchange processes.
A cryptosystem may use one of several different methods,depending on the policy intended for various user trafficsituations.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
4/105
2012 Cisco and/or its affiliates. All rights reserved. 4
Encryption transforms information (clear text) into ciphertext
which is not readable by unauthorized users. Decryption transforms ciphertext back into clear text making
it readable by authorized users.
Popular encryption algorithms include:
DES
3DES
AES
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
5/105
2012 Cisco and/or its affiliates. All rights reserved. 5
Guarantees message integrity by using an algorithm to
convert a variable length message and shared secret keyinto a single fixed-length string.
Popular hashing methods include:
SHA (Cisco default)
MD5
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
6/105
2012 Cisco and/or its affiliates. All rights reserved. 6
Is the ability to prove a transaction occurred.
Similar to a signed package received from a shipping company.
This is very important in financial transactions and similardata transactions.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
7/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
8/105 2012 Cisco and/or its affiliates. All rights reserved. 8
Identifies a communicating party during a phase 1 IKEnegotiation.
The key must be pre-shared with another party before thepeers routers can communicate.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
9/105 2012 Cisco and/or its affiliates. All rights reserved. 9
A frameworkof open standards developed by the IETF tocreate a secure tunnel at the network (IP) layer.
It spells out the rules for secure communications.
IPsec is not bound to any specific encryption or authenticationalgorithms, keying technology, or security algorithms.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
10/105 2012 Cisco and/or its affiliates. All rights reserved. 10
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
11/105 2012 Cisco and/or its affiliates. All rights reserved. 11
A Cisco IOS software configuration entity that performs two
primary functions. First, it selects data flows that need security processing.
Second, it defines the policy for these flows and the crypto peerthat traffic needs to go to.
A crypto map is applied to an interface.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
12/105 2012 Cisco and/or its affiliates. All rights reserved. 12
Is a contract between two parties indicating what
security parameters, such as keys and algorithms willbe used.
A Security Parameter Index (SPI) identifies each establishedSA.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
13/105 2012 Cisco and/or its affiliates. All rights reserved. 13
VPNs
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
14/105
2012 Cisco and/or its affiliates. All rights reserved. 14
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
15/105
2012 Cisco and/or its affiliates. All rights reserved. 15
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
16/105
2012 Cisco and/or its affiliates. All rights reserved. 16
A Virtual Private Network (VPN) provides the same network
connectivity for remote users over a public infrastructureas they would have over a private network.
VPN services for network connectivity include:
Authentication
Data integrity Confidentiality
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
17/105
2012 Cisco and/or its affiliates. All rights reserved. 17
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
18/105
2012 Cisco and/or its affiliates. All rights reserved. 18
A secure VPN is a combination of concepts:
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
19/105
2012 Cisco and/or its affiliates. All rights reserved. 19
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
20/105
2012 Cisco and/or its affiliates. All rights reserved. 20
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
21/105
2012 Cisco and/or its affiliates. All rights reserved. 21
VPNTopologies
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
22/105
2012 Cisco and/or its affiliates. All rights reserved. 22
Site-to-Site VPNs:
Intranet VPNs connect corporate headquarters, remote offices, andbranch offices over a public infrastructure.
Extranet VPNs link customers, suppliers, partners, or communities ofinterest to a corporate Intranet over a public infrastructure.
Remote Access VPNs:
Which securely connect remote users, such as mobile users andtelecommuters, to the enterprise.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
23/105
2012 Cisco and/or its affiliates. All rights reserved. 23
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
24/105
2012 Cisco and/or its affiliates. All rights reserved. 24
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
25/105
2012 Cisco and/or its affiliates. All rights reserved. 25
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
26/105
2012 Cisco and/or its affiliates. All rights reserved. 26
GRETunnel
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
27/105
2012 Cisco and/or its affiliates. All rights reserved. 27
There are 2 popular site-to-site tunneling protocols:
Cisco Generic Routing Encapsulation (GRE)
IP Security Protocol (IPsec)
When should you use GRE and / or IPsec?
User Traffic IPOnly?
Use GRETunnel
No
Yes
No YesUnicastOnly?
Use IPsecVPN
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
28/105
2012 Cisco and/or its affiliates. All rights reserved. 28
GRE can encapsulate almost any other type of packet.
Uses IP to create a virtual point-to-point link between Cisco routers
Supports multiprotocol (IP, CLNS, ) and IP multicast tunneling (andtherefore routing protocols)
Best suited for site-to-site multiprotocol VPNs
RFC 1702 and RFC 2784
GRE header adds 24 bytesof additional overhead
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
29/105
2012 Cisco and/or its affiliates. All rights reserved. 29
GRE can optionally contain any one or more of these fields:
Tunnel checksum
Tunnel key
Tunnel packet sequence number
GRE keepalives can be used to track tunnel path status.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
30/105
2012 Cisco and/or its affiliates. All rights reserved. 30
GRE does not provide encryption!
It can be monitored with a protocol analyzer. However, GRE and IPsec can be used together.
IPsec does not support multicast / broadcast and thereforedoes not forward routing protocol packets.
However IPsec can encapsulate a GRE packet that encapsulatesrouting traffic (GRE over IPsec).
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
31/105
2012 Cisco and/or its affiliates. All rights reserved. 31
1. Create a tunnel interface:interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination:tunneldestination
5. (Optional) Identify the protocol to encapsulate in the GREtunnel:tunnel mode gre ip
By default, GRE is tunneled in an IP packet.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
32/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
33/105
2012 Cisco and/or its affiliates. All rights reserved. 33
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
34/105
2012 Cisco and/or its affiliates. All rights reserved. 34
IPsec
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
35/105
2012 Cisco and/or its affiliates. All rights reserved. 35
AH ESP ESP
+ AH
DES3
DESAES SEAL
MD5 SHA
PSK RSA
DH1 DH2 DH5 DH7
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
36/105
2012 Cisco and/or its affiliates. All rights reserved. 36
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
37/105
2012 Cisco and/or its affiliates. All rights reserved. 37
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
38/105
2012 Cisco and/or its affiliates. All rights reserved. 38
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
39/105
2012 Cisco and/or its affiliates. All rights reserved. 39
AH ESP ESP
+ AH
DES3
DESAES SEAL
MD5 SHA
PSK RSA
DH1 DH2 DH5 DH7
768 bits 1024 bits 1536 bits
Used by DES and 3DES Used by AES
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
40/105
2012 Cisco and/or its affiliates. All rights reserved. 40
AH provides authentication and optional replay-detectionservices.
It authenticates the sender of the data.
AH operates on protocol number 51.
AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
41/105
2012 Cisco and/or its affiliates. All rights reserved. 41
ESP provides the same security services as AH (authenticationand integrity) AND encryption service.
It encapsulates the data to be protected.
It operates on protocol number 50.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
42/105
2012 Cisco and/or its affiliates. All rights reserved. 42
ESP can also provide integrity and authentication.
First, the payload is encrypted using DES (default), 3DES, AES, or SEAL.
Next, the encrypted payload is hashed to provide authentication and dataintegrity using HMAC-MD5 or HMAC-SHA-1.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
43/105
2012 Cisco and/or its affiliates. All rights reserved. 43
ESP and AH can be applied to IP packets in two different modes.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
44/105
2012 Cisco and/or its affiliates. All rights reserved. 44
Security is provided only for the Transport Layer and above.
It protects the payload but leaves the original IP address in plaintext.
ESP transport mode is used between hosts.
Transport mode works well with GRE, because GRE hides theaddresses of the end devices by adding its own IP.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
45/105
2012 Cisco and/or its affiliates. All rights reserved. 45
Tunnel mode provides security for the complete original IPpacket.
The original IP packet is encrypted and then it is encapsulated in another IPpacket (IP-in-IP encryption).
ESP tunnel mode is used in remote access and site-to-siteimplementations.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
46/105
2012 Cisco and/or its affiliates. All rights reserved. 46
Key Exchange
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
47/105
2012 Cisco and/or its affiliates. All rights reserved. 47
The IPsec VPN solution:
Negotiates key exchange parameters (IKE).
Establishes a shared key (DH).
Authenticates the peer.
Negotiates the encryption parameters.
The negotiated parameters between two devices are knownas a security association (SA).
SAs represent a policy contract between two peers orhosts, and describe how the peers will use IPsec securityservices to protect network traffic. SAs contain all thesecurity parameters needed to securely transport packetsbetween the peers or hosts, and practically define thesecurity policy used in IPsec.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
48/105
2012 Cisco and/or its affiliates. All rights reserved. 48
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
49/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
50/105
2012 Cisco and/or its affiliates. All rights reserved. 50
1. Outbound packet is sentfrom Alice to Bob. No IPsec
SA.
4. Packet is sent from Alice toBob protected by IPsec SA.
IPsec IPsec
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
51/105
2012 Cisco and/or its affiliates. All rights reserved. 51
There are two phases in every IKE negotiation Phase 1 (Authentication)
Phase 2 (Key Exchange)
IKE negotiation can also occur in:
Main Mode
Aggressive mode
The difference between the two is that Main mode requiresthe exchange of 6 messages while Aggressive moderequires only 3 exchanges.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
52/105
2012 Cisco and/or its affiliates. All rights reserved. 52
IKE Phase One:
Negotiates an IKE protection suite.
Exchanges keying material to protect the IKE session (DH).
Authenticates each other.
Establishes the IKE SA.
Main Mode requires the exchange of 6 messages while Aggressive
mode only uses 3 messages.
IKE Phase Two:
Negotiates IPsec security parameters, known as IPsec transformsets.
Establishes IPsec SAs. Periodically renegotiates IPsec SAs to ensure security.
Optionally performs an additional DH exchange.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
53/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
54/105
2012 Cisco and/or its affiliates. All rights reserved. 54
IKE Phase 1authenticates IPsec peers and negotiates IKE SAs to create a secure
communications channel for negotiating IPsec SAs in Phase 2.
Host A sends interesting traffic destined for Host B.
IKE Phase 2negotiates IPsec SA parameters and creates matching IPsec SAs in the
peers to protect data and messages exchanged between endpoints.
Data transfer occurs between IPsec peers based on the IPsec parameters and keys
stored in the SA database.
IPsec tunnel termination occurs by SAs through deletion or by timing out.
Step 1
Step 2
Step 3
Step 4
Step 5
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
55/105
2012 Cisco and/or its affiliates. All rights reserved. 55
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
56/105
2012 Cisco and/or its affiliates. All rights reserved. 56
IKE Policy Negotiation
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
57/105
2012 Cisco and/or its affiliates. All rights reserved. 57
DH Key Exchange
RouterB hashes the receivedstring together with the pre-sharedsecret and yields a hash value.
RouterA randomly chooses astring and sends it to RouterB.
RouterB sends the result of
hashing back to RouterA.
RouterA calculates its own hashof the random string, togetherwith the pre-shared secret, andmatches it with the receivedresult from the other peer.
If they match, RouterB knows thepre-shared secret, and isconsidered authenticated.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
58/105
2012 Cisco and/or its affiliates. All rights reserved. 58
DH Key Exchange
Now RouterB randomly chooses a
different random string and sendsit to RouterA.
RouterA also hashes thereceived string together with thepre-shared secret and yields ahash value.
RouterA sends the result ofhashing back to RouterB.
RouterB calculates its own hashof the random string, togetherwith the pre-shared secret, andmatches it with the receivedresult from the other peer.
If they match, RouterA knows thepre-shared secret, and isconsidered authenticated.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
59/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
60/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
61/105
2012 Cisco and/or its affiliates. All rights reserved. 61
Transform Set Negotiation
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
62/105
2012 Cisco and/or its affiliates. All rights reserved. 62
Security Associations
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
63/105
2012 Cisco and/or its affiliates. All rights reserved. 63
IPsec Session
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
64/105
2012 Cisco and/or its affiliates. All rights reserved. 64
Tunnel Termination
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
65/105
2012 Cisco and/or its affiliates. All rights reserved. 65
IPsec Tasks
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
66/105
2012 Cisco and/or its affiliates. All rights reserved. 66
1. Ensure that ACLsconfigured on the interface are compatiblewith IPsec configuration.
2. Create an IKE policy to determine the parameters that will beused to establish the tunnel.
3. Configure the IPsec transform set which defines theparameters that the IPsec tunnel uses.
The set can include the encryption and integrity algorithms.
4. Create a crypto ACL.
The crypto ACL defines which traffic is sent through the IPsec tunnel andprotected by the IPsec process.
5. Create and apply a crypto map.
The crypto map groups the previously configured parameters together anddefines the IPsec peer devices.
The crypto map is applied to the outgoing interface of the VPN device.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
67/105
2012 Cisco and/or its affiliates. All rights reserved. 67
1
2
3
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
68/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
69/105
2012 Cisco and/or its affiliates. All rights reserved. 69
Creating a plan in advance is mandatory to configure IPsecencryption correctly to minimize misconfiguration.
Determine the following policy details:
Key distribution method
Authentication method
IPsec peer IP addresses and hostnames
IKE phase 1 policies for all peers
Encryption algorithm, Hash algorithm, IKE SA lifetime
Goal: Minimize misconfiguration.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
70/105
2012 Cisco and/or its affiliates. All rights reserved. 70
or AES
or D-H 5
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
71/105
2012 Cisco and/or its affiliates. All rights reserved. 71
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
72/105
2012 Cisco and/or its affiliates. All rights reserved. 72
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
73/105
2012 Cisco and/or its affiliates. All rights reserved. 73
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
74/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
75/105
2012 Cisco and/or its affiliates. All rights reserved. 75
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
76/105
2012 Cisco and/or its affiliates. All rights reserved. 76
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
77/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
78/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
79/105
2012 Cisco and/or its affiliates. All rights reserved. 79
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
80/105
2012 Cisco and/or its affiliates. All rights reserved. 80
To use the hostnameparameter, configure thecryptoisakmp identityhostnameglobal configuration mode
command. In addition, DNS must be accessible to resolve the hostname.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
81/105
2012 Cisco and/or its affiliates. All rights reserved. 81
RouterA# show crypto isakmp policy
Protection suite of priority 110encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
82/105
2012 Cisco and/or its affiliates. All rights reserved. 82
Determine the following policy details:
IPsec algorithms and parameters for optimal security and
performance
Transforms sets
IPsec peer details
IP address and applications of hosts to be protected
Manual or IKE-initiated SAs
Goal: Minimize misconfiguration.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
83/105
2012 Cisco and/or its affiliates. All rights reserved. 83
Cisco IOS software supports the following IPsec transforms:
CentralA(config)# crypto ipsec transform-set transform-set-name?ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-null ESP transform w/o cipher
Note:
esp-md5-hmacand esp-sha-hmacprovide more data integrity.
They are compatible with NAT/PAT and are used more frequently than
ah-md5-hmacand ah-sha-hmac.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
84/105
2012 Cisco and/or its affiliates. All rights reserved. 84
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
85/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
86/105
2012 Cisco and/or its affiliates. All rights reserved. 86
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
87/105
2012 Cisco and/or its affiliates. All rights reserved. 87
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
88/105
2012 Cisco and/or its affiliates. All rights reserved. 88
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
89/105
2012 Cisco and/or its affiliates. All rights reserved. 89
Configures global IPsec lifetime values used when negotiatingIPsec security associations.
IPsec SA lifetimes are negotiated during IKE phase 2.
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
90/105
2012 Cisco and/or its affiliates. All rights reserved. 90
tcp
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
91/105
2012 Cisco and/or its affiliates. All rights reserved. 91
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255RouterA#(config)
access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
RouterB#(config)
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
92/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
93/105
2012 Cisco and/or its affiliates. All rights reserved. 93
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
94/105
2012 Cisco and/or its affiliates. All rights reserved. 94
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
95/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
96/105
2012 Cisco and/or its affiliates. All rights reserved. 96
RouterA(config)#crypto map MYMAP 110 ipsec-isakmp
RouterA(config-crypto-map)#match address 110
RouterA(config-crypto-map)#set peer 172.30.2.2
RouterA(config-crypto-map)#set peer 172.30.3.2RouterA(config-crypto-map)#set transform-set MINE
RouterA(config-crypto-map)#set security-association lifetime 86400
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
97/105
2012 Cisco and/or its affiliates. All rights reserved. 97
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
98/105
2012 Cisco and/or its affiliates. All rights reserved. 98
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
99/105
2012 Cisco and/or its affiliates. All rights reserved. 99
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
100/105
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
101/105
2012 Cisco and/or its affiliates. All rights reserved. 101
E0/1 172.30.1.2 E0/1 172.30.2.2
A
RouterA# show crypto ipsec transform-set MY-SET
Transform set MY-SET: { esp-des }
will negotiate = { Tunnel, },
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
102/105
2012 Cisco and/or its affiliates. All rights reserved. 102
QM_IDLE (quiescent state) indicates that an ISAKMP SA
exists but is idle.
The router will remain authenticated with its peer and may
be used for subsequent quick mode (QM) exchanges.
RouterA# show crypto isakmp sa
dst src state conn-id slot
172.30.2.2 172.30.1.2 QM_IDLE 47 5
E0/1 172.30.1.2 E0/1 172.30.2.2
A
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
103/105
2012 Cisco and/or its affiliates. All rights reserved. 103
RouterA# show crypto ipsec sa
interface: Ethernet0/1Crypto map tag: MYMAP, local addr. 172.30.1.2local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)current_peer: 172.30.2.2PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0#send errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2path mtu 1500, media mtu 1500current outbound spi: 8AE1C9C
E0/1 172.30.1.2 E0/1 172.30.2.2
A
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
104/105
2012 Cisco and/or its affiliates. All rights reserved. 104
RouterA# show crypto map
Crypto Map MYMAP" 10 ipsec-isakmpPeer = 172.30.2.2Extended IP access list 102access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
Current peer: 172.30.2.2Security association lifetime: 4608000 kilobytes/3600 secondsPFS (Y/N): NTransform sets={ MINE, }
E0/1 172.30.1.2 E0/1 172.30.2.2
A
-
8/10/2019 LICRED - Ch08 - Implementing VPNs
105/105
To display debug messages about all IPsec actions, use theglobal command debug crypto ipsec.
To display debug messages about all ISAKMP actions, use theglobal command debug crypto isakmp.