
VRF-Aware IPSec


The VRF-Aware IPSec feature introduces IP Security (IPSec) tunnel mapping to Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). Using the VRF-Aware IPSec feature, you can map IPSec tunnels to Virtual Routing and Forwarding (VRF) instances using a single public-facing address.

Feature Specifications for VRF-Aware IPSec

Feature History

Release      Modification
12.2(15)T    This feature was introduced.

Supported Platforms

Cisco 1710, Cisco 1760, Cisco 2610-Cisco 2613, Cisco 2620-Cisco 2621, Cisco 2650-Cisco 2651, Cisco 3620, Cisco 3640, Cisco 3660, Cisco 7100, Cisco 7200, Cisco 7400


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Restrictions for VRF-Aware IPSec

Information About VRF-Aware IPSec

How to Configure VRF-Aware IPSec

Configuration Examples for VRF-Aware IPSec

Additional References

Command Reference

Glossary

Restrictions for VRF-Aware IPSec

The VRF-Aware IPSec feature does not allow IPSec tunnel mapping between VRFs. For example, it does not allow IPSec tunnel mapping from VRF vpn1 to VRF vpn2.

Information About VRF-Aware IPSec

The VRF-Aware IPSec feature maps an IPSec tunnel to an MPLS VPN. To configure and use the feature, you need to understand the following concepts:

VRF Instance

MPLS Distribution Protocol

VRF-Aware IPSec Functional Overview

VRF Instance

A VRF instance is a per-VPN routing information repository that defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer.

MPLS Distribution Protocol

The MPLS distribution protocol is a high-performance packet-forwarding technology that integrates the performance and traffic management capabilities of data link layer switching with the scalability, flexibility, and performance of network-layer routing.

VRF-Aware IPSec Functional Overview

Front Door VRF (FVRF) and Inside VRF (IVRF) are central to understanding the feature.

Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPSec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.

One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry.

Figure 1 is an illustration of a scenario showing IPSec to MPLS and Layer 2 VPNs.

Figure 1 IPSec to MPLS and Layer 2 VPNs

Packet Flow into the IPSec Tunnel

A VPN packet arrives from the Service Provider MPLS backbone network to the PE and is routed through an interface facing the Internet.

The packet is matched against the Security Policy Database (SPD), and the packet is IPSec encapsulated. The SPD includes the IVRF and the access control list (ACL).

The IPSec encapsulated packet is then forwarded using the FVRF routing table.

Packet Flow from the IPSec Tunnel

An IPSec-encapsulated packet arrives at the PE router from the remote IPSec endpoint.

IPSec performs the Security Association (SA) lookup for the Security Parameter Index (SPI), destination, and protocol.

The packet is decapsulated using the SA and is associated with the IVRF.

The packet is further forwarded using the IVRF routing table.

How to Configure VRF-Aware IPSec

This section contains the following procedures:

Configuring Crypto Keyrings (Optional)

Configuring ISAKMP Profiles (Required)

Configuring an ISAKMP Profile on a Crypto Map (Required)

Configuring to Ignore Extended Authentication During IKE Phase 1 Negotiation (Optional)

Verifying VRF-Aware IPSec

Clearing Security Associations

Troubleshooting VRF-Aware IPSec

Configuring Crypto Keyrings

A crypto keyring is a repository of preshared and Rivest, Shamir, and Adleman (RSA) public keys. There can be zero or more keyrings on the Cisco IOS router.

Perform the following optional task to configure a crypto keyring.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto keyring keyring-name [vrf fvrf-name]

4. description string (Optional)

5. pre-shared-key {address address [mask] | hostname hostname} key key (Optional)

6. rsa-pubkey {address address | name fqdn} [encryption | signature] (Optional)

7. address ip-address (Optional)

8. serial-number serial-number (Optional)

9. key-string

10. text

11. quit

12. exit

13. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

crypto keyring keyring-name [vrf fvrf-name]

Example:

Router (config)# crypto keyring VPN1

Defines a keyring with keyring-name as the name of the keyring and enters keyring configuration mode.

(Optional) The vrf keyword and fvrf-name argument bind the keyring to a Front Door Virtual Routing and Forwarding (FVRF) instance. The keys in the keyring are searched only when the local endpoint of the tunnel is in that FVRF. If vrf is not specified, the keyring is bound to the global routing table.

Step 4

description string

Example:

Router (config-keyring)# description The keys for VPN1

(Optional) Specifies a one-line description of the keyring.

Step 5

pre-shared-key {address address [mask] | hostname hostname} key key

Example:

Router (config-keyring)# pre-shared-key address 10.72.23.11 key VPN1

(Optional) Defines a preshared key by address or host name.

Step 6

rsa-pubkey {address address | name fqdn} [encryption | signature]

Example:

Router(config-keyring)# rsa-pubkey name host.vpn.com

(Optional) Defines a Rivest, Shamir, and Adleman (RSA) public key by address or host name and enters rsa-pubkey configuration mode.

The optional encryption keyword specifies that the key is used for encryption; the optional signature keyword specifies that the key is used for signature. By default, the key is used for signature.

Step 7

address ip-address

Example:

Router(config-pubkey-key)# address 10.5.5.1

(Optional) Defines the RSA public key IP address.

Step 8

serial-number serial-number

Example:

Router(config-pubkey-key)# serial-number 1000000

(Optional) Specifies the serial number of the public key. The value is from 0 through infinity.

Step 9

key-string

Example:

Router (config-pubkey-key)# key-string

Enters into the text mode in which you define the public key.

Step 10

text

Example:

Router (config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973

Specifies the public key.

Note Only one public key may be added in this step.

Step 11

quit

Example:

Router (config-pubkey)# quit

Quits to the public key configuration mode.

Step 12

exit

Example:

Router (config-pubkey-key)# exit

Exits to the keyring configuration mode.

Step 13

exit

Example:

Router(config-keyring)# exit

Exits to global configuration mode.


Configuring ISAKMP Profiles

An ISAKMP profile is a repository for IKE Phase 1 and IKE Phase 1.5 configuration for a set of peers. An ISAKMP profile defines items such as keepalive, trustpoints, peer identities, and XAUTH AAA list during the IKE Phase 1 and Phase 1.5 exchange. There can be zero or more ISAKMP profiles on the Cisco IOS router.


Note If traffic from the router to a certification authority (CA) (for authentication, enrollment, or for obtaining a certificate revocation list [CRL]) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.

If a profile does not specify one or more trustpoints, all trustpoints in the router will be used to attempt to validate the certificate of the peer (Internet Key Exchange (IKE) main mode or signature authentication). If one or more trustpoints are specified, only those trustpoints will be used.


Restriction

A router initiating IKE and a router responding to the IKE request should have symmetrical trustpoint configurations. For example, a responding router (in IKE Main Mode) performing RSA signature encryption and authentication might use trustpoints that were defined in the global configuration when sending the CERT-REQ payloads. However, the router might use a restricted list of trustpoints that were defined in the ISAKMP profile for the certificate verification. If the peer (the IKE initiator) is configured to use a certificate whose trustpoint is in the global list of the responding router but not in the ISAKMP profile of the responding router, the certificate will be rejected. (However, if the initiating router does not know about the trustpoints in the global configuration of the responding router, the certificate can still be authenticated.)

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto isakmp profile profile-name

4. description string (Optional)

5. vrf ivrf-name (Optional)

6. keepalive seconds retry retry-seconds (Optional)

7. self-identity {address | fqdn | user-fqdn user-fqdn} (Optional)

8. keyring keyring-name (Optional)

9. ca trust-point trustpoint-name (Optional)

10. match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}

11. client configuration address {initiate | respond} (Optional)

12. client authentication list list-name (Optional)

13. isakmp authorization list list-name (Optional)

14. initiate mode aggressive (Optional)

15. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

crypto isakmp profile profile-name

Example:

Router (config)# crypto isakmp profile vpnprofile

Defines an Internet Security Association and Key Management Protocol (ISAKMP) profile and enters ISAKMP profile configuration mode.

Step 4

description string

Example:

Router (conf-isa-prof)# description configuration for VPN profile

(Optional) Specifies a one-line description of an ISAKMP profile.

Step 5

vrf ivrf-name

Example:

Router (conf-isa-prof)# vrf VPN1

(Optional) Maps the IPSec tunnel to a Virtual Routing and Forwarding (VRF) instance.

Note The VRF also serves as a selector for matching the Security Policy Database (SPD). If the VRF is not specified in the ISAKMP profile, the IVRF of the IPSec tunnel will be the same as its FVRF.

Step 6

keepalive seconds retry retry-seconds

Example:

Router (conf-isa-prof)# keepalive 60 retry 5

(Optional) Allows the gateway to send dead peer detection (DPD) messages to the peer.

If not defined, the gateway uses the global configured value.

seconds—Number of seconds between DPD messages. The range is from 10 to 3600 seconds.

retry retry-seconds—Number of seconds between retries if the DPD message fails. The range is from 2 to 60 seconds.

Step 7

self-identity {address | fqdn | user-fqdn user-fqdn}

Example:

Router (conf-isa-prof)# self-identity address

(Optional) Specifies the identity that the local Internet Key Exchange (IKE) should use to identify itself to the remote peer.

If not defined, IKE uses the global configured value.

address—Uses the IP address of the egress interface.

fqdn—Uses the fully qualified domain name (FQDN) of the router.

user-fqdn—Uses the specified value.

Step 8

keyring keyring-name

Example:

Router (conf-isa-prof)# keyring VPN1

(Optional) Specifies the keyring to use for Phase 1 authentication.

If the keyring is not specified, the global key definitions are used.

Step 9

ca trust-point trustpoint-name

Example:

Router (conf-isa-prof)# ca trust-point VPN1-trustpoint

(Optional) Specifies a trustpoint to validate a Rivest, Shamir, and Adelman (RSA) certificate.

If no trustpoint is specified in the ISAKMP profile, all the trustpoints that are configured on the Cisco IOS router are used to validate the certificate.

Step 10

match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}

Example:

Router (conf-isa-prof)# match identity address 10.1.1.1

Specifies the client IKE Identity (ID) that is to be matched.

group group-name—Matches the group-name with the ID type ID_KEY_ID. It also matches the group-name with the Organizational Unit (OU) field of the Distinguished Name (DN).

address address [mask] [fvrf]—Matches the address with the ID type ID_IPV4_ADDR. The mask argument can be used to specify a range of addresses. The fvrf argument specifies that the address is in the Front Door Virtual Routing and Forwarding (FVRF) instance.

host hostname—Matches the hostname with the ID type ID_FQDN.

host domain domainname—Matches the domainname to the ID type ID_FQDN whose domain name is the same as the domainname. Use this command to match all the hosts in the domain.

user username—Matches the username with the ID type ID_USER_FQDN.

user domain domainname—Matches the ID type ID_USER_FQDN whose domain name matches the domainname.

Step 11

client configuration address {initiate | respond}

Example:

Router (conf-isa-prof)# client configuration address initiate

(Optional) Specifies whether to initiate the mode configuration exchange or to respond to mode configuration requests.

Step 12

client authentication list list-name

Example:

Router (conf-isa-prof)# client authentication list xauthlist

(Optional) Specifies the authentication, authorization, and accounting (AAA) list to use for authenticating the remote client during the extended authentication (XAUTH) exchange.

Step 13

isakmp authorization list list-name

Example:

Router (conf-isa-prof)# isakmp authorization list ikessaaalist

(Optional) Specifies the AAA authorization list for the network authorization server that supplies the Phase 1 preshared key and other attribute-value (AV) pairs.

Step 14

initiate mode aggressive

Example:

Router (conf-isa-prof)# initiate mode aggressive

(Optional) Initiates aggressive mode exchange.

If not specified, IKE always initiates Main Mode exchange.

Step 15

exit

Example:

Router (conf-isa-prof)# exit

Exits to global configuration mode.

What to Do Next

Go to the section "Configuring an ISAKMP Profile on a Crypto Map."

Configuring an ISAKMP Profile on a Crypto Map

An ISAKMP profile must be applied to the crypto map. The IVRF on the ISAKMP profile is used as a selector when matching the VPN traffic. If there is no IVRF on the ISAKMP profile, the IVRF will be equal to the FVRF. Perform this required task to configure an ISAKMP profile on a crypto map.

Prerequisites

Before configuring an ISAKMP profile on a crypto map, you must first have configured your router for basic IPSec.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto map map-name isakmp-profile isakmp-profile-name (Optional)

4. set isakmp-profile profile-name (Optional)

5. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

crypto map map-name isakmp-profile isakmp-profile-name

Example:

Router (config)# crypto map vpnmap isakmp-profile vpnprofile

(Optional) Specifies the Internet Security Association and Key Management Protocol (ISAKMP) profile for the crypto map set and enters crypto map configuration mode.

The ISAKMP profile will be used during IKE exchange.

Step 4

set isakmp-profile profile-name

Example:

Router (config-crypto-map)# set isakmp-profile vpnprofile

(Optional) Specifies the ISAKMP profile to use when the traffic matches the crypto map entry.

Step 5

exit

Example:

Router (config-crypto-map)# exit

Exits to global configuration mode.
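The following configuration ties the three procedures above together (keyring, ISAKMP profile, profile on the crypto map) and illustrates the FVRF/IVRF split from the functional overview: two tunnels terminate on one interface, so both share that interface's FVRF, while each ISAKMP profile's vrf command assigns a different IVRF. This is an added example written for this page, not a configuration from the original document. The VRF names (internet, vpn1, vpn2), interface, addresses, ACL numbers, keyring and profile names, and the preshared-key strings are all assumed placeholders, and the MPLS/BGP configuration that populates the vpn1 and vpn2 routing tables is assumed to exist separately.

```cisco
! Added example, not from the original document. Names, addresses and keys are placeholders.
!
! Inside VRFs (IVRFs): one per customer VPN. The route distinguishers and
! route targets are placeholders; the MPLS/BGP side is assumed to exist.
ip vrf vpn1
 rd 100:1
 route-target both 100:1
!
ip vrf vpn2
 rd 100:2
 route-target both 100:2
!
! Front Door VRF (FVRF): the VRF that carries the IPSec-encapsulated packets.
ip vrf internet
 rd 100:100
!
! Keyrings bound to the FVRF, one per customer. A keyring entered without
! the vrf keyword would be bound to the global routing table instead.
crypto keyring vpn1-keys vrf internet
 pre-shared-key address 10.1.1.1 key vpn1-placeholder-key
!
crypto keyring vpn2-keys vrf internet
 pre-shared-key address 10.1.1.2 key vpn2-placeholder-key
!
! IKE Phase 1 policy shared by both tunnels.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! One ISAKMP profile per customer: "vrf" sets the IVRF, "keyring" selects
! the Phase 1 keys, and "match identity" names the peer, qualified by the FVRF.
crypto isakmp profile vpn1-profile
 vrf vpn1
 keyring vpn1-keys
 match identity address 10.1.1.1 255.255.255.255 internet
!
crypto isakmp profile vpn2-profile
 vrf vpn2
 keyring vpn2-keys
 match identity address 10.1.1.2 255.255.255.255 internet
!
crypto ipsec transform-set vpn-ts esp-3des esp-sha-hmac
!
! Crypto ACLs select the protected (inside) traffic; the prefixes are placeholders.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255
!
! One crypto map set with one entry per tunnel. "set isakmp-profile" binds the
! entry, and therefore its IVRF, to the matching profile.
crypto map vpnmap 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set vpn-ts
 set isakmp-profile vpn1-profile
 match address 101
!
crypto map vpnmap 20 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set vpn-ts
 set isakmp-profile vpn2-profile
 match address 102
!
! The public-facing interface sits in the FVRF. Both tunnels terminate here,
! so both have FVRF "internet" while their IVRFs (vpn1, vpn2) differ.
interface Ethernet0/0
 ip vrf forwarding internet
 ip address 172.16.1.1 255.255.255.0
 crypto map vpnmap
```

Because the interface's VRF fixes the FVRF of every tunnel it terminates, the per-customer separation comes entirely from the ISAKMP profile that each crypto map entry selects: packets decrypted under the vpn1-profile SA are forwarded only by the vpn1 routing table, and the feature's restriction on mapping between VRFs means nothing in this configuration can move traffic from vpn1 into vpn2. The show crypto ipsec sa vrf vpn1 command from the verification procedure lists only the SAs whose IVRF is vpn1, which is a quick way to confirm that each tunnel landed in the intended VRF.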

Configuring to Ignore Extended Authentication During IKE Phase 1 Negotiation

To ignore XAUTH during an IKE Phase 1 negotiation, use the no crypto xauth command. Use the no crypto xauth command if you do not require extended authentication for the Unity clients.

SUMMARY STEPS

1. enable

2. configure terminal

3. no crypto xauth interface

DETAILED STEPS

 
Command or Action
Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

no crypto xauth interface

Example:

Router(config)# no crypto xauth ethernet0

Ignores XAUTH proposals for requests that are destined to the IP address of the interface. By default, Internet Key Exchange (IKE) processes XAUTH proposals.

Verifying VRF-Aware IPSec

To verify your VRF-Aware IPSec configurations, use the following show commands. These show commands allow you to list configuration information and security associations (SAs):

SUMMARY STEPS

1. enable

2. show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]

3. show crypto isakmp key

4. show crypto isakmp profile

5. show crypto key pubkey-chain rsa

DETAILED STEPS

 
Command or Action
Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]

Example:

Router# show crypto ipsec sa vrf vpn1

Allows you to view the settings used by current security associations (SAs).

Step 3

show crypto isakmp key

Example:

Router# show crypto isakmp key

Lists all the keyrings and their preshared keys.

Use this command to verify your crypto keyring configuration.

Step 4

show crypto isakmp profile

Example:

Router# show crypto isakmp profile

Lists all ISAKMP profiles and their configurations.

Step 5

show crypto key pubkey-chain rsa

Example:

Router# show crypto key pubkey-chain rsa

Displays the Rivest, Shamir, and Adleman (RSA) public keys of the peers that are stored on your router.

The output is extended to show the keyring to which the public key belongs.

Clearing Security Associations

The following clear commands allow you to clear SAs.

SUMMARY STEPS

1. enable

2. clear crypto sa [counters | map map-name | peer [vrf fvrf-name] address | spi address {ah | esp} spi | vrf ivrf-name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

clear crypto sa [counters | map map-name | peer [vrf fvrf-name] address | spi address {ah | esp} spi | vrf ivrf-name]

Example:

Router# clear crypto sa vrf VPN1

Clears the IPSec security associations (SAs).

Troubleshooting VRF-Aware IPSec

To troubleshoot VRF-Aware IPSec, use the following debug commands:

SUMMARY STEPS

1. enable

2. debug crypto ipsec

3. debug crypto isakmp

DETAILED STEPS

 
Command or Action
Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

debug crypto ipsec

Example:

Router# debug crypto ipsec

Displays IP security (IPSec) events.

Step 3

debug crypto isakmp

Example:

Router# debug crypto isakmp

Displays messages about Internet Key Exchange (IKE) events.

Debug Examples for VRF-Aware IPSec

The following sample debug outputs are for a VRF-aware IPSec configuration:

IPSec PE

Router# debug crypto ipsec

Crypto IPSEC debugging is on
IPSEC-PE#debug crypto isakmp
Crypto ISAKMP debugging is on
IPSEC-PE#debug crypto isakmp d
04:31:28: ISAKMP (0:12): purging SA., sa=6482B354, delme=6482B354
04:31:28: ISAKMP: Unlocking IKE struct 0x63C142F8 for declare_sa_dead(), count 0
IPSEC-PE#debug crypto isakmp detail
Crypto ISAKMP internals debugging is on
IPSEC-PE#
IPSEC-PE#
IPSEC-PE#
04:32:07: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 63C142F8
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B DC887D4E
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.68.1.1
04:32:55: ISAKMP cookie AA8F7B41 49A60E88
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B DBC8E125
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 B4BDB5B7
04:32:55: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (N) NEW SA
04:32:55: ISAKMP: local port 500, remote port 500
04:32:55: ISAKMP: hash from 729FA94 for 619 bytes
04:32:55: ISAKMP: Packet hash:
64218CC0: B91E2C70 095A1346 9.,p.Z.F
64218CD0: 0EDB4CA6 8A46784F B314FD3B 00 .[L&.FxO.};.
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:32:55: ISAKMP cookie AA8F7B41 F7ACF384
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:32:55: ISAKMP cookie AA8F7B41 0C07C670
04:32:55: ISAKMP: insert sa successfully sa = 6482B354
04:32:55: ISAKMP (0:13): processing SA payload. message ID = 0
04:32:55: ISAKMP (0:13): processing ID payload. message ID = 0
04:32:55: ISAKMP (0:13): peer matches vpn2-ra profile
04:32:55: ISAKMP: Looking for a matching key for 10.1.1.1 in default
04:32:55: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
04:32:55: ISAKMP: Locking peer struct 0x640BBB18, IKE refcount 1 for crypto_ikmp_config_initialize_sa
04:32:55: ISAKMP (0:13): Setting client config settings 648252B0
04:32:55: ISAKMP (0:13): (Re)Setting client xauth list and state
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 157 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v3
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 123 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v2
04:32:55: ISAKMP (0:13) Authentication by xauth preshared
04:32:55: ISAKMP (0:13): Checking ISAKMP transform 1 against priority 1 policy
04:32:55: ISAKMP: encryption 3DES-CBC
04:32:55: ISAKMP: hash SHA
04:32:55: ISAKMP: default group 2
04:32:55: ISAKMP: auth XAUTHInitPreShared
04:32:55: ISAKMP: life type in seconds
04:32:55: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
04:32:55: ISAKMP (0:13): atts are acceptable. Next payload is 3
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 157 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v3
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 123 mismatch
04:32:55: ISAKMP (0:13): vendor ID is NAT-T v2
04:32:55: ISAKMP (0:13): processing KE payload. message ID = 0
04:32:55: ISAKMP (0:13): processing NONCE payload. message ID = 0
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID is DPD
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID seems Unity/DPD but major 175 mismatch
04:32:55: ISAKMP (0:13): vendor ID is XAUTH
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): claimed IOS but failed authentication
04:32:55: ISAKMP (0:13): processing vendor id payload
04:32:55: ISAKMP (0:13): vendor ID is Unity
04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
04:32:55: ISAKMP (0:13): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT

04:32:55: ISAKMP cookie gen for src 11.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 7AE6E1DF
04:32:55: ISAKMP: isadb_post_process_list: crawler: 4 AA 31 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP: got callback 1
04:32:55: ISAKMP (0:13): SKEYID state generated
04:32:55: ISAKMP: Unity/DPD ID: vendor_id_payload: next: 0xD, reserved: 0x0, len 0x14
04:32:55: ISAKMP: Unity/DPD ID payload dump:
63E66D70: 0D000014 ....
63E66D80: 12F5F28C 457168A9 702D9FE2 74CC0100 .ur.Eqh)p-.btL..
63E66D90: 00 .
04:32:55: ISAKMP: Unity/DPD ID: vendor_id_payload: next: 0xD, reserved: 0x0, len 0x14
04:32:55: ISAKMP: Unity/DPD ID payload dump:
63E66D90: 0D000014 AFCAD713 68A1F1C9 6B8696FC ..../JW.h!qIk..|
63E66DA0: 77570100 00 wW...
04:32:55: ISAKMP (0:13): constructed NAT-T vendor-03 ID
04:32:55: ISAKMP (0:13): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
04:32:55: ISAKMP (13): ID payload
        next-payload : 10
        type         : 1
        addr         : 172.16.1.1
        protocol     : 17
        port         : 0
        length       : 8
04:32:55: ISAKMP (13): Total payload length: 12
04:32:55: ISAKMP (0:13): constructed HIS NAT-D
04:32:55: ISAKMP (0:13): constructed MINE NAT-D
04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) AG_INIT_EXCH
04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
04:32:55: ISAKMP (0:13): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2

04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B D99DA70D
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 9C69F917
04:32:55: ISAKMP: isadb_post_process_list: crawler: 5 21FF 1 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B 00583224
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 C1B006EE
04:32:55: ISAKMP: isadb_post_process_list: crawler: 5 21FF 1 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) AG_INIT_EXCH
04:32:55: ISAKMP: hash from 7003A34 for 132 bytes
04:32:55: ISAKMP: Packet hash:
64218CC0: D1202D99 2BB49D38 Q -.+4.8
64218CD0: B8FBB1BE 7CDC67D7 4E26126C 63 8{1>|\gWN&.lc
04:32:55: ISAKMP (0:13): processing HASH payload. message ID = 0
04:32:55: ISAKMP:received payload type 17
04:32:55: ISAKMP (0:13): Detected NAT-D payload
04:32:55: ISAKMP (0:13): recalc my hash for NAT-D
04:32:55: ISAKMP (0:13): NAT match MINE hash
04:32:55: ISAKMP:received payload type 17
04:32:55: ISAKMP (0:13): Detected NAT-D payload
04:32:55: ISAKMP (0:13): recalc his hash for NAT-D
04:32:55: ISAKMP (0:13): NAT match HIS hash
04:32:55: ISAKMP (0:13): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 6482B354
04:32:55: ISAKMP (0:13): Process initial contact, bring down existing phase 1 and 2 SA's with local 172.16.1.1 remote 10.1.1.1 remote port 500
04:32:55: ISAKMP (0:13): returning IP addr to the address pool
04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 05D315C5
04:32:55: ISAKMP cookie gen for src 172.16.1.1 dst 10.1.1.1
04:32:55: ISAKMP cookie 3123100B 041A85A6
04:32:55: ISAKMP (0:13): SA has been authenticated with 10.1.1.1
04:32:55: ISAKMP: Trying to insert a peer 172.16.1.1/10.1.1.1/500/, and inserted successfully.
04:32:55: ISAKMP: set new node -803402627 to CONF_XAUTH
04:32:55: IPSEC(key_engine): got a queue event...
04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
04:32:55: ISAKMP (0:13): purging node -803402627
04:32:55: ISAKMP: Sending phase 1 responder lifetime 86400

04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
04:32:55: ISAKMP (0:13): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE

04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.168.1.1
04:32:55: ISAKMP cookie AA8F7B41 25EEF256
04:32:55: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP (0:13): Need XAUTH
04:32:55: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
04:32:55: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT

04:32:55: ISAKMP cookie gen for src 10.1.1.1 dst 172.16.1.1
04:32:55: ISAKMP cookie AA8F7B41 2CCFA491
04:32:55: ISAKMP: isadb_post_process_list: crawler: B 27FF 12 (6482B354)
04:32:55: crawler my_cookie AA8F7B41 F7ACF384
04:32:55: crawler his_cookie E46E088D F227FE4D
04:32:55: ISAKMP: got callback 1
04:32:55: ISAKMP: set new node -1447732198 to CONF_XAUTH
04:32:55: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
04:32:55: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
04:32:55: ISAKMP (0:13): initiating peer config to 10.1.1.1. ID = -1447732198
04:32:55: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
04:32:55: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
04:32:55: ISAKMP (0:13): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT

04:33:00: ISAKMP (0:13): retransmitting phase 2 CONF_XAUTH -1447732198 ...
04:33:00: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
04:33:00: ISAKMP (0:13): incrementing error counter on sa: retransmit phase 2
04:33:00: ISAKMP (0:13): retransmitting phase 2 -1447732198 CONF_XAUTH
04:33:00: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 124D4618
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 B0C91917
04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1
04:33:03: ISAKMP cookie 3123100B 0E294692
04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1
04:33:03: ISAKMP cookie AA8F7B41 091A7695
04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354)
04:33:03: crawler my_cookie AA8F7B41 F7ACF384
04:33:03: crawler his_cookie E46E088D F227FE4D
04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH
04:33:03: ISAKMP: hash from 7292D74 for 92 bytes
04:33:03: ISAKMP: Packet hash:
64218CC0: 84A1AF24 5D92B116 .!/$].1.
64218CD0: FC2C6252 A472C5F8 152AC860 63 |,bR$rEx.*H`c
04:33:03: ISAKMP (0:13): processing transaction payload from 11.1.1.1. message ID = -1447732198
04:33:03: ISAKMP: Config payload REPLY
04:33:03: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
04:33:03: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
04:33:03: ISAKMP (0:13): deleting node -1447732198 error FALSE reason "done with xauth request/reply exchange"
04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 A1B3E684 04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 12 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F227FE4D 04:33:03: ISAKMP: got callback 1 04:33:03: ISAKMP: set new node 524716665 to CONF_XAUTH 04:33:03: ISAKMP (0:13): initiating peer config to 10.1.1.1. ID = 524716665 04:33:03: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_XAUTH 04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN 04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT 004:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:03: ISAKMP cookie 3123100B 5C83A09D 04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 2BEBEFD4 04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F227FE4D 04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:03: ISAKMP cookie 3123100B DA00A46B 04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 FDD27773 04:33:03: ISAKMP: isadb_post_process_list: crawler: B 27FF 2 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F227FE4D 04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) CONF_XAUTH 04:33:03: ISAKMP: hash from 7292A34 for 68 bytes 04:33:03: ISAKMP: Packet hash: 64218CC0: 5034B99E B8BA531F P49.8:S. 64218CD0: 6267B8BD F3006989 DC118796 63 bg8=s.i.\...c 04:33:03: ISAKMP (0:13): processing transaction payload from 11.1.1.1. 
message ID = 524716665 04:33:03: ISAKMP: Config payload ACK 04:33:03: ISAKMP (0:13): XAUTH ACK Processed 04:33:03: ISAKMP (0:13): deleting node 524716665 error FALSE reason "done with transaction" 04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK 04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE

04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 E0BB50E9 04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F227FE4D 04:33:03: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE 04:33:03: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:03: ISAKMP cookie 3123100B 7794EF6E 04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 C035AAE5 04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F227FE4D 04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:03: ISAKMP cookie 3123100B F1FCC25A 04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 31744F44 04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F207FE4D 04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE 04:33:03: ISAKMP: set new node -1639992295 to QM_IDLE 04:33:03: ISAKMP: hash from 7293A74 for 100 bytes 04:33:03: ISAKMP: Packet hash: 64218CC0: 9D7DF4DF FE3A6403 .}t_~:d. 64218CD0: 3F1D1C59 C5D138CE 50289B79 07 ?..YEQ8NP(.y. 04:33:03: ISAKMP (0:13): processing transaction payload from 10.1.1.1. message ID = -1639992295 04:33:03: ISAKMP: Config payload REQUEST 04:33:03: ISAKMP (0:13): checking request: 04:33:03: ISAKMP: IP4_ADDRESS 04:33:03: ISAKMP: IP4_NETMASK 04:33:03: ISAKMP: IP4_DNS 04:33:03: ISAKMP: IP4_DNS 04:33:03: ISAKMP: IP4_NBNS 04:33:03: ISAKMP: IP4_NBNS 04:33:03: ISAKMP: SPLIT_INCLUDE 04:33:03: ISAKMP: DEFAULT_DOMAIN 04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST 04:33:03: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 B02E0D67 04:33:03: ISAKMP: isadb_post_process_list: crawler: C 27FF 12 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F227FE4D 04:33:03: ISAKMP: got callback 1 04:33:03: ISAKMP (0:13): attributes sent in message: 04:33:03: Address: 10.2.0.0 04:33:03: ISAKMP (0:13): allocating address 10.4.1.4 04:33:03: ISAKMP: Sending private address: 10.4.1.4 04:33:03: ISAKMP: Sending DEFAULT_DOMAIN default domain name: vpn2.com 04:33:03: ISAKMP (0:13): responding to peer config from 10.1.1.1. ID = -1639992295 04:33:03: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) CONF_ADDR 04:33:03: ISAKMP (0:13): deleting node -1639992295 error FALSE reason "" 04:33:03: ISAKMP (0:13): Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR 04:33:03: ISAKMP (0:13): Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE

04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:03: ISAKMP cookie 3123100B 881D5411 04:33:03: ISAKMP cookie gen for src 11.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 6FD82541 04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F227FE4D 04:33:03: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:03: ISAKMP cookie 3123100B 8A94C1BE 04:33:03: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:03: ISAKMP cookie AA8F7B41 F3BA766D 04:33:03: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354) 04:33:03: crawler my_cookie AA8F7B41 F7ACF384 04:33:03: crawler his_cookie E46E088D F207FE4D 04:33:03: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE 04:33:03: ISAKMP: set new node 17011691 to QM_IDLE 04:33:03: ISAKMP: hash from 70029F4 for 540 bytes 04:33:03: ISAKMP: Packet hash: 64218CC0: AFBA30B2 55F5BC2D /:02Uu<- 64218CD0: 3A86B1C9 00D2F5BA 77BF5589 07 :.1I.Ru:w?U.. 04:33:03: ISAKMP (0:13): processing HASH payload. message ID = 17011691 04:33:03: ISAKMP (0:13): processing SA payload. message ID = 17011691 04:33:03: ISAKMP (0:13): Checking IPSec proposal 1 04:33:03: ISAKMP: transform 1, ESP_3DES 04:33:03: ISAKMP: attributes in transform: 04:33:03: ISAKMP: encaps is 1 04:33:03: ISAKMP: SA life type in seconds 04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 04:33:03: ISAKMP: SA life type in kilobytes 04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 04:33:03: ISAKMP: authenticator is HMAC-SHA 04:33:03: ISAKMP (0:13): atts are acceptable. 04:33:03: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= 172.18.1.1, remote= 10.1.1.1, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.4.1.4/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2 04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2 04:33:03: IPSEC(validate_transform_proposal): transform proposal not supported for identity: {esp-3des esp-sha-hmac } 04:33:03: ISAKMP (0:13): IPSec policy invalidated proposal 04:33:03: ISAKMP (0:13): Checking IPSec proposal 2 04:33:03: ISAKMP: transform 1, ESP_3DES 04:33:03: ISAKMP: attributes in transform: 04:33:03: ISAKMP: encaps is 1 04:33:03: ISAKMP: SA life type in seconds 04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B 04:33:03: ISAKMP: SA life type in kilobytes 04:33:03: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 04:33:03: ISAKMP: authenticator is HMAC-MD5 04:33:03: ISAKMP (0:13): atts are acceptable. 04:33:03: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.4.1.4/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2 04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2 04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2 04:33:03: ISAKMP (0:13): processing NONCE payload. message ID = 17011691 04:33:03: ISAKMP (0:13): processing ID payload. message ID = 17011691 04:33:03: ISAKMP (0:13): processing ID payload. 
message ID = 17011691 04:33:03: ISAKMP (0:13): asking for 1 spis from ipsec 04:33:03: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH 04:33:03: ISAKMP (0:13): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE 04:33:03: IPSEC(key_engine): got a queue event... 04:33:03: IPSEC(spi_response): getting spi 2749516541 for SA from 172.18.1.1 to 10.1.1.1 for prot 3 04:33:03: ISAKMP: received ke message (2/1) 04:33:04: ISAKMP (13): ID payload next-payload : 5 type : 1 addr : 10.4.1.4 protocol : 0 port : 0 04:33:04: ISAKMP (13): ID payload next-payload : 11 type : 4 addr : 0.0.0.0 protocol : 0 port : 0 04:33:04: ISAKMP (0:13): sending packet to 10.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE 04:33:04: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY 04:33:04: ISAKMP (0:13): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2 04:33:04: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:04: ISAKMP cookie 3123100B 93DE46D2 04:33:04: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:04: ISAKMP cookie AA8F7B41 088A0A16 04:33:04: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354) 04:33:04: crawler my_cookie AA8F7B41 F7ACF384 04:33:04: crawler his_cookie E46E088D F227FE4D 04:33:04: ISAKMP cookie gen for src 172.18.1.1 dst 10.1.1.1 04:33:04: ISAKMP cookie 3123100B A8F23F73 04:33:04: ISAKMP cookie gen for src 10.1.1.1 dst 172.18.1.1 04:33:04: ISAKMP cookie AA8F7B41 93D8D879 04:33:04: ISAKMP: isadb_post_process_list: crawler: 9 27FF 2 (6482B354) 04:33:04: crawler my_cookie AA8F7B41 F7ACF384 04:33:04: crawler his_cookie E46E088D F227FE4D 04:33:04: ISAKMP (0:13): received packet from 10.1.1.1 dport 500 sport 500 Global (R) QM_IDLE 04:33:04: ISAKMP: hash from 7290DB4 for 60 bytes 04:33:04: ISAKMP: Packet hash: 64218CC0: 4BB45A92 7181A2F8 K4Z.q."x 64218CD0: 73CC12F8 091875C0 054F77CD 63 sL.x..u@.OwMc 04:33:04: ISAKMP: Locking peer struct 0x640BBB18, IPSEC refcount 1 for for stuff_ke 04:33:04: ISAKMP (0:13): Creating 
IPSec SAs 04:33:04: inbound SA from 10.1.1.1 to 172.18.1.1 (f/i) 0/ 2 (proxy 10.4.1.4 to 0.0.0.0) 04:33:04: has spi 0xA3E24AFD and conn_id 5127 and flags 2 04:33:04: lifetime of 2147483 seconds 04:33:04: lifetime of 4608000 kilobytes 04:33:04: has client flags 0x0 04:33:04: outbound SA from 172.18.1.1 to 10.1.1.1 (f/i) 0/ 2 (proxy 0.0.0.0 to 10.4.1.4 ) 04:33:04: has spi 1343294712 and conn_id 5128 and flags A 04:33:04: lifetime of 2147483 seconds 04:33:04: lifetime of 4608000 kilobytes 04:33:04: has client flags 0x0 04:33:04: ISAKMP (0:13): deleting node 17011691 error FALSE reason "quick mode done (await)" 04:33:04: ISAKMP (0:13): Node 17011691, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH 04:33:04: ISAKMP (0:13): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE 04:33:04: IPSEC(key_engine): got a queue event... 04:33:04: IPSEC(initialize_sas): , (key eng. msg.) INBOUND local= 172.18.1.1, remote= 10.1.1.1, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.4.1.4/0.0.0.0/0/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 2147483s and 4608000kb, spi= 0xA3E24AFD(2749516541), conn_id= 5127, keysize= 0, flags= 0x2 04:33:04: IPSEC(initialize_sas): , (key eng. msg.) OUTBOUND local= 172.18.1.1, remote= 10.1.1.1, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 10.4.1.4/0.0.0.0/0/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 2147483s and 4608000kb, spi= 0x50110CF8(1343294712), conn_id= 5128, keysize= 0, flags= 0xA 04:33:04: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2 04:33:04: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2 04:33:04: IPSEC(rte_mgr): VPN Route Added 10.4.1.4 255.255.255.255 via 10.1.1.1 in vpn2 04:33:04: IPSEC(add mtree): src 0.0.0.0, dest 10.4.1.4, dest_port 0

04:33:04: IPSEC(create_sa): sa created, (sa) sa_dest= 172.18.1.1, sa_prot= 50, sa_spi= 0xA3E24AFD(2749516541), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 5127 04:33:04: IPSEC(create_sa): sa created, (sa) sa_dest= 10.1.1.1, sa_prot= 50, sa_spi= 0x50110CF8(1343294712), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 5128 04:33:53: ISAKMP (0:13): purging node -1639992295 04:33:54: ISAKMP (0:13): purging node 17011691
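The debug output above is long, and the lines that matter for VRF-Aware IPSec are easy to miss: the IKE state transitions, the IPSEC(kei_proxy) lines that show which crypto map entry's inside VRF (map->ivrf) was compared against the VRF chosen by the ISAKMP profile (kei->ivrf), the proposal that was rejected because it matched the wrong VRF's dynamic map, and the final SA and route placement. The following Python script is an added example, not part of the original page or of Cisco IOS; it walks a debug crypto isakmp / debug crypto ipsec capture and reduces it to those facts. The embedded log is a constructed, abbreviated sample modelled on the output above, with the multi-line key-engine "sa created" messages joined onto single lines; the regular expressions assume that line format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample abbreviated from the debug output above (not a live capture);
# the multi-line key-engine "sa created" messages are joined onto single lines.
SAMPLE_DEBUG = """\
04:33:03: ISAKMP (0:13): Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
04:33:03: ISAKMP (0:13): allocating address 10.4.1.4
04:33:03: ISAKMP (0:13): Checking IPSec proposal 1
04:33:03: ISAKMP:   authenticator is HMAC-SHA
04:33:03: ISAKMP (0:13): atts are acceptable.
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2
04:33:03: IPSEC(validate_transform_proposal): transform proposal not supported for identity: {esp-3des esp-sha-hmac }
04:33:03: ISAKMP (0:13): IPSec policy invalidated proposal
04:33:03: ISAKMP (0:13): Checking IPSec proposal 2
04:33:03: ISAKMP:   authenticator is HMAC-MD5
04:33:03: ISAKMP (0:13): atts are acceptable.
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn1, kei->ivrf = vpn2
04:33:03: IPSEC(kei_proxy): head = ra, map->ivrf = vpn2, kei->ivrf = vpn2
04:33:04: ISAKMP (0:13): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
04:33:04: IPSEC(rte_mgr): VPN Route Added 10.4.1.4 255.255.255.255 via 10.1.1.1 in vpn2
04:33:04: IPSEC(create_sa): sa created, (sa) sa_dest= 172.18.1.1, sa_prot= 50, sa_spi= 0xA3E24AFD(2749516541), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 5127
04:33:04: IPSEC(create_sa): sa created, (sa) sa_dest= 10.1.1.1, sa_prot= 50, sa_spi= 0x50110CF8(1343294712), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 5128
"""


@dataclass
class Proposal:
    number: int
    auth: str = ""
    isakmp_accepted: bool = False   # "atts are acceptable": ISAKMP liked the transform
    ipsec_rejected: bool = False    # the IPSec policy (crypto map entry / VRF) then refused it
    reject_reason: str = ""
    vrf_checks: List[Tuple[str, str]] = field(default_factory=list)  # (map ivrf, peer ivrf)

    @property
    def accepted(self) -> bool:
        return self.isakmp_accepted and not self.ipsec_rejected


@dataclass
class Summary:
    states: List[str] = field(default_factory=list)        # "New State" values in order
    proposals: Dict[int, Proposal] = field(default_factory=dict)
    client_address: Optional[str] = None                    # mode-config address handed out
    vrf: Optional[str] = None                               # VRF the RRI route was installed in
    sas: List[dict] = field(default_factory=list)

    @property
    def final_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None

    @property
    def accepted_proposal(self) -> Optional[Proposal]:
        return next((p for p in self.proposals.values() if p.accepted), None)


STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PROPOSAL_RE = re.compile(r"Checking IPSec proposal (\d+)")
AUTH_RE = re.compile(r"authenticator is (\S+)")
VRF_RE = re.compile(r"map->ivrf = (\S+), kei->ivrf = (\S+)")
NOT_SUPPORTED_RE = re.compile(r"not supported for identity: \{(.*?)\}")
ADDR_RE = re.compile(r"allocating address (\S+)")
ROUTE_RE = re.compile(r"VPN Route Added \S+ \S+ via \S+ in (\S+)")
SA_RE = re.compile(r"sa_dest= (\S+), sa_prot= \d+, sa_spi= (0x[0-9A-Fa-f]+)\(\d+\), "
                   r"sa_trans= (.+?) , sa_conn_id= (\d+)")


def parse_debug(text: str) -> Summary:
    """Walk the debug lines once, tracking the IPSec proposal currently under evaluation."""
    s, cur = Summary(), None
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            s.states.append(m.group(2))
        elif m := PROPOSAL_RE.search(line):
            cur = Proposal(number=int(m.group(1)))
            s.proposals[cur.number] = cur
        elif m := ADDR_RE.search(line):
            s.client_address = m.group(1)
        elif m := ROUTE_RE.search(line):
            s.vrf = m.group(1)
        elif m := SA_RE.search(line):
            s.sas.append({"dest": m.group(1), "spi": int(m.group(2), 16),
                          "transform": m.group(3), "conn_id": int(m.group(4))})
        elif cur is None:
            continue                      # proposal-scoped lines before any proposal: ignore
        elif m := AUTH_RE.search(line):
            cur.auth = m.group(1)
        elif "atts are acceptable" in line:
            cur.isakmp_accepted = True
        elif m := VRF_RE.search(line):
            cur.vrf_checks.append((m.group(1), m.group(2)))
        elif m := NOT_SUPPORTED_RE.search(line):
            cur.reject_reason = m.group(1).strip()
        elif "IPSec policy invalidated proposal" in line:
            cur.ipsec_rejected = True
    return s
```

Running parse_debug(SAMPLE_DEBUG) shows the pattern worth recognizing in the output above: proposal 1 (esp-sha-hmac) is acceptable to ISAKMP but is invalidated by IPSec policy, because the first dynamic map entry in crypto map ra belongs to vpn1 (map->ivrf = vpn1) while the ISAKMP profile put the peer in vpn2 (kei->ivrf = vpn2); proposal 2 (esp-md5-hmac) matches the vpn2 entry and is the one the SAs are built from, and the reverse-route injection installs the client's /32 in vpn2.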

Configuration Examples for VRF-Aware IPSec

The following examples show how to configure VRF-Aware IPSec:

Static IPSec-to-MPLS VPN Example

IPSec-to-MPLS VPN Using RSA Encryption Example

IPSec-to-MPLS VPN with RSA Signatures Example

IPSec Remote Access-to-MPLS VPN Example

Upgrade from Previous Versions of the Cisco Network-Based IPSec VPN Solution

Static IPSec-to-MPLS VPN Example

The following sample shows a static configuration that maps IPSec tunnels to MPLS VPNs. The configurations map IPSec tunnels to MPLS VPNs "VPN1" and "VPN2." Both of the IPSec tunnels terminate on a single public-facing interface.

IPSec PE Configuration

ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf vpn2
 rd 101:1
 route-target export 101:1
 route-target import 101:1
!
crypto keyring vpn1
 pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2
 pre-shared-key address 10.1.1.1 key vpn2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile vpn1
 vrf vpn1
 keyring vpn1
 match identity address 172.16.1.1 255.255.255.255
!
crypto isakmp profile vpn2
 vrf vpn2
 keyring vpn2
 match identity address 10.1.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
crypto map crypmap 3 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set vpn2
 set isakmp-profile vpn2
 match address 102
!
interface Ethernet1/1
 ip address 172.17.1.1 255.255.0.0
 tag-switching ip
!
interface Ethernet1/2
 ip address 172.18.1.1 255.255.255.0
 crypto map crypmap
!
ip route 172.16.1.1 255.255.255.255 172.18.1.2
ip route 10.1.1.1 255.255.255.255 172.18.1.2
ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
ip route vrf vpn2 10.2.0.0 255.255.0.0 172.18.1.2 global
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

IPSec Customer Provided Edge (CPE) Configuration for VPN1

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpn1 address 172.18.1.1
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map vpn1 1 ipsec-isakmp
 set peer 172.18.1.1
 set transform-set vpn1
 match address 101
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 crypto map vpn1
!
interface FastEthernet1/1
 ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!

IPSec CPE Configuration for VPN2

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key vpn2 address 172.18.1.1
!
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map vpn2 1 ipsec-isakmp
 set peer 172.18.1.1
 set transform-set vpn2
 match address 101
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 crypto map vpn2
!
interface FastEthernet1
 ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

IPSec-to-MPLS VPN Using RSA Encryption Example

The following example shows an IPSec-to-MPLS configuration using RSA encryption:

PE Router Configuration

ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
crypto isakmp policy 10
 authentication rsa-encr
!
crypto keyring vpn1
 rsa-pubkey address 172.16.1.1 encryption
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DBF381 00DDECC8
   DC4AA490 40320C52 9912D876 EB36717C 63DCA95C 7E5EC02A 84F276CE 292B42D7
   D664F324 3726F4E0 39D33093 ECB81B95 482511A5 F064C4B3 D5020301 0001
  quit
!
crypto isakmp profile vpn1
 vrf vpn1
 keyring vpn1
 match identity address 172.16.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
!
interface Ethernet1/1
 ip address 172.17.1.1 255.255.0.0
 tag-switching ip
!
interface Ethernet1/2
 ip address 172.18.1.1 255.255.255.0
 crypto map crypmap
!
ip route 172.16.1.1 255.255.255.255 172.18.1.2
ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

IPSec CPE Configuration for VPN1

crypto isakmp policy 10
 authentication rsa-encr
!
crypto key pubkey-chain rsa
 addressed-key 172.18.1.1 encryption
  key-string
   3082011B 300D0609 2A864886 F70D0101 01050003 82010800 30820103 0281FB00
   C90CC78A 6002BDBA 24683396 B7D7877C 16D08C47 E00C3C10 63CF13BC 4E09EA23
   92EB8A48 4113F5A4 8796C8BE AD7E2DC1 3B0742B6 7118CE7C 1B0E21D1 AA9724A4
   4D74FCEA 562FF225 A2B11F18 E53C4415 61C3B741 3A06E75D B4F9102D 6163EE40
   16C68FD7 6532F660 97B59118 9C8DE3E5 4E2F2925 BBB87FCB 95223D4E A5E362DB
   215CB35C 260080805 17BBE1EF C3050E13 031F3D5B 5C22D16C FC8B1EC5 074F07A5
   D050EC80 7890D9C5 EC20D6F0 173FE2BA 89F5B5F9 2EADC9A6 D461921E 3D5B60016
   ABB8B6B9 E2124A21 93F0E4AE B487461B E7F1F1C4 032A0B0E 80DC3E15 CB268EC9
   5D76B9BD 3C78CB75 CE9F68C6 484D6573 CBC3EB59 4B5F3999 8F9D0203 010001
  quit
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map vpn1 1 ipsec-isakmp
 set peer 172.18.1.1
 set transform-set vpn1
 match address 101
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 crypto map vpn1
!
interface FastEthernet1/1
 ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!

IPSec-to-MPLS VPN with RSA Signatures Example

The following shows an IPSec-to-MPLS VPN configuration using RSA signatures. Note that both trustpoints are configured with crl optional, which lets the router accept a peer certificate even when it cannot retrieve the CRL; that is convenient while testing, but it also means a revoked CPE certificate is still accepted, so in production remove crl optional once CRL retrieval is reachable from the PE.

PE Router Configuration

ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
crypto ca trustpoint bombo
 enrollment url http://172.31.68.59:80
 crl optional
!
crypto ca certificate chain bombo
 certificate 03C0
  308203BF 308202A7 A0030201 02020203 C0300D06 092A8648 86F70D01 01050500
  . . .
  quit
 certificate ca 01
  30820379 30820261 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  . . .
  quit
!
crypto isakmp profile vpn1
 vrf vpn1
 ca trust-point bombo
 match identity address 172.16.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
!
interface Ethernet1/1
 ip address 172.31.1.1 255.255.0.0
 tag-switching ip
!
interface Ethernet1/2
 ip address 172.18.1.1 255.255.255.0
 crypto map crypmap
!
ip route 172.16.1.1 255.255.255.255 172.18.1.2
ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!

IPSec CPE Configuration for VPN1

crypto ca trustpoint bombo
 enrollment url http://172.31.68.59:80
 crl optional
!
crypto ca certificate chain bombo
 certificate 03BF
  308203BD 308202A5 A0030201 02020203 BF300D06 092A8648 86F70D01 01050500
  . . .
  quit
 certificate ca 01
  30820379 30820261 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  . . .
  quit
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map vpn1 1 ipsec-isakmp
 set peer 172.18.1.1
 set transform-set vpn1
 match address 101
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 crypto map vpn1
!
interface FastEthernet1/1
 ip address 10.2.1.1 255.255.0.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!

IPSec Remote Access-to-MPLS VPN Example

The following shows an IPSec remote access-to-MPLS VPN configuration. The configuration maps IPSec tunnels to MPLS VPNs, and the IPSec tunnels terminate on a single public-facing interface. Clients are placed in a VRF by the ISAKMP profile that matches their group (vrf vpn1 or vrf vpn2), and the address each client receives is injected into that VRF by reverse route injection; this is why the two local pools can use the same 10.4.1.0/24 range without conflict.

PE Router Configuration

aaa new-model
!
aaa group server radius vpn1
 server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key vpn1
!
aaa group server radius vpn2
 server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key vpn2
!
! The XAUTH login lists named by "client authentication list" in the ISAKMP profiles
! below; added here so the sample is complete (the original sample leaves them implicit)
aaa authentication login vpn1 group vpn1
aaa authentication login vpn2 group vpn2
!
aaa authorization network aaa-list group radius
!
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf vpn2
 rd 101:1
 route-target export 101:1
 route-target import 101:1
!
crypto isakmp profile vpn1-ra
 vrf vpn1
 match identity group vpn1-ra
 client authentication list vpn1
 isakmp authorization list aaa-list
 client configuration address initiate
 client configuration address respond
crypto isakmp profile vpn2-ra
 vrf vpn2
 match identity group vpn2-ra
 client authentication list vpn2
 isakmp authorization list aaa-list
 client configuration address initiate
 client configuration address respond
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto dynamic-map vpn1 1
 set transform-set vpn1
 set isakmp-profile vpn1-ra
 reverse-route
!
crypto dynamic-map vpn2 1
 set transform-set vpn2
 set isakmp-profile vpn2-ra
 reverse-route
!
crypto map ra 1 ipsec-isakmp dynamic vpn1
crypto map ra 2 ipsec-isakmp dynamic vpn2
!
interface Ethernet1/1
 ip address 172.17.1.1 255.255.0.0
 tag-switching ip
!
interface Ethernet1/2
 ip address 172.18.1.1 255.255.255.0
 crypto map ra
!
ip local pool vpn1-ra 10.4.1.1 10.4.1.254 group vpn1-ra
ip local pool vpn2-ra 10.4.1.1 10.4.1.254 group vpn2-ra
!

Upgrade from Previous Versions of the Cisco Network-Based IPSec VPN Solution

The VRF-Aware IPSec feature in the Cisco network-based IPSec VPN solution release 1.5 requires that you change your existing configurations.

The sample configurations that follow indicate the changes you must make to your existing configurations. These samples include the following:

Site-to-Site Configuration Upgrade

Remote Access Configuration Upgrade

Combination Site-to-Site and Remote Access Configuration Upgrade

Site-to-Site Configuration Upgrade

The following configurations show the changes that are necessary for a site-to-site configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:

Previous Version Site-to-Site Configuration

crypto isakmp key VPN1 address 172.21.25.74
crypto isakmp key VPN2 address 172.21.21.74
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
!
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 match address 102
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2

New Version Site-to-Site Configuration

The following is an upgraded version of the same site-to-site configuration to the Cisco network-based IPSec VPN solution release 1.5 solution:


Note You must change to keyrings. The VRF-Aware IPSec feature requires that keys be associated with a VRF if the IKE local endpoint is in the VRF.


crypto keyring VPN1-KEYS vrf VPN1
 pre-shared-key address 172.21.25.74 key VPN1
!
crypto keyring VPN2-KEYS vrf VPN2
 pre-shared-key address 172.21.21.74 key VPN2
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
!
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 match address 102
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2

Remote Access Configuration Upgrade

The following configurations show the changes that are necessary for a remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:

Previous Version Remote Access Configuration

crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 reverse-route
!
!
crypto map VPN1 client authentication list VPN1-RA-LIST
crypto map VPN1 isakmp authorization list VPN1-RA-LIST
crypto map VPN1 client configuration address initiate
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 client authentication list VPN2-RA-LIST
crypto map VPN2 isakmp authorization list VPN2-RA-LIST
crypto map VPN2 client configuration address initiate
crypto map VPN2 client configuration address respond
crypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2

New Version Remote Access Configuration

No configuration change is required for this remote access case; however, it is recommended that you move the client authentication, ISAKMP authorization, and client configuration address settings out of the crypto map and into ISAKMP profiles, as in the following configuration:

crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto isakmp profile VPN1-RA
 match identity group VPN1-RA-GROUP
 client authentication list VPN1-RA-LIST
 isakmp authorization list VPN1-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto isakmp profile VPN2-RA
 match identity group VPN2-RA-GROUP
 client authentication list VPN2-RA-LIST
 isakmp authorization list VPN2-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 set isakmp-profile VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 set isakmp-profile VPN2-RA
 reverse-route
!
crypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2

Combination Site-to-Site and Remote Access Configuration Upgrade

The following configurations show the changes that are necessary for a site-to-site and remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution release 1.5:

Previous Version Site-to-Site and Remote Access Configuration

crypto isakmp key VPN1 address 172.21.25.74 no-xauth
crypto isakmp key VPN2 address 172.21.21.74 no-xauth
!
crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 reverse-route
!
crypto map VPN1 client authentication list VPN1-RA-LIST
crypto map VPN1 isakmp authorization list VPN1-RA-LIST
crypto map VPN1 client configuration address initiate
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 client authentication list VPN2-RA-LIST
crypto map VPN2 isakmp authorization list VPN2-RA-LIST
crypto map VPN2 client configuration address initiate
crypto map VPN2 client configuration address respond
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 match address 102
crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2

New Version Site-to-Site and Remote Access Configuration

You must upgrade to this configuration:


Note For site-to-site configurations that do not require XAUTH, configure an ISAKMP profile without XAUTH configuration. For remote access configurations that require XAUTH, configure an ISAKMP profile with XAUTH.


crypto keyring VPN1-KEYS vrf VPN1
 pre-shared-key address 172.21.25.74 key VPN1
!
crypto keyring VPN2-KEYS vrf VPN2
 pre-shared-key address 172.21.21.74 key VPN2
!
crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto isakmp profile VPN1
 keyring VPN1-KEYS
 match identity address 172.21.25.74 VPN1
!
crypto isakmp profile VPN2
 keyring VPN2-KEYS
 match identity address 172.21.21.74 VPN2
!
crypto isakmp profile VPN1-RA
 match identity group VPN1-RA-GROUP
 client authentication list VPN1-RA-LIST
 isakmp authorization list VPN1-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto isakmp profile VPN2-RA
 match identity group VPN2-RA-GROUP
 client authentication list VPN2-RA-LIST
 isakmp authorization list VPN2-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 set isakmp-profile VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 set isakmp-profile VPN2-RA
 reverse-route
!
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 set isakmp-profile VPN1
 match address 101
crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 set isakmp-profile VPN2
 match address 102
crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
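All of the upgrade examples above turn on the rule stated in the note earlier in this section: when the IKE local endpoint (the interface the crypto map is applied to) sits in a VRF, the peer's pre-shared key must live in a keyring bound to that VRF, not in a global crypto isakmp key entry; and the crypto map, ISAKMP profile, keyring and ACL references must all resolve. The following Python script is an added example, not from the original page and not a Cisco tool; it parses an IOS-style configuration and reports exactly those problems. The embedded configuration is a constructed sample modelled on the site-to-site upgrade examples, in which VPN1 has already been migrated, VPN2 still uses a global key, and the ACL for VPN2 was never defined; FIXED_CONFIG applies the upgrade described above to it. The parser relies on the IOS convention that child lines of a block are indented by a space and that "!" separates blocks.

```python
from collections import defaultdict

# Constructed sample modelled on the site-to-site upgrade examples above (not a
# configuration from the original page): VPN1 already uses a VRF-bound keyring,
# VPN2 still uses a global key, and the ACL for VPN2 was never defined.
SAMPLE_CONFIG = """\
crypto keyring VPN1-KEYS vrf VPN1
 pre-shared-key address 172.21.25.74 key VPN1
crypto isakmp key VPN2 address 172.21.21.74
crypto isakmp profile VPN1
 keyring VPN1-KEYS
 match identity address 172.21.25.74 255.255.255.255 VPN1
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set isakmp-profile VPN1
 match address 101
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 match address 102
interface FastEthernet0/0.1
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
interface FastEthernet0/0.2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""

# The same configuration after the change the note above requires (plus the missing ACL).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto isakmp key VPN2 address 172.21.21.74",
    "crypto keyring VPN2-KEYS vrf VPN2\n pre-shared-key address 172.21.21.74 key VPN2",
) + "access-list 102 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255\n"


def parse_blocks(text):
    """Split an IOS configuration into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(text):
    """Report dangling references and pre-shared keys not bound to the VRF of the IKE endpoint."""
    keyrings, profiles, dyn_profile, maps = {}, {}, {}, defaultdict(list)
    global_keys, acls, ifaces, findings = set(), set(), [], []
    for header, body in parse_blocks(text):
        w = header.split()
        if header.startswith("crypto keyring "):          # crypto keyring NAME [vrf FVRF]
            peers = {ln.split()[2] for ln in body if ln.startswith("pre-shared-key address ")}
            keyrings[w[2]] = {"vrf": w[4] if len(w) > 4 and w[3] == "vrf" else None, "peers": peers}
        elif header.startswith("crypto isakmp key "):     # legacy global key: ... address PEER
            global_keys.add(w[w.index("address") + 1])
        elif header.startswith("crypto isakmp profile "):  # profile -> keyring name (or None)
            profiles[w[3]] = next((ln.split()[1] for ln in body if ln.startswith("keyring ")), None)
        elif header.startswith("crypto dynamic-map "):
            dyn_profile[w[2]] = next((ln.split()[2] for ln in body if ln.startswith("set isakmp-profile ")), None)
        elif header.startswith("crypto map ") and len(w) > 3 and w[3].isdigit():
            e = {"seq": w[3], "peer": None, "profile": None, "acl": None,
                 "dynamic": w[w.index("dynamic") + 1] if "dynamic" in w else None}
            for ln in body:
                for key, prefix in (("peer", "set peer "), ("profile", "set isakmp-profile "), ("acl", "match address ")):
                    if ln.startswith(prefix):
                        e[key] = ln.split()[2]
            maps[w[2]].append(e)
        elif header.startswith("access-list "):
            acls.add(w[1])
        elif header.startswith("interface "):
            ifaces.append((w[1], next((ln.split()[3] for ln in body if ln.startswith("ip vrf forwarding ")), None),
                           next((ln.split()[2] for ln in body if ln.startswith("crypto map ")), None)))
    for ifname, vrf, cmap in ifaces:
        if cmap and cmap not in maps:
            findings.append(f"{ifname}: crypto map {cmap} is applied but never defined")
        for e in maps.get(cmap, []):
            where = f"crypto map {cmap} {e['seq']}"
            if e["dynamic"] and e["dynamic"] not in dyn_profile:
                findings.append(f"{where}: dynamic map {e['dynamic']} not defined")
            if e["acl"] and e["acl"] not in acls:
                findings.append(f"{where}: match address {e['acl']} references an undefined ACL")
            prof = dyn_profile.get(e["dynamic"]) if e["dynamic"] else e["profile"]
            if prof and prof not in profiles:
                findings.append(f"{where}: ISAKMP profile {prof} not defined")
            ring = profiles.get(prof)
            if ring and ring not in keyrings:
                findings.append(f"{where}: profile {prof} references undefined keyring {ring}")
            if not e["peer"]:
                continue  # dynamic entries learn the peer at run time
            candidates = [ring] if ring in keyrings else list(keyrings)  # profile keyring, else any
            holders = [n for n in candidates if e["peer"] in keyrings[n]["peers"]]
            if not holders and e["peer"] in global_keys and vrf:
                findings.append(f"{where}: peer {e['peer']} is keyed by a global 'crypto isakmp key' but "
                                f"{ifname} is in VRF {vrf}; move the key to a keyring with 'vrf {vrf}'")
            elif not holders and e["peer"] not in global_keys:
                findings.append(f"{where}: no pre-shared key for peer {e['peer']} "
                                "(acceptable only if the peer authenticates with certificates)")
            for n in holders:
                if keyrings[n]["vrf"] != vrf:
                    findings.append(f"{where}: keyring {n} holds the key for {e['peer']} but is bound to "
                                    f"{keyrings[n]['vrf'] or 'the global table'}, while {ifname} is in "
                                    f"{vrf or 'the global table'}")
    return findings
```

lint(SAMPLE_CONFIG) returns two findings, one for the undefined ACL 102 and one telling you to move the VPN2 key into a keyring bound to VRF VPN2; lint(FIXED_CONFIG) returns none. The keyring check deliberately treats a keyring with no vrf clause as belonging to the global routing table, which is the case in the static IPSec-to-MPLS example earlier on this page (the crypto map is on a global interface), so that configuration passes while the pre-upgrade site-to-site configuration does not.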

Additional References

For additional information related to VRF-Aware IPSec, refer to the following references:

Related Documents

Related Topic
Document Title

IPSec configuration tasks

The chapter "Configuring IPSec Network Security" in the Cisco IOS Security Configuration Guide, Release 12.2

IPSec commands

The chapter "IPSec Network Security Commands" in the Cisco IOS Security Command Reference, Release 12.2 T

IKE Phase 1 and Phase 2, aggressive mode, and main mode

The chapter "Configuring Internet Key Exchange Security Protocol" in the Cisco IOS Security Configuration Guide, Release 12.2

IKE dead peer detection

Easy VPN Server

Additional VPN and MPLS configuration tasks

Cisco IOS Security Configuration Guide, Release 12.2


Standards

Standards1
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


1 Not all supported standards are listed.


MIBs

MIBs1
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

1 Not all supported MIBs are listed.


To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

RFCs1
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


1 Not all supported RFCs are listed.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and lots more. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.

New Commands

address

ca trust-point

client authentication list

client configuration address

crypto isakmp profile

crypto keyring

crypto map isakmp-profile

initiate-mode

isakmp authorization list

keepalive (isakmp profile)

keyring

key-string

match identity

no crypto xauth

pre-shared-key

quit

rsa-pubkey

self-identity

serial-number

set isakmp-profile

show crypto isakmp key

show crypto isakmp profile

vrf

Modified Commands

clear crypto sa

crypto isakmp peer

crypto map isakmp-profile

show crypto dynamic-map

show crypto ipsec sa

show crypto isakmp sa

show crypto map (IPSec)

address

To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.

address ip-address
no address ip-address

Syntax Description

ip-address

IP address of the remote peer.


Defaults

No default behavior or values

Command Modes

Rsa-pubkey configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.

Examples

The following example specifies the RSA public key of an IP Security (IPSec) peer:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

crypto keyring

Defines a crypto keyring to be used during IKE authentication.

key-string

Specifies the RSA public key of a remote peer.

rsa-pubkey

Defines the RSA manual key to be used for encryption or signatures during IKE authentication.


ca trust-point

To identify the trustpoints that will be used to validate a certificate during Internet Key Exchange (IKE) authentication, use the ca trust-point command in isakmp profile configuration mode. To remove the trustpoint, use the no form of this command.

ca trust-point trustpoint-name
no ca trust-point trustpoint-name

Syntax Description

trustpoint-name

The trustpoint name as defined in the global configuration.


Defaults

If there is no trustpoint defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The ca trust-point command can be used multiple times to define more than one trustpoint.

This command is useful when you want to restrict validation of certificates to a list of trustpoints. For example, the router global configuration has two trustpoints, A and B, which are trusted by VPN1 and VPN2, respectively. Each Virtual Private Network (VPN) wants to restrict validation only to its trustpoint.

Before you can use this command, you must enter the crypto isakmp profile command.


Note A router initiating IKE and a router responding to the IKE request should have symmetrical trustpoint configurations. For example, a responding router (in IKE Main Mode) performing RSA signature encryption and authentication might use trustpoints that were defined in the global configuration when sending the CERT-REQ payloads. However, the router might use a restricted list of trustpoints that were defined in the ISAKMP profile for the certificate verification. If the peer (the IKE initiator) is configured to use a certificate whose trustpoint is in the global list of the responding router but not in ISAKMP profile of the responding router, the certificate will be rejected. (However, if the initiating router does not know about the trustpoints in the global configuration of the responding router, the certificate can still be authenticated.)


Examples

The following example specifies two trustpoints, A and B. The ISAKMP profile configuration restricts each VPN to one trustpoint:

crypto ca trustpoint A
 enrollment url http://kahului:80
crypto ca trustpoint B
 enrollment url http://arjun:80
!
crypto isakmp profile vpn1
 ca trust-point A
!
crypto isakmp profile vpn2
 ca trust-point B

Related Commands

Command
Description

crypto isakmp profile

Defines an ISAKMP profile.


clear crypto sa

To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in EXEC mode.

clear crypto sa
clear crypto sa peer [vrf fvrf-name] address
clear crypto sa map map-name
clear crypto sa entry destination-address protocol spi
clear crypto sa counters
clear crypto sa [vrf ivrf-name]

Syntax Description

peer [vrf fvrf-name] address

Deletes any IPSec SAs for the specified peer. The fvrf-name argument specifies the front door virtual routing and forwarding (FVRF) of the peer address.

map

Deletes any IPSec SAs for the named crypto map set.

map-name

Specifies the name of a crypto map set.

entry

Deletes the IPSec SA with the specified address, protocol, and security parameter index (SPI).

destination-address

Specifies the IP address of the remote peer.

protocol

Specifies either the Encapsulation Security Protocol (ESP) or Authentication Header (AH).

spi

Specifies an SPI (found by displaying the SA database).

counters

Clears the traffic counters maintained for each SA; the counters keyword does not clear the SAs themselves.

vrf ivrf-name

Clears all IPSec SAs whose inside virtual routing and forwarding (IVRF) is the same as the ivrf-name.


Defaults

If the peer, map, entry, or counters keywords are not used, all IPSec SAs are deleted.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(15)T

The vrf keyword and fvrf-name argument for clear crypto sa peer were added. The vrf keyword and ivrf-name argument for clear crypto sa were added.


Usage Guidelines

This command clears (deletes) IPSec SAs.

If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)

If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)

If the peer, map, entry, or counters keywords are not used, all IPSec SAs will be deleted.

The peer keyword deletes any IPSec SAs for the specified peer.

The map keyword deletes any IPSec SAs for the named crypto map set.

The entry keyword deletes the IPSec SA with the specified address, protocol, and SPI.

If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.

The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.

If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.

If the router is processing active IPSec traffic, it is suggested that you only clear the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.

Note that this command only clears IPSec SAs; to clear IKE state, use the clear crypto isakmp command.

Examples

The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:

clear crypto sa

The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:

clear crypto sa entry 10.0.0.1 AH 256

The following example clears all the SAs for VRF VPN1:

clear crypto sa vrf vpn1

Related Commands

Command
Description

clear crypto isakmp

Clears active IKE connections.


client authentication list

To configure Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in isakmp profile configuration mode. To remove IKE XAUTH, use the no form of this command.

client authentication list list-name
no client authentication list list-name

Syntax Description

list-name

Character string used to name the list of authentication methods activated when a user logs in. The list-name must match the list name that was defined during authentication, authorization, and accounting (AAA) configuration.


Defaults

No default behaviors or values

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before configuring XAUTH, you must set up an authentication list using AAA commands.

Examples

The following example configures user authentication with the list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile":

crypto isakmp profile vpnprofile
 client authentication list xauthlist

Related Commands

Command
Description

aaa authentication login

Sets AAA authentication at login.


client configuration address

To configure Internet Key Exchange (IKE) mode configuration in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in isakmp profile configuration mode. To disable IKE configuration mode, use the no form of this command.

client configuration address {initiate | respond}
no client configuration address {initiate | respond}

Syntax Description

initiate

Router will attempt to set IP addresses for each peer.

respond

Router will accept requests for IP addresses from any requesting peer.


Defaults

IKE configuration is not enabled.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enter the crypto isakmp profile command.

Examples

The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile":

crypto isakmp profile vpnprofile
 client configuration address initiate
 client configuration address respond

Related Commands

Command
Description

crypto isakmp profile

Defines an ISAKMP profile.


crypto isakmp peer

To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.

crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}
no crypto isakmp peer {ip-address ip-address | fqdn fqdn} {vrf fvrf-name}

Syntax Description

ip-address ip-address

IP address of the peer router.

fqdn fqdn

Fully qualified domain name (FQDN) of the peer router.

vrf fvrf-name

Virtual routing and forwarding (VRF) routing table through which the peer is reachable.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.

12.2(15)T

The vrf keyword and fvrf-name argument were added.


Usage Guidelines

After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.

Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.

Examples

The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:

crypto isakmp peer ip-address 4.4.4.1 vrf vpn1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123


Related Commands

Command
Description

crypto map isakmp authorization list

Enables IKE querying of AAA for tunnel attributes in aggressive mode.

set aggressive-mode client-endpoint

Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.

set aggressive-mode password

Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.


crypto isakmp profile

To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPSec) user sessions, use the crypto isakmp profile command in global configuration mode. To remove the profile, use the no form of this command.

crypto isakmp profile profile-name
no crypto isakmp profile profile-name

Syntax Description

profile-name

Name of the user profile.


Defaults

No default behaviors or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

ISAKMP Profile

An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (XAUTH) and mode configuration.

The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the IKE exchange) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.


Note The crypto isakmp profile command and the crypto map (global IPSec) command are mutually exclusive. If a profile is present (the crypto isakmp profile command has been used), with no accounting configured but with the global command present (the crypto isakmp profile command without the accounting keyword), accounting will occur using the attributes in the global command.


Examples

The following example shows how to define an ISAKMP profile and match the peer identities:

crypto isakmp profile vpnprofile
 match identity address 10.76.11.53

The following accounting example shows that an ISAKMP profile has been configured:

aaa new-model
!
!
aaa authentication login cisco-client group radius
aaa authorization network cisco-client group radius
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
!
crypto isakmp profile cisco
 vrf cisco
 match identity group cisco-client
 client authentication list cisco-client
 isakmp authorization list cisco-client
 client configuration address respond
 accounting acc
!
crypto dynamic-map dynamic 1
 set transform-set aswan
 set isakmp-profile cisco
 reverse-route
!
!
radius-server host 172.1.1.4 auth-port 1645 acct-port 1646
radius-server key nsite

Related Commands

Command
Description

crypto map (global IPSec)

Enters crypto map configuration mode and creates or modifies a crypto map entry, creates a crypto profile that provides a template for configuration of dynamically created crypto maps, or configures a client accounting list.

debug crypto isakmp

Displays messages about IKE events.

match identity

Matches an identity from a peer in an ISAKMP profile.


crypto keyring

To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.

crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]

Syntax Description

keyring-name

Name of the crypto keyring.

vrf fvrf-name

(Optional) Front Door Virtual Routing and Forwarding (FVRF) name to which the keyring will be referenced. The fvrf-name must match the FVRF name that was defined during Virtual Routing and Forwarding (VRF) configuration.


Defaults

All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the isakmp profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.

Examples

The following example shows that a keyring and its usage have been defined:

crypto keyring vpnkeys
 pre-shared-key address 10.72.23.11 key vpnsecret
crypto isakmp profile vpnprofile
 keyring vpnkeys

crypto map isakmp-profile

To configure an Internet Security Association and Key Management Protocol (ISAKMP) profile on a crypto map, use the crypto map isakmp-profile command in global configuration mode. To restore the default values on the crypto map, use the no form of this command.

crypto map isakmp-profile map-name isakmp-profile isakmp-profile-name
no crypto map isakmp-profile map-name isakmp-profile isakmp-profile-name

Syntax Description

map-name

Name assigned to the crypto map set.

isakmp-profile isakmp-profile-name

Character string used to name the ISAKMP profile that is used during an Internet Key Exchange (IKE) Phase 1 and Phase 1.5 exchange. The isakmp-profile-name must match the ISAKMP profile name that was defined during the ISAKMP profile configuration.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command describes the ISAKMP profile to use to start the IKE exchange. Before configuring this command, you must set up the ISAKMP profile.

Examples

The following example shows that an ISAKMP profile is configured on a crypto map:

crypto map vpnmap isakmp-profile vpnprofile

Related Commands

Command
Description

crypto ipsec transform-set

Defines a transform set—an acceptable combination of security protocols and algorithms.

crypto map (global)

Creates or modifies a crypto map entry.


initiate-mode

To configure the Phase 1 mode of an Internet Key Exchange (IKE), use the initiate-mode command in isakmp profile configuration mode. To remove the mode that was configured, use the no form of this command.

initiate-mode aggressive
no initiate-mode aggressive

Syntax Description

aggressive

Aggressive mode is initiated.


Defaults

IKE initiates main mode.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command if you want to initiate an IKE aggressive mode exchange instead of a main mode exchange.

Examples

The following example shows that aggressive mode has been configured:

crypto isakmp profile vpnprofile
 initiate-mode aggressive

isakmp authorization list

To configure an Internet Key Exchange (IKE) shared secret using the authentication, authorization, and accounting (AAA) server in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the isakmp authorization list command in isakmp profile configuration mode. To disable the shared secret, use the no form of this command.

isakmp authorization list list-name
no isakmp authorization list list-name

Syntax Description

list-name

AAA authorization list used for configuration mode attributes or, in the case of aggressive mode, preshared keys.


Defaults

No default behaviors or values

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command allows you to retrieve a shared secret from an AAA server.

Examples

The following example shows that an IKE shared secret is configured using an AAA server on a router:

crypto isakmp profile vpnprofile
 isakmp authorization list ikessaaalist

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict user access to a network.


keepalive (isakmp profile)

To allow the gateway to send dead peer detection (DPD) messages to the peer, use the keepalive command in isakmp profile configuration mode. To return to the default, use the no form of this command.

keepalive seconds retry retry-seconds
no keepalive seconds retry retry-seconds

Syntax Description

seconds

Number of seconds between DPD messages. The range is from 10 to 3600 seconds.

retry retry-seconds

Number of seconds between retries if DPD message fails. The range is from 2 to 60 seconds.


Defaults

If this command is not configured, a DPD message is not sent to the client.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to enable the gateway (instead of the client) to send DPD messages to the client. Internet Key Exchange (IKE) DPD is a new keepalive scheme that sends messages to let the router know that the client is still connected.

Examples

The following example shows that DPD messages have been configured to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:

crypto isakmp profile vpnprofile
 keepalive 60 retry 5

keyring

To configure a keyring with an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the keyring command in isakmp profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.

keyring keyring-name
no keyring keyring-name

Syntax Description

keyring-name

The keyring name, which must match the keyring name that was defined in the global configuration.


Defaults

If this command is not used, the ISAKMP profile uses the keys defined in the global configuration.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used.

Examples

The following example shows that "vpnkeyring" is configured as the keyring name:

crypto isakmp profile vpnprofile
 keyring vpnkeyring

key-string

To specify the Rivest, Shamir, and Adelman (RSA) public key of the remote peer, use the key-string command in pubkey configuration mode. To remove the RSA public key, use the no form of this command.

key-string
no key-string

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Pubkey configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.

Examples

The following example shows that the RSA public key of an IP Security (IPSec) peer is configured:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

crypto keyring

Defines a crypto keyring.

rsa-pubkey

Defines the RSA public key to be used for encryption or signatures during IKE authentication.

show crypto keyring

Displays keyrings on your router.


match identity

To match an identity from a peer in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the match identity command in isakmp profile configuration mode. To remove the identity, use the no form of this command.

match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
no match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}

Syntax Description

group group-name

Unity group name that matches the identity type ID_KEY_ID. If Unity and main mode Rivest, Shamir, and Adelman (RSA) signatures are used, the group-name matches the Organizational Unit (OU) field of the Distinguished Name (DN).

address address [mask] [fvrf]

Address that matches identity type ID_IPV4_ADDR.

mask—Use to match the range of the address.

fvrf—Use if the address is in Front Door Virtual Routing and Forwarding (FVRF).

host host-name

Host name that matches identity type ID_FQDN.

host domain domain-name

Host domain name that matches identity type ID_FQDN whose fully qualified domain name (FQDN) ends with the domain name.

user user-fqdn

User FQDN that matches identity type ID_USER_FQDN.

user domain domain-name

User domain name that matches identity type ID_USER_FQDN whose string ends with the domain-name.


Defaults

No default behavior or values.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

There must be at least one match identity command in an isakmp profile configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE] exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.

Examples

The following example shows that the match identity command is configured:

crypto isakmp profile vpnprofile
 match identity group vpngroup
 match identity address 10.53.11.1
 match identity host domain vpn.com
 match identity host server.vpn.com
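The two rules stated in the usage guidelines for match identity and for crypto isakmp profile (every profile needs at least one match identity statement, and no two profiles may match the same peer identity) are easy to break once several VRFs each carry their own profiles. The following checker, an added example and not Cisco code, parses IOS-style configuration text and reports both conditions; the sample configuration it runs on is constructed here and modelled on the page's VPN1 and VPN1-RA profiles, with deliberately colliding profiles VPN3, VPN4, VPN5 and an incomplete profile EMPTY.

```python
"""Lint ISAKMP profiles for missing or ambiguous 'match identity' statements."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Identity = Tuple[str, object, Optional[str]]  # (kind, value, fvrf)

# Constructed sample config (not from a real device). VPN5's /24 in FVRF VPN1 contains
# VPN1's /32; VPN6 uses the same address in the global FVRF, so it does not collide.
# VPN1-RA and VPN3 share a Unity group; VPN4's host lies in VPN3's domain suffix.
SAMPLE_CONFIG = """\
crypto isakmp profile VPN1
 match identity address 172.21.25.74 VPN1
!
crypto isakmp profile VPN1-RA
 match identity group VPN1-RA-GROUP
!
crypto isakmp profile VPN3
 match identity group VPN1-RA-GROUP
 match identity host domain vpn.com
!
crypto isakmp profile VPN4
 match identity host server.vpn.com
!
crypto isakmp profile VPN5
 match identity address 172.21.25.0 255.255.255.0 VPN1
!
crypto isakmp profile VPN6
 match identity address 172.21.25.74
!
crypto isakmp profile EMPTY
 keyring VPN2-KEYS
"""


def parse_identity(args: str) -> Identity:
    """Normalise the arguments of one 'match identity' line to (kind, value, fvrf)."""
    tok = args.split()
    kind = tok[0]
    if kind == "address":
        mask, rest = "255.255.255.255", tok[2:]
        if rest and rest[0].replace(".", "").isdigit():   # optional mask precedes optional fvrf
            mask, rest = rest[0], rest[1:]
        net = ipaddress.IPv4Network((tok[1], mask), strict=False)
        return ("address", net, rest[0] if rest else None)
    if kind in ("host", "user") and tok[1] == "domain":
        return (kind + " domain", tok[2].lower(), None)
    if kind in ("group", "host", "user"):
        return (kind, tok[1] if kind == "group" else tok[1].lower(), None)
    raise ValueError(f"unsupported identity type: {args}")


def parse_profiles(config: str) -> Dict[str, List[Identity]]:
    """Map each 'crypto isakmp profile' block to its match identity statements."""
    profiles: Dict[str, List[Identity]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("crypto isakmp profile "):
            current = line.split()[3]
            profiles[current] = []
        elif not line.startswith(" "):          # '!' or another top-level command ends the block
            current = None
        elif current and line.strip().startswith("match identity "):
            profiles[current].append(parse_identity(line.split(None, 2)[2]))
    return profiles


def overlaps(a: Identity, b: Identity) -> bool:
    """True when a single peer identity could satisfy both statements."""
    (ka, va, fa), (kb, vb, fb) = a, b
    if ka == kb == "address":
        return fa == fb and va.overlaps(vb)      # ranges intersect within the same FVRF
    if ka == kb and ka in ("group", "host", "user"):
        return va == vb
    for kind in ("host", "user"):
        if {ka, kb} == {kind, kind + " domain"}:  # exact name that ends with the domain suffix
            name, dom = (va, vb) if ka == kind else (vb, va)
            return name.endswith("." + dom)
        if ka == kb == kind + " domain":          # identical or nested domain suffixes
            return va == vb or va.endswith("." + vb) or vb.endswith("." + va)
    return False


def find_conflicts(profiles: Dict[str, List[Identity]]) -> List[Tuple[str, str, str]]:
    """Profile pairs that could both claim one peer; the page calls such a config invalid."""
    return [(p, q, f"{a[0]} {a[1]} vs {b[0]} {b[1]}")
            for p, q in combinations(sorted(profiles), 2)
            for a in profiles[p] for b in profiles[q] if overlaps(a, b)]


def incomplete_profiles(profiles: Dict[str, List[Identity]]) -> List[str]:
    """Profiles lacking the mandatory match identity statement."""
    return sorted(name for name, ids in profiles.items() if not ids)


if __name__ == "__main__":
    prof = parse_profiles(SAMPLE_CONFIG)
    print(*find_conflicts(prof), *incomplete_profiles(prof), sep="\n")
```

Feed the output of show running-config to parse_profiles to audit a live configuration; address matches are compared per FVRF, which is why VPN6 is not reported against VPN1.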

no crypto xauth

To ignore extended authentication (XAUTH) during an Internet Key Exchange (IKE) Phase 1 negotiation, use the no crypto xauth command in global configuration mode. To consider XAUTH proposals, use the crypto xauth command.

no crypto xauth interface
crypto xauth interface

Syntax Description

interface

Interface whose IP address is the local endpoint to which the remote peer will send IKE requests.


Defaults

No default behaviors or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The no version of this command was introduced to support Unity clients that do not require XAUTH when using Internet Security Association and Key Management Protocol (ISAKMP) profiles. Disabling XAUTH on an interface removes the per-user authentication step between IKE Phase 1 and Phase 2, so peers reaching that interface are authenticated only as IKE peers (by preshared key or certificate), not as individual users.

Examples

The following example shows that XAUTH proposals on Ethernet 1/1 are to be ignored:

no crypto xauth Ethernet1/1

pre-shared-key

To define a preshared key to be used for Internet Key Exchange (IKE) authentication, use the pre-shared-key command in keyring configuration mode. To disable the preshared key, use the no form of this command.

pre-shared-key {address address [mask] | hostname hostname} key key

no pre-shared-key {address address [mask] | hostname hostname} key key

Syntax Description

address address [mask]

IP address of the remote peer or a subnet and mask. The mask argument is optional.

hostname hostname

Fully qualified domain name (FQDN) of the peer.

key key

Specifies the secret.


Defaults

No default behaviors or values

Command Modes

Keyring configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Before configuring preshared keys, you must configure an Internet Security Association and Key Management Protocol (ISAKMP) profile. Preshared keys are stored in the configuration and printed in clear text by the show crypto isakmp key command, so treat saved configurations and captured show output as sensitive.

Examples

The following example shows how to configure a preshared key using an IP address and host name:

crypto keyring vpnkeyring
 pre-shared-key address 10.72.23.11 key vpnkey
 pre-shared-key hostname www.vpn.com key vpnkey

quit

To exit from key-string mode while defining the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the quit command in public key configuration mode.

quit

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Public key configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to exit text mode while defining the RSA public key.

Examples

The following example shows that the RSA public key of an IP Security (IPSec) peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.


rsa-pubkey

To define the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signature during Internet Key Exchange (IKE) authentication, use the rsa-pubkey command in keyring configuration mode. To remove the manual key that was defined, use the no form of this command.

rsa-pubkey {address address | name fqdn} [encryption | signature]

no rsa-pubkey {address address | name fqdn} [encryption | signature]

Syntax Description

address address

IP address of the remote peer.

name fqdn

Fully qualified domain name (FQDN) of the peer.

encryption

(Optional) The manual key is to be used for encryption.

signature

(Optional) The manual key is to be used for signature.


Defaults

No default behavior or values

Command Modes

Keyring configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to enter public key configuration mode (the config-pubkey-key prompt in the example), in which the address, serial-number, and key-string of the peer key are entered. Use this command when you need to manually specify RSA public keys of other IP Security (IPSec) peers. You need to specify the keys of other peers when you configure RSA encrypted nonces as the authentication method in an IKE policy at your peer router.

Examples

The following example shows that the RSA public key of an IPSec peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.


self-identity

To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in isakmp profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.

self-identity {address | fqdn | user-fqdn user-fqdn}

no self-identity {address | fqdn | user-fqdn user-fqdn}

Syntax Description

address

The IP address of the local endpoint.

fqdn

The fully qualified domain name (FQDN) of the host.

user-fqdn user-fqdn

The user FQDN that is sent to the remote endpoint.


Defaults

If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the IKE identity is the user FQDN "user@vpn.com":

crypto isakmp profile vpnprofile
 self-identity user-fqdn user@vpn.com

serial-number

To define the serial number for the Rivest, Shamir, and Adleman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the serial number that was defined, use the no form of this command.

serial-number serial-number

no serial-number serial-number

Syntax Description

serial-number

Device serial number. The value is a nonnegative integer with no fixed upper bound.


Defaults

No default behavior or values

Command Modes

Pubkey configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the public key of an IP Security (IPSec) peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# serial-number 1000000
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.


set isakmp-profile

To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.

set isakmp-profile profile-name

no set isakmp-profile profile-name

Syntax Description

profile-name

Name of the ISAKMP profile.


Defaults

If no ISAKMP profile is specified in the crypto map entry, the ISAKMP profile configured on the crypto map head (with the crypto map isakmp-profile command) is used. If no ISAKMP profile is configured on the head either, no profile is applied.

Command Modes

Crypto map configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command specifies the ISAKMP profile to use when Internet Key Exchange (IKE) is initiated for this crypto map entry.

Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.

Examples

The following example shows that an ISAKMP profile is configured on a crypto map:

crypto map vpnmap 10 ipsec-isakmp
 set isakmp-profile vpnprofile

Related Commands

Command
Description

crypto ipsec transform-set

Defines a transform set, which is an acceptable combination of security protocols and algorithms.

crypto map (global)

Creates or modifies a crypto map entry.


show crypto dynamic-map

To view a dynamic crypto map set, use the show crypto dynamic-map command in EXEC mode.

show crypto dynamic-map [tag map-name]

Syntax Description

tag map-name

(Optional) Displays only the crypto dynamic map set with the specified map-name.


Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use the show crypto dynamic-map command to view a dynamic crypto map set.

Examples

The following is sample output for the show crypto dynamic-map command:

Router# show crypto dynamic-map

Crypto Map Template "vpn1" 1
        ISAKMP Profile: vpn1-ra
        No matching address list set.
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ vpn1,

The following partial configuration was in effect when the above show crypto dynamic-map command was issued:


crypto dynamic-map vpn1 1
 set transform-set vpn1
 set isakmp-profile vpn1-ra
 reverse-route

Related Commands

Command
Description

show crypto map

Views the crypto map configuration.


show crypto ipsec sa

To view the settings used by current security associations (SAs), use the show crypto ipsec sa command in EXEC mode.

show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]

Syntax Description

map map-name

(Optional) Any existing SAs that were created for the crypto map set named map-name are displayed.

address

(Optional) All existing SAs are displayed, sorted by the destination address (either the local address or the address of the IP Security (IPSec) remote peer) and then by protocol (Authentication Header [AH] or Encapsulating Security Payload [ESP]).

identity

(Optional) Only the flow information is displayed. It does not show the SA information.

interface interface

(Optional) All existing SAs created for an interface that is named interface are displayed.

peer [vrf fvrf-name] address

(Optional) All existing SAs with the given peer address are displayed. If the peer address is reached through a front door VRF (FVRF), specify vrf and the fvrf-name.

vrf ivrf-name

(Optional) All existing SAs whose inside virtual routing and forwarding (IVRF) is the same as the ivrf-name.

detail

(Optional) Detailed error counters are displayed. (The default is the high-level send or receive error counters.)


Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The "remote crypto endpt" and "in use settings" fields were modified to support NAT traversal.

12.2(15)T

The interface keyword and interface argument were added. The peer keyword, the vrf keyword, and the fvrf-name argument were added. In addition, the address keyword was added to the peer keyword string. The vrf keyword and ivrf-name argument were added.


Usage Guidelines

If no keyword is used, all SAs are displayed. They are sorted first by interface, and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).

Examples

The following is sample output for the show crypto ipsec sa command:

Router# show crypto ipsec sa vrf vpn2

interface: Ethernet1/2
    Crypto map tag: ra, local addr. 172.16.1.1

   protected vrf: vpn2
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)
   current_peer: 10.1.1.1:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 50110CF8

     inbound esp sas:
      spi: 0xA3E24AFD(2749516541)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5127, flow_id: 7, crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3503)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x50110CF8(1343294712)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5128, flow_id: 8, crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3502)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

The following configuration was in effect when the above show crypto ipsec sa vrf command was issued. The IPSec remote access tunnel was "UP" when this command was issued.


crypto dynamic-map vpn1 1
 set transform-set vpn1
 set isakmp-profile vpn1-ra
 reverse-route
!
crypto dynamic-map vpn2 1
 set transform-set vpn2
 set isakmp-profile vpn2-ra
 reverse-route
!
!
crypto map ra 1 ipsec-isakmp dynamic vpn1
crypto map ra 2 ipsec-isakmp dynamic vpn2
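On a router that terminates tunnels for many VRFs, the per-SA output above is what an operator scrapes to confirm that each inside VRF has a live pair of SAs with acceptable settings. The following Python script is an added example and is not code from the Cisco page: it parses show crypto ipsec sa output into one record per SA (interface, crypto map, protected VRF, peer, direction, SPI, transforms, remaining lifetime, replay detection), groups the records by inside VRF, and reports the conditions worth acting on. SAMPLE is an abridged copy of the page's show crypto ipsec sa vrf vpn2 output with SPIs and lifetimes as printed; the LEGACY set of transforms to flag and the expiry threshold are this example's choices.

```python
"""Parse and audit `show crypto ipsec sa` output (added example, not code from
the Cisco page). SAMPLE is an abridged copy of the page's output for
`show crypto ipsec sa vrf vpn2`; LEGACY is this example's own list of
algorithms to flag and min_sec its own expiry threshold.
"""
import re

SAMPLE = """\
interface: Ethernet1/2
    Crypto map tag: ra, local addr. 172.16.1.1
   protected vrf: vpn2
   current_peer: 10.1.1.1:500
     current outbound spi: 50110CF8
     inbound esp sas:
      spi: 0xA3E24AFD(2749516541)
        transform: esp-3des esp-md5-hmac ,
        slot: 0, conn id: 5127, flow_id: 7, crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3503)
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x50110CF8(1343294712)
        transform: esp-3des esp-md5-hmac ,
        slot: 0, conn id: 5128, flow_id: 8, crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3502)
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
"""
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # example's choice


def parse_ipsec_sa(text):
    """One dict per SA: flow context (interface, map, vrf, peer) plus
    direction, protocol, SPI, transforms, remaining lifetime, replay flag."""
    records, ctx, cur = [], {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface:"):
            ctx = {"interface": s.split(":", 1)[1].strip()}
        elif s.startswith("Crypto map tag:"):
            m = re.match(r"Crypto map tag: (\S+), local addr\.? (\S+)", s)
            ctx["map"], ctx["local"] = m.group(1), m.group(2)
        elif s.startswith("protected vrf:"):
            ctx["vrf"] = s.split(":", 1)[1].strip()
        elif s.startswith("current_peer:"):
            ctx["peer"] = s.split(":", 1)[1].strip().split(":")[0]
        elif re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            ctx["direction"], ctx["proto"] = s.split()[:2]
            cur = None  # a new SA list starts; fields below belong to the next spi
        elif s.startswith("spi:"):
            cur = dict(ctx)
            cur["spi"] = int(re.match(r"spi: 0x([0-9A-Fa-f]+)", s).group(1), 16)
            records.append(cur)
        elif cur is not None and s.startswith("transform:"):
            cur["transforms"] = s[len("transform:"):].replace(",", "").split()
        elif cur is not None and "remaining key lifetime" in s:
            kb, sec = re.search(r"\((\d+)/(\d+)\)", s).groups()
            cur["remaining_kb"], cur["remaining_sec"] = int(kb), int(sec)
        elif cur is not None and s.startswith("replay detection support:"):
            cur["replay"] = s.endswith("Y")
    return records


def by_vrf(records):
    """Group SAs by inside VRF, the split that `show crypto ipsec sa vrf` applies."""
    out = {}
    for r in records:
        out.setdefault(r.get("vrf", "global"), []).append(r)
    return out


def audit(records, min_sec=300):
    """Findings an operator acts on: legacy transforms, replay detection off,
    SA close to expiry, and peers with only one direction (half-open tunnel)."""
    findings = []
    for r in records:
        tag = "%s peer %s %s spi 0x%08X" % (r.get("vrf", "global"), r["peer"],
                                            r["direction"], r["spi"])
        weak = sorted(LEGACY.intersection(r.get("transforms", [])))
        if weak:
            findings.append("%s: legacy transform %s" % (tag, " ".join(weak)))
        if not r.get("replay", False):
            findings.append("%s: replay detection not enabled" % tag)
        if r.get("remaining_sec", 0) < min_sec:
            findings.append("%s: %ds lifetime left" % (tag, r.get("remaining_sec", 0)))
    seen = {(r["peer"], r["direction"]) for r in records}
    for peer in {p for p, _ in seen}:
        for d in ("inbound", "outbound"):
            if (peer, d) not in seen:
                findings.append("peer %s: no %s SA (half-open tunnel)" % (peer, d))
    return findings


if __name__ == "__main__":
    recs = parse_ipsec_sa(SAMPLE)
    for vrf, sas in by_vrf(recs).items():
        print(vrf, [(s["direction"], "0x%08X" % s["spi"]) for s in sas])
    print("\n".join(audit(recs)))
```

On the page's output the only findings are the two esp-3des/esp-md5-hmac transforms, one per direction; feeding the script a capture from a router with many VRFs gives the same per-VRF view as running show crypto ipsec sa vrf once per VRF.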

show crypto isakmp key

To list the keyrings and their preshared keys, use the show crypto isakmp key command in EXEC mode.

show crypto isakmp key

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following is sample output for the show crypto isakmp key command:

Router# show crypto isakmp key

Hostname/Address                            Preshared Key
vpn1                   : 172.16.1.1         vpn1
vpn2                   : 10.1.1.1           vpn2

The following configuration was in effect when the above show crypto isakmp key command was issued:

crypto keyring vpn1
 pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2
 pre-shared-key address 10.1.1.1 key vpn2

Table 1 describes significant fields in the show crypto isakmp key display:

Table 1 show crypto isakmp key Field Descriptions

Field
Description

Hostname/Address

The preshared key host name or address.

Preshared Key

The preshared key.

keyring

Name of the crypto keyring. The global keys are listed in the default keyring.

VRF string

The virtual route forwarding (VRF) of the keyring. If the keyring does not have a VRF, an empty string is printed.


show crypto isakmp profile

To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in EXEC mode.

show crypto isakmp profile

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following is sample output for the show crypto isakmp profile command:

Router# show crypto isakmp profile

ISAKMP PROFILE vpn1-ra
  Identities matched are:
    group vpn1-ra
  Identity presented is: ip-address

The following configuration was in effect when the above show crypto isakmp profile command was issued:

crypto isakmp profile vpn1-ra
 vrf vpn1
 self-identity address
 match identity group vpn1-ra
 client authentication list aaa-list
 isakmp authorization list aaa
 client configuration address initiate
 client configuration address respond

Table 2 describes significant fields in the display.

Table 2 show crypto isakmp profile Field Descriptions

Field
Description

isakmp profile

Name of the ISAKMP profile.

Identities matched are:

Lists all identities that the ISAKMP profile will match.

Identity presented is:

The identity that the ISAKMP profile will present to the remote endpoint.


Related Commands

Command
Description

show crypto isakmp key

Lists the keyrings and their preshared keys.


show crypto isakmp sa

To view all current Internet Key Exchange (IKE) security associations (SAs) at a peer, use the show crypto isakmp sa command in EXEC mode.

show crypto isakmp sa

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Examples

The following is sample output from the show crypto isakmp sa command after IKE negotiations have been successfully completed between two peers:

Router# show crypto isakmp sa

f_vrf/i_vrf    dst             src           state        conn-id    slot
     /vpn2    172.21.114.123  10.1.1.1      QM_IDLE           13       0

Table 3 through Table 5 show the various states that may be displayed in the state column of the show crypto isakmp sa output. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.

Table 3 States in Main Mode Exchange

State
Explanation

MM_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

MM_SA_SETUP

The peers have agreed on parameters for the ISAKMP SA.

MM_KEY_EXCH

The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.

MM_KEY_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.


Table 4 States in Aggressive Mode Exchange 

State
Explanation

AG_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

AG_INIT_EXCH

The peers have done the first exchange in aggressive mode, but the SA is not authenticated.

AG_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a quick mode exchange begins.


Table 5 States in Quick Mode Exchange

State
Explanation

QM_IDLE

The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.


Table 6 describes significant fields shown in the display.

Table 6 show crypto isakmp sa Field Descriptions

Field
Description

f_vrf/i_vrf

The front door virtual routing and forwarding (FVRF) and the inside VRF (IVRF) of the IKE SA. If the FVRF is global, the output shows f_vrf as an empty field.
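The state tables above are what an operator reads when a VRF's tunnel will not come up: an entry stuck in MM_NO_STATE or MM_KEY_EXCH tells a different story from a QM_IDLE entry with no IPSec SAs behind it. The following Python script is an added example and is not code from the Cisco page: it parses the f_vrf/i_vrf, dst, src and state columns of show crypto isakmp sa and summarises, per FVRF/IVRF pair, how many IKE SAs are established, authenticated, negotiating or larval according to Tables 3 through 5, listing the peers that need attention. SAMPLE is the page's output row plus two constructed rows (the vpn1 peer and the 192.0.2.9 peer).

```python
"""Classify `show crypto isakmp sa` output by IKE state (added example, not
code from the Cisco page). SAMPLE is the page's row plus two constructed rows.
"""
ESTABLISHED = {"QM_IDLE"}
AUTHENTICATED = {"MM_KEY_AUTH", "AG_AUTH"}
NEGOTIATING = {"MM_SA_SETUP", "MM_KEY_EXCH", "AG_INIT_EXCH"}
LARVAL = {"MM_NO_STATE", "AG_NO_STATE"}

SAMPLE = """\
f_vrf/i_vrf    dst             src           state        conn-id    slot
     /vpn2    172.21.114.123  10.1.1.1      QM_IDLE           13       0
 vpn1/vpn1    172.26.1.1      172.16.1.1    MM_KEY_EXCH       14       0
     /        172.26.1.1      192.0.2.9     MM_NO_STATE       15       0
"""


def parse_isakmp_sa(text):
    """One dict per row; an empty f_vrf or i_vrf column means the global table."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header
        parts = line.split()
        if len(parts) != 6:
            continue
        vrfs, dst, src, state, conn_id, slot = parts
        fvrf, ivrf = vrfs.split("/", 1)
        rows.append({"fvrf": fvrf or "global", "ivrf": ivrf or "global",
                     "dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "slot": int(slot)})
    return rows


def classify(state):
    """Map a state name from Tables 3 through 5 to a phase label."""
    for label, states in (("established", ESTABLISHED), ("authenticated", AUTHENTICATED),
                          ("negotiating", NEGOTIATING), ("larval", LARVAL)):
        if state in states:
            return label
    return "unknown"


def summarize(rows):
    """Per (fvrf, ivrf): counts by phase and the peers that are not established.
    Many larval entries from one source usually mean a peer whose proposals
    never agree, or IKE packets that never complete an exchange."""
    out = {}
    for r in rows:
        entry = out.setdefault((r["fvrf"], r["ivrf"]), {"counts": {}, "attention": []})
        phase = classify(r["state"])
        entry["counts"][phase] = entry["counts"].get(phase, 0) + 1
        if phase != "established":
            entry["attention"].append((r["src"], r["state"]))
    return out


if __name__ == "__main__":
    for (fvrf, ivrf), entry in summarize(parse_isakmp_sa(SAMPLE)).items():
        print("%s/%s %s %s" % (fvrf, ivrf, entry["counts"], entry["attention"]))
```

Because the FVRF and IVRF are separate columns, the summary keeps a stuck negotiation in one VPN from being hidden by healthy SAs in another, which is the view the single global show command does not give directly.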


Related Commands

Command
Description

crypto isakmp policy

Defines an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.


show crypto map (IPSec)

To view the crypto map configuration, use the show crypto map command in EXEC mode.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface

(Optional) Displays only the crypto map set applied to the specified interface.

tag map-name

(Optional) Displays only the crypto map set with the specified map-name.


Command Modes

EXEC

Command History

Release
Modification

11.2

This command was introduced.


Examples

The following is sample output for the show crypto map command:

Router# show crypto map

Crypto Map "crypmap" 1 ipsec-isakmp
        Peer = 172.16.1.1
        ISAKMP Profile: vpn1
        Extended IP access list 101
            access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
            access-list 101 permit ip host 192.168.1.1 host 10.2.1.1
            access-list 101 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
        Current peer: 172.16.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ vpn1,

The following configuration was in effect when the above show crypto map command was issued:

crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101

Table 7 describes significant fields in the display.

Table 7 show crypto map Field Descriptions

Field
Description

ISAKMP Profile

The Internet Security Association and Key Management Protocol (ISAKMP) profile that is configured on the crypto map entry.


vrf

To map the IP security (IPSec) tunnel to a Virtual Route Forwarding (VRF) instance, use the vrf command in isakmp profile configuration mode. To remove the VRF, use the no form of this command.

vrf ivrf no vrf ivrf

Syntax Description

ivrf

VRF to which the IPSec tunnel will be mapped.


Defaults

The VRF will be the same as the Front Door Virtual Routing and Forwarding (FVRF).

Command Modes

Isakmp profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Use this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).


Note: This command must be used only when mapping IPSec tunnels from the global VPN to a specific VPN. The command does not support IPSec tunnel mapping between VRFs, for example, from VRF vpn1 to VRF vpn2.

If traffic from the router to a certification authority (CA) (for authentication, enrollment, or obtaining a certificate revocation list) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.


Examples

The following example shows two IPSec tunnels terminated on a global interface and mapped to VPN1 and VPN2:

crypto isakmp profile vpn1
 vrf vpn1
 keyring vpn1
 match identity address 172.16.1.1 255.255.255.255
!
crypto isakmp profile vpn2
 vrf vpn2
 keyring vpn2
 match identity address 10.1.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
crypto map crypmap 3 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set vpn2
 set isakmp-profile vpn2
 match address 102
!
!
interface Ethernet1/2
 ip address 172.26.1.1 255.255.255.0
 crypto map crypmap

The following configuration is invalid because the FVRF is vpn1 (ip vrf forwarding on the interface) while the IVRF is vpn2 (the vrf command in the profile); the tunnel would have to be mapped from one VRF to another, which this feature does not support.

crypto isakmp profile vpn2
 vrf vpn2
 match identity address 172.16.1.1 255.255.255.255
!
crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn2
 set isakmp-profile vpn2
 match address 101
!
interface Ethernet1/2
 ip vrf forwarding vpn1
 ip address 172.26.1.1 255.255.255.0
 crypto map crypmap
!

Glossary

CA—certification authority. CA is an entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.

CLI—command-line-interface. CLI is an interface that allows the user to interact with the operating system by entering commands and optional arguments. The UNIX operating system and DOS provide CLIs.

client—Corresponding IPSec IOS peer of the unit under test (UUT) in the Multiprotocol Label Switching (MPLS) network.

dead peer—IKE peer that is no longer reachable.

DN—Distinguished Name. A DN is the global, authoritative name of an entry in the Open System Interconnection (OSI) Directory (X.500).

FQDN—fully qualified domain name. A FQDN is the full name of a system rather than just its host name. For example, aldebaran is a host name, and aldebaran.interop.com is an FQDN.

FR—Frame Relay. FR is an industry-standard, switched data-link-layer protocol that handles multiple virtual circuits using High-Level Data Link Control (HDLC) encapsulation between connected devices. Frame Relay is more efficient than X.25, the protocol for which it generally is considered a replacement.

FVRF—Front Door Virtual Routing and Forwarding (VRF). FVRF is the VRF used to route the encrypted packets to the peer.

IDB—Interface descriptor block. An IDB subblock is an area of memory that is private to an application. This area stores private information and states variables that an application wants to associate with an IDB or an interface. The application uses the IDB to register a pointer to its subblock, not to the contents of the subblock itself.

IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router, firewall, and host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service.

IKE keepalive—Bidirectional mechanism for determining the liveliness of an IKE peer.

IPSec—Security protocol for IP.

IVRF—Inside Virtual Routing and Forwarding. IVRF is the VRF of the plaintext packets.

MPLS—Multiprotocol Label Switching. MPLS is a switching method that forwards IP traffic using a label. This label instructs the routers and the switches in the network where to forward the packets based on preestablished IP routing information.

RSA—Rivest, Shamir, and Adleman, the inventors of the RSA technique. The RSA technique is a public-key cryptographic system that can be used for encryption and authentication.

SA—Security Association. SA is an instance of security policy and keying material applied to a data flow.

VPN—Virtual Private Network. A VPN enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.

VRF—Virtual Route Forwarding. A VRF is a VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.

XAUTH—Extended authentication. XAUTH is an optional exchange between IKE Phase 1 and IKE Phase 2, in which the router demands additional authentication information in an attempt to authenticate the actual user (as opposed to authenticating the peer).


Note: Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.




Posted: Mon Mar 22 18:36:17 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.