|
|
Table Of Contents
Restrictions for VRF-Aware IPSec
Information About VRF-Aware IPSec
VRF-Aware IPSec Functional Overview
How to Configure VRF-Aware IPSec
Configuring an ISAKMP Profile on a Crypto Map
Configuring to Ignore Extended Authentication During IKE Phase 1 Negotiation
Clearing Security Associations
Troubleshooting VRF-Aware IPSec
Configuration Examples for VRF-Aware IPSec
Static IPSec-to-MPLS VPN Example
IPSec-to-MPLS VPN Using RSA Encryption Example
IPSec-to-MPLS VPN with RSA Signatures Example
IPSec Remote Access-to-MPLS VPN Example
Upgrade from Previous Versions of the Cisco Network-Based IPSec VPN Solution
VRF-Aware IPSec
The VRF-Aware IPSec feature introduces IP Security (IPSec) tunnel mapping to Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). Using the VRF-Aware IPSec feature, you can map IPSec tunnels to Virtual Routing and Forwarding (VRF) instances using a single public-facing address.
Feature Specifications for VRF-Aware IPSec
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Restrictions for VRF-Aware IPSec
•
•
•
•
Restrictions for VRF-Aware IPSec
•
Information About VRF-Aware IPSec
The VRF-Aware IPSec feature maps an IPSec tunnel to a MPLS VPN. To configure and use the feature, you need to understand the following concepts:
•
VRF Instance
A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.
MPLS Distribution Protocol
The MPLS distribution protocol is a high-performance packet-forwarding technology that integrates the performance and traffic management capabilities of data link layer switching with the scalability, flexibility, and performance of network-layer routing.
VRF-Aware IPSec Functional Overview
Front Door VRF (FVRF) and Inside VRF (IVRF) are central to understanding the feature.
Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.
One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.
Figure 1 is an illustration of a scenario showing IPSec to MPLS and Layer 2 VPNs.
Figure 1 IPSec to MPLS and Layer 2 VPNs
Packet Flow into the IPSec Tunnel
•
•
•
Packet Flow from the IPSec Tunnel
•
•
•
•
How to Configure VRF-Aware IPSec
This section contains the following procedures:
•
•
•
•
•
•
Configuring Crypto Keyrings
A crypto keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. There can be zero or more keyrings on the Cisco IOS router.
Perform the following optional task to configure a crypto keyring.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Configuring ISAKMP Profiles
An ISAKMP profile is a repository for IKE Phase 1 and IKE Phase 1.5 configuration for a set of peers. An ISAKMP profile defines items such as keepalive, trustpoints, peer identities, and XAUTH AAA list during the IKE Phase 1 and Phase 1.5 exchange. There can be zero or more ISAKMP profiles on the Cisco IOS router.
Note
•
Restriction
A router initiating IKE and a router responding to the IKE request should have symmetrical trustpoint configurations. For example, a responding router (in IKE Main Mode) performing RSA signature encryption and authentication might use trustpoints that were defined in the global configuration when sending the CERT-REQ payloads. However, the router might use a restricted list of trustpoints that were defined in the ISAKMP profile for the certificate verification. If the peer (the IKE initiator) is configured to use a certificate whose trustpoint is in the global list of the responding router but not in ISAKMP profile of the responding router, the certificate will be rejected. (However, if the initiating router does not know about the trustpoints in the global configuration of the responding router, the certificate can still be authenticated.)
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPS
What to Do Next
Go to the section " Configuring an ISAKMP Profile on a Crypto Map."
Configuring an ISAKMP Profile on a Crypto Map
An ISAKMP profile must be applied to the crypto map. The IVRF on the ISAKMP profile is used as a selector when matching the VPN traffic. If there is no IVRF on the ISAKMP profile, the IVRF will be equal to the FVRF. Perform this required task to configure an ISAKMP profile on a crypto map.
Prerequisites
Before configuring an ISAKMP profile on a crypto map, you must first have configured your router for basic IPSec.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring to Ignore Extended Authentication During IKE Phase 1 Negotiation
To ignore XAUTH during an IKE Phase 1 negotiation, use the no crypto xauth command. Use the no crypto xauth command if you do not require extended authentication for the Unity clients.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying VRF-Aware IPSec
To verify your VRF-Aware IPSec configurations, use the following show commands. These show commands allow you to list configuration information and security associations (SAs):
SUMMARY STEPS
•
•
•
•
•
DETAILED STEPS
Clearing Security Associations
The following clear commands allow you to clear SAs.
SUMMARY STEPS
•
•
DETAILED STEPS
Troubleshooting VRF-Aware IPSec
To troubleshoot VRF-Aware IPSec, use the following debug commands:
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Debug Examples for VRF-Aware IPSec
The following sample debug outputs are for a VRF-aware IPSec configuration:
IPSec PE
Router# debug crypto ipsecCrypto IPSEC debugging is onIPSEC-PE#debug crypto isakmpCrypto ISAKMP debugging is onIPSEC-PE#debug crypto isakmp d04:31:28: ISAKMP (0:12): purging SA., sa=6482B354, delme=6482B35404:31:28: ISAKMP: Unlocking IKE struct 0x63C142F8 for declare_sa_dead(), count 0IPSEC-PE#debug crypto isakmp detailCrypto ISAKMP internals debugging is onIPSEC-PE#IPSEC-PE#IPSEC-PE#04:32:07: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 63C142F804:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.104:32:55: ISAKMP cookie 3123100B DC887D4E04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.68.1.104:32:55: ISAKMP cookie AA8F7B41 49A60E8804:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.104:32:55: ISAKMP cookie 3123100B DBC8E12504:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.104:32:55: ISAKMP cookie AA8F7B41 B4BDB5B704:32:55: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (N) NEW SA04:32:55: ISAKMP: local port 500, remote port 50004:32:55: ISAKMP: hash from 729FA94 for 619 bytes04:32:55: ISAKMP: Packet hash:64218CC0: B91E2C70 095A1346 9.,p.Z.F64218CD0: 0EDB4CA6 8A46784F B314FD3B 00 .[L&.FxO.};.04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:32:55: ISAKMP cookie AA8F7B41 F7ACF38404:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:32:55: ISAKMP cookie AA8F7B41 0C07C67004:32:55: ISAKMP: insert sa successfully sa = 6482B35404:32:55: ISAKMP (0:13): processing SA payload. message ID = 004:32:55: ISAKMP (0:13): processing ID payload. message ID = 004:32:55: ISAKMP (0:13): peer matches vpn2-ra profile04:32:55: ISAKMP: Looking for a matching key for 10.1.1.1 in default04:32:55: ISAKMP: Created a peer struct for 10.1.1.1, peer port 50004:32:55: ISAKMP: Locking peer struct 0x640BBB18, IKE refcount 1 for crypto_ikmp_config_initialize_sa04:32:55: ISAKMP (0:13): Setting client config settings 648252B004:32:55: ISAKMP (0:13): (Re)Setting client xauth list and state04:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 157 mismatch04:32:55: ISAKMP (0:13): vendor ID is NAT-T v304:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 123 mismatch04:32:55: ISAKMP (0:13): vendor ID is NAT-T v204:32:55: ISAKMP (0:13) Authentication by xauth preshared04:32:55: ISAKMP (0:13): Checking ISAKMP transform 1 against priority 1 policy04:32:55: ISAKMP: encryption 3DES-CBC04:32:55: ISAKMP: hash SHA04:32:55: ISAKMP: default group 204:32:55: ISAKMP: auth XAUTHInitPreShared04:32:55: ISAKMP: life type in seconds04:32:55: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B04:32:55: ISAKMP (0:13): atts are acceptable. Next payload is 304:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 157 mismatch04:32:55: ISAKMP (0:13): vendor ID is NAT-T v304:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 123 mismatch04:32:55: ISAKMP (0:13): vendor ID is NAT-T v204:32:55: ISAKMP (0:13): processing KE payload. message ID = 004:32:55: ISAKMP (0:13): processing NONCE payload. message ID = 004:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): vendor ID is DPD04:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 175 mismatch04:32:55: ISAKMP (0:13): vendor ID is XAUTH04:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): claimed IOS but failed authentication04:32:55: ISAKMP (0:13): processing vendor id payload04:32:55: ISAKMP (0:13): vendor ID is Unity04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH04:32:55: ISAKMP (0:13): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT04:32:55: ISAKMP cookie gen for src 11.1.1.1 dst 172.16.1.104:32:55: ISAKMP cookie AA8F7B41 7AE6E1DF04:32:55: ISAKMP: isadb_post_process_list: crawler: 4 AA 31 (6482B354)04:32:55: crawler my_cookie AA8F7B41 F7ACF38404:32:55: crawler his_cookie E46E088D F227FE4D04:32:55: ISAKMP: got callback 104:32:55: ISAKMP (0:13): SKEYID state generated04:32:55: ISAKMP: Unity/DPD ID: vendor_id_payload:next: 0xD, reserved: 0x0, len 0x1404:32:55: ISAKMP: Unity/DPD ID payload dump:63E66D70: 0D000014 ....63E66D80: 12F5F28C 457168A9 702D9FE2 74CC0100 .ur.Eqh)p-.btL..63E66D90: 00 .04:32:55: ISAKMP: Unity/DPD ID: vendor_id_payload:next: 0xD, reserved: 0x0, len 0x1404:32:55: ISAKMP: Unity/DPD ID payload dump:63E66D90: 0D000014 AFCAD713 68A1F1C9 6B8696FC ..../JW.h!qIk..|63E66DA0: 77570100 00 wW...04:32:55: ISAKMP (0:13): constructed NAT-T vendor-03 ID04:32:55: ISAKMP (0:13): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR04:32:55: ISAKMP (13): ID payloadnext-payload : 10type : 1addr : 172.16.1.1protocol : 17port : 0length : 804:32:55: ISAKMP (13): Total payload length: 1204:32:55: ISAKMP (0:13): constructed HIS NAT-D04:32:55: ISAKMP (0:13): constructed MINE NAT-D04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY04:32:55: ISAKMP (0:13): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM204:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.104:32:55: ISAKMP cookie 3123100B D99DA70D04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.104:32:55: ISAKMP cookie AA8F7B41 9C69F91704:32:55: ISAKMP: isadb_post_process_list: crawler: 5 21FF 1 (6482B354)04:32:55: crawler my_cookie AA8F7B41 F7ACF38404:32:55: crawler his_cookie E46E088D F227FE4D04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.104:32:55: ISAKMP cookie 3123100B 0058322404:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.104:32:55: ISAKMP cookie AA8F7B41 C1B006EE04:32:55: ISAKMP: isadb_post_process_list: crawler: 5 21FF 1 (6482B354)04:32:55: crawler my_cookie AA8F7B41 F7ACF38404:32:55: crawler his_cookie E46E088D F227FE4D04:32:55: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) AG_INIT_EXCH04:32:55: ISAKMP: hash from 7003A34 for 132 bytes04:32:55: ISAKMP: Packet hash:64218CC0: D1202D99 2BB49D38 Q -.+4.864218CD0: B8FBB1BE 7CDC67D7 4E26126C 63 8{1>|\gWN&.lc04:32:55: ISAKMP (0:13): processing HASH payload. message ID = 004:32:55: ISAKMP:received payload type 1704:32:55: ISAKMP (0:13): Detected NAT-D payload04:32:55: ISAKMP (0:13): recalc my hash for NAT-D04:32:55: ISAKMP (0:13): NAT match MINE hash04:32:55: ISAKMP:received payload type 1704:32:55: ISAKMP (0:13): Detected NAT-D payload04:32:55: ISAKMP (0:13): recalc his hash for NAT-D04:32:55: ISAKMP (0:13): NAT match HIS hash04:32:55: ISAKMP (0:13): processing NOTIFY INITIAL_CONTACT protocol 1spi 0, message ID = 0, sa = 6482B35404:32:55: ISAKMP (0:13): Process initial contact,bring down existing phase 1 and 2 SA's with local 172.16.1.1 remote 10.1.1.1 remote port 50004:32:55: ISAKMP (0:13): returning IP addr to the address pool04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.104:32:55: ISAKMP cookie AA8F7B41 05D315C504:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.104:32:55: ISAKMP cookie 3123100B 041A85A604:32:55: ISAKMP (0:13): SA has been authenticated with 10.1.1.104:32:55: ISAKMP: Trying to insert a peer 172.16.1.1/10.1.1.1/500/, and inserted successfully.04:32:55: ISAKMP: set new node -803402627 to CONF_XAUTH04:32:55: IPSEC(key_engine): got a queue event...04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE04:32:55: ISAKMP (0:13): purging node -80340262704:32:55: ISAKMP: Sending phase 1 responder lifetime 8640004:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH04:32:55: ISAKMP (0:13): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.168.1.104:32:55: ISAKMP cookie AA8F7B41 25EEF25604:32:55: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:32:55: crawler my_cookie AA8F7B41 F7ACF38404:32:55: crawler his_cookie E46E088D F227FE4D04:32:55: ISAKMP (0:13): Need XAUTH04:32:55: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE04:32:55: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.104:32:55: ISAKMP cookie AA8F7B41 2CCFA49104:32:55: ISAKMP: isadb_post_process_list: crawler: B 27FF 12 (6482B354)04:32:55: crawler my_cookie AA8F7B41 F7ACF38404:32:55: crawler his_cookie E46E088D F227FE4D04:32:55: ISAKMP: got callback 104:32:55: ISAKMP: set new node -1447732198 to CONF_XAUTH04:32:55: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V204:32:55: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V204:32:55: ISAKMP (0:13): initiating peer config to 10.1.1.1. ID = -144773219804:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN04:32:55: ISAKMP (0:13): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT04:33:00: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH -1447732198 ...04:33:00: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 204:33:00: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 204:33:00: ISAKMP (0:13): retransmitting phase 2 -1447732198 CONF_XAUTH04:33:00: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B 124D461804:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 B0C9191704:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B 0E29469204:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 091A769504:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH04:33:03: ISAKMP: hash from 7292D74 for 92 bytes04:33:03: ISAKMP: Packet hash:64218CC0: 84A1AF24 5D92B116 .!/$].1.64218CD0: FC2C6252 A472C5F8 152AC860 63 |,bR$rEx.*H`c04:33:03: ISAKMP (0:13): processing transaction payload from 11.1.1.1. message ID = -144773219804:33:03: ISAKMP: Config payload REPLY04:33:03: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V204:33:03: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V204:33:03: ISAKMP (0:13): deleting node -1447732198 error FALSE reason "done with xauth request/reply exchange"04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 A1B3E68404:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 12 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP: got callback 104:33:03: ISAKMP: set new node 524716665 to CONF_XAUTH04:33:03: ISAKMP (0:13): initiating peer config to 10.1.1.1. ID = 52471666504:33:03: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT004:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B 5C83A09D04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 2BEBEFD404:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B DA00A46B04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 FDD2777304:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH04:33:03: ISAKMP: hash from 7292A34 for 68 bytes04:33:03: ISAKMP: Packet hash:64218CC0: 5034B99E B8BA531F P49.8:S.64218CD0: 6267B8BD F3006989 DC118796 63 bg8=s.i.\...c04:33:03: ISAKMP (0:13): processing transaction payload from 11.1.1.1. message ID = 52471666504:33:03: ISAKMP: Config payload ACK04:33:03: ISAKMP (0:13): XAUTH ACK Processed04:33:03: ISAKMP (0:13): deleting node 524716665 error FALSE reason "done with transaction"04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 E0BB50E904:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE04:33:03: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B 7794EF6E04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 C035AAE504:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B F1FCC25A04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 31744F4404:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F207FE4D04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE04:33:03: ISAKMP: set new node -1639992295 to QM_IDLE04:33:03: ISAKMP: hash from 7293A74 for 100 bytes04:33:03: ISAKMP: Packet hash:64218CC0: 9D7DF4DF FE3A6403 .}t_~:d.64218CD0: 3F1D1C59 C5D138CE 50289B79 07 ?..YEQ8NP(.y.04:33:03: ISAKMP (0:13): processing transaction payload from 10.1.1.1. message ID = -163999229504:33:03: ISAKMP: Config payload REQUEST04:33:03: ISAKMP (0:13): checking request:04:33:03: ISAKMP: IP4_ADDRESS04:33:03: ISAKMP: IP4_NETMASK04:33:03: ISAKMP: IP4_DNS04:33:03: ISAKMP: IP4_DNS04:33:03: ISAKMP: IP4_NBNS04:33:03: ISAKMP: IP4_NBNS04:33:03: ISAKMP: SPLIT_INCLUDE04:33:03: ISAKMP: DEFAULT_DOMAIN04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST04:33:03: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 B02E0D6704:33:03: ISAKMP: isadb_post_process_list: crawler: C 27FF 12 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP: got callback 104:33:03: ISAKMP (0:13): attributes sent in message:04:33:03: Address: 10.2.0.004:33:03: ISAKMP (0:13): allocating address 10.4.1.404:33:03: ISAKMP: Sending private address: 10.4.1.404:33:03: ISAKMP: Sending DEFAULT_DOMAIN default domain name: vpn2.com04:33:03: ISAKMP (0:13): responding to peer config from 10.1.1.1. ID = -163999229504:33:03: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_ADDR04:33:03: ISAKMP (0:13): deleting node -1639992295 error FALSE reason ""04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR04:33:03: ISAKMP (0:13): Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B 881D541104:33:03: ISAKMP cookie gen for src 11.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 6FD8254104:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F227FE4D04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:03: ISAKMP cookie 3123100B 8A94C1BE04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:03: ISAKMP cookie AA8F7B41 F3BA766D04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:33:03: crawler my_cookie AA8F7B41 F7ACF38404:33:03: crawler his_cookie E46E088D F207FE4D04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE04:33:03: ISAKMP: set new node 17011691 to QM_IDLE04:33:03: ISAKMP: hash from 70029F4 for 540 bytes04:33:03: ISAKMP: Packet hash:64218CC0: AFBA30B2 55F5BC2D /:02Uu<-64218CD0: 3A86B1C9 00D2F5BA 77BF5589 07 :.1I.Ru:w?U..04:33:03: ISAKMP (0:13): processing HASH payload. message ID = 1701169104:33:03: ISAKMP (0:13): processing SA payload. message ID = 1701169104:33:03: ISAKMP (0:13): Checking IPSec proposal 104:33:03: ISAKMP: transform 1, ESP_3DES04:33:03: ISAKMP: attributes in transform:04:33:03: ISAKMP: encaps is 104:33:03: ISAKMP: SA life type in seconds04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B04:33:03: ISAKMP: SA life type in kilobytes04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x004:33:03: ISAKMP: authenticator is HMAC-SHA04:33:03: ISAKMP (0:13): atts are acceptable.04:33:03: IPSEC(validate_proposal_request): proposal part #1,(key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1,local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),remote_proxy= 10.4.1.4/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-3des esp-sha-hmac ,lifedur= 0s and 0kb,spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x204:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn204:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn204:33:03: IPSEC(validate_transform_proposal): transform proposal not supported for identity:{esp-3des esp-sha-hmac }04:33:03: ISAKMP (0:13): IPSec policy invalidated proposal04:33:03: ISAKMP (0:13): Checking IPSec proposal 204:33:03: ISAKMP: transform 1, ESP_3DES04:33:03: ISAKMP: attributes in transform:04:33:03: ISAKMP: encaps is 104:33:03: ISAKMP: SA life type in seconds04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B04:33:03: ISAKMP: SA life type in kilobytes04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x004:33:03: ISAKMP: authenticator is HMAC-MD504:33:03: ISAKMP (0:13): atts are acceptable.04:33:03: IPSEC(validate_proposal_request): proposal part #1,(key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1,local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),remote_proxy= 10.4.1.4/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-3des esp-md5-hmac ,lifedur= 0s and 0kb,spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x204:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn204:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn204:33:03: ISAKMP (0:13): processing NONCE payload. message ID = 1701169104:33:03: ISAKMP (0:13): processing ID payload. message ID = 1701169104:33:03: ISAKMP (0:13): processing ID payload. message ID = 1701169104:33:03: ISAKMP (0:13): asking for 1 spis from ipsec04:33:03: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH04:33:03: ISAKMP (0:13): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE04:33:03: IPSEC(key_engine): got a queue event...04:33:03: IPSEC(spi_response): getting spi 2749516541 for SAfrom 172.18.1.1 to 10.1.1.1 for prot 304:33:03: ISAKMP: received ke message (2/1)04:33:04: ISAKMP (13): ID payloadnext-payload : 5type : 1addr : 10.4.1.4protocol : 0port : 004:33:04: ISAKMP (13): ID payloadnext-payload : 11type : 4addr : 0.0.0.0protocol : 0port : 004:33:04: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE04:33:04: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY04:33:04: ISAKMP (0:13): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM204:33:04: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:04: ISAKMP cookie 3123100B 93DE46D204:33:04: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:04: ISAKMP cookie AA8F7B41 088A0A1604:33:04: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:33:04: crawler my_cookie AA8F7B41 F7ACF38404:33:04: crawler his_cookie E46E088D F227FE4D04:33:04: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.104:33:04: ISAKMP cookie 3123100B A8F23F7304:33:04: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.104:33:04: ISAKMP cookie AA8F7B41 93D8D87904:33:04: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)04:33:04: crawler my_cookie AA8F7B41 F7ACF38404:33:04: crawler his_cookie E46E088D F227FE4D04:33:04: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE04:33:04: ISAKMP: hash from 7290DB4 for 60 bytes04:33:04: ISAKMP: Packet hash:64218CC0: 4BB45A92 7181A2F8 K4Z.q."x64218CD0: 73CC12F8 091875C0 054F77CD 63 sL.x..u@.OwMc04:33:04: ISAKMP: Locking peer struct 0x640BBB18, IPSEC refcount 1 for for stuff_ke04:33:04: ISAKMP (0:13): Creating IPSec SAs04:33:04: inbound SA from 10.1.1.1 to 172.18.1.1 (f/i) 0/ 2(proxy 10.4.1.4 to 0.0.0.0)04:33:04: has spi 0xA3E24AFD and conn_id 5127 and flags 204:33:04: lifetime of 2147483 seconds04:33:04: lifetime of 4608000 kilobytes04:33:04: has client flags 0x004:33:04: outbound SA from 172.18.1.1 to 10.1.1.1 (f/i) 0/ 2 (proxy 0.0.0.0 to 10.4.1.4 )04:33:04: has spi 1343294712 and conn_id 5128 and flags A04:33:04: lifetime of 2147483 seconds04:33:04: lifetime of 4608000 kilobytes04:33:04: has client flags 0x004:33:04: ISAKMP (0:13): deleting node 17011691 error FALSE reason "quick mode done (await)"04:33:04: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH04:33:04: ISAKMP (0:13): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE04:33:04: IPSEC(key_engine): got a queue event...04:33:04: IPSEC(initialize_sas): ,(key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1,local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),remote_proxy= 10.4.1.4/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-3des esp-md5-hmac ,lifedur= 2147483s and 4608000kb,spi= 0xA3E24AFD(2749516541), conn_id= 5127, keysize= 0, flags= 0x204:33:04: IPSEC(initialize_sas): ,(key eng. msg.) OUTBOUND local= 172.18.1.1, remote= 10.1.1.1,local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),remote_proxy= 10.4.1.4/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-3des esp-md5-hmac ,lifedur= 2147483s and 4608000kb,spi= 0x50110CF8(1343294712), conn_id= 5128, keysize= 0, flags= 0xA04:33:04: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn204:33:04: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn204:33:04: IPSEC(rte_mgr): VPN Route Added 10.4.1.4 255.255.255.255 via 10.1.1.1 in vpn204:33:04: IPSEC(add mtree): src 0.0.0.0, dest 10.4.1.4, dest_port 004:33:04: IPSEC(create_sa): sa created,(sa) sa_dest= 172.18.1.1, sa_prot= 50,sa_spi= 0xA3E24AFD(2749516541),sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 512704:33:04: IPSEC(create_sa): sa created,(sa) sa_dest= 10.1.1.1, sa_prot= 50,sa_spi= 0x50110CF8(1343294712),sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 512804:33:53: ISAKMP (0:13): purging node -163999229504:33:54: ISAKMP (0:13): purging node 17011691Configuration Examples for VRF-Aware IPSec
The following examples show how to configure VRF-Aware IPSec:
•
•
•
•
Static IPSec-to-MPLS VPN Example
The following sample shows a static configuration that maps IPSec tunnels to MPLS VPNs. The configurations map IPSec tunnels to MPLS VPNs "VPN1" and "VPN2." Both of the IPSec tunnels terminate on a single public-facing interface.
IPSec PE Configuration
ip vrf vpn1rd 100:1route-target export 100:1route-target import 100:1!ip vrf vpn2rd 101:1route-target export 101:1route-target import 101:1!crypto keyring vpn1pre-shared-key address 172.16.1.1 key vpn1crypto keyring vpn2pre-shared-key address 10.1.1.1 key vpn2!crypto isakmp policy 1encr 3desauthentication pre-sharegroup 2!crypto isakmp profile vpn1vrf vpn1keyring vpn1match identity address 172.16.1.1 255.255.255.255!crypto isakmp profile vpn2vrf vpn2keyring vpn2match identity address 10.1.1.1 255.255.255.255!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmaccrypto ipsec transform-set vpn2 esp-3des esp-md5-hmac!crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn1set isakmp-profile vpn1match address 101crypto map crypmap 3 ipsec-isakmpset peer 10.1.1.1set transform-set vpn2set isakmp-profile vpn2match address 102!interface Ethernet1/1ip address 172.17.1.1 255.255.0.0tag-switching ip!interface Ethernet1/2ip address 172.18.1.1 255.255.255.0crypto map crypmap!ip route 172.16.1.1 255.255.255.255 172.168.1.2ip route 10.1.1.1 255.255.255.255 172.18.1.2ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 globalip route vrf vpn2 10.2.0.0 255.255.0.0 172.18.1.2 global!access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255access-list 102 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255IPSec Customer Provided Edge (CPE) Configuration for VPN1
crypto isakmp policy 1encr 3desauthentication pre-sharegroup 2crypto isakmp key vpn1 address 172.18.1.1!!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac!crypto map vpn1 1 ipsec-isakmpset peer 172.18.1.1set transform-set vpn1match address 101!interface FastEthernet1/0ip address 172.16.1.1 255.255.255.0crypto map vpn1!interface FastEthernet1/1ip address 10.2.1.1 255.255.0.0!access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255!IPSec CPE Configuration for VPN2
crypto isakmp policy 1encr 3desauthentication pre-sharegroup 2!crypto isakmp key vpn2 address 172.18.1.1!!crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac!crypto map vpn2 1 ipsec-isakmpset peer 172.18.1.1set transform-set vpn2match address 101!interface FastEthernet0ip address 10.1.1.1 255.255.255.0crypto map vpn2!interface FastEthernet1ip address 10.2.1.1 255.255.0.0!access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255IPSec-to-MPLS VPN Using RSA Encryption Example
The following example shows an IPSec-to-MPLS configuration using RSA encryption:
PE Router Configuration
ip vrf vpn1rd 100:1route-target export 100:1route-target import 100:1!crypto isakmp policy 10authentication rsa-encr!crypto keyring vpn1rsa-pubkey address 172.16.1.1 encryptionkey-string305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DBF381 00DDECC8DC4AA490 40320C52 9912D876 EB36717C 63DCA95C 7E5EC02A 84F276CE 292B42D7D664F324 3726F4E0 39D33093 ECB81B95 482511A5 F064C4B3 D5020301 0001quit!crypto isakmp profile vpn1vrf vpn1keyring vpn1match identity address 172.16.1.1 255.255.255.255!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac!crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn1set isakmp-profile vpn1match address 101!interface Ethernet1/1ip address 172.17.1.1 255.255.0.0tag-switching ip!interface Ethernet1/2ip address 172.18.1.1 255.255.255.0crypto map crypmap!ip route 172.16.1.1 255.255.255.255 172.18.1.2ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global!access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255IPSec CPE Configuration for VPN1
crypto isakmp policy 10authentication rsa-encr!crypto key pubkey-chain rsaaddressed-key 172.18.1.1 encryptionkey-string3082011B 300D0609 2A864886 F70D0101 01050003 82010800 30820103 0281FB00C90CC78A 6002BDBA 24683396 B7D7877C 16D08C47 E00C3C10 63CF13BC 4E09EA2392EB8A48 4113F5A4 8796C8BE AD7E2DC1 3B0742B6 7118CE7C 1B0E21D1 AA9724A44D74FCEA 562FF225 A2B11F18 E53C4415 61C3B741 3A06E75D B4F9102D 6163EE4016C68FD7 6532F660 97B59118 9C8DE3E5 4E2F2925 BBB87FCB 95223D4E A5E362DB215CB35C 260080805 17BBE1EF C3050E13 031F3D5B 5C22D16C FC8B1EC5 074F07A5D050EC80 7890D9C5 EC20D6F0 173FE2BA 89F5B5F9 2EADC9A6 D461921E 3D5B60016ABB8B6B9 E2124A21 93F0E4AE B487461B E7F1F1C4 032A0B0E 80DC3E15 CB268EC95D76B9BD 3C78CB75 CE9F68C6 484D6573 CBC3EB59 4B5F3999 8F9D0203 010001quit!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac!crypto map vpn1 1 ipsec-isakmpset peer 172.18.1.1set transform-set vpn1match address 101!interface FastEthernet1/0ip address 172.16.1.1 255.255.255.0crypto map vpn1!interface FastEthernet1/1ip address 10.2.1.1 255.255.0.0!access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255!IPSec-to-MPLS VPN with RSA Signatures Example
The following shows an IPSec-to-MPLS VPN configuration using RSA signatures:
PE Router Configuration
ip vrf vpn1rd 100:1route-target export 100:1route-target import 100:1!crypto ca trustpoint bomboenrollment url http://172.31.68.59:80crl optional!crypto ca certificate chain bombocertificate 03C0308203BF 308202A7 A0030201 02020203 C0300D06 092A8648 86F70D01 01050500. . .quitcertificate ca 0130820379 30820261 A0030201 02020101 300D0609 2A864886 F70D0101 05050030. . .quit!crypto isakmp profile vpn1vrf vpn1ca trust-point bombomatch identity address 172.16.1.1 255.255.255.255!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac!crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn1set isakmp-profile vpn1match address 101!interface Ethernet1/1ip address 172.31.1.1 255.255.0.0tag-switching ip!interface Ethernet1/2ip address 172.18.1.1 255.255.255.0crypto map crypmap!ip route 172.16.1.1 255.255.255.255 172.18.1.2ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global!access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255!IPSec CPE Configuration for VPN1
crypto ca trustpoint bomboenrollment url http://172.31.68.59:80crl optional!crypto ca certificate chain bombocertificate 03BF308203BD 308202A5 A0030201 02020203 BF300D06 092A8648 86F70D01 01050500. . .quitcertificate ca 0130820379 30820261 A0030201 02020101 300D0609 2A864886 F70D0101 05050030. . .quit!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac!crypto map vpn1 1 ipsec-isakmpset peer 172.18.1.1set transform-set vpn1match address 101!interface FastEthernet1/0ip address 172.16.1.1 255.255.255.0crypto map vpn1!interface FastEthernet1/1ip address 10.2.1.1 255.255.0.0!access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255!IPSec Remote Access-to-MPLS VPN Example
The following shows an IPSec remote access-to-MPLS VPN configuration. The configuration maps IPSec tunnels to MPLS VPNs. The IPSec tunnels terminate on a single public-facing interface.
PE Router Configuration
aaa new-model!aaa group server radius vpn1server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key vpn1!aaa group server radius vpn2server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key vpn2!aaa authorization network aaa-list group radius!ip vrf vpn1rd 100:1route-target export 100:1route-target import 100:1!ip vrf vpn2rd 101:1route-target export 101:1route-target import 101:1!crypto isakmp profile vpn1-ravrf vpn1match identity group vpn1-raclient authentication list vpn1isakmp authorization list aaa-listclient configuration address initiateclient configuration address respondcrypto isakmp profile vpn2-ravrf vpn2match identity group vpn2-raclient authentication list vpn2isakmp authorization list aaa-listclient configuration address initiateclient configuration address respond!!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmaccrypto ipsec transform-set vpn2 esp-3des esp-md5-hmac!crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-route!crypto dynamic-map vpn2 1set transform-set vpn2set isakmp-profile vpn2-rareverse-route!!crypto map ra 1 ipsec-isakmp dynamic vpn1crypto map ra 2 ipsec-isakmp dynamic vpn2!interface Ethernet1/1ip address 172.17.1.1 255.255.0.0tag-switching ip!interface Ethernet1/2ip address 172.18.1.1 255.255.255.0crypto map ra!ip local pool vpn1-ra 10.4.1.1 10.4.1.254 group vpn1-raip local pool vpn2-ra 10.4.1.1 10.4.1.254 group vpn2-ra!Upgrade from Previous Versions of the Cisco Network-Based IPSec VPN Solution
The VRF-Aware IPSec feature in the Cisco network-based IPSec VPN solution release 1.5 requires that you change your existing configurations.
The sample configurations that follow indicate the changes you must make to your existing configurations. These samples include the following:
•
•
•
Site-to-Site Configuration Upgrade
The following configurations show the changes that are necessary for a site-to-site configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:
Previous Version Site-to-Site Configuration
crypto isakmp key VPN1 address 172.21.25.74crypto isakmp key VPN2 address 172.21.21.74!crypto ipsec transform-set VPN1 esp-des esp-sha-hmaccrypto ipsec transform-set VPN2 esp-3des esp-sha-hmac!crypto map VPN1 10 ipsec-isakmpset peer 172.21.25.74set transform-set VPN1match address 101!crypto map VPN2 10 ipsec-isakmpset peer 172.21.21.74set transform-set VPN2match address 102!interface FastEthernet0/0.1encapsulation dot1Q 1 nativeip vrf forwarding VPN1ip address 172.21.25.73 255.255.255.0crypto map VPN1!interface FastEthernet0/0.2encapsulation dot1Q 2 nativeip vrf forwarding VPN2ip address 172.21.21.74 255.255.255.0crypto map VPN2New Version Site-to-Site Configuration
The following is an upgraded version of the same site-to-site configuration to the Cisco network-based IPSec VPN solution release 1.5 solution:
Note
crypto keyring VPN1-KEYS vrf VPN1pre-shared-key address 172.21.25.74 key VPN1!crypto keyring VPN2-KEYS vrf VPN2pre-shared-key address 172.21.21.74 key VPN2!crypto ipsec transform-set VPN1 esp-des esp-sha-hmaccrypto ipsec transform-set VPN2 esp-3des esp-sha-hmac!crypto map VPN1 10 ipsec-isakmpset peer 172.21.25.74set transform-set VPN1match address 101!crypto map VPN2 10 ipsec-isakmpset peer 172.21.21.74set transform-set VPN2match address 102!interface FastEthernet0/0.1encapsulation dot1Q 1 nativeip vrf forwarding VPN1ip address 172.21.25.73 255.255.255.0crypto map VPN1!interface FastEthernet0/0.2encapsulation dot1Q 2 nativeip vrf forwarding VPN2ip address 172.21.21.74 255.255.255.0crypto map VPN2Remote Access Configuration Upgrade
The following configurations show the changes that are necessary for a remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:
Previous Version Remote Access Configuration
crypto isakmp client configuration group VPN1-RA-GROUPkey VPN1-RApool VPN1-RA!crypto isakmp client configuration group VPN2-RA-GROUPkey VPN2-RApool VPN2-RA!crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmaccrypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac!crypto dynamic-map VPN1-RA 1set transform-set VPN1-RAreverse-route!crypto dynamic-map VPN2-RA 1set transform-set VPN2-RAreverse-route!!crypto map VPN1 client authentication list VPN1-RA-LISTcrypto map VPN1 isakmp authorization list VPN1-RA-LISTcrypto map VPN1 client configuration address initiatecrypto map VPN1 client configuration address respondcrypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA!crypto map VPN2 client authentication list VPN2-RA-LISTcrypto map VPN2 isakmp authorization list VPN2-RA-LISTcrypto map VPN2 client configuration address initiatecrypto map VPN2 client configuration address respondcrypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA!interface FastEthernet0/0.1encapsulation dot1Q 1 nativeip vrf forwarding VPN1ip address 172.21.25.73 255.255.255.0crypto map VPN1!interface FastEthernet0/0.2encapsulation dot1Q 2 nativeip vrf forwarding VPN2ip address 172.21.21.74 255.255.255.0crypto map VPN2New Version Remote Access Configuration
In the following instance, there is no upgrade; it is recommended that you change to the following configuration:
crypto isakmp client configuration group VPN1-RA-GROUPkey VPN1-RApool VPN1-RA!crypto isakmp client configuration group VPN2-RA-GROUPkey VPN2-RApool VPN2-RA!crypto isakmp profile VPN1-RAmatch identity group VPN1-RA-GROUPclient authentication list VPN1-RA-LISTisakmp authorization list VPN1-RA-LISTclient configuration address initiateclient configuration address respond!crypto isakmp profile VPN2-RAmatch identity group VPN2-RA-GROUPclient authentication list VPN2-RA-LISTisakmp authorization list VPN2-RA-LISTclient configuration address initiateclient configuration address respond!crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmaccrypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac!crypto dynamic-map VPN1-RA 1set transform-set VPN1-RAset isakmp-profile VPN1-RAreverse-route!crypto dynamic-map VPN2-RA 1set transform-set VPN2-RAset isakmp-profile VPN2-RAreverse-route!crypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA!crypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA!interface FastEthernet0/0.1encapsulation dot1Q 1 nativeip vrf forwarding VPN1ip address 172.21.25.73 255.255.255.0crypto map VPN1!interface FastEthernet0/0.2encapsulation dot1Q 2 nativeip vrf forwarding VPN2ip address 172.21.21.74 255.255.255.0crypto map VPN2Combination Site-to-Site and Remote Access Configuration Upgrade
The following configurations show the changes that are necessary for a site-to-site and remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:
Previous Version Site-to-Site and Remote Access Configuration
crypto isakmp key VPN1 address 172.21.25.74 no-xauthcrypto isakmp key VPN2 address 172.21.21.74 no-xauth!crypto isakmp client configuration group VPN1-RA-GROUPkey VPN1-RApool VPN1-RA!crypto isakmp client configuration group VPN2-RA-GROUPkey VPN2-RApool VPN2-RA!crypto ipsec transform-set VPN1 esp-des esp-sha-hmaccrypto ipsec transform-set VPN2 esp-3des esp-sha-hmac!crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmaccrypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac!crypto dynamic-map VPN1-RA 1set transform-set VPN1-RAreverse-route!crypto dynamic-map VPN2-RA 1set transform-set VPN2-RAreverse-route!crypto map VPN1 client authentication list VPN1-RA-LISTcrypto map VPN1 isakmp authorization list VPN1-RA-LISTcrypto map VPN1 client configuration address initiatecrypto map VPN1 client configuration address respondcrypto map VPN1 10 ipsec-isakmpset peer 172.21.25.74set transform-set VPN1match address 101crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA!crypto map VPN2 client authentication list VPN2-RA-LISTcrypto map VPN2 isakmp authorization list VPN2-RA-LISTcrypto map VPN2 client configuration address initiatecrypto map VPN2 client configuration address respondcrypto map VPN2 10 ipsec-isakmpset peer 172.21.21.74set transform-set VPN2match address 102crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA!interface FastEthernet0/0.1encapsulation dot1Q 1 nativeip vrf forwarding VPN1ip address 172.21.25.73 255.255.255.0crypto map VPN1!interface FastEthernet0/0.2encapsulation dot1Q 2 nativeip vrf forwarding VPN2ip address 172.21.21.74 255.255.255.0crypto map VPN2New Version Site-to-Site and Remote Access Configuration
You must upgrade to this configuration:
Note
crypto keyring VPN1-KEYS vrf VPN1pre-shared-key address 172.21.25.74 key VPN1!crypto keyring VPN2-KEYS vrf VPN2pre-shared-key address 172.21.21.74 key VPN2!crypto isakmp client configuration group VPN1-RA-GROUPkey VPN1-RApool VPN1-RA!crypto isakmp client configuration group VPN2-RA-GROUPkey VPN2-RApool VPN2-RA!crypto isakmp profile VPN1keyring VPN1-KEYSmatch identity address 172.21.25.74 VPN1!crypto isakmp profile VPN2keyring VPN2-KEYSmatch identity address 172.21.21.74 VPN2!crypto isakmp profile VPN1-RAmatch identity group VPN1-RA-GROUPclient authentication list VPN1-RA-LISTisakmp authorization list VPN1-RA-LISTclient configuration address initiateclient configuration address respond!crypto isakmp profile VPN2-RAmatch identity group VPN2-RA-GROUPclient authentication list VPN2-RA-LISTisakmp authorization list VPN2-RA-LISTclient configuration address initiateclient configuration address respond!crypto ipsec transform-set VPN1 esp-des esp-sha-hmaccrypto ipsec transform-set VPN2 esp-3des esp-sha-hmac!crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmaccrypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac!crypto dynamic-map VPN1-RA 1set transform-set VPN1-RAset isakmp-profile VPN1-RAreverse-route!crypto dynamic-map VPN2-RA 1set transform-set VPN2-RAset isakmp-profile VPN2-RAreverse-route!crypto map VPN1 10 ipsec-isakmpset peer 172.21.25.74set transform-set VPN1set isakmp-profile VPN1match address 101crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA!crypto map VPN2 10 ipsec-isakmpset peer 172.21.21.74set transform-set VPN2set isakmp-profile VPN2match address 102crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA!interface FastEthernet0/0.1encapsulation dot1Q 1 nativeip vrf forwarding VPN1ip address 172.21.25.73 255.255.255.0crypto map VPN1!interface FastEthernet0/0.2encapsulation dot1Q 2 nativeip vrf forwarding VPN2ip address 172.21.21.74 255.255.255.0crypto map VPN2Additional References
For additional information related to VRF-Aware IPSec, refer to the following references:
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
1 Not all supported standards are listed.
MIBs
•
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
1 Not all supported MIBs are listed.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
1 Not all supported RFCs are listed.
Technical Assistance
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.
New Commands
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Modified Commands
•
•
•
•
•
•
•
address
To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.
address ip-addressno address ip-addressSyntax Description
Defaults
No default behavior or values
Command Modes
Rsa-pubkey configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.
Examples
The following example specifies the RSA public key of an IP Security (IPSec) peer:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated CommandsRouter(config)# crypto keyring vpnkeyring
Related CommandsRouter(conf-keyring)# rsa-pubkey name host.vpn.com
Related CommandsRouter(config-pubkey-key)# address 10.5.5.1
Related CommandsRouter(config-pubkey)# key-string
Related CommandsRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Related CommandsRouter(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Related CommandsRouter(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Related CommandsRouter(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Related CommandsRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Related CommandsRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Related CommandsRouter(config-pubkey)# quit
Related CommandsRouter(config-pubkey-key)# exit
Related CommandsRouter(conf-keyring)# exit
Related CommandsRouter(config)#
Related Commands
ca trust-point
To identify the trustpoints that will be used to validate a certificate during Internet Key Exchange (IKE) authentication, use the ca trust-point command in isakmp profile configuration mode. To remove the trustpoint, use the no form of this command.
ca trust-point trustpoint-nameno ca trust-point trustpoint-nameSyntax Description
Defaults
If there is no trustpoint defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
The ca trust-point command can be used multiple times to define more than one trustpoint.
This command is useful when you want to restrict validation of certificates to a list of trustpoints. For example, the router global configuration has two trustpoints, A and B, which are trusted by VPN1 and VPN2, respectively. Each Virtual Private Network (VPN) wants to restrict validation only to its trustpoint.
Before you can use this command, you must enter the crypto isakmp profile command.
Note
Examples
The following example specifies two trustpoints, A and B. The ISAKMP profile configuration restricts each VPN to one trustpoint:
crypto ca trustpoint Aenrollment url http://kahului:80crypto ca trustpoint Benrollment url http://arjun:80!crypto isakmp profile vpn1trustpoint A!crypto isakmp profile vpn2ca trust-point BRelated Commands
clear crypto sa
To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in EXEC mode.
clear crypto saclear crypto sa peer [vrf fvrf-name] addressclear crypto sa map map-nameclear crypto sa entry destination-address protocol spiclear crypto sa countersclear crypto sa [vrf ivrf-name]Syntax Description
Defaults
If the peer, map, entry, or counters keywords are not used, all IPSec SAs are deleted.
Command Modes
EXEC
Command History
Usage Guidelines
This command clears (deletes) IPSec SAs.
If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)
If the peer, map, entry, or counters keywords are not used, all IPSec SAs will be deleted.
•
•
•
If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you only clear the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command only clears IPSec SAs; to clear IKE state, use the clear crypto isakmp command.
Examples
The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:
clear crypto saThe following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256The following example clears all the SAs for VRF VPN1:
clear crypto sa vrf vpn1Related Commands
client authentication list
To configure Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in isakmp profile configuration mode. To remove IKE XAUTH, use the no form of this command.
client authentication list list-nameno client authentication list list-nameSyntax Description
Defaults
No default behaviors or values
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Before configuring XAUTH, you must set up an authentication list using AAA commands.
Examples
The following example shows that user authentication is configured. User authentication is a list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile."
crypto isakmp profile vpnprofileclient authentication list xauthlistRelated Commands
client configuration address
To configure Internet Key Exchange (IKE) mode configuration in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in isakmp profile configuration mode. To disable IKE configuraton mode, use the no form of this command.
client configuration address {initiate | respond}no client configuration address {initiate | respond}Syntax Description
initiate
Router will attempt to set IP addresses for each peer.
respond
Router will accept requests for IP addresses from any requesting peer.
Defaults
IKE configuration is not enabled.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the crypto isakmp profile command.
Examples
The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile":
crypto isakmp profile vpnprofileclient configuration address initiateclient configuration address respondRelated Commands
crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}no crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.2(8)T
This command was introduced.
12.2(15)T
The vrf keyword and fvrf-name argument were added.
Usage Guidelines
After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.
Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer ip-address 4.4.4.1 vrf vpn1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123Related Commands
crypto isakmp profile
To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPSec) user sessions, use the crypto isakmp profile command in global configuration mode. To remove the profile, use the no form of this command.
crypto isakmp profile profile-nameno crypto isakmp profile profile-nameSyntax Description
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
ISAKMP Profile
An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (XAUTH) and mode configuration.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the IKE exchange) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.
Note
Examples
The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofilematch identity address 10.76.11.53The following accounting example shows that an ISAKMP profile has been configured:
aaa new-model!!aaa authentication login cisco-client group radiusaaa authorization network cisco-client group radiusaaa accounting network acc start-stop broadcast group radiusaaa session-id common!crypto isakmp profile ciscovrf ciscomatch identity group cisco-clientclient authentication list cisco-clientisakmp authorization list cisco-clientclient configuration address respondaccounting acc!crypto dynamic-map dynamic 1set transform-set aswanset isakmp-profile ciscoreverse-route!!radius-server host 172.1.1.4 auth-port 1645 acct-port 1646radius-server key nsiteRelated Commands
crypto keyring
To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]no crypto keyring keyring-name [vrf fvrf-name]Syntax Description
Defaults
All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.
Command Modes
Global configuration
Command History
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the isakmp profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring vpnkeyspre-shared-key address 10.72.23.11 key vpnsecretcrypto isakmp profile vpnprofilekeyring vpnkeyscrypto map isakmp-profile
To configure an Internet Security Association and Key Management Protocol (ISAKMP) profile on a crypto map, use the crypto map isakmp-profile command in global configuration mode. To restore the default values on the crypto map, use the no form of this command.
crypto map isakmp-profile map-name isakmp-profile isakmp-profile-nameno crypto map isakmp-profile map-name isakmp-profile isakmp-profile-nameSyntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
This command describes the ISAKMP profile to use to start the IKE exchange. Before configuring this command, you must set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile is configured on a crypto map:
crypto map vpnmap isakmp-profile vpnprofileRelated Commands
crypto ipsec transform-set
Defines a transform set—an acceptable combination of security protocols and algorithms.
crypto map (global)
Creates or modifies a crypto map entry.
initiate-mode
To configure the Phase 1 mode of an Internet Key Exchange (IKE), use the initiate-mode command in isakmp profile configuration mode. To remove the mode that was configured, use the no form of this command.
initiate-mode aggressiveno initiate-mode aggressiveSyntax Description
Defaults
IKE initiates main mode.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command if you want to initiate an IKE aggressive mode exchange instead of a main mode exchange.
Examples
The following example shows that aggressive mode has been configured:
crypto isakmp profile vpnprofileinitiate-mode aggressiveisakmp authorization list
To configure an Internet Key Exchange (IKE) shared secret using the authentication, authorization, and accounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the isakmp authorization list command in isakmp profile configuration mode. To disable the shared secret, use the no form of this command.
isakmp authorization list list-nameno isakmp authorization list list-nameSyntax Description
list-name
AAA authorization list used for configuration mode attributes or preshared keys in the case of aggresive mode.
Defaults
No default behaviors or values
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
This command allows you to retrieve a shared secret from an AAA server.
Examples
The following example shows that an IKE shared secret is configured using an AAA server on a router:
crypto isakmp profile vpnprofileisakmp authorization list ikessaaalistRelated Commands
keepalive (isakmp profile)
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the keepalive command in isakmp profile configuration mode. To return to the default, use the no form of this command.
keepalive seconds retry retry-secondsno keepalive seconds retry retry-secondsSyntax Description
seconds
Number of seconds between DPD messages. The range is from 10 to 3600 seconds.
retry retry-seconds
Number of seconds between retries if DPD message fails. The range is from 2 to 60 seconds.
Defaults
If this command is not configured, a DPD message is not sent to the client.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command to enable the gateway (instead of the client) to send DPD messages to the client. Internet Key Exchange (IKE) DPD is a new keepalive scheme that sends messages to let the router know that the client is still connected.
Examples
The following example shows that DPD messages have been configured to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
crypto isakmp profile vpnprofilekeepalive 60 retry 5keyring
To configure a keyring with an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the keyring command in isakmp profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring keyring-nameno keyring keyring-nameSyntax Description
keyring-name
The keyring name, which must match the keyring name that was defined in the global configuration.
Defaults
If this command is not used, the ISAKMP profile uses the keys defined in the global configuration.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used.
Examples
The following example shows that "vpnkeyring" is configured as the keyring name:
crypto isakmp profile vpnprofilekeyring vpnkeyringkey-string
To specify the Rivest, Shamir, and Adelman (RSA) public key of the remote peer, use the key-string command in pubkey configuration mode. To remove the RSA public key, use the no form of this command.
key-stringno key-stringSyntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Pubkey configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.
Examples
The following example shows that the RSA public key of an IP Security (IPSec) peer is configured:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated Commands
match identity
To match an identity from a peer in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the match identity command in isakmp profile configuration mode. To remove the identity, use the no form of this command.
match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}no match identity {group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}Syntax Description
Defaults
No default behavior or values.
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
There must be at least one match identity command in an isakmp profile configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE] exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
Examples
The following example shows that the match identity command is configured:
crypto isakmp profile vpnprofilematch identity group vpngroupmatch identity address 10.53.11.1match identity host domain vpn.commatch identity host server.vpn.comno crypto xauth
To ignore extended authentication (XAUTH) during an Internet Key Exchange (IKE) Phase 1 negotiation, use the no crypto xauth command in global configuration mode. To consider XAUTH proposals, use the crypto xauth command.
no crypto xauth interfacecrypto xauth interfaceSyntax Description
interface
Interface whose IP address is the local endpoint to which the remote peer will send IKE requests.
Defaults
No default behaviors or values
Command Modes
Global configuration
Command History
Usage Guidelines
The no version of this command was introduced to support Unity clients that do not require XAUTH when using Internet Security Association and Key Management Protocol (ISAKMP) profiles.
Examples
The following example shows that XAUTH proposals on Ethernet 1/1 are to be ignored:
no crypto xauth Ethernet1/1pre-shared-key
To define a preshared key to be used for Internet Key Exchange (IKE) authentication, use the pre-shared-key command in keyring configuration mode. To disable the preshared key, use the no form of this command.
pre-shared-key {address address [mask] | hostname hostname} key keyno pre-shared-key {address address [mask] | hostname hostname} key keySyntax Description
Defaults
No default behaviors or values
Command Modes
Keyring configuration
Command History
Usage Guidelines
Before configuring preshared keys, you must configure an Internet Security Association and Key Management Protocol (ISAKMP) profile.
Examples
The following example shows how to configure a preshared key using an IP address and host name:
crypto keyring vpnkeyringpre-shared-key address 10.72.23.11 key vpnkeypre-shared-key hostname www.vpn.com key vpnkeyquit
To exit from the key-string mode while defining the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the quit command in public key configuration mode.
quitSyntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Usage Guidelines
Use this command to exit text mode while defining the RSA public key.
Examples
The following example shows that the RSA public key of an IP Security (IPSec) peer has been specified:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated Commands
address
Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE)
Specifies the RSA public key of a remote peer.
rsa-pubkey
To define the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signature during Internet Key Exchange (IKE) authentication, use the rsa-pubkey command in keyring configuration mode. To remove the manual key that was defined, use the no form of this command.
rsa-pubkey{address address | name fqdn} [encryption | signature]no rsa-pubkey {address address | name fqdn} [encryption | signature]Syntax Description
Defaults
No default behavior or values
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.
Examples
The following example shows that the RSA public key of an IPSec peer has been specified:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated Commands
address
Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE)
Specifies the RSA public key of a remote peer.
self-identity
To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in isakmp profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.
self-identity {address | fqdn | user-fqdn user-fqdn}no self-identity {address | fqdn | user-fqdn user-fqdn}Syntax Description
address
The IP address of the local endpoint.
fqdn
The fully qualified domain name (FQDN) of the host.
user-fqdn user-fqdn
The user FQDN that is sent to the remote endpoint.
Defaults
If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.
Command Modes
Isakmp profile configuration
Command History
Examples
The following example shows that the IKE identity is the user FQDN "user@vpn.com":
crypto isakmp profile vpnprofileself-identity user-fqdn user@vpn.comserial-number
To define the serial number for the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the manual key that was defined, use the no form of this command.
serial-number serial-numberno serial-number serial-numberSyntax Description
Defaults
No default behavior or values
Command Modes
Pubkey configuration
Command History
Examples
The following example shows that the public key of an IP Security (IPSec) peer has been specified:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey-key)# serial-number 1000000Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated Commands
address
Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE)
Specifies the RSA public key of a remote peer.
set isakmp-profile
To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.
set isakmp-profile profile-nameno set isakmp-profile profile-nameSyntax Description
Defaults
If the ISAKMP profile is not specified in the crypto map entry, the default is to use the ISAKMP profile on the head. If there is no ISAKMP profile on the head, the default is to "none."
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command describes the ISAKMP profile to use when the Internet Key Exchange (IKE) is initiated.
Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile is configured on a crypto map:
crypto map vpnmap 10 ipsec-isakmpset isakmp-profile vpnprofileRelated Commands
show crypto dynamic-map
To view a dynamic crypto map set, use the show crypto dynamic-map in EXEC mode.
show crypto dynamic-map [tag map-name]Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Use the show crypto dynamic-map command to view a dynamic crypto map set.
Examples
The following is sample output for the show crypto dynamic-map command:
Router# show crypto dynamic-mapCrypto Map Template"vpn1" 1ISAKMP Profile: vpn1-raNo matching address list set.Security association lifetime: 4608000 kilobytes/3600 secondsPFS (Y/N): NTransform sets={vpn1,The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-routeRelated Commands
show crypto ipsec sa
To view the settings used by current security associations (SAs), use the show crypto ipsec sa command in EXEC mode.
show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
If no keyword is used, all SAs are displayed. They are sorted first by interface, and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).
Examples
The following is sample output for the show crypto ipsec sa command:
Router# show crypto ipsec sa vrf vpn2interface: Ethernet1/2Crypto map tag: ra, local addr. 172.16.1.1protected vrf: vpn2local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)current_peer: 10.1.1.1:500PERMIT, flags={}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1path mtu 1500, media mtu 1500current outbound spi: 50110CF8inbound esp sas:spi: 0xA3E24AFD(2749516541)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5127, flow_id: 7, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3503)IV size: 8 bytesreplay detection support: Yinbound ah sas:inbound pcp sas:outbound esp sas:spi: 0x50110CF8(1343294712)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5128, flow_id: 8, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3502)IV size: 8 bytesreplay detection support: Youtbound ah sas:outbound pcp sas:The following configuration was in effect when the above show crypto ipsec sa vrf command was issued. The IPSec remote access tunnel was "UP" when this command was issued.
crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-route!crypto dynamic-map vpn2 1set transform-set vpn2set isakmp-profile vpn2-rareverse-route!!crypto map ra 1 ipsec-isakmp dynamic vpn1crypto map ra 2 ipsec-isakmp dynamic vpn2show crypto isakmp key
To list the keyrings and their preshared keys, use the show crypto isakmp key command in EXEC mode.
show crypto isakmp keySyntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto isakmp key command:
Router# show crypto isakmp keyHostname/Address Preshared Keyvpn1 : 172.61.1.1 vpn1vpn2 : 10.1.1.1 vpn2The following configuration was in effect when the above show crypto isakmp key command was issued:
crypto keyring vpn1pre-shared-key address 172.16.1.1 key vpn1crypto keyring vpn2pre-shared-key address 10.1.1.1 key vpn2Table 1 describes significant fields in the show crypto isakmp key profile:
show crypto isakmp profile
To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.
show crypto isakmp profileSyntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto isakmp profile command:
Router# show crypto isakmp profileISAKMP PROFILE vpn1-raIdentities matched are:group vpn1-raIdentity presented is: ip-addressThe following configuration was in effect when the above show crypto isakmp profile command was issued:
crypto isakmp profile vpn1-ravrf vpn1self-identity addressmatch identity group vpn1-raclient authentication list aaa-listisakmp authorization list aaaclient configuration address initiateclient configuration address respondTable 2 describes significant fields in the display.
Related Commands
show crypto isakmp sa
To view all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.
show crypto isakmp saSyntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output from the show crypto isakmp sa command after IKE negotiations have been successfully completed between two peers:
Router# show crypto isakmp saf_vrf/i_vrf dst src state conn-id slot/vpn2 172.21.114.123 10.1.1.1 QM_IDLE 13 0Table 3 through Table 6 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.
Table 6 describes significant fields shown in the display.
Related Commands
crypto isakmp policy
Defines an IKE policy.
lifetime (IKE policy)
Specifies the lifetime of an IKE SA.
show crypto map (IPSec)
To view the crypto map configuration, use the show crypto map in EXEC mode.
show crypto map [interface interface | tag map-name]Syntax Description
interface interface
(Optional) Displays only the crypto map set applied to the specified interface.
tag map-name
(Optional) Displays only the crypto map set with the specified map-name.
Command Modes
EXEC
Command History
Examples
The following is sample output for the show crypto map command:
Router# show crypto mapCrypto Map "crypmap" 1 ipsec-isakmpPeer = 172.1.1.1ISAKMP Profile: vpn1Extended IP access list 101access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255access-list 101 permit ip host 192.168.1.1 host 10.2.1.1access-list 101 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255Current peer: 172.16.1.1Security association lifetime: 4608000 kilobytes/3600 secondsPFS (Y/N): NTransform sets={vpn1,The following configuration was in effect when the above show crypto map command was issued:
crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn1set isakmp-profile vpn1match address 101Table 7 describes significant fields in the display.
Table 7 show crypto map Field Descriptions
ISAKMP Profile
The Internet Security Association and Key Management Protocol (ISAKMP) profile that is configured on the crypto map entry.
vrf
To map the IP security (IPSec) tunnel to a Virtual Route Forwarding (VRF) instance, use the vrf command in isakmp profile configuration mode. To remove the VRF, use the no form of this command.
vrf ivrfno vrf ivrfSyntax Description
Defaults
The VRF will be the same as the Front Door Virtual Routing and Forwarding (FVRF).
Command Modes
Isakmp profile configuration
Command History
Usage Guidelines
Use this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).
Note
•
Examples
The following example shows that two IPSec tunnels to VNP1 and VPN2 are terminated:
crypto isakmp profile vpn1vrf vpn1keyring vpn1match identity address 172.16.1.1 255.255.255.255!crypto isakmp profile vpn2vrf vpn2keyring vpn2match identity address 10.1.1.1 255.255.255.255!crypto ipsec transform-set vpn1 esp-3des esp-sha-hmaccrypto ipsec transform-set vpn2 esp-3des esp-md5-hmac!crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn1set isakmp-profile vpn1match address 101crypto map crypmap 3 ipsec-isakmpset peer 10.1.1.1set transform-set vpn2set isakmp-profile vpn2match address 102!!interface Ethernet1/2ip address 172.26.1.1 255.255.255.0crypto map crypmapThe following is an invalid configuration where the FVRF is vpn1 and IVRF is vpn2.
crypto isakmp profile vpn2vrf vpn2match identity address 172.16.1.1 255.255.255.255!crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac!crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn2set isakmp-profile vpn2match address 101!interface Ethernet1/2ip vrf forwarding vpn1ip address 172.26.1.1 255.255.255.0crypto map crypmap!Glossary
CA—certification authority. CA is an entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.
CLI—command-line-interface. CLI is an interface that allows the user to interact with the operating system by entering commands and optional arguments. The UNIX operating system and DOS provide CLIs.
client—Corresponding IPSec IOS peer of the UUT in the Multi Protocol Label Switching (MPLS) network.
dead peer—IKE peer that is no longer reachable.
DN—Distinguished Name. A DN is the global, authoritative name of an entry in the Open System Interconnection (OSI Directory [X.500]).
FQDN—fully qualified domain name. A FQDN is the full name of a system rather than just its host name. For example, aldebaran is a host name, and aldebaran.interop.com is an FQDN.
FR—Frame Relay. FR is an industry-standard, switch-data-link-layer protocol that handles multiple virtual circuits using high-level data link (HDLC) encapsulation between connected devices. Frame Relay is more efficient than X.25, the protocol for which it generally is considered a replacement.
FVRF—Front Door Virtual Routing and Forwarding (VRF) repository. FVRF is the VRF used to route the encrypted packets to the peer.
IDB—Interface descriptor block. An IDB subblock is an area of memory that is private to an application. This area stores private information and states variables that an application wants to associate with an IDB or an interface. The application uses the IDB to register a pointer to its subblock, not to the contents of the subblock itself.
IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router, firewall, and host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service.
IKE keepalive—Bidirectional mechanism for determining the liveliness of an IKE peer.
IPSec—Security protocol for IP.
IVRF—Inside Virtual Routing and Forwarding. IVRF is the VRF of the plaintext packets.
MPLS—Multiprotocol Label Switching. MPLS is a switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.
RSA—Rivest, Shamir, and Adelman are the inventors of the RSA technique. The RSA technique is a public-key cryptographic system that can be used for encryption and authentication.
SA—Security Association. SA is an instance of security policy and keying material applied to a data flow.
VPN—Virtual Private Network. A VPN enables IP traffic to travel securely over a public TCP or IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
VRF—Virtual Route Forwarding. VRF is A VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.
XAUTH—Extended authentication. XAUTH is an optional exchange between IKE Phase 1 and IKE Phase 2, in which the router demands additional authentication information in an attempt to authenticate the actual user (as opposed to authenticating the peer).
Note
Posted: Mon Mar 22 18:36:17 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
