CCIE Security: IKEdentify yourself! IKEv1 and IKEv2

I think I need to pick up the pace a bit today. I lost too much time trying to shoehorn things into GETVPN (and failing, but seeing as no-one else has replied to my challenge as yet, I am starting to feel less bad about it). GETVPN is not finished yet. We still need to get the servers access to the 10.1.3.0/24 and 10.1.4.0/24 networks. To do this we will probably need to run DMVPN over the top of GETVPN. But not today. Today we’ll be working on the right-hand side of the network, and aim to get IKEv1 running (see this post).

IKEv1 VPNs

We’ll set up EIGRP named mode to get us the routes:

GETVPN-S1(config)#router eigrp LowerLeft 
GETVPN-S1(config-router)#address-family ipv4 auto 103
GETVPN-S1(config-router-af)#eigrp router-id 103.1.1.1
GETVPN-S1(config-router-af)#network 10.1.15.0 0.0.0.255
GETVPN-S1(config-router-af)#

Chicago(config)#router eigrp LowerLeft
Chicago(config-router)#address-family ipv4 auto 103
Chicago(config-router-af)#eigrp router-id 10.1.15.2
Chicago(config-router-af)#network 10.1.15.0 0.0.0.255
Chicago(config-router-af)#network 10.1.15.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.15.1 (GigabitEthern                           
Chicago(config-router-af)#
Chicago(config-router-af)#network 10.1.16.0 0.0.0.255
Chicago(config-router-af)#network 10.1.17.0 0.0.0.255
Chicago(config-router-af)#

IKEv1(config)#router eigrp LowerLeft
IKEv1(config-router)#add ipv4 auto 103
IKEv1(config-router-af)#eigrp router-id 10.1.17.1
IKEv1(config-router-af)#network 10.1.17.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.17.2 (GigabitEthernet0/1) is up: new adjacency
IKEv1(config-router-af)#network 10.1.18.0 0.0.0.255
IKEv1(config-router-af)#

NYC(config)#router eigrp EIGRP
NYC(config-router)#add ipv4 auto 103
NYC(config-router-af)#
NYC(config-router-af)#eigrp router-id 10.1.12.254
NYC(config-router-af)#network 10.1.14.0 0.0.0.255
NYC(config-router-af)#

GETVPN-S1(config-router-af)#network 10.1.14.0 0.0.0.255
GETVPN-S1(config-router-af)#
GETVPN-S1(config-router-af)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.14.254 (GigabitEthernet0/0) is up: new adjacency
GETVPN-S1(config-router-af)#

NYC now has routers up to IKEv1:

NYC(config-router-af)#do sh ip route | b Gate
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C        10.1.12.0/24 is directly connected, GigabitEthernet0/1
L        10.1.12.254/32 is directly connected, GigabitEthernet0/1
C        10.1.13.0/24 is directly connected, GigabitEthernet0/2
L        10.1.13.254/32 is directly connected, GigabitEthernet0/2
C        10.1.14.0/24 is directly connected, GigabitEthernet0/0
L        10.1.14.254/32 is directly connected, GigabitEthernet0/0
D        10.1.15.0/24 [90/15360] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
D        10.1.16.0/24 [90/20480] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
D        10.1.17.0/24 [90/20480] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
D        10.1.18.0/24 [90/25600] via 10.1.14.1, 00:00:29, GigabitEthernet0/0
NYC(config-router-af)#
NYC(config-router-af)#do ping 10.1.17.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.17.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/11 ms
NYC(config-router-af)#

As the goal is for IKEv1 to have access over the VPN to 2.2.2.2, we need to give NYC access to that network, and likewise, Telnet-1 needs a route back:

NYC(config-router-af)#ip route 2.2.2.2 255.255.255.255 10.1.13.1
NYC(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
NYC(config)#

Telnet-2(config)#ip route 0.0.0.0 0.0.0.0 10.1.13.254
Telnet-2(config)#

Start with the policy, create it on one, paste into the other:

IKEv1(config)#cry isakmp policy 10 
IKEv1(config-isakmp)#encryption 3des
IKEv1(config-isakmp)#hash sha
IKEv1(config-isakmp)#group 2
IKEv1(config-isakmp)#auth pre
IKEv1(config-isakmp)#life 3600
IKEv1(config-isakmp)#exit
IKEv1(config)#do sh run | s crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
IKEv1(config)#

NYC(config)#crypto isakmp policy 10
NYC(config-isakmp)# encr 3des
NYC(config-isakmp)# authentication pre-share
NYC(config-isakmp)# group 2
NYC(config-isakmp)# lifetime 3600
NYC(config-isakmp)#

Now we need a transport set:

IKEv1(config)#crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac 
IKEv1(cfg-crypto-trans)#exit
IKEv1(config)#do sh run | s transform
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac 
 mode tunnel
IKEv1(config)#

NYC(config-isakmp)#exit
NYC(config)#crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac 
NYC(cfg-crypto-trans)# mode tunnel
NYC(cfg-crypto-trans)#exit
NYC(config)#

Define the interesting traffic:

IKEv1(config)#ip access-list standard IKEv1-Tunnel-Traffic 
IKEv1(config-std-nacl)#permit 2.2.2.2
IKEv1(config-std-nacl)#exit

NYC(config)#ip access-list extended IKEv1-Tunnel-Traffic
NYC(config-ext-nacl)#permit ip host 2.2.2.2 host 10.1.17.1
NYC(config-ext-nacl)#permit ip host 10.1.17.1 host 2.2.2.2
NYC(config-ext-nacl)#

We set the keyring:

IKEv1(config)#crypto keyring NYC 
IKEv1(conf-keyring)#pre-shared-key address 10.1.14.254 key CCIE
IKEv1(conf-keyring)#exit

NYC(config)#crypto keyring IKEv1 
NYC(conf-keyring)#pre-shared-key address 10.1.17.1 key CCIE
NYC(conf-keyring)#exit
NYC(config)#

Now we can create the crypto map, starting with NYC:

NYC(config)#crypto map CRY-MAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
NYC(config-crypto-map)#set peer 10.1.17.1
NYC(config-crypto-map)#match address IKEv1-Tunnel-Traffic
NYC(config-crypto-map)#set transform-set 3des-sha
NYC(config-crypto-map)#
NYC(config-crypto-map)#set isakmp-profile IKEv1-ISAK-Profile
% IKEv1 Profile IKEv1-ISAK-Profile not found
NYC(config-crypto-map)#
NYC(config-crypto-map)#exit
NYC(config)#cry isakmp profile IKEv1-ISAK-Profile
% A profile is deemed incomplete until it has match identity statements
NYC(conf-isa-prof)#
NYC(conf-isa-prof)#match identity address 10.1.17.1
NYC(conf-isa-prof)#keyring IKEv1
NYC(conf-isa-prof)#exit
NYC(config)#crypto map CRY-MAP 1 ipsec-isakmp
NYC(config-crypto-map)#set isakmp-profile IKEv1-ISAK-Profile
NYC(config-crypto-map)#
NYC(config-crypto-map)#do sh run | s crypto
crypto keyring IKEv1  
  pre-shared-key address 10.1.17.1 key CCIE
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile IKEv1-ISAK-Profile
   keyring IKEv1
   match identity address 10.1.17.1 255.255.255.255 
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac 
 mode tunnel
crypto map CRY-MAP 1 ipsec-isakmp 
 set peer 10.1.17.1
 set transform-set 3des-sha 
 set isakmp-profile IKEv1-ISAK-Profile
 match address IKEv1-Tunnel-Traffic
NYC(config-crypto-map)#

It looks like my attempts at NOT throwing every bit of configuration I can find, meant that I forgot to create the ISAKMP profile. Let’s do IKEv1:

IKEv1(config)#crypto keyring NYC
IKEv1(conf-keyring)#pre-shared-key address 10.1.14.254 key CCIE
IKEv1(conf-keyring)#exit
IKEv1(config)#crypto isakmp profile NYC-ISAK-Profile
% A profile is deemed incomplete until it has match identity statements
IKEv1(conf-isa-prof)#match identity address 10.1.14.254
IKEv1(conf-isa-prof)#keyring NYC
IKEv1(conf-isa-prof)#exit
IKEv1(config)#crypto map CRY-MAP 1 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
IKEv1(config-crypto-map)#set peer 10.1.14.254
IKEv1(config-crypto-map)#match add IKEv1-Tunnel-Traffic
Access-list type conflicts with prior definitionERROR: "IKEv1-Tunnel-Traffic" is either an invalid name or the
        list already exists but is the wrong type.

IKEv1(config-crypto-map)#exit
IKEv1(config)#do sh run | s access-list
ip access-list standard IKEv1-Tunnel-Traffic
 permit 2.2.2.2
IKEv1(config)#no ip access-list standard IKEv1-Tunnel-Traffic                
IKEv1(config)#ip access-list extended IKEv1-Tunnel-Traffic
IKEv1(config-ext-nacl)#permit ip host 2.2.2.2 host 10.1.17.1   
IKEv1(config-ext-nacl)#permit ip host 10.1.17.1 host 2.2.2.2
IKEv1(config-ext-nacl)#
IKEv1(config-ext-nacl)#crypto map CRY-MAP 1 ipsec-isakmp                     
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
IKEv1(config-crypto-map)#match add IKEv1-Tunnel-Traffic                 
IKEv1(config-crypto-map)#set transform-set 3des-sha
IKEv1(config-crypto-map)#set isakmp-profile NYC-ISAK-Profile                
IKEv1(config-crypto-map)#do sh run | s crypto
crypto keyring NYC  
  pre-shared-key address 10.1.14.254 key CCIE
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp profile NYC-ISAK-Profile
   keyring NYC
   match identity address 10.1.14.254 255.255.255.255 
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac 
 mode tunnel
crypto map CRY-MAP 1 ipsec-isakmp 
 set peer 10.1.14.254
 set transform-set 3des-sha 
 set isakmp-profile NYC-ISAK-Profile
 match address IKEv1-Tunnel-Traffic
IKEv1(config-crypto-map)#

It needs to be an extended list, not a standard one. Now we attach this to the relevant interfaces:

IKEv1(config-crypto-map)#int gi0/1
IKEv1(config-if)#crypto map CRY-MAP
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
IKEv1(config-if)#

NYC(config-crypto-map)#int gi0/0
NYC(config-if)#crypto map CRY-MAP
NYC(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
NYC(config-if)#

Is everything there? Let’s find out:

Telnet-2#ping 10.1.17.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.17.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
.....
Success rate is 0 percent (0/5)
Telnet-2#

NYC(config-if)#do sh cry isa sa                  
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.17.1       10.1.14.254     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

NYC(config-if)#do sh cry ips sa | i local|rem|enc|dec   
    Crypto map tag: CRY-MAP, local addr 10.1.14.254
   local  ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.14.254, remote crypto endpt.: 10.1.17.1
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.14.254, remote crypto endpt.: 10.1.17.1
        sa timing: remaining key lifetime (k/sec): (4257472/3450)
        sa timing: remaining key lifetime (k/sec): (4257472/3450)
NYC(config-if)#

IKEv1(config-if)#do sh cry isak sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.17.1       10.1.14.254     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

IKEv1(config-if)#do sh cry ips | i local|rem|enc|dec
% Incomplete command.

IKEv1(config-if)#do sh cry ips sa | i local|rem|enc|dec
    Crypto map tag: CRY-MAP, local addr 10.1.17.1
   local  ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.17.1, remote crypto endpt.: 10.1.14.254
        sa timing: remaining key lifetime (k/sec): (4186964/3396)
        sa timing: remaining key lifetime (k/sec): (4186965/3396)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 10.1.17.1, remote crypto endpt.: 10.1.14.254
IKEv1(config-if)#

The tunnel is up, the problem is that IKEv1 doesn’t know where to send traffic for 2.2.2.2, this is an easy fix:

IKEv1(config-if)#ip route 2.2.2.2 255.255.255.255 10.1.14.254
IKEv1(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms
IKEv1(config)#

Telnet-2#ping 10.1.17.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.17.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/17/33 ms
Telnet-2#

NYC#sh cry ips sa identity 

interface: GigabitEthernet0/0
    Crypto map tag: CRY-MAP, local addr 10.1.14.254

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 10.1.17.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   current_peer 10.1.17.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
NYC#

All is working. However, there is a little bit of tidying up to do. The access-lists are too permissive, and we only need one entry:

NYC#sh access-list
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (44 matches)
    20 permit ip host 10.1.17.1 host 2.2.2.2
NYC#
NYC#conf t
NYC(config)#ip access-list extended IKEv1-Tunnel-Traffic
NYC(config-ext-nacl)#no 20
NYC(config-ext-nacl)#exit
NYC(config)#exit
NYC#sh access-list
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (44 matches)
NYC#

IKEv1(config-ext-nacl)#do sh access-list
Extended IP access list IKEv1-Tunnel-Traffic
    10 permit ip host 2.2.2.2 host 10.1.17.1 (1 match)
    20 permit ip host 10.1.17.1 host 2.2.2.2 (25 matches)
IKEv1(config-ext-nacl)#no 10
IKEv1(config-ext-nacl)#do ping 2.2.2.2  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/13/15 ms
IKEv1(config-ext-nacl)#

The pings still work, and we can for the output from “sh cry ips sa” into one window. More importantly, the access-lists are cleaner:

NYC#sh cry ips sa

interface: GigabitEthernet0/0
    Crypto map tag: CRY-MAP, local addr 10.1.14.254

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.17.1/255.255.255.255/0/0)
   current_peer 10.1.17.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.14.254, remote crypto endpt.: 10.1.17.1
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x6E4A5A46(1850366534)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x38DA9074(953847924)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: SW:11, sibling_flags 80000040, crypto map: CRY-MAP
        sa timing: remaining key lifetime (k/sec): (4257669/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6E4A5A46(1850366534)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: SW:12, sibling_flags 80000040, crypto map: CRY-MAP
        sa timing: remaining key lifetime (k/sec): (4257669/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
NYC#

For the last part of this we need to be able to telnet through, so let’s set that up:

Telnet-2(config)#line vty 0 4
Telnet-2(config-line)#password cisco
Telnet-2(config-line)#login
Telnet-2(config-line)#transport input telnet
Telnet-2(config-line)#

IKEv1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open

****************************************************************
* Banner.                                                      *
****************************************************************

User Access Verification

Password: 
****************************************************************
* Banner.                                                      *
****************************************************************
Telnet-2>en
% No password set
Telnet-2>exit

[Connection to 2.2.2.2 closed by foreign host]
IKEv1#

Not bad. One of the tasks can be crossed off, and we can move on and do IKEv2 between NYC and the Easy-Server.

IKEv2 VPNs

NYC(config)#crypto keyring EASY-Server  
NYC(conf-keyring)#pre-shared-key address 10.1.6.254 key CCIE
NYC(conf-keyring)#exit
NYC(config)#crypto isakmp profile Easy-ISAK-Profile
% A profile is deemed incomplete until it has match identity statements
NYC(conf-isa-prof)#keyring EASY-Server
NYC(conf-isa-prof)#match identity address 10.1.6.254
NYC(conf-isa-prof)#
NYC(config)#crypto ikev2 keyring EASY-Server-Keyring
NYC(config-ikev2-keyring)#peer EASY-Server
NYC(config-ikev2-keyring-peer)#address 10.1.6.254
NYC(config-ikev2-keyring-peer)#exit
NYC(config-ikev2-keyring)#exit
NYC(config)#crypto ikev2 profile IKEv2-Profile
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate or match any statement.
NYC(config-ikev2-profile)#match identity remote add 10.1.6.254
NYC(config-ikev2-profile)#authen local pre-share 
NYC(config-ikev2-profile)#authen remote pre-share 
NYC(config-ikev2-profile)#keyring local EASY-Server-Keyring
NYC(config-ikev2-profile)#exit
NYC(config)#
NYC(config)#crypto map CRY-MAP 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
NYC(config-crypto-map)#set peer 10.1.6.254
NYC(config-crypto-map)#set transform-set 3des-sha
NYC(config-crypto-map)#set ikev2-profile IKEv2-Profile
NYC(config-crypto-map)#match address IKEv2-Tunnel-Traffic
NYC(config-crypto-map)#
NYC(config-crypto-map)#exit
NYC(config)#ip access-list extended IKEv2-Tunnel-Traffic
NYC(config-ext-nacl)#permit ip host 2.2.2.2 host 10.1.6.254
NYC(config-ext-nacl)#permit ip host 2.2.2.2 host 1.1.1.1
NYC(config-ext-nacl)#exit
NYC(config)#

Easy-Server(config)#crypto isakmp policy 10
Easy-Server(config-isakmp)# encr 3des
Easy-Server(config-isakmp)# authentication pre-share
Easy-Server(config-isakmp)# group 2
Easy-Server(config-isakmp)# lifetime 3600
Easy-Server(config-isakmp)#exi
Easy-Server(config)#crypto keyring NYC  
Easy-Server(conf-keyring)#  pre-shared-key address 10.1.14.254 key CCIE
Easy-Server(conf-keyring)#exit
Easy-Server(config)#cry ikev2 keyring NYC
Easy-Server(config-ikev2-keyring)#peer NYC
Easy-Server(config-ikev2-keyring-peer)#address 10.1.14.254
Easy-Server(config-ikev2-keyring-peer)#exit
Easy-Server(config-ikev2-keyring)#exit
Easy-Server(config)#crypto ikev2 profile IKEv2-Profile
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate or match any statement.
Easy-Server(config-ikev2-profile)# authentication remote pre-share
Easy-Server(config-ikev2-profile)# authentication local pre-share
Easy-Server(config-ikev2-profile)#keyring local NYC
Easy-Server(config-ikev2-profile)#match identity remote address 10.1.14.254
Easy-Server(config-ikev2-profile)#exit
Easy-Server(config)#crypto isakmp profile NYC
% A profile is deemed incomplete until it has match identity statements
Easy-Server(conf-isa-prof)#keyring NYC
Easy-Server(conf-isa-prof)#match identity address 10.1.14.254
Easy-Server(conf-isa-prof)#exit
Easy-Server(config)#$c transform-set 3des-sha esp-3des esp-sha-hmac          
Easy-Server(cfg-crypto-trans)# mode tunnel
Easy-Server(cfg-crypto-trans)#exit
Easy-Server(config)#crypto ipsec profile NYC-IPSec-Profile  
Easy-Server(ipsec-profile)#set transform-set 3des-sha
Easy-Server(ipsec-profile)#exit
Easy-Server(config)#ip access-list extended IKEv2-Tunnel-Traffic
Easy-Server(config-ext-nacl)#permit ip host 1.1.1.1 host 2.2.2.2
Easy-Server(config-ext-nacl)#permit ip host 1.1.1.1 host 10.1.14.254
Easy-Server(config-ext-nacl)#
Easy-Server(config-ext-nacl)#crypto map CRY-MAP 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Easy-Server(config-crypto-map)#set peer 10.1.14.254
Easy-Server(config-crypto-map)#set transform-set 3des-sha 
Easy-Server(config-crypto-map)# set ikev2-profile IKEv2-Profile
Easy-Server(config-crypto-map)# match address IKEv2-Tunnel-Traffic
Easy-Server(config-crypto-map)#
Easy-Server(config-crypto-map)#int gi0/0
Easy-Server(config-if)#cry map CRY-MAP
Easy-Server(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Easy-Server(config-if)#

We need a couple of routes:

Easy-Server(config)#ip route 1.1.1.1 255.255.255.255 10.1.7.1
Easy-Server(config)#ip route 0.0.0.0 0.0.0.0 10.1.6.1
Easy-Server(config)#

Telnet-1(config)#ip route 0.0.0.0 0.0.0.0 10.1.7.254
Telnet-1(config)#

NYC(config)#ip route 1.1.1.1 255.255.255.255 10.1.6.254

NYC(config)#

I forgot that the NYC router is (from EASY-Server) behind the ASA firewalls! Doh! Pretty dumb of me. We also need routes! Let’s sort that out:

ASA9(config)# object network obj-NYC
ASA9(config-network-object)# host 10.1.14.254
ASA9(config-network-object)# 
ASA9(config-network-object)# exi
ASA9(config)# object network obj-NYC-External
ASA9(config-network-object)# host 10.1.9.100
ASA9(config-network-object)# nat (Inside,Outside) source static obj-NYC obj-NYC-External
ASA9(config)# 
ASA9(config)# access-list Inside->Outside extended permit esp host 10.1.14.254 host 10.1.6.254
ASA9(config)# access-list Inside->Outside extended permit udp host 10.1.14.254 host 10.1.6.254 eq isakmp
ASA9(config)# access-list Inside->Outside extended permit udp host 10.1.14.254 host 10.1.6.254 eq 4500  
ASA9(config)# access-list Inside->Outside extended permit icmp host 10.1.14.254 host 10.1.6.254 
ASA9(config)# access-list Outside->Inside extended permit udp host 10.1.6.254 host 10.1.14.254 eq isakmp
ASA9(config)# access-list Outside->Inside extended permit udp host 10.1.6.254 host 10.1.14.254 eq 4500  
ASA9(config)# access-list Outside->Inside extended permit icmp host 10.1.6.254 host 10.1.14.254       
ASA9(config)# access-list Outside->Inside extended permit esp host 10.1.6.254 host 10.1.14.254       
ASA9(config)# 

GETVPN-S1(config)#router eigrp LowerLeft
GETVPN-S1(config-router)#address-family ipv4 unicast autonomous-system 103
GETVPN-S1(config-router-af)#topology base
GETVPN-S1(config-router-af-topology)#redistribute static 
GETVPN-S1(config-router-af-topology)#exit
GETVPN-S1(config-router-af)#network 10.1.26.0 0.0.0.255                      
GETVPN-S1(config-router-af)#

Switch(config)#router eigrp LowerLeft
Switch(config-router)# address-family ipv4 unicast autonomous-system 103
Switch(config-router-af)#network 10.1.26.0 0.0.0.255
Switch(config-router-af)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 103: Neighbor 10.1.26.1 (Vlan26) is up: new adjacency
Switch(config-router-af)#topology base
Switch(config-router-af-topology)#red connected 
Switch(config-router-af-topology)#

ISP-2(config)#ip route 10.1.6.0 255.255.255.0 10.1.8.1

Easy-Server#ping 10.1.9.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.9.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/16/24 ms
Easy-Server#

Now we need to fix EASY-Server:

Easy-Server(config)#crypto keyring NYC
Easy-Server(conf-keyring)#no pre-shared-key address 10.1.14.254 key CCIE
Easy-Server(conf-keyring)#pre-shared-key address 10.1.9.100 key CCIE
Easy-Server(conf-keyring)#crypto ikev2 keyring NYC
Easy-Server(config-ikev2-keyring)#peer NYC
Easy-Server(config-ikev2-keyring-peer)#no address 10.1.14.254
Easy-Server(config-ikev2-keyring-peer)#address 10.1.9.100
Easy-Server(config-ikev2-keyring-peer)#exit                                  
Easy-Server(config-ikev2-keyring)#exit
Easy-Server(config)#crypto ikev2 profile IKEv2-Profile
Easy-Server(config-ikev2-profile)#no match identity remote address 10.1.14.254 255.255.255.255   
Easy-Server(config-ikev2-profile)#match identity remote address 10.1.9.100
Easy-Server(config-ikev2-profile)#exit
Easy-Server(config)#crypto isakmp profile NYC
Easy-Server(conf-isa-prof)#no match identity address 10.1.14.254 255.255.255.255       
Easy-Server(conf-isa-prof)#match identity address 10.1.9.100
Easy-Server(conf-isa-prof)#exit
Easy-Server(config)#crypto map CRY-MAP 2 ipsec-isakmp
Easy-Server(config-crypto-map)#no set peer 10.1.14.254
Easy-Server(config-crypto-map)#set peer 10.1.9.100
Easy-Server(config-crypto-map)#

Missed something:

Easy-Server(ipsec-profile)#crypto ikev2 keyring NYC
Easy-Server(config-ikev2-keyring)#peer NYC
Easy-Server(config-ikev2-keyring-peer)#pre-shared-key CCIE
Easy-Server(config-ikev2-keyring-peer)#

NYC(ipsec-profile)#crypto ikev2 keyring EASY-Server-Keyring
NYC(config-ikev2-keyring)#peer EASY-Server
NYC(config-ikev2-keyring-peer)#pre-shared-key CCIE
NYC(config-ikev2-keyring-peer)#

NYC(config)#crypto ikev2 policy 10
NYC(config-ikev2-policy)#match add local 10.1.14.254
NYC(config-ikev2-policy)#crypto ikev2 profile IKEv2-Profile
NYC(config-ikev2-profile)#ident loc add 10.1.14.254
NYC(config-ikev2-profile)#match add loca int gi0/0
NYC(config-ikev2-profile)#exi
NYC(config)#cry isakmp invalid-spi-recovery 
NYC(config)#

Easy-Server(config-crypto-map)#crypto ikev2 policy 10
Easy-Server(config-ikev2-policy)#match add local 10.1.6.254
Easy-Server(config-ikev2-policy)#crypto ikev2 profile IKEv2-Profile
Easy-Server(config-ikev2-profile)#match add local int gi0/0
Easy-Server(config-ikev2-profile)#identity local add 10.1.6.254
Easy-Server(config-ikev2-profile)#
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.6.254, prot=50, spi=0x2BAAE5CE(732620238), srcaddr=10.1.9.100, input interface=GigabitEthernet0/0
Easy-Server(config-ikev2-profile)#exi
Easy-Server(config)#cry isakmp invalid-spi-recovery 
Easy-Server(config)#

It’s now day 8, and I am back at it, trying to get the tunnels up. I am a little tired today after going to see the truly incredible Belly play at the O2 Forum in Kentish town. The wife and I got back to the hotel room about 1 am, and I barely slept. Note to self, when they ask what room you want, always opt for the quiet one!

img_20160721_221505
Tanya
img_20160721_210217
Gail

Brilliant gig. I got a little squashed up at the front row and was very tempted to go further back, but I stayed, and scored (half of) a setlist. All work and no play make Stuart a dull boy.

But it’s back to sorting out the IKEv2 VPN now.

The access-lists are getting the hits, but the traffic is not passing. I enabled debugging on the EASY-Server router (debug crypto ikev2), and here is a little bit of that output (with notes below the lines):

IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
^^ DH passes ^^
IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 1,SA ID = 1):NAT OUTSIDE found
IKEv2:(SESSION ID = 1,SA ID = 1):NAT detected float to init port 4500, resp port 4500
^^ We work out that we are behind a NAT device, and switch to nat traversal ^^
IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
^^ SA completes ^^
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 10.1.6.254, key len 4
^^ We know to use a PSK ^^
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
^^ IKEv2 authentication passes ^^
IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.9.100:4500/From 10.1.6.254:4500/VRF i0:f0] 
Initiator SPI : 7C4CB6E87F26A509 - Responder SPI : 6BDD0554932AC653 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 ENCR 
 
IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.1.9.100:4500/To 10.1.6.254:4500/VRF i0:f0] 
Initiator SPI : 7C4CB6E87F26A509 - Responder SPI : 6BDD0554932AC653 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 
IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
^^ We start to send the IKEv2 packets ^^
IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '10.1.14.254' of type 'IPv4 address'
^^ JFK sends us it's identity, which is the IP address ^^
IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Failed to locate an item in the database
IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authentication data FAILED
IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
^^ This is where and why it fails ^^

So, the resolution seems easy enough, we change the identity. But what do we change it to? We could change it to the internal IP address, so that:

crypto ikev2 profile IKEv2-Profile
 match address local interface GigabitEthernet0/0
 match identity remote address 10.1.9.100 255.255.255.255

Becomes

crypto ikev2 profile IKEv2-Profile
 match address local interface GigabitEthernet0/0
 match identity remote address 10.1.14.254 255.255.255.255

But this method means we are not secure, we have exposed our internal network IP addresses to the outside world, and this is bad security design.

Instead, the better option would be for the NYC router to identify itself by its hostname:

NYC(config)#crypto ikev2 profile IKEv2-Profile
NYC(config-ikev2-profile)#identity ?
  local  Specify the local IKE identity to use for the negotiation

NYC(config-ikev2-profile)#identity local ?
  address  address
  dn       Distinguished Name
  email    Fully qualified email string
  fqdn     Fully qualified domain name string
  key-id   key-id opaque string - proprietary types of identification

NYC(config-ikev2-profile)#identity local fqdn
% Incomplete command.

NYC(config-ikev2-profile)#identity local fqdn ?
  WORD  FQDN 

NYC(config-ikev2-profile)#identity local fqdn NYC.ccielab.local
NYC(config-ikev2-profile)#

Easy-Server(config)#crypto ikev2 profile IKEv2-Profile
Easy-Server(config-ikev2-profile)#no match identity remote address 10.1.9.100 255.255.255.255    
Easy-Server(config-ikev2-profile)#
Easy-Server(config-ikev2-profile)#match identity remote ?
  address  IP Address(es)
  any      match any peer identity
  email    Fully qualified email string [Max. 255 char(s)]
  fqdn     Fully qualified domain name string [Max. 255 char(s)]
  key-id   key-id opaque string

Easy-Server(config-ikev2-profile)#match identity remote fqdn NYC.ccielab.local         
Easy-Server(config-ikev2-profile)#

Now the tunnels come up:

Telnet-1#ping 2.2.2.2 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 21/26/31 ms
Telnet-1#

Telnet-2#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/23/27 ms
Telnet-2#

Easy-Server#sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.1.6.254/4500       10.1.9.100/4500       none/none            READY  
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/231 sec

 IPv6 Crypto IKEv2  SA 

Easy-Server#

Whilst NAT traversal gets around the issue of having a firewall in the way of a VPN, it cannot change the packets we are sending, such as the identity.

I still need to get quicker on the VPNs, so will be creating a little “cheat sheet” for the commands, differences, and similarities between the different ones. I’ll put it on the site somewhere for everyone else.

Now that we have connectivity between Telnet-1 and Telnet-2 it would make sense to connect them together. So, next up is FlexVPN