cc/td/doc/product/vpn/solution/aswan15
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Troubleshooting Commands
Show Commands
Clear Commands
Debug Commands

Troubleshooting Commands


Helpful commands for troubleshooting IPSec include the show, clear, and debug commands listed below. This appendix contains examples of these commands.

For a detailed explanation of the show and clear commands and additional examples, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122csum/csum2/index.htm .

For a detailed explanation of the debug commands and additional examples, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122debug/index.htm .

Show Commands

This section describes the following commands:

show cry isakmp sa


Note   The command output below displays an ISAKMP (IKE) security association (SA) table. In the example, an SA exists between 172.21.30.71 and 172.21.30.70. The peer should have an SA entry in the same state as this router's output.

dt1-7ka#show cry isakmp sa
dst src state conn-id slot
172.21.30.70 172.21.30.71 QM_IDLE 47 5
2. show cry isakmp policy

Note   The command output below shows the policy objects configured. In this case, policies 1, 2, and 4 are used, in addition to the default. The policies are proposed to the peer in order, with 1 preferable.

dt1-45a#show cry isakmp policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 180 seconds, no volume limit
Protection suite of priority 2
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 180 seconds, no volume limit
Protection suite of priority 4
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 180 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

show crypto engine configuration

wan2611#show crypto engine configuration
slot: 0
engine name: unknown
engine type: software
serial number: 01496536
platform: rp crypto engine
crypto lib version: 10.0.0
Encryption Process Info:
input queue top: 140
input queue bot: 140
input queue count: 0

show crypto engine connections active

wan2611# show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
9 Serial0 20.20.20.21 set HMAC_SHA 0 240
10 Serial0 20.20.20.21 set HMAC_SHA 240 0

show crypto engine connections dropped-packet

lab-isdn1#show crypto engine connections dropped-packet
Interface IP-Address Drop Count
BRI0 12.12.12.13 4

show crypto ip transform


Note   The configuration below uses the same router as above, but different show commands. The transform proposals, the settings they will negotiate, and the defaults are all provided.

S3-2611-2#show cry ip transform
Transform proposal Elvis: { ah-sha-hmac }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },
{ esp-des }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },
Transform proposal Bubba: { ah-rfc1828 }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },
{ esp-des esp-md5-hmac }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },
Transform proposal BarneyDino: { ah-md5-hmac }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },

show crypto ipsec sa

wan2611#show crypto ipsec sa
interface: Serial0
Crypto map tag: test, local addr. 20.20.20.21
local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (60.60.60.0/255.255.255.0/0/0)
current_peer: 20.20.20.20
PERMIT, flags={origin_is_acl,ident_is_ipsec,}
#pkts encaps: 320, #pkts encrypt: 320, #pkts digest 320
local crypto endpt.: 20.20.20.21, remote crypto endpt.: 20.20.20.20
path mtu 1500, media mtu 1500
current outbound spi: 6625CD
inbound esp sas:
spi: 0x1926112F(421859631)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 11, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607971/3354)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
spi: 0x12050DD2(302321106)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 9, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607958/3354)
replay detection support: Y
outbound esp sas:
spi: 0x3262313(52830995)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 12, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607971/3354)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
spi: 0x6625CD(6694349)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 10, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607958/3354)

replay detection support: Y

show crypto ipsec session/show crypto ipsec sa


Note   The command output below shows the current IPSec security associations of this router, which is configured for AH SA for both incoming and outgoing traffic.

S3-2611-2#show cry ipsec session
Session key lifetime: 4608000 kilobytes/3600 seconds
S3-2611-2#show cry ipsec sa
interface: Ethernet0
Crypto map tag: ToOtherRouter, local addr. 192.168.1.2
local ident (addr/mask/prot/port): (192.168.45.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 5, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 25081A81
inbound esp sas:
inbound ah sas:
spi: 0x1EE91DDC(518594012)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 16, crypto map: ToOtherRouter
sa timing: remaining key lifetime (k/sec): (4608000/3423)
replay detection support: Y
outbound esp sas:
outbound ah sas:
spi: 0x25081A81(621288065)
transform: ah-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 17, crypto map: ToOtherRouter
sa timing: remaining key lifetime (k/sec): (4608000/3424)
replay detection support: Y

show crypto ipsec session-key

wan2611#show crypto ipsec session-key
Session key lifetime: 4608000 kilobytes/3600 seconds
wan2611#show crypto ipsec transform-proposal
Transform proposal auth2: { ah-sha-hmac }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },
{ esp-des esp-sha-hmac }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },

show crypto isakmp policy

wan2611#show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 240 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

show crypto isakmp sa

lab-isdn1#show crypto isakmp sa
dst src state conn-id slot
12.12.12.12 12.12.12.13 QM_IDLE 4 0
lab-isdn1#show crypto ipsec sa
interface: BRI0
Crypto map tag: test, local addr. 12.12.12.13
local ident (addr/mask/prot/port): (40.40.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer: 12.12.12.12
PERMIT, flags={origin_is_acl,ident_is_ipsec,}
#pkts encaps: 89, #pkts encrypt: 89, #pkts digest 89
#pkts decaps: 89, #pkts decrypt: 89, #pkts verify 89
#send errors 11, #recv errors 0
local crypto endpt.: 12.12.12.13, remote crypto endpt.: 12.12.12.12
path mtu 1500, media mtu 1500
current outbound spi: 6B024AB
inbound esp sas:
spi: 0x21240B07(556010247)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 7, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607989/3062)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
spi: 0x4F60465(83231845)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607984/3062)
replay detection support: Y
outbound esp sas:
spi: 0x19591660(425268832)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 8, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607989/3062)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
spi: 0x6B024AB(112207019)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607984/3062)
replay detection support: Y
lab-isdn1#show crypto ipsec session-key
Session key lifetime: 4608000 kilobytes/3600 seconds
lab-isdn1#show crypto ipsec transform-proposal
Transform proposal mypolicy: { ah-sha-hmac }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },
{ esp-des esp-sha-hmac }
supported settings = { Tunnel, },
default settings = { Tunnel, },
will negotiate = { Tunnel, },
lab-isdn1#show crypto map interface bri 0
Crypto Map "test" 10 ipsec-isakmp
Peer = 12.12.12.12
Extended IP access list 144
access-list 144 permit ip
source: addr = 40.40.40.0/0.0.0.255
dest: addr = 20.20.20.0/0.0.0.255
Current peer: 12.12.12.12
Session key lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform proposals={ mypolicy, }
lab-isdn1#show crypto map tag test
Crypto Map "test" 10 ipsec-isakmp
Peer = 12.12.12.12
Extended IP access list 144
access-list 144 permit ip
source: addr = 40.40.40.0/0.0.0.255
dest: addr = 20.20.20.0/0.0.0.255
Current peer: 12.12.12.12
Session key lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N

Transform proposals={ mypolicy, }

show crypto map


Note   The command output below shows the crypto map command, the ACLs and the transform proposals applied to this crypto map, the peers, and the key lifetime.

S3-2611-2#show cry map
Crypto Map "ToOtherRouter" 10 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list 101
access-list 101 permit ip
source: addr = 192.168.45.0/0.0.0.255
dest: addr = 192.168.3.0/0.0.0.255
Connection Id = UNSET (0 established, 0 failed)
Current peer: 192.168.1.1
Session key lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform proposals={ Elvis, Bubba, BarneyDino, }

show crypto map interface serial 0

wan2611#show crypto map interface serial 0
Crypto Map "test" 10 ipsec-isakmp
Peer = 20.20.20.20
Extended IP access list 133
access-list 133 permit ip
source: addr = 50.50.50.0/0.0.0.255
dest: addr = 60.60.60.0/0.0.0.255
Current peer: 20.20.20.20
Session key lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform proposals={ auth2, }

show crypto map tag test

wan2611#show crypto map tag test
Crypto Map "test" 10 ipsec-isakmp
Peer = 20.20.20.20
Extended IP access list 133
access-list 133 permit ip
source: addr = 50.50.50.0/0.0.0.255
dest: addr = 60.60.60.0/0.0.0.255
Current peer: 20.20.20.20
Session key lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform proposals={ auth2,}

Clear Commands

This section describes the following commands:

clear crypto isakmp

lab-isdn1#clear crypto isakmp
lab-isdn1#
*Mar 21 20:58:34.503: ISADB: reaper checking SA, conn_id = 4 DELETE IT!
*Mar 21 20:58:34.507: generate hmac context for conn id 4
*Mar 21 20:58:34.519: CRYPTO(epa_release_crypto_conn_entry): released conn 4
lab-isdn1#

clear crypto sa

lab-isdn1#clear crypto sa
lab-isdn1#
*Mar 21 20:58:42.495: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 12.12.12.13, sa_prot= 51,
sa_spi= 0x4F60465(83231845),
sa_trans= ah-sha-hmac , sa_conn_id= 5
*Mar 21 20:58:42.499: CRYPTO(epa_release_crypto_conn_entry): released conn 5
*Mar 21 20:58:42.499: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 12.12.12.12, sa_prot= 51,
sa_spi= 0x6B024AB(112207019),
sa_trans= ah-sha-hmac , sa_conn_id= 6
*Mar 21 20:58:42.503: CRYPTO(epa_release_crypto_conn_entry): released conn 6
*Mar 21 20:58:42.503: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 12.12.12.13, sa_prot= 50,
sa_spi= 0x21240B07(556010247),
*Mar 21 20:58:42.507: CRYPTO(epa_release_crypto_conn_entry): released conn 7
*Mar 21 20:58:42.507: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 12.12.12.12, sa_prot= 50,
sa_spi= 0x19591660(425268832),
sa_trans= esp-des esp-sha-hmac , sa_conn_id= 8
*Mar 21 20:58:42.511: CRYPTO(epa_release_crypto_conn_entry): released conn 8
lab-isdn1#

Debug Commands

This section provides sample outputs from executing the debug command during a normal IKE/IPSec session between two routers. The routers in the example use a pre-shared key. The source router has the debug cry isakmp and debug cry ipsec commands enabled. The peer has the same two commands, plus the debug ip packet command enabled.

For information on debug scenarios that illustrate configuration problems (for example, a policy mismatch), see "Sample Problem Scenarios."

Configuring on the Source Router

dt3-4kb#ping 192.168.10.66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.66, timeout is 2 seconds:
IPSEC(sa_request): ,
(key eng. msg.) SRC= 192.168.10.38, dest= 192.168.10.66,
src_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168.10.66/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-rfc1829 ,
lifedur= 190s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
IPSEC(sa_request): ,
(key eng. msg.) SRC= 192.168.10.38, dest= 192.168.10.66,
src_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168..10.66/255.255.255.255/0/0 (type=1),
protocol= AH, transform= ah-md5-hmac ,
lifedur= 190s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
IPSEC(sa_request): ,
(key eng. msg.) SRC= 192.168.10.38, dest= 192.168.10.66,
src_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168.10.66/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des ,
lifedur= 190s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
IPSEC(sa_request): ,
(key eng. msg.) SRC= 192.168.10.38, dest= 192.168.10.66,
src_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168.10.66/255.255.255.255/0/0 (type=1),
protocol= AH, transform= ah-rfc1828 ,
lifedur= 190s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

Note that the router offers all of the available transforms to the peer.

ISAKMP (134): beginning Main Mode exchange
ISAKMP (134): processing SA payload. message ID = 0
ISAKMP (134): Checking ISAKMP transform 1 against priority 1 policy
ISAK.!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 8/8/8 ms
dt3-4kb#MP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (134): atts are acceptable. Next payload is 0
ISAKMP (134): SA is doing pre-shared key authentication
ISAKMP (134): processing KE payload. message ID = 0
ISAKMP (134): processing NONCE payload. message ID = 0
ISAKMP (134): SKEYID state generated
ISAKMP (134): processing ID payload. message ID = 0
ISAKMP (134): processing HASH payload. message ID = 0
ISAKMP (134): SA has been authenticated
ISAKMP (134): beginning Quick Mode exchange, M-ID of -1517735742
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 383061134 for SA
from 192.168.10.66 to 192.168.10.38 for prot 3
IPSEC(spi_response): getting spi 542967145 for SA
from 192.168.10.66 to 192.168.10.38 for prot 2
IPSEC(spi_response): getting spi 359212595 for SA
from 192.168.10.66 to 192.168.10.38 for prot 3
IPSEC(spi_response): getting spi 366153874 for SA
from 192.168.10.66 to 192.168.10.38 for prot 2
ISAKMP (134): processing SA payload. message ID = -1517735742
ISAKMP (134): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES_IV64
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 190
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of
0x0 0x46 0x50 0x0
ISAKMP (134): atts are acceptable.

If debug entries appear for ISAKMP even after the IKE has been established, remember that IKE is the entity that negotiates IPSec SAs on behalf of IPSec.

IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.168.10.66, SRC= 192.168.10.38,
dest_proxy= 192.168.10.66/255.255.255.255/0/0 (type=1),
src_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-rfc1829 ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (134): processing NONCE payload. message ID = -1517735742
ISAKMP (134): processing ID payload. message ID = -1517735742
ISAKMP (134): processing ID payload. message ID = -1517735742
ISAKMP (134): Creating IPSec SAs
inbound SA from 192.168.10.66 to 192.168.10.38 (proxy
192.168.10.66 to 192.168.10.38 )
has spi 383061134 and conn_id 135 and flags 4
lifetime of 190 seconds
lifetime of 4608000 kilobytes
outbound SA from 192.168.10.38 to 192.168.10.66 (proxy
192.168.10.38 to 192.168.10.66 )
has spi 138874178 and conn_id 136 and flags 4
lifetime of 190 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 192.168.10.38, SRC= 192.168.10.66,
dest_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
src_proxy= 192.168.10.66/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-rfc1829 ,
lifedur= 190s and 4608000kb,
spi= 0x16D50C8E(383061134), conn_id= 135, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) SRC= 192.168.10.38, dest= 192.168.10.66,
src_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168.10.66/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-rfc1829 ,
lifedur= 190s and 4608000kb,
spi= 0x8470D42(138874178), conn_id= 136, keysize= 0, flags= 0x4
IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.10.38, sa_prot= 50,
sa_spi= 0x16D50C8E(383061134),
sa_trans= esp-rfc1829 , sa_conn_id= 135
IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.10.66, sa_prot= 50,
sa_spi= 0x8470D42(138874178),
sa_trans= esp-rfc1829 , sa_conn_id= 136

The lines above show that IPSec SAs have been created and encrypted traffic can now pass.

dt3-4kb#ping 192.168.10.66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/12 ms
dt3-4kb#

Run the show command on the source router following IKE/IPSec negotiation.

dt3-4kb#show cry is sa
dst src state conn-id slot
192.168.10.66 192.168.10.38 QM_IDLE 134 0
dt3-4kb#show cry is pol
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
dt3-4kb#
dt3-4kb#show cry ipsec sa
interface: TokenRing0
interface: Ethernet0
Crypto map tag: armadillo, local addr. 192.168.10.38
local ident (addr/mask/prot/port): (192.168.10.38/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.66/255.255.255.255/0/0)
current_peer: 192.168.10.66
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.10.38, remote crypto endpt.:
192.168.10.66
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
outbound esp sas:
outbound ah sas:

The peer router shows the same ping sequence on the destination router.

dt3-45a#
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 100, rcvd 1
ISAKMP (165): processing SA payload. message ID = 0
ISAKMP (165): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (165): atts are acceptable. Next payload is 0
ISAKMP (165): SA is doing pre-shared key authentication
IP: s=192.168.10.66 (local), d=192.168.10.38 (Ethernet0), len 100, sending
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 180, rcvd 1
ISAKMP (165): processing KE payload. message ID = 0
ISAKMP (165): processing NONCE payload. message ID = 0
ISAKMP (165): SKEYID state generated
IP: s=192.168.10.66 (local), d=192.168.10.38 (Ethernet0), len 180, sending
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 96, rcvd 1
ISAKMP (165): processing ID payload. message ID = 0
SAKMP (165): processing HASH payload. message ID = 0
ISAKMP (165): SA has been authenticated
IP: s=192.168.10.66 (local), d=192.168.10.38 (Ethernet0), len 96, sending
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 328, rcvd 1
ISAKMP (165): processing SA payload. message ID = -1517735742
ISAKMP (165): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES_IV64
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 190
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of
0x0 0x46 0x50 0x0
ISAKMP (165): atts are acceptable

IKE performs its operation and then starts IPSec.

IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.168.10.66, SRC= 192.168.10.38,
dest_proxy= 192.168.10.66/255.255.255.255/0/0 (type=1),
src_proxy= 192.168.10.38/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-rfc1829 ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (165): processing NONCE payload. message ID = -1517735742
ISAKMP (165): processing ID payload. message ID = -1517735742
ISAKMP (165): processing ID payload. message ID = -1517735742
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 138874178 for SA
from 192.168.10.38 to 192.168.10.66 for prot 3
IP: s=192.168.10.66 (local), d=192.168.10.38 (Ethernet0), len 184, send
ing
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 80, rcvd 1
ISAKMP (165): Creating IPSec SAs
inbound SA from 192.168.10.38 to 192.168.10.66 (proxy
192.168.10.38 to 192.168.10.66 )
has spi 138874178 and conn_id 166 and flags 4
lifetime of 190 seconds
lifetime of 4608000 kilobytes
outbound SA from 192.168.10.66 to 192.168.10.38 (proxy
192.168.10.66 to 192.168.10.38 )
has spi 383061134 and conn_id 167 and flags 4
lifetime of 190 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 192.168.10.66, SRC= 192.168.10.38,
dest_proxy= 192.168.10.66/0.0.0.0/0/0 (type=1),
src_proxy= 192.168.10.38/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-rfc1829 ,
lifedur= 190s and 4608000kb,
spi= 0x8470D42(138874178), conn_id= 166, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) SRC= 192.168.10.66, dest= 192.168.10.38,
src_proxy= 192.168.10.66/0.0.0.0/0/0 (type=1),
dest_proxy= 192.168.10.38/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-rfc1829 ,
lifedur= 190s and 4608000kb,
spi= 0x16D50C8E(383061134), conn_id= 167, keysize= 0, flags= 0x4
IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.10.66, sa_prot= 50,
sa_spi= 0x8470D42(138874178),
sa_trans= esp-rfc1829 , sa_conn_id= 166
IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.10.38, sa_prot= 50,
sa_spi= 0x16D50C8E(383061134),
sa_trans= esp-rfc1829 , sa_conn_id= 167
ISADB: reaper checking SA, conn_id = 165
!-- The IPSec SAs are created, and now we see the packets going back and forth.
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 136, rcvd 1
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 100, rcvd 1
IP: s=192.168.10.66 (local), d=192.168.10.38 (Ethernet0), len 100, sending
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 136, rcvd 1
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 100, rcvd 1
IP: s=192.168.10.66 (local), d=192.168.10.38 (Ethernet0), len 100, sending
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 136, rcvd 1
IP: s=192.168.10.38 (Ethernet0), d=192.168.10.66, len 100, rcvd 1
IP: s=192.168.10.66 (local), d=192.168.10.38 (Ethernet0), len 100, sending
dt3-45a#

Show Commands on the Peer Router

The following illustrates a series of show command output after IKE/IPSec negotiation has taken place.

dt3-45a#show cry isakmp sa
dst src state conn-id slot
192.168.10.66 192.168.10.38 QM_IDLE 165 0
dt3-45a#show cry isakmp pol
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit
keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit
keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
dt3-45a#show cry ipsec sa
interface: TokenRing0
interface: Ethernet0
Crypto map tag: armadillo, local addr. 192.168.10.66
local ident (addr/mask/prot/port):
(192.168.10.66/255.255.255.255/0dt3-45a#sho cry isakmp sa
dst src state conn-id slot
192.168.10.66 192.168.10.38 QM_IDLE 165 0
dt3-45a#show cry isakmp pol
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit
keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit
keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
dt3-45a#show cry ipsec sa
interface: TokenRing0
interface: Ethernet0
Crypto map tag: armadillo, local addr. 192.168.10.66
local ident (addr/mask/prot/port): (192.168.10.66/255.255.255.255/0
/0)
remote ident (addr/mask/prot/port): (192.168.10.38/255.255.255.255/0/0)
current_peer: 192.168.10.38
PERMIT, flags={origin_isakmp_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.10.66, remote crypto endpt.:
192.168.10.38
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
outbound esp sas:
outbound ah sas:
dt3-45a#show cry map
Crypto Map "armadillo" 1 ipsec-isakmp
Peer = 192.168.10.38
Extended IP access list 101
access-list 101 permit ip
source: addr = 192.168.10.66/0.0.0.0
dest: addr = 192.168.10.38/0.0.0.0
Connection Id = UNSET (0 established, 0 failed)
Current peer: 192.168.10.38
Session key lifetime: 4608000 kilobytes/190 seconds
PFS (Y/N): N
Transform proposals={ MamaBear, PapaBear, BabyBear, }
dt3-45a#

ICMP Echo Request

The following comments address each section of the output and relate the collected information back to the functioning of IKE defined by the RFCs.

These lines show the entry of the ping command and the message generated to the operator indicating that the operation has started.

R1# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

The next lines show the SPD entries for the SA that are included in the SA payload as the proposal and associated transform sets. These lines display the SPD's identification of the destination and source, which allows the definition of packet security. A single protocol is configured, resulting in one proposal that contains two transform sets: DES encryption and HAMC-MD5 authentication. These lines define neither a lifetime limit nor a maximum data transmission; instead, the default settings define these values.


Note   The maximum data is a default unit of 4 GB. Because the configuration does not define a lifetime value or an attribute, 4 GB is assumed to be the maximum data possible for the ISA. This value is realized by setting the 32-bit attribute in the SA transform set to 0x0 0x46 0x50 0x0. In addition, Phase 1 operations use cookies for IKE SA creation, and the SPI is set to zero. The connection ID is zero, because this packet is the first generated for the VPN. No keys are defined, because DH has not transpired, and the algorithms in the proposal have not been accepted.

IPSEC(sa_request):
(key eng. msg.) src = 10.1.1.2, dest = 10.1.1.1,
src_proxy = 10.1.0.0/255.255.0.0/0/0 (type = 4)
dest_proxy = 10.1.0.0/255.255.0.0/0/0 (type = 4),
protocol = ESP, transform = esp-des esp-md5-hmac,
lifedur = 3600s and 4608000kb,
spi = 0 x 0(0), conn_id =0, keysize=0, flags = 0 x 4004

The main mode starts.

ISAKMP (10): beginning Main Mode exchange
ISAKMP (10): sending packet to 10.1.1.1 (I) MM_NO_STATE
ISAKMP (10): received packet from 10.1.1.1 (I) MM_NO_STATE
ISAKMP (10): processing SA payload, message ID = 0

The section below shows the sending of the Main Mode packet (containing the ISAKMP header and SA payload information) to R2. The responder replies with a single proposal previously established in the original proposal from R1. Should several proposals be provided to R2, only one could be selected and returned unchanged.

This section shows that the SA information has been received from R2. You must to verify the proposal's data has not been changed, and that the accepted proposal is valid according to the policy maintained within the SPD. This section's final line shows that the payload is processed and accepted. The "next payload" statement indicates that the return proposal's generic header is at the end of the SA payload data chain.

ISAKMP (10): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (10): atts are acceptable. Next payload is 0

The line below shows the router's understanding of the ISAKMP as a pre-shared key b based on the peer's IP address. On this basis, the router makes an alignment for computation. ISAKMP (10): SA is doing pre-shared key authentication using id type ID_IP_IPV4_ADDR. The lines below detail the exchange of the third and fourth IKE payloads containing the nonces and public DH values. After this information is obtained and verified, the keys can be created.

The size and number of keys are indicated by the proposal payload information agreed upon in the first two messages. The two systems assume that a limited relationship has been formed, based solely on the peer's IP address and associated policies. The grouping's final line indicates that the keys have been generated. Note that the SKEYID is generated by the responder prior to sending its KE and nonce payloads to the initiator. In so doing, the responder is prepared for future exchanges. However, it has committed to the generation of the key prior to the initiator or any solid authentication. Therefore, this order of events could be processed as a "weakness" and possible denial-of-service against the router. Because the initiator can send only a few messages to the responder that could result in the responder's creation of keys, the initiator is free to flood the responder, consuming system resources.

ISAKMP (10): sending packet to 10.1.1.1 (I) MM_SA_SETUP
ISAKMP (10): receiving packet from 10.1.1.1 (I) MM_SA_SETUP
ISAKMP (10): processing KE payload. message ID = 0
ISAKMP (10): processing NONCE payload. message ID = 0
ISAKMP (10): SKEYID state generated

The following lines add one more attribute to the payload chain, taking advantage of the optional vendor ID payload entry.

ISAKMP (10): processing vendor id payload
ISAKMP (10): speaking to another IOS box!

The following section displays the creation of the ID payload to be presented to the responder. The "next-payload" type of 8 signifies that the HASH_I is to follow. The type of 1 states that the ID payload will contain the IP address of the initiator. The authentication process assumes type 1 from payloads 1 and 2. However, by providing the proper ID payload, there is no confusion, especially if NAT is involved. Protocol and port are defined by the IPSec DOI to be included. For ISAKMP, the protocol is UDP (17), and the port is 500.


Note   The "length statement," as opposed to the total length statement, can be confusing. The RFC states that the length represents the payload and the generic header. From the information gathered, it appears that the router calculates the generic header length rather than assumes the entire payload and header.

ISAKMP (10): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (10): Total payload length : 12

In the lines below, the last two exchanges (packets 5 and 6) are performed and finalize the ISA. The fact that this information is encrypted is not detailed in the debug data from R1. The HASH included in the payloads serves to authenticate both the message and the information gathered to this point. Because the ID payload is included in the exchange, it is used as part of the HASH. Other information included in the HASH was exchanged previously. A good example is that cookies are included in the HASH which were shared in the original ISAKMP header. Also included in the HASH are the DH public values that were created by the initiator and received by the responder.

Using the HASH exchanged in the last few packets validates all the peer information. Note that if the password is incorrect, the key generation is based on bad information contained in disparate databases. The result is that the final exchange is decrypted into nonsense causing several vague errors to arise.

Preshared key authentication is very popular, especially with remote access solutions, but there are several weaknesses inherent to the process. At this point, IKE Phase I is complete, and Phase II can begin to create SAs for IPSec operations.

ISAKMP (10): sending packet to 10.1.1.1 (I) MM_KEY_EXCH
ISAKMP (10): received packet from 10.1.1.1 (I) MM_KEY_EXCH
ISAKMP (10): processing ID payload. message ID = 0
ISAKMP (10): processing HASH payload. message ID = 0
ISAKMP (10): SA has been authenticated with 10.1.1.1

The section below shows that R2 has followed through with VPN establishment and has initiated Quick Mode. Note "for prot 3." Protocol 3 is the IPSec domain of interpretation (DOI) identification for IPSec ESP. This can become confusing when it is known that the protocol ID for ESP is 50, but the prot 3 designation is strictly the IPSec's DOI for the Phase II quick mode (QM) negotiation. The SA proposal from R2 that includes the transform sets is missing. In the beginning of the original IKE exchange, you see the identification of ESP, the encryption identification, and the authentication algorithm to utilize.


Note   It is important to recognize that the SA payload is defined, authenticated (HASHed) and included in the first QM packet. The creation of the transform set was not part of the R2 debug. All data is encrypted using the keys derived from Phase 1.

ISAKMP (10): beginning Quick Mode exchange, M-ID of 953616512
IPSEC (key_engine) : got a queue event...
IPSEC (spi_response) : getting spi 413467620 for SA
from 10.1.1.1 to 10.1.1.2 for prot 3
ISAKMP (10): sending packet to 10.1.1.1 (I) QM_IDLE
ISAKMP (10): received packet from 10.1.1.1 (I) QM_IDLE
ISAKMP (10): processing SA payload. message ID = 953616512
ISAKMP (10): Checking IPsec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0 x 0 0 x 46 0 x 50 0 x 0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (10): atts are acceptable.

In the following section, the QM packets are exchanged and R1 once again validates the proposal from R2 against the SPD. The line "encap 1" specifies that the SA will use IP encapsulation; therefore, it is a tunnel mode ESP SA. Again, the lifetime is in seconds and kilobytes, which should look familiar from Phase 1. Finally, the authentication type to be used for the SA is derived.

ISAKMP (10): processing NONCE payload. message ID = 953616512
ISAKMP (10): processing ID payload. message ID = 953616512

After the proposals are validated against the SPD, the packets' nonce and ID are processed.

ISAKMP (10): Creating IPsec SAs
inbound SA from 10.1.1.1 to 10.1.1.2 (proxy 10.1.0.0 to 10.1.0.0)
has spi 413467620 and conn_id 11 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.1.1.2 to 10.1.1.1 (proxy 10.1.0.0 to 10.1.0.0)
has spi 55772818 and conn_id 12 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes

The section above shows the creation of the SAs; the SPD reflects the policies in the log. The SPD and the SAD communicate to ensure that the SAD creates according to policy requirements.

IPSEC (key_engine) : got a queue event...
IPSEC (initialize_sas): ,
(key eng. msg.) dest = 10.1.1.2, src = 10.1.1.1,
dest_proxy = 10.1.0.0/255.255.0.0/0/0 (type = 4),
src_proxy = 10.1.0.0/255.255.0.0/0/0 (type = 4),
protocol = ESP, transform = esp-des esp-md5-hmac
lifedur = 3600s and 4608000kb
spi = 0 x 18A503E4 (413467620), conn_id = 11, keysize = 0, flags = 0 x 4
IPSEC(initialize_sas): ,
(key eng. msg.) src = 10.1.1.2, dest = 10.1.1.1,
src_proxy = 10.1.0.0/255.255.0.0/0/0 (type = 4),
dest_proxy = 10.1.0.0/255.255.0.0/0/0 (type = 4),!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
R1#
protocol = ESP, transform = esp-des esp-md5-hmac,
lifedur = 3600s and 460800kb,
spi = 0 x 3530692 (55772818), conn_id = 12, keysize = 0, flags = 0 x 4

In the above section, the key engine receives an event to initialize an SA. The source and destinations are verified, and the SA proposals containing the necessary transform sets are compiled. These proposals are simply words in a log that reflect the creation of the ISAKMP data to be handed off to the ESP header and associated operations. As the process is completed, and the VPN is established, the results of the original ping command are displayed. The ping used to initiate the VPN is displayed. The time required for the establishment of the VPN exceeds the time taken for the first ICMP echo request. Therefore, ".!!!!," appears, which indicates that the first echo reply was not received.

The VPN created in this environment is established on Ethernet with no other processes running on the router. The routers in the test are establishing a simple VPN over a high-speed connection. Consequently, the establishment may seem very fast, only a 5-ms average round trip that includes a 20 percent loss in packets. The process is slow. In some real-world implementations, only the second ping command showed successful packets; even then the success rate was limited to the final datagrams. Consequently, this example shows that key creation and establishment of a VPN can have significant impact on system resources.

IPSEC (create_sa): sa created,
(sa) sa_dest = 10.1.1.2, sa_prot = 50
sa_spi = 0 x 18A503E4 (413467620),
sa_trans = esp-des esp-md5-hmac, sa_conn_id = 11
IPSEC (create_sa): sa created,
(sa) sa_dest = 10.1.1.1, sa_prot = 50
sa_spi = 0 x 3530692 (55772818),
sa_trans = esp-des esp-md5-hmac, sa_conn_id = 12
ISAKMP (10): sending packet to 10.1.1.1 (I) QM_IDLE

The router now displays the current SA's status. The SPIs relate to the two SAs and can be used to identify and track the activities of the respective SAs. The following is the result of a command that displays the ISAKMP SA status and allows the verification of actions within the SAs. The show crypto isakmp sa command provides a detailed list of security association attributes and statistics. The command output provides not only the IKE SA information, but offers the IPSec SA data, as well, for both protocols. This command is very valuable in troubleshooting and allows the operator to determine the system configuration.

R1#sh crypto isakmp sa
Crypto map tag: VPN-TO-R2, local addr. 10.1.1.2
local ident (addr/mask/prot/port):
(10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port):
(10.1.0.0/255.255.0.0/0/0)
current_peer: 10.1.1.1
PERMIT, flag = {origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
#send errors 2, #recv errors 0
local crypto endpt.: 10.1.1.2, remote crypto
endpt.: 10.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 188913E4

Within the command output, four areas detail the existing inbound and outbound SAs. The report includes sections that identify the two possible security protocols. In this example, however, there are no AH SAs, because only the ESP security protocol was used.

inbound esp sas:
spi: 0 x 18A503E4 (413467620)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 11, crypto map: VPN-TO-R2
sa timing: remaining key lifetime (k/sec):
(4607999/3460)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0 x 3530692(55772818)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 11, crypto map: VPN-TO-R2
sa timing: remaining key lifetime (k/sec):
(4607999/3460)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:

hometocprevnextglossaryfeedbacksearchhelp
Posted: Tue May 20 05:24:16 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.