Introduction
Customers are looking for PE-CE security in case of remote access from various locations. The solution which can sophise the requirement is IPSec. With the help of this solution customers traffic send to the PE in the encrypted form and PE will decrypt the packets and forward the various locations vice versa.
Test Setup
The IPSec is tested for VPDN which is being orginated by the customer router. The customer router wil originate the VPDN session towards LNS_test_ipsec, after sucessful authentication, a IP will be given to the CE which will be a part of the vrf and end to end communication will go on.
Basic Connectivity
Routers used 2800 for CE as well as for LNS
Note:- IPSec uses tcp port500 for session establishment. Make sure the ports are open at its end.
Configuration Of LNS PE
aaa new-model
!
!
aaa group server radius default-group
server-private 71.5.101.2 auth-port 1645 acct-port 1646 key 7 06121A2D455E0A160B19170818
ip radius source-interface FastEthernet0/0
deadtime 0
!
aaa authentication ppp default group default-group local
aaa authorization config-commands
aaa authorization network default local group default-group
!
The above commands are used for creating L2 session with radius.
ip cef
!
!
ip vrf TEST
rd 65500:800
route-target export 65500:800
route-target import 65500:800
!
vpdn enable
vpdn multihop
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto keyring shivlu123 vrf TEST
pre-shared-key address 10.100.101.2 key shivlu123 -> shivlu123 is preshared key and need to be same.
!
crypto isakmp policy 1 ----> Crypto policy created with priority 1
hash md5
authentication pre-share
lifetime 28800
!
!
crypto ipsec transform-set shivlu esp-des esp-md5-hmac
!
crypto map shivlunoc 1 ipsec-isakmp
set peer 10.100.101.2 ---> This is the customer IP address
set transform-set shivlu -----> This is the above shivlu tranfform set which is called here.
set pfs group1 ---------> It could be group 1 or group5
match address 101 --------------> Acl 101 is called
!
interface Loopback100
ip vrf forwarding TEST
ip address 10.100.101.1 255.255.255.252
!
interface Loopback101
ip vrf forwarding TEST
ip address 10.10.10.100 255.255.255.255
!
interface Loopback100001
ip vrf forwarding TEST
ip address 100.250.250.1 255.255.255.248
!
interface FastEthernet0/0
ip address 10.5.230.220 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip vrf forwarding TEST
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1
no ip address
no peer default ip address
ppp authentication pap chap callin
ppp multilink
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 10.5.230.1
no ip http server
no ip http secure-server
!
!
!
ip radius source-interface FastEthernet0/0
access-list 101 permit ip 10.10.10.0 0.0.0.3 10.1.1.0 0.0.0.3
!
Crypto is not called on LNS, it is in RADIUS
--> cd attributes/
[ //localhost/Radius/UserLists/default/test_ipsec@shivlu.blogspot.com/Attributes ]
cisco-avpair = "lcp:interface-config=ip vrf forwarding TEST"
cisco-avpair = "lcp:interface-config=ip unnumbered loopback100"
cisco-avpair = "lcp:interface-config=crypto map shivlunoc"
framed-ip-address = 10.100.101.2 ----> IP will be given after dialing
framed-protocol = ppp
framed-route = 10.1.1.0/30 ---> Customer LAN Route
service-type = framed
Configuratio Of CE End
l2tp-class TestClass
!
!
crypto keyring shivlu123 -> Keyring is used after IP Dialing in VRF
pre-shared-key address 10.100.101.1 key shivlu123
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 28800
!
crypto isakmp peer address 10.100.101.1
set aggressive-mode password cisco
!
!
crypto ipsec transform-set shivlu esp-des esp-md5-hmac
crypto map shivlunoc 1 ipsec-isakmp
set peer 10.100.101.1
set transform-set shivlu
set pfs group1
match address 101
!
!
!
pseudowire-class TestClass
encapsulation l2tpv2
protocol l2tpv2 TestClass
ip local interface FastEthernet0/0
!
!
!
!
!
interface FastEthernet0/0
ip address 10.5.230.101 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-PPP1 -> Router is intiating ppp session for vpdn after that crypto will be used
ip address negotiated
no cdp enable
ppp chap hostname test_ipsec@shivlu.blogspot.com
ppp chap password 0 cisco
pseudowire 10.5.230.220 100 pw-class TestClass
crypto map shivlunoc
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 --> After VPDN this route will work
ip route 10.0.0.0 255.0.0.0 10.5.230.1 --> This route is added for VPDN dialing
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.1.1.0 0.0.0.3 10.10.10.0 0.0.0.3 -> CE lan to VRF TEST
!
Troubleshooting Commands
1.Check the l2session
LNS_TEST_IPSEC#sh l2tun session
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
4 313 10056 test_ipsec@tuli, Vi2 est 00:06:55 3
2. Check the crypto session
LNS_TEST_IPSEC#show crypto session
Crypto session current status
Interface: Virtual-Access2
Session status: DOWN --> Status is down
Peer: 10.100.101.2 port 500
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.252 10.1.1.0/255.255.255.252 -> Acl 101
Active SAs: 0, origin: crypto map
The status is showing down with peer 10.100.101.2. It happens if the traffic is not matching the acl. It means to intiate a session a ping is required with the mentioned acl source and destination.
Ping intiated from
T2800#ping 10.10.10.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
Now check the status of crypto on LNS
LNS_TEST_IPSEC#sh crypto session
Crypto session current status
Interface: Virtual-Access2
Session status: UP-ACTIVE -> Showing active with peer 10.100.101.2
Peer: 10.100.101.2 port 500
IKE SA: local 10.100.101.1/500 remote 10.100.101.2/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.252 10.1.1.0/255.255.255.252
Active SAs: 2, origin: crypto map
3.Check the Phase 1 with given command
LNS_TEST_IPSEC#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.100.101.1 10.100.101.2 QM_IDLE 1002 ACTIVE
QM_IDLE state means the connection is established.
4. Check the encrypted packets
LNS_TEST_IPSEC#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+DES 0 0 10.100.101.1
2005 IPsec DES+MD5 0 4 10.100.101.1
2006 IPsec DES+MD5 4 0 10.100.101.1
ID 1002 is for IKE phase 1 and 2005 and 2006 is for IPSec.
Intiate a ping from CE with count 10 and see the packets are encryted
LNS_TEST_IPSEC#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+DES 0 0 10.100.101.1
2005 IPsec DES+MD5 0 14 10.100.101.1
2006 IPsec DES+MD5 14 0 10.100.101.1
5. IPSec vrf TEST status
LNS_TEST_IPSEC#show crypto ipsec sa vrf TEST
PFS (Y/N): Y, DH group: group1
interface: Virtual-Access2
Crypto map tag: shivlunoc, local addr 10.100.101.1
protected vrf: TEST
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.252/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.252/0/0)
current_peer 10.100.101.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.100.101.1, remote crypto endpt.: 10.100.101.2
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x2F0548BC(788875452)
inbound esp sas:
spi: 0x1B071345(453448517)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: shivlunoc
sa timing: remaining key lifetime (k/sec): (4441107/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2F0548BC(788875452)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: shivlunoc
sa timing: remaining key lifetime (k/sec): (4441107/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
Customers are looking for PE-CE security in case of remote access from various locations. The solution which can sophise the requirement is IPSec. With the help of this solution customers traffic send to the PE in the encrypted form and PE will decrypt the packets and forward the various locations vice versa.
Test Setup
The IPSec is tested for VPDN which is being orginated by the customer router. The customer router wil originate the VPDN session towards LNS_test_ipsec, after sucessful authentication, a IP will be given to the CE which will be a part of the vrf and end to end communication will go on.
Basic Connectivity
Routers used 2800 for CE as well as for LNS
Note:- IPSec uses tcp port500 for session establishment. Make sure the ports are open at its end.
Configuration Of LNS PE
aaa new-model
!
!
aaa group server radius default-group
server-private 71.5.101.2 auth-port 1645 acct-port 1646 key 7 06121A2D455E0A160B19170818
ip radius source-interface FastEthernet0/0
deadtime 0
!
aaa authentication ppp default group default-group local
aaa authorization config-commands
aaa authorization network default local group default-group
!
The above commands are used for creating L2 session with radius.
ip cef
!
!
ip vrf TEST
rd 65500:800
route-target export 65500:800
route-target import 65500:800
!
vpdn enable
vpdn multihop
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto keyring shivlu123 vrf TEST
pre-shared-key address 10.100.101.2 key shivlu123 -> shivlu123 is preshared key and need to be same.
!
crypto isakmp policy 1 ----> Crypto policy created with priority 1
hash md5
authentication pre-share
lifetime 28800
!
!
crypto ipsec transform-set shivlu esp-des esp-md5-hmac
!
crypto map shivlunoc 1 ipsec-isakmp
set peer 10.100.101.2 ---> This is the customer IP address
set transform-set shivlu -----> This is the above shivlu tranfform set which is called here.
set pfs group1 ---------> It could be group 1 or group5
match address 101 --------------> Acl 101 is called
!
interface Loopback100
ip vrf forwarding TEST
ip address 10.100.101.1 255.255.255.252
!
interface Loopback101
ip vrf forwarding TEST
ip address 10.10.10.100 255.255.255.255
!
interface Loopback100001
ip vrf forwarding TEST
ip address 100.250.250.1 255.255.255.248
!
interface FastEthernet0/0
ip address 10.5.230.220 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip vrf forwarding TEST
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1
no ip address
no peer default ip address
ppp authentication pap chap callin
ppp multilink
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 10.5.230.1
no ip http server
no ip http secure-server
!
!
!
ip radius source-interface FastEthernet0/0
access-list 101 permit ip 10.10.10.0 0.0.0.3 10.1.1.0 0.0.0.3
!
Crypto is not called on LNS, it is in RADIUS
--> cd attributes/
[ //localhost/Radius/UserLists/default/test_ipsec@shivlu.blogspot.com/Attributes ]
cisco-avpair = "lcp:interface-config=ip vrf forwarding TEST"
cisco-avpair = "lcp:interface-config=ip unnumbered loopback100"
cisco-avpair = "lcp:interface-config=crypto map shivlunoc"
framed-ip-address = 10.100.101.2 ----> IP will be given after dialing
framed-protocol = ppp
framed-route = 10.1.1.0/30 ---> Customer LAN Route
service-type = framed
Configuratio Of CE End
l2tp-class TestClass
!
!
crypto keyring shivlu123 -> Keyring is used after IP Dialing in VRF
pre-shared-key address 10.100.101.1 key shivlu123
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 28800
!
crypto isakmp peer address 10.100.101.1
set aggressive-mode password cisco
!
!
crypto ipsec transform-set shivlu esp-des esp-md5-hmac
crypto map shivlunoc 1 ipsec-isakmp
set peer 10.100.101.1
set transform-set shivlu
set pfs group1
match address 101
!
!
!
pseudowire-class TestClass
encapsulation l2tpv2
protocol l2tpv2 TestClass
ip local interface FastEthernet0/0
!
!
!
!
!
interface FastEthernet0/0
ip address 10.5.230.101 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-PPP1 -> Router is intiating ppp session for vpdn after that crypto will be used
ip address negotiated
no cdp enable
ppp chap hostname test_ipsec@shivlu.blogspot.com
ppp chap password 0 cisco
pseudowire 10.5.230.220 100 pw-class TestClass
crypto map shivlunoc
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 --> After VPDN this route will work
ip route 10.0.0.0 255.0.0.0 10.5.230.1 --> This route is added for VPDN dialing
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.1.1.0 0.0.0.3 10.10.10.0 0.0.0.3 -> CE lan to VRF TEST
!
Troubleshooting Commands
1.Check the l2session
LNS_TEST_IPSEC#sh l2tun session
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
4 313 10056 test_ipsec@tuli, Vi2 est 00:06:55 3
2. Check the crypto session
LNS_TEST_IPSEC#show crypto session
Crypto session current status
Interface: Virtual-Access2
Session status: DOWN --> Status is down
Peer: 10.100.101.2 port 500
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.252 10.1.1.0/255.255.255.252 -> Acl 101
Active SAs: 0, origin: crypto map
The status is showing down with peer 10.100.101.2. It happens if the traffic is not matching the acl. It means to intiate a session a ping is required with the mentioned acl source and destination.
Ping intiated from
T2800#ping 10.10.10.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
Now check the status of crypto on LNS
LNS_TEST_IPSEC#sh crypto session
Crypto session current status
Interface: Virtual-Access2
Session status: UP-ACTIVE -> Showing active with peer 10.100.101.2
Peer: 10.100.101.2 port 500
IKE SA: local 10.100.101.1/500 remote 10.100.101.2/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.252 10.1.1.0/255.255.255.252
Active SAs: 2, origin: crypto map
3.Check the Phase 1 with given command
LNS_TEST_IPSEC#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.100.101.1 10.100.101.2 QM_IDLE 1002 ACTIVE
QM_IDLE state means the connection is established.
4. Check the encrypted packets
LNS_TEST_IPSEC#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+DES 0 0 10.100.101.1
2005 IPsec DES+MD5 0 4 10.100.101.1
2006 IPsec DES+MD5 4 0 10.100.101.1
ID 1002 is for IKE phase 1 and 2005 and 2006 is for IPSec.
Intiate a ping from CE with count 10 and see the packets are encryted
LNS_TEST_IPSEC#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+DES 0 0 10.100.101.1
2005 IPsec DES+MD5 0 14 10.100.101.1
2006 IPsec DES+MD5 14 0 10.100.101.1
5. IPSec vrf TEST status
LNS_TEST_IPSEC#show crypto ipsec sa vrf TEST
PFS (Y/N): Y, DH group: group1
interface: Virtual-Access2
Crypto map tag: shivlunoc, local addr 10.100.101.1
protected vrf: TEST
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.252/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.252/0/0)
current_peer 10.100.101.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.100.101.1, remote crypto endpt.: 10.100.101.2
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x2F0548BC(788875452)
inbound esp sas:
spi: 0x1B071345(453448517)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: shivlunoc
sa timing: remaining key lifetime (k/sec): (4441107/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2F0548BC(788875452)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: shivlunoc
sa timing: remaining key lifetime (k/sec): (4441107/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
No comments:
Post a Comment