|
Table Of Contents
Restrictions for VRF-Aware IPSec
Information About VRF-Aware IPSec
VRF-Aware IPSec Functional Overview
How to Configure VRF-Aware IPSec
Configuring an ISAKMP Profile on a Crypto Map
Configuring to Ignore Extended Authentication During IKE Phase 1 Negotiation
Clearing Security Associations
Troubleshooting VRF-Aware IPSec
Configuration Examples for VRF-Aware IPSec
Static IPSec-to-MPLS VPN Example
IPSec-to-MPLS VPN Using RSA Encryption Example
IPSec-to-MPLS VPN with RSA Signatures Example
IPSec Remote Access-to-MPLS VPN Example
Upgrade from Previous Versions of the Cisco Network-Based IPSec VPN Solution
VRF-Aware IPSec
The VRF-Aware IPSec feature introduces IP Security (IPSec) tunnel mapping to Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). Using the VRF-Aware IPSec feature, you can map IPSec tunnels to Virtual Routing and Forwarding (VRF) instances using a single public-facing address.
Feature Specifications for VRF-Aware IPSec
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Restrictions for VRF-Aware IPSec
• Information About VRF-Aware IPSec
• How to Configure VRF-Aware IPSec
• Configuration Examples for VRF-Aware IPSec
• Glossary
Restrictions for VRF-Aware IPSec
•The VRF-Aware IPSec feature does not allow IPSec tunnel mapping between VRFs. For example, it does not allow IPSec tunnel mapping from VRF vpn1 to VRF vpn2.
Information About VRF-Aware IPSec
The VRF-Aware IPSec feature maps an IPSec tunnel to a MPLS VPN. To configure and use the feature, you need to understand the following concepts:
• VRF-Aware IPSec Functional Overview
VRF Instance
A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.
MPLS Distribution Protocol
The MPLS distribution protocol is a high-performance packet-forwarding technology that integrates the performance and traffic management capabilities of data link layer switching with the scalability, flexibility, and performance of network-layer routing.
VRF-Aware IPSec Functional Overview
Front Door VRF (FVRF) and Inside VRF (IVRF) are central to understanding the feature.
Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
Figure 1 is an illustration of a scenario showing IPSec to MPLS and Layer 2 VPNs.
Figure 1 IPSec to MPLS and Layer 2 VPNs
Packet Flow into the IPSec Tunnel
•A VPN packet arrives from the Service Provider MPLS backbone network to the PE and is routed through an interface facing the Internet.
•The packet is matched against the Security Policy Database (SPD), and the packet is IPSec encapsulated. The SPD includes the IVRF and the access control list (ACL).
•The IPSec encapsulated packet is then forwarded using the FVRF routing table.
Packet Flow from the IPSec Tunnel
•An IPSec-encapsulated packet arrives at the PE router from the remote IPSec endpoint.
•IPSec performs the Security Association (SA) lookup for the Security Parameter Index (SPI), destination, and protocol.
•The packet is decapsulated using the SA and is associated with IVRF.
•The packet is further forwarded using the IVRF routing table.
How to Configure VRF-Aware IPSec
This section contains the following procedures:
• Configuring Crypto Keyrings (Optional)
• Configuring ISAKMP Profiles (Required)
• Configuring an ISAKMP Profile on a Crypto Map (Required)
• Configuring to Ignore Extended Authentication During IKE Phase 1 Negotiation (Optional)
• Clearing Security Associations
• Troubleshooting VRF-Aware IPSec
Configuring Crypto Keyrings
A crypto keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. There can be zero or more keyrings on the Cisco IOS router.
Perform the following optional task to configure a crypto keyring.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto keyring keyring-name [vrf fvrf-name]
4. description string (Optional)
5. pre-shared-key {address address [mask] | hostname hostname} key key (Optional)
6. rsa-pubkey {address address | name fqdn} [encryption | signature] (Optional)
7. address ip-address (Optional)
8. serial-number serial-number (Optional)
9. key-string
10. text
11. quit
12. exit
13. exit
DETAILED STEPS
Configuring ISAKMP Profiles
An ISAKMP profile is a repository for IKE Phase 1 and IKE Phase 1.5 configuration for a set of peers. An ISAKMP profile defines items such as keepalive, trustpoints, peer identities, and XAUTH AAA list during the IKE Phase 1 and Phase 1.5 exchange. There can be zero or more ISAKMP profiles on the Cisco IOS router.
Note•If traffic from the router to a certification authority (CA) (for authentication, enrollment, or for obtaining a certificate revocation list [CRL]) or to an Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.
•If a profile does not specify one or more trustpoints, all trustpoints in the router will be used to attempt to validate the certificate of the peer (Internet Key Exchange (IKE) main mode or signature authentication). If one or more trustpoints are specified, only those trustpoints will be used.
Restriction
A router initiating IKE and a router responding to the IKE request should have symmetrical trustpoint configurations. For example, a responding router (in IKE Main Mode) performing RSA signature encryption and authentication might use trustpoints that were defined in the global configuration when sending the CERT-REQ payloads. However, the router might use a restricted list of trustpoints that were defined in the ISAKMP profile for the certificate verification. If the peer (the IKE initiator) is configured to use a certificate whose trustpoint is in the global list of the responding router but not in ISAKMP profile of the responding router, the certificate will be rejected. (However, if the initiating router does not know about the trustpoints in the global configuration of the responding router, the certificate can still be authenticated.)
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto isakmp profile profile-name
4. description string (Optional)
5. vrf ivrf-name (Optional)
6. keepalive seconds retry retry-seconds (Optional)
7. self-identity {address | fqdn | user-fqdn user-fqdn} (Optional)
8. keyring keyring-name (Optional)
9. ca trust-point trustpoint-name (Optional)
10. match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
11. client configuration address {initiate | respond} (Optional)
12. client authentication list list-name (Optional)
13. isakmp authorization list list-name (Optional)
14. initiate mode aggressive
15. exit
DETAILED STEPS
What to Do Next
Go to the section " Configuring an ISAKMP Profile on a Crypto Map."
Configuring an ISAKMP Profile on a Crypto Map
An ISAKMP profile must be applied to the crypto map. The IVRF on the ISAKMP profile is used as a selector when matching the VPN traffic. If there is no IVRF on the ISAKMP profile, the IVRF will be equal to the FVRF. Perform this required task to configure an ISAKMP profile on a crypto map.
Prerequisites
Before configuring an ISAKMP profile on a crypto map, you must first have configured your router for basic IPSec.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto map map-name isakmp-profile isakmp-profile-name (Optional)
4. set isakmp-profile profile-name (Optional)
5. exit
DETAILED STEPS
Configuring to Ignore Extended Authentication During IKE Phase 1 Negotiation
To ignore XAUTH during an IKE Phase 1 negotiation, use the no crypto xauth command. Use the no crypto xauth command if you do not require extended authentication for the Unity clients.
SUMMARY STEPS
1. enable
2. configure terminal
3. no crypto xauth interface
DETAILED STEPS
Verifying VRF-Aware IPSec
To verify your VRF-Aware IPSec configurations, use the following show commands. These show commands allow you to list configuration information and security associations (SAs):
SUMMARY STEPS
•enable
•show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]
•show crypto isakmp key
•show crypto isakmp profile
•show crypto key pubkey-chain rsa
DETAILED STEPS
Clearing Security Associations
The following clear commands allow you to clear SAs.
SUMMARY STEPS
•enable
•clear crypto sa [counters | map map-name | peer [vrf fvrf-name] address | spi address {ah | esp} spi | vrf ivrf-name]
DETAILED STEPS
Troubleshooting VRF-Aware IPSec
To troubleshoot VRF-Aware IPSec, use the following debug commands:
SUMMARY STEPS
1. enable
2. debug crypto ipsec
3. debug crypto isakmp
DETAILED STEPS
Debug Examples for VRF-Aware IPSec
The following sample debug outputs are for a VRF-aware IPSec configuration:
IPSec PE
Router# debug crypto ipsec
Crypto IPSEC debugging is on
IPSEC-PE#debug crypto isakmp
Crypto ISAKMP debugging is on
IPSEC-PE#debug crypto isakmp d
04:31:28: ISAKMP (0:12): purging SA., sa=6482B354, delme=6482B354
04:31:28: ISAKMP: Unlocking IKE struct 0x63C142F8 for declare_sa_dead(), count 0
IPSEC-PE#debug crypto isakmp detail
Crypto ISAKMP internals debugging is on
IPSEC-PE#
IPSEC-PE#
IPSEC-PE#
04:32:07: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 63C142F8
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B DC887D4E
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.68.1.1
04:32:55: ISAKMP cookie AA8F7B41 49A60E88
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B DBC8E125
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 B4BDB5B7
04:32:55: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (N) NEW SA
04:32:55: ISAKMP: local port 500, remote port 500
04:32:55: ISAKMP: hash from 729FA94 for 619 bytes
04:32:55: ISAKMP: Packet hash:
64218CC0: B91E2C70 095A1346 9.,p.Z.F
64218CD0: 0EDB4CA6 8A46784F B314FD3B 00 .[L&.FxO.};.
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:32:55: ISAKMP cookie AA8F7B41 F7ACF384
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:32:55: ISAKMP cookie AA8F7B41 0C07C670
04:32:55: ISAKMP: insert sa successfully sa = 6482B354
04:32:55: ISAKMP (0:13): processing SA payload. message ID = 0
04:32:55: ISAKMP (0:13): processing ID payload. message ID = 0
04:32:55: ISAKMP (0:13): peer matches vpn2-ra profile
04:32:55: ISAKMP: Looking for a matching key for 10.1.1.1 in default
04:32:55: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
04:32:55: ISAKMP: Locking peer struct 0x640BBB18, IKE refcount 1 for crypto_ikmp_config_initialize_sa
04:32:55: ISAKMP (0:13): Setting client config settings 648252B0
04:32:55: ISAKMP (0:13): (Re)Setting client xauth list and state
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 157 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v3
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 123 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v2
04:32:55: ISAKMP (0:13) Authentication by xauth preshared
04:32:55: ISAKMP (0:13): Checking ISAKMP transform 1 against priority 1 policy
04:32:55: ISAKMP: encryption 3DES-CBC
04:32:55: ISAKMP: hash SHA
04:32:55: ISAKMP: default group 2
04:32:55: ISAKMP: auth XAUTHInitPreShared
04:32:55: ISAKMP: life type in seconds
04:32:55: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:32:55: ISAKMP (0:13): atts are acceptable. Next payload is 3
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 157 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v3
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 123 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v2
04:32:55: ISAKMP (0:13): processing KE payload. message ID = 0
04:32:55: ISAKMP (0:13): processing NONCE payload. message ID = 0
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID is DPD
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 175 mismatch
04:32:55: ISAKMP (0:13): vendor ID is XAUTH
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): claimed IOS but failed authentication
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID is Unity
04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
04:32:55: ISAKMP (0:13): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
04:32:55: ISAKMP cookie gen for src 11.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 7AE6E1DF
04:32:55: ISAKMP: isadb_post_process_list: crawler: 4 AA 31 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP: got callback 1
04:32:55: ISAKMP (0:13): SKEYID state generated
04:32:55: ISAKMP: Unity/DPD ID: vendor_id_payload:
next: 0xD, reserved: 0x0, len 0x14
04:32:55: ISAKMP: Unity/DPD ID payload dump:
63E66D70: 0D000014 ....
63E66D80: 12F5F28C 457168A9 702D9FE2 74CC0100 .ur.Eqh)p-.btL..
63E66D90: 00 .
04:32:55: ISAKMP: Unity/DPD ID: vendor_id_payload:
next: 0xD, reserved: 0x0, len 0x14
04:32:55: ISAKMP: Unity/DPD ID payload dump:
63E66D90: 0D000014 AFCAD713 68A1F1C9 6B8696FC ..../JW.h!qIk..|
63E66DA0: 77570100 00 wW...
04:32:55: ISAKMP (0:13): constructed NAT-T vendor-03 ID
04:32:55: ISAKMP (0:13): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
04:32:55: ISAKMP (13): ID payload
next-payload : 10
type : 1
addr : 172.16.1.1
protocol : 17
port : 0
length : 8
04:32:55: ISAKMP (13): Total payload length: 12
04:32:55: ISAKMP (0:13): constructed HIS NAT-D
04:32:55: ISAKMP (0:13): constructed MINE NAT-D
04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH
04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
04:32:55: ISAKMP (0:13): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B D99DA70D
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 9C69F917
04:32:55: ISAKMP: isadb_post_process_list: crawler: 5 21FF 1 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B 00583224
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 C1B006EE
04:32:55: ISAKMP: isadb_post_process_list: crawler: 5 21FF 1 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) AG_INIT_EXCH
04:32:55: ISAKMP: hash from 7003A34 for 132 bytes
04:32:55: ISAKMP: Packet hash:
64218CC0: D1202D99 2BB49D38 Q -.+4.8
64218CD0: B8FBB1BE 7CDC67D7 4E26126C 63 8{1>|\gWN&.lc
04:32:55: ISAKMP (0:13): processing HASH payload. message ID = 0
04:32:55: ISAKMP:received payload type 17
04:32:55: ISAKMP (0:13): Detected NAT-D payload
04:32:55: ISAKMP (0:13): recalc my hash for NAT-D
04:32:55: ISAKMP (0:13): NAT match MINE hash
04:32:55: ISAKMP:received payload type 17
04:32:55: ISAKMP (0:13): Detected NAT-D payload
04:32:55: ISAKMP (0:13): recalc his hash for NAT-D
04:32:55: ISAKMP (0:13): NAT match HIS hash
04:32:55: ISAKMP (0:13): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 6482B354
04:32:55: ISAKMP (0:13): Process initial contact,
bring down existing phase 1 and 2 SA's with local 172.16.1.1 remote 10.1.1.1 remote port 500
04:32:55: ISAKMP (0:13): returning IP addr to the address pool
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 05D315C5
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B 041A85A6
04:32:55: ISAKMP (0:13): SA has been authenticated with 10.1.1.1
04:32:55: ISAKMP: Trying to insert a peer 172.16.1.1/10.1.1.1/500/, and inserted successfully.
04:32:55: ISAKMP: set new node -803402627 to CONF_XAUTH
04:32:55: IPSEC(key_engine): got a queue event...
04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
04:32:55: ISAKMP (0:13): purging node -803402627
04:32:55: ISAKMP: Sending phase 1 responder lifetime 86400
04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
04:32:55: ISAKMP (0:13): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.168.1.1
04:32:55: ISAKMP cookie AA8F7B41 25EEF256
04:32:55: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP (0:13): Need XAUTH
04:32:55: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
04:32:55: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 2CCFA491
04:32:55: ISAKMP: isadb_post_process_list: crawler: B 27FF 12 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP: got callback 1
04:32:55: ISAKMP: set new node -1447732198 to CONF_XAUTH
04:32:55: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
04:32:55: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
04:32:55: ISAKMP (0:13): initiating peer config to 10.1.1.1. ID = -1447732198
04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
04:32:55: ISAKMP (0:13): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
04:33:00: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH -1447732198 ...
04:33:00: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
04:33:00: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
04:33:00: ISAKMP (0:13): retransmitting phase 2 -1447732198 CONF_XAUTH
04:33:00: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 124D4618
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 B0C91917
04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 0E294692
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 091A7695
04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
04:33:03: ISAKMP: hash from 7292D74 for 92 bytes
04:33:03: ISAKMP: Packet hash:
64218CC0: 84A1AF24 5D92B116 .!/$].1.
64218CD0: FC2C6252 A472C5F8 152AC860 63 |,bR$rEx.*H`c
04:33:03: ISAKMP (0:13): processing transaction payload from 11.1.1.1. message ID = -1447732198
04:33:03: ISAKMP: Config payload REPLY
04:33:03: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
04:33:03: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
04:33:03: ISAKMP (0:13): deleting node -1447732198 error FALSE reason "done with xauth request/reply exchange"
04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 A1B3E684
04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 12 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP: got callback 1
04:33:03: ISAKMP: set new node 524716665 to CONF_XAUTH
04:33:03: ISAKMP (0:13): initiating peer config to 10.1.1.1. ID = 524716665
04:33:03: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
004:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 5C83A09D
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 2BEBEFD4
04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B DA00A46B
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 FDD27773
04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
04:33:03: ISAKMP: hash from 7292A34 for 68 bytes
04:33:03: ISAKMP: Packet hash:
64218CC0: 5034B99E B8BA531F P49.8:S.
64218CD0: 6267B8BD F3006989 DC118796 63 bg8=s.i.\...c
04:33:03: ISAKMP (0:13): processing transaction payload from 11.1.1.1. message ID = 524716665
04:33:03: ISAKMP: Config payload ACK
04:33:03: ISAKMP (0:13): XAUTH ACK Processed
04:33:03: ISAKMP (0:13): deleting node 524716665 error FALSE reason "done with transaction"
04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 E0BB50E9
04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
04:33:03: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 7794EF6E
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 C035AAE5
04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B F1FCC25A
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 31744F44
04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F207FE4D
04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
04:33:03: ISAKMP: set new node -1639992295 to QM_IDLE
04:33:03: ISAKMP: hash from 7293A74 for 100 bytes
04:33:03: ISAKMP: Packet hash:
64218CC0: 9D7DF4DF FE3A6403 .}t_~:d.
64218CD0: 3F1D1C59 C5D138CE 50289B79 07 ?..YEQ8NP(.y.
04:33:03: ISAKMP (0:13): processing transaction payload from 10.1.1.1. message ID = -1639992295
04:33:03: ISAKMP: Config payload REQUEST
04:33:03: ISAKMP (0:13): checking request:
04:33:03: ISAKMP: IP4_ADDRESS
04:33:03: ISAKMP: IP4_NETMASK
04:33:03: ISAKMP: IP4_DNS
04:33:03: ISAKMP: IP4_DNS
04:33:03: ISAKMP: IP4_NBNS
04:33:03: ISAKMP: IP4_NBNS
04:33:03: ISAKMP: SPLIT_INCLUDE
04:33:03: ISAKMP: DEFAULT_DOMAIN
04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
04:33:03: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 B02E0D67
04:33:03: ISAKMP: isadb_post_process_list: crawler: C 27FF 12 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP: got callback 1
04:33:03: ISAKMP (0:13): attributes sent in message:
04:33:03: Address: 10.2.0.0
04:33:03: ISAKMP (0:13): allocating address 10.4.1.4
04:33:03: ISAKMP: Sending private address: 10.4.1.4
04:33:03: ISAKMP: Sending DEFAULT_DOMAIN default domain name: vpn2.com
04:33:03: ISAKMP (0:13): responding to peer config from 10.1.1.1. ID = -1639992295
04:33:03: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_ADDR
04:33:03: ISAKMP (0:13): deleting node -1639992295 error FALSE reason ""
04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
04:33:03: ISAKMP (0:13): Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 881D5411
04:33:03: ISAKMP cookie gen for src 11.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 6FD82541
04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 8A94C1BE
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 F3BA766D
04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F207FE4D
04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
04:33:03: ISAKMP: set new node 17011691 to QM_IDLE
04:33:03: ISAKMP: hash from 70029F4 for 540 bytes
04:33:03: ISAKMP: Packet hash:
64218CC0: AFBA30B2 55F5BC2D /:02Uu<-
64218CD0: 3A86B1C9 00D2F5BA 77BF5589 07 :.1I.Ru:w?U..
04:33:03: ISAKMP (0:13): processing HASH payload. message ID = 17011691
04:33:03: ISAKMP (0:13): processing SA payload. message ID = 17011691
04:33:03: ISAKMP (0:13): Checking IPSec proposal 1
04:33:03: ISAKMP: transform 1, ESP_3DES
04:33:03: ISAKMP: attributes in transform:
04:33:03: ISAKMP: encaps is 1
04:33:03: ISAKMP: SA life type in seconds
04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:33:03: ISAKMP: SA life type in kilobytes
04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
04:33:03: ISAKMP: authenticator is HMAC-SHA
04:33:03: ISAKMP (0:13): atts are acceptable.
04:33:03: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.4.1.4/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2
04:33:03: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
04:33:03: ISAKMP (0:13): IPSec policy invalidated proposal
04:33:03: ISAKMP (0:13): Checking IPSec proposal 2
04:33:03: ISAKMP: transform 1, ESP_3DES
04:33:03: ISAKMP: attributes in transform:
04:33:03: ISAKMP: encaps is 1
04:33:03: ISAKMP: SA life type in seconds
04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:33:03: ISAKMP: SA life type in kilobytes
04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
04:33:03: ISAKMP: authenticator is HMAC-MD5
04:33:03: ISAKMP (0:13): atts are acceptable.
04:33:03: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.4.1.4/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2
04:33:03: ISAKMP (0:13): processing NONCE payload. message ID = 17011691
04:33:03: ISAKMP (0:13): processing ID payload. message ID = 17011691
04:33:03: ISAKMP (0:13): processing ID payload. message ID = 17011691
04:33:03: ISAKMP (0:13): asking for 1 spis from ipsec
04:33:03: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
04:33:03: ISAKMP (0:13): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
04:33:03: IPSEC(key_engine): got a queue event...
04:33:03: IPSEC(spi_response): getting spi 2749516541 for SA
from 172.18.1.1 to 10.1.1.1 for prot 3
04:33:03: ISAKMP: received ke message (2/1)
04:33:04: ISAKMP (13): ID payload
next-payload : 5
type : 1
addr : 10.4.1.4
protocol : 0
port : 0
04:33:04: ISAKMP (13): ID payload
next-payload : 11
type : 4
addr : 0.0.0.0
protocol : 0
port : 0
04:33:04: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
04:33:04: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
04:33:04: ISAKMP (0:13): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
04:33:04: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:04: ISAKMP cookie 3123100B 93DE46D2
04:33:04: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:04: ISAKMP cookie AA8F7B41 088A0A16
04:33:04: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:33:04: crawler my_cookie AA8F7B41 F7ACF384
04:33:04: crawler his_cookie E46E088D F227FE4D
04:33:04: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:04: ISAKMP cookie 3123100B A8F23F73
04:33:04: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:04: ISAKMP cookie AA8F7B41 93D8D879
04:33:04: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:33:04: crawler my_cookie AA8F7B41 F7ACF384
04:33:04: crawler his_cookie E46E088D F227FE4D
04:33:04: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
04:33:04: ISAKMP: hash from 7290DB4 for 60 bytes
04:33:04: ISAKMP: Packet hash:
64218CC0: 4BB45A92 7181A2F8 K4Z.q."x
64218CD0: 73CC12F8 091875C0 054F77CD 63 sL.x..u@.OwMc
04:33:04: ISAKMP: Locking peer struct 0x640BBB18, IPSEC refcount 1 for for stuff_ke
04:33:04: ISAKMP (0:13): Creating IPSec SAs
04:33:04: inbound SA from 10.1.1.1 to 172.18.1.1 (f/i) 0/ 2
(proxy 10.4.1.4 to 0.0.0.0)
04:33:04: has spi 0xA3E24AFD and conn_id 5127 and flags 2
04:33:04: lifetime of 2147483 seconds
04:33:04: lifetime of 4608000 kilobytes
04:33:04: has client flags 0x0
04:33:04: outbound SA from 172.18.1.1 to 10.1.1.1 (f/i) 0/ 2 (proxy 0.0.0.0 to 10.4.1.4 )
04:33:04: has spi 1343294712 and conn_id 5128 and flags A
04:33:04: lifetime of 2147483 seconds
04:33:04: lifetime of 4608000 kilobytes
04:33:04: has client flags 0x0
04:33:04: ISAKMP (0:13): deleting node 17011691 error FALSE reason "quick mode done (await)"
04:33:04: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
04:33:04: ISAKMP (0:13): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
04:33:04: IPSEC(key_engine): got a queue event...
04:33:04: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.4.1.4/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 2147483s and 4608000kb,
spi= 0xA3E24AFD(2749516541), conn_id= 5127, keysize= 0, flags= 0x2
04:33:04: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 172.18.1.1, remote= 10.1.1.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.4.1.4/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 2147483s and 4608000kb,
spi= 0x50110CF8(1343294712), conn_id= 5128, keysize= 0, flags= 0xA
04:33:04: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2
04:33:04: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2
04:33:04: IPSEC(rte_mgr): VPN Route Added 10.4.1.4 255.255.255.255 via 10.1.1.1 in vpn2
04:33:04: IPSEC(add mtree): src 0.0.0.0, dest 10.4.1.4, dest_port 0
04:33:04: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.18.1.1, sa_prot= 50,
sa_spi= 0xA3E24AFD(2749516541),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 5127
04:33:04: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.1.1, sa_prot= 50,
sa_spi= 0x50110CF8(1343294712),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 5128
04:33:53: ISAKMP (0:13): purging node -1639992295
04:33:54: ISAKMP (0:13): purging node 17011691
Configuration Examples for VRF-Aware IPSec
The following examples show how to configure VRF-Aware IPSec:
• Static IPSec-to-MPLS VPN Example
• IPSec-to-MPLS VPN Using RSA Encryption Example
• IPSec-to-MPLS VPN with RSA Signatures Example
• Upgrade from Previous Versions of the Cisco Network-Based IPSec VPN Solution
Static IPSec-to-MPLS VPN Example
The following sample shows a static configuration that maps IPSec tunnels to MPLS VPNs. The configurations map IPSec tunnels to MPLS VPNs "VPN1" and "VPN2." Both of the IPSec tunnels terminate on a single public-facing interface.
IPSec PE Configuration
ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf vpn2
rd 101:1
route-target export 101:1
route-target import 101:1
!
crypto keyring vpn1
pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2
pre-shared-key address 10.1.1.1 key vpn2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp profile vpn1
vrf vpn1
keyring vpn1
match identity address 172.16.1.1 255.255.255.255
!
crypto isakmp profile vpn2
vrf vpn2
keyring vpn2
match identity address 10.1.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn1
set isakmp-profile vpn1
match address 101
crypto map crypmap 3 ipsec-isakmp
set peer 10.1.1.1
set transform-set vpn2
set isakmp-profile vpn2
match address 102
!
interface Ethernet1/1
ip address 172.17.1.1 255.255.0.0
tag-switching ip
!
interface Ethernet1/2
ip address 172.18.1.1 255.255.255.0
crypto map crypmap
!
ip route 172.16.1.1 255.255.255.255 172.168.1.2
ip route 10.1.1.1 255.255.255.255 172.18.1.2
ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
ip route vrf vpn2 10.2.0.0 255.255.0.0 172.18.1.2 global
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
IPSec Customer Provided Edge (CPE) Configuration for VPN1
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key vpn1 address 172.18.1.1
!
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map vpn1 1 ipsec-isakmp
set peer 172.18.1.1
set transform-set vpn1
match address 101
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
crypto map vpn1
!
interface FastEthernet1/1
ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
IPSec CPE Configuration for VPN2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key vpn2 address 172.18.1.1
!
!
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map vpn2 1 ipsec-isakmp
set peer 172.18.1.1
set transform-set vpn2
match address 101
!
interface FastEthernet0
ip address 10.1.1.1 255.255.255.0
crypto map vpn2
!
interface FastEthernet1
ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
IPSec-to-MPLS VPN Using RSA Encryption Example
The following example shows an IPSec-to-MPLS configuration using RSA encryption:
PE Router Configuration
ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 100:1
!
crypto isakmp policy 10
authentication rsa-encr
!
crypto keyring vpn1
rsa-pubkey address 172.16.1.1 encryption
key-string
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DBF381 00DDECC8
DC4AA490 40320C52 9912D876 EB36717C 63DCA95C 7E5EC02A 84F276CE 292B42D7
D664F324 3726F4E0 39D33093 ECB81B95 482511A5 F064C4B3 D5020301 0001
quit
!
crypto isakmp profile vpn1
vrf vpn1
keyring vpn1
match identity address 172.16.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn1
set isakmp-profile vpn1
match address 101
!
interface Ethernet1/1
ip address 172.17.1.1 255.255.0.0
tag-switching ip
!
interface Ethernet1/2
ip address 172.18.1.1 255.255.255.0
crypto map crypmap
!
ip route 172.16.1.1 255.255.255.255 172.18.1.2
ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
IPSec CPE Configuration for VPN1
crypto isakmp policy 10
authentication rsa-encr
!
crypto key pubkey-chain rsa
addressed-key 172.18.1.1 encryption
key-string
3082011B 300D0609 2A864886 F70D0101 01050003 82010800 30820103 0281FB00
C90CC78A 6002BDBA 24683396 B7D7877C 16D08C47 E00C3C10 63CF13BC 4E09EA23
92EB8A48 4113F5A4 8796C8BE AD7E2DC1 3B0742B6 7118CE7C 1B0E21D1 AA9724A4
4D74FCEA 562FF225 A2B11F18 E53C4415 61C3B741 3A06E75D B4F9102D 6163EE40
16C68FD7 6532F660 97B59118 9C8DE3E5 4E2F2925 BBB87FCB 95223D4E A5E362DB
215CB35C 260080805 17BBE1EF C3050E13 031F3D5B 5C22D16C FC8B1EC5 074F07A5
D050EC80 7890D9C5 EC20D6F0 173FE2BA 89F5B5F9 2EADC9A6 D461921E 3D5B60016
ABB8B6B9 E2124A21 93F0E4AE B487461B E7F1F1C4 032A0B0E 80DC3E15 CB268EC9
5D76B9BD 3C78CB75 CE9F68C6 484D6573 CBC3EB59 4B5F3999 8F9D0203 010001
quit
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map vpn1 1 ipsec-isakmp
set peer 172.18.1.1
set transform-set vpn1
match address 101
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
crypto map vpn1
!
interface FastEthernet1/1
ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
IPSec-to-MPLS VPN with RSA Signatures Example
The following shows an IPSec-to-MPLS VPN configuration using RSA signatures:
PE Router Configuration
ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 100:1
!
crypto ca trustpoint bombo
enrollment url http://172.31.68.59:80
crl optional
!
crypto ca certificate chain bombo
certificate 03C0
308203BF 308202A7 A0030201 02020203 C0300D06 092A8648 86F70D01 01050500
. . .
quit
certificate ca 01
30820379 30820261 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
. . .
quit
!
crypto isakmp profile vpn1
vrf vpn1
ca trust-point bombo
match identity address 172.16.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn1
set isakmp-profile vpn1
match address 101
!
interface Ethernet1/1
ip address 172.31.1.1 255.255.0.0
tag-switching ip
!
interface Ethernet1/2
ip address 172.18.1.1 255.255.255.0
crypto map crypmap
!
ip route 172.16.1.1 255.255.255.255 172.18.1.2
ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
IPSec CPE Configuration for VPN1
crypto ca trustpoint bombo
enrollment url http://172.31.68.59:80
crl optional
!
crypto ca certificate chain bombo
certificate 03BF
308203BD 308202A5 A0030201 02020203 BF300D06 092A8648 86F70D01 01050500
. . .
quit
certificate ca 01
30820379 30820261 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
. . .
quit
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map vpn1 1 ipsec-isakmp
set peer 172.18.1.1
set transform-set vpn1
match address 101
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
crypto map vpn1
!
interface FastEthernet1/1
ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
IPSec Remote Access-to-MPLS VPN Example
The following shows an IPSec remote access-to-MPLS VPN configuration. The configuration maps IPSec tunnels to MPLS VPNs. The IPSec tunnels terminate on a single public-facing interface.
PE Router Configuration
aaa new-model
!
aaa group server radius vpn1
server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key vpn1
!
aaa group server radius vpn2
server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key vpn2
!
aaa authorization network aaa-list group radius
!
ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf vpn2
rd 101:1
route-target export 101:1
route-target import 101:1
!
crypto isakmp profile vpn1-ra
vrf vpn1
match identity group vpn1-ra
client authentication list vpn1
isakmp authorization list aaa-list
client configuration address initiate
client configuration address respond
crypto isakmp profile vpn2-ra
vrf vpn2
match identity group vpn2-ra
client authentication list vpn2
isakmp authorization list aaa-list
client configuration address initiate
client configuration address respond
!
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto dynamic-map vpn1 1
set transform-set vpn1
set isakmp-profile vpn1-ra
reverse-route
!
crypto dynamic-map vpn2 1
set transform-set vpn2
set isakmp-profile vpn2-ra
reverse-route
!
!
crypto map ra 1 ipsec-isakmp dynamic vpn1
crypto map ra 2 ipsec-isakmp dynamic vpn2
!
interface Ethernet1/1
ip address 172.17.1.1 255.255.0.0
tag-switching ip
!
interface Ethernet1/2
ip address 172.18.1.1 255.255.255.0
crypto map ra
!
ip local pool vpn1-ra 10.4.1.1 10.4.1.254 group vpn1-ra
ip local pool vpn2-ra 10.4.1.1 10.4.1.254 group vpn2-ra
!
Upgrade from Previous Versions of the Cisco Network-Based IPSec VPN Solution
The VRF-Aware IPSec feature in the Cisco network-based IPSec VPN solution release 1.5 requires that you change your existing configurations.
The sample configurations that follow indicate the changes you must make to your existing configurations. These samples include the following:
• Site-to-Site Configuration Upgrade
• Remote Access Configuration Upgrade
• Combination Site-to-Site and Remote Access Configuration Upgrade
Site-to-Site Configuration Upgrade
The following configurations show the changes that are necessary for a site-to-site configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:
Previous Version Site-to-Site Configuration
crypto isakmp key VPN1 address 172.21.25.74
crypto isakmp key VPN2 address 172.21.21.74
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
set peer 172.21.25.74
set transform-set VPN1
match address 101
!
crypto map VPN2 10 ipsec-isakmp
set peer 172.21.21.74
set transform-set VPN2
match address 102
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding VPN1
ip address 172.21.25.73 255.255.255.0
crypto map VPN1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2 native
ip vrf forwarding VPN2
ip address 172.21.21.74 255.255.255.0
crypto map VPN2
New Version Site-to-Site Configuration
The following is an upgraded version of the same site-to-site configuration to the Cisco network-based IPSec VPN solution release 1.5 solution:
Note You must change to keyrings. The VRF-Aware IPSec feature requires that keys be associated with a VRF if the IKE local endpoint is in the VRF.
crypto keyring VPN1-KEYS vrf VPN1
pre-shared-key address 172.21.25.74 key VPN1
!
crypto keyring VPN2-KEYS vrf VPN2
pre-shared-key address 172.21.21.74 key VPN2
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
set peer 172.21.25.74
set transform-set VPN1
match address 101
!
crypto map VPN2 10 ipsec-isakmp
set peer 172.21.21.74
set transform-set VPN2
match address 102
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding VPN1
ip address 172.21.25.73 255.255.255.0
crypto map VPN1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2 native
ip vrf forwarding VPN2
ip address 172.21.21.74 255.255.255.0
crypto map VPN2
Remote Access Configuration Upgrade
The following configurations show the changes that are necessary for a remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:
Previous Version Remote Access Configuration
crypto isakmp client configuration group VPN1-RA-GROUP
key VPN1-RA
pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
key VPN2-RA
pool VPN2-RA
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
set transform-set VPN1-RA
reverse-route
!
crypto dynamic-map VPN2-RA 1
set transform-set VPN2-RA
reverse-route
!
!
crypto map VPN1 client authentication list VPN1-RA-LIST
crypto map VPN1 isakmp authorization list VPN1-RA-LIST
crypto map VPN1 client configuration address initiate
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 client authentication list VPN2-RA-LIST
crypto map VPN2 isakmp authorization list VPN2-RA-LIST
crypto map VPN2 client configuration address initiate
crypto map VPN2 client configuration address respond
crypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding VPN1
ip address 172.21.25.73 255.255.255.0
crypto map VPN1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2 native
ip vrf forwarding VPN2
ip address 172.21.21.74 255.255.255.0
crypto map VPN2
New Version Remote Access Configuration
In the following instance, there is no upgrade; it is recommended that you change to the following configuration:
crypto isakmp client configuration group VPN1-RA-GROUP
key VPN1-RA
pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
key VPN2-RA
pool VPN2-RA
!
crypto isakmp profile VPN1-RA
match identity group VPN1-RA-GROUP
client authentication list VPN1-RA-LIST
isakmp authorization list VPN1-RA-LIST
client configuration address initiate
client configuration address respond
!
crypto isakmp profile VPN2-RA
match identity group VPN2-RA-GROUP
client authentication list VPN2-RA-LIST
isakmp authorization list VPN2-RA-LIST
client configuration address initiate
client configuration address respond
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
set transform-set VPN1-RA
set isakmp-profile VPN1-RA
reverse-route
!
crypto dynamic-map VPN2-RA 1
set transform-set VPN2-RA
set isakmp-profile VPN2-RA
reverse-route
!
crypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding VPN1
ip address 172.21.25.73 255.255.255.0
crypto map VPN1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2 native
ip vrf forwarding VPN2
ip address 172.21.21.74 255.255.255.0
crypto map VPN2
Combination Site-to-Site and Remote Access Configuration Upgrade
The following configurations show the changes that are necessary for a site-to-site and remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:
Previous Version Site-to-Site and Remote Access Configuration
crypto isakmp key VPN1 address 172.21.25.74 no-xauth
crypto isakmp key VPN2 address 172.21.21.74 no-xauth
!
crypto isakmp client configuration group VPN1-RA-GROUP
key VPN1-RA
pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
key VPN2-RA
pool VPN2-RA
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
set transform-set VPN1-RA
reverse-route
!
crypto dynamic-map VPN2-RA 1
set transform-set VPN2-RA
reverse-route
!
crypto map VPN1 client authentication list VPN1-RA-LIST
crypto map VPN1 isakmp authorization list VPN1-RA-LIST
crypto map VPN1 client configuration address initiate
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp
set peer 172.21.25.74
set transform-set VPN1
match address 101
crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 client authentication list VPN2-RA-LIST
crypto map VPN2 isakmp authorization list VPN2-RA-LIST
crypto map VPN2 client configuration address initiate
crypto map VPN2 client configuration address respond
crypto map VPN2 10 ipsec-isakmp
set peer 172.21.21.74
set transform-set VPN2
match address 102
crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding VPN1
ip address 172.21.25.73 255.255.255.0
crypto map VPN1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2 native
ip vrf forwarding VPN2
ip address 172.21.21.74 255.255.255.0
crypto map VPN2
New Version Site-to-Site and Remote Access Configuration
You must upgrade to this configuration:
Note For site-to-site configurations that do not require XAUTH, configure an ISAKMP profile without XAUTH configuration. For remote access configurations that require XAUTH, configure an ISAKMP profile with XAUTH.
crypto keyring VPN1-KEYS vrf VPN1
pre-shared-key address 172.21.25.74 key VPN1
!
crypto keyring VPN2-KEYS vrf VPN2
pre-shared-key address 172.21.21.74 key VPN2
!
crypto isakmp client configuration group VPN1-RA-GROUP
key VPN1-RA
pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
key VPN2-RA
pool VPN2-RA
!
crypto isakmp profile VPN1
keyring VPN1-KEYS
match identity address 172.21.25.74 VPN1
!
crypto isakmp profile VPN2
keyring VPN2-KEYS
match identity address 172.21.21.74 VPN2
!
crypto isakmp profile VPN1-RA
match identity group VPN1-RA-GROUP
client authentication list VPN1-RA-LIST
isakmp authorization list VPN1-RA-LIST
client configuration address initiate
client configuration address respond
!
crypto isakmp profile VPN2-RA
match identity group VPN2-RA-GROUP
client authentication list VPN2-RA-LIST
isakmp authorization list VPN2-RA-LIST
client configuration address initiate
client configuration address respond
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
set transform-set VPN1-RA
set isakmp-profile VPN1-RA
reverse-route
!
crypto dynamic-map VPN2-RA 1
set transform-set VPN2-RA
set isakmp-profile VPN2-RA
reverse-route
!
crypto map VPN1 10 ipsec-isakmp
set peer 172.21.25.74
set transform-set VPN1
set isakmp-profile VPN1
match address 101
crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 10 ipsec-isakmp
set peer 172.21.21.74
set transform-set VPN2
set isakmp-profile VPN2
match address 102
crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding VPN1
ip address 172.21.25.73 255.255.255.0
crypto map VPN1
!
interface FastEthernet0/0.2
encapsulation dot1Q 2 native
ip vrf forwarding VPN2
ip address 172.21.21.74 255.255.255.0
crypto map VPN2
Additional References
For additional information related to VRF-Aware IPSec, refer to the following references:
Related Documents
Standards
Standards1 TitleNo new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
1 Not all supported standards are listed.
MIBs
MIBs1 MIBs Link•No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
1 Not all supported MIBs are listed.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
RFCs1 TitleNo new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
1 Not all supported RFCs are listed.
Technical Assistance
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.
New Commands
•address
•ca trust-point
•client authentication list
•client configuration address
•crypto isakmp profile
•crypto keyring
•crypto map isakmp-profile
•initiate-mode
•isakmp authorization list
•keepalive (isakmp profile)
•keyring
•key-string
•match identity
•no crypto xauth
•pre-shared-key
•quit
•rsa-pubkey
•self-identity
•serial-number
•set isakmp-profile
•show crypto isakmp key
•show crypto isakmp profile
•vrf
Modified Commands
•clear crypto sa
•crypto isakmp peer
•crypto map isakmp-profile
•show crypto dynamic-map
•show crypto ipsec sa
•show crypto isakmp sa
•show crypto map (IPSec)
address
To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.
address ip-address
no address ip-address
Syntax Description
Defaults
No default behavior or values
Command Modes
Rsa-pubkey configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.
Examples
The following example specifies the RSA public key of an IP Security (IPSec) peer:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related CommandsRouter(config)# crypto keyring vpnkeyring
Related CommandsRouter(conf-keyring)# rsa-pubkey name host.vpn.com
Related CommandsRouter(config-pubkey-key)# address 10.5.5.1
Related CommandsRouter(config-pubkey)# key-string
Related CommandsRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Related CommandsRouter(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Related CommandsRouter(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Related CommandsRouter(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Related CommandsRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Related CommandsRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Related CommandsRouter(config-pubkey)# quit
Related CommandsRouter(config-pubkey-key)# exit
Related CommandsRouter(conf-keyring)# exit
Related CommandsRouter(config)#
Related Commands
ca trust-point
To identify the trustpoints that will be used to validate a certificate during Internet Key Exchange (IKE) authentication, use the ca trust-point command in isakmp profile configuration mode. To remove the trustpoint, use the no form of this command.
ca trust-point trustpoint-name
no ca trust-point trustpoint-name
Syntax Description
Defaults
If there is no trustpoint defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
The ca trust-point command can be used multiple times to define more than one trustpoint.
This command is useful when you want to restrict validation of certificates to a list of trustpoints. For example, the router global configuration has two trustpoints, A and B, which are trusted by VPN1 and VPN2, respectively. Each Virtual Private Network (VPN) wants to restrict validation only to its trustpoint.
Before you can use this command, you must enter the crypto isakmp profile command.
Note A router initiating IKE and a router responding to the IKE request should have symmetrical trustpoint configurations. For example, a responding router (in IKE Main Mode) performing RSA signature encryption and authentication might use trustpoints that were defined in the global configuration when sending the CERT-REQ payloads. However, the router might use a restricted list of trustpoints that were defined in the ISAKMP profile for the certificate verification. If the peer (the IKE initiator) is configured to use a certificate whose trustpoint is in the global list of the responding router but not in ISAKMP profile of the responding router, the certificate will be rejected. (However, if the initiating router does not know about the trustpoints in the global configuration of the responding router, the certificate can still be authenticated.)
Examples
The following example specifies two trustpoints, A and B. The ISAKMP profile configuration restricts each VPN to one trustpoint:
crypto ca trustpoint A
enrollment url http://kahului:80
crypto ca trustpoint B
enrollment url http://arjun:80
!
crypto isakmp profile vpn1
trustpoint A
!
crypto isakmp profile vpn2
ca trust-point B
Related Commands
clear crypto sa
To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in EXEC mode.
clear crypto sa
clear crypto sa peer [vrf fvrf-name] address
clear crypto sa map map-name
clear crypto sa entry destination-address protocol spi
clear crypto sa counters
clear crypto sa [vrf ivrf-name]
Syntax Description
Defaults
If the peer, map, entry, or counters keywords are not used, all IPSec SAs are deleted.
Command Modes
EXEC
Command History
Usage Guidelines
This command clears (deletes) IPSec SAs.
If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)
If the peer, map, entry, or counters keywords are not used, all IPSec SAs will be deleted.
•The peer keyword deletes any IPSec SAs for the specified peer.
•The map keyword deletes any IPSec SAs for the named crypto map set.
•The entry keyword deletes the IPSec SA with the specified address, protocol, and SPI.
If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you only clear the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command only clears IPSec SAs; to clear IKE state, use the clear crypto isakmp command.
Examples
The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:
clear crypto sa
The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256
The following example clears all the SAs for VRF VPN1:
clear crypto sa vrf vpn1
Related Commands
client authentication list
To configure Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in isakmp profile configuration mode. To remove IKE XAUTH, use the no form of this command.
client authentication list list-name
no client authentication list list-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Before configuring XAUTH, you must set up an authentication list using AAA commands.
Examples
The following example shows that user authentication is configured. User authentication is a list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile."
crypto isakmp profile vpnprofile
client authentication list xauthlist
Related Commands
client configuration address
To configure Internet Key Exchange (IKE) mode configuration in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in isakmp profile configuration mode. To disable IKE configuraton mode, use the no form of this command.
client configuration address {initiate | respond}
no client configuration address {initiate | respond}
Syntax Description
initiate
Router will attempt to set IP addresses for each peer.
respond
Router will accept requests for IP addresses from any requesting peer.
Defaults
IKE configuration is not enabled.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the crypto isakmp profile command.
Examples
The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile":
crypto isakmp profile vpnprofile
client configuration address initiate
client configuration address respond
Related Commands
crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}
no crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release Modification12.2(8)T
This command was introduced.
12.2(15)T
The vrf keyword and fvrf-name argument were added.
Usage Guidelines
After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.
Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer ip-address 4.4.4.1 vrf vpn1
set aggressive-mode client-endpoint user-fqdn user@cisco.com
set aggressive-mode password cisco123
Related Commands
crypto isakmp profile
To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPSec) user sessions, use the crypto isakmp profile command in global configuration mode. To remove the profile, use the no form of this command.
crypto isakmp profile profile-name
no crypto isakmp profile profile-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
ISAKMP Profile
An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (XAUTH) and mode configuration.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the IKE exchange) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.
Note The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofile
match identity address 10.76.11.53
The following accounting example shows that an ISAKMP profile has been configured:
aaa new-model
!
!
aaa authentication login cisco-client group radius
aaa authorization network cisco-client group radius
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
!
crypto isakmp profile cisco
vrf cisco
match identity group cisco-client
client authentication list cisco-client
isakmp authorization list cisco-client
client configuration address respond
accounting acc
!
crypto dynamic-map dynamic 1
set transform-set aswan
set isakmp-profile cisco
reverse-route
!
!
radius-server host 172.1.1.4 auth-port 1645 acct-port 1646
radius-server key nsite
Related Commands
crypto keyring
To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Defaults
All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.
Command Modes
Global configuration
Command History
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the isakmp profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring vpnkeys
pre-shared-key address 10.72.23.11 key vpnsecret
crypto isakmp profile vpnprofile
keyring vpnkeys
crypto map isakmp-profile
To configure an Internet Security Association and Key Management Protocol (ISAKMP) profile on a crypto map, use the crypto map isakmp-profile command in global configuration mode. To restore the default values on the crypto map, use the no form of this command.
crypto map isakmp-profile map-name isakmp-profile isakmp-profile-name
no crypto map isakmp-profile map-name isakmp-profile isakmp-profile-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
This command describes the ISAKMP profile to use to start the IKE exchange. Before configuring this command, you must set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile is configured on a crypto map:
crypto map vpnmap isakmp-profile vpnprofile
Related Commands
Command Descriptioncrypto ipsec transform-set
Defines a transform set—an acceptable combination of security protocols and algorithms.
crypto map (global)
Creates or modifies a crypto map entry.
initiate-mode
To configure the Phase 1 mode of an Internet Key Exchange (IKE), use the initiate-mode command in isakmp profile configuration mode. To remove the mode that was configured, use the no form of this command.
initiate-mode aggressive
no initiate-mode aggressive
Syntax Description
Defaults
IKE initiates main mode.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command if you want to initiate an IKE aggressive mode exchange instead of a main mode exchange.
Examples
The following example shows that aggressive mode has been configured:
crypto isakmp profile vpnprofile
initiate-mode aggressive
isakmp authorization list
To configure an Internet Key Exchange (IKE) shared secret using the authentication, authorization, and accounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the isakmp authorization list command in isakmp profile configuration mode. To disable the shared secret, use the no form of this command.
isakmp authorization list list-name
no isakmp authorization list list-name
Syntax Description
list-name
AAA authorization list used for configuration mode attributes or preshared keys in the case of aggresive mode.
Defaults
No default behaviors or values
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
This command allows you to retrieve a shared secret from an AAA server.
Examples
The following example shows that an IKE shared secret is configured using an AAA server on a router:
crypto isakmp profile vpnprofile
isakmp authorization list ikessaaalist
Related Commands
keepalive (isakmp profile)
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the keepalive command in isakmp profile configuration mode. To return to the default, use the no form of this command.
keepalive seconds retry retry-seconds
no keepalive seconds retry retry-seconds
Syntax Description
seconds
Number of seconds between DPD messages. The range is from 10 to 3600 seconds.
retry retry-seconds
Number of seconds between retries if DPD message fails. The range is from 2 to 60 seconds.
Defaults
If this command is not configured, a DPD message is not sent to the client.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command to enable the gateway (instead of the client) to send DPD messages to the client. Internet Key Exchange (IKE) DPD is a new keepalive scheme that sends messages to let the router know that the client is still connected.
Examples
The following example shows that DPD messages have been configured to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
crypto isakmp profile vpnprofile
keepalive 60 retry 5
keyring
To configure a keyring with an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the keyring command in isakmp profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring keyring-name
no keyring keyring-name
Syntax Description
keyring-name
The keyring name, which must match the keyring name that was defined in the global configuration.
Defaults
If this command is not used, the ISAKMP profile uses the keys defined in the global configuration.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used.
Examples
The following example shows that "vpnkeyring" is configured as the keyring name:
crypto isakmp profile vpnprofile
keyring vpnkeyring
key-string
To specify the Rivest, Shamir, and Adelman (RSA) public key of the remote peer, use the key-string command in pubkey configuration mode. To remove the RSA public key, use the no form of this command.
key-string
no key-string
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Pubkey configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.
Examples
The following example shows that the RSA public key of an IP Security (IPSec) peer is configured:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
match identity
To match an identity from a peer in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the match identity command in isakmp profile configuration mode. To remove the identity, use the no form of this command.
match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
no match identity {group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
There must be at least one match identity command in an isakmp profile configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE] exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
Examples
The following example shows that the match identity command is configured:
crypto isakmp profile vpnprofile
match identity group vpngroup
match identity address 10.53.11.1
match identity host domain vpn.com
match identity host server.vpn.com
no crypto xauth
To ignore extended authentication (XAUTH) during an Internet Key Exchange (IKE) Phase 1 negotiation, use the no crypto xauth command in global configuration mode. To consider XAUTH proposals, use the crypto xauth command.
no crypto xauth interface
crypto xauth interface
Syntax Description
interface
Interface whose IP address is the local endpoint to which the remote peer will send IKE requests.
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
The no version of this command was introduced to support Unity clients that do not require XAUTH when using Internet Security Association and Key Management Protocol (ISAKMP) profiles.
Examples
The following example shows that XAUTH proposals on Ethernet 1/1 are to be ignored:
no crypto xauth Ethernet1/1
pre-shared-key
To define a preshared key to be used for Internet Key Exchange (IKE) authentication, use the pre-shared-key command in keyring configuration mode. To disable the preshared key, use the no form of this command.
pre-shared-key {address address [mask] | hostname hostname} key key
no pre-shared-key {address address [mask] | hostname hostname} key key
Syntax Description
Defaults
No default behaviors or values
Command Modes
Keyring configuration
Command History
Usage Guidelines
Before configuring preshared keys, you must configure an Internet Security Association and Key Management Protocol (ISAKMP) profile.
Examples
The following example shows how to configure a preshared key using an IP address and host name:
crypto keyring vpnkeyring
pre-shared-key address 10.72.23.11 key vpnkey
pre-shared-key hostname www.vpn.com key vpnkey
quit
To exit from the key-string mode while defining the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the quit command in public key configuration mode.
quit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
Use this command to exit text mode while defining the RSA public key.
Examples
The following example shows that the RSA public key of an IP Security (IPSec) peer has been specified:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
Command Descriptionaddress
Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE)
Specifies the RSA public key of a remote peer.
rsa-pubkey
To define the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signature during Internet Key Exchange (IKE) authentication, use the rsa-pubkey command in keyring configuration mode. To remove the manual key that was defined, use the no form of this command.
rsa-pubkey{address address | name fqdn} [encryption | signature]
no rsa-pubkey {address address | name fqdn} [encryption | signature]
Syntax Description
Defaults
No default behavior or values
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
Examples
The following example shows that the RSA public key of an IPSec peer has been specified:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
Command Descriptionaddress
Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE)
Specifies the RSA public key of a remote peer.
self-identity
To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in isakmp profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.
self-identity {address | fqdn | user-fqdn user-fqdn}
no self-identity {address | fqdn | user-fqdn user-fqdn}
Syntax Description
address
The IP address of the local endpoint.
fqdn
The fully qualified domain name (FQDN) of the host.
user-fqdn user-fqdn
The user FQDN that is sent to the remote endpoint.
Defaults
If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.
Command Modes
Isakmp profile configuration
Command History
Examples
The following example shows that the IKE identity is the user FQDN "user@vpn.com":
crypto isakmp profile vpnprofile
self-identity user-fqdn user@vpn.com
serial-number
To define the serial number for the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the manual key that was defined, use the no form of this command.
serial-number serial-number
no serial-number serial-number
Syntax Description
Defaults
No default behavior or values
Command Modes
Pubkey configuration
Command History
Examples
The following example shows that the public key of an IP Security (IPSec) peer has been specified:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# serial-number 1000000
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
Command Descriptionaddress
Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE)
Specifies the RSA public key of a remote peer.
set isakmp-profile
To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.
set isakmp-profile profile-name
no set isakmp-profile profile-name
Syntax Description
Defaults
If the ISAKMP profile is not specified in the crypto map entry, the default is to use the ISAKMP profile on the head. If there is no ISAKMP profile on the head, the default is to "none."
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command describes the ISAKMP profile to use when the Internet Key Exchange (IKE) is initiated.
Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile is configured on a crypto map:
crypto map vpnmap 10 ipsec-isakmp
set isakmp-profile vpnprofile
Related Commands
show crypto dynamic-map
To view a dynamic crypto map set, use the show crypto dynamic-map in EXEC mode.
show crypto dynamic-map [tag map-name]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Use the show crypto dynamic-map command to view a dynamic crypto map set.
Examples
The following is sample output for the show crypto dynamic-map command:
Router# show crypto dynamic-map
Crypto Map Template"vpn1" 1
ISAKMP Profile: vpn1-ra
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
vpn1,
The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto dynamic-map vpn1 1
set transform-set vpn1
set isakmp-profile vpn1-ra
reverse-route
Related Commands
show crypto ipsec sa
To view the settings used by current security associations (SAs), use the show crypto ipsec sa command in EXEC mode.
show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
If no keyword is used, all SAs are displayed. They are sorted first by interface, and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).
Examples
The following is sample output for the show crypto ipsec sa command:
Router# show crypto ipsec sa vrf vpn2
interface: Ethernet1/2
Crypto map tag: ra, local addr. 172.16.1.1
protected vrf: vpn2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)
current_peer: 10.1.1.1:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 50110CF8
inbound esp sas:
spi: 0xA3E24AFD(2749516541)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5127, flow_id: 7, crypto map: ra
sa timing: remaining key lifetime (k/sec): (4603517/3503)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x50110CF8(1343294712)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5128, flow_id: 8, crypto map: ra
sa timing: remaining key lifetime (k/sec): (4603517/3502)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
The following configuration was in effect when the above show crypto ipsec sa vrf command was issued. The IPSec remote access tunnel was "UP" when this command was issued.
crypto dynamic-map vpn1 1
set transform-set vpn1
set isakmp-profile vpn1-ra
reverse-route
!
crypto dynamic-map vpn2 1
set transform-set vpn2
set isakmp-profile vpn2-ra
reverse-route
!
!
crypto map ra 1 ipsec-isakmp dynamic vpn1
crypto map ra 2 ipsec-isakmp dynamic vpn2
show crypto isakmp key
To list the keyrings and their preshared keys, use the show crypto isakmp key command in EXEC mode.
show crypto isakmp key
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto isakmp key command:
Router# show crypto isakmp key
Hostname/Address Preshared Key
vpn1 : 172.61.1.1 vpn1
vpn2 : 10.1.1.1 vpn2
The following configuration was in effect when the above show crypto isakmp key command was issued:
crypto keyring vpn1
pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2
pre-shared-key address 10.1.1.1 key vpn2
Table 1 describes significant fields in the show crypto isakmp key profile:
show crypto isakmp profile
To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.
show crypto isakmp profile
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto isakmp profile command:
Router# show crypto isakmp profile
ISAKMP PROFILE vpn1-ra
Identities matched are:
group vpn1-ra
Identity presented is: ip-address
The following configuration was in effect when the above show crypto isakmp profile command was issued:
crypto isakmp profile vpn1-ra
vrf vpn1
self-identity address
match identity group vpn1-ra
client authentication list aaa-list
isakmp authorization list aaa
client configuration address initiate
client configuration address respond
Table 2 describes significant fields in the display.
Related Commands
show crypto isakmp sa
To view all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp sa
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output from the show crypto isakmp sa command after IKE negotiations have been successfully completed between two peers:
Router# show crypto isakmp sa
f_vrf/i_vrf dst src state conn-id slot
/vpn2 172.21.114.123 10.1.1.1 QM_IDLE 13 0
Table 3 through Table 6 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.
Table 6 describes significant fields shown in the display.
Related Commands
Command Descriptioncrypto isakmp policy
Defines an IKE policy.
lifetime (IKE policy)
Specifies the lifetime of an IKE SA.
show crypto map (IPSec)
To view the crypto map configuration, use the show crypto map in EXEC mode.
show crypto map [interface interface | tag map-name]
Syntax Description
interface interface
(Optional) Displays only the crypto map set applied to the specified interface.
tag map-name
(Optional) Displays only the crypto map set with the specified map-name.
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto map command:
Router# show crypto map
Crypto Map "crypmap" 1 ipsec-isakmp
Peer = 172.1.1.1
ISAKMP Profile: vpn1
Extended IP access list 101
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip host 192.168.1.1 host 10.2.1.1
access-list 101 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
Current peer: 172.16.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
vpn1,
The following configuration was in effect when the above show crypto map command was issued:
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn1
set isakmp-profile vpn1
match address 101
Table 7 describes significant fields in the display.
Table 7 show crypto map Field Descriptions
Field DescriptionISAKMP Profile
The Internet Security Association and Key Management Protocol (ISAKMP) profile that is configured on the crypto map entry.
vrf
To map the IP security (IPSec) tunnel to a Virtual Route Forwarding (VRF) instance, use the vrf command in isakmp profile configuration mode. To remove the VRF, use the no form of this command.
vrf ivrf
no vrf ivrf
Syntax Description
Defaults
The VRF will be the same as the Front Door Virtual Routing and Forwarding (FVRF).
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).
Note•This command must be used only when mapping IPSec tunnels from a global VPN to a specific VPN. The command does not support IPSec tunnel mapping between VRFs, for example, from VRF vpn1 to VRF vpn2.
•If traffic from the router to a certification authority (CA) (for authentication, enrollment, or obtaining a certificate revocation list) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.
Examples
The following example shows that two IPSec tunnels to VNP1 and VPN2 are terminated:
crypto isakmp profile vpn1
vrf vpn1
keyring vpn1
match identity address 172.16.1.1 255.255.255.255
!
crypto isakmp profile vpn2
vrf vpn2
keyring vpn2
match identity address 10.1.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn1
set isakmp-profile vpn1
match address 101
crypto map crypmap 3 ipsec-isakmp
set peer 10.1.1.1
set transform-set vpn2
set isakmp-profile vpn2
match address 102
!
!
interface Ethernet1/2
ip address 172.26.1.1 255.255.255.0
crypto map crypmap
The following is an invalid configuration where the FVRF is vpn1 and IVRF is vpn2.
crypto isakmp profile vpn2
vrf vpn2
match identity address 172.16.1.1 255.255.255.255
!
crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set vpn2
set isakmp-profile vpn2
match address 101
!
interface Ethernet1/2
ip vrf forwarding vpn1
ip address 172.26.1.1 255.255.255.0
crypto map crypmap
!
Glossary
CA—certification authority. CA is an entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.
CLI—command-line-interface. CLI is an interface that allows the user to interact with the operating system by entering commands and optional arguments. The UNIX operating system and DOS provide CLIs.
client—Corresponding IPSec IOS peer of the UUT in the Multi Protocol Label Switching (MPLS) network.
dead peer—IKE peer that is no longer reachable.
DN—Distinguished Name. A DN is the global, authoritative name of an entry in the Open System Interconnection (OSI Directory [X.500]).
FQDN—fully qualified domain name. A FQDN is the full name of a system rather than just its host name. For example, aldebaran is a host name, and aldebaran.interop.com is an FQDN.
FR—Frame Relay. FR is an industry-standard, switch-data-link-layer protocol that handles multiple virtual circuits using high-level data link (HDLC) encapsulation between connected devices. Frame Relay is more efficient than X.25, the protocol for which it generally is considered a replacement.
FVRF—Front Door Virtual Routing and Forwarding (VRF) repository. FVRF is the VRF used to route the encrypted packets to the peer.
IDB—Interface descriptor block. An IDB subblock is an area of memory that is private to an application. This area stores private information and states variables that an application wants to associate with an IDB or an interface. The application uses the IDB to register a pointer to its subblock, not to the contents of the subblock itself.
IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router, firewall, and host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service.
IKE keepalive—Bidirectional mechanism for determining the liveliness of an IKE peer.
IPSec—Security protocol for IP.
IVRF—Inside Virtual Routing and Forwarding. IVRF is the VRF of the plaintext packets.
MPLS—Multiprotocol Label Switching. MPLS is a switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.
RSA—Rivest, Shamir, and Adelman are the inventors of the RSA technique. The RSA technique is a public-key cryptographic system that can be used for encryption and authentication.
SA—Security Association. SA is an instance of security policy and keying material applied to a data flow.
VPN—Virtual Private Network. A VPN enables IP traffic to travel securely over a public TCP or IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
VRF—Virtual Route Forwarding. VRF is A VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.
XAUTH—Extended authentication. XAUTH is an optional exchange between IKE Phase 1 and IKE Phase 2, in which the router demands additional authentication information in an attempt to authenticate the actual user (as opposed to authenticating the peer).
Note Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.
Posted: Mon Mar 22 18:36:17 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.