Sunday, December 1, 2019

IPSec GRE

IPSec GRE Config

CSR2

crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mykey address 1.1.1.1
!
crypto ipsec transform-set GRE_TEST esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile GRE_IPSEC_PROFILE
 set transform-set GRE_TEST
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 12.12.12.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile GRE_IPSEC_PROFILE

CSR
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mykey address 2.2.2.2
!
crypto ipsec transform-set GRE_TEST esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile GRE_IPSEC_PROFILE
 set transform-set GRE_TEST
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 12.12.12.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile GRE_IPSEC_PROFILE

CSR2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.2.2.2         QM_IDLE           1001 ACTIVE

CSR2#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.2.2.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

CSR1#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Tunnel0
Uptime: 00:15:28
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 2.2.2.2
      Desc: (none)
  Session ID: 0
  IKEv1 SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
          Capabilities:(none) connid:1001 lifetime:23:44:31
  IPSEC FLOW: permit 47 host 1.1.1.1 host 2.2.2.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 98 drop 0 life (KB/Sec) 4607987/2671
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/2671
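Added here as a worked check, not part of the original post: a Python snippet that audits the ISAKMP policy and transform-set above against an assumed deprecated-algorithm baseline (3DES, MD5 and DH group 2 are flagged) and reads the encaps/decaps counters from the show crypto ipsec sa output, where CSR2 shows 77 packets encapsulated but 0 decapsulated, to flag a one-way SA worth investigating. The sample inputs are copied from this post; the WEAK table and the function names are my own.

```python
import re

# Constructed sample: CSR2's ISAKMP policy and transform-set, copied from the post.
CSR2_CONFIG = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set GRE_TEST esp-3des esp-md5-hmac
 mode tunnel
"""

# Constructed sample: the counter lines from CSR2's "show crypto ipsec sa" in the post.
CSR2_IPSEC_SA = """\
    #pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Assumed review baseline: 3DES, MD5 and DH group 2 are deprecated (NIST SP 800-131A),
# so a reviewer would expect AES, SHA-2 and group 14 or an ECDH group instead.
WEAK = {
    "encr": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
    "esp": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"},
}

def audit_config(cfg: str) -> list:
    """Return one finding per weak ISAKMP policy setting or ESP transform."""
    findings = []
    for key in ("encr", "hash", "group"):
        for m in re.finditer(rf"^ +{key} +(\S+)", cfg, re.M):
            if m.group(1).lower() in WEAK[key]:
                findings.append(f"isakmp {key} {m.group(1)}")
    for m in re.finditer(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M):
        findings += [f"transform-set {a}" for a in m.group(1).split() if a.lower() in WEAK["esp"]]
    return findings

def parse_counters(show_output: str) -> dict:
    """Pull the encaps/decaps packet counters out of 'show crypto ipsec sa'."""
    return {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", show_output)}

def one_way_sa(show_output: str) -> bool:
    """True when packets are protected in exactly one direction, e.g. encaps 77 / decaps 0."""
    c = parse_counters(show_output)
    return (c.get("encaps", 0) == 0) != (c.get("decaps", 0) == 0)
```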

*Dec  1 07:33:02.009: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Dec  1 07:33:02.009: ISAKMP-PAK: (0):sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec  1 07:33:12.011: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec  1 07:33:12.011: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Dec  1 07:33:12.480: ISAKMP: (0):SA request profile is (NULL)
*Dec  1 07:33:12.480: ISAKMP: (0):local port 500, remote port 500
*Dec  1 07:33:12.480: ISAKMP: (0):set new node 0 to QM_IDLE
*Dec  1 07:33:12.480: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7F106FB4CE58
*Dec  1 07:33:12.480: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Dec  1 07:33:12.480: ISAKMP: (0):found peer pre-shared key matching 1.1.1.1

*Dec  1 07:33:12.480: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec  1 07:33:12.480: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

*Dec  1 07:33:12.480: ISAKMP: (0):beginning Main Mode exchange
*Dec  1 07:33:12.480: ISAKMP-PAK: (0):sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec  1 07:33:12.480: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Dec  1 07:33:12.490: ISAKMP-PAK: (0):received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Dec  1 07:33:12.490: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  1 07:33:12.490: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Dec  1 07:33:12.490: ISAKMP: (0):found peer pre-shared key matching 1.1.1.1
*Dec  1 07:33:12.490: ISAKMP: (0):local preshared key found
*Dec  1 07:33:12.490: ISAKMP: (0):Scanning profiles for xauth ...
*Dec  1 07:33:12.490: ISAKMP: (0):Checking ISAKMP transform 1 against priority 100 policy
*Dec  1 07:33:12.490: ISAKMP: (0):      encryption 3DES-CBC
*Dec  1 07:33:12.490: ISAKMP: (0):      hash MD5
*Dec  1 07:33:12.490: ISAKMP: (0):      default group 2
*Dec  1 07:33:12.490: ISAKMP: (0):      auth pre-share
*Dec  1 07:33:12.490: ISAKMP: (0):      life type in seconds
*Dec  1 07:33:12.490: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Dec  1 07:33:12.492: ISAKMP: (0):processing vendor id payload
*Dec  1 07:33:12.492: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Dec  1 07:33:12.492: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Dec  1 07:33:12.492: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  1 07:33:12.492: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Dec  1 07:33:12.492: ISAKMP-PAK: (0):sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Dec  1 07:33:12.492: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Dec  1 07:33:12.492: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  1 07:33:12.492: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Dec  1 07:33:12.502: ISAKMP-PAK: (0):received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Dec  1 07:33:12.502: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  1 07:33:12.502: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Dec  1 07:33:12.504: ISAKMP: (1001):vendor ID is DPD
*Dec  1 07:33:12.504: ISAKMP: (1001):processing vendor id payload
*Dec  1 07:33:12.504: ISAKMP: (1001):speaking to another IOS box!
*Dec  1 07:33:12.504: ISAKMP: (1001):received payload type 20
*Dec  1 07:33:12.504: ISAKMP: (1001):His hash no match - this node outside NAT
*Dec  1 07:33:12.504: ISAKMP: (1001):received payload type 20
*Dec  1 07:33:12.504: ISAKMP: (1001):No NAT Found for self or peer
*Dec  1 07:33:12.504: ISAKMP: (1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  1 07:33:12.504: ISAKMP: (1001):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Dec  1 07:33:12.504: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*Dec  1 07:33:12.504: ISAKMP: (1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  1 07:33:12.505: ISAKMP: (1001):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Dec  1 07:33:12.512: ISAKMP: (1001):processing ID payload. message ID = 0
*Dec  1 07:33:12.512: ISAKMP: (1001):ID payload
        next-payload : 8
        type         : 1
*Dec  1 07:33:12.512: ISAKMP: (1001):   address      : 1.1.1.1
*Dec  1 07:33:12.512: ISAKMP: (1001):   protocol     : 17
        port         : 500
        length       : 12
*Dec  1 07:33:12.512: ISAKMP: (0):peer matches *none* of the profiles
*Dec  1 07:33:12.512: ISAKMP: (1001):processing HASH payload. message ID = 0
*Dec  1 07:33:12.512: ISAKMP: (1001):SA authentication status:
        authenticated
*Dec  1 07:33:12.512: ISAKMP: (1001):SA has been authenticated with 1.1.1.1
*Dec  1 07:33:12.512: ISAKMP: (0):Trying to insert a peer 2.2.2.2/1.1.1.1/500/,
*Dec  1 07:33:12.512: ISAKMP: (0): and inserted successfully 7F10531C08D8.
*Dec  1 07:33:12.512: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec  1 07:33:12.512: ISAKMP: (1001):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Dec  1 07:33:12.512: ISAKMP: (1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec  1 07:33:12.512: ISAKMP: (1001):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Dec  1 07:33:12.512: ISAKMP: (1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec  1 07:33:12.512: ISAKMP: (1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Dec  1 07:33:12.513: ISAKMP: (1001):Node 265286714, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Dec  1 07:33:12.513: ISAKMP: (1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Dec  1 07:33:12.513: ISAKMP: (1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec  1 07:33:12.513: ISAKMP: (1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Dec  1 07:33:12.615: ISAKMP: (1001):Node 265286714, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec  1 07:33:12.615: ISAKMP: (1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Dec  1 07:33:12.778: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Dec  1 07:33:12.779: ISAKMP: (1001):Received IPSec Install callback... proceeding with the negotiation
*Dec  1 07:33:12.779: ISAKMP: (1001):Successfully installed IPSEC SA (SPI:0xE6B426F8) on Tunnel0
*Dec  1 07:33:12.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Dec  1 07:33:12.785: ISAKMP: (1001):Node 265286714, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Dec  1 07:33:12.785: ISAKMP: (1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE
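Added example, not from the original post: a small summarizer for the ISAKMP debug trace above that counts phase 1 retransmits and torn-down SAs (the MM_NO_STATE retransmit followed by IKE_DEST_SA at the top of the trace), collects ISAKMP-ERROR lines, records the authenticated peer and reports whether phase 1 and phase 2 completed. The sample lines are a constructed subset of the trace above; the function and field names are assumptions.

```python
import re

# Constructed sample: a subset of the debug lines from the post, keeping the initial
# retransmit/teardown, the fresh Main Mode attempt and the phase 1 / phase 2 completion.
DEBUG_LINES = """\
*Dec  1 07:33:02.009: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Dec  1 07:33:12.011: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Dec  1 07:33:12.480: ISAKMP: (0):found peer pre-shared key matching 1.1.1.1
*Dec  1 07:33:12.480: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
*Dec  1 07:33:12.490: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Dec  1 07:33:12.512: ISAKMP: (1001):SA has been authenticated with 1.1.1.1
*Dec  1 07:33:12.512: ISAKMP: (1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Dec  1 07:33:12.778: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Dec  1 07:33:12.785: ISAKMP: (1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE
"""

# One IOS state-machine transition line: connection id, old state, new state.
TRANSITION = re.compile(r"ISAKMP: \((\d+)\):Old State = (\S+)\s+New State = (\S+)")

def summarize(debug: str) -> dict:
    """Walk the trace and report retransmits, torn-down SAs, errors and P1/P2 completion."""
    summary = {"retransmits": 0, "torn_down": 0, "errors": [], "transitions": [],
               "authenticated_peer": None, "phase1_complete": False, "phase2_complete": False}
    for line in debug.splitlines():
        if "retransmitting phase 1" in line:
            summary["retransmits"] += 1          # peer did not answer the first MM packet
        if "ISAKMP-ERROR" in line:
            summary["errors"].append(line.split("):", 1)[1].strip())
        if m := re.search(r"SA has been authenticated with (\S+)", line):
            summary["authenticated_peer"] = m.group(1)
        if m := TRANSITION.search(line):
            _, old, new = m.groups()
            summary["transitions"].append((old, new))
            if new == "IKE_DEST_SA":
                summary["torn_down"] += 1        # an attempt was abandoned before P1 finished
            elif new == "IKE_P1_COMPLETE":
                summary["phase1_complete"] = True
            elif new == "IKE_QM_PHASE2_COMPLETE":
                summary["phase2_complete"] = True
    return summary
```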