CCIE Security - VPN Study Guide - Regular LAN-to-LAN IPSec Tunnels

 

This section is dedicated to the people who got 0% on their VPN section of the CCIE Lab exam! :)

This article will present you with several tasks related to different VPN technologies. Please enjoy :)

Types of VPNs the Cisco CCIE Security Lab Exam might test you on:

  • Regular LAN-to-LAN IPSec Tunnel
  • Cisco EasyVPN Server and Remote
  • Cisco Enhanced EasyVPN Solution - a method of configuring EasyVPN with a Dynamic VTI (Virtual Tunnel Interface) instead of a crypto map. DVTI can be used on both the Server and the Remote router; it clones a Virtual-Access interface from a virtual-template for every new EasyVPN tunnel.
  • DMVPN
  • GETVPN
  • WebVPN
  • SSL VPN

Additional Features:

  • IPSec HA
  • IKE Admission Control
  • Certificate Maps
  • Static VTI
  • Dynamic VTI

 

 

The configurations below are based on the racks from Internetwork Expert's CCIE Security Rack Rental. You can paste them in as they are and the topology will work.

R2#
conf t
hostname R2
no ip domain-lookup
interface F0/0
description SW1 Fa0/2
ip address 44.44.2.2 255.255.255.0
no shut
exit
interface Loopback2
ip address 2.2.2.2 255.255.255.0
exit
interface Loopback22
ip address 22.22.22.22 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 44.44.2.10
end
wr mem

 

ASA1#
conf t
hostname asa1
interface Ethernet0/0
no shutdown
nameif inside
ip address 44.44.2.10 255.255.255.0
exit
interface Ethernet0/2
no shutdown
nameif outside
ip address 44.44.3.10 255.255.255.0
exit
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
router ospf 2
network 44.44.2.0 255.255.255.0 area 0
network 44.44.3.0 255.255.255.0 area 0
log-adj-changes
exit
end
wr mem

 

R5#
conf t
hostname R5
no ip domain-lookup
interface F0/0
description SW1 Fa0/5
ip address 44.44.3.5 255.255.255.0
no shut
exit
interface F0/1
description SW2 Fa0/5
ip address 44.44.4.5 255.255.255.0
no shut
exit
interface Loopback5
ip address 5.5.5.5 255.255.255.0
exit
interface Loopback55
ip address 55.55.55.55 255.255.255.0
exit
router ospf 2
network 0.0.0.0 255.255.255.255 area 0
exit
end
wr mem

 

R3#
conf t
hostname R3
no ip domain-lookup
interface F0/0
description SW1 Fa0/3
ip address 44.44.4.3 255.255.255.0
no shut
exit
interface F0/1
description SW2 Fa0/3
ip address 44.44.5.3 255.255.255.0
no shut
exit
interface Loopback3
ip address 3.3.3.3 255.255.255.0
exit
interface Loopback33
ip address 33.33.33.33 255.255.255.0
exit
router ospf 2
network 0.0.0.0 255.255.255.255 area 0
exit
end
wr mem

 

R4#
conf t
hostname R4
no ip domain-lookup
interface F0/0
description SW1 Fa0/4
ip address 44.44.4.4 255.255.255.0
no shut
exit
interface Loopback4
ip address 4.4.4.4 255.255.255.0
exit
interface Loopback44
ip address 44.44.44.44 255.255.255.0
exit
router ospf 2
network 0.0.0.0 255.255.255.255 area 0
exit
end
wr mem

 

SW1#

conf t
hostname SW1
no ip domain-lookup
vtp mode transparent
vlan 2
vlan 3
vlan 4
vlan 5
exit
int Fa0/2
switchport host
switchport access vlan 2
exit
int Fa0/5
switchport host
switchport access vlan 3
exit
int Fa0/4
switchport host
switchport access vlan 4
exit
int Fa0/3
switchport host
switchport access vlan 4
exit
end
wr mem

 

SW2#

conf t
hostname SW2
no ip domain-lookup
vtp mode transparent
vlan 2
vlan 3
vlan 4
vlan 5
exit
int Fa0/12
switchport host
switchport access vlan 2
exit
int Fa0/13
switchport host
switchport access vlan 3
exit
int Fa0/5
switchport host
switchport access vlan 4
exit
int Fa0/3
switchport host
switchport access vlan 5
exit
int Fa0/20
switchport host
switchport access vlan 5
exit
end
wr mem

 

Task 1: Establish a LAN-to-LAN IPsec tunnel between R2 Lo22 (22.22.22.0/24) and R4 Lo44 (44.44.44.0/24). R2 sits on the inside of ASA1 and R4 on the outside, so both IKE (UDP/500) and the encrypted data (ESP, IP protocol 50) have to cross the firewall.

Issue 1: No ISAKMP traffic reaches the firewall at all.
Solution 1: R4 has no route to 22.22.22.0/24. R2 does not run OSPF and ASA1 only advertises 44.44.2.0/24 and 44.44.3.0/24, so the ping is dropped by the routing table before the crypto map on R4 F0/0 is ever consulted and IKE is never triggered. Add a static route toward R5. The ping still fails after this step, as expected: it now triggers ISAKMP, which surfaces the next issue.

R4(config)#ip route 22.22.22.0 255.255.255.0 44.44.4.5
R4(config)#end
R4#ping 22.22.22.22 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
.....
Success rate is 0 percent (0/5)
R4#

Issue 2: ISAKMP traffic now reaches ASA1 but is denied by the OUTSIDE_IN ACL. The ASA logs the drop, and "show crypto isakmp sa" on R4 stays in MM_NO_STATE:

asa1(config)# 
%ASA-4-106023: Deny udp src outside:44.44.4.4/500 dst inside:44.44.2.2/500 by access-group "OUTSIDE_IN" [0x0, 0x0]
asa1(config)#

R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       MM_NO_STATE          0    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#

Solution 2:

asa1(config)# access-list OUTSIDE_IN permit udp any host 44.44.2.2 eq isakmp


Why source "any"? In Yusuf's recent book (http://my.safaribooksonline.com/9781587140303) he notes there is nothing wrong with "any", but restricting the ACL is recommended. Here the peer is known, so "host 44.44.4.4" as the source is the stricter choice.

Issue 3: ASA logging shows hits on the ISAKMP ACE, but the tunnel still does not come up. Main Mode starts on R4, but the SA is deleted with "Death by retransmission P1": R4 retransmits its first Main Mode packet five times and never gets a reply.

asa1(config)# show logging                                                    
%ASA-6-302015: Built inbound UDP connection 33 for outside:44.44.4.4/500 (44.44.4.4/500) to inside:44.44.2.2/500 (44.44.2.2/500)
%ASA-6-302020: Built outbound ICMP connection for faddr 44.44.4.4/0 gaddr 44.44.2.2/0 laddr 44.44.2.2/0
%ASA-6-302021: Teardown ICMP connection for faddr 44.44.4.4/0 gaddr 44.44.2.2/0 laddr 44.44.2.2/0
asa1(config)#

R4#show logging
Mar 22 18:03:19.104: ISAKMP:(0): beginning Main Mode exchange
Mar 22 18:03:19.104: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 22 18:03:19.104: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 22 18:03:29.104: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 22 18:03:29.104: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 22 18:03:29.104: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 22 18:03:29.104: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 22 18:03:29.104: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 22 18:03:39.104: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 22 18:03:39.104: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 22 18:03:39.104: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 22 18:03:39.104: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 22 18:03:39.104: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 22 18:03:49.093: ISAKMP: set new node 0 to QM_IDLE     
Mar 22 18:03:49.093: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 44.44.4.4, remote 44.44.2.2)
Mar 22 18:03:49.097: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 22 18:03:49.097: ISAKMP: Error while processing KMI message 0, error 2.
Mar 22 18:03:49.105: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 22 18:03:49.105: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 22 18:03:49.105: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 22 18:03:49.105: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 22 18:03:49.105: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 22 18:03:59.105: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 22 18:03:59.105: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 22 18:03:59.105: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 22 18:03:59.105: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 22 18:03:59.105: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 22 18:04:09.106: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 22 18:04:09.106: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 22 18:04:09.106: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 22 18:04:09.106: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 22 18:04:09.106: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 22 18:04:19.106: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 22 18:04:19.106: ISAKMP:(0):peer does not do paranoid keepalives.

Mar 22 18:04:19.106: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 44.44.2.2)
Mar 22 18:04:19.110: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 44.44.2.2)
Mar 22 18:04:19.110: ISAKMP: Unlocking peer struct 0x8449E69C for isadb_mark_sa_deleted(), count 0
Mar 22 18:04:19.110: ISAKMP: Deleting peer node by peer_reap for 44.44.2.2: 8449E69C
Mar 22 18:04:19.110: ISAKMP:(0):deleting node -136040693 error FALSE reason "IKE deleted"
Mar 22 18:04:19.114: ISAKMP:(0):deleting node 1817707863 error FALSE reason "IKE deleted"
Mar 22 18:04:19.114: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 22 18:04:19.114: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
R4#


Solution 3: The firewall log above shows "Built inbound UDP connection ... to inside:44.44.2.2/500", so ASA1 is forwarding R4's Main Mode packets; the responder, R2, is simply not answering. Either R2 has no crypto configuration or no crypto map applied to its interface, or something else is blocking R4-to-R2 communication (e.g. a VLAN ACL on the switches with a deny ISAKMP statement for the two endpoints). Configure the R2 side. Note that the 3DES/MD5/group 2 policy below is lab-grade; in production use AES, SHA-2 and DH group 14 or stronger.

R2#
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 44.44.4.4
!
crypto ipsec transform-set TS10 esp-3des esp-md5-hmac
!
! Crypto ACL referenced by "match address 110": only Lo22 -> Lo44 traffic is encrypted
access-list 110 permit ip 22.22.22.0 0.0.0.255 44.44.44.0 0.0.0.255
!
crypto map CMAP10 10 ipsec-isakmp
 set peer 44.44.4.4
 set transform-set TS10
 match address 110
!
interface FastEthernet0/0
 crypto map CMAP10
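R4's side of Task 1, added here as a worked example (it is not part of the original lab listing): it mirrors R2's policy, pre-shared key and transform set, with the crypto ACL reversed so that the two ACLs are exact mirror images. The key "cisco" and the policy/map numbers are taken from R2's configuration; the assumption is that R4 uses the same ones.

```cisco
R4#
conf t
! Phase 1 policy must match R2's exactly (encryption, hash, auth, DH group)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Same pre-shared key as on R2, bound to R2's peer address
crypto isakmp key cisco address 44.44.2.2
!
! Phase 2 transform set, identical to R2's TS10
crypto ipsec transform-set TS10 esp-3des esp-md5-hmac
!
! Crypto ACL: mirror image of R2's ACL 110 (Lo44 -> Lo22)
access-list 110 permit ip 44.44.44.0 0.0.0.255 22.22.22.0 0.0.0.255
!
crypto map CMAP10 10 ipsec-isakmp
 set peer 44.44.2.2
 set transform-set TS10
 match address 110
!
! Apply on the interface that faces the peer (44.44.4.4)
interface FastEthernet0/0
 crypto map CMAP10
end
!
! Verify: Phase 1 should reach QM_IDLE; Phase 2 counters show whether ESP flows both ways
show crypto isakmp sa
show crypto ipsec sa | include encaps|decaps
```

If the crypto ACLs are not mirror images, Phase 1 still succeeds but Quick Mode fails with a proxy identity mismatch, so check ACL 110 on both routers before looking at the firewall again.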

Issue 4: The ISAKMP SA between R2 and R4 is created and sits in QM_IDLE on both routers, but pings are still unsuccessful.

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#

R4#show crypto isakmp sa      
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#


Solution 4: Check on the ASA whether ESP packets are blocked. Phase 1 (UDP/500) and the encrypted data (IP protocol 50) are separate flows, and permitting ISAKMP does not imply permitting ESP. If the log shows protocol 50 denied, add it to the ACL bound to the outside interface. Two checks worth knowing: "sysopt connection permit-vpn" only bypasses interface ACLs for IPsec that terminates on the ASA itself, not for transit IPsec between R2 and R4; and on R2, "show crypto ipsec sa" will show #pkts decaps staying at zero while the ASA drops ESP toward it.

asa1(config)# show logging
%ASA-6-302015: Built inbound UDP connection 40 for outside:44.44.4.4/500 (44.44.4.4/500) to inside:44.44.2.2/500 (44.44.2.2/500)
%ASA-4-106023: Deny protocol 50 src outside:44.44.4.4 dst inside:44.44.2.2 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:44.44.4.4 dst inside:44.44.2.2 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:44.44.4.4 dst inside:44.44.2.2 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:44.44.4.4 dst inside:44.44.2.2 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302016: Teardown UDP connection 40 for outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416
%ASA-7-609002: Teardown local-host outside:44.44.4.4 duration 0:02:02
%ASA-7-609002: Teardown local-host inside:44.44.2.2 duration 0:02:02
asa1(config)# 

asa1(config)# conf t
asa1(config)# access-list OUTSIDE_IN permit esp any host 44.44.2.2
asa1(config)# end
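Both ACEs above were entered with source "any". As an added example (not from the original page), this is the tightened OUTSIDE_IN ACL to leave behind once the tunnel works, scoped to the known peer pair. It assumes the topology stays as shown (a single peer at 44.44.4.4 and no NAT between R2 and R4).

```cisco
! ASA1: replace the two "any" source entries with peer-specific ones
no access-list OUTSIDE_IN extended permit udp any host 44.44.2.2 eq isakmp
no access-list OUTSIDE_IN extended permit esp any host 44.44.2.2
access-list OUTSIDE_IN remark IKEv1/ISAKMP from R4 to R2 only
access-list OUTSIDE_IN extended permit udp host 44.44.4.4 host 44.44.2.2 eq isakmp
access-list OUTSIDE_IN remark ESP (IP protocol 50) for the same peer pair
access-list OUTSIDE_IN extended permit esp host 44.44.4.4 host 44.44.2.2
access-group OUTSIDE_IN in interface outside
!
! Verify: hitcnt on the isakmp and esp lines increases and no further %ASA-4-106023 for them is logged
show access-list OUTSIDE_IN
```

Two caveats: if either peer were ever behind NAT, IKE would negotiate NAT-T and the ESP would travel inside UDP/4500, so the esp ACE would no longer match and a udp/4500 ACE would be needed instead. And the original "permit icmp any any" is not what makes the pings work: by the time the Lo22/Lo44 pings cross the ASA they are inside ESP, so that ACE only permits cleartext ICMP to the inside.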

R4#ping 22.22.22.22 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R4#

R2#ping 44.44.44.44 source Lo22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/13 ms
R2#

 

 

 

 

 

 
