This feature module describes the Tunnel Endpoint Discovery feature. It includes information on the benefits of the new feature, supported platforms, and related documents.
Tunnel Endpoint Discovery is an enhancement to the IP Security Protocol (IPSec) feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With Tunnel Endpoint Discovery, the initiating router can also dynamically determine an IPSec peer for secure IPSec communications.
Dynamic Tunnel Endpoint Discovery allows IPSec to scale to large networks by reducing multiple encryptions, reducing the setup time, and allowing for simple configurations on participating peer routers. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.
Tunnel Endpoint Discovery has the following restrictions:
Caution: Cisco IOS images with strong encryption (including, but not limited to, 56-bit data encryption feature sets) are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.
For related information on the Tunnel Endpoint Discovery feature, refer to the following documents:
Tunnel Endpoint Discovery runs on all platforms that support Cisco IOS Release 12.0(5)T and later releases.
No new MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFC 2409, The Internet Key Exchange (IKE)
No new standards are supported by this feature.
To configure a Cisco router to support Tunnel Endpoint Discovery, perform the following tasks:
To create a dynamic crypto map entry with Tunnel Endpoint Discovery configured, perform the following tasks starting in crypto-map configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | crypto dynamic-map dynamic-map-name dynamic-map-number | Configures a dynamic crypto map using the crypto dynamic-map command. For more information on the crypto dynamic-map command, refer to the "IPSec Network Security Commands" chapter of the Cisco IOS Release 12.0 Security Command Reference. |
| 2 | crypto map map-name map-number ipsec-isakmp dynamic dynamic-map-name [discover] | (Optional) Adds the dynamic crypto map set to a static crypto map set. For more information on the crypto map command, refer to the "IPSec Network Security Commands" chapter of the Cisco IOS Release 12.0 Security Command Reference. (Optional) Enter the discover keyword on the dynamic crypto map to enable peer discovery. After the dynamic crypto map template permits an outbound packet, peer discovery occurs when the packet reaches an interface configured with the dynamic crypto map. |
Step 1 To verify Tunnel Endpoint Discovery is configured, check the router's running configuration. Enter the show running-configuration command on the router in global configuration mode. If the discover keyword appears in the output, Tunnel Endpoint Discovery has been enabled.
Step 2 Verify Tunnel Endpoint Discovery by comparing the configuration with the examples shown in "Configuration Examples" in the next section.
Step 3 Ping Ecuador from Argentina.
Argentina# ping 10.5.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/12 ms
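The two configuration steps and the first verification step above can be checked mechanically. The following Python script is an added example, not code from the original feature module or from Cisco: it parses a running-config and, for every crypto map entry that references a dynamic map, checks that the discover keyword is present, that the dynamic map, its transform set and its match-address access list all exist, and that the crypto map is applied to at least one interface (without that, no outbound packet ever reaches the map and discovery never starts). The sample configuration is a constructed, trimmed copy of the Brazil configuration shown later on this page, with the one-space sub-command indentation that show running-config produces (the configurations on this page lost that indentation); parse_config and audit_ted are names chosen here.

```python
"""Audit an IOS running-config for a complete Tunnel Endpoint Discovery setup.

Constructed example, not Cisco code: it checks the objects the configuration
steps tie together (dynamic map -> transform set and ACL, static map entry
carrying 'discover', crypto map applied to an interface).
"""
import re

# Constructed sample, trimmed from the Brazil configuration on this page.
# 'show running-config' indents sub-commands with one space; the parser relies on it.
SAMPLE_CONFIG = """\
hostname Brazil
!
crypto isakmp policy 10
 authentication pre-share
 lifetime 180
crypto isakmp key Chile-Brazil-key address 172.21.230.88
!
crypto ipsec transform-set ted-transforms ah-sha-hmac esp-des esp-md5-hmac
!
crypto dynamic-map ted-dmap 10
 set transform-set ted-transforms
 match address 101
!
crypto map tedtag 10 ipsec-isakmp dynamic ted-dmap discover
!
interface Ethernet0
 ip address 172.21.230.67 255.255.255.224
 crypto map tedtag
!
access-list 101 permit ip 172.16.0.0 0.255.255.255 any
"""

MAP_ENTRY = re.compile(
    r"crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual|cisco)"
    r"(?: dynamic (\S+))?( discover)?$")


def parse_config(text):
    """Collect the TED-relevant objects from a running-config."""
    cfg = {"transform_sets": set(), "acls": set(), "dynamic_maps": {},
           "map_entries": [], "applied_maps": {}}
    section = None  # (kind, name) of the indented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):  # top-level command ends any block
            section = None
            if words[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"].add(words[3])
            elif words[:2] == ["crypto", "dynamic-map"]:
                section = ("dmap", words[2])
                cfg["dynamic_maps"].setdefault(words[2], {})
            elif words[:2] == ["crypto", "map"]:
                m = MAP_ENTRY.match(line)
                if m:
                    cfg["map_entries"].append({
                        "map": m.group(1), "seq": int(m.group(2)),
                        "mode": m.group(3), "dynamic": m.group(4),
                        "discover": bool(m.group(5))})
            elif words[0] == "interface":
                section = ("intf", words[1])
            elif words[0] == "access-list":
                cfg["acls"].add(words[1])
        elif section and section[0] == "dmap":  # inside crypto dynamic-map
            if words[:2] == ["set", "transform-set"]:
                cfg["dynamic_maps"][section[1]]["transform_set"] = words[2]
            elif words[:2] == ["match", "address"]:
                cfg["dynamic_maps"][section[1]]["acl"] = words[2]
        elif section and section[0] == "intf" and words[:2] == ["crypto", "map"]:
            cfg["applied_maps"].setdefault(words[2], []).append(section[1])
    return cfg


def audit_ted(cfg):
    """Return a list of findings; an empty list means TED is fully wired up."""
    findings = []
    for e in cfg["map_entries"]:
        if e["dynamic"] is None:
            continue  # static entry: the peer is configured, discovery is not involved
        where = f"crypto map {e['map']} {e['seq']}"
        if not e["discover"]:
            findings.append(f"{where}: dynamic entry lacks the 'discover' keyword, "
                            "so peer discovery is not enabled")
        dmap = cfg["dynamic_maps"].get(e["dynamic"])
        if dmap is None:
            findings.append(f"{where}: dynamic map {e['dynamic']} is not defined")
        else:
            ts = dmap.get("transform_set")
            if ts not in cfg["transform_sets"]:
                findings.append(f"crypto dynamic-map {e['dynamic']}: transform set "
                                f"{ts} is missing or undefined")
            acl = dmap.get("acl")
            if acl not in cfg["acls"]:
                findings.append(f"crypto dynamic-map {e['dynamic']}: 'match address' "
                                f"ACL {acl} is missing or undefined")
        if e["map"] not in cfg["applied_maps"]:
            findings.append(f"{where}: crypto map {e['map']} is not applied to any "
                            "interface, so no outbound packet can trigger discovery")
    return findings


if __name__ == "__main__":
    for line in audit_ted(parse_config(SAMPLE_CONFIG)) or ["OK: TED configuration complete"]:
        print(line)
```

Run it against the output of show running-config on each participating router; a clean result on both peers is the configuration-side counterpart of the ping test in Step 3.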
Figure 1 shows the network topology of four encrypting peer routers (named Argentina, Brazil, Chile, and Ecuador). This section describes how each of the encrypting peer routers is configured:
Brazil and Chile are configured for peer discovery using Tunnel Endpoint Discovery.
1. Argentina initiates traffic to Ecuador by sending a probe. Brazil intercepts the packet. Brazil recognizes that the discover keyword is enabled and matches the access-list.
2. Brazil then initiates traffic to Ecuador by sending a probe. Chile intercepts the packet. Chile recognizes that the discover keyword is enabled and matches the access-list.
3. Chile then sends a probe back to Argentina. Brazil intercepts this probe and starts the IKE exchange.
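The three steps above leave a recognizable trail in the crypto debug output shown later on this page: a PEER_DISCOVERY packet, the peer address learned from the probe, the IKE main mode states, and finally the AH and ESP security associations. The following Python script is an added example (not part of the original feature module and not Cisco code) that reconstructs that trail from the debug output of both routers and cross-checks that the SPIs Brazil created are the same ones Chile created. The two excerpts are constructed, trimmed copies of the Brazil and Chile debug output below; split_records, summarize, sa_mismatches and exchange_complete are names chosen here, and the timestamp pattern covers only the two timestamp styles that appear in those excerpts.

```python
"""Reconstruct a Tunnel Endpoint Discovery exchange from IOS crypto debug output.

Constructed example, not Cisco code. Both excerpts are trimmed from the Brazil
(initiator) and Chile (responder) debug output shown on this page.
"""
import re

BRAZIL_DEBUG = """\
Jun 28 18:33:54.683: ISAKMP (42): sending packet to 10.5.0.1 (I) PEER_DISCOVERY
Jun 28 18:33:54.691: ISAKMP (42): received packet from 10.5.0.1 (I) PEER_DISCOVERY
Jun 28 18:33:54.691: ISAKMP: initiating IKE to 172.21.230.88 in response to probe.
Jun 28 18:33:54.695: ISAKMP (43): sending packet to 172.21.230.88 (I) MM_NO_STATE
Jun 28 18:33:54.903: ISAKMP (43): sending packet to 172.21.230.88 (I) MM_SA_SETUP
Jun 28 18:33:55.167: ISAKMP (43): sending packet to 172.21.230.88 (I) MM_KEY_EXCH
Jun 28 18:33:55.179: ISAKMP (43): SA has been authenticated with 172.21.230.88
Jun 28 18:33:55.431: ISAKMP (43): sending packet to 172.21.230.88 (I) QM_IDLE
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.67, sa_prot= 51,
 sa_spi= 0x204A264E(541730382),
 sa_trans= ah-sha-hmac, sa_conn_id= 44
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.88, sa_prot= 51, sa_spi= 0xAA00BAD(178260909),
 sa_trans= ah-sha-hmac, sa_conn_id= 45
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.67, sa_prot= 50, sa_spi= 0x586261B(92677659),
 sa_trans= esp-des esp-md5-hmac, sa_conn_id= 46
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.88, sa_prot= 50, sa_spi= 0x253518A8(624236712),
 sa_trans= esp-des esp-md5-hmac, sa_conn_id= 47
"""

CHILE_DEBUG = """\
3d18h: ISAKMP (36): responding to peer discovery probe!
3d18h: peer's address is 172.21.230.67
3d18h: ISAKMP (36): sending packet to 172.16.0.2 (R) PEER_DISCOVERY
3d18h: ISAKMP (38): sending packet to 172.21.230.67 (R) MM_SA_SETUP
3d18h: ISAKMP (38): sending packet to 172.21.230.67 (R) MM_KEY_EXCH
3d18h: ISAKMP (38): SA has been authenticated with 172.21.230.67
3d18h: ISAKMP (38): sending packet to 172.21.230.67 (R) QM_IDLE
3d18h: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.88, sa_prot= 51, sa_spi= 0xAA00BAD(178260909), sa_trans= ah-sha-hmac, sa_conn_id= 39
3d18h: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.67, sa_prot= 51, sa_spi= 0x204A264E(541730382), sa_trans= ah-sha-hmac, sa_conn_id= 40
3d18h: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.88, sa_prot= 50, sa_spi= 0x253518A8(624236712), sa_trans= esp-des esp-md5-hmac, sa_conn_id= 41
3d18h: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.21.230.67, sa_prot= 50, sa_spi= 0x586261B(92677659), sa_trans= esp-des esp-md5-hmac, sa_conn_id= 42
"""

# Two timestamp styles: "Jun 28 18:33:54.683:" (datetime msec) and "3d18h:" (uptime).
TS = re.compile(r"^(?:[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+|\d+d\d+h): (.*)$")
SEND = re.compile(r"sending packet to (\S+) \((I|R)\) (\w+)")
SA = re.compile(r"create_sa\).*sa_dest= (\S+), sa_prot= (\d+), sa_spi= 0x([0-9A-Fa-f]+)"
                r"\(\d+\), sa_trans= (.+?), sa_conn_id= (\d+)")


def split_records(text):
    """Join continuation lines (no timestamp) onto the message that started them."""
    records = []
    for raw in text.splitlines():
        m = TS.match(raw)
        if m:
            records.append(m.group(1))
        elif records:
            records[-1] += " " + raw.strip()
    return records


def summarize(text):
    """Extract the discovery, IKE and SA milestones from one router's debug output."""
    s = {"role": None, "probe_to": None, "ike_peer": None, "states": [],
         "authenticated_with": None, "sas": []}
    for rec in split_records(text):
        if (m := SEND.search(rec)):
            peer, role, state = m.groups()
            s["role"] = "initiator" if role == "I" else "responder"
            if state == "PEER_DISCOVERY":
                s["probe_to"] = peer  # probe and reply go to the end host, not the peer
            else:
                s["states"].append(state)
        elif (m := re.search(r"initiating IKE to (\S+)|peer's address is (\S+)", rec)):
            s["ike_peer"] = m.group(1) or m.group(2)  # tunnel endpoint learned from the probe
        elif (m := re.search(r"SA has been authenticated with (\S+)", rec)):
            s["authenticated_with"] = m.group(1)
        elif (m := SA.search(rec)):
            dest, prot, spi, trans, conn = m.groups()
            s["sas"].append({"dest": dest, "prot": int(prot), "spi": int(spi, 16),
                             "transform": trans, "conn_id": int(conn)})
    return s


def sa_mismatches(a, b):
    """SAs present on one side only, keyed by (destination, protocol, SPI)."""
    key = lambda sa: (sa["dest"], sa["prot"], sa["spi"])
    return sorted({key(x) for x in a["sas"]} ^ {key(x) for x in b["sas"]})


def exchange_complete(s):
    """True when the probe led to an authenticated IKE SA and the full AH+ESP SA set."""
    return (s["ike_peer"] is not None and s["authenticated_with"] == s["ike_peer"]
            and "QM_IDLE" in s["states"] and len(s["sas"]) == 4)
```

The check that matters operationally is sa_mismatches: an SA that one peer created but the other did not is what is left behind when a negotiation is torn down on one side only, and the SPIs it reports are exactly the values that show crypto engine connections active lists by conn_id.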
Argentina# show running configuration
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Argentina
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip wccp version 2
ip domain-name cisco.com
ip name-server 172.29.30.32
ip name-server 172.17.2.132
!
process-max-time 200
!
interface Ethernet0
ip address 172.21.230.3 255.255.255.224
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface Ethernet1
ip address 172.21.115.69 255.255.255.224
no ip directed-broadcast
no ip mroute-cache
media-type 10BaseT
no cdp enable
!
interface Serial0
bandwidth 2000000
ip address 172.21.115.2 255.255.255.252
no ip directed-broadcast
no ip mroute-cache
fair-queue 64 256 0
clockrate 2000000
!
interface Serial1
description Connection to Brazil's Serial 0
bandwidth 2000000
ip address 172.17.0.2 255.255.0.0
no ip directed-broadcast
no ip mroute-cache
fair-queue 64 256 0
clockrate 2000000
!
ip default-gateway 172.21.230.3
no ip classless
ip route 10.5.0.1 255.255.255.255 172.16.0.1
ip route 10.6.0.2 255.255.255.255 172.16.0.1
ip route 172.17.0.0 255.255.0.0 172.21.230.1
no ip http server
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end
Brazil# show running configuration
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Brazil
!
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip domain-name cisco.com
ip name-server 172.17.2.132
ip name-server 172.29.30.32
!
crypto isakmp policy 10
authentication pre-share
lifetime 180
crypto isakmp key Chile-Brazil-key address 172.21.230.88
crypto isakmp key Brazil-Venezuela-key address 172.21.230.70
!
!
crypto ipsec transform-set ted-transforms ah-sha-hmac esp-des esp-md5-hmac
!
crypto dynamic-map ted-dmap 10
set transform-set ted-transforms
match address 101
!
crypto map tedtag 10 ipsec-isakmp dynamic ted-dmap discover
!
process-max-time 200
!
interface Ethernet0
ip address 172.21.230.67 255.255.255.224
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
media-type 10BaseT
crypto map tedtag
!
interface Ethernet1
no ip address
no ip directed-broadcast
shutdown
media-type 10BaseT
!
interface Serial0
description Connection to Argentina's Serial 1
bandwidth 2000000
ip address 172.17.0.1 255.255.0.0
no ip directed-broadcast
no ip mroute-cache
fair-queue 64 256 0
!
interface Serial1
bandwidth 2000000
ip address 10.2.2.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no keepalive
shutdown
fair-queue 64 256 0
!
no ip classless
ip route 10.5.0.1 255.255.255.255 172.21.230.88
ip route 10.6.0.2 255.255.255.255 172.21.230.70
ip route 172.17.0.0 255.255.0.0 172.21.230.65
ip route 172.29.0.0 255.255.0.0 172.21.230.65
no ip http server
!
access-list 101 permit ip 172.16.0.0 0.255.255.255 any
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
ntp clock-period 17179818
ntp server 172.17.150.52
end
Brazil# show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Brazil#
Jun 28 18:33:54.679: IPSEC(tunnel discover request):,
(key eng. msg.) src= 172.16.0.2, dest= 10.5.0.1,
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
dest_proxy= 172.21.230.67/255.255.255.255/0/0 (type=1),
protocol= AH, transform= ah-sha-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4044
Jun 28 18:33:54.679: IPSEC(tunnel discover request):,
(key eng. msg.) src= 172.16.0.2, dest= 10.5.0.1,
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
dest_proxy= 172.21.230.67/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4044
Jun 28 18:33:54.679: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!src = 172.16.0.2 to 10.5.0.1, protocol 2, transform 3, hmac 2
Jun 28 18:33:54.679: proxy source is 172.16.0.0/255.0.0.0 and my address
(not used now) is 172.21.230.67
Jun 28 18:33:54.683: 1st ID is 172.21.230.67
Jun 28 18:33:54.683: 2nd ID is 172.16.0.0/255.0.0.0
Jun 28 18:33:54.683: ISAKMP (42): beginning peer discovery exchange
Jun 28 18:33:54.683: ISAKMP (42): sending packet to 10.5.0.1 (I) PEER_DISCOVERY
Jun 28 18:33:54.683: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!src = 155.0.0.2 to 10.5.0.1, protocol 3, transform 2, hmac 1
Jun 28 18:33:54.687: proxy source is 172.16.0.0/255.0.0.0 and my address
(not used now) is 172.21.230.67
Jun 28 18:33:54.691: ISAKMP (42): received packet from 10.5.0.1 (I) PEER_DISCOVERY
Jun 28 18:33:54.691: ISAKMP (42): processing vendor id payload
Jun 28 18:33:54.691: ISAKMP (42): speaking to another IOS box!
Jun 28 18:33:54.691: ISAKMP (42): processing ID payload. message ID = 0
Jun 28 18:33:54.691: ISAKMP (42): processing ID payload. message ID = 1013311209
Jun 28 18:33:54.691: ISAKMP (42): received response to my peer discovery probe!
ISAKMP: initiating IKE to 172.21.230.88 in response to probe.
Jun 28 18:33:54.695: ISAKMP (43): sending packet to 172.21.230.88 (I) MM_NO_STATE
Jun 28 18:33:54.695: ISAKMP (42): deleting SA
Jun 28 18:33:54.799: ISAKMP (43): received packet from 172.21.230.88 (I) MM_NO_STATE
Jun 28 18:33:54.799: ISAKMP (43): processing SA payload. message ID = 0
Jun 28 18:33:54.799: ISAKMP (43): Checking ISAKMP transform 1 against priority 10 policy
Jun 28 18:33:54.799: ISAKMP: encryption DES-CBC
Jun 28 18:33:54.799: ISAKMP: hash SHA
Jun 28 18:33:54.799: ISAKMP: default group 1
Jun 28 18:33:54.799: ISAKMP: auth pre-share
Jun 28 18:33:54.799: ISAKMP: life type in seconds
Jun 28 18:33:54.799: ISAKMP: life duration (basic) of 180
Jun 28 18:33:54.799: ISAKMP (43): atts are acceptable. Next payload is 0
Jun 28 18:33:54.899: ISAKMP (43): SA is doing pre-shared key authentication
Jun 28 18:33:54.903: ISAKMP (43): sending packet to 172.21.230.88 (I) MM_SA_SETUP
Jun 28 18:33:55.035: ISAKMP (43): received packet from 172.21.230.88 (I) MM_SA_SETUP
Jun 28 18:33:55.035: ISAKMP (43): processing KE payload. message ID = 0
Jun 28 18:33:55.159: ISAKMP (43): processing NONCE payload. message ID = 0
Jun 28 18:33:55.163: ISAKMP (43): SKEYID state generated
Jun 28 18:33:55.163: ISAKMP (43): processing vendor id payload
Jun 28 18:33:55.163: ISAKMP (43): speaking to another IOS box!
Jun 28 18:33:55.167: ISAKMP (43): sending packet to 172.21.230.88 (I) MM_KEY_EXCH
Jun 28 18:33:55.167: ISADB: reaper checking SA, conn_id = 42 DELETE IT!
Jun 28 18:33:55.167: ISADB: reaper checking SA, conn_id = 43
Jun 28 18:33:55.175: ISAKMP (43): received packet from 172.21.230.88 (I) MM_KEY_EXCH
Jun 28 18:33:55.175: ISAKMP (43): processing ID payload. message ID = 0
Jun 28 18:33:55.175: ISAKMP (43): processing HASH payload. message ID = 0
Jun 28 18:33:55.179: ISAKMP (43): SA has been authenticated with 172.21.230.88
Jun 28 18:33:55.179: ISAKMP (43): beginning Quick Mode exchange, M-ID of -978014390
Jun 28 18:33:55.179: IPSEC(key_engine): got a queue event...
Jun 28 18:33:55.179: IPSEC(spi_response): getting spi 541730382 for SA
from 172.21.230.88 to 172.21.230.67 for prot 2
Jun 28 18:33:55.179: IPSEC(spi_response): getting spi 92677659 for SA
from 172.21.230.88 to 172.21.230.67 for prot 3
Jun 28 18:33:55.431: ISAKMP (43): sending packet to 172.21.230.88 (I) QM_IDLE
Jun 28 18:33:55.695: ISAKMP (43): received packet from 172.21.230.88 (I) QM_IDLE
Jun 28 18:33:55.699: ISAKMP (43): processing SA payload. message ID = -978014390
Jun 28 18:33:55.699: ISAKMP (43): Checking IPSec proposal 1
Jun 28 18:33:55.699: ISAKMP: transform 1, AH_SHA
Jun 28 18:33:55.699: ISAKMP: attributes in transform:
Jun 28 18:33:55.699: ISAKMP: encaps is 1
Jun 28 18:33:55.699: ISAKMP: SA life type in seconds
Jun 28 18:33:55.699: ISAKMP: SA life duration (basic) of 3600
Jun 28 18:33:55.699: ISAKMP: SA life type in kilobytes
Jun 28 18:33:55.703: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jun 28 18:33:55.703: ISAKMP: authenticator is HMAC-SHA
Jun 28 18:33:55.703: ISAKMP (43): atts are acceptable.
Jun 28 18:33:55.703: ISAKMP (43): Checking IPSec proposal 1
Jun 28 18:33:55.703: ISAKMP: transform 1, ESP_DES
Jun 28 18:33:55.703: ISAKMP: attributes in transform:
Jun 28 18:33:55.703: ISAKMP: encaps is 1
Jun 28 18:33:55.703: ISAKMP: SA life type in seconds
Jun 28 18:33:55.703: ISAKMP: SA life duration (basic) of 3600
Jun 28 18:33:55.703: ISAKMP: SA life type in kilobytes
Jun 28 18:33:55.703: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jun 28 18:33:55.703: ISAKMP: authenticator is HMAC-MD5
Jun 28 18:33:55.703: ISAKMP (43): atts are acceptable.
Jun 28 18:33:55.703: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 172.21.230.88, src= 172.21.230.67,
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
Jun 28 18:33:55.703: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) dest= 172.21.230.88, src= 172.21.230.67,
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
Jun 28 18:33:55.707: ISAKMP (43): processing NONCE payload. message ID = -978014390
Jun 28 18:33:55.707: ISAKMP (43): processing ID payload. message ID = -978014390
Jun 28 18:33:55.707: ISAKMP (43): processing ID payload. message ID = -978014390
Jun 28 18:33:55.715: ISAKMP (43): Creating IPSec SAs
Jun 28 18:33:55.715: inbound SA from 172.21.230.88 to 172.21.230.67 (proxy 10.5.0.0 to 172.16.0.0)
Jun 28 18:33:55.715: has spi 541730382 and conn_id 44 and flags 4
Jun 28 18:33:55.715: lifetime of 3600 seconds
Jun 28 18:33:55.715: lifetime of 4608000 kilobytes
Jun 28 18:33:55.715: outbound SA from 172.21.230.67 to 172.21.230.88 (proxy 172.16.0.0 to 10.5.0.0)
Jun 28 18:33:55.715: has spi 178260909 and conn_id 45 and flags 4
Jun 28 18:33:55.715: lifetime of 3600 seconds
Jun 28 18:33:55.715: lifetime of 4608000 kilobytes
Jun 28 18:33:55.715: ISAKMP (43): Creating IPSec SAs
Jun 28 18:33:55.715: inbound SA from 172.21.230.88 to 172.21.230.67 (proxy 10.5.0.0 to 172.16.0.0)
Jun 28 18:33:55.715: has spi 92677659 and conn_id 46 and flags 4
Jun 28 18:33:55.719: lifetime of 3600 seconds
Jun 28 18:33:55.719: lifetime of 4608000 kilobytes
Jun 28 18:33:55.719: outbound SA from 172.21.230.67 to 172.21.230.88 (proxy 172.16.0.0 to 10.5.0.0)
Jun 28 18:33:55.719: has spi 624236712 and conn_id 47 and flags 4
Jun 28 18:33:55.719: lifetime of 3600 seconds
Jun 28 18:33:55.719: lifetime of 4608000 kilobytes
Jun 28 18:33:55.719: IPSEC(key_engine): got a queue event...
Jun 28 18:33:55.719: IPSEC(initialize_sas):,
(key eng. msg.) dest= 172.21.230.67, src= 172.21.230.88,
dest_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x204A264E(541730382), conn_id= 44, keysize= 0, flags= 0x4
Jun 28 18:33:55.719: IPSEC(initialize_sas):,
(key eng. msg.) src= 172.21.230.67, dest= 172.21.230.88,
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac,
lifedur= 3600s and 4608000kb,
spi= 0xAA00BAD(178260909), conn_id= 45, keysize= 0, flags= 0x4
Jun 28 18:33:55.719: IPSEC(initialize_sas):,
(key eng. msg.) dest= 172.21.230.67, src= 172.21.230.88,
dest_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x586261B(92677659), conn_id= 46, keysize= 0, flags= 0x4
Jun 28 18:33:55.719: IPSEC(initialize_sas):,
(key eng. msg.) src= 172.21.230.67, dest= 172.21.230.88,
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x253518A8(624236712), conn_id= 47, keysize= 0, flags= 0x4
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.67, sa_prot= 51,
sa_spi= 0x204A264E(541730382),
sa_trans= ah-sha-hmac, sa_conn_id= 44
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.88, sa_prot= 51,
sa_spi= 0xAA00BAD(178260909),
sa_trans= ah-sha-hmac, sa_conn_id= 45
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.67, sa_prot= 50,
sa_spi= 0x586261B(92677659),
sa_trans= esp-des esp-md5-hmac, sa_conn_id= 46
Jun 28 18:33:55.723: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.88, sa_prot= 50,
sa_spi= 0x253518A8(624236712),
sa_trans= esp-des esp-md5-hmac, sa_conn_id= 47
Jun 28 18:33:55.727: ISAKMP (43): sending packet to 172.21.230.88 (I) QM_IDLE
Brazil# show crypto isakmp sa
dst src state conn-id slot
172.21.230.88 172.21.230.67 QM_IDLE 43 0
Brazil# show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
43 no idb no address set DES_56_CBC 0 0
44 Ethernet0 172.21.230.67 set HMAC_SHA 0 4
45 Ethernet0 172.21.230.67 set HMAC_SHA 4 0
46 Ethernet0 172.21.230.67 set HMAC_MD5+DES_56_CB 0 4
47 Ethernet0 172.21.230.67 set HMAC_MD5+DES_56_CB 4 0
Chile# show running configuration
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname Chile
!
enable secret 5 $1$9khG$1l9mNhOVE49dH3fnrvnya/
enable password cisco
!
ip subnet-zero
ip wccp version 2
ip cef
ip domain-name cisco.com
ip name-server 172.17.2.132
ip name-server 172.29.30.32
!
crypto isakmp policy 10
authentication pre-share
lifetime 180
crypto isakmp key Chile-Brazil-key address 172.21.230.67
crypto isakmp key Venezuela-Chile-key address 172.21.230.70
!
crypto ipsec transform-set ted-transforms ah-sha-hmac esp-des esp-md5-hmac
!
crypto dynamic-map ted-dmap 10
set transform-set ted-transforms
match address 101
!
crypto map tedtag 10 ipsec-isakmp dynamic ted-dmap discover
!
!
process-max-time 200
!
interface Ethernet0/0
ip address 172.21.230.88 255.255.255.224
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
crypto map tedtag
!
interface Ethernet0/1
ip address 10.4.0.2 255.0.0.0
no ip directed-broadcast
no keepalive
no cdp enable
!
interface Serial1/0
description Connected to Ecuador's Serial 1
bandwidth 2000000
ip address 10.5.0.1 255.0.0.0
no ip directed-broadcast
fair-queue 64 256 0
!
interface Serial1/1
bandwidth 1544
no ip address
no ip directed-broadcast
no keepalive
shutdown
clockrate 1000000
no cdp enable
!
interface Serial1/2
ip address 10.3.0.2 255.0.0.0
no ip directed-broadcast
no keepalive
!
interface Serial1/3
bandwidth 2000000
no ip address
no ip directed-broadcast
shutdown
fair-queue 64 256 0
clockrate 72000
no cdp enable
!
ip default-gateway 172.21.230.65
ip classless
ip route 10.6.0.2 255.255.255.255 172.21.230.70
ip route 172.16.0.2 255.255.255.255 172.21.230.67
no ip http server
!
access-list 101 permit ip 10.5.0.0 0.255.255.255 any
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
transport input all
line vty 0 4
exec-timeout 0 0
login
!
no scheduler max-task-time
end
Chile# show debug
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Chile#
3d18h: ISAKMP (0): received packet from 172.16.0.2 (N) NEW SA
3d18h: ISAKMP (36): processing vendor id payload
3d18h: ISAKMP (36): speaking to another IOS box!
3d18h: ISAKMP (36): processing ID payload. message ID = 0
3d18h: ISAKMP (36): processing ID payload. message ID = -1554645700
3d18h: ISAKMP (36): responding to peer discovery probe!
3d18h: peer's address is 172.21.230.67
3d18h: src (him) 4, 172.16.0.0/255.0.0.0 to dst (me) 4, 10.5.0.0/255.0.0.0
3d18h: ISAKMP (36): sending packet to 172.16.0.2 (R) PEER_DISCOVERY
3d18h: ISAKMP (36): deleting SA
3d18h: ISAKMP (0): received packet from 172.16.0.2 (N) NEW SA
3d18h: ISAKMP (0): received packet from 172.21.230.67 (N) NEW SA
3d18h: ISAKMP (38): processing SA payload. message ID = 0
3d18h: ISAKMP (38): Checking ISAKMP transform 1 against priority 10 policy
3d18h: ISAKMP: encryption DES-CBC
3d18h: ISAKMP: hash SHA
3d18h: ISAKMP: default group 1
3d18h: ISAKMP: auth pre-share
3d18h: ISAKMP: life type in seconds
3d18h: ISAKMP: life duration (basic) of 180
3d18h: ISAKMP (38): atts are acceptable. Next payload is 0
3d18h: ISAKMP (38): SA is doing pre-shared key authentication
3d18h: ISAKMP (38): sending packet to 172.21.230.67 (R) MM_SA_SETUP
3d18h: ISAKMP (38): received packet from 172.21.230.67 (R) MM_SA_SETUP
3d18h: ISAKMP (38): processing KE payload. message ID = 0
3d18h: ISAKMP (38): processing NONCE payload. message ID = 0
3d18h: ISAKMP (38): SKEYID state generated
3d18h: ISAKMP (38): processing vendor id payload
3d18h: ISAKMP (38): speaking to another IOS box!
3d18h: ISAKMP (38): sending packet to 172.21.230.67 (R) MM_KEY_EXCH
3d18h: ISAKMP (38): received packet from 172.21.230.67 (R) MM_KEY_EXCH
3d18h: ISAKMP (38): processing ID payload. message ID = 0
3d18h: ISAKMP (38): processing HASH payload. message ID = 0
3d18h: ISAKMP (38): SA has been authenticated with 172.21.230.67
3d18h: ISAKMP (38): sending packet to 172.21.230.67 (R) QM_IDLE
3d18h: ISAKMP (38): received packet from 172.21.230.67 (R) QM_IDLE
3d18h: ISAKMP (38): processing SA payload. message ID = -978014390
3d18h: ISAKMP (38): Checking IPSec proposal 1
3d18h: ISAKMP: transform 1, AH_SHA
3d18h: ISAKMP: attributes in transform:
3d18h: ISAKMP: encaps is 1
3d18h: ISAKMP: SA life type in seconds
3d18h: ISAKMP: SA life duration (basic) of 3600
3d18h: ISAKMP: SA life type in kilobytes
3d18h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
3d18h: ISAKMP: authenticator is HMAC-SHA
3d18h: ISAKMP (38): atts are acceptable.
3d18h: ISAKMP (38): Checking IPSec proposal 1
3d18h: ISAKMP: transform 1, ESP_DES
3d18h: ISAKMP: attributes in transform:
3d18h: ISAKMP: encaps is 1
3d18h: ISAKMP: SA life type in seconds
3d18h: ISAKMP: SA life duration (basic) of 3600
3d18h: ISAKMP: SA life type in kilobytes
3d18h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
3d18h: ISAKMP: authenticator is HMAC-MD5
3d18h: ISAKMP (38): atts are acceptable.
3d18h: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 172.21.230.88, src= 172.21.230.67,
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
3d18h: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) dest= 172.21.230.88, src= 172.21.230.67,
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
3d18h: ISAKMP (38): processing NONCE payload. message ID = -978014390
3d18h: ISAKMP (38): processing ID payload. message ID = -978014390
3d18h: ISAKMP (38): processing ID payload. message ID = -978014390
3d18h: IPSEC(key_engine): got a queue event...
3d18h: IPSEC(spi_response): getting spi 178260909 for SA
from 172.21.230.67 to 172.21.230.88 for prot 2
3d18h: IPSEC(spi_response): getting spi 624236712 for SA
from 172.21.230.67 to 172.21.230.88 for prot 3
3d18h: ISAKMP (38): sending packet to 172.21.230.67 (R) QM_IDLE
3d18h: ISAKMP (38): received packet from 172.21.230.67 (R) QM_IDLE
3d18h: ISAKMP (38): Creating IPSec SAs
3d18h: inbound SA from 172.21.230.67 to 172.21.230.88 (proxy 172.16.0.0
to 10.5.0.0)
3d18h: has spi 178260909 and conn_id 39 and flags 4
3d18h: lifetime of 3600 seconds
3d18h: lifetime of 4608000 kilobytes
3d18h: outbound SA from 172.21.230.88 to 172.21.230.67 (proxy 10.5.0.0
to 172.16.0.0)
3d18h: has spi 541730382 and conn_id 40 and flags 4
3d18h: lifetime of 3600 seconds
3d18h: lifetime of 4608000 kilobytes
3d18h: ISAKMP (38): Creating IPSec SAs
3d18h: inbound SA from 172.21.230.67 to 172.21.230.88 (proxy 172.16.0.0
to 10.5.0.0)
3d18h: has spi 624236712 and conn_id 41 and flags 4
3d18h: lifetime of 3600 seconds
3d18h: lifetime of 4608000 kilobytes
3d18h: outbound SA from 172.21.230.88 to 172.21.230.67 (proxy 10.5.0.0
to 172.16.0.0)
3d18h: has spi 92677659 and conn_id 42 and flags 4
3d18h: lifetime of 3600 seconds
3d18h: lifetime of 4608000 kilobytes
3d18h: IPSEC(key_engine): got a queue event...
3d18h: IPSEC(initialize_sas):,
(key eng. msg.) dest= 172.21.230.88, src= 172.21.230.67,
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac,
lifedur= 3600s and 4608000kb,
spi= 0xAA00BAD(178260909), conn_id= 39, keysize= 0, flags= 0x4
3d18h: IPSEC(initialize_sas):,
(key eng. msg.) src= 172.21.230.88, dest= 172.21.230.67,
src_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
dest_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x204A264E(541730382), conn_id= 40, keysize= 0, flags= 0x4
3d18h: IPSEC(initialize_sas):,
(key eng. msg.) dest= 172.21.230.88, src= 172.21.230.67,
dest_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
src_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x253518A8(624236712), conn_id= 41, keysize= 0, flags= 0x4
3d18h: IPSEC(initialize_sas):,
(key eng. msg.) src= 172.21.230.88, dest= 172.21.230.67,
src_proxy= 10.5.0.0/255.0.0.0/0/0 (type=4),
dest_proxy= 172.16.0.0/255.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 3600s and 4608000kb,
spi= 0x586261B(92677659), conn_id= 42, keysize= 0, flags= 0x4
3d18h: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.88, sa_prot= 51,
sa_spi= 0xAA00BAD(178260909),
sa_trans= ah-sha-hmac, sa_conn_id= 39
3d18h: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.67, sa_prot= 51,
sa_spi= 0x204A264E(541730382),
sa_trans= ah-sha-hmac, sa_conn_id= 40
3d18h: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.88, sa_prot= 50,
sa_spi= 0x253518A8(624236712),
sa_trans= esp-des esp-md5-hmac, sa_conn_id= 41
3d18h: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.21.230.67, sa_prot= 50,
sa_spi= 0x586261B(92677659),
sa_trans= esp-des esp-md5-hmac, sa_conn_id= 42
Chile# show cr isakmp sa
dst src state conn-id slot
10.5.0.1 172.16.0.2 MM_NO_STATE 36 3 (deleted)
172.21.230.88 172.21.230.67 QM_IDLE 38 3
Chile# show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
38 no idb no address set DES_56_CBC 0 0
39 Ethernet0/0 172.21.230.88 set HMAC_SHA 0 4
40 Ethernet0/0 172.21.230.88 set HMAC_SHA 4 0
41 Ethernet0/0 172.21.230.88 set HMAC_MD5+DES_56_CB 0 4
42 Ethernet0/0 172.21.230.88 set HMAC_MD5+DES_56_CB 4 0
Ecuador# show running configuration
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service tcp-small-servers
!
hostname Ecuador
!
ip subnet-zero
ip wccp version 2
ip host Costarica 2.1.1.2
ip domain-name cisco.com
ip name-server 172.17.2.132
ip name-server 172.29.30.32
!
process-max-time 200
!
interface Ethernet0
ip address 172.21.230.195 255.255.255.224
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet1
ip address 192.168.1.3 255.255.255.0
no ip redirects
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Serial1
description Connected to Chile's S1/0
bandwidth 1000000
ip address 10.5.0.2 255.0.0.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
fair-queue 64 256 0
clockrate 2000000
!
no ip http server
ip classless
ip route 10.6.0.2 255.255.255.255 10.5.0.1
ip route 172.16.0.2 255.255.255.255 10.5.0.1
ip route 172.17.0.0 255.255.0.0 Ethernet0
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end
This section documents modified commands. All other commands used to configure this feature are documented in the Cisco IOS Release 12.0 command reference publications.
To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. Use the no form of this command to delete a crypto map entry or set.
[no] crypto map map-name seq-num [cisco]
| Keyword or argument | Description |
|---|---|
| map-name | Specifies a name to apply to the crypto map set. |
| seq-num | Specifies a number to apply to the crypto map entry. |
| cisco | (Default value) Indicates that CET will be used instead of IPSec for protecting the traffic specified by this newly specified crypto map entry. If you use this keyword, none of the IPSec-specific crypto map configuration commands will be available. Instead, the CET-specific commands will be available. |
| ipsec-manual | Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. |
| ipsec-isakmp | Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. |
| dynamic | (Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available. |
| dynamic-map-name | Specifies the name of the dynamic crypto map set. |
| discover | Enables peer discovery. By default, peer discovery is not enabled. |
No crypto maps exist.
Peer discovery is not enabled.
Global configuration. Using this command puts you into crypto map configuration mode, unless you use the dynamic keyword.
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
The following example configures Tunnel Endpoint Discovery on a Cisco router, as described in the "Chile Configuration Example."
crypto map testtag 10 ipsec-isakmp dynamic dmap discover
| Command | Description |
|---|---|
| crypto dynamic-map | Creates a dynamic map entry. |
| match address | Names an extended access list. |
| | Specifies a remote IPSec peer. |
| set security-association lifetime seconds seconds | Specifies a key lifetime for the crypto map entry. |
| set security-association lifetime kilobytes kilobytes | Specifies a key lifetime for the crypto map entry. |
| set pfs | Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry, or should demand perfect forward secrecy in requests received from the IPSec peer. |
AH---Authentication Header. A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).
Authentication Header---See AH.
ESP---Encapsulating Security Payload. A security protocol which provides data privacy services and optional data authentication, and anti-replay services. ESP encapsulates the data to be protected.
Encapsulating Security Payload---See ESP.
Dynamic crypto map---Dynamic crypto maps are only available for use by IKE. A dynamic crypto map entry is a crypto map entry without all the parameters configured. It acts as a policy template where the missing parameters are later dynamically configured (as the result of an IPSec negotiation) to match a remote peer's requirements. This allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto map entry specifically configured to meet all of the remote peer's requirements.
IP Security Protocol---See IPSec.
IPSec---IP Security Protocol. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IKE---Internet Key Exchange. A key management protocol standard which is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol which implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
Internet Key Exchange---See IKE.
Probe---A packet designated by the router to discover the identity of a tunnel endpoint.
Posted: Thu Jul 29 12:13:09 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.