
Table of Contents

Upgrading to VRF-Aware IPSec
Sample Legacy Configuration
Upgraded Configuration with VRF-Aware IPSec
IPSec Debug Session

Upgrading to VRF-Aware IPSec


Cisco IOS Release 12.2(15)T introduces the VRF-Aware IPSec feature, which maps IP Security (IPSec) tunnels to Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). With it, tunnels from several customers can terminate on a single public-facing address, and the decrypted traffic of each tunnel is forwarded in its own Virtual Routing and Forwarding (VRF) instance.

For more information on VRF-Aware IPSec, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm#wp1027129.

A legacy IPSec configuration needs only minor changes to work with the VRF-Aware IPSec feature.

This appendix provides a sample legacy IPSec configuration, the same configuration upgraded for VRF-Aware IPSec, and the debug output of an IKE negotiation on the upgraded router, which shows the keyring lookup for the peer and the VRF binding of the resulting IPSec SAs.

Sample Legacy Configuration

7200-UUT#show config
Using 5627 out of 129016 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 7200-UUT
!
boot system flash disk0:c7200-jk9o3s-mz.122-13.T1
logging queue-limit 100
enable password lab
!
aaa new-model
!
aaa authentication login cisco-client group radius
aaa authentication login juniper-client group radius
aaa authorization network cisco-client group radius
aaa authorization network juniper-client group radius
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
ip subnet-zero
!
no ip domain lookup
!
ip vrf cisco
rd 100:100
route-target export 100:100
route-target import 100:100
!
ip vrf juniper
rd 200:200
route-target export 200:200
route-target import 200:200
!
ip cef
mpls label protocol ldp
mpls ldp logging neighbor-changes
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key bridge address 11.1.1.2 no-xauth
crypto isakmp key last address 12.1.1.2 no-xauth
crypto isakmp nat keepalive 200
crypto isakmp xauth timeout 90
!
crypto ipsec transform-set aswan esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic 1
set transform-set aswan
reverse-route
crypto dynamic-map dynamic 2
set transform-set aswan
reverse-route
!
crypto map vpn client authentication list cisco-client
crypto map vpn isakmp authorization list cisco-client
crypto map vpn client configuration address respond
crypto map vpn 1 ipsec-isakmp dynamic dynamic
crypto map vpn 2 ipsec-isakmp
set peer 11.1.1.2
set transform-set aswan
match address 100
reverse-route
!
crypto map jvpn client authentication list juniper-client
crypto map jvpn isakmp authorization list juniper-client
crypto map jvpn client configuration address respond
crypto map jvpn 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set aswan
match address 110
reverse-route
crypto map jvpn 2 ipsec-isakmp dynamic dynamic
!
xsm
xsm vdm
xsm edm
!
voice call carrier capacity active
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
controller ISA 1/1
!
interface Loopback0
ip address 200.1.1.1 255.255.255.255
no ip mroute-cache
!
interface Loopback12
ip vrf forwarding cisco
ip address 6.6.6.6 255.255.255.255
!
interface Loopback100
no ip address
!
interface Loopback501
ip vrf forwarding juniper
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex full
no cdp enable
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding cisco
ip address 20.1.1.1 255.255.255.0
crypto map vpn
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip vrf forwarding juniper
ip address 20.2.2.1 255.255.255.0
crypto map jvpn
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 20.3.3.1 255.255.255.0
!
interface ATM4/0
no ip address
no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
ip address 172.16.100.1 255.255.255.0
pvc 1/101
broadcast
encapsulation aal5snap
!
tag-switching ip
!
interface FastEthernet5/0
ip address 100.1.1.147 255.255.255.0
no ip mroute-cache
duplex full
no cdp enable
!
interface FastEthernet6/0
no ip address
shutdown
duplex half
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 172.16.100.2 remote-as 200
no auto-summary
!
address-family vpnv4
neighbor 172.16.100.2 activate
neighbor 172.16.100.2 send-community extended
no auto-summary
exit-address-family
!
address-family ipv4 vrf juniper
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf cisco
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip local pool pool1 10.13.13.1 10.13.13.13
ip local pool pool2 10.13.13.1 10.13.13.13 group jclient
ip classless
ip route 11.1.1.2 255.255.255.255 FastEthernet0/0.1
ip route 11.1.2.2 255.255.255.255 FastEthernet0/0.1
ip route 12.1.1.2 255.255.255.255 FastEthernet0/0.2
ip route 12.1.2.2 255.255.255.255 FastEthernet0/0.2
ip route vrf cisco 11.1.1.2 255.255.255.255 20.1.1.2
ip route vrf cisco 11.1.2.2 255.255.255.255 20.1.1.2
ip route vrf juniper 12.1.1.2 255.255.255.255 20.2.2.2
ip route vrf juniper 12.1.2.2 255.255.255.255 20.2.2.2
no ip http server
no ip http secure-server
!
!
ip radius source-interface FastEthernet5/0
!
access-list 100 permit ip 172.18.200.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 permit ip 195.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
radius-server attribute 44 include-in-access-req
radius-server host 100.1.1.4 auth-port 1645 acct-port 1646
radius-server key nsite
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password lab
line vty 5 15
!
!
end

Upgraded Configuration with VRF-Aware IPSec

The upgraded configuration is shown below.


Note   Changes to the sample legacy configuration are noted within the configuration.


Note   You must add a keyring, bound to the VRF with the vrf keyword, that holds the preshared key of every remote peer reached through that VRF. Do not remove the existing crypto isakmp key entries.

New Configuration:
Building configuration...
Current configuration : 5599 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 7200-UUT
!

Note the upgrade to Cisco IOS Release 12.2(15)T.

boot system flash disk0:c7200-jk9s-mz.122-15.T
logging queue-limit 100
enable password lab
!
aaa new-model
!
!
aaa authentication login cisco-client group radius
aaa authentication login juniper-client group radius
aaa authorization network cisco-client group radius
aaa authorization network juniper-client group radius
aaa accounting network acc start-stop broadcast group radius
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf cisco
rd 100:100
route-target export 100:100
route-target import 100:100
!
ip vrf juniper
rd 200:200
route-target export 200:200
route-target import 200:200
!
ip cef
mpls label protocol ldp
mpls ldp logging neighbor-changes
!
!

Below are the necessary upgrade commands. The crypto keyring command defines a keyring of keys to be used during Internet Key Exchange (IKE) authentication; its vrf keyword binds the keyring to the front-door VRF (FVRF), the VRF of the interface that carries the crypto map and receives the peer's IKE packets. The pre-shared-key command defines, inside that keyring, the preshared key for one peer address. In this sample the FVRF and the inside VRF (IVRF) into which the decrypted traffic is forwarded are the same VRF, which is why the debug session later reports f_vrf/i_vrf as cisco/cisco.

crypto keyring cisco-peer vrf cisco
pre-shared-key address 11.1.1.2 key bridge
crypto keyring juniper-peer vrf juniper
pre-shared-key address 12.1.1.2 key last

This ends the necessary upgrade commands.
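The following added Python example (not code from the Cisco page) automates the step just described for a legacy configuration of this shape: it collects every static peer of each crypto map, determines the VRF of the interface on which that crypto map is applied, and emits the crypto keyring and pre-shared-key commands to add. The configuration excerpt embedded in it is constructed from the legacy 7200-UUT configuration above, and the <vrf>-peer keyring naming follows the sample upgrade; both are assumptions of the example, not output produced by the page.

```python
"""Derive VRF-aware IPsec keyring commands from a legacy IOS configuration.

Added example, not from the Cisco page: a static IKE peer belongs to the VRF
of the interface that carries its crypto map, so the matching global
'crypto isakmp key' must be repeated in a keyring bound to that VRF.
The excerpt below is constructed from the 7200-UUT legacy config; the
'<vrf>-peer' keyring name is an assumption that matches the sample upgrade.
"""
import re
from collections import defaultdict

LEGACY_CONFIG = """\
crypto isakmp key bridge address 11.1.1.2 no-xauth
crypto isakmp key last address 12.1.1.2 no-xauth
!
crypto map vpn 1 ipsec-isakmp dynamic dynamic
crypto map vpn 2 ipsec-isakmp
 set peer 11.1.1.2
!
crypto map jvpn 1 ipsec-isakmp
 set peer 12.1.1.2
!
interface FastEthernet0/0.1
 ip vrf forwarding cisco
 crypto map vpn
!
interface FastEthernet0/0.2
 ip vrf forwarding juniper
 crypto map jvpn
!
interface FastEthernet0/0.3
 ip address 20.3.3.1 255.255.255.0
"""

GLOBAL_KEY_RE = re.compile(r"crypto isakmp key (\S+) address (\S+)")
CMAP_ENTRY_RE = re.compile(r"crypto map (\S+) \d+ ipsec-isakmp")
IFACE_RE = re.compile(r"interface (\S+)")


def derive_keyrings(config):
    """Return ({vrf: [(peer, key), ...]}, warnings).

    Parsing is indentation-insensitive (leading spaces are often lost when a
    config is pasted), so context comes from the headers themselves and is
    reset on '!' or a blank line.
    """
    global_keys, map_peers = {}, defaultdict(set)
    iface_vrf, iface_map, warnings = {}, {}, []
    ctx = None  # ("cmap", name) | ("iface", name) | None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ctx = None
        elif m := GLOBAL_KEY_RE.match(line):
            global_keys[m.group(2)] = m.group(1)
            ctx = None
        elif m := CMAP_ENTRY_RE.match(line):
            ctx = ("cmap", m.group(1))
        elif m := IFACE_RE.match(line):
            ctx = ("iface", m.group(1))
        elif ctx and ctx[0] == "cmap" and line.startswith("set peer "):
            map_peers[ctx[1]].add(line.split()[2])
        elif ctx and ctx[0] == "iface" and line.startswith("ip vrf forwarding "):
            iface_vrf[ctx[1]] = line.split()[3]
        elif ctx and ctx[0] == "iface" and re.fullmatch(r"crypto map \S+", line):
            iface_map[ctx[1]] = line.split()[2]
    # A crypto map takes the VRF of the interface it is applied to (the FVRF).
    map_vrf = {}
    for iface, cmap in iface_map.items():
        vrf = iface_vrf.get(iface)
        if vrf is None:
            continue  # global-table interface: the legacy global keys still serve it
        if map_vrf.get(cmap, vrf) != vrf:
            warnings.append(f"crypto map {cmap} is applied in both {map_vrf[cmap]} and {vrf}")
        map_vrf[cmap] = vrf
    keyrings = defaultdict(list)
    for cmap, vrf in sorted(map_vrf.items()):
        for peer in sorted(map_peers.get(cmap, ())):
            key = global_keys.get(peer)
            if key is None:
                warnings.append(f"peer {peer} (map {cmap}, vrf {vrf}) has no crypto isakmp key")
                continue
            keyrings[vrf].append((peer, key))
    return dict(keyrings), warnings


def render_keyring_commands(keyrings):
    """Emit the IOS lines to add; the legacy 'crypto isakmp key' lines stay in place."""
    lines = []
    for vrf in sorted(keyrings):
        lines.append(f"crypto keyring {vrf}-peer vrf {vrf}")
        lines.extend(f" pre-shared-key address {peer} key {key}" for peer, key in keyrings[vrf])
    return lines


if __name__ == "__main__":
    rings, warns = derive_keyrings(LEGACY_CONFIG)
    print("\n".join(render_keyring_commands(rings) + [f"! WARNING: {w}" for w in warns]))
```

Run against the embedded excerpt, the script prints exactly the four keyring lines of the upgraded configuration. A peer that a VRF crypto map references without a matching global key, or a crypto map applied on interfaces in two different VRFs, is reported as a warning rather than silently producing a keyring entry, since either case means the legacy configuration does not tell you which key belongs in which VRF.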

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
crypto isakmp key bridge address 11.1.1.2 no-xauth
crypto isakmp key last address 12.1.1.2 no-xauth
crypto isakmp nat keepalive 200
crypto isakmp xauth timeout 90
!
!
crypto ipsec transform-set aswan esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic 1
set transform-set aswan
reverse-route
crypto dynamic-map dynamic 2
set transform-set aswan
reverse-route
!
!
crypto map vpn client authentication list cisco-client
crypto map vpn isakmp authorization list cisco-client
crypto map vpn client configuration address respond
crypto map vpn 1 ipsec-isakmp dynamic dynamic
crypto map vpn 2 ipsec-isakmp
set peer 11.1.1.2
set transform-set aswan
match address 100
reverse-route
!
crypto map jvpn client authentication list juniper-client
crypto map jvpn isakmp authorization list juniper-client
crypto map jvpn client configuration address respond
crypto map jvpn 1 ipsec-isakmp
set peer 12.1.1.2
set transform-set aswan
match address 110
reverse-route
crypto map jvpn 2 ipsec-isakmp dynamic dynamic
!
!
xsm
xsm vdm
xsm edm
!
!
voice call carrier capacity active
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
controller ISA 1/1
!
!
interface Loopback0
ip address 200.1.1.1 255.255.255.255
no ip mroute-cache
!
interface Loopback12
ip vrf forwarding cisco
ip address 6.6.6.6 255.255.255.255
!
interface Loopback100
no ip address
!
interface Loopback501
ip vrf forwarding juniper
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex full
no cdp enable
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding cisco
ip address 20.1.1.1 255.255.255.0
crypto map vpn
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip vrf forwarding juniper
ip address 20.2.2.1 255.255.255.0
crypto map jvpn
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 20.3.3.1 255.255.255.0
!
interface ATM4/0
no ip address
no atm ilmi-keepalive
!
interface ATM4/0.1 point-to-point
ip address 172.16.100.1 255.255.255.0
pvc 1/101
broadcast
encapsulation aal5snap
!
tag-switching ip
!
interface FastEthernet5/0
ip address 100.1.1.147 255.255.255.0
no ip mroute-cache
duplex full
no cdp enable
!
interface FastEthernet6/0
no ip address
shutdown
duplex half
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 172.16.100.2 remote-as 200
no auto-summary
!
address-family vpnv4
neighbor 172.16.100.2 activate
neighbor 172.16.100.2 send-community extended
no auto-summary
exit-address-family
!
address-family ipv4 vrf juniper
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf cisco
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip local pool pool1 10.13.13.1 10.13.13.13
ip local pool pool2 10.13.13.1 10.13.13.13 group jclient
ip classless
ip route 11.1.1.2 255.255.255.255 FastEthernet0/0.1
ip route 11.1.2.2 255.255.255.255 FastEthernet0/0.1
ip route 12.1.1.2 255.255.255.255 FastEthernet0/0.2
ip route 12.1.2.2 255.255.255.255 FastEthernet0/0.2
ip route vrf cisco 11.1.1.2 255.255.255.255 20.1.1.2
ip route vrf cisco 11.1.2.2 255.255.255.255 20.1.1.2
ip route vrf juniper 12.1.1.2 255.255.255.255 20.2.2.2
ip route vrf juniper 12.1.2.2 255.255.255.255 20.2.2.2
no ip http server
no ip http secure-server
!
!
ip radius source-interface FastEthernet5/0
!
access-list 100 permit ip 172.18.200.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 permit ip 195.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
radius-server attribute 44 include-in-access-req
radius-server host 100.1.1.4 auth-port 1645 acct-port 1646
radius-server key nsite
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password lab
line vty 5 15
!
!
end

IPSec Debug Session

*Oct 9 03:50:17.727: ISAKMP (0:0): received packet from 11.1.1.2 dport 500 sport 500 cisco (N) NEW SA
*Oct 9 03:50:17.727: ISAKMP: Created a peer struct for 11.1.1.2, peer port 500
*Oct 9 03:50:17.727: ISAKMP: Locking peer struct 0x64890C84, IKE refcount 1 for crypto_ikmp_config_initialize_sa
*Oct 9 03:50:17.727: ISAKMP (0:0): Setting client config settings 649167D0
*Oct 9 03:50:17.727: ISAKMP: local port 500, remote port 500
*Oct 9 03:50:17.727: ISAKMP: insert sa successfully sa = 64916174
*Oct 9 03:50:17.727: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 9 03:50:17.727: ISAKMP (0:5): Old State = IKE_READY New State = IKE_R_MM1
*Oct 9 03:50:17.727: ISAKMP (0:5): processing SA payload. message ID = 0
*Oct 9 03:50:17.727: ISAKMP (0:5): processing vendor id payload
*Oct 9 03:50:17.727: ISAKMP (0:5): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 9 03:50:17.727: ISAKMP (0:5): vendor ID is NAT-T v3
*Oct 9 03:50:17.727: ISAKMP (0:5): processing vendor id payload
*Oct 9 03:50:17.727: ISAKMP (0:5): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 03:50:17.727: ISAKMP (0:5): vendor ID is NAT-T v2
*Oct 9 03:50:17.727: ISAKMP: Looking for a matching key for 11.1.1.2 in cisco-peer : success
*Oct 9 03:50:17.727: ISAKMP (0:5): found peer pre-shared key matching 11.1.1.2
*Oct 9 03:50:17.727: ISAKMP (0:5) local preshared key found
*Oct 9 03:50:17.727: ISAKMP : Scanning profiles for xauth ...
*Oct 9 03:50:17.727: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 03:50:17.727: ISAKMP: encryption DES-CBC
*Oct 9 03:50:17.727: ISAKMP: hash SHA
*Oct 9 03:50:17.727: ISAKMP: default group 1
*Oct 9 03:50:17.727: ISAKMP: auth pre-share
*Oct 9 03:50:17.727: ISAKMP: life type in seconds
*Oct 9 03:50:17.727: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 9 03:50:17.727: ISAKMP (0:5): Encryption algorithm offered does not match policy!
*Oct 9 03:50:17.727: ISAKMP (0:5): atts are not acceptable. Next payload is 0
*Oct 9 03:50:17.727: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 03:50:17.727: ISAKMP: encryption DES-CBC
*Oct 9 03:50:17.727: ISAKMP: hash SHA
*Oct 9 03:50:17.727: ISAKMP: default group 1
*Oct 9 03:50:17.727: ISAKMP: auth pre-share
*Oct 9 03:50:17.727: ISAKMP: life type in seconds
*Oct 9 03:50:17.727: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 9 03:50:17.727: ISAKMP (0:5): atts are acceptable. Next payload is 0
*Oct 9 03:50:17.735: ISAKMP (0:5): processing vendor id payload
*Oct 9 03:50:17.735: ISAKMP (0:5): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 9 03:50:17.735: ISAKMP (0:5): vendor ID is NAT-T v3
*Oct 9 03:50:17.735: ISAKMP (0:5): processing vendor id payload
*Oct 9 03:50:17.735: ISAKMP (0:5): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 03:50:17.735: ISAKMP (0:5): vendor ID is NAT-T v2
*Oct 9 03:50:17.735: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 9 03:50:17.735: ISAKMP (0:5): Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 9 03:50:17.735: ISAKMP (0:5): constructed NAT-T vendor-03 ID
*Oct 9 03:50:17.735: ISAKMP (0:5): sending packet to 11.1.1.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 9 03:50:17.735: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 9 03:50:17.735: ISAKMP (0:5): Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 9 03:50:17.787: ISAKMP (0:5): received packet from 11.1.1.2 dport 500 sport 500 cisco (R) MM_SA_SETUP
*Oct 9 03:50:17.787: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 9 03:50:17.787: ISAKMP (0:5): Old State = IKE_R_MM2 New State = IKE_R_MM3
*Oct 9 03:50:17.787: ISAKMP (0:5): processing KE payload. message ID = 0
*Oct 9 03:50:17.795: ISAKMP (0:5): processing NONCE payload. message ID = 0
*Oct 9 03:50:17.795: ISAKMP: Looking for a matching key for 11.1.1.2 in cisco-peer : success
*Oct 9 03:50:17.795: ISAKMP (0:5): found peer pre-shared key matching 11.1.1.2
*Oct 9 03:50:17.795: ISAKMP: Looking for a matching key for 11.1.1.2 in cisco-peer : success
*Oct 9 03:50:17.795: ISAKMP (0:5): found peer pre-shared key matching 11.1.1.2
*Oct 9 03:50:17.795: ISAKMP (0:5): SKEYID state generated
*Oct 9 03:50:17.795: ISAKMP (0:5): processing vendor id payload
*Oct 9 03:50:17.795: ISAKMP (0:5): vendor ID is Unity
*Oct 9 03:50:17.795: ISAKMP (0:5): processing vendor id payload
*Oct 9 03:50:17.795: ISAKMP (0:5): vendor ID is DPD
*Oct 9 03:50:17.795: ISAKMP (0:5): processing vendor id payload
*Oct 9 03:50:17.795: ISAKMP (0:5): speaking to another IOS box!
*Oct 9 03:50:17.795: ISAKMP:received payload type 17
*Oct 9 03:50:17.795: ISAKMP (0:5): Detected NAT-D payload
*Oct 9 03:50:17.795: ISAKMP (0:5): NAT match MINE hash
*Oct 9 03:50:17.795: ISAKMP:received payload type 17
*Oct 9 03:50:17.795: ISAKMP (0:5): Detected NAT-D payload
*Oct 9 03:50:17.795: ISAKMP (0:5): NAT match HIS hash
*Oct 9 03:50:17.795: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 9 03:50:17.795: ISAKMP (0:5): Old State = IKE_R_MM3 New State = IKE_R_MM3
*Oct 9 03:50:17.795: ISAKMP (0:5): constructed HIS NAT-D
*Oct 9 03:50:17.795: ISAKMP (0:5): constructed MINE NAT-D
*Oct 9 03:50:17.795: ISAKMP (0:5): sending packet to 11.1.1.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 9 03:50:17.795: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 9 03:50:17.795: ISAKMP (0:5): Old State = IKE_R_MM3 New State = IKE_R_MM4
*Oct 9 03:50:17.895: ISAKMP (0:5): received packet from 11.1.1.2 dport 500 sport 500 cisco (R) MM_KEY_EXCH
*Oct 9 03:50:17.895: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 9 03:50:17.895: ISAKMP (0:5): Old State = IKE_R_MM4 New State = IKE_R_MM5
*Oct 9 03:50:17.895: ISAKMP (0:5): processing ID payload. message ID = 0
*Oct 9 03:50:17.895: ISAKMP (0:5): peer matches *none* of the profiles
*Oct 9 03:50:17.895: ISAKMP (0:5): processing HASH payload. message ID = 0
*Oct 9 03:50:17.895: ISAKMP:received payload type 14
*Oct 9 03:50:17.895: ISAKMP (0:5): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64916174
*Oct 9 03:50:17.895: ISAKMP (0:5): Process initial contact,
bring down existing phase 1 and 2 SA's with local 20.1.1.1 remote 11.1.1.2 remote port 500
*Oct 9 03:50:17.895: ISAKMP (0:5): returning IP addr to the address pool
*Oct 9 03:50:17.895: ISAKMP (0:5): SA has been authenticated with 11.1.1.2
*Oct 9 03:50:17.895: ISAKMP: Trying to insert a peer 11.1.1.2/500/cisco, and inserted successfully.
*Oct 9 03:50:17.895: ISAKMP (0:5): peer matches *none* of the profiles
*Oct 9 03:50:17.895: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 9 03:50:17.895: ISAKMP (0:5): Old State = IKE_R_MM5 New State = IKE_R_MM5
*Oct 9 03:50:17.895: IPSEC(key_engine): got a queue event...
*Oct 9 03:50:17.895: ISAKMP (0:5): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 9 03:50:17.895: ISAKMP (5): ID payload
next-payload : 8
type : 1
addr : 20.1.1.1
protocol : 17
port : 0
length : 8
*Oct 9 03:50:17.895: ISAKMP (5): Total payload length: 12
*Oct 9 03:50:17.895: ISAKMP (0:5): sending packet to 11.1.1.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 9 03:50:17.895: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 9 03:50:17.895: ISAKMP (0:5): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 9 03:50:17.895: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 9 03:50:17.895: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 9 03:50:17.939: ISAKMP (0:5): received packet from 11.1.1.2 dport 500 sport 500 cisco (R) QM_IDLE
*Oct 9 03:50:17.939: ISAKMP: set new node 792995152 to QM_IDLE
*Oct 9 03:50:17.943: ISAKMP (0:5): processing HASH payload. message ID = 792995152
*Oct 9 03:50:17.943: ISAKMP (0:5): processing SA payload. message ID = 792995152
*Oct 9 03:50:17.943: ISAKMP (0:5): Checking IPSec proposal 1
*Oct 9 03:50:17.943: ISAKMP: transform 1, ESP_3DES
*Oct 9 03:50:17.943: ISAKMP: attributes in transform:
*Oct 9 03:50:17.943: ISAKMP: encaps is 1
*Oct 9 03:50:17.943: ISAKMP: SA life type in seconds
*Oct 9 03:50:17.943: ISAKMP: SA life duration (basic) of 3600
*Oct 9 03:50:17.943: ISAKMP: SA life type in kilobytes
*Oct 9 03:50:17.943: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Oct 9 03:50:17.943: ISAKMP: authenticator is HMAC-SHA
*Oct 9 03:50:17.943: ISAKMP (0:5): atts are acceptable.
*Oct 9 03:50:17.943: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 20.1.1.1, remote= 11.1.1.2,
local_proxy= 60.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.15.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Oct 9 03:50:17.943: IPSEC(kei_proxy): head = vpn, map->ivrf = cisco, kei->ivrf = cisco
*Oct 9 03:50:17.943: ISAKMP (0:5): processing NONCE payload. message ID = 792995152
*Oct 9 03:50:17.943: ISAKMP (0:5): processing ID payload. message ID = 792995152
*Oct 9 03:50:17.943: ISAKMP (0:5): processing ID payload. message ID = 792995152
*Oct 9 03:50:17.943: ISAKMP (0:5): asking for 1 spis from ipsec
*Oct 9 03:50:17.943: ISAKMP (0:5): Node 792995152, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 9 03:50:17.943: ISAKMP (0:5): Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Oct 9 03:50:17.943: IPSEC(key_engine): got a queue event...
*Oct 9 03:50:17.943: IPSEC(spi_response): getting spi 2126455568 for SA
from 20.1.1.1 to 11.1.1.2 for prot 3
*Oct 9 03:50:17.943: ISAKMP: received ke message (2/1)
*Oct 9 03:50:18.195: ISAKMP (0:5): sending packet to 11.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 9 03:50:18.195: ISAKMP (0:5): Node 792995152, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Oct 9 03:50:18.195: ISAKMP (0:5): Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Oct 9 03:50:18.311: ISAKMP (0:5): received packet from 11.1.1.2 dport 500 sport 500 cisco (R) QM_IDLE
*Oct 9 03:50:18.311: ISAKMP: Locking peer struct 0x64890C84, IPSEC refcount 1 for for stuff_ke
*Oct 9 03:50:18.311: ISAKMP (0:5): Creating IPSec SAs
*Oct 9 03:50:18.315: inbound SA from 11.1.1.2 to 20.1.1.1 (f/i) 1/ 1
(proxy 10.1.15.0 to 60.1.1.0)
*Oct 9 03:50:18.315: has spi 0x7EBF2310 and conn_id 5123 and flags 2
*Oct 9 03:50:18.315: lifetime of 3600 seconds
*Oct 9 03:50:18.315: lifetime of 4608000 kilobytes
*Oct 9 03:50:18.315: has client flags 0x0
*Oct 9 03:50:18.315: outbound SA from 20.1.1.1 to 11.1.1.2 (f/i) 1/ 1 (proxy 60.1.1.0 to 10.1.15.0 )
*Oct 9 03:50:18.315: has spi 1940656993 and conn_id 5124 and flags A
*Oct 9 03:50:18.315: lifetime of 3600 seconds
*Oct 9 03:50:18.315: lifetime of 4608000 kilobytes
*Oct 9 03:50:18.315: has client flags 0x0
*Oct 9 03:50:18.315: ISAKMP (0:5): deleting node 792995152 error FALSE reason "quick mode done (await)"
*Oct 9 03:50:18.315: ISAKMP (0:5): Node 792995152, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 9 03:50:18.315: ISAKMP (0:5): Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 9 03:50:18.315: IPSEC(key_engine): got a queue event...
*Oct 9 03:50:18.315: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 20.1.1.1, remote= 11.1.1.2,
local_proxy= 60.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.15.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x7EBF2310(2126455568), conn_id= 5123, keysize= 0, flags= 0x2
*Oct 9 03:50:18.315: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 11.1.1.2,
local_proxy= 60.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.15.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x73AC1361(1940656993), conn_id= 5124, keysize= 0, flags= 0xA
*Oct 9 03:50:18.315: IPSEC(kei_proxy): head = vpn, map->ivrf = cisco, kei->ivrf = cisco
*Oct 9 03:50:18.315: IPSEC(add mtree): src 60.1.1.0, dest 10.1.15.0, dest_port 0
*Oct 9 03:50:18.315: IPSEC(create_sa): sa created,
(sa) sa_dest= 20.1.1.1, sa_prot= 50,
sa_spi= 0x7EBF2310(2126455568),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5123
*Oct 9 03:50:18.315: IPSEC(create_sa): sa created,
(sa) sa_dest= 11.1.1.2, sa_prot= 50,
sa_spi= 0x73AC1361(1940656993),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5124
7200-UUT#
7200-UUT#sh cry isa sa
f_vrf/i_vrf  dst       src       state    conn-id  slot
cisco/cisco  20.1.1.1  11.1.1.2  QM_IDLE  5        0

The following show crypto isakmp sa detail output shows four IKE SAs up: in each VRF, one LAN-to-LAN session (static peer, psk) and one remote Easy VPN client session (capabilities CX: IKE configuration mode and Xauth). Note that both LAN-to-LAN SAs settled on DES with DH group 1. The debug session above shows why: the peer's proposal (DES-CBC, SHA, group 1) is rejected by policy 1 ("Encryption algorithm offered does not match policy!") and accepted by policy 2, which configures only authentication pre-share and therefore takes the IOS defaults for encryption and DH group. Before putting such a configuration into production, remove policy 2 or configure the peer with a proposal that matches the 3DES/group 2 policy.

7200-UUT#sh cry isa sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
Conn-id  Local     Remote    I-VRF    Encr  Hash  Auth  DH  Lifetime  Capabilities
1        20.2.2.1  12.1.1.2  juniper  des   sha   psk   1   23:46:25
2        20.1.1.1  11.1.1.2  cisco    des   sha   psk   1   23:46:35
10       20.1.1.1  11.1.2.4  cisco    3des  sha         2   23:59:03  CX
5        20.2.2.1  12.1.2.2  juniper  3des  sha         2   18:02:41  CX
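To verify that an upgraded router negotiated through the expected keyring, accepted the peer under the intended ISAKMP policy and bound the IPSec SAs to the right crypto map and IVRF, the following added Python example (not code from the Cisco page) parses the relevant debug crypto isakmp lines and the show crypto isakmp sa detail table. The sample lines are trimmed from the page's own debug session; treating DES and DH group 1 as weak is this example's own check, not something the page states.

```python
"""Check an IKE negotiation from 'debug crypto isakmp' and 'show crypto isakmp sa detail'.

Added example, not from the Cisco page. It recovers which keyring supplied the
pre-shared key, which ISAKMP policy accepted the peer's proposal and with what
algorithms, and which crypto map / IVRF the phase-2 proxy was bound to, then
parses the SA detail table and flags SAs that settled on DES or DH group 1.
The sample lines are trimmed from the page's own debug session.
"""
import re

DEBUG_EXCERPT = """\
*Oct 9 03:50:17.727: ISAKMP: Looking for a matching key for 11.1.1.2 in cisco-peer : success
*Oct 9 03:50:17.727: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 03:50:17.727: ISAKMP: encryption DES-CBC
*Oct 9 03:50:17.727: ISAKMP: hash SHA
*Oct 9 03:50:17.727: ISAKMP: default group 1
*Oct 9 03:50:17.727: ISAKMP (0:5): Encryption algorithm offered does not match policy!
*Oct 9 03:50:17.727: ISAKMP (0:5): atts are not acceptable. Next payload is 0
*Oct 9 03:50:17.727: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 03:50:17.727: ISAKMP: encryption DES-CBC
*Oct 9 03:50:17.727: ISAKMP: hash SHA
*Oct 9 03:50:17.727: ISAKMP: default group 1
*Oct 9 03:50:17.727: ISAKMP (0:5): atts are acceptable. Next payload is 0
*Oct 9 03:50:17.943: IPSEC(kei_proxy): head = vpn, map->ivrf = cisco, kei->ivrf = cisco
"""

SA_DETAIL = """\
Conn-id  Local     Remote    I-VRF    Encr  Hash  Auth  DH  Lifetime  Capabilities
1        20.2.2.1  12.1.1.2  juniper  des   sha   psk   1   23:46:25
2        20.1.1.1  11.1.1.2  cisco    des   sha   psk   1   23:46:35
10       20.1.1.1  11.1.2.4  cisco    3des  sha         2   23:59:03  CX
5        20.2.2.1  12.1.2.2  juniper  3des  sha         2   18:02:41  CX
"""

KEY_RE = re.compile(r"Looking for a matching key for (\S+) in (\S+) : (\w+)")
POLICY_RE = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S+)")
PROXY_RE = re.compile(r"head = (\S+), map->ivrf = (\S+), kei->ivrf = (\S+)")
LIFETIME_RE = re.compile(r"^\d+:\d\d:\d\d$")
WEAK_ENCR = {"DES-CBC", "des"}  # this example's own policy: DES and group 1 are weak
WEAK_DH = {"1"}


def phase1_outcome(lines):
    """Summarise key lookup, policy matching and VRF binding from debug lines."""
    out = {"peer": None, "keyring": None, "accepted": None, "rejected": [],
           "crypto_map": None, "ivrf": None, "weak": []}
    candidate = None  # attributes of the policy currently being compared
    for line in lines:
        if (m := KEY_RE.search(line)) and m.group(3) == "success":
            out["peer"], out["keyring"] = m.group(1), m.group(2)
        elif m := POLICY_RE.search(line):
            candidate = {"policy": m.group(1)}
        elif (m := ATTR_RE.search(line)) and candidate is not None:
            candidate[m.group(1).replace("default ", "")] = m.group(2)
        elif candidate is not None and "atts are not acceptable" in line:
            out["rejected"].append(candidate)
            candidate = None
        elif candidate is not None and "atts are acceptable" in line:
            out["accepted"] = candidate
            candidate = None
        elif m := PROXY_RE.search(line):
            out["crypto_map"], out["ivrf"] = m.group(1), m.group(3)
    acc = out["accepted"] or {}
    if acc.get("encryption") in WEAK_ENCR:
        out["weak"].append(f"policy {acc['policy']} accepted {acc['encryption']}")
    if acc.get("group") in WEAK_DH:
        out["weak"].append(f"policy {acc['policy']} accepted DH group {acc['group']}")
    return out


def parse_sa_detail(text):
    """Parse the rows of 'show crypto isakmp sa detail'; Auth and Capabilities may be blank."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        life = next((i for i, t in enumerate(tok) if LIFETIME_RE.match(t)), None)
        if life is None or not tok[0].isdigit():
            continue  # header, code legend or blank line
        rows.append({"conn_id": tok[0], "local": tok[1], "remote": tok[2],
                     "ivrf": tok[3], "encr": tok[4], "hash": tok[5],
                     "auth": " ".join(tok[6:life - 1]) or None,
                     "dh": tok[life - 1], "lifetime": tok[life],
                     "capabilities": " ".join(tok[life + 1:]) or None})
    return rows


def weak_sessions(rows):
    """Conn-ids of IKE SAs that settled on DES or DH group 1."""
    return [r["conn_id"] for r in rows if r["encr"] in WEAK_ENCR or r["dh"] in WEAK_DH]
```

The SA detail table is parsed from the Lifetime column outward rather than by position, because the Auth and Capabilities columns are blank on some rows (the Easy VPN client rows above carry CX but no Auth value), so a fixed column count would misalign DH and Auth. On the page's own output the checker reports the key found in keyring cisco-peer, policy 1 rejected and policy 2 accepted with DES-CBC and group 1, the phase-2 proxy bound to crypto map vpn in IVRF cisco, and conn-ids 1 and 2 flagged as weak.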

Posted: Tue May 20 05:29:40 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.